[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: We need an IETF BCP for GREY LISTING




On 10/17/11 4:51 AM, John C Klensin wrote:
--On Sunday, October 16, 2011 22:57 -0700 "Murray S. Kucherawy"
<msk@xxxxxxxxxxxxx>  wrote:

Maybe a shorter way to put that last paragraph is that if we
agree that reasonably timely delivery of mail is a Good
Thing, then I think we have many other problems to tackle
before we turn our attention to greylisting.
Agree here too.
+1

And even more strongly agree if "delivery of all legitimate mail
without forcing senders to use a small number of senders with
bilateral arrangements" is added to the list.
Agreed as well. What is needed is a light weight method to avoid abusive sources with a glimmer of hope it might actually work. We defend our services dynamically from questionable sources as a method to prioritize the rest. Not grey listing in the classic sense, but no less of a PITA and an extremely complex system still constantly being gamed.

Neither SPF nor DKIM properly defend domains. IP address authorization and signatures omitting senders and intended recipients against actually authenticating the accountable domain is what is lacking. These two schemes largely support white-listing domains considered "too big to block" and glaringly lack a practical means to defend smaller domains or at inhibiting spam. Email is in the ditch.

In the face of IPv6, address authorizations schemes become increasingly problematic and disruptive. Email needs to learn from social networks. Have each develop their own authenticated "buddy" list as an overlay to what individual users might adopt. Perhaps Apples example explained in RFC6281, might provide a method to include separate services that perform authentication, and then simply hand out SMTP tickets that are good for some period of time.

It is interesting that services like twitter's ad revenue "unique" criteria gives them an incentive to cancel abusive accounts. Two seconds later, they may reappear under a different name, but that is okay as now they must then beg for attention. For email to compete with social networks, a light weight method to authenticate outbound MTAs is needed, or eventually email will be supplanted by various proprietary services. Many domains are not aware of incoming connection failure rates due to loads not seen in SMTP logs. Incoming messages might not be blocked, but may never get through the growing volume of noise.

To: Postmaster@xxxxxxxxxxx
From: Postmaster@xxxxxxxxxxxxxxx

Please add this new service to your "buddy" list.

I understand failure to respond to your complaints in a timely manner may cause my domain to be removed from your "buddy" list based on protocol X authentication methods.

-Doug