Rich Kulawiec on 22 Oct 2016 09:09:21 -0700
Re: [PLUG] spamassassin help: create a rule to score by sender TLD
On Fri, Oct 21, 2016 at 10:33:44PM +0200, ac wrote:
> I think I need to break it down for you some more....
>
> What you are advocating is a 'closed" Internet.
>
> An Internet where the "receivers" decide what they will be receiving

Jebus. Stop. Just stop.

First, as someone who has been working on building and running this network since well before we called it "the Internet", I really don't think I need a lecture from you on what I'm doing or not doing.

Second, we have ALWAYS had a network where receivers decide what they will be receiving. We've had email message size and attachment type limits, Usenet newsgroup feeds restricted to certain hierarchies, ICMP packet types limited to those necessary for PMTUD -- there are thousands of examples and hundreds of millions of instances.

Third, nobody is "punishing" anyone by refusing their SMTP traffic or HTTP traffic or some of it or all of it or whatever. They're simply declining to extend a privilege -- a privilege that is theirs to extend or not as they please.

Fourth, I have a very lengthy track record as a vocal advocate for an open Internet, so please drop this ridiculous claim that I'm opposed to my own longstanding position. It is precisely because I *want* it to be open that I'm adamantly opposed to things that inflict damage on it and hinder that -- e.g., spam, DDoS attacks, closed-source software, phishing, censorship, Facebook, DMCA, etc.

More on topic: it's not 1996 any more. Email abuse is not merely an annoyance. It's a chronic, systemic attack on mail systems and mail users, and it's a serious threat to security, privacy, and productivity. We no longer have the luxury of grumping about it and reactively dropping in a rule or two to block a domain or a user or a /24, then ignoring the issue for a while. The things we did 10 or 20 years ago aren't necessarily bad, but they're certainly no longer adequate to cope with the threat.

Which is why, for example, on most of the mail servers that I run, I blocked most of the new TLDs before they even went live. I could see what was coming and decided not to wait for the inevitable inrush of spammers, phishers, typosquatters, domainers, and other abusers. What would be the point?

(On *this* particular server, I have most of the new TLDs blocked. There is nobody here who wishes to accept email from .top or .xyz or most of the others. There might be people there who want to send email here, but This Is Not My Problem.) [1]

John Levine (someone else who's been around for a while and has serious expertise in this area) has said: "The total budget at all receivers for solving senders' problems is $0".

If you choose to set up your email server on a dubious network (e.g., AWS, well-known as a massive source of email abuse) or you choose a TLD that's mostly populated by spammers or you don't set up FCrDNS or you don't have a working postmaster@ role address or your mail server doesn't HELO/EHLO as a FQDN or [any number of other things] then you are actively *choosing* to cause problems for yourself. Don't be surprised when they ensue, don't whine about them, and most certainly don't expect receivers to accommodate you. (I do, sometimes, because I'm a nice person. But the fact that I occasionally go out of my way doesn't obligate me to do it every time.)

As I said previously, I don't like this situation. I did quite a bit to keep it from happening (and so did others, many of whom did more), but y'know, it didn't work. And now we're here, and there's no point pretending otherwise.

You can either learn how to defend your operation efficiently, accurately, and thoroughly or you can get used to being a victim. You can either learn how to run your operation by best practices (de facto or formalized via RFC) or you can get used to having problems.

---rsk

[1] The mass proliferation of new TLDs was designed solely to line the pockets of registrars, because there was precisely zero functional need for .top and .science and .whatever. Registrars are often quite happy to take the money of abusers because they're large-scale repeat customers. I happen to be tracking one particular operation which has registered 97,760 domains. So far. I doubt they're done. And while this number is a bit of an outlier data point, I've got a lot more of them in the 1K to 10K range. That represents a lot of money being invested, which in turn means they expect substantial ROI. Guess who they expect to pay for that.

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug