RE: IETF SMTP Working Group Proposal at smtpng.org

It's almost to the point to where mail servers need their own
"registrar", sort of the way domains are tracked now, track
mail servers. Give mail server admins the option to accept
mail from registered mail servers only or from any mail
server. Of course there would need to be a ramp up period,
like six months to a year, to make sure all of your mail
servers are registered. And of course one should only be
able to register mail servers if the IP space is actually
SWIP to them. If the IP space is NOT SWIP, it would need to
be registered by the customer ISP or via owner's rwhois
server. Just my $.02; for what it's worth....

Really good idea (no sarcasm, I actually like it).. But what stops spammers
from registering their mail server?..Ie..
  1) Get a dsl account
  2) Ips get swipped to you
  3) Register the server
  4) SPAM
  5) Apologize, get a second chance
  6) get booted off
  7) Call the next ISP with a zero install
  8) Rinse and repeat.

Regards,
Mark

I really like this. A sort of IRR for mail servers. Maybe when
registered it could even check if the server was an open relay, and not
allow those servers to be registered until properly configured. Any
thoughts?

Derek

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Really good idea (no sarcasm, I actually like it).. But what stops spammers
from registering their mail server?..Ie..
  1) Get a dsl account
  2) Ips get swipped to you
  3) Register the server
  4) SPAM
  5) Apologize, get a second chance
  6) get booted off
  7) Call the next ISP with a zero install
  8) Rinse and repeat.

Treat them sort of like SSL certs now. Charge an annual registrar fee
per company, not per server. (Something like $100 a year) The more they
have to go out of their way to get their spam server online, the more
they would be deterred from doing so. They're only going to want to change
so many ISPs, go through SWIP and then change their legal name for the
registrar so many times.

What about individuals that run their own mail servers? (E.G. me).?

I really like this. A sort of IRR for mail servers. Maybe when
registered it could even check if the server was an open relay, and not
allow those servers to be registered until properly configured. Any
thoughts?

Righto, that would all be part of a registration process. As well as
things like forward and reverse DNS matching for the mail server, etc.
But who's to say that once they pass the test they just open up things.

As well as the registrar, there would have to be a "complaint and
investigation department". But going that far legally tends to destroy
good ideas. The most important thing is the legal handling of
exceptions and complaints and the actual steps on getting someone shut
off. We all know how people are sue-happy...

What about individuals that run their own mail servers? (E.G. me).?

Get your mail server registered just like everyone else I suppose. If
your address space is not registered to you directly, your ISP would
have to do this for you. Your ISP would then handle any complaints
(if any) from the registrar and coordinate it with you directly. I
honestly like that idea because as a network operator, I like to know
what customers are running mail servers on our network, where they are,
and who owns them.

I'd seen back in the mid 1990s a user that got banned from
all the isps on his island (or fairly close to it) due to
abuse of services.

  obviously when you have a set of only 3-4 isps to choose from
this makes it a lot easier to keep the guy from doing anything evil.

  but these days everyone that can negotiate a bulk-dial
agreement with someone and run a radius server can sign up
users and make the abuse a bit harder to track ...

  i do think some sort of smtp-callback would be nice/useful
for validation of e-mail addresses. it'll make it so
the bounces go to someplace at least instead of Postmaster.

  - jared

If there were some sort of smtp callback pki, as long as
you controlled your dns and server you could do something useful
on that front.

  here's an example i gave last night in a private
e-mail:

-- snip --
        There is an important need to perform callback but allow for
the ability to protect information from possible spammers for
harvesting/verification.

        eg:

        220 welcome, but no spam
        ehlo spammer
        250-callback-secure
        250 help
        mail from:<spammer@hotmail.com> callback=spammer.example.com
        250 ok
        rcpt to:<jared@nether.net>
        451 try again, pending callback

        vs:

        220 welcome, but no spam
        ehlo spammer
        250-callback-secure
        250 help
        mail from:<spammer@hotmail.com> callback=spammer.example.com
        250 ok
        rcpt to:<nouser@nether.net>
        550 no such user here

        there's also the need to do some sort of pki to allow
callback to be secure. eg: the dns record for nether.net should have
some public-key in it and then some other stuff like possibly

mail from:<realuser@hotmail.com> callback=validate.hotmail.com;key=<alkjsdfj>
then pass the 'key' through the public-key available via dns to
provide back an authentication system to allow for more secure
callback.

        but this can still be abused depending...

        just some thoughts,
-- snip --

  - jared

Actually, it's swip'ed to me (I work for said ISP), but I also run a
SMTP server on my laptop which bounces usually between two addresses
(one at home, one at work), and I suppose that the work address (NOT
swip'ed) would have a problem under this proposal.

I DO understand the reasoning, but it is a **BIG** culture change, and
would take a year or two or more to implement network wide.

I think $100/year is STEEP, if it is PER SERVER, but per
COMPANY/INDIVIDUAL it **might** be acceptable.

(I have 3 boxes + the laptop that do SMTP regularly).

Ideas given this?

I agree with getting personal mail servers registered, as far as paying $100 for a mail server registration (as mentioned in previous messages)...that's no good. As a user with a personal mail server, it is bad enough to have to pay for connectivity and a domain name. Having to pay for the privilege of running a mail server is too much.

Robert Blayzor wrote:

  i do think some sort of smtp-callback would be nice/useful
for validation of e-mail addresses. it'll make it so
the bounces go to someplace at least instead of Postmaster.

The fact that you can call back in no way means that bounces won't
double-bounce into the postmaster mailbox. I'm sure that yahoo.com
would buy into a callback scheme, but it wouldn't have done squat for
this double-bounce:

   ----- Transcript of session follows -----
... while talking to mx1.mail.yahoo.com.:

DATA

<<< 554 delivery error: dd Sorry, your message to xxxxxxxx@yahoo.com cannot be delivered. This account is over quota. - mta461.mail.yahoo.com
554 5.0.0 Service unavailable

(OK, so THIS double-bounce was a W32/Klez-H generated one, but I get enough
of the same thing for spam with a Yahoo return address).

Then the question becomes, "Is running your own mail server worth <some
registration cost>?" Very similar to the "I want my own special part of
the Internet (web server)." Okay, pay your $70 for two years (or
whatever).

BTW, just curious, who announces your MX records?

Best regards,

I'm not saying it's a solution for all problems
but that lets-say-for-example,

  AOL probably gets a lot of mail with forged yahoo,hotmail,
btamail.net.cn or similar MAIL FROM:<>'s

  Lets say AOL, hotmail, yahoo all today had a way they
could say "we would like to cooperate in validating source addresses
as at least somewhat more valid than today" and had a mechanism to
do this with a patch to sendmail/qmail/postfix/zmailer.

  This would allow for while a few extra commands and bytes
per smtp-transaction the ability to authenticate such data.

  You could also then start keeping statistics and rate-limit
the callback mechanism. AOL (and i'm sure others) have done "so,
you want to bulk-mail aol users, sign here". Including this
ability to increase customer satisfaction is in all ISPs'
interest today.

  - jared

http://story.news.yahoo.com/news?tmpl=story&u=/ap/20020820/ap_wo_en_po/fea_us_spammed_war_of_attrition_1

Yea. Good luck getting a DSL provider to swip an IP to you or to be
willing to register an IP for you.

If you have a /29 or shorter they **HAVE** to swip it. Else they can't
get numbers from ARIN.

So, that point is moot.

  but these days everyone that can negotiate a bulk-dial
agreement with someone and run a radius server can sign up
users and make the abuse a bit harder to track ...

Well yes and no. Using a registrar, people on dialups who want to run
mail servers simply cannot do it. The IP space would be owned by the
ISP, and the ISP would have to do the mail server registrations for the
customer, or SWIP a block (on a dialup, oh boy) and let the customer do
the registration themselves. (which would be a legal check as well as
technical check).

I guess it makes it a lot harder for those customers that set up "not
online all the time" mail servers, and that rely on things like ETRN.
But mail servers need static IPs, and network operators must know about
those customers that need static addresses and if there is a mail server
on the end of it. That's a major problem now, mail servers getting
online are not tracked.

  i do think some sort of smtp-callback would be nice/useful
for validation of e-mail addresses. it'll make it so
the bounces go to someplace at least instead of Postmaster.

I'm not disputing this at all, but I believe it would take a lot more
work to get something set, agreed upon, standardized / RFC'd, the mail
server software, etc., than it would to make a registrar type system.
Most mail servers pretty much support this already with RBL functions,
which would probably be moderately changed.

        There is an important need to perform callback but allow for
the ability to protect information from possible spammers for
harvesting/verification.

        eg:

        220 welcome, but no spam
        ehlo spammer
        250-callback-secure
        250 help
        mail from:<spammer@hotmail.com> callback=spammer.example.com
        250 ok
        rcpt to:<jared@nether.net>
        451 try again, pending callback

OK.. So now *you* have to callback and pick up the spammer's mail.

What did that gain you?

        there's also the need to do some sort of pki to allow
callback to be secure. eg: the dns record for nether.net should have
some public-key in it and then some other stuff like possibly

Much easier would be to use the existing STARTTLS stuff and use the cert
presented to decide if you want to accept the mail.

mail from:<realuser@hotmail.com> callback=validate.hotmail.com;key=<alkjsdfj>
then pass the 'key' through the public-key available via dns to
provide back an authentication system to allow for more secure
callback.

Note that the concept of a "callback" doesn't mean the same things on an
IP network as it did on a POTS network. Not that callback on the POTS
network was ever as secure as people thought, anyhow...

        but this can still be abused depending...

Well, given that the spammer is given the opportunity to specify where to
call back *TO*, you're not buying yourself anything- of COURSE the spammer is going to
point you at a system where they control the horizontal and vertical.

The only callback systems that ever came anywhere near working on the POTS
network were ones that you told the callback "this is Fred. Call me back at
the home number you've been configured with", and it called you at Fred's
previously-configured phone number. Having it say 'This is Fred, call me
back at 127.0.4.5' doesn't do anything for security if you're just going to
call 127.0.4.5.
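
The difference between calling back where the client says and calling back only to a pre-configured host, as an added Python example that is not part of the original thread. The `callback=` parameter is the hypothetical syntax sketched earlier in the thread, and the published-host table is a constructed stand-in for a lookup the receiver would perform itself.

```python
import re

# Constructed stand-in for what the receiver looks up on its own, e.g. a record
# published under the sender's domain. Hostnames are the ones used in the thread.
PUBLISHED_CALLBACK_HOSTS = {"hotmail.com": {"validate.hotmail.com"}}

# Hypothetical syntax from the thread: MAIL FROM with a callback= parameter.
MAIL_FROM = re.compile(
    r"^mail from:<[^@<>\s]+@(?P<domain>[^<>\s]+)>"
    r"(?:\s+callback=(?P<callback>[^;\s]+))?",
    re.IGNORECASE,
)


def parse_mail_from(line):
    """Return (sender_domain, requested_callback_host or None)."""
    m = MAIL_FROM.match(line.strip())
    if m is None:
        raise ValueError("not a MAIL FROM line: %r" % line)
    callback = m.group("callback")
    return m.group("domain").lower(), callback.lower() if callback else None


def naive_target(line):
    """Call back wherever the client says: the client controls the answer."""
    return parse_mail_from(line)[1]


def configured_target(line, published=PUBLISHED_CALLBACK_HOSTS):
    """Call back only to a host the sender's domain has published.

    The client-supplied value is a hint that must match the published set.
    None means no callback is made and the claimed sender stays unverified.
    """
    domain, requested = parse_mail_from(line)
    allowed = published.get(domain, set())
    if requested in allowed:
        return requested
    return None


# Constructed sample lines, reusing the addresses from the thread.
FORGED = "mail from:<spammer@hotmail.com> callback=spammer.example.com"
GENUINE = "mail from:<realuser@hotmail.com> callback=validate.hotmail.com;key=<alkjsdfj>"
```
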

I know the DSL provider doesn't for the /29 serving my mail server. It's
under the general announcement for the ISP. I can't even get them to
personalize reverse DNS without knowing someone that runs the DNS servers.

Actually, it's swip'ed to me (I work for said ISP), but I also run a
SMTP server on my laptop which bounces usually between two addresses
(one at home, one at work), and I suppose that the work address (NOT
swip'ed) would have a problem under this proposal.

No, it's not a problem. Your ISP is registered with the registrar.
They can simply list your IP you've been assigned as a valid mail
server. They then accept responsibility for your mail server
registration.

I DO understand the reasoning, but it is a **BIG** culture change, and
would take a year or two or more to implement network wide.

That I would agree. No disputing that. But at the same time, everyone
agrees that SOMETHING needs to be done. Regardless of what is done, it
will be a big change.

I think $100/year is STEEP, if it is PER SERVER, but per
COMPANY/INDIVIDUAL it **might** be acceptable.

No, per company. Not per server. Per server would be a bit extreme.
Especially for those that have dozens of legit mail servers. As a
service provider you pay $100 a year for your account, in which you can
manage adding and removing mail server IP addresses from the list. But
only IPs that are in your SWIP'd space.

Ideas given this?

Above. Thanks for your input.

I agree with getting personal mail servers registered, as far as paying
$100 for a mail server registration (as mentioned in previous
messages)...that's no good. As a user with a personal mail server, it
is bad enough to have to pay for connectivity and a domain name. Having to
pay for the privilege of running a mail server is too much.

Well owners of the IP space that have accounts in the registrar pay the
$100 per year, per account, not server. So if you have a personal mail
server, but the space is not SWIP'd to you, you'd get your ISP to
authorize it. Whether they charge you extra for it would be up to them.
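
The registrar rule discussed across the thread (an account may list only addresses inside its own SWIP'd space, and an ISP lists a customer's server when the space is not SWIP'd to the customer), as an added Python example that is not part of the original thread. The class, account names and documentation-range prefixes are all constructed for illustration.

```python
import ipaddress


class MailServerRegistry:
    """Toy model of the proposed registrar; not an existing service or API."""

    def __init__(self):
        self._allocations = {}  # account -> list of networks SWIP'd to it
        self._servers = {}      # registered server address -> responsible account

    def add_allocation(self, account, cidr):
        net = ipaddress.ip_network(cidr)
        self._allocations.setdefault(account, []).append(net)

    def register(self, account, ip):
        """List a mail server; refused unless the IP is in the account's space."""
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in self._allocations.get(account, [])):
            return False
        self._servers[addr] = account
        return True

    def remove(self, account, ip):
        """Only the account that listed a server may take it off the list."""
        addr = ipaddress.ip_address(ip)
        if self._servers.get(addr) != account:
            return False
        del self._servers[addr]
        return True

    def responsible_account(self, ip):
        """Who the registrar would contact about complaints, or None."""
        return self._servers.get(ipaddress.ip_address(ip))

    def accept(self, ip, registered_only=True):
        """Receiving-side policy: registered servers only, or any server."""
        return (not registered_only) or self.responsible_account(ip) is not None


def build_example():
    reg = MailServerRegistry()
    reg.add_allocation("isp-a", "192.0.2.0/24")         # ISP's own block
    reg.add_allocation("customer-b", "198.51.100.8/29")  # /29 SWIP'd to a customer
    return reg
```
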