On 31/05/18 02:31, Alessandro Vesely via dmarc-discuss wrote:

> On Wed 30/May/2018 16:13:12 +0200 Roland Turner via dmarc-discuss wrote:
>> On 29/05/18 23:05, Alessandro Vesely via dmarc-discuss wrote:
>>> [...] which includes pretty much all mail sites. The latter is *not* a
>>> slow-moving data set. It grows steadily.
>>
>> Steady growth *is* slow movement.
>
> Uh? I run a tiny mail site and get about 1.6 new domains per hour. It is much
> slower than light, but still too fast for an embedded list... Any global
> figure, anywhere?

Too fast for an embedded list certainly. As I said, "forwarding
mail-servers more generally would then be an obvious refinement", but
also "Even the complete set of honestly operated mail-servers in the
world - whether forwarding or not - is changing at a rate that is still
orders of magnitude lower than the rate of change of IP addresses used
for abuse, consequently collecting, distributing, and using this data
would be relatively straightforward." I took it as self-evident that I
was describing a transition from an embedded list to a reputation data
feed. You would presumably not attempt to list all of the IP addresses
used for abuse in an embedded list?

>>>> 1: Granted, the list becomes a priority list for compromise attempts, much as
>>>> happened with ESPs several years ago, but sudden spikes in volume can be
>>>> treated as suspicious anyway, so the benefit in compromising a small forwarder
>>>> is limited.
>>>
>>> Spamtraps will also work well, as usual. However, no spam indicator implies
>>> that the upstream ARC chain is faked. In theory, for example, ARC would allow
>>> me to switch to forward-before-filter (maybe CPU happened to cost me more than
>>> bandwidth, say.) In that case, you would tend to classify me as a spammer and
>>> possibly suspect that my keys were compromised. How to maintain the list
>>> remains unclear.
>>
>> You've lost me:
>>
>> * If you're forwarding unfiltered email to receivers who are able to make
>>   good use of ARC information, and assuming that they still trust you, then
>>   there is no problem here: you just have lousy filters.
>> * If you're forwarding to people for whom either of those things is false,
>>   then you're shooting yourself in the foot.
>>
>> Don't be a bad neighbour: filter to the best of your ability, but don't sweat
>> the rest. Your neighbours are most unlikely to appreciate your dumping cost
>> onto them if you do otherwise.
>
> 100% agreed. The example —admittedly somewhat stretched— was meant to
> highlight the difficulty of substantiating statements like "I trust these guys
> not to lie in ARC signing/sealing".

This is the bit where I'm not following you. Failing to provide
neighbourly attention to the stream of mail coming out of your
mail-server and failure to accurately ARC sign appear to be orthogonal
concerns. (They might be loosely correlated to your level of diligence
certainly, but are not otherwise causally related.)

- Roland