On 18 Nov 2019, at 06:04, Andrew Sullivan <a...@anvilwalrusden.com> wrote:

> At the same time, there are a _lot_ of anti-abuse techniques for mail that
> don't rely on the broad heuristic of, "This TLD seems to suck," and that
> don't rely on establishing that rule as a permanent part of your
> configuration.

Yeah, but so many of the new TLDs entirely suck, and there are new ones all the time and no way to keep up until you start getting flooded with connections.

> If we want the domain name system to be scalable and we want to have
> interoperable mail, hand-crafting the list of "these suck" domains is not a
> good way to go.

The reality is that I’ve been looking at .top since it first started blasting spam across the Internet and I’ve never seen a single email that looked even like it could possibly be legitimate. I do not have the time (especially since no one is paying me) to keep track of however many hundreds (over a thousand, for sure) of TLDs there are to see which ones are maybe not entirely garbage fires.

The fact that email still works at all is a testament to how much effort people are willing to put into getting the 1-3% of legitimate mail out of the unending onslaught of malware, spyware, phishing, and just run-of-the-mill spam that comprises the vast majority of email traffic.

> That makes for the kind of brittle configuration that introduces later
> problems when some new operator takes over .TLD-THAT-SUCKS and cleans it up
> (or the same operator makes it better and starts producing reliably good,
> well-behaving registrations).

*IF* that happens, and I doubt it will, then that new owner will have gotten .TLD-THAT-SUCKS super cheap precisely because it is a garbage fire. They will have to spend some money letting people know it has been fixed. If AOL ever gets cleaned up (it won’t) and stops publishing all their users’ email addresses and passwords (they won’t) I might consider taking them off my blacklist. But it will take a LOT of convincing, just like I’m not going to hire a serial killer to babysit just because he says he stopped killing people and hasn’t for the last 15 minutes.

> Hard coding the TLD into blocklists means that there is never any reward for
> fixing stuff: everything is broken anyway, permanently, so the operator of
> that TLD has zero incentive to make it better, ever.

The way that the TLDs were expanded was idiotic and broken by design. Everyone knew this was exactly what was going to happen, and it did. There are no surprises here. If you have a domain in .xyz or .top you are surrounded by criminals, scammers, and scum. There’s going to be fallout. Get a better domain.

> So, I would like to encourage people to find ways to stanch mail from bad
> sources using reputation lists and so on, rather than wholesale blocking of
> whole TLDs.

I block *ALL* TLDs and then have a whitelist of the few TLDs I allow. That’s how bad it is. And yes, I do look periodically to see what sort of traffic there is (you can tell a whole lot by the from and the to that are logged with the NOQUEUE) and there have been three new TLDs that I have added to the whitelist, and I still get mostly spam from those (info, biz, and name).

Even with rejecting 97% of mail, or more, most of the mail received is still junk mail. And I pay to store that and I pay to back it up. I’m not going to dedicate 40 times more storage for mail just because someone out there might have “legitimate” mail they want to send me from sexyp...@child.pron.ru, or even ap...@iphone.y9867842378423.top.

-- 
On nights such as this, evil deeds are done. And good deeds, of course. But mostly evil deeds. --Wyrd Sisters
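The post above describes two things without showing them: a default-deny sender policy that admits only an allowlist of TLDs, and periodically reading the `from=<...>`/`to=<...>` pairs that Postfix logs on `NOQUEUE: reject:` lines to see which TLDs are actually knocking. The block below is an added example, not code from the poster or from Postfix. It assumes Postfix's smtpd reject-line format, an allowlist of eight TLDs chosen for illustration, and a handful of constructed log lines using documentation addresses; the decision to let the null sender `<>` through so that bounces still arrive is this example's choice, not something the post states.

```python
"""Default-deny TLD allowlist for envelope senders, plus a tally of Postfix
NOQUEUE rejects by sender TLD.  Added example; the allowlist and the log
lines are constructed for illustration and are not from the original post."""
import re
from collections import Counter
from typing import Iterable, Optional

# Assumption: a short allowlist; every TLD not listed here is rejected.
ALLOWED_TLDS = frozenset({"com", "net", "org", "edu", "gov", "info", "biz", "name"})


def sender_tld(address: str) -> Optional[str]:
    """Return the lowercase last DNS label of an envelope sender address,
    or None for the null sender, an IP-literal domain, or a domain with no dot."""
    if "@" not in address:
        return None                      # "<>" or something malformed
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if domain.startswith("[") or "." not in domain:
        return None                      # user@[203.0.113.5] or bare label
    return domain.rsplit(".", 1)[1]


def sender_allowed(address: str, allowed: frozenset = ALLOWED_TLDS) -> bool:
    """Default-deny: accept only senders whose TLD is on the allowlist.
    Design choice of this example: the null sender is always accepted so
    DSNs/bounces are not lost; the post does not say how it handles <>."""
    if address in ("", "<>"):
        return True
    tld = sender_tld(address)
    return tld is not None and tld in allowed


# Postfix smtpd reject lines end with the envelope pair: from=<...> to=<...>.
NOQUEUE_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) .*?"
    r"from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)


def tally_rejects_by_tld(log_lines: Iterable[str]) -> Counter:
    """Count NOQUEUE rejects per sender TLD.  Senders with no usable TLD
    (null sender, IP literal) are counted under '(none)'.  Lines that are not
    smtpd rejects (e.g. queue-id lines for accepted mail) are ignored."""
    counts: Counter = Counter()
    for line in log_lines:
        m = NOQUEUE_RE.search(line)
        if not m:
            continue
        counts[sender_tld(m.group("from")) or "(none)"] += 1
    return counts


# Constructed sample log (documentation IPs and made-up hostnames), in the
# shape Postfix writes for smtpd rejects; not taken from any real server.
SAMPLE_LOG = """\
Nov 18 06:04:01 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <promo@offer.sample-a.top>: Sender address rejected: Access denied; from=<promo@offer.sample-a.top> to=<me@example.net> proto=ESMTP helo=<offer.sample-a.top>
Nov 18 06:04:07 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <win@sample-b.xyz>: Sender address rejected: Access denied; from=<win@sample-b.xyz> to=<me@example.net> proto=ESMTP helo=<sample-b.xyz>
Nov 18 06:05:13 mx postfix/smtpd[4243]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <deal@sample-c.top>: Sender address rejected: Access denied; from=<deal@sample-c.top> to=<me@example.net> proto=ESMTP helo=<sample-c.top>
Nov 18 06:05:40 mx postfix/smtpd[4243]: NOQUEUE: reject: RCPT from mail.sample-d.club[198.51.100.8]: 450 4.7.1 <me@example.net>: Recipient address rejected: Greylisted; from=<news@sample-d.club> to=<me@example.net> proto=ESMTP helo=<mail.sample-d.club>
Nov 18 06:06:02 mx postfix/smtpd[4244]: 1A2B3C4D5E: client=mail.example.com[192.0.2.10]
"""


if __name__ == "__main__":
    for tld, n in tally_rejects_by_tld(SAMPLE_LOG.splitlines()).most_common():
        print(f"{tld:10s} {n}")
    for addr in ("alice@example.com", "promo@offer.sample-a.top", "<>"):
        print(addr, "->", "allow" if sender_allowed(addr) else "reject")
```

Two caveats a practitioner would add. First, the policy keys on the last DNS label only, which is what "block by TLD" means; it deliberately does not consult the Public Suffix List, so `.co.uk` and `.uk` are the same bucket. Second, the tally counts reject events, not distinct sources, and a greylisting 450 and a hard 554 both show up; split on the `code` group if that distinction matters. In Postfix itself the equivalent default-deny rule is usually a `check_sender_access` pcre table whose final catch-all entry rejects anything the earlier allow entries did not match, but the post does not say which MTA or table type is in use, so that is an assumption rather than a description of the poster's setup.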