IP address reputation, BorderWare

Rick Chadderdon mailscanner at yeticomputers.com
Thu Mar 29 19:29:08 CEST 2007


Res wrote:
> The fact remains you accept these risks if you run a public mail 
> server, just like greylisting

Yes, I know.  And the fact remains that greylisting and SAV are two 
entirely different moral questions because of who is initiating the 
behavior against whom.  The fact also remains that the "you accept these 
risks" attitude is the same attitude the spammers use to justify their 
crap, and the "it's only a few bytes" argument has no bearing on whether 
or not it's *right* to do it.  I'll live with it, but it's rude 
behavior.  And if a technological method were to offer itself that would 
allow me to block SAV checks without hindering the use of the server for 
its purpose, I'd do so, just like I do for spam.

I'd prefer to see sender verification as a part of the SMTP protocol.  
If it were, most MTAs would log it in such a way that it was easier to 
filter when going through logs.  Some would probably allow a log level 
at which SV was not logged.  It would also possibly help with the spam 
problem in a couple of ways not currently possible with just the 
milter.  This is really only a moral question for me.  If sender 
verification was a normal part of SMTP, and it could be turned on or 
off, I'd leave it on to help others verify their incoming mail.  Since 
it is not, and since I can *not* easily stop people from verifying 
against me, and since they're doing it anyway - it irritates me.

> I don't like it, I disagree with it, it causes more problems for me and 
> my staff than what it's worth by others using it, however, I accept 
> many do it, I'd rather the resources of my mail servers not be taken 
> up with constant retries because of that crud, but it goes on, I live 
> with it, you will have to live with it.

Okay, so we're in agreement.  I guess the difference is that when I 
don't like something and I disagree with it, I don't tell people "keep 
using the filter."

>>
>> You have multi-gigabit bandwidth at home?  Impressive, and...  well, 
>> I don't
>
> No, I look at it from my company's point of view,  however, if a HOME 
> USER wishes to have an exposed smtp server, then they must accept and 
> expect the exact same risks as any national telco or corporation that 
> does.

Agreed.  The entire "home user" point I was trying to make was that 
bandwidth has become ridiculously cheap for most people, in comparison 
to what it cost just a decade ago.  I have 10M at home, 10M at the 
office (although it's split up a bit), and my complaints refer to the 
mail server at the office.  I don't run one at home anymore.

> p2p would be less than 40% [...]
> Mail servers about 15%

So, your mail consumes a slightly higher portion of your bandwidth than 
does mine, but we're really not that far apart.  I have the advantage of 
not providing "public" internet access anymore.  I provide access to a 
couple of companies, and none of them would dream of slowing down their 
business apps with filesharing.  I do occasionally have to get on a 
couple of specific users for streaming radio stations and YouTube videos, 
though.  They don't seem to want to believe that with a couple of apps 
talking to each other constantly across VPNs, normal Internet usage 
shared by about 35 people and the desire of typical users today to send 
multi-megabyte files back and forth in their email, that a few users 
streaming audio and video can actually have a negative impact.  But, as 
they say, "I can do it at home with just my one little old computer, so 
with all of these big servers, why can't I do it here?"

>> Case one:  You initiate the behavior, I respond by consuming your 
>> resources.
>
> That's ok, I think I can afford the couple hundred BYTES of conversation
> packets :) and if you run a 10mb link I doubt you'd even know it was 
> happening if you never looked in your logs.

Right.  And morally, it doesn't bother me when someone makes me jump 
through hoops to send them mail.  I can choose to do so, or not.  My 
choice.  I don't respond to TDMA messages, but I happily retry when I 
hit a greylist.  TDMA suffers from the same problem SAV does - it 
normally affects third-parties, not those directly trying to communicate 
with the user.

>>
>> Exactly what I said...  It is of benefit to you, the user of SAV, not 
>> to the
>
> That's correct, just like those who use greylisting, it's of benefit to 
> them, not me

Just so I know which it is...  Do you honestly not see the difference 
between affecting a third party and affecting one who is directly 
dealing with you, or do you simply not care?  I know we don't agree, but 
I'd kind of like to know whether it's because you're missing my point - 
or you don't think the difference is relevant.

>> and due to the way it was implemented there is no way that you can 
>> avoid its effects, or its drain on your time.  You don't *want* to 
>> do this thing.  Even
>
> but it's no drain on time, your analogies are flawed, as it doesn't 
> require anyone to sit in the server room and watch it happening, it's 
> no worse than dns lookups, greylisting, etc etc etc

No, my first analogy was based on my own experience.  I *do* spend a 
total of about an extra hour per month dealing with the results of all 
of this extra crap in my mail logs.  Discarding the analogies as flawed 
(and then refusing to address them) strikes me as a cheap cop-out.  
Please understand that I'm talking only about the moral choices 
involved, which is why the second analogy was so exaggerated.  If you 
rely on the *amount* of impact on the complainant, you can argue that 
spam itself was okay 'til it reached "x" level of messages per 
day/month/whatever.  Spam has never been okay, in any amount, and I was 
one of the first people to implement a strict (rabid) anti-spam policy 
for my customers, back when everyone was saying, "just hit delete."

DNS lookups are what the DNS server is for.  SAV is *not* what my mail 
server is for.  Until it's part of the normal operation of a mailserver, 
I don't want anyone using my resources just because a third party is 
using theirs.  Greylisting...  covered above.

While I'm not sure that I've been clear enough for everyone to 
understand the moral flaws I'm pointing out, I do think I've made them 
as clear as I can without specific requests for further discussion.  
Since I've contributed heavily to this thread being almost *entirely* 
off-topic, and I don't see much more progress being made here, I invite 
anyone interested in continuing to explore this line of thought to do so 
off-list.

Rick

