Re: The right to refuse, was: Re: Principles of Spam-abatement


 



> From: Yakov Shafranovich <research@xxxxxxxxxxxxxxx>

> ...
> This is a human problem, not a technical one - the ISPs are unwilling in 
> many cases to handle abuse reports seriously, or are unwilling to invest 
> in any kind of infrastructure to detect abuse. For example, one of the 
> ideas floating around the ASRG has been a BCP for handling hijacked 
> machines. A detection mechanism would be in place that counts outbound 
> email from a given machine or subscriber, and if that usage spikes the 
> mail would be queued and the subscriber notified. 

The ISP can't queue mail that doesn't go through its smarthosts. 
It can only block port 25.  That generally causes mail to be lost,
whether from legitimate MTAs to distant MUAs or from spamware.

>                                                   How many ISPs are actually 
> willing to do that (although ComCast has begun shutting down accounts of 
> hijacked machines)?  What monetary incentive would the ISPs have to do 
> that? And even if the IETF publishes the BCP, there is no way to enforce it.

At $30/month, an ISP can't afford to do much watching for spikes.  It
certainly can't hold the hands of users who couldn't be bothered to
install virus defenses or not open attachments.  About all that a
"consumer grade" ISP can afford to do is preemptively block outgoing
port 25, 135, etc. for all customers.  I've been complaining for years
that is slum tenement Internet service, but it seems to be all that most
users are willing to pay for, in money and in acquiring and using
technical expertise (e.g. virus filters and not opening attachments).

If the IETF would officially define "slum tenement Internet service"
(with better words, of course), then truth in advertising laws, the
value of product differentiation to ISPs, and savvy users might make
port 25 filtering universal where it is needed and absent elsewhere.
That would stop lunacy like blacklisting any IP address whose reverse
DNS name contains the substring "dsl."


> I do not see how the IETF can do anything to force ISPs to handle abuse 
> complaints more seriously. This is why people tend to block ISPs and 
> IP blocks unilaterally in order to force ISPs to take action (not to say 
> that I necessarily agree with it). The only two things that I see here 
> that can be done by the IETF is either to facilitate easier abuse 
> handling by ISPs via standard formats for abuse reports;

ISPs don't need to exchange abuse reports, but to deal with their own.
There's no value in standardizing the unidirectional stream of abuse
reports from the spam-hostile part of the Internet to the spam friendly
part that largely ignores reports of abuse.

>                                                          or provide some 
> kind of standards for exchanging reputation data among receivers. Both 
> still rely on the human decisions made by both ISPs and receivers on how 
> this data is used.

Exchanging reputation about receivers makes as little sense as announcing
consent to receive mail or solving spam with authentication.  You can't
trust people to announce their own reputations or to obey your announced
refusal to receive spam.   Reputation exchanges are either systems
like TrustE's that in practice certify untrustworthiness or functional
equivalents of the current DNS blacklists.

Wise blacklist operators, and I think all major blacklist operators,
do not, could not, and would not have any reputations to exchange.
You can add to your blacklist only based on evidence that you can defend
in court.  Reports from outsiders, including users of your blacklist,
are almost useless.


Vernon Schryver    vjs@xxxxxxxxxxxx
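
The counting mechanism described in the quoted text (count outbound mail per subscriber, queue and notify on a spike), sketched as an added example that is not part of the original message or of any ASRG draft. It only sees mail relayed through the ISP's own smarthost, which is the limit the reply points out; the thresholds, the names and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

BUCKET_SECONDS = 3600  # assumed: volume is counted per hour
SPIKE_FACTOR = 10      # assumed: a spike is 10x the subscriber's own baseline
MIN_THRESHOLD = 50     # assumed floor so low-volume subscribers are not flagged
ALPHA = 0.2            # assumed smoothing weight for the hourly baseline

class SpikeDetector:
    def __init__(self):
        self.bucket = {}                    # subscriber -> hour currently counted
        self.count = defaultdict(int)       # messages seen in that hour
        self.baseline = defaultdict(float)  # smoothed messages per hour
        self.held = set()                   # subscribers whose mail is queued

    def observe(self, subscriber, ts):
        """Record one relayed message; return 'deliver' or 'queue'."""
        hour = ts // BUCKET_SECONDS
        prev = self.bucket.get(subscriber)
        if prev is not None and hour != prev:
            # Fold the finished hour into the baseline, but never learn from
            # traffic sent while the subscriber was already flagged.
            if subscriber not in self.held:
                old = self.baseline[subscriber]
                self.baseline[subscriber] = (1 - ALPHA) * old + ALPHA * self.count[subscriber]
            self.count[subscriber] = 0
        self.bucket[subscriber] = hour
        self.count[subscriber] += 1
        limit = max(MIN_THRESHOLD, SPIKE_FACTOR * self.baseline[subscriber])
        if subscriber not in self.held and self.count[subscriber] > limit:
            self.held.add(subscriber)  # the point at which the subscriber is notified
        return "queue" if subscriber in self.held else "deliver"

def sample_records():
    """Constructed smarthost records: (subscriber id, unix-style timestamp)."""
    recs = [("cust-a", h * 3600 + i * 60) for h in range(3) for i in range(5)]
    recs += [("cust-b", i * 60) for i in range(5)]            # normal hour
    recs += [("cust-b", 3600 + i * 5) for i in range(400)]    # sudden burst
    return sorted(recs, key=lambda r: r[1])

def summarize(records):
    """Return {subscriber: (delivered, queued)} for time-ordered records."""
    detector = SpikeDetector()
    tally = defaultdict(lambda: [0, 0])
    for subscriber, ts in records:
        action = detector.observe(subscriber, ts)
        tally[subscriber][0 if action == "deliver" else 1] += 1
    return {s: tuple(v) for s, v in tally.items()}

if __name__ == "__main__":
    for sub, (delivered, queued) in sorted(summarize(sample_records()).items()):
        print(f"{sub}: delivered={delivered} queued={queued}")
```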

