On 2024-09-24 at 04:18:06 UTC-0400 (Tue, 24 Sep 2024 10:18:06 +0200)
Matthias Leisi <matth...@leisi.net>
is rumored to have said:
(Quoting me)
>> people who don't configure it correctly, in a way that is *almost
>> invisible.* The lower rate limit which they established in March of
>> this year isn't inherently bad, it just meant that enough people were
>> hitting the limit that someone bothered to open a bug about it.
> There is no new rule. The limit of 100'000 per 24 hours has been
> in place for years.
That's an interesting assertion. The page I cited has apparently changed
in the past day and the previous statement of a new policy has vanished.
I'm happy with assuming that it was an error that you've corrected.
However, as I said, the only significance of a particular rate limit is
how many people are affected. The scale of the harm is not relevant, the
problem is the intentional infliction of harm on users who likely have
no idea what is happening.
This change in the SA rules was supposed to have been made 13 years ago.
That's when the decision was made, based on the 100k/day threshold. The
only reason I felt the need to announce it was the fact that back in
2011, the intended change did not actually happen, so people have been
using DNSWL even while the relevant rules file stated that the rules
were disabled by default.
> Enforcement of the limit is intentionally "weak", we only look at
> new "overusers" every few weeks.
Irrelevant. The policy is intentionally harmful. Its weak enforcement
could even be seen as a problem per se.
>> TL;DR: Rather than using an in-band signal of a special reply value
>> to queries from blocked users, as do other DNS-Based List operators,
>> DNSWL.org sends back a "listed high" response to all queries. I was
>> unaware
> Not to all queries. It is sent to resolvers who consistently go above
> the limits, sometimes for months and years after receiving the blocked
> response.
I don't see how that's significant. The documented policy is directly
and intentionally harmful to users. Doing that is a legitimate choice by
a reputation service, but it's not one SA can endorse. The fact that it
is enforced by whim rather than mechanically is not a positive factor.
>> DNSWL is a commercial service that requires payment for servers
>> over 100K queries daily.
> The subscriptions to dnswl.org easily cover the infrastructure cost,
> but not much more.
>
> — Matthias, for the dnswl.org project
Semantic dispute. Charging a fee for a service is intrinsically and
unavoidably commercial. I appreciate that you are not running the
service as a means of building wealth.
Personally, I consider the existence of DNSWL to be positive for the
email ecosystem. I believe that sites which stay within the limit can
reduce FPs by using it. That does not change the basic fact that using
it blindly is dangerous. Just as new system installations don't deploy a
fully-functioning MTA to accept external mail, SA strives to NOT enable
dangerous 3rd-party tools by default.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
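A defender-side sanity check for the failure mode the TL;DR describes, added here as an example (it is not code from this thread, from SpamAssassin or from dnswl.org): before trusting list answers for scoring, query a control address that must never be listed; if it comes back "listed high", the resolver is receiving blanket answers rather than per-address verdicts and the rule is disabled. Assumed, not stated in the thread: answers are `127.0.X.Y` with the last octet encoding trust (0 none, 1 low, 2 medium, 3 high), the control address `192.0.2.1` is a documentation-range address that is never listed, and all responses are constructed inline so nothing touches the network.

```python
"""Guard a DNSWL-style allowlist lookup against silent 'listed high' blanket answers.

Assumption: answers are 127.0.X.Y, last octet = trust level; the control
address 192.0.2.1 is never listed. Responses below are constructed, not captured.
"""
from __future__ import annotations
import ipaddress
from typing import Mapping, Optional

TRUST = {0: "none", 1: "low", 2: "medium", 3: "high"}   # assumed encoding of Y
BONUS = {"low": -1.0, "medium": -2.0, "high": -5.0}      # illustrative score deltas
CONTROL_IP = "192.0.2.1"                                  # assumed never-listed canary


def reverse_name(ip: str, zone: str = "list.dnswl.org") -> str:
    """Build the reversed-octet query name for an IPv4 address."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode_answer(answer: Optional[str]) -> Optional[str]:
    """Map a 127.0.X.Y answer to its trust name; None means NXDOMAIN (not listed)."""
    if answer is None:
        return None
    a, b, _category, trust = (int(o) for o in answer.split("."))
    if (a, b) != (127, 0) or trust not in TRUST:
        raise ValueError(f"unexpected list answer {answer!r}")
    return TRUST[trust]


def check_source(lookup: Mapping[str, Optional[str]]) -> bool:
    """True if the list is giving per-address verdicts.

    A control address that must be unlisted coming back listed (the
    over-limit case is 'high') means every answer is suspect."""
    return decode_answer(lookup.get(reverse_name(CONTROL_IP))) is None


def score_sender(lookup: Mapping[str, Optional[str]], sender_ip: str) -> float:
    """Score a sender from the list, or 0.0 when the source fails the canary check."""
    if not check_source(lookup):
        return 0.0          # disable the rule rather than trust blanket answers
    trust = decode_answer(lookup.get(reverse_name(sender_ip)))
    return BONUS.get(trust or "", 0.0)


# Constructed resolver views: a healthy one and an over-limit one where
# everything, including the canary, is answered "listed high".
HEALTHY = {reverse_name("203.0.113.9"): "127.0.2.2"}
OVERLIMIT = {reverse_name("203.0.113.9"): "127.0.2.3",
             reverse_name(CONTROL_IP): "127.0.2.3"}
```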