Spam Control Considered Harmful

Jay R. Ashworth jra at
Thu Oct 30 04:20:52 UTC 1997

On Wed, Oct 29, 1997 at 09:53:52PM -0600, John A. Tamplin wrote:
> > This is roughly akin, though, isn't it, John, to the cache pollution
> > problems that make it pretty much a requirement to run 2 separate
> > nameservers: one for recursion and caching, and the other to be
> > authoritative?
> > 
> > Run a separate relay server, with some authentication, for users
> > connecting from outside your AS.
> The point is there can be no useful authentication for outgoing email if 
> you don't block it by IP address.  However, that is a discussion about 
> blocking spam relay, not about blocking outgoing SMTP.  If we install a 
> filter at the router that blocks all traffic from dialup connections to 
> port 25 anywhere else, then it doesn't matter how many servers we run they
> can't get to another SMTP server, even if they are supposed to be doing it.

Oh, ok.  Sorry.  Right.  I misread the other gentleman's suggestion.

> > Hold it.  Didn't you just say the opposite above?
> He offered an example of a customer that has dialup access to two ISPs,
> and wants to connect to the SMTP server of the one he isn't currently 
> connected to.  Because of the relay blocking that we and all the other ISPs
> in town implement (and hopefully ISPs elsewhere), the customer can't do that
> anyway.

Right.  Got it.

> What I said above is that there are other examples that our customers expect
> to work, specifically connecting to an SMTP server at work or connecting to
> a virtual domain hosted at another ISP (in our case it is primarily the
> vdom user dialup into another ISP and accessing the site here), that is
> why we can't block all traffic from dialup to port 25 anywhere.

Rog.  On deck now.

> I think you are confusing the issue of blocking unauthorized relay access 
> to your SMTP server, which is easy to do based on CIDR blocks, with that of
> preventing dialup customers from relaying through the SMTP servers of others.
> The difficulty in the latter is finding a way to determine what SMTP servers
> they are supposed to have access to and then implementing that in a router
> access list.

Right.  Of course, that's a Small Matter of Administration.


-- jra
Jay R. Ashworth                                                jra at
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "Pedantry.  It's not just a job, it's an
Tampa Bay, Florida          adventure."  -- someone on AFU      +1 813 790 7592

More information about the NANOG mailing list