Spam Control Considered Harmful
Jay R. Ashworth
jra at scfn.thpl.lib.fl.us
Thu Oct 30 04:20:52 UTC 1997
On Wed, Oct 29, 1997 at 09:53:52PM -0600, John A. Tamplin wrote:
> > This is roughly akin, though, isn't it, John, to the cache pollution
> > problems that make it pretty much a requirement to run 2 separate
> > nameservers: one for recursion and caching, and the other to be
> > authoritative?
> >
> > Run a separate relay server, with some authentication, for users
> > connecting from outside your AS.
>
> The point is there can be no useful authentication for outgoing email if
> you don't block it by IP address. However, that is a discussion about
> blocking spam relay, not about blocking outgoing SMTP. If we install a
> filter at the router that blocks all traffic from dialup connections to
> port 25 anywhere else, then it doesn't matter how many servers we run they
> can't get to another SMTP server, even if they are supposed to be doing it.
Oh, ok. Sorry. Right. I misread the other gentleman's suggestion.
> > Hold it. Didn't you just say the opposite above?
>
> He offered an example of a customer that has dialup access to two ISPs,
> and wants to connect to the SMTP server of the one he isn't currently
> connected to. Because of the relay blocking that we and all the other ISPs
> in town implement (and hopefully ISPs elsewhere), the customer can't do that
> anyway.
Right. Got it.
> What I said above is that there are other examples that our customers expect
> to work, specifically connecting to an SMTP server at work or connecting to
> a virtual domain hosted at another ISP (in our case it is primarily the
> vdom user dialup into another ISP and accessing the site here), that is
> why we can't block all traffic from dialup to port 25 anywhere.
Rog. On deck now.
> I think you are confusing the issue of blocking unauthorized relay access
> to your SMTP server, which is easy to do based on CIDR blocks, with that of
> preventing dialup customers from relaying through the SMTP servers of others.
> The difficulty in the latter is finding a way to determine what SMTP servers
> they are supposed to have access to and then implementing that in a router
> access list.
Right. Of course, that's a Small Matter of Administration.
:-)
Cheers,
-- jra
--
Jay R. Ashworth                                          jra at baylink.com
Member of the Technical Staff         Unsolicited Commercial Emailers Sued
The Suncoast Freenet          "Pedantry.  It's not just a job, it's an
Tampa Bay, Florida       adventure." -- someone on AFU     +1 813 790 7592
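
The two controls distinguished in this thread, sketched as an added example that is not part of the original message: relay control on your own SMTP server by CIDR block, and a router filter on dialup traffic to port 25 elsewhere with per-customer exceptions. All addresses, domains and names are constructed (RFC 5737 documentation ranges), and the exception table assumes dialup customers have static addresses.

```python
import ipaddress

# Constructed sample data, not taken from the thread.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # the ISP's own CIDR blocks
DIALUP_POOL = ipaddress.ip_network("192.0.2.128/25")  # dialup address pool
LOCAL_DOMAINS = {"isp.example"}                       # domains delivered locally
ISP_SMTP = ipaddress.ip_address("192.0.2.10")         # the ISP's own mail server

# Per-customer exceptions: dialup address -> outside SMTP servers it may
# reach (for example a server at work). Keeping this table current is the
# administrative cost the thread refers to.
EGRESS_EXCEPTIONS = {
    ipaddress.ip_address("192.0.2.130"): {ipaddress.ip_address("198.51.100.25")},
}


def relay_allowed(client_ip, rcpt_domain):
    """Control 1, on our own SMTP server: accept mail for local domains
    from anyone, relay to other domains only for our own CIDR blocks."""
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in LOCAL_NETS)


def egress_permitted(src_ip, dst_ip, dst_port):
    """Control 2, at the router: dialup sources may reach port 25 only on
    the ISP's server or on servers listed for that customer."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if dst_port != 25 or src not in DIALUP_POOL:
        return True  # the filter only concerns dialup -> tcp/25
    if dst == ISP_SMTP:
        return True
    return dst in EGRESS_EXCEPTIONS.get(src, set())
```
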
More information about the NANOG mailing list