SMTP authentication for broadband providers

Alex Bligh alex at alex.org.uk
Wed Feb 11 23:31:55 UTC 2004




--On 11 February 2004 16:30 -0500 Sean Donelan <sean at donelan.com> wrote:

> And I applaud your effort.  But does it really answer the question of who
> is responsible for handling abuse of the service?  If ISPs are not
> responsible for abuse using port 573, they probably don't care.

I think you are missing the point. I have lots of people abusing my port
25. They can abuse this due to the nature of the (current unadorned) SMTP
protocol as I have to leave it open and unauthenticated in order to receive
mail to users served by my server. I can quite see why their DSL provider
wants to block their connecting to my port 25, and (incidentally) other
customers of theirs get caught in the collateral damage. On the other hand,
I have no one even trying to abuse port 587 (sic) i.e. submission. Even if
people tried, they'd find they needed authentication on that port (even to
send to my local users). As I am doing nothing beyond a dumb RFC
implementation, and assuming other mail hosts are no dumber, ISPs thus
won't get abuse complaints for port 587 attacks in the same way they get
port 25 complaints. Of course they'll get *some* port 587 complaints, just
like they get some port 80 complaints. But blocking port 25 blocks access
to a well known poorly authenticated service. Blocking port 587 doesn't (or
rather wouldn't). If there were a whole pile of people accepting
unauthenticated connections on port 587, life would be different. But there
aren't & it isn't.

Alex
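
Added example, not part of the original message: a small audit that asks a listener whether it accepts MAIL FROM before AUTH, which is the difference between port 25 and the submission port that the message relies on. The two loopback stub servers, their replies, and all function and host names are constructed for illustration; point accepts_unauthenticated_mail at your own mail host to check it.

```python
import smtplib
import socketserver
import threading

def accepts_unauthenticated_mail(host, port, sender="probe@example.org", timeout=5):
    """True if the listener accepts MAIL FROM without a prior AUTH."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo("audit.example.org")
        code, _ = s.mail(sender)          # no login() before this, on purpose
        return 200 <= code < 300

class _Stub(socketserver.StreamRequestHandler):
    """Constructed stand-in server: just enough SMTP to exercise the check."""
    def handle(self):
        auth = self.server.require_auth
        self.wfile.write(b"220 stub ESMTP\r\n")
        for raw in self.rfile:
            verb = raw.decode("ascii", "replace").strip().upper()
            if verb.startswith("EHLO"):
                reply = b"250-stub\r\n250 AUTH PLAIN\r\n" if auth else b"250 stub\r\n"
            elif verb.startswith("MAIL"):
                # A submission-style listener refuses mail until the client authenticates.
                reply = b"530 5.7.0 Authentication required\r\n" if auth else b"250 2.1.0 Ok\r\n"
            elif verb.startswith("QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                reply = b"250 Ok\r\n"
            self.wfile.write(reply)

def start_stub(require_auth):
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Stub)  # ephemeral port
    srv.require_auth = require_auth
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    """Return (port-25-style result, submission-style result) for the two stubs."""
    mx, submission = start_stub(False), start_stub(True)
    try:
        return (accepts_unauthenticated_mail("127.0.0.1", mx.server_address[1]),
                accepts_unauthenticated_mail("127.0.0.1", submission.server_address[1]))
    finally:
        for srv in (mx, submission):
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    print(demo())
```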


