North American Network Operators Group


Re: Despamming wholesale dialup

  • From: Roeland M.J. Meyer
  • Date: Thu Oct 29 02:52:08 1998

At 11:27 PM 10/28/98 -0500, Greg A. Woods wrote:
>[ On Wed, October 28, 1998 at 19:47:01 (-0600), Phil Howard wrote: ]
>> Subject: Re: Despamming wholesale dialup
>>
>> Keep in mind one point.  Many people who have domains hosted at various
>> web providers, where they pick up their mail there, too, use dialup
>> providers like you and/or your resellers for actual connectivity of
>> their PCs since they don't get that through the web provider that hosts
>> their domain.  What that means is that many legitimate dialup customers
>> will be sending their mail _FROM_ a domain name that is NOT one that
>> the dialup provider or reseller is necessarily configured to recognize.
>> Often such outgoing mail is blocked as "source forgery" and these people
>> just use the SMTP server at their web provider.  The above breaks this.
>> So some kind of alternative needs to be provided.
>
>I do not think any alternative is required, at least not for the
>general dial-up access account (see below).  People cannot have their
>cake and eat it too.  I think some of these situations have taken the
>"virtual" business just a bit further than is practical and now the rest
>of us are suffering under enormous spam loads as a result.

I disagree, but the mechanism for implementing this involves making the
customer buy an SSH client. They connect with a VPN tunnel and the problem
goes away, as long as port 22 is available. The problem is that many
firewall admins think port 22 is a security hole (back-door). After all,
when the port is named "security" that means you're supposed to block it,
right? The point is that often ports 25, 80, and 110 are the only
legitimate means of access. We've even had to run SSL on port 80 for some
customers because their local firewall only allowed port 80.

>Even worse, of course, are those virtual ISPs which attempt to offer
>SMTP servers too.  I would suggest that the only viable way these types
>of businesses should operate is by using some kind of third-party
>roaming service (eg. iPass) whereby the user is authenticated at the
>virtual ISP and at least in theory then the roaming service could pass
>back authorized SMTP server IP numbers, etc. which could be installed in
>the dial-up filters once the user has been authorized.  These sorts of
>arrangements do require agreements between the virtual ISP and the
>dial-up provider though -- either through an access broker like iPass,
>with direct relationships.
>
>> We do this only for dynamically addressed dialups.  This is done through
>> RADIUS so I can turn it off individually per account, and do so on a case
>> by case basis with explanation of need.  This might mean adding a new
>> field to your customer account database.  I call mine "allow_smtp".
>
>Specifically authorized exceptions to filter policies are OK, especially
>when they help further cement the relationship between a customer and
>his/her ISP.  Hopefully you charge a service fee for making such
>exceptions though!  ;-)

Your whole scheme fails because of over-loaded middle-man charges. Too many
pint-sized bills from too many sources. The accounting alone would be a
nightmare. 
___________________________________________________ 
Roeland M.J. Meyer, ISOC (InterNIC RM993) 
e-mail: [email protected]
Internet phone: hawk.mhsc.com
Personal web pages: http://www.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com/
___________________________________________ 
I bet the human brain is a kludge.
                -- Marvin Minsky