North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SMTP relaying policies for Commercial ISP customers...?

  • From: Andy Dills
  • Date: Fri Feb 13 12:37:40 2004

On Fri, 13 Feb 2004, Dan Ellis wrote:

> 1)       Residential Policy:  Enable SMTPAUTH and disallow relaying
> unless the customer has a valid username/password.  If you're not paying
> for a mailbox, you don't get to relay outbound.  This should not break
> anything except those residential accounts that *should* be commercial
> anyway.
> 2)       Broadband commercial: This is the difficult one.  These are the
> customers that aren't big enough to rightfully run their own mailserver,
> but they are big enough to have roaming users on their networks (coffee
> shops, branch offices, hotels, SOHO....).  They expect relaying service
> for either their mailserver or for all their various PC's.  At the same
> time, they don't have many, if any mailboxes through the ISP.  My
> thought is that they should ONLY be allowed to relay via SMTPAUTH by
> using a residential mailbox login/pass OR they need to purchase a
> commercial relay service (expensive because of the openness of it) for
> their IP space.
> 3)       T1+ : These customers should not be allowed to relay unless
> they purchase (expensive) relay services for their IP space.  Of course,
> they can always use a residential mailbox, but will have to use SMTPAUTH
> for it and will be restrained by the same policies residential mailboxes
> have (low tolerance tarpitting,...).

While the amount of effort you put into this so far is commendable, I
really think you're barking up the wrong tree.

At the end of the day, what have you done, besides annoy your customers
and increase the load on your support staff?

I don't really see what you're suggesting being anything other than a huge
effort, solving the wrong problem.

For any responsible ISP, the problem is the spam coming into your
mailservers, not leaving. As long as you quickly castrate the people who
do relay spam through you, you're not going to have an egress spam

Since you seem to have countless hours to invest in this problem, you'd be
better off writing a log parser to identify WHEN somebody is relaying spam
through you, so you can react.

Something else I've seen implemented is rate limiting. Keep track of the
number of messages sent by an IP over a variable amount of time and
implement thresholds.

I'd love to hear some of the conversations you have with your leased line
customers, when you tell them they have to pay for "(expensive) relay
services" to send mail through your mail server. How many times will they
laugh before hanging up on you? :)

That's like the IRS trying to charge you for the forms...

And I'd also like to see the looks on your technical support staff's faces
when you tell them they need to assist your ENTIRE USER BASE in switching
to authenticated SMTP :)

And then you have to deal with the customers who have MTAs that don't
support authenticated SMTP...and on and on.

Whenever the solution is more expensive than the problem, you need to go
back to the drawing board.


Andy Dills
Xecunet, Inc.