North American Network Operators Group


Re: Lazy network operators

  • From: Iljitsch van Beijnum
  • Date: Wed Apr 14 03:35:49 2004

On 14-apr-04, at 1:56, John Curran wrote:

>> This approach has two main advantages over filtering port 25:
>>
>> 1. People can still talk to unlisted SMTP hosts if they feel they have a good reason to do so (i.e., I get to deliver messages directly to my server from home rather than being forced to use my service provider's, which may or may not work)

> You're right... Rather than simply having you tell your provider that you're
> responsible and having port 25 outward opened up, the freedom for anyone
> to send to port 25 on an ad-hoc basis like we have today is a better idea.
> Today's spam isn't a problem; everything's working as designed.
I understand your frustration, but the approach of blocking port 25 isn't the right one. It may be convenient for you, but there are plenty of people who have good reasons for using other SMTP servers than their access provider's ones. And do you think people who are unable to run a good mail service will be able to selectively open up filters in a sane way? Filtering can also have a serious performance impact on some equipment. And of course this approach isn't going to work anyway: many access providers can't even be bothered to implement anti-spoofing filters, so there is no way that ALL consumer access providers are going to do this within a reasonable time frame.

>> The good news is that the IETF is now starting work on this, so expect results in two or three years.

> Great idea: here's a case where we need less connectivity and better
> operational practices, but rather than take that task on, we should do
> more protocol work.
The idea is that new records in the DNS show which hosts are allowed to deliver mail for a domain. This means spammers must use a domain they control. That's a good start, as it makes white- and blacklisting a lot easier.

However, this isn't enough. A next step would be to require that a host that is delivering mail must be flagged as a designated outgoing SMTP host for the reversed mapping domain name of its IP address. (Which obviously isn't going to happen for Joe Cable or Jane ADSL.)

(There is still an issue with IPv6 though, as here everyone, including consumers, usually runs their own reverse DNS servers.)

> The reality is that the vast majority of email is handed off to a designated
> mail relay (whether we're talking about consumer connections or office
> environments), and if we actually configured connectivity in this matter,
> there wouldn't be a problem.
I don't think cutting off one of the monster's heads will do it (there was spam in the good old days when Windows didn't do IP without installing Trumpet Winsock or something similar). There are other ways to get rid of almost all spam, but apparently for most people the pain isn't bad enough to start using them yet. (I installed SpamAssassin over the weekend, and it caught 50 of 53 overnight spam messages. My client caught the remaining 3, no false positives.)
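The two DNS-based checks sketched in this message (a per-domain list of hosts permitted to deliver its mail, plus a flag on the sending host's reverse-mapped name marking it as a designated outgoing SMTP host) can be modelled as a small receiving-side policy. The following is an added example written for this archive page, not code from the thread or from any mail software; the record names, the lookup tables and the sample addresses are all constructed for illustration, and no real record syntax is used.

```python
import ipaddress

# Constructed stand-in for the "new records in the DNS" the message describes:
# domain -> networks permitted to deliver mail claiming that domain.
FORWARD_RECORDS = {
    "example.com": ["192.0.2.0/24", "2001:db8:1::/48"],
    "example.org": ["198.51.100.25/32"],
}

# Constructed PTR data: connecting IP -> reverse-mapped host name.
PTR_RECORDS = {
    "192.0.2.10": "mail.example.com",
    "198.51.100.25": "mx.example.org",
    "203.0.113.77": "cust-77.dsl.isp.example.net",
}

# Constructed flag: hosts whose reverse-name domain marks them as
# designated outgoing SMTP hosts (the second check in the message).
DESIGNATED_OUTGOING = {"mail.example.com", "mx.example.org"}


def forward_check(mail_from_domain: str, client_ip: str) -> str:
    """Is client_ip listed as permitted to deliver mail for mail_from_domain?

    Returns 'pass', 'fail', or 'none' when the domain publishes no list.
    """
    networks = FORWARD_RECORDS.get(mail_from_domain.lower())
    if networks is None:
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for net in networks:
        network = ipaddress.ip_network(net, strict=False)
        # Address family must match before membership is meaningful.
        if addr.version == network.version and addr in network:
            return "pass"
    return "fail"


def reverse_check(client_ip: str) -> str:
    """Is client_ip's reverse-mapped name flagged as a designated outgoing host?

    Returns 'pass', 'fail', or 'no-ptr' when the address has no reverse name.
    """
    name = PTR_RECORDS.get(client_ip)
    if name is None:
        return "no-ptr"
    return "pass" if name.lower() in DESIGNATED_OUTGOING else "fail"


def evaluate(mail_from_domain: str, client_ip: str) -> str:
    """Combine both checks into one accept/reject decision for an SMTP client."""
    fwd = forward_check(mail_from_domain, client_ip)
    if fwd == "fail":
        return "reject: host not permitted to send for " + mail_from_domain
    rev = reverse_check(client_ip)
    if rev != "pass":
        return "reject: host is not a designated outgoing SMTP host (" + rev + ")"
    if fwd == "none":
        return "accept: domain publishes no sender list; reverse check passed"
    return "accept"


if __name__ == "__main__":
    samples = [
        ("example.com", "192.0.2.10"),      # listed host, flagged outgoing host
        ("example.com", "203.0.113.77"),    # consumer address claiming example.com
        ("example.org", "2001:db8:1::5"),   # IPv6 client, domain lists only IPv4
        ("nosuch.example", "198.51.100.25"),  # domain with no list, good reverse
        ("example.com", "192.0.2.11"),      # listed network, but no PTR at all
    ]
    for domain, ip in samples:
        print(domain, ip, "->", evaluate(domain, ip))
```

The reverse check only carries weight when the reverse zone is operated by someone other than the sending host's owner; as the message notes for IPv6, where consumers commonly run their own reverse DNS, the flag is self-asserted and a receiver would have to discount it accordingly.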