[102908] in North American Network Operators' Group

RE: Customer-facing ACLs

daemon@ATHENA.MIT.EDU (Frank Bulk)
Fri Mar 7 17:20:35 2008

Reply-To: <frnkblk@iname.com>
From: "Frank Bulk" <frnkblk@iname.com>
To: <kgasso@visp.net>, "Justin M. Streiner" <streiner@cluebyfour.org>
Cc: "NANOG" <nanog@merit.edu>
In-Reply-To: <47D1A902.50405@visp.net>
Date: Fri, 7 Mar 2008 16:17:14 -0600
Errors-To: owner-nanog@merit.edu


Same concerns here.  Glad to know we're not alone.

I think a transition to blocking outbound SMTP (except for one's own e-mail
servers) would benefit from an education campaign, but perhaps the pain
level is small enough that it can be implemented without.  One could start
doing a subnet block a day to keep the helpdesk people sane, and then apply
a global block at the edge once "done" to catch any subnets that one might
have missed.

Frank

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Kameron Gasso
Sent: Friday, March 07, 2008 2:44 PM
To: Justin M. Streiner
Cc: NANOG
Subject: Re: Customer-facing ACLs


Justin M. Streiner wrote:
> I do recall weighing the merits of extending that to drop outbound SMTP
> to everything except our mail farm, but it wasn't deployed because there
> was a great deal of fear of customer backlash and that it would drive more
> calls into the call center.

This seems to be very common practice these days for larger ISPs/dialup
aggregators using the appropriate RADIUS attributes on supported access
servers.

We generally restrict outbound SMTP on our dial-up users so they may
only reach our hosts (or the mail hosts of our wholesale customers).
Our DSL subscribers, both dynamic and static, are currently unfiltered
-- but we're very quick to react to abuse incidents and apply filters
when necessary until the user cleans up their network.

I'm currently on the fence with regards to filtering SMTP for all of our
dynamic DSL folks.  It'd be nice to prevent abuse before it happens, but
it's a matter of finding the time to integrate the filtering into our
wholesale backend and making sure there aren't any unforeseen issues.

-- Kameron

