[107402] in North American Network Operators' Group


Re: ingress SMTP

daemon@ATHENA.MIT.EDU (Justin Scott)
Wed Sep 3 11:57:00 2008

Date: Wed, 03 Sep 2008 11:56:51 -0400
From: Justin Scott <jscott@gravityfree.com>
To: nanog@nanog.org
In-Reply-To: <20080903151617.A14277808@relayer.avian.org>
Errors-To: nanog-bounces@nanog.org

> What is preventing this from being an operational no-brainer,
> including making a few exceptions for customers that prove they know
> how to lock down their own mail infrastructure?

As a small player who operates a mail server used by many local 
businesses, this becomes a support issue for admins in our position.  We 
operate an SMTP server of our own that the employees of these various 
companies use from work and at home.  Everything works great until an 
ISP decides to block 25 outbound.  Now our customer cannot reach our 
server, so they call us to complain that they can receive but not send 
e-mail.  We, being somewhat intelligent, have a support process in place 
to walk the customer through the SMTP port change from 25 to one of our 
two alternate ports.

The problem, however, is that the customer simply cannot understand why 
their e-mail worked one day and doesn't the next.  In their eyes the 
system used to work, and now it doesn't, so that must mean that we broke 
it and that we don't know what we're doing.

Your comment about "exceptions for customers that prove they know how to 
lock down" is not based in reality, frankly.  Have you ever tried to 
have Joe Sixpack call BigISP support to ask for an exception to a port 
block on his consumer-class connection with a dynamic IP?  That's a wall 
that I would not be willing to ask my customers to climb over.

Now, having said all that, I do agree that big ISPs should do more to 
prevent spam from originating at their networks.  A basic block of 25 
isn't the solution, in my opinion.  Unfortunately I don't know what is.
Perhaps monitoring the number of outgoing connections on 25 and
temporarily cutting off access if a threshold is reached?  Set it high 
enough and the legitimate users won't notice, but low enough that it 
disrupts the spammers.  Perhaps I'm talking out of my ass and don't have 
a clue.

In any case, I don't believe a blanket block of 25 is the answer.


-Justin Scott, GravityFree
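
The threshold idea floated in the message above (count outgoing port-25 connections and temporarily cut off a source that exceeds a limit), sketched as an added example that is not part of the original post. The class and function names, the 30-per-60-seconds threshold, the 300-second cut-off and the flow records are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SMTP_PORT = 25

class Port25Limiter:
    """Sliding-window count of new outbound TCP/25 connections per source."""

    def __init__(self, threshold, window_s, block_s):
        self.threshold = threshold      # connections allowed per window (assumed value)
        self.window_s = window_s        # window length in seconds
        self.block_s = block_s          # how long the temporary cut-off lasts
        self.recent = defaultdict(deque)  # src -> timestamps inside the window
        self.blocked_until = {}           # src -> time the cut-off expires

    def observe(self, ts, src, dst_port):
        """Return 'allow', 'block' (threshold just crossed) or 'drop' (cut off)."""
        if dst_port != SMTP_PORT:
            return "allow"              # 587 and other ports are never counted
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "drop"
            del self.blocked_until[src]  # cut-off expired, start counting afresh
        q = self.recent[src]
        q.append(ts)
        while q and q[0] <= ts - self.window_s:
            q.popleft()                 # forget connections older than the window
        if len(q) > self.threshold:
            self.blocked_until[src] = ts + self.block_s
            q.clear()
            return "block"
        return "allow"

def replay(flows, limiter):
    """Feed (ts, src, dst_port) records in time order; return (ts, src, action)."""
    return [(ts, src, limiter.observe(ts, src, port)) for ts, src, port in sorted(flows)]

def sample_flows():
    """Constructed records: one mail client, one bulk sender (documentation IPs)."""
    flows = [(t * 20, "192.0.2.10", 25) for t in range(5)]   # 5 messages in 100 s
    flows += [(t, "192.0.2.66", 25) for t in range(40)]      # one connection a second
    flows.append((10, "192.0.2.66", 587))                    # submission port
    flows.append((400, "192.0.2.66", 25))                    # after the cut-off ends
    return flows

if __name__ == "__main__":
    for row in replay(sample_flows(), Port25Limiter(30, 60, 300)):
        if row[2] != "allow":
            print(row)
```
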


