[13161] in North American Network Operators' Group
Re: Spam Control Considered Harmful
daemon@ATHENA.MIT.EDU (Jay R. Ashworth)
Wed Oct 29 23:30:35 1997
Date: Wed, 29 Oct 1997 23:20:52 -0500
From: "Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us>
To: "John A. Tamplin" <jat@traveller.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.A32.3.91.971029214748.28336b-100000@cyclone.traveller.com>; from "John A. Tamplin" <jat@traveller.com> on Wed, Oct 29, 1997 at 09:53:52PM -0600
On Wed, Oct 29, 1997 at 09:53:52PM -0600, John A. Tamplin wrote:
> > This is roughly akin, though, isn't it, John, to the cache pollution
> > problems that make it pretty much a requirement to run 2 separate
> > nameservers: one for recursion and caching, and the other to be
> > authoritative?
> >
> > Run a separate relay server, with some authentication, for users
> > connecting from outside your AS.
>
> The point is there can be no useful authentication for outgoing email if
> you don't block it by IP address. However, that is a discussion about
> blocking spam relay, not about blocking outgoing SMTP. If we install a
> filter at the router that blocks all traffic from dialup connections to
> port 25 anywhere else, then it doesn't matter how many servers we run they
> can't get to another SMTP server, even if they are supposed to be doing it.

Oh, ok. Sorry. Right. I misread the other gentleman's suggestion.

> > Hold it. Didn't you just say the opposite above?
>
> He offered an example of a customer that has dialup access to two ISPs,
> and wants to connect to the SMTP server of the one he isn't currently
> connected to. Because of the relay blocking that we and all the other ISPs
> in town implement (and hopefully ISPs elsewhere), the customer can't do that
> anyway.

Right. Got it.

> What I said above is that there are other examples that our customers expect
> to work, specifically connecting to an SMTP server at work or connecting to
> a virtual domain hosted at another ISP (in our case it is primarily the
> vdom user dialup into another ISP and accessing the site here), that is
> why we can't block all traffic from dialup to port 25 anywhere.

Rog. On deck now.

> I think you are confusing the issue of blocking unauthorized relay access
> to your SMTP server, which is easy to do based on CIDR blocks, with that of
> preventing dialup customers from relaying through the SMTP servers of others.
> The difficulty in the latter is finding a way to determine what SMTP servers
> they are supposed to have access to and then implementing that in a router
> access list.

Right. Of course, that's a Small Matter of Administration.
:-)

Cheers,
-- jra
--
Jay R. Ashworth                                                jra@baylink.com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "Pedantry. It's not just a job, it's an
Tampa Bay, Florida          adventure." -- someone on AFU      +1 813 790 7592
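
The two checks the quoted text distinguishes, as an added Python example that is not part of the original message: the relay decision an ISP's own SMTP server makes from CIDR blocks, and the router-side egress decision for dialup traffic to port 25. Every address, domain and name here is a constructed assumption (RFC 5737 documentation ranges), and the allow-list of outside SMTP servers is exactly the part that has to be administered by hand.

```python
import ipaddress

# All values below are constructed for illustration (RFC 5737 ranges).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
LOCAL_DOMAINS = {"isp.example", "vdom.example"}        # domains we deliver for
DIALUP_POOL = ipaddress.ip_network("198.51.100.0/25")  # our dialup ports
# SMTP servers dialup users may reach directly: our own hub plus one
# customer's mail server at work (hypothetical entries).
SMTP_ALLOWED = [ipaddress.ip_network(n) for n in ("192.0.2.25/32", "203.0.113.25/32")]


def relay_allowed(client_ip: str, rcpt_domain: str) -> bool:
    """Decision on our own SMTP server: accept this recipient from this client?"""
    if rcpt_domain.lower().rstrip(".") in LOCAL_DOMAINS:
        return True  # final delivery to a hosted domain, not a relay
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in LOCAL_NETS)  # relay only for our own blocks


def egress_permitted(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decision at the router: may this packet leave toward dst?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst_port != 25 or src not in DIALUP_POOL:
        return True  # the filter only concerns dialup -> tcp/25
    return any(dst in net for net in SMTP_ALLOWED)


if __name__ == "__main__":
    # Our customer dialed into another ISP, trying to relay through us: refused.
    print(relay_allowed("203.0.113.7", "elsewhere.example"))
    # The same outside host delivering to a virtual domain we host: accepted.
    print(relay_allowed("203.0.113.7", "vdom.example"))
    # Our dialup user reaching the allow-listed work server, then an unlisted one.
    print(egress_permitted("198.51.100.10", "203.0.113.25", 25))
    print(egress_permitted("198.51.100.10", "203.0.113.99", 25))
```
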