On Wed, 10 Jul 2002, Theo Van Dinter wrote:
> > Also, ISP's cannot block open relays since this violates 18 USC
> > 2701(A)(2), which prohibits ISP's from blocking authorized email. Some
>
> What do you mean by "authorized email"? Not being an ISP, I haven't
> heard of this before.
Authorized email is email that conforms to the AUP (non-spam,
non-offensive, etc) and that a user would not expect nor want removed.
Some ISP's, Earthlink for example, offer spam filtering as a value-add.
That means they can't filter spam from the email of those that didn't sign
up! (which is useful if you want to monitor spam). Basically, the law
means those users can't be subjected to the filter of "people the admin or
ISP doesn't like". Only spam can be removed. Willfully blocking another
ISP's mail servers because some admins don't like that ISP or because they
are in competition with that ISP isn't spam filtering, and isn't permitted
by law.
> > Also, many of the open relays are operated by ISPs, such as us. I won't
> > explain the many situations where Open Relay is necessary, and why SMTP
> > AUTH is dead, and such. That much is either obvious by now, or you don't
> > need to know it, since you might not ever need open relay yourself.
>
> Well, if you operate an open relay, and I get spam from your mail server,
> you're going to be blocked from sending me (and many others) mail.
You can block spam, of course. And a person can block anything they please
from their own email. It's not until you are an "electronic communications
service provider" with control over other people's email that you have
responsibilities.

You won't get much from our relays, that's for certain. Very little gets
through. It's not impossible to get things through, but not much does.
And we have not had any customer spammers using our relays with
permission. So spam-wise, we are much better than most ISPs.
Since I don't get much spam from open relays via email accounts I have at
other ISP's (who don't block open relays--as I anticipate some might say),
I think that there isn't a lot of open relay abuse, relative to the
amount of spam in general. Occasionally I get spam with relays, or with
apparently obviously forged headers, but those relays don't appear to be
unauthorized. That is, the spam is sent through relays run by the spammer's
ISP. And what is sent through open relays is mostly non-commercial--sent
by antispammers.
There are a number of false claims promoted by the open relay people: It's
tough to argue with these people because then they abuse your servers, so
you don't see much of this disputed on a "spam" forum. But that doesn't
make it true.
1) Open relays are free. I've spoken with a lot of open relay operators,
and none are free. I don't know where these free relays are. I have found
a few non-spammers using our relays without permission. They have said
they found our relay on the 'net. The only places I could find with our
servers were the open relay rbls.
2) Open relays permit spammers to send mail anonymously and to hide their
identity. I haven't seen any of these either. I'm old enough to remember
when sendmail didn't log the originator, but that ended back in '92 or so.
There aren't any of those servers around anymore.
3) Open relays aren't necessary. While they aren't necessary for everyone,
they are still necessary.
Most ISPs don't "advertise" that they have open relays, because that
attracts abuse from the open relay people. It's usually a closely guarded
secret. I think our protection is better than most, but I probably don't
want to let out what that is. But our abuse still jumps up during/after
discussion with this sort of "anti-spammers".
> There is no good reason to allow open relays in this day and age.
> If you're looking to let "customers" (actual customers or employees)
> relay through your server, that's fine, there are many ways to allow
> selective relaying such as the relay after pop/imap schemes.
Actually, there are plenty of reasons. What it comes down to is can open
relay be protected from abuse, and the answer is yes. The abusers are
known, and operate with known methods that can be disrupted.
Consider these:

Customer has leased line from us.
They have mail outsourced to company X
Company X permits relay only for its access customers.
Customer doesn't want own mail server (hence the outsourcing)
We provide customer with open relay.
SMTP Auth won't work since multiple accounts needed with multiple
providers. Pop before SMTP won't work because we don't own Pop servers.

Next consider:

Customer has 500 employees spread over 3 states. Some employees access via
whatever dialup/dsl/etc convenient. Main office has leased line from us.
Customer wants backup domain service for its domain on our servers. We
won't have accounts for all employees. We just queue any mail for that
domain until their servers come up.
We provide open relay for that customer.

Next consider:

Customer has leased line from us.
Customer has own mail server.
Customer has employees who travel, use their client's access, but want to
send mail with their domain, not client's domain to make sure replies go to
them not client.
Customer needs open relay, but doesn't want hassle of protecting open
relay server.
We provide customer with open relay.

Next consider:

Customer has DSL Line from provider Vzn
Vzn doesn't give static IP
Vzn doesn't allow relay for non-vzn domain.
We provide open relay for Customer.
In this case, if the customer is one or two people, SMTP Auth could be
used, or a web client could be used. More than that and it's impractical,
and stupid if you already have open relay.
And lastly, the FAA and perhaps other government agencies operate open
relays. If you look at the RSS site closely, you'll find that they
scanned the FAA server, and one week later said that they would stop
scanning. While they are still actually scanning (they've scanned us a
couple times since the announcement), it is illegal to scan a non-public
government computer. The computer they list isn't an faa.gov mx server,
rather it appears to be a private computer for use by FAA employees. I
suspect the announcement was prompted by contact from an FAA lawyer.
Note that domain restrictions are still open relay. The only way to
"close" open relay is by address restrictions, smtp auth, or pop before
smtp.
The Netscape crew that invented SMTP Auth was repudiated when Time Warner
declared (after much struggle) that the system they built wasn't suitable
for business use. Their concept of email service just isn't suitable for
everyone. SMTP auth is likewise dead. I know of 2 or 3 ISP's that offer
it now, but none that plan to offer it in the future.
SMTP is client-server and server-to-server. The SMTP Auth and Pop before
SMTP have built in assumptions about a consumer/end user usage
(client-server) model. SMTP Auth is client-server only. This doesn't work
in general. So either you have strong control over the user mail client,
or you don't. If you have strong control, you don't need SMTP Auth, (you
might not even need SMTP for clients--Hotmail, AOL, etc) and it offers
little benefit. If you don't have such control, then lack of SMTP Auth
clients and limitations on usage models make it unsuitable.
So you will always need an open relay or you will need to stay out of
certain markets. Those that are out of certain markets and don't need
open relay, also don't need SMTP Auth. If you are in certain markets, SMTP
Auth won't do the job. Deploying SMTP Auth is a waste of time and money
for the ISP. SMTP auth is dead. Well, nothing ever completely dies.
People still run Novell and Banyan, and VMS.
> Good, there's at least something we can agree on -- use content based
> filtering! I can see you've had bad experience with some set of black
> lists (there are more than just open relay lists of course,) but that's
> not a reason to discredit them all.
I don't discredit all black lists. Just the ones that purport to be open
relay blockers. I have yet to see a list that advertises itself as such
and not be an abuser itself.
> A few quick stats since Sunday morning:
>
> 609 (100%) Total blocked messages at SMTP level
> ---
> 293 ( 48%) Blocked by open relay blacklists
> 316 ( 52%) Blocked by other filtering (mostly accessdb)
I'll bet most of the 293 were actually generated by the open relay people.
We reverse scan the spammers. One fairly recent scan was of a machine that
was listed as an open relay. However, it wasn't a relay at all. It had a
bogus domain setup, and although it had an smtp port, didn't even relay
when I tried. It wasn't a mail server, and it wasn't "recently closed". It
was likely rooted by the open relay people, and used to send crap
conveniently blocked by subscribers, and conveniently annoying to
non-subscribers.
Also, the open relay rbls are frequently revenge lists. This is why
ORBS.org was shut down. It listed an ISP that Alan Brown just disliked. It
didn't operate open relays at all. It sued and won, though that wasn't why
ORBS was shut. ORBS was shut for contempt of court, when it published its
list to ORDB and ORBZ.
--Dean