On Mon 26/Aug/2013 10:00:52 +0200 Jan Ingvoldstad wrote: > On Mon, Aug 26, 2013 at 8:44 AM, Matus UHLAR - fantomas wrote: > >> At my former job (an ISP), I recommended users to use SMTP service from >> they >> e-mail providers, because >> - if someone gets paid for mail service, they should provide SMTP too and >> not leave the expense from spam and phish issues onto us >> - it's not possible to verify the sender when we do not have the mailboxes, >> so we can not authenticate and verify the mail address >> - the same applies about SPF and DKIM, only the mailbox provider can be >> responsible for them. > > That's interesting, several external mail service providers recommend the > exact opposite, at least for stationary clients (home computers etc.).
It would be even more interesting to characterize who recommends what. Huge providers like gmail, hotmail, and similar, for example, provide SMTP services. The reasons below are meaningful, but not globally true: > One reason for this is that compromised computers can then effectively be > taken out of circulation by the ISP. Not for local networks using NAT. The ISP can only disconnect the whole bunch, assuming there is no redundant link. > The ISP has the means to know exactly which customer it is that has a > compromised computer, and deal with it appropriately. This might be a question of size, as tiny mailbox providers usually know their customers personally (e.g. can reach them by phone.) > So while you, as an ISP, may not necessarily have been able to verify > senders, you had the effective means to deal with spammers and other, > criminal activity. People can use TOR to hide almost everything else they do. > It is also quite sensible that e-mail is handled as close to the point of > origin as possible. According towhat topology? > External SMTP services should preferably be used when > roaming (in a broader sense than mobile phone roaming), since it has a > pretty high risk of reducing reliability and performance. Yes. Some user just use occasional ISPs for setting up a VPN to their office. > I understand your arguments, though, but even so, many of them can be > applied also to an external SMTP provider. Except for trust. Clients need to trust their mailbox providers, which store personal files, while there is no need to trust an ISP, so long as service levels are honored. > Ideally, there would be decent mechanisms in place, but there are not, and > things like SPF and DKIM regrettably do not matter at all in anti-spam > measures – lots of the spam I see at work pass SPF and DKIM validation. True, more work is needed in order to use authentication effectively. ------------------------------------------------------------------------------ Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk _______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
