On Mon, Aug 26, 2013 at 2:43 PM, Alessandro Vesely <ves...@tana.it> wrote:
> On Mon 26/Aug/2013 10:00:52 +0200 Jan Ingvoldstad wrote:
> > One reason for this is that compromised computers can then effectively
> be
> > taken out of circulation by the ISP.
>
> Not for local networks using NAT. The ISP can only disconnect the whole
> bunch, assuming there is no redundant link.
>
The ISP can selectively block services. For instance, Telenor would block
most services except web and POP for users who have had severely
compromised computers/networks, and also provide written notification about
the block and reasons for it. Business customers may be handled
differently, depending on the problem.
And yes, for the cases where people hide behind NAT, that will effect the
entire block.
However, this is what I would consider an "incentive" for the one
essentially providing hosting services to others, to get their house in
order. When you choose to be an ISP middle man for other people, you must
also be prepared to take the problems that come with it. If you hide your
"customers" from your ISP by using NAT, this is not the ISP's problem. It
is your own problem.
>
> > The ISP has the means to know exactly which customer it is that has a
> > compromised computer, and deal with it appropriately.
>
> This might be a question of size, as tiny mailbox providers usually know
> their customers personally (e.g. can reach them by phone.)
>
Norway's largest ISP keeps tabs on this, and so can the third largest. I
don't know about the others.
Granted, they only have 1-2 million customers (in Norway), so it may be
different for larger hosting companies.
The largest ISP (Telenor) does so by requiring a specific login for the
internet connection. This is something they introduced several years ago,
before they became an international hosting company.
Others know which DSL or cable modem the user is supposed to have, as well
as the termination point, requiring the user to re-activate (different
procedures with different companies) if they take a modem and move it to
another building.
My guess is that the smaller hosting companies cut more corners and know
less about their customers than the large ones do.
Introducing such measures is far harder if you didn't think about it in the
first place, of course, so I wouldn't be surprised if large hosting
companies are completely ignorant about their network topology as extended
to the user's modem/router.
>
> > So while you, as an ISP, may not necessarily have been able to verify
> > senders, you had the effective means to deal with spammers and other,
> > criminal activity.
>
> People can use TOR to hide almost everything else they do.
>
Yes, and they could use TOR to control a botnet to send personal e-mail
from a different IP address for each message for the rest of their lives.
Are those even interesting use cases to consider? I think this is a
horrible digression.
> > It is also quite sensible that e-mail is handled as close to the point of
> > origin as possible.
>
> According towhat topology?
>
The ISP would probably know their network topology, or be severely
incompetent.
>
> > External SMTP services should preferably be used when
> > roaming (in a broader sense than mobile phone roaming), since it has a
> > pretty high risk of reducing reliability and performance.
>
> Yes. Some user just use occasional ISPs for setting up a VPN to their
> office.
>
And then, presumably, that office has either an internal SMTP server, or an
SMTP server with the office's ISP, or the office's ISP provides a smarthost.
>
> > I understand your arguments, though, but even so, many of them can be
> > applied also to an external SMTP provider.
>
> Except for trust. Clients need to trust their mailbox providers, which
> store personal files, while there is no need to trust an ISP, so long as
> service levels are honored.
>
I think there is good reason to need to trust both kinds of providers.
Also, some ISPs block SMTP access to other servers than their own. This is
probably due to spamming problems; the ISP cannot know whether an
authenticated access to an external server is an abused account or not, but
they can keep tabs on their own users and perform a certain level of
control.
This all boils down to not just technical clue, but philosophy within each
company.
I think it is unwise to assume that all SMTP access providers will provide
the same kind of SMTP access, just as it would be to assume that all ISPs
do.
They don't, and probably won't even after Microsoft has world domination.
> > Ideally, there would be decent mechanisms in place, but there are not,
> and
> > things like SPF and DKIM regrettably do not matter at all in anti-spam
> > measures – lots of the spam I see at work pass SPF and DKIM validation.
>
> True, more work is needed in order to use authentication effectively.
>
That is an understatement.
Authentication works today by effectively ignoring the difference between
authentication and authorization. A user is assumed to be authenticated and
authorized by the same criteria.
This is not easy to fix.
I'll stop rambling now, because I think I'm way off topic.
--
Jan
------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and
AppDynamics. Performance Central is your source for news, insights,
analysis and resources for efficient Application Performance Management.
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
