Daniel Rose <[EMAIL PROTECTED]> wrote: > I wrote: >>> This is not especially difficult really, and it may be best >>> practice and so on and so forth, but most ISPs don't do this. >>> > [EMAIL PROTECTED] wrote: > >> If they don't do that, then what are they doing? How do they prevent >> other users to misuse their servers for sending mail? If they don't >> do some kind of authentication then they are a open relay. >> > > I see the typical ISP SMTP setup here is a host or hosts, which will > relay all email to the ISP's domain, and relay all email to all > domains, provided the connection is from their IP address pool. > > IOW, their customers do indeed get a relay, because they need one to > send email, but it's not open, it's only for the IP addresses of the > ISP's customers. I haven't come across an ISP before who forces > authentication to send email; however some block port 25 out, and some > block port 25 in/out of the customer address pool.
In Germany, and in other European countries too, freemailers are quite popular. Typically they just provide you with an email account, well, often some other services too, but its quite common that they aren't internet access providers themselves. That's why they can't restrict access to their servers to a certain IP address pool and have to enforce other means of authentication. As I said, these services are quite popular because they are free of charge and you keep your email address even if you change your internet access provider. In exchange, they usually add their ads in a footer to your outgoing emails which can be considered another kind of (mini) spam. But people have grown used to it, as they have to pep after smtp or smtp auth for that matter. > > Now I haven't done or read of an audit of the hundreds of Aussie ISPs, > but I know that the telstra, optus, aapt, iinet and a few other > smaller ISPs all don't enforce auth for their users to send email. I know that T-Online did have an open relay for its customers in the old days but thats no longer the case. Especially if you don't use dsl, you don't need to register with a service provider to get access to the internet. There are least cost routers and other sources of information as to which provider charges you how much at what time and tell you the number to dial in order to connect. As you can well imagine, this is not exactly the way to establish a close relationship between service provider and customer which is why they don't offer open relays even for their own IP address pools. [...] >> This would be a mess if I would allow them to send unauthenticated >> mails over the server. I would be in no time on some blocking list >> and this is what I want to prevent. > > Authentication doesn't stop your users sending spam. It stops many > bots though, but if John Doe wants to send the spam he still can, and > your server will still get blocklisted. Of course, he might get > arrested later, but that's not the point here. I'm intruiged that you > find it so likely that your subscribers would be a source of spam > without authentication. Well, I don't know about Steve, but if he doesn't provide access to the internet for his customers but *just* email accounts, authentication is the only means to identify his customers. Besides, this way they can even log into their accounts regardless whether they are at home, at work or somewhere else. And as I said before, most of them won't mind authentication anyway as they're used to it already. Regards, Elias
