-------- Original Message --------
> Date: Sat, 25 Aug 2007 13:25:42 +0200
> From: Elias Oltmanns <[EMAIL PROTECTED]>
> To: Daniel Rose <[EMAIL PROTECTED]>
> CC: [email protected]
> Subject: Re: [dspam-users] [RFC] Signature leakage and its consequences
>
> Daniel Rose <[EMAIL PROTECTED]> wrote:
> > I wrote:
> >>> This is not especially difficult really, and it may be best practice and so on and so forth, but most ISPs don't do this.
> >>>
> > [EMAIL PROTECTED] wrote:
> >
> >> If they don't do that, then what are they doing? How do they prevent other users from misusing their servers for sending mail? If they don't do some kind of authentication then they are an open relay.
> >>
> >
> > I see the typical ISP SMTP setup here is a host or hosts, which will relay all email to the ISP's domain, and relay all email to all domains, provided the connection is from their IP address pool.
> >
> > IOW, their customers do indeed get a relay, because they need one to send email, but it's not open, it's only for the IP addresses of the ISP's customers. I haven't come across an ISP before who forces authentication to send email; however some block port 25 out, and some block port 25 in/out of the customer address pool.
>
> In Germany, and in other European countries too, freemailers are quite popular. Typically they just provide you with an email account, well, often some other services too, but it's quite common that they aren't internet access providers themselves. That's why they can't restrict access to their servers to a certain IP address pool and have to enforce other means of authentication. As I said, these services are quite popular because they are free of charge and you keep your email address even if you change your internet access provider. In exchange, they usually add their ads in a footer to your outgoing emails which can be considered another kind of (mini) spam. But people have grown used to it, as they have to pop after smtp or smtp auth for that matter.
> This is just one example.

Imagine those (like me) offering hosting, managed services, etc. I need to authenticate the users. There is no way around it. Trust is a two way road.

I need to trust that on the other end there is someone I know and they need to trust that on their other end is someone they trust (me or my infrastructure with certificates (if they want the highest trust)).

BTW: I am from Switzerland and I don't know any of the big ISPs here (nor the small ones) offering mail relay for their customers without authentication. And to be honest: I like that. Without this authentication the bot/virus/trojans/etc problem would be much higher. But with authentication the problem is minimized. Okay. Not totally prevented but at least it is one way into the right direction.

> >
> > Now I haven't done or read of an audit of the hundreds of Aussie ISPs, but I know that the telstra, optus, aapt, iinet and a few other smaller ISPs all don't enforce auth for their users to send email.
>
> I know that T-Online did have an open relay for its customers in the old days but that's no longer the case.
>

Here in Switzerland the same. Swisscom/Bluewin, CableCom, Sunrise, Tele2, Green, Tiscali/VTX, etc. None of them offers free unauthenticated mail relay.

> Especially if you don't use dsl, you don't need to register with a service provider to get access to the internet. There are least cost routers and other sources of information as to which provider charges you how much at what time and tell you the number to dial in order to connect. As you can well imagine, this is not exactly the way to establish a close relationship between service provider and customer which is why they don't offer open relays even for their own IP address pools.
>
> [...]
> >> This would be a mess if I would allow them to send unauthenticated mails over the server. I would be in no time on some blocking list and this is what I want to prevent.
> >
> > Authentication doesn't stop your users sending spam. It stops many bots though, but if John Doe wants to send the spam he still can, and your server will still get blocklisted. Of course, he might get arrested later, but that's not the point here. I'm intrigued that you find it so likely that your subscribers would be a source of spam without authentication.
>
> Well, I don't know about Steve, but if he doesn't provide access to the internet for his customers but *just* email accounts, authentication is the only means to identify his customers.
>

I offer that as well but it is mostly SDSL or a fixed line. No ADSL/VDSL, dialup, etc... And still I enforce authentication. And I don't allow my customers to send mail in whatever name they like. Take for example this:

Domain: example.com
User: [EMAIL PROTECTED]

Now assume this user is on my infrastructure and I host his domain. I will NOT allow him to send mail in the name of "[EMAIL PROTECTED]". No way! Authenticated or not. He is not "[EMAIL PROTECTED]" and end of story.

And the laws in Switzerland have changed this year. Spamming is now officially a criminal act. And I am not going to support someone doing a criminal act. If he wants to spam users out there with his domain, then this is fine with me in the first place. But I will terminate his account with us. I don't want to host a spammer. There exist other ISPs/NSPs doing that. They are better suited for that. But I am the wrong one for that. My moral prevents me from supporting this.

On the other hand I have to confess that I have one customer which is a marketing company. You can not imagine what troubles we sometimes have because they send thousands of mails out. But they do it on an opt-in level. The stuff they send are newsletters and that kind. As long as the end receiver asked to get that information and as long as the marketing company is following Swiss law I will not terminate their account. Even if it is sometimes hard for me as their service provider.

I am puzzled to see that down under everyone could send mail without authentication.

> Besides, this way they can even log into their accounts regardless whether they are at home, at work or somewhere else.
>

Correct. They can be everywhere and still send mail over the server. It is as well the only way to go in the future. I have SPF and DKIM active on the servers. If my users could send from any damn server out there a mail having a domain I run on my server, then I would be not so happy. On the other hand: They could try it. Any MTA setup out there checking SPF records will see that the mail is coming from an unauthorized source and drop the mail.

Today trust is very important. I think that techniques like senderbase.org is something which will get stronger and stronger. And DKIM/SPF/SenderID/etc is helping to get us quicker and better there.

So yes! I want authentication. Yes! I enforce it! It is my duty as a service provider and as a net citizen to explore and use the best technology I can. And authentication is no big deal. It is no problem at all. The user is anyway authenticating when downloading mail. Activating one single check box and saying "Yes. I want authentication on SMTP and please use the same credential as for my POP3/IMAP4." is no big deal. I have yet to see a mail client not supporting this (Okay. IBM Notes below ND8 has this problem but there are tools to get it working even with < ND8).

> And as I said before, most of them won't mind authentication anyway as they're used to it already.
>

They do it already when they download or read mail. So what is the big problem doing it when sending mail?

> Regards,
>
> Elias
>

Steve
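Steve's point above, that a receiving MTA which checks SPF will treat mail for his hosted domain sent from an arbitrary server as coming from an unauthorized source, as an added illustration that is not part of this thread: a minimal SPF evaluator in Python. The TXT records are a constructed, hypothetical stand-in for live DNS, and only the ip4/ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains, offline).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.isp.example -all",
    "_spf.isp.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate the SPF record of the MAIL FROM domain against the IP that
    connected to us. Returns pass, fail, softfail, neutral, none or permerror
    (the RFC 7208 result names); temperror does not arise with static data."""
    if depth > 10:                       # RFC 7208 limit on DNS-causing terms
        return "permerror"
    record = records.get(sender_domain)
    if record is None or not record.split()[0] == "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:        # explicit qualifier, e.g. "-all"
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # mismatched address families simply do not match
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            inner = check_spf(arg, client_ip, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"           # mechanism not implemented here
    return "neutral"                     # no term matched, no "all" present


def mta_decision(sender_domain, client_ip, records=SPF_RECORDS):
    """What a strict receiving MTA does with the result: reject on hard fail."""
    result = check_spf(sender_domain, client_ip, records)
    return ("reject" if result == "fail" else "accept", result)


if __name__ == "__main__":
    # A user of example.com sending through an unrelated host (constructed IP).
    print(mta_decision("example.com", "203.0.113.7"))
```

The example goes a little beyond the thread's single case: the include mechanism shows how a provider's shared relay range is authorized, while the stray 203.0.113.7 client is the "arbitrary server" Steve describes and is rejected.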
