Charlie wrote:
> Hi,
> I was wondering how exactly ISPs - that don't require authentication -
> manage to restrict access to their customers only.
> I know that Exim can restrict access by IP address, but IP addresses can be
> spoofed (and very often are spoofed by automated scanners which search for
> SMTP servers that are open in this way).
> How then, do ISPs manage to prevent their servers from being abused?
> In other words, if an ISP only authenticates based on IP address, then
> surely that would leave their server open to abuse.
> The answer to this question will help me a lot.
> Thanks

Simple, really. Though the explanation may be less so.. ;-)

A 'connectivity' ISP is what we are talking about here - specifically an entity that provides (broad)bandwidth. Not all also offer mail services, but most do.

Their customers are connected to their host(s) over a network the ISP controls. Whether that is cable-modem, [a|d]dsl, or fiber to the desktop, all arrivals (with whom we are concerned herein) attach from access points under the control of that ISP - even if routed over intervening contract carriers.

In this environment, all IPs assigned to the almost-always present NAT device are issued from a pool (Allocated Portable) controlled by the connectivity ISP, and traverse only routers they control.

In effect, the customers are 'inside' a ring-fence, hence 'known' to be from those attached to their network and in their billing system, and no others.

Ergo, their system 'knows' which customer is on which assigned-from-pool IP at any given date/time, as the IP may be changed at intervals from 15 minutes (PCCW ADSL PPPoE) to a few times a year.

NB: Examples include PCCW, HKCable (Hong Kong), Comcast, Verizon, SWBell (USA), BTL (UK). IOW - fiber, cable, or telco 'major carriers' with physical outside-plant.

Nothing to do with the MTA, per se - everything to do with the network architecture.

Exceptions - big as they are - include MSN/Hotmail, Gmail, Yahoo, AOL - who ordinarily do NOT provide fiber, cable, or copper to the average residence or business. These have to rely on userid:password auth just as a one-man shop does.

HTH,

Bill
