----- Original Message ----- From: "Lucas Holt" <[EMAIL PROTECTED]>
To: "Doug Poland" <[EMAIL PROTECTED]>
Cc: "Nicole" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, August 06, 2003 10:24 PM
Subject: Re: ISPs blocking SMTP connections from dynamic IP address space
>> You guys need to rethink this thing. Reverse DNS checks are OK, but IP blocking for legitimate servers is silly.
> I agree. You guys really need to rethink this. My turn to vent. :)
> For starters, what is "dynamic IP address space" anyway? You would think dial-up accounts or, at the very least, accounts that get their IP address assigned from a dynamic IP address pool. Yet, reading this thread, "dynamic IP address space" basically seems to mean: everyone who is not a major ISP. There are many things wrong with that simplistic reasoning.
Dynamic IP space is netblocks which the ISP controlling them has marked as part of its dynamic IP pool. In fact, 90% of dynamic space is major ISPs' (dial-up blocks, DSL and cable modems). Very few small ISPs tag their DHCP pools as dynamic.
> For one, just because whois.arin.net says a netblock is a "dynamic" address pool does not mean IP addresses assigned to customers are, de facto, dynamic. In fact, especially with high-speed DSL accounts, the opposite is true: people get assigned what to them, and to the world at large, for all intents and purposes, is a static IP address. In exchange for money, their ISP grants them the exclusive use of a fixed IP address. They register domain names on that IP address, and continue to use that one, unchanging IP address for all interactions with the world. Literally thousands of legitimate servers across the world run on such a (set of) static IP address(es), regardless of what their netblock, high up in the ARIN, or kindred, hierarchy, is marked down as.
Just because you have a high-speed connection with a stable or static IP doesn't mean it's not dynamic. Dynamic simply means assigned by DHCP or RADIUS (for dial-up and some DSL). If you're in this space you should be relaying through your ISP's mail server. 90% of people in this space are precluded from running server daemons by their AUP anyway.
> When you force all people to use their ISP's SMTP server(s), you funnel, as it were, a great number of clients through a single pinhole. Should that one pinhole become blacklisted/blocked, then suddenly thousands of people, en masse, can no longer send mail. Is that likely to occur? Yes. Because spam will also be sent through that same pinhole. AOL will likely cancel the account of the spammer; but spam will nonetheless have been sent through that one pinhole. And then what? Then you are faced with an uncomfortable choice: either I block the AOL SMTP servers altogether, or I let them through entirely. What you have lost then, in effect, is the ability to discriminate. So, what then? You will whitelist the AOL SMTP servers? That would be stupid. :) Because if there is only one pinhole, whitelisting that one pinhole is tantamount to giving all spammers a huge "passe-partout". And since, by your own act of narrow-sightedness, you have chosen to only deal with that one pinhole, you can no longer tell chaff from grain. Way to go, Einstein!
Never read a header? Most of that so-called 'Hotmail' or 'AOL' spam doesn't come from either; it either comes from overseas or from that 'dynamic' space you're defending. (How much spam comes from IPs that reverse to UUNET RAS servers? A damned lot, although not usually from actual UUNET customers, but rather from a third-party customer on a free or one-shot account.) Blackholing AOL or Hotmail isn't going to appreciably affect your receipt of spam, since so little spam actually originates there.
> Perhaps the greatest fallacy of them all: the ludicrous assumption that large ISPs do not spam. :) The largest sources of spam, their hypocrisy notwithstanding, are precisely those big ISPs, like AOL and Hotmail, to whom you can write until you are blue in the face, but who do not give a damn, because they are big and know it.
The dynamic space we're talking about usually comes from big ISPs. Small ISPs don't tag space as dynamic.
> Do not be lazy; because you are. :) I know, I have been tempted too, many times, to just block Hotmail altogether, and so cut out 70% of all spam. Yet that would be laziness, really.
No, it simply won't work. Maybe it would have in 1998, but Hotmail doesn't originate much spam anymore, even if the header is forged to indicate it came from Hotmail.
> Taking the easy route, like blocking everything you think is "dynamic" address space, is really just laziness on your part. It is you saying: "I can no longer be bothered to figure out who is legit and who is not, so I will just block everything." That is bad administration. Crying, "But SOMETHING needs to be done about spam, therefore I am right," is not a valid argument either. :) Sure, SOMETHING needs to be done about spam. But blocking thousands of legitimate servers across the world, just because you are lazy, is not the solution. Be meticulous in who you block, and be specific.
If you've got a business connection and a 'dynamic' IP, complain to your ISP. Blocking 'dynamic' space, and thus the multitude of idiots with exploited Windoze boxes on their cable/DSL connections, is quite effective, probably more so than using SPEWS (which is notorious for blocking non-offenders).
> Simply configuring your mail server to use your ISP's SMTP server as smarthost, and relaying all outgoing email through them, is not as transparent and benign a solution as suggested. You lose control over the way mail is delivered/bounced, for instance.
You don't have as much control as you think; this is just adding one extra hop to the usual 2-3 hops that your mail is going to take anyway. If you can't live with that, get a T1.
> All of a sudden your clients get bounce messages from the postmaster of your ISP, instead of from you directly -- with all the ensuing confusion to boot. Can the freebsd.org people look me in the eye, and really say they would not mind having AOL deliver their mail for them, as smarthost? Honestly, nobody likes to be "in ward" like that. It is as if your ISP were to tell you, one day, that you can no longer provide an IHAVE newsfeed, but have to use their news server's POST command. Yeah, right. :) I have yet to encounter an administrator who would not mind yielding to such condescension.
Get another ISP then.
> The main purpose of a mail exchanger is to exchange mail. :) Perhaps the focus on spam has caused it, but many people look at this backwards: as the administrator of your mail facility, your primary task is NOT to block illegitimate mail, but to facilitate the flow of legitimate mail. If you can do the former, kudos to you; but if you do it at great expense of the latter, then you should not be commended. What is that, you say? Omelets and breaking a few eggs? Sabotaging large parts of the Internet does not an omelet make; in fact, you will only have done precisely that: broken things.
When spam eats so many resources that it impairs regular mail delivery, blocking it becomes a very large part of one's job, to ensure that spam no longer affects mail delivery. Blocking people who run MTAs in spite of their AUP is part of that, and effective to boot. The few legit sites that get blocked in the process are the broken eggs, and not really a problem.
> You guys really need to rethink this.
I suggest you rethink your position.
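Both sides above accept a reverse DNS check as reasonable while disagreeing about blanket blocking of "dynamic" netblocks. The following is an added example, not code from anyone in this thread: it separates the forward-confirmed reverse DNS test from the "does the PTR name look like a consumer pool entry" heuristic, so that the two can be given different policy outcomes. DNS data, hostnames and the list of pool-like labels are constructed assumptions of the example.

```python
import re
from ipaddress import ip_address

# Constructed DNS data standing in for live PTR/A lookups so the example runs
# offline. Addresses are RFC 5737 documentation ranges; hostnames are invented.
PTR_RECORDS = {
    "203.0.113.10": "mail.example.net.",
    "198.51.100.77": "cpe-198-51-100-77.dsl.example-isp.net.",
    "192.0.2.5": None,                 # no PTR record at all
    "192.0.2.9": "mx.example.org.",    # PTR exists, forward lookup disagrees
}
A_RECORDS = {
    "mail.example.net.": {"203.0.113.10"},
    "cpe-198-51-100-77.dsl.example-isp.net.": {"198.51.100.77"},
    "mx.example.org.": {"192.0.2.99"},
}

# Labels ISPs commonly use for consumer pools. This list is an assumption of
# the example, not an authoritative one; tune it from your own logs.
DYNAMIC_LABELS = re.compile(
    r"(^|[.-])(dsl|cable|dyn|dynamic|pool|dhcp|ppp|dialup|cpe|ras)([.-]|$)", re.I)


def has_address_in_name(ip: str, name: str) -> bool:
    """True if the PTR name embeds the client's own octets (e.g. cpe-198-51-100-77)."""
    octets = str(ip_address(ip)).split(".")
    pattern = r"(?<!\d)" + r"[.-]?".join(map(re.escape, octets)) + r"(?!\d)"
    return re.search(pattern, name) is not None


def classify(ip: str, ptr=PTR_RECORDS, fwd=A_RECORDS) -> str:
    """Classify an SMTP client by forward-confirmed reverse DNS and name shape."""
    name = ptr.get(ip)
    if not name:
        return "no-rdns"            # reverse lookup returns nothing
    if ip not in fwd.get(name, set()):
        return "rdns-unconfirmed"   # PTR name does not resolve back to the client
    if DYNAMIC_LABELS.search(name) or has_address_in_name(ip, name):
        return "dynamic-looking"    # FCrDNS passes, but the name looks like a pool entry
    return "ok"


# Policy: hard-fail only what the reverse DNS check itself fails; a pool-looking
# name is kept as a separate signal so local policy can decide on it.
ACTIONS = {"no-rdns": "reject", "rdns-unconfirmed": "reject",
           "dynamic-looking": "greylist", "ok": "accept"}


def smtp_policy(ip: str) -> str:
    return ACTIONS[classify(ip)]
```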
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"