Re: Outgoing SMTP Servers

2011-10-25 Thread William Herrin
On Tue, Oct 25, 2011 at 12:29 AM, Dennis Burgess dmburg...@linktechs.net wrote: I am curious about what network operators are doing with outbound SMTP traffic. In the past few weeks we have run into over 10 providers, mostly local providers, which block outbound SMTP and require the users to

RE: Outgoing SMTP Servers

2011-10-25 Thread Tim
This sadly is very common. It is getting more common by the day, it seems, but this practice started almost a decade ago. An easy workaround is to use a custom port as they seem to just block port 25 as a bad port but leave just about everything else open including 2525 which seems to be a

Re: Outgoing SMTP Servers

2011-10-25 Thread Dave CROCKER
On 10/25/2011 8:13 AM, William Herrin wrote: Blocking outbound TCP SYN packets on port 25 from non-servers is considered a BEST PRACTICE ... The SMTP submission port (TCP 587) is authenticated and should generally not be blocked. Email Submission Operations: Access and Accountability

Re: Outgoing SMTP Servers

2011-10-25 Thread Owen DeLong
On Oct 24, 2011, at 10:27 PM, Mikael Abrahamsson wrote: On Mon, 24 Oct 2011, Dennis Burgess wrote: I am curious about what network operators are doing with outbound SMTP traffic. Block all TCP/25 and require users to use submit with authentication on TCP/587. If they are using

Re: Outgoing SMTP Servers

2011-10-25 Thread Aftab Siddiqui
Blocking port/25 is a common practice (!= best practice) for home users/consumers because it makes life a bit simpler in educating the end user. ripe-409 gives somewhat of a glimpse of best practice, not sure how many implement it that way. Regards, Aftab A. Siddiqui On Tue, Oct 25, 2011 at 2:35

Re: Outgoing SMTP Servers

2011-10-25 Thread Owen DeLong
On Oct 24, 2011, at 11:13 PM, William Herrin wrote: On Tue, Oct 25, 2011 at 12:29 AM, Dennis Burgess dmburg...@linktechs.net wrote: I am curious about what network operators are doing with outbound SMTP traffic. In the past few weeks we have run into over 10 providers, mostly local

Re: Outgoing SMTP Servers

2011-10-25 Thread Jeroen Massar
On 2011-10-25 11:49 , Owen DeLong wrote: [..] With this combination, I have not encountered a hotel, airport lounge, or other poorly run environment from which I cannot send mail through my home server from my laptop/ipad/iphone/etc. Ever heard of this magical thing called a VPN? :) Indeed,

Re: Outgoing SMTP Servers

2011-10-25 Thread Owen DeLong
On Oct 25, 2011, at 3:04 AM, Jeroen Massar wrote: On 2011-10-25 11:49 , Owen DeLong wrote: [..] With this combination, I have not encountered a hotel, airport lounge, or other poorly run environment from which I cannot send mail through my home server from my laptop/ipad/iphone/etc. Ever

Re: Outgoing SMTP Servers

2011-10-25 Thread Valdis . Kletnieks
On Tue, 25 Oct 2011 02:35:31 PDT, Owen DeLong said: If they are using someone else's mail server for outbound, how, exactly do you control whether or not they use AUTH in the process? 1) You don't even really *care* if they do or not, because... 2) if some other site is running with an

Re: Outgoing SMTP Servers

2011-10-25 Thread Jeroen Massar
On 2011-10-25 12:20 , Owen DeLong wrote: On Oct 25, 2011, at 3:04 AM, Jeroen Massar wrote: On 2011-10-25 11:49 , Owen DeLong wrote: [..] With this combination, I have not encountered a hotel, airport lounge, or other poorly run environment from which I cannot send mail through my home

the route is not in our bgprouter

2011-10-25 Thread Deric Kwok
Hi, when we try to reach an outside IP, the route is not in our BGP router. How can we check whether it is not being advertised from our upstream to us? Can any web site or tools help? Thank you

Re: Outgoing SMTP Servers

2011-10-25 Thread Bjørn Mork
Owen DeLong o...@delong.com writes: It's both unacceptable in my opinion and common. There are even those misguided souls that will tell you it is best practice, though general agreement, even among them seems to be that only 25/tcp should be blocked and that 465 and 587 should not be

ARIN and Legacy IPv4 Assignement from CA*Net (Canarie)

2011-10-25 Thread Alain Hebert
Hi, From what we've been seeing there are a lot of those legacy assignments about to be freed. ( Yeah! ) We're having some issues with a few Legacy that were mis-assigned when transferred from CA*Net to ARIN back in the day. ( We kept the control on them since we had access to

Re: the route is not in our bgprouter

2011-10-25 Thread Patrick Sumby
If your provider has a looking glass then that is a good start to see if they have the route in their routing tables. http://www.traceroute.org/ is a good start for searching for a looking glass on their website. Have you checked to see if you're actually receiving the route? You may be

Re: Outgoing SMTP Servers

2011-10-25 Thread Owen DeLong
On Oct 25, 2011, at 3:29 AM, valdis.kletni...@vt.edu wrote: On Tue, 25 Oct 2011 02:35:31 PDT, Owen DeLong said: If they are using someone else's mail server for outbound, how, exactly do you control whether or not they use AUTH in the process? 1) You don't even really *care* if they do

Re: Outgoing SMTP Servers

2011-10-25 Thread Carlos Martinez-Cagnazzo
I'm curious how a traveller is supposed to get SMTP relay service when, well, travelling. I am not really sure if I want a VPN for sending a simple email. And I can understand (although I am not convinced that doing so is such a great idea) blocking 25/tcp outgoing, as most botnets will try that

Re: Outgoing SMTP Servers

2011-10-25 Thread Owen DeLong
On Oct 25, 2011, at 4:15 AM, Jeroen Massar wrote: On 2011-10-25 12:20 , Owen DeLong wrote: On Oct 25, 2011, at 3:04 AM, Jeroen Massar wrote: On 2011-10-25 11:49 , Owen DeLong wrote: [..] With this combination, I have not encountered a hotel, airport lounge, or other poorly run

Re: Outgoing SMTP Servers

2011-10-25 Thread William Herrin
On Tue, Oct 25, 2011 at 5:49 AM, Owen DeLong o...@delong.com wrote: On Oct 24, 2011, at 11:13 PM, William Herrin wrote: Blocking outbound TCP SYN packets on port 25 from non-servers is considered a BEST PRACTICE to avoid being the source of snowshoe and botnet spam. Blocking it from legitimate

Re: ARIN and Legacy IPv4 Assignement from CA*Net (Canarie)

2011-10-25 Thread John Curran
On Oct 25, 2011, at 12:57 PM, Alain Hebert wrote: Hi, From what we've been seeing there are a lot of those legacy assignments about to be freed. ( Yeah! ) We're having some issues with a few Legacy that were mis-assigned when transferred from CA*Net to ARIN back in the day.

RE: Outgoing SMTP Servers

2011-10-25 Thread Dennis Burgess
I'm curious how a traveller is supposed to get SMTP relay service when, well, travelling. I am not really sure if I want a VPN for sending a simple email. And I can understand (although I am not convinced that doing so is such a great idea) blocking 25/tcp outgoing, as most botnets will

Re: Outgoing SMTP Servers

2011-10-25 Thread David E. Smith
On Tue, Oct 25, 2011 at 10:57, Dennis Burgess dmburg...@linktechs.net wrote: [dmb] This is the exact question, why, do you NEED a SMTP Relay on ANY network. Your domain has a mail server out on the net that if you authenticate to, I am sure will relay your mail, and the reverse DNS and SPF

Re: Outgoing SMTP Servers

2011-10-25 Thread Randy Bush
I'm curious how a traveller is supposed to get SMTP relay service when, well, travelling. I am not really sure if I want a VPN for sending a simple email. vpn i use openvpn when roaming, i am often on poorly protected wireless. i openvpn to home randy

Senate Bill S.968

2011-10-25 Thread Jason LeBlanc
Anyone read this? http://en.wikipedia.org/wiki/Protect_IP_Act More attempts to regulate Internet usage. Not in favor. Jason

Re: Outgoing SMTP Servers

2011-10-25 Thread Owen DeLong
On Oct 25, 2011, at 8:46 AM, William Herrin wrote: On Tue, Oct 25, 2011 at 5:49 AM, Owen DeLong o...@delong.com wrote: On Oct 24, 2011, at 11:13 PM, William Herrin wrote: Blocking outbound TCP SYN packets on port 25 from non-servers is considered a BEST PRACTICE to avoid being the source of

RE: Outgoing SMTP Servers

2011-10-25 Thread Matt McBride
We use Mailchannels to route all outbound mail through it, which does a decent job of keeping garbage off the Internet and SBLs/RBLs clean. It is dependent on PBR so there is overhead to manage it but the product runs on our own hardware. -Matt -Original Message- From: Owen DeLong

HE.Net 6TO4 relay

2011-10-25 Thread Meftah Tayeb

Re: Outgoing SMTP Servers

2011-10-25 Thread Brian Dickson
Owen wrote: On Oct 25, 2011, at 3:29 AM, Valdis.Kletnieks at vt.edu wrote: On Tue, 25 Oct 2011 02:35:31 PDT, Owen DeLong said: If they are using someone else's mail server for outbound, how, exactly do you control whether or not they use AUTH in the process? 1) You don't even really

Vancouver, BC providers

2011-10-25 Thread Ravi Pina
Hi, I was looking for some metro-e options in Vancouver, BC CA specifically in the Downtown/Gastown area. I'm finding the area isn't the most built up so options are very thin. We already have service through Level3, but would like a secondary one. It doesn't have to be tier1 or even

Re: Vancouver, BC providers

2011-10-25 Thread jim deleskie
I'd expect you could find, Rogers, Telus, Shaw and Bell all there. -jim On Tue, Oct 25, 2011 at 3:18 PM, Ravi Pina r...@cow.org wrote: Hi, I was looking for some metro-e options in Vancouver, BC CA specifically in the Downtown/Gastown area.  I'm finding the area isn't the most built up so

Re: Vancouver, BC providers

2011-10-25 Thread Ravi Pina
I suppose I could have been a little more clear on what I've already found. Sorry. The last mile for the Level3 is coming on Telus (after a punch to the face and gut for build out fee) so I'd like someone else. Shaw does not offer service without what I suspect is another punch to the face for a

RE: Vancouver, BC providers

2011-10-25 Thread Erik Soosalu
May not suit your needs, but I've used Terago with some success for secondary links. Thanks, Erik Soosalu -Original Message- From: Ravi Pina [mailto:r...@cow.org] Sent: Tuesday, October 25, 2011 2:28 PM To: jim deleskie Cc: nanog@nanog.org Subject: Re: Vancouver, BC providers I

Re: Vancouver, BC providers

2011-10-25 Thread Lyndon Nerenberg (VE6BBM/VE7TFX)
The last mile for the Level3 is coming on Telus (after a punch to the face and gut for build out fee) so I'd like someone else. Shaw does not offer service without what I suspect is another punch to the face for a build out. Bell didn't return any of my inquiries via email or voice message.

Re: Vancouver, BC providers

2011-10-25 Thread Ryan Wilkins
Sounds like a possible candidate for some of the last mile wireless equipment available. The problem is the wireless equipment may cost more than the punch to the face and gut. How much bandwidth are you talking? You're looking at somewhere around $16k for a 300 Mbps Motorola PTP 800

Colocation providers and ACL requests

2011-10-25 Thread Christopher Pilkington
Is it common in the industry for a colocation provider, when requested to put an egress ACL facing us such as: deny udp any a.b.c.d/24 eq 80 …to refuse and tell us we must subscribe to their managed DDOS product? -cjp

Re: HE.Net 6TO4 relay

2011-10-25 Thread Mike Leber
On 10/24/11 9:18 AM, Meftah Tayeb wrote: hello HE.NET did you drop the 6to4 delegated prefix 192.88.99.0/24 ? if yes please would you drop it from your BGP routing table announced ? thank you Meftah Tayeb IT Consulting Hi! For issues like this please email i...@he.net or n...@he.net with

Re: Colocation providers and ACL requests

2011-10-25 Thread Keegan Holley
Depends on the provider. Many just do not want to manage hundreds of customer ACL's on access routers. Especially when it would compete with a managed service (firewall, IDP, DDOS) of some sort. Some still are under the impression that ACL's are software based and their giant $100k+ edge box

Re: Colocation providers and ACL requests

2011-10-25 Thread Brandon Galbraith
On Tue, Oct 25, 2011 at 1:46 PM, Keegan Holley keegan.hol...@sungard.com wrote: Depends on the provider. Many just do not want to manage hundreds of customer ACL's on access routers. Especially when it would compete with a managed service (firewall, IDP, DDOS) of some sort. Some still are

Re: HE.Net 6TO4 relay

2011-10-25 Thread Meftah Tayeb

Re: Colocation providers and ACL requests

2011-10-25 Thread Christopher Pilkington
On Oct 25, 2011, at 2:50 PM, Brandon Galbraith wrote: On Tue, Oct 25, 2011 at 1:46 PM, Keegan Holley keegan.hol...@sungard.com wrote: Depends on the provider. Many just do not want to manage hundreds of Conversely, some don't want to be paid for bare colocation (at bare colocation

Re: Colocation providers and ACL requests

2011-10-25 Thread PC
Why not put the ACL on your ingress side at your switch or router? I would typically not expect a colo provider to provide this service unless I'm paying extra for it. The smaller they are, the more likely they are to do so to keep you happy, but I certainly wouldn't be asking this request

Re: Colocation providers and ACL requests

2011-10-25 Thread Keegan Holley
2011/10/25 Brandon Galbraith brandon.galbra...@gmail.com On Tue, Oct 25, 2011 at 1:46 PM, Keegan Holley keegan.hol...@sungard.com wrote: Depends on the provider. Many just do not want to manage hundreds of customer ACL's on access routers. Especially when it would compete with a managed

Re: Outgoing SMTP Servers

2011-10-25 Thread Ricky Beam
On Tue, 25 Oct 2011 12:55:58 -0400, Owen DeLong o...@delong.com wrote: Wouldn't the right place for that form of rejection to occur be at the mail server in question? In a perfect world, yes. When you find a perfect world, send us an invite. I reject lots of residential connections... The

Re: Outgoing SMTP Servers

2011-10-25 Thread Ricky Beam
On Tue, 25 Oct 2011 07:15:00 -0400, Jeroen Massar jer...@unfix.org wrote: On that iToy of yours it is just a flick of a switch, presto. Where flick of a switch is actually several steps... Settings - Network - VPN... there's your switch. Wait for it to connect Go back to mail, refresh...

Re: Outgoing SMTP Servers

2011-10-25 Thread Alex Harrowell
Ricky Beam jfb...@gmail.com wrote: Works perfectly even in networks where a VPN doesn't and the idiot hotel intercepts port 25 (not blocks, redirects to *their* server.) --Ricky Why do they do that? -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Re: Outgoing SMTP Servers

2011-10-25 Thread Robert Bonomi
From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Tue Oct 25 14:53:32 2011 Subject: Re: Outgoing SMTP Servers From: Alex Harrowell a.harrow...@gmail.com Date: Tue, 25 Oct 2011 20:52:46 +0100 To: Ricky Beam jfb...@gmail.com, Jeroen Massar jer...@unfix.org Cc: nanog@nanog.org Ricky

Re: Outgoing SMTP Servers

2011-10-25 Thread Mike Jones
On 25 October 2011 20:52, Alex Harrowell a.harrow...@gmail.com wrote: Ricky Beam jfb...@gmail.com wrote: Works perfectly even in networks where a VPN doesn't and the idiot hotel intercepts port 25 (not blocks, redirects to *their* server.) --Ricky Why do they do that? My home ISP run an

Re: Outgoing SMTP Servers

2011-10-25 Thread Owen DeLong
No no no no no. The problem with your theory below is that: 1. It is by far best for users to authenticate to send mail. 2. Your solution works only for unencrypted unauthenticated users that ignore the certificate presented by the mail server. Put another way, your mechanism rewards those

Re: Outgoing SMTP Servers

2011-10-25 Thread William Herrin
On Tue, Oct 25, 2011 at 5:56 PM, Owen DeLong o...@delong.com wrote: Put another way, your mechanism rewards those doing the wrong thing while punishing those of us sending our email via encrypted and authenticated mechanisms. Owen, If you're doing the right thing, sending email via encrypted,

Re: Outgoing SMTP Servers

2011-10-25 Thread Douglas Otis
On 10/25/11 12:31 PM, Ricky Beam wrote: On Tue, 25 Oct 2011 12:55:58 -0400, Owen DeLong o...@delong.com wrote: Wouldn't the right place for that form of rejection to occur be at the mail server in question? In a perfect world, yes. When you find a perfect world, send us an invite. I

Re: Colocation providers and ACL requests

2011-10-25 Thread William Herrin
On Tue, Oct 25, 2011 at 2:43 PM, Christopher Pilkington c...@0x1.net wrote: Is it common in the industry for a colocation provider, when requested to put an egress ACL facing us such as:  deny udp any a.b.c.d/24 eq 80 …to refuse and tell us we must subscribe to their managed DDOS product?

Re: Colocation providers and ACL requests

2011-10-25 Thread Paul Graydon
On 10/25/2011 08:43 AM, Christopher Pilkington wrote: Is it common in the industry for a colocation provider, when requested to put an egress ACL facing us such as: deny udp any a.b.c.d/24 eq 80 …to refuse and tell us we must subscribe to their managed DDOS product? -cjp For colo? No,

Re: Outgoing SMTP Servers

2011-10-25 Thread Owen DeLong
On Oct 25, 2011, at 3:16 PM, William Herrin wrote: On Tue, Oct 25, 2011 at 5:56 PM, Owen DeLong o...@delong.com wrote: Put another way, your mechanism rewards those doing the wrong thing while punishing those of us sending our email via encrypted and authenticated mechanisms. Owen, If

Re: Outgoing SMTP Servers

2011-10-25 Thread Jeroen van Aart
Owen DeLong wrote: It's both unacceptable in my opinion and common. There are even those misguided souls that will tell you it is best practice, though general agreement, even among them seems to be that only 25/tcp should be blocked and that 465 and 587 should not be blocked. From my

Re: Senate Bill S.968

2011-10-25 Thread Christopher Morrow
On Tue, Oct 25, 2011 at 12:58 PM, Jason LeBlanc j...@packetpimp.org wrote: Anyone read this? http://en.wikipedia.org/wiki/Protect_IP_Act More attempts to regulate Internet usage. Not in favor. folk ought to reach out to the largest opponent on this: Senator Wyden

Re: Colocation providers and ACL requests

2011-10-25 Thread Keegan Holley
I'm assuming colo means hosting, and the OP misspoke. Most colo providers don't provide active network for colo (as in power and rack only) customers. 2011/10/25 Paul Graydon p...@paulgraydon.co.uk On 10/25/2011 08:43 AM, Christopher Pilkington wrote: Is it common in the industry for a

Re: Colocation providers and ACL requests

2011-10-25 Thread Jay Ashworth
- Original Message - From: Keegan Holley keegan.hol...@sungard.com I'm assuming colo means hosting, and the OP misspoke. Most colo providers don't provide active network for colo (as in power and rack only) customers. Most? Cheers, -- jra -- Jay R. Ashworth Baylink

Re: the route is not in our bgprouter

2011-10-25 Thread Deric Kwok
Hi, our upstream provider said that the destination network is blocking our IP. Now my question is how we can know it. If this network is blocking us, the traceroute should reach out our bgp router to go further nodes before that network, right? 2nd question is how they block us to not allow the

Re: the route is not in our bgprouter

2011-10-25 Thread Christopher Morrow
deric, you really ought to hire a consultant for this sort of thing... just sayin! On Tue, Oct 25, 2011 at 9:49 PM, Deric Kwok deric.kwok2...@gmail.com wrote: Hi Our upstream provider said that destination network is blocking our ip. Now my question is how we can know it you can't really,

Re: Senate Bill S.968

2011-10-25 Thread Joly MacFie
effective FUD site http://demandprogress.org/ On Tue, Oct 25, 2011 at 8:53 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Tue, Oct 25, 2011 at 12:58 PM, Jason LeBlanc j...@packetpimp.org wrote: Anyone read this? http://en.wikipedia.org/wiki/Protect_IP_Act More attempts

Re: Outgoing SMTP Servers

2011-10-25 Thread Blake Hudson
I didn't see anyone address this from the service provider abuse department perspective. I think larger ISP's got sick and tired of dealing with abuse reports or having their IP space blocked because of their own (infected) residential users sending out spam. The solution for them was to block

Re: Outgoing SMTP Servers

2011-10-25 Thread J
Blake Hudson wrote: If 587 becomes popular, spammers will move on and the same ISPs that blocked 25 will follow suit. I don't see this happening as easily. Authenticated means an easier shutdown of an account, rather than some form of port block/etc. A better solution would have been to

Re: Outgoing SMTP Servers

2011-10-25 Thread Blake Hudson
J wrote the following on 10/25/2011 9:25 PM: Blake Hudson wrote: If 587 becomes popular, spammers will move on and the same ISPs that blocked 25 will follow suit. I don't see this happening as easily. Authenticated means an easier shutdown of an account, rather than some form of port

Re: Outgoing SMTP Servers

2011-10-25 Thread Graham Beneke
On 25/10/2011 23:03, Mike Jones wrote: On 25 October 2011 20:52, Alex Harrowell a.harrow...@gmail.com wrote: Ricky Beam jfb...@gmail.com wrote: Works perfectly even in networks where a VPN doesn't and the idiot hotel intercepts port 25 (not blocks, redirects to *their* server.) --Ricky

Re: Outgoing SMTP Servers

2011-10-25 Thread Graham Beneke
On 26/10/2011 04:35, Blake Hudson wrote: An infected machine can just as easily send out mail on port 587 as it can using port 25. It's not hard for botnet herders to come up with a list of valid credentials stolen from email clients, via key loggers, or simply guessed through probability. I

Re: Outgoing SMTP Servers

2011-10-25 Thread William Herrin
On Tue, Oct 25, 2011 at 8:15 PM, Owen DeLong o...@delong.com wrote: On Oct 25, 2011, at 3:16 PM, William Herrin wrote: If you're doing the right thing, sending email via encrypted, authenticated mechanisms, then you're doing it TCP ports 587 or 443. Where Mike's mechanism obstructs you not at

Re: Outgoing SMTP Servers

2011-10-25 Thread Owen DeLong
On Oct 25, 2011, at 9:33 PM, William Herrin wrote: On Tue, Oct 25, 2011 at 8:15 PM, Owen DeLong o...@delong.com wrote: On Oct 25, 2011, at 3:16 PM, William Herrin wrote: If you're doing the right thing, sending email via encrypted, authenticated mechanisms, then you're doing it TCP ports 587

Re: Outgoing SMTP Servers

2011-10-25 Thread Robert Drake
On 10/25/2011 11:17 AM, Owen DeLong wrote: But that applies to port 25 also, so, I'm not understanding the difference. Other people running open port 587s tends to be quite self-correcting. At this point, so do open port 25s. The difference is in intentions from the user. All SMTP

Re: Outgoing SMTP Servers

2011-10-25 Thread Robert Drake
On 10/25/2011 10:19 PM, Blake Hudson wrote: I didn't see anyone address this from the service provider abuse department perspective. I think larger ISP's got sick and tired of dealing with abuse reports or having their IP space blocked because of their own (infected) residential users sending