Subject: Re: ingress SMTP
Hi Bill,
Bill Stewart wrote:
In some sense, anything positive you can accomplish by blocking Port 25
you can also accomplish by leaving the port open and advertising the IP
address
on one of the dynamic / home broadband / etc. block lists,
which leaves recipients free
On Sat, Sep 13, 2008 at 11:38 PM, Frank Bulk [EMAIL PROTECTED] wrote:
How do you alert mail server operators who are smarthosting their e-mail
through you that their outbound messages contain spam?
Frank
If those are actual mailservers smarthosting and getting MX from you
then you doubtless
How do you alert mail server operators who are smarthosting their
e-mail through you that their outbound messages contain spam?
You don't let them falsify their envelope or headers to contain
fields utterly unrelated to your own infrastructure, for starters.
They try it, their mail
*Hobbit* wrote:
How do you alert mail server operators who are smarthosting their
e-mail through you that their outbound messages contain spam?
You don't let them falsify their envelope or headers to contain
fields utterly unrelated to your own infrastructure, for starters.
They try it,
Bulk
Cc: Matthew Moyle-Croft; nanog@nanog.org
Subject: Re: ingress SMTP
On Sat, Sep 13, 2008 at 11:38 PM, Frank Bulk [EMAIL PROTECTED] wrote:
How do you alert mail server operators who are smarthosting their e-mail
through you that their outbound messages contain spam?
Frank
If those are actual
Hi, Hobbit - we met back in the late 80s / early 90s at various New Jersey
things
such as Trenton Computer Fair, but you probably don't remember me; Tigger
says hi as well...
Be Liberal in what you accept, be conservative in what you send,
and be really really clear in your error messages,
except
Blocking port 25 has become popular, not only with
walled-garden connectivity services that are really scared of their
customers running their own servers (e.g. most cable modem companies),
but also with other ISPs that don't want to deal with the problems
of having customers who are spamming
Hi Bill,
Bill Stewart wrote:
In some sense, anything positive you can accomplish by blocking Port 25
you can also accomplish by leaving the port open and advertising the IP
address
on one of the dynamic / home broadband / etc. block lists,
which leaves recipients free to whitelist or blacklist
Joel Jaeggli [EMAIL PROTECTED] writes:
Does anyone bother to run an MSA on 587 and *not* require authentication?
All my normal relay or lack thereof and delivery rules are in place on
my 587 port. Of course MUAs and MTAs will also do TLS as well as
authentication over port 25 where
Mark Foster [EMAIL PROTECTED] writes:
On Fri, 5 Sep 2008, Mikael Abrahamsson wrote:
We don't allow most of our residential customer base to speak SMTP
TCP/25 to anywhere at all (and we have millions of them). Wish more
ISPs would do the same.
Probably fair enough, if you as an ISP can
I am completely convinced that abuse@ in most big providers is a
black hole with an autoresponder hung off it, and nothing ever
gets done with complaints. NO HUMAN ever sees them, and even if
they did, most of the humans at these outfits wouldn't recognize
a Received: header if it bit them in the
Jay R. Ashworth wrote:
On Wed, Sep 03, 2008 at 12:58:53PM -0400, Nicholas Suan wrote:
On Sep 3, 2008, at 12:49 PM, Jay R. Ashworth wrote:
You're forgetting that 587 *is authenticated, always*.
I'm not sure how that makes much of a difference since the usual spam
vector is malware that has
On Sep 3, 2008, at 6:52 PM, Tim Sanderson wrote:
Anybody not wanting to use their ISP email would notice it. I see
filtering 25 FROM the customer as something that is not likely to
happen because of this. When a customer buys bandwidth, they want to
be able to use it for whatever they
Eugeniu Patrascu wrote:
On Sep 3, 2008, at 8:08 PM, Winders, Timothy A wrote:
Yes, setting up a 587 submit server internally would be best, but man
power
is at a premium and it hasn't happened.
I don't know what SMTP server you're using, but on Postfix you just
need to uncomment one
- Original Message -
From: Michael Thomas [EMAIL PROTECTED]
Date: Monday, September 8, 2008 7:31 am
Subject: Re: ingress SMTP
Would that it were so easy :) You also have the more daunting task
of hooking up your auth/aaa infrastructure with your MTA's, and all
of the care and feeding
from a
certain IP to identify their upstream bandwidth).
Frank
-Original Message-
From: Michael Thomas [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2008 9:46 AM
To: Paul Ferguson
Cc: nanog@nanog.org
Subject: Re: SMTP rate-limits [Was: Re: ingress SMTP]
snip
I thought
On Friday 05 September 2008 00:33:54 Mark Foster wrote:
*rest snipped*
Is the above described limitation a common occurrence in the
world-at-large?
If the ISP blocks port 25, then the ISP is taking responsibility for
delivering all email sent by a user, and they have to start applying rate
On Fri, 5 Sep 2008, Simon Waters wrote:
If the ISP blocks port 25, then the ISP is taking responsibility for
delivering all email sent by a user, and they have to start applying rate
limits.
MUAs should stop sending email via 25 and use 587 or equivalent instead.
There is little actual
-- Simon Waters [EMAIL PROTECTED] wrote:
If the ISP blocks port 25, then the ISP is taking responsibility for
delivering all email sent by a user, and they have to start applying rate
limits. Otherwise if they send all email from their users, all
On Fri, 5 Sep 2008, Mikael Abrahamsson wrote:
On Fri, 5 Sep 2008, Simon Waters wrote:
If the ISP blocks port 25, then the ISP is taking responsibility for
delivering all email sent by a user, and they have to start applying rate
limits.
MUAs should stop sending email via 25 and use 587 or
On Fri, 5 Sep 2008, Michael Thomas wrote:
I thought that these bot nets were so massive that it is pretty
easy for them to fly under the radar for quotas, rate limiting, etc.
Not that all bot nets are created equal, and there aren't local hot
spots for whatever reason, but putting on the
On Fri, Sep 05, 2008 at 10:35:15AM +0200, Mikael Abrahamsson wrote:
On Fri, 5 Sep 2008, Simon Waters wrote:
If the ISP blocks port 25, then the ISP is taking responsibility for
delivering all email sent by a user, and they have to start applying rate
limits.
MUAs should stop sending email
re: intercepting port 25 calls and routing them to the ISP's own SMTP
server.
Consider an employee of chocolate.com working from home. He connects to
Chocolate.com's SMTP server to send mail, but his ISP intercepts the
connection and routes the email via its own. The email will then be sent
by
On Wed, 3 Sep 2008, Jay R. Ashworth wrote:
Well, that depends on MUA design, of course, but it's just been pointed
out to me that the RFC says MAY, not MUST.
Note that there are TWO relevant RFCs: RFC 4409 and RFC 5068. The latter
says:
3.1. Best Practices for Submission Operation
On Thu, 4 Sep 2008, Jean-François Mezei wrote:
Consider an employee of chocolate.com working from home. He connects to
Chocolate.com's SMTP server to send mail, but his ISP intercepts the
connection and routes the email via its own. The email will then be sent
by the ISP's SMTP server.
A
On Wed, 3 Sep 2008, Keith Medcalf wrote:
Why would the requirements for authentication be different depending on
the port used to connect to the MTA?
It's easier to configure the MTA if you make a distinction between
server-to-server traffic and client-to-server traffic. In fact my systems
Robert Bonomi wrote:
One small data-point -- on a personal vanity domain, approximately 2/3 of
all the spam (circa 15k junk emails/month) was 'direct to inbound MX'
transmissions. The vast majority of this is coming from end-user machines
In article [EMAIL PROTECTED] you write:
Robert Bonomi wrote:
One small data-point -- on a personal vanity domain, approximately 2/3 of
all the spam (circa 15k junk emails/month) was 'direct to inbound MX'
transmissions. The vast majority of
Well, that depends on MUA design, of course, but it's just been pointed
out to me that the RFC says MAY, not MUST.
(That was me.)
Note that there are TWO relevant RFCs: RFC 4409 and RFC 5068. The latter
says:
3.1. Best Practices for Submission Operation
Thanks, Tony. I hadn't taken
Mark Andrews wrote:
You do realise that there are mail clients that check MX
records *before* submitting email (or before on sending the
email) so that typos get detected in the client before any
email is sent from the client.
On Thu, Sep 04, 2008 at 02:01:48PM +1200, Mark Foster wrote:
So in terms of the OP,
I don't see why joe-user on a dynamic-IP home connection should need the
ability to use port 25 to talk to anywhere but their local ISP SMTP
server
on a normal basis[1].
What's a normal basis?
My Home ISP
On Wed, Sep 3, 2008 at 8:46 PM, *Hobbit* [EMAIL PROTECTED] wrote:
What I'm trying to get a feel for is this: what proportion of edge
customers have a genuine NEED to send direct SMTP traffic to TCP 25
at arbitrary destinations? I'm thinking mostly of cable-modem and
Not too many - they got
Anybody not wanting to use their ISP email would notice it. I see filtering 25
FROM the customer as something that is not likely to happen because of this.
When a customer buys bandwidth, they want to be able to use it for whatever
they choose. This would be just one more restriction giving
What is preventing this from being an operational no-brainer,
including making a few exceptions for customers that prove they know
how to lock down their own mail infrastructure?
As a small player who operates a mail server used by many local
businesses, this becomes a support issue for admins
On Wed, Sep 03, 2008 at 11:56:51AM -0400, Justin Scott wrote:
As a small player who operates a mail server used by many local
businesses, this becomes a support issue for admins in our position. We
operate an SMTP server of our own that the employees of these various
companies use from
Why don't you set the alternate ports up as the defaults when the
customer signs up?
Excellent question and unfortunately I don't have an answer. I will run
that one by management as it is an obviously great idea now that you
mention it.
We use TLS on port 587 and SSL on 465, most mail
Jay R. Ashworth wrote:
On Wed, Sep 03, 2008 at 11:56:51AM -0400, Justin Scott wrote:
As a small player who operates a mail server used by many local
businesses, this becomes a support issue for admins in our position. We
operate an SMTP server of our own that the employees of these various
Do you operate your mailserver on a residential cablemodem or adsl
rather than a business account?
No, we co-lo equipment at a professional facility that our customers on
any type of connection need to have access to send mail through,
regardless of whether their ISP blocks the standard ports
On Wed, Sep 03, 2008 at 09:40:20AM -0700, Michael Thomas wrote:
Allowing unfiltered public access to port 25 is one of the things that
increases everyone's spam load, and your ISP is trying to be a Good
Neighbor in blocking access to anyone's servers but their own; many ISPs
are moving towards
Michael Thomas wrote:
I think this all vastly underrates the agility of the bad guys. So
lots of ISP's have blocked port 25. Has it made any appreciable
difference? Not that I can tell. If you block port 25, they'll just
use another port and a
On Wed, Sep 3, 2008 at 10:18 PM, Justin Scott [EMAIL PROTECTED] wrote:
Do you operate your mailserver on a residential cablemodem or adsl
rather than a business account?
No, we co-lo equipment at a professional facility that our customers on any
type of connection need to have access to send
Alec Berry wrote:
Michael Thomas wrote:
But the thing that's really pernicious about this sort of policy is
that it's a back door policy for ISP's to clamp down on all outgoing
ports in the name of security.
I don't think ISPs have anything to gain by randomly blocking ports. They
On 9/3/08 10:50 AM, Suresh Ramasubramanian [EMAIL PROTECTED] wrote:
On Wed, Sep 3, 2008 at 8:46 PM, *Hobbit* [EMAIL PROTECTED] wrote:
What I'm trying to get a feel for is this: what proportion of edge
customers have a genuine NEED to send direct SMTP traffic to TCP 25
at arbitrary
On Wednesday 03 September 2008 18:07:22 Stephen Sprunk wrote:
When port 25 block was first instituted, several providers actually
redirected connections to their own servers (with spam filters and/or
rate limits) rather than blocking the port entirely. This seems like a
good compromise for
On Sep 3, 2008, at 12:49 PM, Jay R. Ashworth wrote:
On Wed, Sep 03, 2008 at 09:40:20AM -0700, Michael Thomas wrote:
Allowing unfiltered public access to port 25 is one of the things
that
increases everyone's spam load, and your ISP is trying to be a Good
Neighbor in blocking access to
[EMAIL PROTECTED]
Subject: Re: ingress SMTP
Alec Berry wrote:
Michael Thomas wrote:
But the thing that's really pernicious about this sort of policy is
that it's a back door policy for ISP's to clamp down on all outgoing
ports in the name of security.
I don't think ISPs have anything to gain
Winders, Timothy A wrote:
We have not set up a port 587 smtp submit server. Our smtp servers run only
on port 25.
Sorry to be harsh, but that's just not the right way to do things
these days. At the very least, you can run stunnel to allow
On 9/3/08 12:48 PM, Alec Berry [EMAIL PROTECTED] wrote:
Winders, Timothy A wrote:
We have not set up a port 587 smtp submit server. Our smtp servers run only
on port 25.
Sorry to be harsh, but that's just not the right way to do things
I agree, it's not the right way to do things. Running a mail server used
to be much easier. Volunteers to help set things up the right way are
always welcome. :-)
Supporting those clients who can't connect is cheaper or more accessible
for you?
On 9/3/08 12:59 PM, Jason Fesler [EMAIL PROTECTED] wrote:
I agree, it's not the right way to do things. Running a mail server used
to be much easier. Volunteers to help set things up the right way are
always welcome. :-)
Supporting those clients who can't connect is cheaper or more
Wow, lots of responses already. Thanks, good discussion.
I should clarify a little, that it's not necessarily about blanket
port blocking or denying random ports as threats are perceived,
but where needed in a well thought-out manner and trying to take
customer needs [stated or observed] into
on Wed, Sep 03, 2008 at 05:15:41PM +, *Hobbit* wrote:
Related question, now that some discussion has started: why the F
does Gmail refuse to put real, identifiable injection-path headers
in mail they relay out? The current policy only protects spammer
identities behind a meaningless 10.x
On Wed, Sep 03, 2008 at 12:58:53PM -0400, Nicholas Suan wrote:
On Sep 3, 2008, at 12:49 PM, Jay R. Ashworth wrote:
You're forgetting that 587 *is authenticated, always*.
I'm not sure how that makes much of a difference since the usual spam
vector is malware that has (almost) complete
On 9/3/08 1:04 PM, Winders, Timothy A [EMAIL PROTECTED]
wrote:
On 9/3/08 12:59 PM, Jason Fesler [EMAIL PROTECTED] wrote:
I agree, it's not the right way to do things. Running a mail server used
to be much easier. Volunteers to help set things up the right way are
always welcome. :-)
On Wed, 03 Sep 2008 15:00:15 EDT, Jay R. Ashworth said:
Does anyone bother to run an MSA on 587 and *not* require authentication?
Presumably only sites that don't care if they end up in half the anti-spam
blacklists on the planet. Based on the evidence I have, there's a depressingly
large
*Hobbit* wrote:
What I'm trying to get a feel for is this: what proportion of edge
customers have a genuine NEED to send direct SMTP traffic to TCP 25
at arbitrary destinations?
Probably very few.
The big providers -- comcast, verizon, RR, charter, bellsouth, etc --
seem to be some of the
: Wednesday, September 03, 2008 10:57 AM
To: nanog@nanog.org
Subject: Re: ingress SMTP
What is preventing this from being an operational no-brainer,
including making a few exceptions for customers that prove they know
how to lock down their own mail infrastructure?
As a small player who operates
server via SSL.
Frank
-Original Message-
From: Jay R. Ashworth [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 03, 2008 11:07 AM
To: nanog@nanog.org
Subject: Re: ingress SMTP
On Wed, Sep 03, 2008 at 11:52:48AM -0400, Tim Sanderson wrote:
Anybody not wanting to use their ISP email
From [EMAIL PROTECTED] Wed Sep 3 11:58:37 2008
From: Alec Berry [EMAIL PROTECTED]
Subject: Re: ingress SMTP
Michael Thomas wrote:
I think this all vastly underrates the agility of the bad guys. So
lots of ISP's have blocked port 25. Has it made any appreciable
difference? Not that I
On Sep 3, 2008, at 4:36 PM, Frank Bulk wrote:
I would like to point my customers to port 587, but that kind of
configuration is still in its infancy.
We're a small managed services provider, and we started doing
authenticated SMTP with TLS on port 587 six years ago. It's at least
in
At 12:48 PM 9/3/2008, you wrote:
Do you operate your mailserver on a residential cablemodem or adsl
rather than a business account?
No, we co-lo equipment at a professional facility that our customers
on any type of connection need to have access to send mail through,
regardless of whether
- Original Message -
From: Jay R. Ashworth [EMAIL PROTECTED]
Date: Thursday, September 4, 2008 5:00 am
Subject: Re: ingress SMTP
Does anyone bother to run an MSA on 587 and *not* require
authentication?
Many can be configured that way (example: Sun One/iPlanet mail server
can
On Wed, Sep 03, 2008 at 12:58:53PM -0400, Nicholas Suan wrote:
On Sep 3, 2008, at 12:49 PM, Jay R. Ashworth wrote:
You're forgetting that 587 *is authenticated, always*.
I'm not sure how that makes much of a difference since the
usual spam vector is malware that has (almost) complete
iiNet, a reasonably sized Aussie ISP, has a web page
(specifically part of the 'My Account' page) where
you can, with a simple check box, choose to have
commonly abused ports blocked *for outgoing
connections* or not.
That's great, and an excellent solution. Unfortunately many of the larger
you just found one? i think a few dozen over the last several years.
surprised though, i thought this particular horse was finally dead
after all the beatings it'd received.
srs
On Thu, Sep 4, 2008 at 8:13 AM, Ang Kah Yik [EMAIL PROTECTED] wrote:
Hmm.. if it helps - here's a link to an
Nah. There have been plenty. This just happened to be one of the recent
ones.
But as you've rightly pointed out, the dead horse magically revives itself
every once in a while ;)
On Thu, Sep 4, 2008 at 10:51 AM, Suresh Ramasubramanian [EMAIL PROTECTED]
wrote:
you just found one? i think a few
If you leave port 587 un-authenticated then spammers just need to move their
spambots to try port 587 *and* you're never sure who sent the message. If
you're going to have the customer click a few extra buttons to get to port
587, might as well get them to authenticate.
Authenticating port 587