Hi Rocco,

On Wed, 10 Feb 2010, IT-Doc24 Ltd. - Rocco Radisch wrote:

> Same here. I do not understand the issue of port 25 in conjunction with
> spamming!

An ISP that allows port 25 out of their network, allows their clients to indiscriminately spam the world. An ISP that allows port 587 out, but not port 25, allows their clients to send mail to submission servers (e.g. their employer) but not to the general population. Submission often requires authentication and is not part of the normal mail delivery system (MX records).

> If the ISP forces the user to use their email servers for email delivery:
> a) causes confusion and breaks the idea behind SPF. According to the
> sender policy framework you will have to add the ISP's email server in the
> DNS domain settings (spf record) as Reinier has mentioned. Or you leave
> out the SPF record completely, then there would be no point of having the
> SPF.

Forwarding and mailing lists already break SPF. The only thing it's useful for in general is for declaring that your domain never sends email, unless you control all of your outbound mail servers. In this case you would not; also if you use a BlackBerry or an ISP that blocks port 25 outbound you do not. This is a limitation of SPF, not the fault of the ISP.

> Anyway, which average email user knows all that?

Anyway, which average email user writes SPF records?

> b) If the ISP's email server relays without smtp authentication THAT is
> the actual evildoer. Giving spammers a free gateway to send emails
> without any identification.

Very few ISPs allow open relaying as they would be blacklisted by everybody by now. Most authenticate by IP address which is a start. Authenticating by username makes life more difficult for your users, so is often not implemented. I agree that it would be better, but most ISPs don't do it, so it's hard to argue that it's evil not to.

> c) Every time the user changes the ISP/network he has to change the
> settings or maintain two smtp server profiles. I.e. one uses UTL at home
> and at work MTN or Orange. Each ISP forces to use his own email server.
> Congratulations. Good thing we still have port 587 and 465 for SSL. I had
> a number of people working at different locations with a laptop facing
> this exact challenge.

Then stick to a single mail server that accepts email on port 587 with authentication and relays to everywhere. Job done. This is what most people do.

> c) Most of the spam comes anyway from dynamic IP addresses of an ISP's IP
> pool. In that way it's even easier to distinguish the sender for the
> antispam software. Like:
>
> pool-71-108-40-184.lsanca.dsl-w.verizon.net
> 551-1-60-93.w86-192.abo.wanadoo.fr
> 213-168-8-183-dsl.est.estpak.ee

Yes, these are not hard to block with Exim and then Spamhaus RBL, but a lot of spam comes from free email providers like Google, Yahoo and Hotmail too, and that is hard to block.

> Or did you ever receive a Facebook phishing attack from a Facebook server?
> Very unlikely, more likely you got it from estpak.ee or similar.

I got my first Google Docs spam today, and I've received a lot of spam from people signing me up to Google Newsgroups without my permission or confirmation for the express purpose of spamming me.

> Plus, the whole port blocking idea of ISPs actually violates the freedom
> of internet usage and doesn't really make sense either.

Perhaps we should ban firewalls then? Although I support freedom of speech, I wish ISPs could be forced to declare which of their IP ranges belong to dynamic customers so that I can block them. Failing that, I wish they would block outbound port 25 completely. Spam makes email useless. That's not freedom of speech, it's drowning out the useful speech, so better spam filtering means more freedom.

> It's not my intention to start such a discussion now, the net is already
> full of these: http://torrentfreak.com/search/isp+blocking

Ditto, but I couldn't help replying at the risk of starting a flame war that I don't intend to participate in.

> Or like Kyle did, using a random port. The port-service associations are
> recommendations, nobody said we have to stick to them. The internet is
> the world wide wild west.

It doesn't have to be random. Port 587 was allocated for exactly this purpose.

> Where there is a restriction you create a market.

How does that square with your comment above that "the whole port blocking idea of ISPs actually violates the freedom of internet usage and doesn't really make sense either."

> Which raises another question, why do ISPs offer site-to-site
> connectivity for that kind of money here in Uganda? Calling it a
> corporate network data plan or similar, charging each remote site big
> sums per month?

It's easier for companies to work this way, and there's no guarantee that the persistent connection trick will continue to work, which means they could wake up to a nasty surprise one day. Some companies prefer peace of mind (like insurance) and pick the expensive but guaranteed VPN option.

Cheers, Chris.
-- 
Aptivate | http://www.aptivate.org | Phone: +44 1223 760887
The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES
Aptivate is a not-for-profit company registered in England and Wales with company number 04980791.
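Added illustration of the SPF points debated in the message above (not part of the original post and not any project's code): a simplified evaluator that handles only the `ip4`, `include` and `all` mechanisms, run against constructed records. The domains `example.org`, `example-with-isp.org`, `isp.example`, `no-mail.example` and all IP addresses are assumed placeholders.

```python
import ipaddress

# Constructed TXT records; every domain and address here is a placeholder.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.10 -all",
    "example-with-isp.org": "v=spf1 ip4:192.0.2.10 include:isp.example -all",
    "isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "no-mail.example": "v=spf1 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, depth=0):
    """Evaluate a small subset of SPF (ip4, include, all) for client_ip."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            sub = check_spf(term[8:], client_ip, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"     # include matches only on a pass
        else:
            return "permerror"          # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def scenarios():
    """SPF result as seen by the receiver, keyed by delivery path."""
    own, isp_smarthost, forwarder = "192.0.2.10", "198.51.100.25", "203.0.113.7"
    return {
        "direct from own server": check_spf("example.org", own),
        "ISP smarthost, ISP not listed": check_spf("example.org", isp_smarthost),
        "ISP smarthost, ISP included": check_spf("example-with-isp.org", isp_smarthost),
        "relayed by a forwarder": check_spf("example-with-isp.org", forwarder),
        "domain that never sends": check_spf("no-mail.example", own),
    }

if __name__ == "__main__":
    for path, result in scenarios().items():
        print(f"{path:32} {result}")
```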
