Date:      Fri, 08 Aug 2003 10:05:53 -0400
From:      Mykroft Holmes IV <mykroft@explosive.mail.net>
To:        Mark <admin@asarian-host.net>
Cc:        questions@freebsd.org
Subject:   Re: ISPs blocking SMTP connections from dynamic IP address space
Message-ID:  <3F33AE41.7040300@explosive.mail.net>
In-Reply-To: <200308081254.H78CSAXU052003@asarian-host.net>
References:  <E4D2BB5E-C84B-11D7-BC98-0030656DD690@foolishgames.com> <200308081254.H78CSAXU052003@asarian-host.net>

Interspersed

Mark wrote:

> ----- Original Message ----- 
> From: "Lucas Holt" <luke@foolishgames.com>
> To: "Doug Poland" <doug@polands.org>
> Cc: "Nicole" <nicole@daemontech.com>; <questions@freebsd.org>
> Sent: Wednesday, August 06, 2003 10:24 PM
> Subject: Re: ISPs blocking SMTP connections from dynamic IP address space
> 
> 
>>You guys need to rethink this thing. Reverse DNS checks are ok, but
>>ip blocking for legitimate servers is silly.
> 
> 
> I agree. You guys really need to rethink this. My turn to vent. :)
> 
> For starters, what is "dynamic IP address space" anyway? You would think
> dialup-accounts or, at the very least, accounts that get their IP address
> assigned from a dynamic IP address pool. Yet, reading this thread, "dynamic
> IP address space" basically seems to mean: everyone who is not a major ISP.
> There are many things wrong with that simplistic reasoning.
> 

Dynamic IP space is netblocks which the ISP controlling them has marked 
as part of its dynamic IP pool. In fact 90% of dynamic space is major 
ISPs' (dialup blocks, DSL and cable modems). Very few small ISPs tag 
their DHCP pools as dynamic.


> For one, just because whois.arin.net says a netblock is a "dynamic" address
> pool, does not mean IP addresses assigned to customers are, de facto,
> dynamic. In fact, especially with high-speed DSL accounts, here the opposite
> is true: people get assigned what to them, and to the world at large, for
> all purposes and intent, is a static IP address. In exchange for money,
> their ISP grants them the exclusive use of a fixed IP address. They
> register domain names on that IP address, and continue to use that one,
> unchanging IP address for all interactions with the world. Literally
> thousands of legitimate servers across the world run on such a (set of)
> static IP address(es), regardless of what their netblock, high up in the
> ARIN, or kindred, hierarchy is marked down as.
> 

Just because you have a high-speed connection with a stable or static IP 
doesn't mean it's not dynamic. Dynamic simply means assigned by DHCP or 
RADIUS (For dialup and some DSL). If you're in this space you should be 
relaying through your ISP's mailserver. 90% of people in this space are 
precluded from running server daemons by their AUP anyways.

> When you force all people to use their ISP's smtp server(s), you funnel, as
> it were, a great number of clients through a single pinhole. Should that one
> pinhole become blacklisted/blocked, then suddenly thousands of people, en
> masse, can no longer send mail. Is that likely to occur? Yes. Because spam
> will also be sent through that same pinhole. AOL will likely cancel the
> account of the spammer; but spam will nonetheless have been sent through
> that one pinhole. And then what? Then you are faced with an uncomfortable
> choice: either I block the AOL smtp servers altogether, or I let them
> through entirely. What you have lost then, in effect, is the ability to
> discriminate. So, what then? You will whitelist the AOL smtp servers? That
> would be stupid. :) Because if there is only one pinhole, whitelisting that
> one pinhole is tantamount to giving all spammers a huge "passe-partout". And
> since, by your own act of narrow-sightedness, you have chosen to only deal
> with that one pinhole, you can no longer tell chaff from grain. Way to go,
> Einstein!

Never read a header? Most of that so-called 'Hotmail' or 'AOL' spam 
doesn't come from either; it either comes from overseas or from that 
'Dynamic' space you're defending (How much spam comes from IPs that 
reverse to UUNET RAS servers? A damned lot, although not usually from 
actual UUNET customers, but rather a 3rd-party customer on a free or 
one-shot account). Blackholing AOL or Hotmail isn't going to appreciably 
affect your receipt of spam, since so little spam actually originates there.


> 
> Perhaps the greatest fallacy of them all: the ludicrous assumption that large
> ISPs do not spam. :) The largest sources of spam, their hypocrisy despite,
> are precisely those big ISPs, like AOL and Hotmail, to whom you can write
> until you see blue in the face, but who do not give a damn, because they are
> big and know it.
> 

The Dynamic space we're talking about usually comes from big ISPs. Small 
ISPs don't tag space as dynamic.

> Do not be lazy; because you are. :) I know, I have been tempted too, many
> times, to just block hotmail altogether, and so reduce 70% of all spam. Yet,
> that would be laziness, really.

No, it simply won't work. Maybe it would have in 1998, but Hotmail 
doesn't originate much spam anymore, even if the header is forged to 
indicate it came from hotmail.

> Taking the easy route, like blocking all
> what you think is "dynamic" address space, is really just laziness on your
> part. It is you saying: "I can no longer be bothered to figure out who is
> legit and who is not, so I will just block everything." That is bad
> administration. Crying, "But SOMETHING needs to be done about spam,
> therefore I am right," is not a valid argument either. :) Sure, SOMETHING
> needs to be done about spam. But blocking thousands of legitimate servers
> across the world, just because you are lazy, is not the solution. Be
> meticulous in who you block, and be specific.
> 

If you've got a business connection and a 'Dynamic' IP, complain to your 
ISP. Blocking 'Dynamic' space, and thus the multitude of idiots with 
exploited windoze boxes on their cable/DSL connection, is quite 
effective, probably more than using SPEWS (which is notorious for 
blocking non-offenders).


> Simply configuring your mail server to use your ISP's smtp as smarthost, and
> relay all outgoing email through them, is not as transparent and benign a
> solution as suggested. You lose control over the way mail is being
> delivered/bounced, for instance.

You don't have as much control as you think; this is just adding one 
extra hop to the usual 2-3 hops that your mail is going to take 
anyways. If you can't live with that, get a T1.

> All of a sudden your clients get
> bounce-messages from the postmaster of your ISP, instead of from you
> directly -- with all the ensuing confusion to boot. Can the freebsd.org
> people look me in the eye, and really say they would not mind having AOL
> deliver their mail for them, as smarthost? Honestly, nobody likes to be "in
> ward" like that. It is as if your ISP would tell you, one day, that you can
> no longer provide an IHAVE newsfeed, but have to use their news server's
> POST command. Yeah, right. :) I have yet to encounter an administrator who
> would not mind yielding to such condescension.

Get another ISP then.

> 
> The main purpose of a mail exchanger is to exchange mail. :) Perhaps the
> focus on spam has caused it, but many people look on this backwards: as the
> administrator of your mail facility, your primary task is NOT to block
> illegitimate mail, but to facilitate the flux of legitimate mail. If you can
> do the former, kudos to you; but if you do it at great expense of the
> latter, then you should not be commended. What is that, you say? Omelets and
> breaking a few eggs? Sabotaging large parts of the Internet does not an
> omelet make; in fact, you will only have done precisely that: broken things.
> 

When spam eats so many resources that it impairs regular mail delivery, 
blocking it becomes a very large part of one's job, to ensure that spam no 
longer affects mail delivery. Blocking people who run MTAs in spite of 
their AUP is part of that, and effective to boot. The few legit sites 
that get blocked in the process are the broken eggs, and not really a 
problem.

> You guys really need to rethink this.
> 

I suggest you rethink your position.

> - Mark
> 

Adam
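As an added, constructed illustration of the policy the thread argues over (not code from anyone in the thread): a receiving-MTA check that decides whether an inbound SMTP client sits in an ISP-published dynamic netblock or carries a dynamic-looking reverse name, and answers with a rejection telling the sender to relay through their ISP's smarthost. The netblocks and PTR names are made up, and the naming tokens are a heuristic, which is exactly where static DSL customers get caught.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed list of netblocks an ISP has published as dynamic pools
# (hypothetical ranges, not any real ISP's allocations).
DYNAMIC_NETBLOCKS = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",   # e.g. a dial-up RAS pool
    "203.0.113.128/25",  # e.g. a cable-modem DHCP pool
)]

# PTR naming tokens that usually mark dynamically assigned hosts.
DYNAMIC_PTR_RE = re.compile(r"(dyn|dhcp|pool|ppp|dial)", re.I)
# Names that embed the address itself, e.g. 192-0-2-10.customer.isp.example
OCTETS_IN_PTR_RE = re.compile(r"(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})")


def ptr_looks_dynamic(ip: str, ptr: Optional[str]) -> bool:
    """True if the reverse name follows a dynamic-pool naming pattern."""
    if not ptr:
        return False  # a missing PTR is handled separately by the policy
    if DYNAMIC_PTR_RE.search(ptr):
        return True
    m = OCTETS_IN_PTR_RE.search(ptr)
    if not m:
        return False
    forward = ".".join(m.groups())            # 192-0-2-10 style
    backward = ".".join(reversed(m.groups()))  # 10.2.0.192 style
    return ip in (forward, backward)


def smtp_policy(ip: str, ptr: Optional[str]) -> Tuple[str, str]:
    """Return (action, SMTP reply) for an inbound client."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in DYNAMIC_NETBLOCKS):
        return ("reject", "550 client is in an ISP dynamic pool; relay via your ISP smarthost")
    if ptr is None:
        return ("defer", "450 no reverse DNS for client; try again later")
    if ptr_looks_dynamic(ip, ptr):
        return ("reject", "550 dynamic-looking reverse DNS; relay via your ISP smarthost")
    return ("accept", "250 ok")


if __name__ == "__main__":
    # Constructed sample connections: (client IP, PTR name or None)
    for ip, ptr in [("198.51.100.7", "ras7.isp.example"), ("192.0.2.10", None),
                    ("192.0.2.10", "192-0-2-10.customer.isp.example"),
                    ("203.0.113.5", "mail.example.org")]:
        print(ip, ptr, "->", smtp_policy(ip, ptr))
```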



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F33AE41.7040300>