From: Mykroft Holmes IV
Date: Fri, 08 Aug 2003 10:05:53 -0400
To: Mark
cc: Nicole
cc: questions@freebsd.org
Subject: Re: ISPs blocking SMTP connections from dynamic IP address space
Message-ID: <3F33AE41.7040300@explosive.mail.net>
In-Reply-To: <200308081254.H78CSAXU052003@asarian-host.net>

Interspersed

Mark wrote:
> ----- Original Message -----
> From: "Lucas Holt"
> To: "Doug Poland"
> Cc: "Nicole" ;
> Sent: Wednesday, August 06, 2003 10:24 PM
> Subject: Re: ISPs blocking SMTP connections from dynamic IP address space
>
>> You guys need to rethink this thing. Reverse DNS checks are ok, but
>> ip blocking for legitimate servers is silly.
>
> I agree. You guys really need to rethink this. My turn to vent. :)
>
> For starters, what is "dynamic IP address space" anyway? You would think
> dialup-accounts or, at the very least, accounts that get their IP address
> assigned from a dynamic IP address pool. Yet, reading this thread, "dynamic
> IP address space" basically seems to mean: everyone who is not a major ISP.
> There are many things wrong with that simplistic reasoning.

Dynamic IP space is netblocks which the ISP controlling them has marked as
part of its dynamic IP pool. In fact, 90% of dynamic space is major ISPs
(dialup blocks, DSL and cable modems). Very few small ISPs tag their DHCP
pools as dynamic.

> For one, just because whois.arin.net says a netblock is a "dynamic" address
> pool, does not mean IP addresses assigned to customers are, de facto,
> dynamic. In fact, especially with high-speed DSL accounts, here the opposite
> is true: people get assigned what to them, and to the world at large, for
> all purposes and intent, is a static IP address. In exchange for money,
> their ISP has granted them the exclusive use of a fixed IP address. They
> register domain names on that IP address, and continue to use that one,
> unchanging IP address for all interactions with the world. Literally
> thousands of legitimate servers across the world run on such a (set of)
> static IP address(es), regardless of what their netblock, high up in the
> ARIN, or kindred, hierarchy is marked down as.

Just because you have a high-speed connection with a stable or static IP
doesn't mean it's not dynamic. Dynamic simply means assigned by DHCP or
RADIUS (for dialup and some DSL). If you're in this space you should be
relaying through your ISP's mail server. 90% of people in this space are
precluded from running server daemons by their AUP anyways.

> When you force all people to use their ISP's smtp server(s), you funnel, as
> it were, a great number of clients through a single pinhole. Should that one
> pinhole become blacklisted/blocked, then suddenly thousands of people, en
> masse, can no longer send mail. Is that likely to occur? Yes. Because spam
> will also be sent through that same pinhole. AOL will likely cancel the
> account of the spammer; but spam will nonetheless have been sent through
> that one pinhole. And then what? Then you are faced with an uncomfortable
> choice: either I block the AOL smtp servers altogether, or I let them
> through entirely. What you have lost then, in effect, is the ability to
> discriminate. So, what then? You will whitelist the AOL smtp servers? That
> would be stupid. :) Because if there is only one pinhole, whitelisting that
> one pinhole is tantamount to giving all spammers a huge "passe-partout". And
> since, by your own act of narrow-sightedness, you have chosen to only deal
> with that one pinhole, you can no longer tell chaff from grain. Way to go,
> Einstein!

Never read a header? Most of that so-called 'Hotmail' or 'AOL' spam doesn't
come from either; it either comes from overseas or from that 'dynamic' space
you're defending. (How much spam comes from IPs that reverse to UUNET RAS
servers? A damned lot, although not usually from actual UUNET customers, but
rather a third-party customer on a free or one-shot account.) Blackholing
AOL or Hotmail isn't going to appreciably affect your receipt of spam, since
so little spam actually originates there.

> Perhaps the greatest fallacy of 'em all: the ludicrous assumption that large
> ISP's do not spam. :) The largest sources of spam, their hypocrisy despite,
> are precisely those big ISP's, like AOL and hotmail, to whom you can write
> until you see blue in the face, but who do not give a damn, because they are
> big and know it.

The dynamic space we're talking about usually comes from big ISPs. Small
ISPs don't tag space as dynamic.

> Do not be lazy; because you are. :) I know, I have been tempted too, many
> times, to just block hotmail altogether, and so reduce 70% of all spam. Yet,
> that would be laziness, really.

No, it simply won't work. Maybe it would have in 1998, but Hotmail doesn't
originate much spam anymore, even if the header is forged to indicate it
came from Hotmail.

> Taking the easy route, like blocking all
> what you think is "dynamic" address space, is really just laziness on your
> part. It is you saying: "I can no longer be bothered to figure out who is
> legit and who is not, so I will just block everything." That is bad
> administration. Crying, "But SOMETHING needs to be done about spam,
> therefore I am right," is not a valid argument either. :) Sure, SOMETHING
> needs to be done about spam. But blocking thousands of legitimate servers
> across the world, just because you are lazy, is not the solution. Be
> meticulous in who you block, and be specific.

If you've got a business connection and a 'dynamic' IP, complain to your
ISP. Blocking 'dynamic' space, and thus the multitude of idiots with
exploited windoze boxes on their cable/DSL connections, is quite effective,
probably more so than using SPEWS (which is notorious for blocking
non-offenders).

> Simply configuring your mail server to use your ISP's smtp as smarthost, and
> relay all outgoing email through them, is not as transparent and benign a
> solution as suggested. You lose control over the way mail is being
> delivered/bounced, for instance.

You don't have as much control as you think; this is just adding one extra
hop to the usual 2-3 hops that your mail is going to take anyways. If you
can't live with that, get a T1.

> All of a sudden your clients get
> bounce-messages from the postmaster of your ISP, instead of from you
> directly -- with all the ensuing confusion to boot. Can the freebsd.org
> people look me in the eye, and really say they would not mind having AOL
> deliver their mail for them, as smarthost? Honestly, nobody likes to be "in
> ward" like that. It is as if your ISP would tell you, one day, that you can
> no longer provide an IHAVE newsfeed, but have to use their news server's
> POST command. Yeah, right. :) I have yet to encounter an administrator who
> would not mind yielding to such condescension.

Get another ISP then.

> The main purpose of a mail exchanger is to exchange mail. :) Perhaps the
> focus on spam has caused it, but many people look on this backwards: as the
> administrator of your mail facility, your primary task is NOT to block
> illegitimate mail, but to facilitate the flux of legitimate mail. If you can
> do the former, kudos to you; but if you do it at great expense of the
> latter, then you should not be commended. What is that, you say? Omelets and
> breaking a few eggs? Sabotaging large parts of the Internet does not an
> omelet make; in fact, you will only have done precisely that: broken things.

When spam eats so many resources that it impairs regular mail delivery,
blocking it becomes a very large part of one's job, to ensure that spam no
longer affects mail delivery. Blocking people who run MTAs in spite of
their AUP is part of that, and effective to boot. The few legit sites that
get blocked in the process are the broken eggs, and not really a problem.

> You guys really need to rethink this.

I suggest you rethink your position.

> - Mark

Adam
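The two technical points the exchange above turns on are which IP a receiving MX can actually act on (the connecting hop recorded in the Received header its own relay stamped, not the From: line or any header a stranger wrote further down) and whether that IP sits in netblocks the owning ISP tags as a dynamic pool. The following is an added example written for this thread; it is not code from either correspondent or from FreeBSD. Hostnames, the netblocks (203.0.113.0/24, 198.51.100.0/25 and 192.0.2.0/24 are documentation ranges), the pool-style PTR name pattern and the RDNS_TABLE that stands in for a live PTR lookup are all constructed so the example runs offline.

```python
"""Decide on an inbound message from the hop that connected to our MX, as the
thread argues, rather than from whatever domain the From: line claims.
Added example; every host, netblock and PTR name below is constructed."""
import ipaddress
import re
from email import message_from_string

# Constructed: pool space our policy treats as dynamic (documentation ranges).
DYNAMIC_NETBLOCKS = [ipaddress.ip_network(n)
                     for n in ("203.0.113.0/24", "198.51.100.0/25")]
# Constructed guess at what dialup/DSL/cable pool PTR names look like; real
# ISPs vary, so a production list would be maintained per provider.
DYNAMIC_RDNS_RE = re.compile(r"^(dsl|ppp|dialup|cable|dhcp|pool|ras)[-.]", re.I)
# Constructed: our own relays; only Received lines stamped by these are trusted.
TRUSTED_RELAYS = {"mx.example.org"}
# Constructed stand-in for a PTR lookup so the example needs no network.
RDNS_TABLE = {"203.0.113.77": "dsl-203-0-113-77.pool.example.net",
              "192.0.2.25": "smtp-out.isp.example.net",
              "192.0.2.200": "ppp-200.ras.example.net"}
# Client IP appears as [a.b.c.d] (Postfix style) or (a.b.c.d) (qmail style).
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def parse_received(header):
    """Return (from_name, client_ip, by_host) for one Received header, or None
    when it has no 'from X ... by Y' clause carrying a bracketed IP."""
    header = " ".join(header.split())  # unfold continuation lines
    m = re.search(r"\bfrom\s+(\S+)\s+(.*?)\bby\s+(\S+)", header, re.I)
    if not m:
        return None
    ip = IP_RE.search(m.group(2))
    if not ip:
        return None
    return m.group(1), ipaddress.ip_address(ip.group(1)), m.group(3)

def originating_hop(msg):
    """Received headers are prepended, so the newest is first. Skip hops between
    our own relays and return the first hop one of them stamped: that IP really
    did connect to us. Everything below it was written by others and may be
    forged, so the policy never reads it. Fail closed if the top line is not ours."""
    for hdr in msg.get_all("Received", []):
        hop = parse_received(hdr)
        if hop is None:
            continue
        from_name, _, by_host = hop
        if by_host not in TRUSTED_RELAYS:
            return None
        if from_name in TRUSTED_RELAYS:
            continue
        return hop
    return None

def classify_ip(ip, rdns_lookup=RDNS_TABLE.get):
    """'dynamic-netblock' if the IP is in tagged pool space, 'dynamic-rdns' if
    its PTR name looks like a pool host, otherwise 'static'."""
    ip = ipaddress.ip_address(str(ip))
    if any(ip in net for net in DYNAMIC_NETBLOCKS):
        return "dynamic-netblock"
    name = rdns_lookup(str(ip))
    if name and DYNAMIC_RDNS_RE.match(name):
        return "dynamic-rdns"
    return "static"

def decide(raw_message, rdns_lookup=RDNS_TABLE.get):
    """Return (action, reason). Direct submissions from dynamic space are refused
    and told to relay via their ISP's smarthost; the From: claim is not consulted."""
    msg = message_from_string(raw_message)
    hop = originating_hop(msg)
    if hop is None:
        return "tempfail", "could not determine the connecting host"
    _, ip, _ = hop
    verdict = classify_ip(ip, rdns_lookup)
    if verdict.startswith("dynamic"):
        return "reject", f"{ip} is {verdict}; relay through your ISP's smarthost"
    return "accept", f"{ip} is {verdict}"

# Constructed: a DSL pool host whose HELO, forged lower header and From: all
# claim a big ISP (stand-in for the 'Hotmail'/'AOL' forgeries in the thread).
FORGED_BIGISP = """\
Received: from dsl-203-0-113-77.pool.example.net (HELO mail.bigisp.example) (203.0.113.77)
  by mx.example.org with SMTP; Fri, 08 Aug 2003 13:53:25 -0000
Received: from mail.bigisp.example (mail.bigisp.example [203.0.113.5])
  by dsl-203-0-113-77.pool.example.net with ESMTP; Fri, 08 Aug 2003 13:50:00 -0000
From: someone@bigisp.example
Subject: forged origin

body
"""
# Constructed: the same kind of DSL customer, but relayed via the ISP's smarthost.
RELAYED_VIA_SMARTHOST = """\
Received: from smtp-out.isp.example.net (smtp-out.isp.example.net [192.0.2.25])
  by mx.example.org (Postfix) with ESMTP; Fri, 08 Aug 2003 13:55:02 -0000
Received: from home-box.customer.example (dsl-198-51-100-9.pool.example.net [198.51.100.9])
  by smtp-out.isp.example.net with ESMTP; Fri, 08 Aug 2003 13:54:00 -0000
From: someone@customer.example
Subject: legitimate, relayed

body
"""

if __name__ == "__main__":
    for sample in (FORGED_BIGISP, RELAYED_VIA_SMARTHOST):
        print(decide(sample))
```

The relayed sample is the case Adam describes: the customer's own address is in pool space, but because the message arrived from the ISP's static outbound relay, the policy accepts it without ever looking at the lower header. The forged sample is the case he raises with "never read a header?": the From: line and HELO name claim a big ISP, but the only hop our relay vouches for is the pool address, and that is what gets refused.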