Date: Thu, 4 Feb 1999 01:48:53 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: chat@FreeBSD.ORG
Cc: ports@FreeBSD.ORG
Subject: Re: ports/9864: make rblcheck use relay.orbs.org instead of
Message-ID: <199902040148.SAA14298@usr02.primenet.com>
In-Reply-To: <199902040109.RAA15905@kithrup.com> from "Sean Eric Fagan" at Feb 3, 99 05:09:20 pm
> A growing number of ISPs are preventing, at the firewall level, their dial-up
> customers from connecting to SMTP (and others, for that matter) ports. This
> is a good thing, since about 90% of the spam I get these days is from a
> dial-up customer who bypassed his ISP's mail server (since doing so would have
> resulted in their theft being noticed much earlier).
>
> The DUL is the result of people trying to get dialups added to the RBL, most
> notably UUNET's. That wasn't going to happen, since the RBL is used too often
> as a BGP feed, and placing a group of dialup addresses on that would result in
> not being able to access any portion of the internet.
>
> It is also possible to get a netblock removed from the DUL, although it is
> somewhat harder than it is with the RBL (so I'm told).
>
> I have absolutely no sympathy for you, or anyone else affected by this -- all
> it means is you have to use your ISP's mail relay, or find someone willing to
> relay for you. You don't like it, tough -- but you were going to lose it
> anyway, as more and more ISPs go with firewalls and redirectors. If you want
> to run a server, then you should not be using a dialup pool; if your ISP
> doesn't have anything but that, then you'll have to get your ISP to talk to
> the DUL folks, if they end up on it. (And a netblock will only end up on the
> DUL after spam is sent from it -- it's not pre-emptive.)

Actually, ORBS is preventing all multilevel relay. If an ISP is willing to relay from a dialup that belongs to the ISP, then they go onto the ORBS list (Primenet just made the list today, in fact).

The problem with this is that there are legitimate reasons for multilevel relay, starting with bastion hosts acting as corporate mail relays for interior hosts. Also tarred with the same brush is any "thin server" or "appliance" type device that uses dialup with a dynamic rather than a static IP.
While we are all looking forward to the day when IPv6 is deployed, or someone implements Dynamic DNS updates from RADIUS credential based authentication as a public reference implementation for UNIX hosts (a la Microsoft's IAS, which already supports this), neither of these looks like it is going to happen any time soon.

The correct way to deal with this is source host certificate based credentials, verified via DNS, and proxiable through credential verification via email and/or virtual domain MX in DNS.

Killing all multilevel relay goes further down the evil road that started with damaging the ability to allow source routing to overcome network failures following a nuclear war.

What the RBL should *really* be enforcing is not allowing relay from machines not enforcing via the RBL; instead, it's this second order thing, with an assumption of end-to-end connectivity.

The RBL could do this with a server RBL forward lookup for a "name" in a randomly chosen 32 bit space that rotates contents at intervals. The client would have to do an RBL lookup to be able to respond to the challenge.

Alternately, a certificate system would allow incremental upgrade of servers with less dire consequences, since if a server were not presented a certificate before the "MAIL FROM:" when EHLO returned that the server supported the "CALLERID" ESMTP extension, the server could then ask the certificate authority "would you sign for this server if the server asked you to sign for it?". All transparent, and the load associated with not using a certificate is pushed into a (potentially) large latency for the legacy client getting a positive response to the "MAIL FROM:". Mild punishment for a failure to upgrade.

You could offer blanket exceptions for internal (local network) clients, and you could require dialup clients to register before you relay for them.
If the people who are doing this get their way, there will be no way to send mail from one dialup server to another, unless both *happen* to be dialed in at the same time and using static IPs (or DDNS) so they can find each other's SMTP port via direct connection. This would be Bad(tm).

You don't need the government to pass laws to screw up the Internet if you are willing to screw it up yourself. Taking the wire cutters to the intentionally redundant *on purpose* architecture is just plain stupid. 8-(.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.
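The challenge mechanism sketched in the message above (a server-issued "name" in a rotating 32-bit space that only a client willing to query the RBL can answer), worked through as an added in-process simulation; this is not code from the thread, from rblcheck, or from any RBL operator. The RBL zone, the receiving MTA, and the clients are all stand-ins, and using an HMAC over a per-interval random key to fill the name space is an assumption about how the "rotating contents" would be produced.

```python
import hashlib
import hmac
import secrets


class RotatingRbl:
    """Constructed stand-in for the RBL zone: a forward lookup of a 32-bit
    "name" returns an answer that changes every time the zone rotates."""

    def __init__(self):
        self.key = secrets.token_bytes(16)  # assumed per-interval zone key

    def rotate(self):
        # A new interval: every previously fetched answer goes stale.
        self.key = secrets.token_bytes(16)

    def lookup(self, name):
        if not 0 <= name < 2 ** 32:
            raise ValueError("name outside the 32-bit space")
        return hmac.new(self.key, name.to_bytes(4, "big"), hashlib.sha256).hexdigest()


class ChallengingServer:
    """Receiving MTA: relays only for a client that answers a fresh challenge."""

    def __init__(self, rbl):
        self.rbl = rbl
        self.pending = {}  # session -> challenged name

    def challenge(self, session):
        name = secrets.randbelow(2 ** 32)
        self.pending[session] = name
        return name

    def verify(self, session, answer):
        name = self.pending.pop(session)
        # The server checks the answer with its own RBL lookup; no shared
        # secret with the client is needed, only that both consult the RBL.
        return hmac.compare_digest(self.rbl.lookup(name), answer)


def participating_client(rbl, name):
    return rbl.lookup(name)  # client that does the RBL lookup


def legacy_client(rbl, name):
    return "no RBL lookup here"  # client that ignores the RBL entirely


def run_exchange(rbl, client, session="s1"):
    server = ChallengingServer(rbl)
    return server.verify(session, client(rbl, server.challenge(session)))


def replay_after_rotation(rbl, session="s2"):
    # An answer fetched in one interval is presented after the zone rotated.
    server = ChallengingServer(rbl)
    answer = participating_client(rbl, server.challenge(session))
    rbl.rotate()
    return server.verify(session, answer)
```

The rotation is what keeps a client from answering out of a cache it filled once and never refreshed; the cost for the legacy client is simply a refused relay.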