Date: Fri, 08 Aug 2003 12:54:24 GMT From: Mark <admin@asarian-host.net> To: "Doug Poland" <doug@polands.org>, "Lucas Holt" <luke@foolishgames.com> Cc: questions@freebsd.org Subject: Re: ISPs blocking SMTP connections from dynamic IP address space Message-ID: <200308081254.H78CSAXU052003@asarian-host.net> References: <E4D2BB5E-C84B-11D7-BC98-0030656DD690@foolishgames.com>
next in thread | previous in thread | raw e-mail | index | archive | help
----- Original Message ----- From: "Lucas Holt" <luke@foolishgames.com> To: "Doug Poland" <doug@polands.org> Cc: "Nicole" <nicole@daemontech.com>; <questions@freebsd.org> Sent: Wednesday, August 06, 2003 10:24 PM Subject: Re: ISPs blocking SMTP connections from dynamic IP address space > You guys need to rethink this thing. Reverse DNS checks are ok, but > ip blocking for legitimate servers is silly. I agree. You guys really need to rethink this. My turn to vent. :) For starters, what is "dynamic IP address space" anyway? You would think dialup-accounts or, at the very least, accounts that get their IP address assigned from a dynamic IP address pool. Yet, reading this thread, "dynamic IP address space" basically seems to mean: everyone who is not a major ISP. There are many things wrong with that simplistic reasoning. For one, just because whois.arin.net says a netblock is a "dynamic" address pool, does not mean IP addresses assigned to customers are, de facto, dynamic. In fact, especially with high-speed DSL accounts, ere the opposite is true: people get assigned what to them, and to the world at large, for all purposes and intent, is a static IP address. In exchange for money, their ISP has grants them the exclusive use of a fixed IP address. They register domain names on that IP address, and continue to use that one, unchanging IP address for all interactions with the world. Literally thousands of legitimate servers across the world run on such a (set of) static IP address(es), regardless of what their netblock, high up in the ARIN, or kindred, hierarchy is marked down as. When you force all people to use their ISP's smtp server(s), you funnel, as it were, a great number of clients through a single pinhole. Should that one pinhole become blacklisted/blocked, then suddenly thousands of people, en masse, can no longer send mail. Is that likely to occur? Yes. Because spam will also be sent through that same pinhole. AOL will likely cancel the account of the spammer; but spam will nonetheless have been sent through that one pinhole. And then what? Then you are faced with an uncomfortable choice: either I block the AOL smtp servers altogether, or I let them through entirely. What you have lost then, in effect, is the ability to discriminate. So, what then? You will whitelist the AOL smtp servers? That would be stupid. :) Because if there is only one pinhole, whitelisting that one pinhole is tantamount to giving all spammers a huge "passpartout". And since, by your own act of narrow-sightedness, you have chosen to only deal with that one pinhole, you can no longer tell chaff from grain. Way to go, Einstein! Perhaps the greatest fallacy of em all: the ludicrous assumption that large ISP's do not spam. :) The largest sources of spam, their hypocrisy despite, are precisely those big ISP's, like AOL and hotmail, to whom you can write until you see blue in the face, but who do not give a damn, because they are big and know it. Do not be lazy; because you are. :) I know, I have been tempted too, many times, to just block hotmail altogether, and so reduce 70% of all spam. Yet, that would be laziness, really. Taking the easy route, like blocking all what you think is "dynamic" address space, is really just laziness on your part. It is you saying: "I can no longer be bothered to figure out who is legit and who is not, so I will just block everything." That is bad administration. Crying, "But SOMETHING needs to be done about spam, therefore I am right," is not a valid argument either. :) Sure, SOMETHING needs to be done about spam. But blocking thousands of legitimate servers across the world, just because you are lazy, is not the solution. Be meticulous in who you block, and be specific. Simply configuring your mail server to use your ISP's smtp as smarthost, and relay all outgoing email trough them, is not as transparent and benign a solution as suggested. You lose control over the way mail is being delivered/bounced, for instance. All of a sudden your clients get bounce-messages from the postmaster of your ISP, instead of from you directly -- with all the ensuing confusion to boot. Can the freebsd.org people look me in the eye, and really say they would not mind having AOL deliver their mail for them, as smarthost? Honestly, nobody likes to be "in ward" like that. It is as if your ISP would tell you, one day, that you can no longer provide an IHAVE newsfeed, but have to use their news server's POST command. Yeah, right. :) I have yet to encounter an administrator who would not mind yielding to such condescension. The main purpose of a mail exchanger is to exchange mail. :) Perhaps the focus on spam has caused it, but many people look on this backwards: as the administrator of your mail facility, your primary task is NOT to block illegitimate mail, but to facilitate the flux of legitimate mail. If you can do the former, kudos to you; but if you do it at great expense of the latter, then you should not be commended. What is that, you say? Omelets and breaking a few eggs? Sabotaging large parts of the Internet does not an omelet make; in fact, you will only have done precisely that: broken things. You guys really need to rethink this. - Mark
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200308081254.H78CSAXU052003>