
Re: Technical mail setup question

On Fri, Jun 04, 1999 at 10:59:26AM +1000, Craig Sanders wrote:
> > There's the rub.  What about those people who don't have a static IP
> > or a static hostname?  They can't use their firewall box as a relay.
> > More than likely, the box can't be configured with a suitable real
> > Internet-wide hostname to use when talking to the ISP's relay.
> they can use their ISP's mail relay or beg/buy a uucp-over-tcp service,
> or run a ssh tunnel to a friendly mail host somewhere, or one of many
> other cheap or free options. internet technology is extremely flexible
> if you know how to use it.

I'm unsure about the validity of using an ISP's relay as a "secure"
way of sending mail.  Insofar as running ssh tunnels, that would be
feasible if a person is well-connected (in a people-networking sense),
but would be totally useless for someone otherwise technically competent who
for whatever reason doesn't know anyone with a friendly mail host or
the means to establish one.  However small a minority those people may
be, it's my opinion that they shouldn't be treated as lepers simply
because the only means they have of sending e-mail is from a dialup
ISP service (with or without relay--I'll explain this later).

> there's a right way and a wrong way to do HELO/EHLO checks.
> checking that the HELO/EHLO line is a valid hostname/domain name is
> reasonable (but not really necessary). checking that it exactly matches
> the .in-addr.arpa domain name is unreasonable because it limits what
> their users can do *without* serving any useful purpose.

Alright.  Thank you for clearing that up.

> no, there is no authentication for SMTP.

Which I suppose is part of the problem vis-a-vis unwanted spam.

> smart ISPs allow their own IP addresses to relay through them and deny
> relaying for anyone else.

Yes, that's just (un)common sense.

> some ISPs even allow relaying for their customers with some sort of
> POP-before-SMTP "authentication"...the user makes a POP connection with
> username and password, and the server adds the user's IP address to the
> list of relay-allowed IP addresses for the next 5 or 10 or 30 minutes.
> it's easy enough to hack in support for this to most POP daemons.

Interesting idea.  I suppose that would be a somewhat effective
replacement for authentication via SMTP.

> > Even if there is authentication involved, this won't stop spammers
> > from using throw-away ISP accounts.  If they're able to hop from one
> > account to the next on an ISP to send spam directly from their box to
> > a recipient (presumably because the ISP is nuking the previous account
> > each time people complain),
> this is why DUL RBLs are necessary.

How exactly do the DUL RBLs work?  Do they just ban classes of dialup
IP addresses, or do they also ban ISPs who open relay or use dumb
verification methods?  Although I'm not particularly comfortable with
either idea, the latter method makes more sense to me than the

What you did not answer, though I don't remember if I asked it
straight out or implied it, is given that an ISP does all of the
"right" things (i.e., only relaying mail from their own IP addresses
or known users via POP authentication), how is that going to prevent
the spread of spam?  A spammer sending point-to-point spam from a
dialup IP straight to a target or relayed spam through his ISP's mail
relay is still spam.  I fail to see how rejecting mail from all
dial-up IP accounts is going to prevent a determined spammer when a
legitimate mail relay can be (w/o the ISP's knowing) used by said
spammer.  And if the ISP gets complaints about said user using their
relay and nukes their account, how is it any different if the
determined spammer sets up a new account and uses a relay or sends
straight from a dynamic IP server?

> "authentication" (i.e. allowing relay based on) From address is just
> plain stupid.  From addresses can be faked with trivial effort...in
> fact, no effort at all is required.

Agreed, although it wouldn't surprise me if some ISPs do this kind of

> the only use for checking domains in From_ or From: checks
> is to make sure that the mail has a valid reply address. if
> it doesn't have one then it is almost certainly spam (e.g.
> teensluts36@2383736xxjjz.com)....for the tiny percentage of these which
> aren't spam then it is better to bounce it to let the hapless author
> know that they have misconfigured their mail client rather than leave
> them wondering why they never get any replies to their mail.

This is perfectly reasonable.  After all, if a message doesn't have a
From or Reply-To that points to a real address, what's the point in
sending it?

I'd like to thank you for the reasoned reply.  Based upon your other
messages in this thread I had come to the conclusion that you were an
irrational loon incapable of spouting anything but rhetoric.  I'm glad
to see that I wasn't wholly correct in that assessment.

Still, it does trouble me that the mentality of "let's ban all mail
from dynamic ISP accounts" argument seems eerily similar to the
anti-crypto arguments made by certain governments.  Saying "a criminal
might use crypto, so let's ban crypto!" implying that crypto has no
legitimate use sounds to me an awful lot like saying that sending mail
from dynamic IPs has no legitimate use because spammers also happen to
make use of it.  Perhaps I'm reading more into this than I should,

                               |  Men say of women what pleases them; women do
 Brian Cox (coxbrian@msu.edu)  |           with men what pleases them.
                               |                       -- DeSegur
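
Added example, not part of the original message or of any mail server's code: a sketch of the relay decision the thread describes, combining "relay only for the ISP's own addresses" with the POP-before-SMTP window. The class name, method names, networks and domains are all assumptions made up for illustration.

```python
import ipaddress


class RelayPolicy:
    """Relay decision for an SMTP server using POP-before-SMTP (hypothetical)."""

    def __init__(self, own_networks, local_domains, window_seconds=600):
        self.own_networks = [ipaddress.ip_network(n) for n in own_networks]
        self.local_domains = {d.lower() for d in local_domains}
        self.window = window_seconds
        self.pop_seen = {}  # client IP -> time of last successful POP login

    def record_pop_login(self, client_ip, now):
        """Called by the POP daemon after a username/password check succeeds."""
        self.pop_seen[ipaddress.ip_address(client_ip)] = now

    def expire(self, now):
        """Drop entries older than the window so the table stays small."""
        self.pop_seen = {ip: t for ip, t in self.pop_seen.items()
                         if now - t <= self.window}

    def decide(self, client_ip, rcpt_to, now):
        """Return (allowed, reason) for one RCPT TO from client_ip."""
        ip = ipaddress.ip_address(client_ip)
        domain = rcpt_to.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return True, "local delivery"   # inbound mail, not a relay request
        if any(ip in net for net in self.own_networks):
            return True, "own network"
        seen = self.pop_seen.get(ip)
        if seen is not None and now - seen <= self.window:
            return True, "recent POP login"
        return False, "relaying denied"


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges and domains).
    policy = RelayPolicy(["192.0.2.0/24"], ["example.net"], window_seconds=600)
    print(policy.decide("203.0.113.7", "user@example.org", now=0))
    policy.record_pop_login("203.0.113.7", now=100)
    print(policy.decide("203.0.113.7", "user@example.org", now=400))
    print(policy.decide("203.0.113.7", "user@example.org", now=701))
```

The authorization here is tied to an IP address rather than to the user, so whoever holds that address for the rest of the window (a reassigned dialup address, other hosts behind the same NAT) can relay as well.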
