[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Which Spam Block List to use for a network?

On Tue, Jun 22, 2004 at 11:37:41AM +0200, Niccolo Rigacci wrote:
> You want to block spam or viruses, this is OK but you are on the
> wrong way.

no, it's absolutely the right way.  a large percentage of spam and
almost all viruses come direct from dynamic IP addresses.  block
mail from them and you instantly block most of the problem.

> I work for a firm and we ave about 150 Debian servers installed
> to customers sites, they are connected with adsl. The IP ranges
> are owned by the largest Italian provider and they are listed as
> dynamic ones, despite the fact that they are assigned in a static
> way. Our customers run their own mail server with SMTP, POP3,
> IMAP, and webmail.

1. 150 customers may be a large enough block to get the ISP to allocate IP
addresses from a different block.

2. if you're using dynamic ip addresses because it's a cheaper option than
static, then you've just discovered that if you pay for a lower-quality service
then that is what you get.

3. if the IP addresses really are statically assigned and just happen to be in
a netblock that whois claims is dynamic, then most dialup RBLs will adjust
their zone file if the ISP provides some proof of that fact.

> You have to explain to me why you are blocking their mails.

no, he doesn't.  his mail server, his rules.  

> You also have to explain to me why do you want to force them to use a smart
> host for their outgoing mails.

again, he doesn't have to explain but it is because they have dynamic IP
addresses and dynamic IP addresses should not attempt to deliver mail direct to

> They have purchased bare adsl connectivity, why do you want force them to
> purchase also smtp service from an ISP?

they do not have to purchase smtp service from an ISP.

you have 150 debian boxes there.  that's 150 people to share the cost of a
co-located host (available for approx $50 US per month - or even less.  i.e.
less than 33 cents each per month).  all of those 150 boxes could use the
co-located machine as the smart host.  end of problem.  no reliance on some
ISP's crappy mail server, no DNSRBL listing due to dynamic IP addresses.  it
can act as outbound relay and optionally as inbound MX (although that's not a
good idea unless you can keep the local recipients list for all 150 machines up
to date on the co-lo box)

use tunnels, uucp-over-tcp, smtp auth, SSL certificate based relaying or any
one of a dozen other methods to allow your 150 mail servers to relay through
the co-lo box without being an open relay.

if you don't have the skill, or couldn't be bothered doing what it takes to
make it work, then you really shouldn't be operating mail servers on the public

> You are following an unexistant cause-effect link and you are wasting your
> time. For a virus writer it is a metter of an hour to change his code to post
> to the isp's smtp server instead of posting directly. 

virus writers don't do this for the same reasons that spammers don't.  that is
partly because they'd have to customise their virus for each individual ISP,
but mostly it is because ISPs keep track of mail flowing through their servers.
an ISP's mail server is an excellent place to block viruses - they can and do
run AV scanners, rate-limiters.

in any case, if virus writers did this then that would be a good thing.  we
want ISPs to take responsibility for their customers use and abuse of the net.

> Now you have an huge infrastructure (dynaddr lists) perfectly useless that do
> big harm to the network.

no, they're not doing harm.  they're doing a good job of enabling those who do
no want to accept mail from dynamic/dialup IP addresses to automatically reject
mail from those sources.

nobody is forcing you to block mail on that criteria, but you also have no
right to prevent (or even whine about the fact) other people from rejecting
mail from THEIR servers for that reason.  their server, their rules.


craig sanders <cas@taz.net.au>

The next time you vote, remember that "Regime change begins at home"

Reply to: