On Tue, Dec 16, 2003 at 10:13:35PM +0100, Joerg Rossdeutscher wrote:
> Am Di, den 16.12.2003 schrieb ScruLoose um 21:36:
> > On Tue, Dec 16, 2003 at 09:08:12PM +0100, Joerg Rossdeutscher wrote:
>
> > > A mailserver can harm _others_.
> > >
> > > I said that yesterday, and today I find this mailinglist full of
> > > nonsense since one guy is not able to configure his procmail. Now got
> > > what I mean?
> >
> > But his procmail rule would do exactly the same damage whether his mail
> > is routed through a smarthost or sent direct from a local mailserver, so
> > I don't really see how this provides any support for your position.
>
> Yes - but it shows a normal user should use as less "harmful" technology
> as possible.
I don't see how it shows anything of the sort. To me, it shows the
importance of configuring things right. (especially things that can have
an impact on others, of course). You seem to be concluding that
procmail is a "harmful" technology, so people shouldn't use it. That is
not a conclusion I find useful.
<SNIP>
> > Your argument is based on the assumption that an ISP can always be
> > trusted to set up a mailserver right, and the home user (sysadmin of a
> > home LAN, etc.) never can.
> > I've seen enough counter-examples to convince me that this assumption
> > has no merit.
>
> The assumption is not "always" and "never" - but it is "very often" and
> "not so often". This should be compared to the risks of a useless server
> just for fun. The next time there's a security hole in one of the famous
> SMTPs, what do you think, how many of them will fix it soon?
What you say here makes good sense, but the solution that you're
advocating is to block _all_ e-mail from dynamic IPs. This does not
allow any way to distinguish between the "useless server" and the person
who has a legitimate need. So in practice, it absolutely _is_ "always"
and "never".
Rather than make a reasonable attempt to distinguish the actual spammers
and block them, this "solution" makes a sweeping generalization, and
ends up discriminating against servers on the grounds of whether they
have enough money to buy a static IP. I'm not convinced that this will
catch enough spam to be worth the _HUGE_ amount of collateral damage.
> There's nothing bad in giving the power to the users. That's why I use
> linux. Nevertheless there's a responsibility in using that power, i.e.:
> Don't expose services to the net that you don't need. On your machine -
> play what you want, break it, crash it, have fun. But when connecting to
> the net - be responsible.
>
> If you have use in a mailserver: Do it. But I often have the feeling
> that people just like to have a server "like a /real/ server! kewl!"
> with lots of useless risks. Having ftp online for getting a file once a
> year. Hell. After 6 month they don't even remember /which/ ftpd they are
> running. Compare that to a guy whose whole-day-job it is to read
> security bulletins and care for machines. Yes, not all providers work
> that way. But many more than homeusers.
Again, what you're saying here makes perfect sense, but is contradicted
by the solution you're defending. You say "If you have use in a
mailserver: Do it." ... but then you spend the whole thread claiming
that it's acceptable and sensible to discriminate against mailservers
that are on DynIP, which makes it not possible (or at least not
feasible) for most people to run their own mailserver whether they have
legitimate use for it or not.
The problem with DynIP blocking is that the stroke is too broad, the
instrument is too blunt. It's like carpet-bombing a city to kill the
couple of hundred mobsters that live there. Sure, you have a good
chance of getting those bad guys, but how many innocent people is it
acceptable to take out in the process?
And, given the popularity of online blacklists that track IPs that are
_actually__used_ by spammers, how does it make any sense to move
backwards from something that's more accurate, in favour of something
that's much, MUCH less accurate?
Anyway, I don't expect that you're making policy for AOL, so I think
I've finished with this argument, unless someone can turn it into a
discussion of effective ways to make providers _stop_ this practice.
;-)
Cheers!
--
-------------------------------<<ScruLoose>>-------------------------------
I'm glad I fought, I only wish we'd won.
- Bob Dylan
--------------------------<<Please do not CC me>>--------------------------
Attachment:
pgpq2kFouSm2r.pgp
Description: PGP signature