on Tue, Sep 21, 2004 at 05:52:12PM -0600, Allan Poindexter wrote:
Daniel> The only responsible thing to do is filter port 25, Daniel> smarthost for your users, and inform them about using the Daniel> alternate submission port with authenticated SMTP in order Daniel> to work with enterprise mail servers - or IPSec VPNs, for Daniel> that matter. This is simply the best practice, at this point Daniel> in time. Using humans ("dedicated staff person") to stop Daniel> spam isn't scalable - automated processes are sending this Daniel> stuff, we need systematic ways to fight it - black/white Daniel> lists, SPF, port 25 filtering, bayesian filtering and other Daniel> tools.
Let's put this in perspective. Say a hypothetical sysadmin were to disable any and all authentication on his SSH server. And that someone then used SSH from your network to run code that sysadmin didn't like on that machine. Would you then consider it reasonable if the sysadmin proposed:
The only responsible thing to do is filter port 22, smarthost for your users, and inform them about using the alternate submission port with authenticated SSH in order to work with enterprise SSH servers - or IPSec VPNs, for that matter. This is simply the best practice, at this point in time.
OK, now let's make it more in line with modern practice: Say a protocol more or less completely lacked server-server authentication, or a way to distinguish between client and server, and that then every day, for ten years, hundreds and thousands of professional criminals used weaknesses in the monopoly OS to plant software completely under their control on fifty million (or so) of these vulnerable hosts, and then took advantage of the aforementioned weakness in the protocol to own anywhere from a quarter to 90% of all inbound transmissions to your server- all selling illegal, immoral, or extralegal services and products, to the point that some users of that protocol literally drown in said deluge, and also that a major proportion of said submissions were addressed to users who don't exist, never existed, only exist because of inventive viruses (see "monopoly OS"), or completely fictional and created by aforementioned professional abusers, and sold to other naive abusers, or were the helpful notices provided to said forged addresses after accepting the submissions, rather than rejecting at submission time. Oh, and outbound connections aren't expected from the vast majority of those hosts. Yes, I think this a reasonable response to use everything at our disposal to refuse the majority of the unwanted submissions. But hey, I'm just a mail admin with 65% inbound mail identified as abusive. Obviously I don't have any of these hypothetical concerns. -- join us! http://hesketh.com/about/careers/web_designer.html join us! hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!