I'm surprised to see such poorly considered statements from JD.

Unless SMTP AUTH (just released in sendmail 3 weeks ago) works in every client, and is supported in MS Exchange, then we (that is, we as an operations community) don't have the technology to practically authenticate it yet. I too can write an authenticated SSL client & server to transfer mail between two computers. But it's not useful unless it's widely deployed. Statements to the contrary are just foolishness in an operational context such as a real business. We are running a _BUSINESS_, not a research lab, with one server and one specially developed client.

We don't run relays out of laziness. We went out of our way to enable them. We go out of our way to monitor them for unauthorized use. We would certainly prefer an authenticated mail system. We have to live with what is currently deployed.

What annoys me about the pressure from the junior antispammer league is they go from "gee, you know you can close those relays"

We respond "Yes, we know. We operate them on purpose for business reasons". At times, I've explained these business reasons in detail. The technical conclusion is then that we have to operate relays.

They then jump to "That's unacceptable. You MUST CLOSE THEM".

We say "No. Absolutely not."

They say "Well, in that case we're going to start committing crimes against your service, posting to alt.2600, inciting attacks, and wasting your time, bandwidth, and computer resources until you agree to close them."

We say, that's extortion. We say that crimes against our service are crimes. We report them, and they will eventually get punished, and we will work hard to get paid for the services rendered and the damages done by criminals. We don't tolerate this sort of behavior. Most companies don't.

--Dean
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc          dean@av8.com
LAN/WAN/UNIX/NT/TCPIP        http://www.av8.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
On 11/24/99, Dean Anderson <dean@av8.com> wrote:
> We respond "Yes, we know. We operate them on purpose for business reasons". At times, I've explained these business reasons in detail. The technical conclusion is then that we have to operate relays.
That's YOUR conclusion, Dean. Others have pointed out methods you could use that don't require the relays to be open. You have chosen to ignore them.
> They say "Well, in that case we're going to start committing crimes against your service, posting to alt.2600, inciting attacks, and wasting your time, bandwidth, and computer resources until you agree to close them."
I think everybody on NANOG would agree that what you describe here is an inappropriate response. That does not, however, mean that leaving your relays open is okay.

---------========== J.D. Falk <jdfalk@cybernothing.org> =========---------
| "You can't grep dead trees." |
| -- Eyvind Bernhardsen |
----========== http://www.cybernothing.org/jdfalk/home.html ==========----
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of J.D. Falk
> On 11/24/99, Dean Anderson <dean@av8.com> wrote:
> > We respond "Yes, we know. We operate them on purpose for business reasons". At times, I've explained these business reasons in detail. The technical conclusion is then that we have to operate relays.
> That's YOUR conclusion, Dean. Others have pointed out methods you could use that don't require the relays to be open. You have chosen to ignore them.
I actually still have a mail-hub with open relay. It is strictly for customer use. However, our customers are from all over the place and therefore I cannot restrict access by domain or IP. As has been pointed out before, SMTP AUTH is less than 3 weeks old, unless someone here is willing to go on record as advocating running pre-beta code in a production environment (No? I didn't think so).
> > They say "Well, in that case we're going to start committing crimes against your service, posting to alt.2600, inciting attacks, and wasting your time, bandwidth, and computer resources until you agree to close them."
> I think everybody on NANOG would agree that what you describe here is an inappropriate response. That does not, however, mean that leaving your relays open is okay.
Actually, I had to close down a business service because of this issue and it disrupted a number of other MHSC business initiatives. The main reason is that many of the planned services could not be delivered without some sort of relaying capability. Yes, SMTP AUTH would have done the job (see above about advocating the use of unstable code) but that wasn't, and still may not be, available. MHSC has no desire to become an access provider; we are a services provider, as is Dean. This means that, in order to provide services to someone with an IP address not in our domain, we HAVE to allow for open relays, or not provide the services. Since when did NANOG become a business censor?
On Thu, 25 Nov 1999, Roeland M.J. Meyer wrote:
> unless someone here is willing to go on-record as advocating running pre-beta code in a production environment (No? I didn't think so).
Show me one ISP/NSP out there who isn't running beta or alpha code somewhere in their infrastructure. Never ran an x.0 version of IOS? Never patched a piece of software with an "unsupported" patch to fix an issue affecting service? Never developed such a patch yourself (or had a staff member do so)?
> MHSC has no desire to become an access provider, we are a services provider, as is dean. This means that, in order to provide services to someone, with an IP address not in our domain, we HAVE to allow for open relays, or not provide the services.
Incorrect. It's a customer training issue, and a little development time on your part. If you can't use SMTP AUTH, don't. Use POP-before-SMTP. Whip up a custom finger daemon to accept a username/password pair in the same manner. Create a webpage for your customers to enter a username and password on to authenticate themselves. Use a VPN. Use magic headers or subject lines that your MTA catches and uses as identity verification. Provide a web-based interface for your customers' email. Use UUCP. I could keep going for hours. What you're calling a show-stopper is merely an inconvenience and expense for you. Instead of spending a little time and effort working on a solution and training your customers on its use (or several solutions; let the customer choose one that suits their needs best), you'd prefer to operate an attractive nuisance. The vast majority of service providers have been faced with your exact problem, and have solved it through development on their own, or with the assistance of free tools and patches. Just because you're too lazy/ill-funded to develop a solution to a problem YOU'VE created (by CHOOSING to offer that service to your customers), don't expect us to feel sorry for you.
> Since when did NANOG become a business censor?
Since when did NANOG become a forum for hosting issues? This will be my only post to this thread on this list; take it to inet-access or rbl-discuss, if you must.

--
Edward S. Marshall <emarshal@logic.net>
http://www.xnet.com/~emarshal/
-------------------------------------------------------------------------------
[ Felix qui potuit rerum cognoscere causas. ]
Btw. They, antispammers, have one useful policy. Yes, you can keep OPEN RELAY, if you agree to restrict RELAYING FROM the wrong (existing in the ORBS or other) sources. It's just enough for the business.

Alex R.

On Wed, 24 Nov 1999, Dean Anderson wrote:

> Date: Wed, 24 Nov 1999 17:13:59 -0500
> From: Dean Anderson <dean@av8.com>
> To: J.D. Falk <jdfalk@cybernothing.org>, nanog@merit.edu
> Subject: Re: ARIN whois
>
> I'm surprised to see such poorly considered statements from JD.
>
> Unless SMTP AUTH (just released in sendmail 3 weeks ago) works in every client, and is supported in MS Exchange, then we (that is, we as an operations community) don't have the technology to practically authenticate it yet. I too can write an authenticated SSL client & server to transfer mail between two computers. But it's not useful unless it's widely deployed. Statements to the contrary are just foolishness in an operational context such as a real business. We are running a _BUSINESS_, not a research lab, with one server and one specially developed client.
>
> We don't run relays out of laziness. We went out of our way to enable them. We go out of our way to monitor them for unauthorized use. We would certainly prefer an authenticated mail system. We have to live with what is currently deployed.
>
> What annoys me about the pressure from the junior antispammer league is they go from "gee, you know you can close those relays"
>
> We respond "Yes, we know. We operate them on purpose for business reasons". At times, I've explained these business reasons in detail. The technical conclusion is then that we have to operate relays.
>
> They then jump to "That's unacceptable. You MUST CLOSE THEM".
>
> We say "No. Absolutely not."
>
> They say "Well, in that case we're going to start committing crimes against your service, posting to alt.2600, inciting attacks, and wasting your time, bandwidth, and computer resources until you agree to close them."
>
> We say, that's extortion. We say that crimes against our service are crimes. We report them, and they will eventually get punished, and we will work hard to get paid for the services rendered and the damages done by criminals. We don't tolerate this sort of behavior. Most companies don't.
>
> --Dean
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Plain Aviation, Inc          dean@av8.com
> LAN/WAN/UNIX/NT/TCPIP        http://www.av8.com
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Aleksei Roudnev, (+1 415) 585-3489 /San Francisco CA/
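Added illustration, not code from any poster in this thread: a relay-decision routine that models the alternatives raised above (clients on the provider's own networks, SMTP AUTH, POP-before-SMTP with an expiry window) together with Alex's suggestion of refusing to relay for sources on a blocklist such as ORBS. The domain, networks, window length and the blocklist lookup are constructed assumptions.

```python
import ipaddress
import time

# Constructed sample policy inputs (hypothetical, not any poster's setup).
LOCAL_DOMAINS = {"example.net"}                       # domains we deliver for
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # our own dial-up/LAN
POP_WINDOW = 30 * 60   # seconds a POP login keeps relaying open for that IP


class RelayPolicy:
    """Decide whether an SMTP client may relay to a non-local recipient."""

    def __init__(self, dnsbl_listed, now=time.time):
        self.dnsbl_listed = dnsbl_listed   # callable: ip string -> True if listed
        self.now = now                     # injectable clock, for testing
        self._pop_logins = {}              # ip string -> time of last POP auth

    def record_pop_login(self, client_ip):
        """POP-before-SMTP: a successful POP login authorizes the IP briefly."""
        self._pop_logins[client_ip] = self.now()

    def decide(self, client_ip, rcpt, smtp_authed=False):
        ip = ipaddress.ip_address(client_ip)
        # Mail addressed to our own domains is delivery, not relaying.
        if rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
            return "accept"
        # Relaying is never offered to sources on a blocklist such as ORBS,
        # whatever else they present.
        if self.dnsbl_listed(client_ip):
            return "reject: source listed"
        if any(ip in net for net in LOCAL_NETS):
            return "relay"
        if smtp_authed:
            return "relay"
        last = self._pop_logins.get(client_ip)
        if last is not None and self.now() - last <= POP_WINDOW:
            return "relay"
        # Unknown, unauthenticated client sending to a foreign domain: the
        # open-relay case this thread argues about.
        return "reject: relaying denied"
```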
On Wed, 24 Nov 1999, Dean Anderson wrote:
> We don't run relays out of laziness. We went out of our way to enable them. We go out of our way to monitor them for unauthorized use. We would certainly prefer an authenticated mail system. We have to live with what is currently deployed.
You obviously did go out of your way to enable them, seeing as how there's much better ways out there than having an open relay. Monitoring your servers for unauthorized use won't prevent spam. You don't have to live with open relay, you choose to live with it because you're too incompetent to do it the right way.
> What annoys me about the pressure from the junior antispammer league is they go from "gee, you know you can close those relays"
> We respond "Yes, we know. We operate them on purpose for business reasons". At times, I've explained these business reasons in detail. The technical conclusion is then that we have to operate relays.
> They then jump to "That's unacceptable. You MUST CLOSE THEM".
A perfectly logical thing to say. The Internet is a communications medium, a place of Internet exchange. It is not there to make you money. Just because what you're doing is an accepted business practice (screw the world to make a few bucks), doesn't make it ok, and something that everyone should live with.
> We say "No. Absolutely not."
> They say "Well, in that case we're going to start committing crimes against your service, posting to alt.2600, inciting attacks, and wasting your time, bandwidth, and computer resources until you agree to close them."
So what you're saying is, it's ok for you to screw with the Internet, but it's not ok for the Internet to screw with you? It's ok for you to waste the Internet's time, bandwidth, and resources, but when someone does it to you it's a crime? MMMMMMMKAY

_.,+=~`^"-.,_.,+=~`^"-*.,_.,+=~'`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,
Jesse Schachter .,. Systems Administrator
The Protosource Network .,. Main Number: (888) 643-8558
<JSchachter@PSNW.COM> .,. Fax: (559) 490-8630
_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+*=~`^"-.,_.,+=%~`^"-.,_.,+=~`^"-.,