Greetings,

Let me explain the situation and see if I can get anyone to tell me how they are handling it.

We are offering wholesale dialup ports. When a user connects he is authenticated and can do whatever it is he/she wants to do on the net. Unfortunately some have decided that they will relay spam off of other servers.

To address this I have proposed installing filters that will only allow these folks to connect to port 25 of the ISP that has bought the ports. This way they are not able to relay off of anyone else's machine that is using port 25 and the buyer of the ports should have the correct measures set up to prevent bulk mail from going out.

Will this be sufficient, providing that the server they are allowed to connect to has set up his mail server to prevent massmailing..?

Suggestions/comments?

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
| Harold Willison AGIS Network Engineering |
* Senior Network Engineer 313-730-5151 *
| noc@agis.net 313-730-1130 x-5649 |
| harold@agis.net 24 hours a day, 7 days a week |
| http://www.agis.net |
\*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/
On Wed, Oct 28, 1998 at 06:23:09PM -0500, Harold Willison wrote:
Will this be sufficient, providing that the server they are allowed to connect to has set up his mail server to prevent massmailing..?
This is off topic for this list, really; but I'd be happy to discuss this with you. Can we talk about this off the list? Thanks. -- Steve Sobol [sjsobol@nacs.net] Part-time Support Droid [support@nacs.net] NACS Spaminator [abuse@nacs.net] Spotted on a bumper sticker: "Possum. The other white meat."
At 06:23 PM 10/28/98 -0500, Harold Willison wrote:
Greetings,
Let me explain the situation and see if I can get anyone to tell me how they are handling it.
We are offering wholesale dialup ports. When a user connects he is authenticated and can do whatever it is he/she wants to do on the net. Unfortunately some have decided that they will relay spam off of other servers.
This is a problem.
To address this I have proposed installing filters that will only allow these folks to connect to port 25 of the ISP that has bought the ports. This way they are not able to relay off of anyone else's machine
The problem is for companies like ours that live by selling mail accounts to users of other ISPs. They need POP and SMTP access to our mail servers, from wherever they are calling. We are running sendmail v8.9.1 with all the anti-relay stuff and RBL besides. The problem you have is the same one we have for secured SMTP, maybe easier. How do you tell the site is secure? In this case testing for open relays is well known. What I really suggest, and this takes some work on your part, is to contact the site's admin and inform them of their open-relay status. If they won't close the relay, block them. Alternatively, you can assume that if they haven't gotten their relays closed by now they are too clue-less to do so and block them immediately, with notification.
that is using port 25 and the buyer of the ports should have the correct measures set up to prevent bulk mail from going out.
Will this be sufficient, providing that the server they are allowed to connect to has set up his mail server to prevent massmailing..?
Suggestions/comments?

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
| Harold Willison AGIS Network Engineering |
* Senior Network Engineer 313-730-5151 *
| noc@agis.net 313-730-1130 x-5649 |
| harold@agis.net 24 hours a day, 7 days a week |
| http://www.agis.net |
\*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/
___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: rmeyer@mhsc.com
Internet phone: hawk.mhsc.com
Personal web pages: www.mhsc.com/~rmeyer
Company web-site: www.mhsc.com/
___________________________________________
I bet the human brain is a kludge. -- Marvin Minsky
On Wed, Oct 28, 1998 at 04:54:30PM -0800, Roeland M.J. Meyer wrote:
What I really suggest, and this takes some work on your part, is to contact the site's admin and inform them of their open-relay status. If they won't close the relay, block them. Alternatively, you can assume that if they haven't gotten their relays closed by now they are too clue-less to do so and block them immediately, with notification.
This works for sites that (a) speak English (b) have a clue (c) aren't steeped in a dozen levels of bureaucracy that make it hard to push changes like this through. I don't think Harold's idea is a bad one. -- Steve Sobol [sjsobol@nacs.net] Part-time Support Droid [support@nacs.net] NACS Spaminator [abuse@nacs.net] Spotted on a bumper sticker: "Possum. The other white meat."
[ On Wed, October 28, 1998 at 18:23:09 (-0500), Harold Willison wrote: ]
Subject: Despamming wholesale dialup
To address this I have proposed installing filters that will only allow these folks to connect to port 25 of the ISP that has bought the ports. This way they are not able to relay off of anyone else's machine that is using port 25 and the buyer of the ports should have the correct measures set up to prevent bulk mail from going out.
That's an *excellent* solution! I'm *very* happy that any ISP in your position would choose it, and doubly happy that you have! -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
Harold Willison writes:
We are offering wholesale dialup ports. When a user connects he is authenticated and can do whatever it is he/she wants to do on the net. Unfortunately some have decided that they will relay spam off of other servers. To address this I have proposed installing filters that will only allow these folks to connect to port 25 of the ISP that has bought the ports. This way they are not able to relay off of anyone else's machine that is using port 25 and the buyer of the ports should have the correct measures set up to prevent bulk mail from going out. Will this be sufficient, providing that the server they are allowed to connect to has set up his mail server to prevent massmailing..?
We do this already. AT&T Canada has already committed to doing this. It will not totally stop spam, but it will impact the way it is done now, and will force the spammers to pound the mail server of their own ISP to get the bulk mail out, instead of spreading the load over the net. That may successfully break many bulk mail programs. I would suggest doing it. Keep in mind one point. Many people who have domains hosted at various web providers, where they pick up their mail there, too, use dialup providers like you and/or your resellers for actual connectivity of their PCs since they don't get that through the web provider that hosts their domain. What that means is that many legitimate dialup customers will be sending their mail _FROM_ a domain name that is NOT one that the dialup provider or reseller is necessarily configured to recognize. Often such outgoing mail is blocked as "source forgery" and these people just use the SMTP server at their web provider. The above breaks this. So some kind of alternative needs to be provided. We do this only for dynamically addressed dialups. This is done through RADIUS so I can turn it off individually per account, and do so on a case by case basis with explanation of need. This might mean adding a new field to your customer account database. I call mine "allow_smtp". -- -- *-----------------------------* Phil Howard KA9WGN * -- -- | Inturnet, Inc. | Director of Internet Services | -- -- | Business Internet Solutions | eng at intur.net | -- -- *-----------------------------* philh at intur.net * --
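The per-account filtering described in the message above, sketched as an added example that is not part of the original thread or any poster's actual configuration. Only the `allow_smtp` field name comes from the thread; the other `Account` fields, the rule tuple format and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

SMTP_PORT = 25
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Account:
    # Hypothetical RADIUS-backed account record; only "allow_smtp" is named in the thread.
    username: str
    reseller_relays: tuple    # SMTP servers of the ISP that bought the ports
    dynamic_ip: bool          # dynamically addressed dial-up session?
    allow_smtp: bool = False  # per-account exception to the port 25 filter

def build_session_filter(acct):
    """Ordered (action, proto, dst_net, dst_port) rules; first match wins."""
    rules = []
    if acct.dynamic_ip and not acct.allow_smtp:
        for relay in acct.reseller_relays:
            rules.append(("permit", "tcp", ipaddress.ip_network(relay), SMTP_PORT))
        # Everything else on port 25 is dropped, so third-party relays are unreachable.
        rules.append(("deny", "tcp", ANY_NET, SMTP_PORT))
    rules.append(("permit", "any", ANY_NET, None))  # all other traffic is untouched
    return rules

def evaluate(rules, proto, dst_ip, dst_port):
    """Return the action of the first rule matching the flow (default deny)."""
    dst = ipaddress.ip_address(dst_ip)
    for action, r_proto, net, port in rules:
        if r_proto in ("any", proto) and dst in net and port in (None, dst_port):
            return action
    return "deny"

# Constructed sample data: documentation-range addresses, not real servers.
RESELLER_RELAY = "192.0.2.25"
WEB_HOST_MAIL = "198.51.100.10"

def demo():
    default = Account("dyn-user", (RESELLER_RELAY,), dynamic_ip=True)
    excepted = Account("dyn-user-ok", (RESELLER_RELAY,), dynamic_ip=True, allow_smtp=True)
    out = {}
    for acct in (default, excepted):
        rules = build_session_filter(acct)
        out[acct.username] = {
            "reseller:25": evaluate(rules, "tcp", RESELLER_RELAY, 25),
            "webhost:25": evaluate(rules, "tcp", WEB_HOST_MAIL, 25),
            "webhost:110": evaluate(rules, "tcp", WEB_HOST_MAIL, 110),
        }
    return out

if __name__ == "__main__":
    for user, verdicts in demo().items():
        print(user, verdicts)
```

The `webhost:25` verdict for the default account is the breakage the message warns about: POP to the web host still works, but sending through its SMTP server does not unless the exception is set.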
[ On Wed, October 28, 1998 at 19:47:01 (-0600), Phil Howard wrote: ]
Subject: Re: Despamming wholesale dialup
Keep in mind one point. Many people who have domains hosted at various web providers, where they pick up their mail there, too, use dialup providers like you and/or your resellers for actual connectivity of their PCs since they don't get that through the web provider that hosts their domain. What that means is that many legitimate dialup customers will be sending their mail _FROM_ a domain name that is NOT one that the dialup provider or reseller is necessarily configured to recognize. Often such outgoing mail is blocked as "source forgery" and these people just use the SMTP server at their web provider. The above breaks this. So some kind of alternative needs to be provided.
I do not think any alternative is required, at least not for the general dial-up access account (see below). People cannot have their cake and eat it too. I think some of these situations have taken the "virtual" business just a bit further than is practical and now the rest of us are suffering under enormous spam loads as a result. Even worse, of course, are those virtual ISPs which attempt to offer SMTP servers too. I would suggest that the only viable way these types of businesses should operate is by using some kind of third-party roaming service (eg. iPass) whereby the user is authenticated at the virtual ISP and at least in theory then the roaming service could pass back authorized SMTP server IP numbers, etc. which could be installed in the dial-up filters once the user has been authorized. These sorts of arrangements do require agreements between the virtual ISP and the dial-up provider though -- either through an access broker like iPass, with direct relationships.
We do this only for dynamically addressed dialups. This is done through RADIUS so I can turn it off individually per account, and do so on a case by case basis with explanation of need. This might mean adding a new field to your customer account database. I call mine "allow_smtp".
Specifically authorized exceptions to filter policies are OK, especially when they help further cement the relationship between a customer and his/her ISP. Hopefully you charge a service fee for making such exceptions though! ;-) -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
Greg A. Woods writes...
We do this only for dynamically addressed dialups. This is done through RADIUS so I can turn it off individually per account, and do so on a case by case basis with explanation of need. This might mean adding a new field to your customer account database. I call mine "allow_smtp".
Specifically authorized exceptions to filter policies are OK, especially when they help further cement the relationship between a customer and his/her ISP. Hopefully you charge a service fee for making such exceptions though! ;-)
Not for dedicated accounts. Dialup accounts have to pay for a static IP address to get it ($5/mo for first IP). Non-static just don't get it at all. -- -- *-----------------------------* Phil Howard KA9WGN * -- -- | Inturnet, Inc. | Director of Internet Services | -- -- | Business Internet Solutions | eng at intur.net | -- -- *-----------------------------* philh at intur.net * --
At 11:27 PM 10/28/98 -0500, Greg A. Woods wrote:
[ On Wed, October 28, 1998 at 19:47:01 (-0600), Phil Howard wrote: ]
Subject: Re: Despamming wholesale dialup
Keep in mind one point. Many people who have domains hosted at various web providers, where they pick up their mail there, too, use dialup providers like you and/or your resellers for actual connectivity of their PCs since they don't get that through the web provider that hosts their domain. What that means is that many legitimate dialup customers will be sending their mail _FROM_ a domain name that is NOT one that the dialup provider or reseller is necessarily configured to recognize. Often such outgoing mail is blocked as "source forgery" and these people just use the SMTP server at their web provider. The above breaks this. So some kind of alternative needs to be provided.
I do not think any alternative is required, at least not for the general dial-up access account (see below). People cannot have their cake and eat it too. I think some of these situations have taken the "virtual" business just a bit further than is practical and now the rest of us are suffering under enormous spam loads as a result.
I disagree, but the mechanism for implementing this involves making the customer buy an SSH client. They connect with a VPN tunnel and the problem goes away, as long as port 22 is available. The problem is that many firewall admins think port 22 is a security hole (back-door). After all, when the port is named "security" that means you're supposed to block it, right? The point is that often ports 25, 80, and 110 are the only legitimate means of access. We've even had to run SSL on port 80 for some customers because their local firewall only allowed port 80.
Even worse, of course, are those virtual ISPs which attempt to offer SMTP servers too. I would suggest that the only viable way these types of businesses should operate is by using some kind of third-party roaming service (eg. iPass) whereby the user is authenticated at the virtual ISP and at least in theory then the roaming service could pass back authorized SMTP server IP numbers, etc. which could be installed in the dial-up filters once the user has been authorized. These sorts of arrangements do require agreements between the virtual ISP and the dial-up provider though -- either through an access broker like iPass, with direct relationships.
We do this only for dynamically addressed dialups. This is done through RADIUS so I can turn it off individually per account, and do so on a case by case basis with explanation of need. This might mean adding a new field to your customer account database. I call mine "allow_smtp".
Specifically authorized exceptions to filter policies are OK, especially when they help further cement the relationship between a customer and his/her ISP. Hopefully you charge a service fee for making such exceptions though! ;-)
Your whole scheme fails because of over-loaded middle-man charges. Too many pint-sized bills from too many sources. The accounting alone would be a nightmare.

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: rmeyer@mhsc.com
Internet phone: hawk.mhsc.com
Personal web pages: www.mhsc.com/~rmeyer
Company web-site: www.mhsc.com/
___________________________________________
I bet the human brain is a kludge. -- Marvin Minsky
[ On Wed, October 28, 1998 at 23:40:34 (-0800), Roeland M.J. Meyer wrote: ]
Subject: Re: Despamming wholesale dialup
I disagree, but the mechanism for implementing this involves making the customer buy an SSH client. They connect with a VPN tunnel and the problem goes away, as long as port 22 is available. The problem is that many firewall admins think port 22 is a security hole (back-door). After all, when the port is named "security" that means you're supposed to block it, right? The point is that often ports 25, 80, and 110 are the only legitimate means of access. We've even had to run SSL on port 80 for some customers because their local firewall only allowed port 80.
That's an even better way virtual ISPs can provide access to "virtual" services. (It's better for both the client and the vISP because it means no data in the raw across joe-who's dial-up networks and the rest of the internet.) The issues surrounding this scheme that come from brain-dead firewall administrators who don't really understand what's going on, or from brain-dead users who are ignoring their company security policy and trying to access virtual ISPs from within their company network, are of course very real, but they're not show-stoppers as you've proven.
Your whole scheme fails because of over-loaded middle-man charges. Too many pint-sized bills from too many sources. The accounting alone would be a nightmare.
Actually, no, it doesn't, at least in the case of the one such dial-up brokerage service I mentioned. They do all the accounting for you. It even integrates directly into your own dial-up accounting if you happen to have dial-up ports too. I don't think they currently return the SMTP server's IP to the dial-up provider, but the dial-up provider can probably be reasonably sure that such a user isn't likely to spam. Of course if this method of doing business for bulk dial-up becomes predominant and bulk ISPs begin to block port 25 as described above then it will be necessary for the broker to facilitate transmittal of information necessary for more secure dial-up port filters. -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
Perhaps you should consider outsourcing your email - http://www.cp.net On Wed, 28 Oct 1998, Harold Willison wrote:
Greetings,
Let me explain the situation and see if I can get anyone to tell me how they are handling it.
We are offering wholesale dialup ports. When a user connects he is authenticated and can do whatever
it is he/she wants to do on the net. Unfortunately some have decided that they will relay spam off of other servers.
To address this I have proposed installing filters that will only allow these folks to connect to
port 25 of the ISP that has bought the ports. This way they are not able to relay off of anyone else's machine
that is using port 25 and the buyer of the ports should have the correct measures set up to prevent bulk mail from
going out.
Will this be sufficient, providing that the server they are allowed to connect to has set up his mail server to prevent massmailing..?
Suggestions/comments?
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
| Harold Willison AGIS Network Engineering |
* Senior Network Engineer 313-730-5151 *
| noc@agis.net 313-730-1130 x-5649 |
| harold@agis.net 24 hours a day, 7 days a week |
| <bold><italic> <underline>http://www.agis.net</underline></italic></bold> |<bold><italic>
</italic></bold>\*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/
finger neck@hunter.hating.com
On 11/02/98, mark <neck@hating.com> wrote:
Perhaps you should consider outsourcing your email -
Sssh! That'd mean /we/ have to deal with his spam. *grin* -- J.D. Falk <jdfalk@cp.net> "A name indicates what we seek. Special Agent In Charge (Abuse Issues) An address indicates where it is. Critical Path, Inc. A route indicates how we get there." -- Jon Postel (1943-1998)