Re: Getting open smtp servers fixed
- Date: Fri, 11 Sep 1998 17:48:13 +0100 (BST)
> c) filter out all port 25 tcp connections from dialup customers unless
> they are to your smarthost(s).
>
> The spammer can still use the smarthost (much as if they were using an
> open relay, of course) but by forcing all the mail through a
> single point the ISP can more easily detect the spammer early on.
>
> Legitimate customers shouldn't mind being constrained to route all
> their mail via your smarthost. Nonetheless some ISPs might very well
> feel unable to implement this strategy for whatever reason.
I agree that control at the IP (well, TCP) level is very attractive and
have a strong dislike of keyword-based message rejection. [The 'value' of
an individual legitimate message can be very high to the recipient - and
this is the potential cost of a false positive match. By definition one
would not look at the messages which are discarded, so the system fails
silently. And if you do scan the discarded messages then the approach
loses much of its point, IMHO.]
A variant of the 'block outbound ports' approach would be to use port
forwarding as is sometimes done on port 80 to 'transparently' :-) force
customers/staff to use a web proxy/cache.
I don't think much would break if an ISP 'grabbed' all outbound port 25
packets and redirected them to its mail relay. [SMTP AUTH?] It would seem
to be less problematic than grabbing port 80, in fact.
This then has all the advantages of a centralised server (throttling,
accountability etc) without the disadvantages of dialup customer
reconfiguration and support calls when people dial into an ISP with their
work laptop which is still set to use the work SMTP relay.
If a suitable dial-up user 'control' methodology can be identified and
well-documented then all you need is a far-reaching educational campaign
for ISPs :-) [It would boil down to 'forward port 25 if you can, block it
otherwise'.]
The big ISPs can buy/will already have the necessary routers, the smaller
ones can just use a Linux box between their dialups and the outside world.
Anyone doing port 80 redirection will already have the necessary hardware,
software and expertise.
Would this work?
regards,
jb
--
John Berthels
Email: j.berthels@localhost
X.400: /G=john/S=berthels/O=nexor/P=nexor/A=cwmail/C=gb/
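The 'forward port 25 if you can, block it otherwise' rule from the message above, as an added example in today's iptables/netfilter syntax (this is not code from the original thread; the ipchains-era box the post has in mind would use different commands). The dialup pool 10.0.0.0/16, the relay address 192.0.2.25 and the ppp+ interface name are assumed placeholders, and the pass-through for the submission port 587 is a present-day addition that the 1998 message does not mention.

```shell
#!/bin/sh
# Added example (not from the original post): rule generator for the
# "forward port 25 if you can, block it otherwise" policy on a Linux box
# sitting between the dialup pool and the outside world. iptables/netfilter
# syntax is assumed. All addresses and interface names are placeholders.
DIALUP_POOL="${DIALUP_POOL:-10.0.0.0/16}"   # assumed customer address pool
SMARTHOST="${SMARTHOST:-192.0.2.25}"       # assumed ISP relay (TEST-NET-1 address)
DIALUP_IF="${DIALUP_IF:-ppp+}"             # assumed interfaces customers dial in on

# Rules common to both modes: let customers reach the smarthost on 25, leave
# the submission port (587, SMTP AUTH) alone so roaming users can still
# authenticate to their own provider, and reject everything else to port 25.
# Order matters: the ACCEPTs must precede the catch-all REJECT.
smtp_block_rules() {
cat <<EOF
iptables -A FORWARD -i $DIALUP_IF -s $DIALUP_POOL -p tcp --dport 25 -d $SMARTHOST -j ACCEPT
iptables -A FORWARD -i $DIALUP_IF -s $DIALUP_POOL -p tcp --dport 587 -j ACCEPT
iptables -A FORWARD -i $DIALUP_IF -s $DIALUP_POOL -p tcp --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# Forward mode: additionally DNAT every other port-25 connection from the
# pool to the smarthost before routing. After the rewrite the FORWARD chain
# sees the smarthost as destination and accepts it; the REJECT stays as a
# backstop. The relay still sees the customer's source address, so
# per-customer throttling and accountability are kept.
smtp_forward_rules() {
cat <<EOF
iptables -t nat -A PREROUTING -i $DIALUP_IF -s $DIALUP_POOL -p tcp --dport 25 ! -d $SMARTHOST -j DNAT --to-destination $SMARTHOST:25
EOF
smtp_block_rules
}

# smtp_rules MODE prints the iptables commands for MODE (forward|block).
smtp_rules() {
    case "$1" in
        forward) smtp_forward_rules ;;
        block)   smtp_block_rules ;;
        *) echo "usage: smtp_rules forward|block" >&2; return 2 ;;
    esac
}

# Usage: sh thisfile.sh forward   (review the output before piping it to sh)
case "${1:-}" in
    forward|block) smtp_rules "$1" ;;
esac
```

Two practical caveats that the message's bracketed "[SMTP AUTH?]" points at: the relay must be configured to accept mail from the dialup pool, and with transparent redirection a client that is set up to authenticate to its work server on port 25 will present its AUTH PLAIN/LOGIN credentials to the ISP relay instead, unless STARTTLS certificate verification fails first. Passing port 587 through untouched, and having the relay reject AUTH for accounts it does not know, limits that exposure.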