i think you'll find that port 25 is blocked going anywhere except
the operator's outgoing MTA
this is to require authentication to send email, exercise rate
limiting, and other anti-spam-sending strategies
if the ISP is going to be held responsible for the behavior of
their clients, then the ISPs are going to take some action to
police that behavior
note i'm not suggesting this is a good idea, just that it's what has
happened given the current reality
there is a huge disconnect here. one camp claims that mail sending
should not be allowed by just "anyone", since that ability is
instantly abused by Bad Guys. another camp claims that forcing email
through alien MTAs is a violation of the end-to-end principle,
privacy, assorted other good ideas.
both are right at some level
there *is* no notion of "strong identity" in the network world today
and i know of no serious attempt to create one, probably for good
this means that actions on the Internet are inherently anonymous, or
at least unaccountable because the only "identity" arises from a
contractual business relationship between a person and an access
provider. the access provider is therefore held to be a proxy for
the individual since he does (or at least should, at some level)
have a role in allowing that individual to take various actions.
one major source of the problem is the ease in which Internet access
is available. one can get a dial-up account quite readily and the
credentials required are trivial to acquired, especially for someone
determined to acquire them.
so if a Bad Guy acquires access, he can do a lot in the amount of
time required for the business feedback loop to deny access and
cancel the account. in the mean time, the Bad Guy has acquired
numerous other accounts and when one fails, he just starts using
a new one.
This is essentially a "disposable identity". The identity is the
binding inherent in the business relationship with an access provider,
and when it becomes worthless, it is discarded and a new one is used.
A consequence of the ease with which credentials can be acquired is
the ease with which new accounts, and hence new identities, can
To fix this at the "source", so to speak, it would require
making access *much* harder to get. simply matching credit cards,
etc, is insufficient (credit cards are easy to get), so this leads
to a world where some kind of background check would be required.
I don't think anyone wants to pursue that. (at least seriously)
So what's left?
As I said earlier, the alternative is to provide the ability to
intercede in network behavior fast enough to have any effectiveness.
This generally means preventing sending email without some form
of vetting. This usually means authentication and then some
additional behavioral control on top of it. Rate-based models seem
to be the least intrusive. They allow people doing "real people"
things to proceed with essentially zero interference while spam
senders are thwarted to some significant effect. If a client
has a real need to have the behavior limits altered, the provider
can enter into an addendum to the service agreement. this still
provides for a degree of behavior monitoring to police the impact
on the rest of the network.
I will end by noting that many people are in both of the camps
described above - they want a "throat to choke" proxy for individual
behavior, but they want unimpeded ability to send email themselves.
while I agree with the desire, it is self-contradictory.