
RE: [Asrg] article: port 25 blocking

2005-04-12 11:12:46
-----Original Message-----
From: asrg-bounces(_at_)ietf(_dot_)org [mailto:asrg-bounces(_at_)ietf(_dot_)org] On Behalf Of James Lick
Sent: Tuesday, April 12, 2005 8:00 AM
To: asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] article: port 25 blocking

Port 25 blocking is also a least privileges model.  Consumer ISPs block all
outgoing port 25, then punch a few holes in the firewall for their own mail
servers and the few customers that request an exemption.  
Sounds quite manageable to me.

How can it be "least privileges" unless you micromanage IP ACLs?  All it
takes is a few ISPs to not participate and you have leakage.  There are also
lots of non-consumer IP blocks out there too.  Permitting only SPF compliant
servers has virtually no leakage.

It's a chicken and egg problem that I don't think any ISP in their right
mind would go along with.

At some point, we're going to have to bite the bullet and adopt some sort of
domain level authentication.  Email is a server problem that is best handled
at the DNS and SMTP servers.  Don't try to push this off to the network
administrators and router ACLs.

Your blog says that port 25 blocking is controversial with users.  I submit
that it is controversial to a minuscule number of users.  On the other hand,
requiring an SPF pass on all incoming email right now would cause huge
amounts of legitimate mail to be blocked.  How controversial do you think
that will be?  Already we have a number of respected anti-spammers who are
quite opposed to SPF because hard fails are occasionally false positives.
You're gonna have people bouncing off the walls if you reject soft fail and
unknown status and only allow SPF pass messages.

SPF enforcement would work if the top 50 ISPs implemented it in unison.
They don't need to implement a hard fail at first, maybe a 48 delay and slap
a "non-SPF" warning on every subject header.  Then start jacking it up to 4
days, 8 days, and then hard fail.  Is this easy?  No.  But we need to stop
beating around the bush and start dealing with the real problem.


George


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg