At 5:01 PM -0700 4/12/05, George Ou wrote pointlessly to both me and
the list with broken quoting:
> -----Original Message-----
> From: asrg-bounces(_at_)ietf(_dot_)org
> [mailto:asrg-bounces(_at_)ietf(_dot_)org] On Behalf Of Bill Cole
> Sent: Tuesday, April 12, 2005 3:26 PM
> To: asrg(_at_)ietf(_dot_)org
> Subject: RE: [Asrg] article: port 25 blocking
>
> Have you looked at how port 25 blocking is actually being done by even the
> minimally competent ISP's? SBC is an example of one such. 8 months ago they
> had a press release and sent mail to all customers about the coming rollout
> of port 25 blocking. With that they included a way to preemptively request
> exemption and they made clear that customers with static address accounts
> would be excluded by default.
>
> To my profound shock, SBC has actually managed to execute that rollout with
> reasonable speed and accuracy. There may well be some ISP's who are
> implementing port 25 blocking without exempting users with static IP
> assignments, but I believe they would be the minority.
>
> SBC's willingness to provide exceptions for anyone who asks may be unusual,
> but it is not unique.
>
> You're always free to implement port 25 blocking on your side for inbound
> traffic which effectively achieves the same thing for your network.
No, I cannot, because I cannot tell which addresses on some other
network are dynamically assigned and which are statically assigned
and which are dynamically assigned to people who have received
permission from the owners of the address space (i.e. their ISP) to
use any dynamic address assigned to them for an unknown period for
SMTP. It is not possible for me to set that up. The owner of the
address space can.
> You just need to implement a large ACL yourself that might be synchronized
> with a large shared database somewhere on the net. Why do you want everyone
> else to implement outbound port 25 blocks for you?
I don't. I want ISP's to act responsibly. I expect any network owner
to assure that no abusive traffic comes out of their network. Failing
to do that is not acceptable, no matter what the business model of
the network owner says.
If an ISP would rather sell second-class service to customers who
can't be bothered with securing their own machines than assure that
they only allow responsible customers to remain customers for any
length of time, that is their choice. Most consumer-focused ISP's
have chosen irrevocably to sell to careless customers, so they have
to find ways to either cut off the bozos fast or to wall them in so
that they are less of a nuisance. I'd much prefer the swift and sure
cutoff, but few ISP's like that option.
> Bottom line is, you'll have the same problem convincing people to block
> outbound 25 as you will convincing them to implement SPF.
ISP's have been implementing port 25 blocking in gradual and
constantly growing numbers for 6 years. SPF implementation in any way
that can reduce acceptance of primary spam is at a dead halt, if not
retreating, because it does harm to early adopters on both ends. I
wish that were not so, but I have been massively outvoted by people
who like traditional forwarding and do not see it as a harmful relic
of a lost time.
On the other side, port 25 blocking is a net benefit to the
implementing ISP immediately, which is why it has been spreading
steadily since the days of throwaway dialup accounts as the preferred
spam route. It is implemented unilaterally by the party that benefits
from it, in contrast to SPF which cannot be correctly implemented in
any way that actually cuts into spam without bilateral participation
of domain owners and receiving sites to publish '-all' records and to
actually enforce them. Until such time as both are widely done,
traditional forwarding and other practices that break SPF will remain
common and anyone trying to enforce hard-line SPF on either end will
get breakage.
> SPF just happens to be a better solution in my opinion.
SPF addresses a very different problem set from port 25 blocking. It
is a mystery to me why you persist in presenting SPF as an
alternative to port 25 blocking. The only alternative to port 25
blocking (or equivalently tight restrictions on user behavior) is
serious policing of customer security such that compromised machines
are not provided access to the network. That would be an expensive
means for ISP's to assure that their networks do not emit spam and
also don't have a bunch of zombies on them. Port 25 blocking only
stops the spam and limits one sort of value the zombies have to their
controllers.
--
Bill Cole
bill(_at_)scconsult(_dot_)com
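The message above argues that SPF only cuts into spam when domain owners publish '-all' records and receivers enforce them, and that traditional forwarding then breaks. The following is an added illustration, not code from Bill Cole, George Ou or the ASRG list: a minimal SPF check for the ip4/ip6/all mechanisms (no DNS lookups, so a/mx/include are deliberately unsupported), run over a constructed domain record and constructed TEST-NET addresses. It shows the same message passing when sent directly, failing when relayed by a forwarder whose address is not in the record, and how the receiver's enforcement policy turns that into a rejection only under a hard '-all'. The domain, record text and addresses are all assumptions made up for the example.

```python
import ipaddress

# Result for each qualifier prefix, per the SPF specification.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a 'v=spf1 ...' TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for token in parts[1:]:
        qualifier = "+"                      # default qualifier is '+'
        if token[0] in QUALIFIER_RESULT:
            qualifier, token = token[0], token[1:]
        mechanism, _, argument = token.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_host(record, sender_ip):
    """Evaluate the connecting client's IP against the record's ip4/ip6/all terms.

    Mechanisms that need DNS (a, mx, include, exists, ptr) are intentionally
    rejected; this evaluator is offline and exists only to show qualifier behaviour.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            raise ValueError(f"mechanism '{mechanism}' needs DNS; not supported here")
    return "neutral"                         # no term matched, no 'all' present


def receiver_decision(result, enforce_hard_fail=True):
    """What a receiving MTA does with the SPF result.

    Only a hard 'fail' under an enforcing receiver produces a rejection; a
    softfail or a non-enforcing receiver merely records the result.
    """
    if result == "fail" and enforce_hard_fail:
        return "reject"
    return "accept"


def forwarding_scenario(record, origin_ip, forwarder_ip, enforce_hard_fail=True):
    """Compare direct delivery with delivery through a traditional forwarder.

    A forwarder re-sends the message with the original envelope sender, so the
    receiver sees the forwarder's IP, which the domain's record does not list.
    """
    direct = check_host(record, origin_ip)
    forwarded = check_host(record, forwarder_ip)
    return {
        "direct": (direct, receiver_decision(direct, enforce_hard_fail)),
        "forwarded": (forwarded, receiver_decision(forwarded, enforce_hard_fail)),
    }


if __name__ == "__main__":
    # Constructed example values (RFC 5737 / RFC 3849 documentation ranges).
    HARD_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
    SOFT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"
    ORIGIN = "192.0.2.10"        # the domain's own outbound MTA
    FORWARDER = "198.51.100.5"   # a third-party forwarding host

    for label, record in (("hard -all", HARD_RECORD), ("soft ~all", SOFT_RECORD)):
        outcome = forwarding_scenario(record, ORIGIN, FORWARDER)
        print(f"{label}: direct={outcome['direct']} forwarded={outcome['forwarded']}")
```

Running the block prints the hard-fail record rejecting the forwarded copy while the soft-fail record lets both through; switching `enforce_hard_fail` to `False` on the receiving side has the same effect as the softer record. That is the bilateral dependency the message describes: neither a '-all' record alone nor receiver enforcement alone changes anything, and together they break every path through a forwarder the domain owner has not listed.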
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg