ietf-asrg

RE: [Asrg] article: port 25 blocking

2005-04-12 19:41:57
At 5:01 PM -0700 4/12/05, George Ou wrote pointlessly to both me and the list with broken quoting:
> -----Original Message-----
> From: asrg-bounces(_at_)ietf(_dot_)org 
> [mailto:asrg-bounces(_at_)ietf(_dot_)org] On Behalf Of Bill
> Cole
> Sent: Tuesday, April 12, 2005 3:26 PM
> To: asrg(_at_)ietf(_dot_)org
> Subject: RE: [Asrg] article: port 25 blocking
>
>
> Have you looked at how port 25 blocking is actually being done by even the
> minimally competent ISP's? SBC is an example of one such. 8 months ago they
> had a press release and sent mail to all customers about the coming rollout
> of port 25 blocking. With that they included a way to preemptively request
> exemption and they made clear that customers with static address accounts
> would be excluded by default.
> To my profound shock, SBC has actually managed to execute that rollout with
> reasonable speed and accuracy. There may well be some ISP's who are
> implementing port 25 blocking without exempting users with static IP
> assignments, but I believe they would be the minority.
> SBC's willingness to provide exceptions for anyone who asks may be unusual,
> but it is not unique.


> You're always free to implement port 25 blocking on your side for inbound
> traffic which effectively achieves the same thing for your network.

No, I cannot, because I cannot tell which addresses on some other network are dynamically assigned and which are statically assigned and which are dynamically assigned to people who have received permission from the owners of the address space (i.e. their ISP) to use any dynamic address assigned to them for an unknown period for SMTP. It is not possible for me to set that up. The owner of the address space can.

> You
> just need to implement a large ACL yourself that might be synchronized with
> a large shared database somewhere on the net.  Why do you want everyone else
> to implement outbound port 25 blocks for you?

I don't. I want ISP's to act responsibly. I expect any network owner to assure that no abusive traffic comes out of their network. Failing to do that is not acceptable, no matter what the business model of the network owner says.

If an ISP would rather sell second-class service to customers who can't be bothered with securing their own machines than assure that they only allow responsible customers to remain customers for any length of time, that is their choice. Most consumer-focused ISP's have chosen irrevocably to sell to careless customers, so they have to find ways to either cut off the bozos fast or to wall them in so that they are less of a nuisance. I'd much prefer the swift and sure cutoff, but few ISP's like that option.

> Bottom line is, you'll have the same problem convincing people to block
> outbound 25 as you will convincing them to implement SPF.

ISP's have been implementing port 25 blocking in gradual and constantly growing numbers for 6 years. SPF implementation in any way that can reduce acceptance of primary spam is at a dead halt, if not retreating, because it does harm to early adopters on both ends. I wish that were not so, but I have been massively outvoted by people who like traditional forwarding and do not see it as a harmful relic of a lost time.

On the other side, port 25 blocking is a net benefit to the implementing ISP immediately, which is why it has been spreading steadily since the days of throwaway dialup accounts as the preferred spam route. It is implemented unilaterally by the party that benefits from it, in contrast to SPF which cannot be correctly implemented in any way that actually cuts into spam without bilateral participation of domain owners and receiving sites to publish '-all' records and to actually enforce them. Until such time as both are widely done, traditional forwarding and other practices that break SPF will remain common and anyone trying to enforce hard-line SPF on either end will get breakage.

> SPF just happens
> to be a better solution in my opinion.

SPF addresses a very different problem set from port 25 blocking. It is a mystery to me why you persist in presenting SPF as an alternative to port 25 blocking. The only alternative to port 25 blocking (or equivalently tight restrictions on user behavior) is serious policing of customer security such that compromised machines are not provided access to the network. That would be an expensive means for ISP's to assure that their networks do not emit spam and also don't have a bunch of zombies on them. Port 25 blocking only stops the spam and limits one sort of value the zombies have to their controllers.


--
Bill Cole
bill(_at_)scconsult(_dot_)com


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
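The ISP-side policy the message describes (block outbound TCP/25 from dynamically assigned space, exclude static-address customers by default, honour pre-emptively requested exemptions, and keep the ISP's own relay reachable) modelled as an added example. This is not code from the ASRG list, from SBC or from any ISP; the pool layout, the exemption list, the relay address and every sample flow are constructed from RFC 5737 documentation ranges, and the nftables rendering is one possible translation of the same rules, to be reviewed before it is loaded anywhere. The two dynamic sample addresses sit in the same /24 and receive opposite verdicts, which is the point made above about receivers: only the owner of the address space holds the assignment and exemption data that decides the verdict.

```python
# Added example: an ISP-side outbound port 25 policy. All addresses are
# constructed (RFC 5737 ranges); the pool layout and relay are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


def _in_any(addr: IPAddr, nets: Iterable[IPNet]) -> bool:
    return any(addr in net for net in nets)


@dataclass
class Port25Policy:
    """Outbound TCP/25 policy as seen by the ISP that owns the address space."""
    dynamic_pools: List[IPNet]                            # blocked by default
    static_pools: List[IPNet]                             # excluded by default
    exemptions: Set[IPNet] = field(default_factory=set)   # dynamic customers who asked out
    smarthost: IPAddr = IPAddr("192.0.2.25")              # assumed ISP relay, always reachable

    def verdict(self, src: str, dst: str, dport: int) -> str:
        """'accept' or 'drop' for one outbound TCP flow; first matching rule wins."""
        s, d = IPAddr(src), IPAddr(dst)
        if dport != 25:
            return "accept"      # only direct SMTP to arbitrary hosts is policed
        if d == self.smarthost:
            return "accept"      # customers must still reach the ISP's relay
        if _in_any(s, self.exemptions) or _in_any(s, self.static_pools):
            return "accept"      # requested exemption, or static assignment
        if _in_any(s, self.dynamic_pools):
            return "drop"        # dynamic assignment without exemption
        return "accept"          # not this ISP's address space; out of scope

    def to_nftables(self) -> str:
        """Render the same rules as an nftables ruleset (forward hook, inet table)."""
        def nft_set(name: str, nets: Iterable[IPNet]) -> str:
            elems = sorted(str(n) for n in nets)
            body = "type ipv4_addr; flags interval;"
            if elems:
                body += " elements = { %s }" % ", ".join(elems)
            return "  set %s { %s }" % (name, body)

        return "\n".join([
            "table inet isp_egress {",
            nft_set("smtp_exempt", list(self.exemptions) + list(self.static_pools)),
            nft_set("dynamic_pool", self.dynamic_pools),
            "  chain forward {",
            "    type filter hook forward priority 0; policy accept;",
            "    ip daddr %s tcp dport 25 accept" % self.smarthost,
            "    ip saddr @smtp_exempt tcp dport 25 accept",
            "    ip saddr @dynamic_pool tcp dport 25 counter drop",
            "  }",
            "}",
        ])


# Constructed layout: one dynamic /24, one static /24, one exempted dynamic host.
POLICY = Port25Policy(
    dynamic_pools=[IPNet("198.51.100.0/24")],
    static_pools=[IPNet("203.0.113.0/24")],
    exemptions={IPNet("198.51.100.77/32")},
)

# Constructed flows: (src, dst, dport, note).
SAMPLE_FLOWS: List[Tuple[str, str, int, str]] = [
    ("198.51.100.10", "192.0.2.200", 25, "dynamic customer, direct to a remote MX"),
    ("198.51.100.77", "192.0.2.200", 25, "neighbouring dynamic customer with an exemption"),
    ("203.0.113.5", "192.0.2.200", 25, "static-address customer"),
    ("198.51.100.10", "192.0.2.25", 25, "dynamic customer to the ISP smarthost"),
    ("198.51.100.10", "192.0.2.200", 587, "submission port is not policed"),
]


def evaluate_samples(policy: Port25Policy = POLICY) -> List[str]:
    """Verdict for each sample flow, in SAMPLE_FLOWS order."""
    return [policy.verdict(src, dst, dport) for src, dst, dport, _ in SAMPLE_FLOWS]


if __name__ == "__main__":
    for (src, dst, dport, note), v in zip(SAMPLE_FLOWS, evaluate_samples()):
        print(f"{v:6} {src} -> {dst}:{dport}  ({note})")
    print(POLICY.to_nftables())
```

Running the script prints one verdict per sample flow (the first is the only drop) followed by the rendered ruleset. Rule order in the rendered chain matters: the relay and exemption accepts must precede the dynamic-pool drop, exactly as in verdict().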

