On Tue, 27 May 2003, John C Klensin wrote:
Scott,
Good try, but no cigar. This would be entirely reasonable if
open relays were the only way to accomplish what you are after.
They are the only way to accomplish some things, like offering RFC 821
SMTP service to customers outside our your address space.
But, if open relays were used this way, the spam flow through
those open relays is such that "aol/roadrunner/etc" would start
blocking the IP addresses of those relays. Back to square one,
with no gain.
Type 1 spammers don't abuse open relays. In my experience, Type 3 abusers
(anti-spammers in some cases), do this. For example, about a year ago, I
got into an argument with two radical antispammers. Suddenly, 2400 hundred
different IP addresses started trying to abuse our relays. This continued
for about 10 days, and then abated. Fortunately, our relay monitoring
software blocked this, but it still involved sorting through (no
exaggeration) millions of messages. After that, (and still continuing
aperiodically), someone began trying to send viruses through a relay
address advertised by a European open relay blacklist, forging my address.
Coincidence? I don't think so. Not given other more overt threats and
abuse by antispammers, such as Chris Neill and others.
Instead, there are at least two options available for that host
on a "residential" network (both in heavy use today):
(i) The host uses a relay supplied by its ISP, one that
is not blocked by "aol/roadrunner/etc". This is more or
less satisfactory depending on what additional
restrictions the ISP imposes on that relay, but the
typical restrictions (much as I think they are
unreasonable) have very little impact on the typical
residential user who corresponds actively with
"aol/roadrunner/etc users".
(ii) The host uses a relay with which its owners have
established some sort of business relationship and which
relay is in a position to authenticate the host (via SSL
certificates, SMTP AUTH, or some combination of a tunnel
and authentication).
(ii) isn't an option.
Here's a short answer:
1) This is not a standard. It is optional, even if eventually
standardized.
2) There are only about 15 mail clients that support it.
3) It doesn't scale for non-dialup ISPs.
4) Time Warner called it "unsuitable for business".
5) It doesn't reduce spam. Spammers are not outsiders. It fails to
violate Shannon's theorem.
6) About a thousand other mail clients don't support it, and have no plans
to.
I was a big fan of open relays a decade ago, but am no longer
convinced that they are the required solution to any problem we
need to solve.
There were no "open relays" a decade ago. There were "anonymous relays"
back then. This "anonymous relay" problem had nothing to do with SMTP, but
was a problem with reverse DNS, and lack of a numeric IP address in the
Received: header. This problem was fixed around 1993. It is not
possible to send anonymous email through an open relay. (You still hear
this from radical antispammers, though.)
And, no, I don't believe that either of the measures above will
significantly reduce the volume of spam.
Then why bother at all?
--Dean