
[spf-discuss] Re: Can this really be true?

2005-09-24 01:25:27
johnp wrote:

> Why should I bother with authenticating my users' SMTP log-in
> with anything other than POP-before-SMTP? That is similar to
> the ISP's log-in - a plain username/password combination.

With APOP it's better than USER + PASS.  POP-before-SMTP is
very clumsy in some situations, one story I heard:  User's PC
is always online and automatically checks POP (once per 15
minutes or similar).  At the same time the user is roaming
and wants to send mail from his laptop.  That can result in
collisions blocking the roaming user.

And POP-before-SMTP once used to be "this IP may send for some
time", but if it's a dyn. IP another user of the same ISP can
get and abuse it to spam (for "another user" read zombie):  It
is not necessarily straightforward to analyze this problem -
the abused IP wasn't "enabled" by the spammer, but by another
innocent user who used it before to access his POP mailbox.

If it's restricted to check IP and MAIL FROM (the famous 2476
"enforced submission rights") it's almost as "good" as ESMTPA
(SMTP AUTH), but otherwise it's clumsy.  And for roaming users
that's in fact only "not much worse".

> I might now have to relax that in order to keep some of my
> customers because opening the extra 2 windows to configure
> Outlook on one occasion is difficult for them

My stoneage MUA doesn't support SMTP AUTH at all... <shrug />

And so far I was too lazy to finish the 25-to-587 dummy relay
script.  But old software and lazy users are no new problem ;-)

> attitudes of most USA ISPs about SMTP appear to be a bit
> casual - I haven't checked other countries yet

Old software and lazy users are the same issue everywhere.

The POV of an ISP is different, they have RADIUS for their
resident users, and abuse desks to deal with zombies, or a
cheap excuse "block 25" (for criminal ISPs like SpamCast).

> USA generates more than 50% of the world's spam

IMO s/USA/SpamCast/ - black and white hats everywhere, BR,
China, Korea, <insert more usual suspects>

                           Bye, Frank
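
The dynamic-IP weakness of POP-before-SMTP discussed in the message above, as an added example that is not part of the original post: a toy relay table, first keyed on IP alone and then also bound to MAIL FROM. The class and function names, the 15-minute window and all addresses are constructed for illustration.

```python
class PopBeforeSmtp:
    """Toy POP-before-SMTP relay table (hypothetical, for illustration)."""

    def __init__(self, ttl=900, bind_sender=False):
        self.ttl = ttl                  # seconds an IP stays enabled after a POP login
        self.bind_sender = bind_sender  # also require MAIL FROM to match the POP user
        self.enabled = {}               # ip -> (mailbox address, expiry time)

    def pop_login(self, ip, mailbox, now):
        # A successful POP login (USER/PASS or APOP) enables relaying from this IP.
        self.enabled[ip] = (mailbox, now + self.ttl)

    def may_relay(self, ip, mail_from, now):
        entry = self.enabled.get(ip)
        if entry is None or now >= entry[1]:
            self.enabled.pop(ip, None)  # expired or never enabled
            return False
        if self.bind_sender:
            # Check IP and MAIL FROM together.
            return mail_from.lower() == entry[0].lower()
        return True                     # "this IP may send for some time"


def dynamic_ip_reuse(bind_sender):
    """Replay the scenario: a user checks POP, then the IP is reassigned."""
    relay = PopBeforeSmtp(ttl=900, bind_sender=bind_sender)
    ip = "192.0.2.17"                   # constructed dynamic address
    relay.pop_login(ip, "alice@example.org", now=0)
    return {
        "owner": relay.may_relay(ip, "alice@example.org", now=60),
        # Five minutes later the ISP has handed the same IP to another
        # machine that never logged in to POP but is inside the window.
        "other_host": relay.may_relay(ip, "someone@example.net", now=300),
        "after_ttl": relay.may_relay(ip, "alice@example.org", now=901),
    }


if __name__ == "__main__":
    print("IP only:        ", dynamic_ip_reuse(bind_sender=False))
    print("IP + MAIL FROM: ", dynamic_ip_reuse(bind_sender=True))
```

Binding to MAIL FROM only rejects the second host while it uses a different sender address; SMTP AUTH ties each submission to credentials instead of to whoever currently holds the IP.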

