Why can't DNS servers perform spam or mal-ware blocking/filtering?

Jeffrey F. Bloss

Virus said:
Anyone that is operating a server (HTTP, NNTP, SMTP, etc) for business

[...]

We're not discussing someone who might be running a server here, we're
talking about the innocent "average user" whose machine is compromised and
made to act as a *clandestine* server. Sanctioning these people, be they
individuals or businesses, is akin to jailing the victim of a burglar
because their locks weren't strong enough.

Judicious host blocking of repetitive or negligent offenders may be
acceptable, but your proposition seems to suggest otherwise. You even go
beyond a cause/effect scenario to include blocking of those who have
committed no more serious a crime than registering a new domain. I can't
help but attach the label "absurd" to this idea. No personal attack
intended mind you, and if I misperceive your position please clarify.
or recreation, and whose domain has not been identified as one that
historically hosts or support spam/UCE/phishing/fraud/identity theft,
will never get their domain included in a blocking list (such as a
hosts file, or Adaware, or Spybot, etc) if their servers get

On the contrary, I distinctly remember earlier this year (Feb/Mar?) when
Spybot's host blocking caused its users to be unable to access the
"Survivor Series" web site due to a mishandling of some well known tracking
cookies. The details escape me at the moment, and I'm too lazy to
but it was a shining example of overly aggressive host said:
The idea of applying the same blocking on a DNS server applies
similarly.

Exactly. And it amplifies any negative side effect of that blocking
considerably.
It would not be effective or logical [you call it
"victimizing them"] to apply such blocking to someone's domain if
their machines were victimized by mal-ware. [But read this: Blocking
their domain WHILE THEY ARE INFECTED is actually a good thing.

It's not a good thing at all. Blocking an entire domain because one or even
a handful of users' machines might be compromised is quite literally
punishing an entire *neighborhood* because one or two residents have been
victimized by a burglar.
It
would prevent the distribution of secondary payloads if their machines
were unwittingly hosting them, and more than likely their site would
crash because of the unwanted traffic being directed to them].

OK, you lost me here. What is it about blocking a domain that might cause
some server to "crash"?
There have been (few? many?) server farms that have been compromised
over the past year or two. They are usually cleaned up within 24
hours. None of those domains (I'm sure) have ever made it into
Spybot's or AdAware's blocking or immunization data base.

CBS might disagree with you.

Ummm... Survivor was a CBS thingy, right? ;)
I would
expect the same to happen in a DNS-based domain blocking strategy. I
don't know why you can't understand that.

I disagree with it because I have some experience running DNS servers, and
know from that experience why your proposal is unworkable in the real
world. It's simply not possible to remove entire sections of the net from
the vision of large groups of users without creating problems. Typically,
far more problems than you solve.
If I run a small business, I might want to point my machines to a DNS
server (operated by myself, or a third party, maybe for free, maybe on
a subscription basis) that blocks all new domains until they are 2
months old (in addition to blocking known-bad domains).

As an option I might agree, but I fail to see any significant benefit from
blocking the hundreds or thousands of new domains that spring up every day
to prevent bad traffic from the 10 or so that are abusers. And yes, I just
pulled those numbers out of my ass. ;) But I think it's safe to say that
the ratio between "good" registrations and "bad" ones is tipped
considerably in favor of the good. The ROI just doesn't seem to be there.
YMMV. I suppose at this point it's a matter of preference, as long as it's
*left* as a preference.
If I'm a big ISP, I might get lots of support calls if I block
newly-registered domains for 2 months. But not necessarily 2 days or
2 weeks. Or maybe I won't block domains based on
date-of-registration, but still block known-bad domains.

You've just run the gamut from "insane" to "of course" in three
sentences. :) Blocking new registrations simply because they're new is
silly at face value. Mind numbingly absurd if done for months at a time.
OTOH, blocking domains with no redeeming values (they do exist) should be
SOP in my opinion.
You do
realize that any customer of the ISP can still point their computer to
any DNS on the internet they want to (that will allow connections from
them that is).

Of course I do. Most laypersons do not, however, which is why implementing a
blocking DNS server as the default is a bad thing.
Item (1) above is presupposition. Item (2) is not.

Yes, and it's (1) that's the glaring problem.
You've got to be kidding. Domain registrars have no public profile or
exposure.

You're suggesting "Godaddy" has the same market share and clientele as
other, more "professional" registrars? ;)
Look at someone like Go Daddy. They take money from all sorts of
bad-guys that register domains for the sole purpose of being used for
phishing scams or spam campaigns. I would love to be able to block

They have no way of knowing the intent of a customer before the fact, but
I'll agree that they do seem to be victimized more than other registrars.
Possibly because of their price list...??

That's another interesting point. The possibility that a DNS based blocking
scheme might become prejudicial against "low end" providers who commit no
crime beyond offering discount services to people who can't afford the
"real McCoy". A potential for financial class based disparity if you ask
me.
domains based on the registrar, but I can't see any way to execute a
mechanism that does that. If you could, THEN registrars would have an
interest to take business only from "clean" customers.

How do you propose they make that determination? Crystal balls?
By blocking out-bound port-25 packets, you prevent users from setting
their out-going SMTP server to point to a machine outside the ISP's
network.

I think you're missing the point here. You can't block "outgoing port 25" as
you suggest because SMTP doesn't reside on port 25 alone. You have to block
outgoing packets with an arbitrary source port, and a *destination* port of
25. This is an important point because it negates the possibility that you
can reliably distinguish between a client, and a server. Or any other
software that might use destination port 25 for that matter.

Blocking connections destined for port 25 outside your "network" might
theoretically prevent some spam traffic (issues of tunneling and such left
for other discussions), but it would *also* break a considerable amount of
legitimate traffic. Some scenarios might include...

An employee working from home, needing to use the company's business server
to answer corporate emails.

Any user who might purchase a domain and host it remotely, who wants to
utilize the email accounts that come with that service.

I'm sure that given a little time we could come up with a few more. ;)
You can still set the in-coming SMTP server to point to any
(external) machine anywhere on the internet, and you set your

There's no such thing as an "incoming SMTP server". Incoming mail is POP3,
on a completely different port.
out-going server to that of your ISP's server. You can send all the
e-mail you want, and it will appear to recipients as if it came from
the external server.

You still haven't explained why such a configuration wouldn't work in
your case. (you may not like to use your ISP's SMTP server to relay

My ISP does not provide the level of control and features the outside server
provides, and accessing that server by a "proxy" through my ISP completely
negates some of those features.
your out-going e-mail, but you haven't explained technically why it
wouldn't work in your case).

And by the way, your ISP could easily block your ability to operate an
SMTP server if it violates the terms of your contract (and yes, you

Technically I'm not running a server. I'm running server software as a
client, and accessing third party servers directly. By virtue of my chosen
software this is the way it has to be done, however there are softwares for
other platforms that are "true" clients, and accomplish the same thing.
That's the essential problem with your proposal, there's no way to tell the
difference.
The internet at large has paid a heavy price (in terms of spam, in
terms of trojanized machines that send/relay spam) by not blocking
out-bound port-25 packets from dynamic or residential IP space. The

The fact that a price has been exacted can't be denied, but shooting your
dog in the leg because it has fleas just doesn't seem like a viable option
to me. There's *nothing* about the internet that can't be exploited in some
way. It's the nature of the beast. Crippling it in vain attempts to deny
the obvious is ultimately unproductive.
Of course it would.

Not a snowball's chance my friend. Viruses and other malware *already* use
tunneling techniques to circumvent firewalls. Bypassing a block on outbound
connections targeted at port 25 would be as trivial as changing a couple
lines of code to place that traffic on port 80 for instance. Ports aren't
"locked" into any specific usage, the blocks would be easily detected, and
compromised machines outside the perimeter of the block could easily be
used as open relays. The whole thing is honestly quite trivial to set up.
Yes it is. There are ways for you to operate your own server - ways
that probably involve paying an extra $10 a month for a business or
commercial connection. You and your 10 buddies are getting a free
ride at the expense of having a (residential) network infrastructure
that allows spam from infected machines.

Total rubbish. Me and my "buddies" are doing nothing more than using our
connections to enjoy the added features of a third party email provider, no
different than any other person who might sign up for an account at HotPop,
VFEmail, MailShack, any domain hosting service on the planet, or any one of
the other tens of thousands of providers/scenarios which might include some
sort of third party transport of outgoing mail.

I'm sorry, but you're just *way* over the top here. Honestly.

--
Hand crafted on October 13, 2005 at 13:28:32 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx
 
me

Just out of curiosity, why would you consider
challenge/response methods, like the ones implemented by
almost every mailing list in existence to thwart the
subscription of a third party, "insane"? They might be a
little "cumbersome" for the average user, but their purpose
is to *promote* some level of sanity. ;)

Or were you implying that setting challenge/response as a
default for any new account would be crazy??

Do a little digging. Some C/R's, e.g., do not understand mailing
lists.

OTOH, it's possible that our definitions of C/R differ (I don't
know if there is a C/R "standard").

J
 
Jack

Jeffrey said:
Virus said:
Anyone that is operating a server (HTTP, NNTP, SMTP, etc) for
business

[...]

We're not discussing someone who might be running a server here,
we're talking about the innocent "average user" whose machine is
compromised and made to act as a *clandestine* server. Sanctioning
these people, be they individuals or businesses, is akin to jailing
the victim of a burglar because their locks weren't strong enough.

Look, Mr. Bloss, you don't seem to get it. If Mr and Mrs Average User
are not competent to operate a motor vehicle on the highway, but they do
it anyway, they get locked up. Nobody calls them an "innocent victim".

You *don't* get locked up for operating a server on the internet while
incompetent; the worst that will happen to you is that you won't get to
send mail direct-to-MX. So ****ing what? Mr and Mrs Average User don't
even know what direct-to-MX means, and nor do they want to.
Judicious host blocking of repetitive or negligent offenders may be
acceptable, but your proposition seems to suggest otherwise.

Are you a spam apologist? Repetitive and negligent users of
internet-connected computers should be made to take an internet driving
test, and should be disconnected until they can show a minimum level of
competence. At the very least, they should be prevented from accessing
widely-abused ports such as port 25.

Actually, "repetitive" abuse should never occur, because the ISP
"should" be coming down on their heads like a ton of bricks, on the
first offence.

Someone who operates a computer that is running abusive software on a
computer for which they are responsible is an internet abuser. If they
don't know what software they are running, then they should be
firewalled, the same as children get put in playpens. It's for their own
protection, as well as everyone else's.

Since ISPs don't do this to the majority of the children they sign up as
customers, the rest of the internet has no choice but to take what
measures they can against the devastating effects of children who have
got behind the wheel. That's not making the children into victims; it's
a matter of avoiding becoming a victim yourself.

People who own computers that are emitting spam are not "victims". They
are either spammers or incompetents.
 
Leythos

We're not discussing someone who might be running a server here, we're
talking about the innocent "average user" whose machine is compromised and
made to act as a *clandestine* server. Sanctioning these people, be they
individuals or businesses, is akin to jailing the victim of a burglar
because their locks weren't strong enough.

If you use a RBL, most people also use the RBL's that include the
Dynamic IP ranges of most ISP's - I know it's made a BIG difference in
the amount of spam that we get.

I don't see any reason for Residential users to offer services, that
being said, there is business service that can be used by those types
and those IP ranges are excluded from RBL's unless they spam.

I would love to see DNS lists that black-hole traffic like 135~139, 445,
and SMTP from Dynamic IP ranges, but since we create AUTO-BLOCK for
probes from 445 and 1026, and we use RBL's for SMTP, and we block most
non-US based countries IP ranges, we don't have much need for the DNS
block list mentioned.

If ISP's would just block 135~139, 445 and 25 outbound from dynamic IP
ranges, the Net would be a lot nicer place.
 
Tim Smith

Just out of curiosity, why would you consider challenge/response methods,
like the ones implemented by almost every mailing list in existence to
thwart the subscription of a third party, "insane"? They might be a little
"cumbersome" for the average user, but their purpose is to *promote* some
level of sanity. ;)

They generate a huge amount of junk mail to third parties. Spammers often
use forged return addresses. If your address happens to be one that
spammers pick, you end up getting a deluge of challenges.

This has led to two responses.

1. Some people put in filters that recognize challenges and drop them. This
means people who use a C/R system will never see mail from these people.

2. Some people put in filters that recognize challenges and reply to them.
The person using the C/R system then gets the spam.

If everyone were to adopt SPF, and C/R systems were to drop mail from forged
senders instead of sending a challenge, then *maybe* C/R would be a good
idea, but until that happens, it is not.
 
Jeffrey F. Bloss

Jack said:
Look, Mr. Bloss, you don't seem to get it. If Mr and Mrs Average User
are not competent to operate a motor vehicle on the highway, but they do
it anyway, they get locked up. Nobody calls them an "innocent victim".

Irrelevant straw man. It's not a matter of an operator being penalized
because of their competency level or something they've done. It's a matter
of an operator being penalized because their car's locks are insufficient
to keep car thieves from stealing it.

But thanks for your input anyway.

--
Hand crafted on October 13, 2005 at 14:53:17 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx
 
Jeffrey F. Bloss

Do a little digging. Some C/R's, e.g., do not understand mailing
lists.

Sorry man, you lost me here. Probably my fault.
OTOH, it's possible that our definitions of C/R differ (I don't
know if there is a C/R "standard").

I was more or less thinking in generic terms, where email sent to an address
is replied to automatically with some sort of "reply to this email with a
subject of WHATEVER" to complete your subscription... or more specifically,
to begin having your email relayed to its final destination. The challenge
could be almost anything.

Most mailing lists implement some variation of this so that a third party
can't subscribe someone to a bunch of lists. But I'm sure you already know
that. :)

--
Hand crafted on October 13, 2005 at 15:58:17 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx
 
Mike Easter

Jeffrey said:
What plausible reason is there to prohibit someone from using an
outside email provider? Aside from draconian control or sheer anal
retentiveness I can't think of one. Truth be known, users are FAR
more likely to have a safe and happy emailing experience with most
third party providers than they are with their ISP's standard
service. Dedicated email providers typically offer much better spam
and virus filtering for example. How many ISP's offer
challenge/response systems for instance. Or white listing?

Agreeing with your main theme; disagreeing with one of your 'such as'
remarks.

Altho' I completely agree with your theme of allowing port 25 and my
ability to use other email providers besides my own connectivity
provider; I completely disagree with your characterization of the
availability of challenge/response toward spam as something which
represents a good kind of spam control.

Just for the record, my own provider EL, claims to be doing selective
port 25 blocking, but in reality EL is doing absolutely nothing about
its thousands of proxified mindspring user IPs which are both spewing
spam and which are listed in blocklists all over the place demonstrating
them to be both spamsources in such as spamcop and proxy trojans in such
as cbl and njabl and also putting out huge amounts of mail/spam in
senderbase's databases.

And, my own provider is 'guilty of' providing an option to perform
challenge/response in its 'high' spamblocking configuration which would
challenge those items which are not whitelisted but not recognized as
spam by its leaky spamfilter. Challenges are a very abusive thing to be
doing to the forged Froms which universally are found on spam and virus
propagations, and those challenge mails coming from EL servers are
reportable as abusive mail and those challenges can cause my provider
EL's servers to get themselves blocklisted, which endangers the delivery
of my own mail.

Things that endanger my own mail delivery from my provider are another
argument in favor of your main theme, which is in favor of port 25
accessibility.

So, EL fits into 3 different arguments here. EL should be selectively
blocking the port 25 of thousands of its proxified trojan spamsourcing
user IPs. EL is not blocking port 25 'universally' - which is good. EL
provides an option for its users to challenge spam, which is bad. EL
provides options for its users to configure the spam blocker to be off
and also an option for not challenging the suspect mail, but managing
that mail in a non-challenging way.
 
Jeffrey F. Bloss

Tim said:
They generate a huge amount of junk mail to third parties. Spammers often
use forged return addresses. If your address happens to be one that
spammers pick, you end up getting a deluge of challenges.

ACK. But it's a matter of which is worse... a single challenge sent for each
spam, or the potential that a list that doesn't challenge can be used to
flood a user's mailbox with all the posts from that list until the user can
unsubscribe.

Two different types of attacks of course, from two completely different
sources most likely. But the numbers work out in favor of the C/R scenario
as far as I'm concerned.
This has led to two responses.

1. Some people put in filters that recognize challenges and drop them.
This means people who use a C/R system will never see mail from these
people.

2. Some people put in filters that recognize challenges and reply to them.
The person using the C/R system then gets the spam.

I disagree with this on principle. Another case of punishing the victim as
far as I'm concerned.
If everyone were to adopt SPF, and C/R systems were to drop mail from
forged senders instead of sending a challenge,

I'd say it's not possible to make this call reliably.
then *maybe* C/R would be a
good idea, but until that happens, it is not.

I see it as a lesser of two evils. I remember all too well the days when
mailing lists didn't all use C/R to verify subscriptions, and the horror it
caused some users who were the victims of what amounted to early script
kiddies who thought subscribing an email address to 100 or so arbitrary lists
would prove their manhood. :(

--
Hand crafted on October 13, 2005 at 16:08:11 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx
 
Mike Easter

Jeffrey said:
I see it as a lesser of two evils. I remember all too well the days
when mailing lists didn't all use C/R to verify subscriptions, and
the horror it caused some users who were the victims of what amounted
to early script kiddies who thought subscribing an email address to 100
or so arbitrary lists would prove their manhood. :(

You are confusing mailing list confirmation methods with challenges to
spam.

No spam should be challenged. Challenging non-spam is debatable.

Personally I am against challenging non-spam as well as spam -- that is,
I don't want my mail to be challenged and most likely I will not
correspond with anyone who challenges my mail.

However, I am 100% in favor of, and am completely insistent upon,
confirmations for mailing lists.

That confirmation email applied to mailing list subscription is not to
be considered 'challenge/response' applied to spam.
 
Jeffrey F. Bloss

Leythos said:
If you use a RBL, most people also use the RBL's that include the
Dynamic IP ranges of most ISP's - I know it's made a BIG difference in
the amount of spam that we get.

I agree, and I've used one here at home off and on. But there's a *huge*
difference between RBLs. Some are positively anal about who they list, and
some don't go far enough.

I see DNS level blocking of any IP block that includes incidental
occurrences of abuse as way too far to the 'A' side. As I said, it has its
place, but that place isn't as a front line defense against BadThings(tm).
I would love to see DNS lists that black-hole traffic like 135~139, 445,

I agree this far, but only because these things were never intended to be
opened to the public in general as far as I'm concerned. They're "internal"
protocols that MS mucked up beyond recognition.

They're also things that can be easily firewalled with no penalty on
legitimate users. ;)
and SMTP from Dynamic IP ranges,

BZZZZZ... sorry but no. There's no way to reliably throttle SMTP activity
without kicking the snot out of people who simply want to use third party
mail providers, for instance.
but since we create AUTO-BLOCK for
probes from 445 and 1026, and we use RBL's for SMTP, and we block most
non-US based countries IP ranges, we don't have much need for the DNS
block list mentioned.

That's a sane solution IMO. Assuming an intelligent RBL selection of course.
If ISP's would just block 135~139, 445 and 25 outbound from dynamic IP
ranges, the Net would be a lot nicer place.

If you disconnect your PC from the net altogether, the problem totally
evaporates. But what fun would that be? <g>

--
Hand crafted on October 13, 2005 at 16:19:06 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx
 
Jeffrey F. Bloss

Mike said:
Agreeing with your main theme; disagreeing with one of your 'such as'
remarks.

Altho' I completely agree with your theme of allowing port 25 and my
ability to use other email providers besides my own connectivity
provider; I completely disagree with your characterization of the
availability of challenge/response toward spam as something which
represents a good kind of spam control.

I never meant to portray C/R as a method of SPAM control. It was only an
example of a type of service that third party providers offer, but most
ISP's do not. Along with "white listing", which I think I mentioned in the
same breath. They're just two strategies of many that have varied uses in
different scenarios, spam being one, but it's not some magic bullet. If I
misled anyone to believe I thought otherwise, I apologize.

--
Hand crafted on October 13, 2005 at 16:39:02 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx
 
Jeffrey F. Bloss

Mike said:
You are confusing mailing list confirmation methods with challenges to
spam.

No, I'm not. I only brought it up as an example of some feature that most
ISP's didn't offer, but some third party providers do. Along with white
listing. And I noted that a generic form of C/R was typically part of
Mailing list subscriptions.

I apologize if I misled people to believe that I thought C/R was an
effective spam solution. Never my intention. I fully realize the peril of
replying to *any* spam.
Personally I am against challenging non-spam as well as spam -- that is,
I don't want my mail to be challenged and most likely I will not
correspond with anyone who challenges my mail.

I suppose that's a matter of two bulls butting heads. <g>

Personally, I would never use C/R to personal email either unless it was an
account I wished to limit to a certain list of users. In which case
white/gold listing would likely be a better choice.
However, I am 100% in favor of, and am completely insistent upon,
confirmations for mailing lists.

Of course. I was around when they didn't do this, and saw the havoc first
hand. Not pretty.

--
Hand crafted on October 13, 2005 at 16:46:58 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx
 
Leythos

BZZZZZ... sorry but no. There's no way to reliably throttle SMTP activity
without kicking the snot out of people who simply want to use third party
mail providers, for instance.

Sorry, there is nothing nice about people sending SMTP traffic out of
their homes to the world. They can relay through their ISP and most
ISP's are switching to blocking outbound SMTP from anything but their
own SMTP servers.
 
Jeffrey F. Bloss

Leythos said:
Sorry, there is nothing nice about people sending SMTP traffic out of
their homes to the world. They can relay through their ISP and most
ISP's are switching to blocking outbound SMTP from anything but their
own SMTP servers.

So you're saying third party email providers don't offer anything above and
beyond what your typical ISP chooses to use as today's definition of
"sufficient"?

Or no business person would ever need to respond to a company email from
home??

Or no "residential" user would ever have any use for the SMTP services that
are included with their store bought web host???

/me shakes head in disbelief


And for the record, "most ISP's" are doing nothing of the sort.

--
Hand crafted on October 13, 2005 at 19:51:34 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx
 
Leythos

So you're saying third party email providers don't offer anything above and
beyond what your typical ISP chooses to use as today's definition of
"sufficient"?

No, that's not what I said, but you can think that way. I personally
install RBL filters at every client's mail server and one of the RBL's is
a Dynamic IP list. Installing that RBL removed about 40% of the spam
alone, almost 85% with the other RBL's.
Or no business person would ever need to respond to a company email from
home??

You really take things to the extreme. While I'm sure that many small
companies that are still growing work from home or use cheap residential
class internet service - like DSL or Cable modem service instead of a
Business Class service on a IP range that's not on the RBL's, it's not
an excuse for people that operate mail servers to allow those users. The
people that run SMTP services outside of their ISP are only doing so for
some lame reason - like the mail provider doesn't know how to setup
secure connections, etc...
Or no "residential" user would ever have any use for the SMTP services that
are included with their store bought web host???

I've seen many Hosting plans that include email, and using a ISP as the
outbound relay doesn't stop the user from fetching email from those
services. With the way things are changing in the world, the amount of
spam increasing, there is no valid business reason to allow email
inbound from Dynamic IP ranges when so many solutions exist to not use
them.
/me shakes head in disbelief


And for the record, "most ISP's" are doing nothing of the sort.

Sorry, you're living on borrowed time - I see places like AOL, Road
Runner, Earth Link, ComCast, Adelphia.... implementing it in different
regions.

If you purchase Business Class service they don't limit you like they do
Residential connections.
 
Jeffrey F. Bloss

Leythos said:
No, that's not what I said, but you can think that way.

What you *said* was there's no reason to allow *:25 connections outside the
neighborhood. When I asked the above question you waffled with this...
I personally
install RBL filters at every client's mail server and one of the RBL's is
a Dynamic IP list. Installing that RBL removed about 40% of the spam
alone, almost 85% with the other RBL's.

I personally don't care if you dance naked around your mail servers by the
light of a full moon. You're still not on par with "XYZ email", and it's
not your place to decide what email provider I choose to use as long as
sending emails is still legal regardless.
You really take things to the extreme.

Extreme my ass...
While I'm sure that many small
companies that are still growing work from home or use cheap residential
class internet service - like DSL or Cable modem service instead of a

I used to work for Xerox. A good portion of my work day was spent on line.
Almost all that time was spent outside the corporate offices oddly enough,
and a portion of it was from <gasp> my home.

If my home *OR* my local office ISP had blocked access to my "dinky little
company's" email servers I'd have been out of a job.
I've seen many Hosting plans that include email, and using a ISP as the

I haven't seen many that don't.
outbound relay doesn't stop the user from fetching email from those
services.

Excuse me... "fetching"? What about "responding"? What about *using* the
services you've paid for?

Waffle.
Sorry, you're living on borrowed time - I see places like AOL, Road
Runner, Earth Link, ComCast, Adelphia.... implementing it in different
regions.

I don't. And I deal with it every day. What I do see is failed experiments
like SBC where the attempt is made, but mechanisms to remove those blocks
automatically on request *must* be put in place to satisfy the customer.

I'm sorry, but you are truly way out in left field on this one. I realize
SPAM and other crap is a real life problem, but flatly laying waste to an
entire protocol and almost every business or hobby that utilizes it in any
way outside some anal retentive BOFH's idea of "OK" is utter lunacy.

--
Hand crafted on October 13, 2005 at 20:41:06 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx
 
Tim Smith

ACK. But it's a matter of which is worse... a single challenge sent for each
spam, or the potential that a list that doesn't challenge can be used to
flood a user's mailbox with all the posts from that list until the user can
unsubscribe.

Two different types of attacks of course, from two completely different
sources most likely. But the numbers work out in favor of the C/R scenario
as far as I'm concerned.

OK, let's clarify the terminology here. When you sign up to a mailing
list, and they send back something asking if you really signed up, and
you have to respond to that in order to be added to the list, this is
usually called "confirmed opt-in".

Confirmed opt-in is considered standard practice, and mailing lists that
do NOT use it usually get in trouble (e.g., the servers they are sent
from end up on spam blacklists).

When you send mail to someone in order to communicate with them, and
they send back an automated challenge that you must reply to, in order
for your original mail to be released from some kind of holding area so
they will see it, that is usually called a "challenge/response" system
(C/R system).

It is C/R systems that are a problem. Here's the difference. Suppose a
spammer is forging your domain (or worse, your full email address).
During a normal spam run, they might hit an occasional mailing list
(although most mailing lists use web-based sign up, not email-based sign
up nowadays). Assuming the mailing list doesn't recognize this as bogus
and thinks it might be a sign up request, you will get *one*
confirmation message.

When that same spammer hits an ISP that is using a C/R system, you end
up getting hundreds or thousands of challenges.

Basically, you generally only get abused by confirmed opt-in when
someone actually sets out to abuse you (e.g., someone who doesn't like
you goes around and tries to sign you up to a bunch of mailing lists).
C/R systems, however, generate a lot of abuse as part of their normal
operation.

The bottom line: if an ISP installs a C/R system, there is a good chance
they will end up on spam blacklists.
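
The difference described in the post above, together with the SPF condition raised earlier in the thread, as an added example that is not part of the original thread. It counts the automated replies a forged sender receives from a plain C/R system, from a C/R system that drops SPF failures instead of challenging, and from a confirmed opt-in list; every domain, address, IP range and SPF record is constructed for illustration, and the SPF evaluator handles only `ip4` and `all`.

```python
import ipaddress
from collections import Counter

# Constructed SPF policies. victim.example publishes a strict record,
# nospf.example publishes nothing (the "if everyone adopted SPF" gap).
SPF_RECORDS = {
    "victim.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "nospf.example": None,
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, records=SPF_RECORDS):
    """Evaluate a simplified SPF record (ip4 and all mechanisms only)."""
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, include, ... are outside this sketch
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def build_spam_run():
    """Constructed traffic: one spam run forging two senders, plus one real mail."""
    msgs = []
    for i in range(300):  # forged sender whose domain publishes SPF
        msgs.append({"mail_from": "alice@victim.example",
                     "client_ip": f"203.0.113.{i % 250 + 1}",
                     "rcpt": f"user{i}@cr-isp.example"})
    for i in range(200):  # forged sender whose domain has no SPF record
        msgs.append({"mail_from": "bob@nospf.example",
                     "client_ip": f"198.51.100.{i % 250 + 1}",
                     "rcpt": f"user{i}@cr-isp.example"})
    # The same run happens to hit one mailing list's subscribe address.
    msgs.append({"mail_from": "alice@victim.example",
                 "client_ip": "203.0.113.7",
                 "rcpt": "list-subscribe@lists.example"})
    # One genuine message from alice, sent through her provider's server.
    msgs.append({"mail_from": "alice@victim.example",
                 "client_ip": "192.0.2.10",
                 "rcpt": "user1@cr-isp.example"})
    return msgs


def plain_cr(messages, cr_domain="cr-isp.example"):
    """C/R as described in the thread: every unknown sender gets a challenge."""
    challenges = Counter()
    for m in messages:
        if m["rcpt"].endswith("@" + cr_domain):
            challenges[m["mail_from"]] += 1
    return challenges


def spf_gated_cr(messages, cr_domain="cr-isp.example"):
    """C/R that drops SPF 'fail' mail silently and challenges the rest."""
    challenges, dropped = Counter(), 0
    for m in messages:
        if not m["rcpt"].endswith("@" + cr_domain):
            continue
        sender_domain = m["mail_from"].rsplit("@", 1)[1]
        if spf_check(sender_domain, m["client_ip"]) == "fail":
            dropped += 1  # forged: no challenge goes to the real owner
            continue
        challenges[m["mail_from"]] += 1
    return challenges, dropped


def confirmed_opt_in(messages, subscribe_addr="list-subscribe@lists.example"):
    """A list only answers mail that reaches its subscribe address."""
    confirmations = Counter()
    for m in messages:
        if m["rcpt"] == subscribe_addr:
            confirmations[m["mail_from"]] += 1
    return confirmations


def summarize():
    msgs = build_spam_run()
    gated, dropped = spf_gated_cr(msgs)
    return {
        "plain_cr": dict(plain_cr(msgs)),
        "spf_gated_cr": dict(gated),
        "spf_dropped": dropped,
        "confirmed_opt_in": dict(confirmed_opt_in(msgs)),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(name, value)
```

The sender without an SPF record still receives every challenge from the gated system, which is why the condition in the thread was stated as "if everyone were to adopt SPF".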
 