[nylug-talk] Spam Analysis

Chris Knadle Chris.Knadle at coredump.us
Thu Apr 12 07:52:03 EDT 2007


On Wednesday 11 April 2007 14:25, Marco Romeny wrote:
> On 4/11/07, Chris Knadle <Chris.Knadle at coredump.us> wrote:
> > On Wednesday 11 April 2007 09:07, alex at pilosoft.com wrote:
> > > On Tue, 10 Apr 2007, Henning Follmann wrote:
> > > > Hello, the subject is not really conclusive but I did not know how to
> > > > summarize it properly. So I just did some analyzing of where spam
> > > > sent to my domain comes from. And I was surprised to see that actually a
> > > > substantial amount is coming from networks like Cablevision, Optonline
> > > > and Verizon. When I was still a customer of one (well, actually two) of
> > > > the above I remember that those companies forced me to use their
> > > > relay and blocked everything else on port 25. But now I see that
> > > > actually they don't even control spam. So what are they doing here?
> > > > Imposing their cluelessness on their customers and bossing me around under
> > > > the cover of "fighting spam", but actually doing nothing?
> > >
> > > If that is the case, you should use SPF. I think all of the above
> > > publish their SPF records.
> >
> >    Actually I don't see how SPF would apply here.  FIRST, from what I
> > understand it's not meant as a tool to prevent spam -- its intent is to
> > check that mail from a domain hasn't been spoofed.  This also isn't as
> > effective as anyone might like -- all a spammer has to do is get a domain
> > name and not publish SPF records.
>
> I guess the idea is that it will deter spoofing from known domains.

   It was a good idea, but in practice it also gets in the way of roaming 
customers that want replies to go to their ISP.  If everyone turned SPF on 
for their domains, nobody would be able to send email if they were using 
their laptop at Kinkos, Starbucks, etc [or if they did, it would be rejected 
at the receiving MTA].  This is likewise what I ran into when I decided to 
use it for a domain of my own.

> > > Clients whine if they get port 25 filtered. Other people whine when you
> > > don't filter port 25. The only conclusion I can draw is "there's no
> > > pleasing some people"
> >
> >    There are issues either way.  I happen to be one using the outbound
> > port 25 capability to relay mail through my own mail server rather than
> > through the ISP's.  The main reason is so that I can read the mail logs
> > and know when an email was sent or what the problem is, rather than
> > having to wait 5 days for it to time out at the ISP, which is what can
> > happen in some cases. The prior ISP I had blocked outbound 25, which was
> > fine -- I just ran another MTA on an alternate port and sent from an
> > alternate port.
>
> It sure would be great if port 25 was closed for the masses, and that
> everyone started using the standards already set up in the form of
> using 'delivery' for last-stop delivery, smtp-auth over ssl. A good
> public example would be just gmail. They do it the way it is kind of
> supposed to be done.

   Anytime I see the word "just" I automatically start to think that an 
oversimplification is taking place.  In this instance, if I wanted to 
duplicate "just Gmail", what would it take?  Is there a standards document 
explaining how to set up all the necessary services to do that?  [These are 
rhetorical questions for illustration.]

> I can agree with the idea that no ports should be blocked for outgoing
> access from any isp, but I can also see why such measures are in place.
> And any ISP that doesn't offer secure smtp-auth should not be regarded
> as serious anyway...

   I don't disagree, but not every ISP implements this as you'd expect.
   At least one ISP we had required smtp-auth over ssl, after which port 25 
was open to anywhere.  This would mean that a box that was part of a botnet 
would be blocked UNTIL the user got their email...

     -- Chris

-- 

Chris Knadle
Chris.Knadle at coredump.us
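Two points in the thread above are easier to see with a worked SPF check than in prose: a spammer who registers a domain and publishes no SPF record gets a "none" result rather than a failure, and a roaming user who sends directly from a coffee-shop address with a "-all" domain gets rejected, while the same user relaying through the domain's authorized mail server still passes. The following is an added example written for this page, not code from anyone in the thread. It implements a small subset of the SPF syntax (ip4, ip6, a, include, all, redirect) against a constructed, in-memory DNS table; the domain names and the RFC 5737 / RFC 3849 documentation addresses in that table are made up for the illustration and are not any real ISP's records.

```python
"""Minimal SPF check_host() over a constructed DNS table.

Supports the ip4, ip6, a, include and all mechanisms plus the redirect
modifier. Macros, mx, ptr and exists are deliberately left out.
"""
import ipaddress

# Constructed DNS data for the example (documentation address ranges only;
# none of these names or records are real).
FAKE_DNS = {
    # The ISP: its customer address ranges and its outbound relay.
    "isp.example": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 a:mail.isp.example -all"],
    },
    "mail.isp.example": {"A": ["198.51.100.25"]},
    # A personal domain whose owner relays all outbound mail via the ISP.
    "coredump.example": {
        "TXT": ["v=spf1 include:isp.example -all"],
    },
    # A freshly registered domain that publishes no SPF record at all.
    "throwaway.example": {"TXT": ["some unrelated txt record"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns):
    """Return the records of type rtype for name from the constructed table."""
    return dns.get(name, {}).get(rtype, [])


def spf_record(domain, dns):
    """Return the single v=spf1 TXT record for domain, or None if absent."""
    recs = [t for t in lookup(domain, "TXT", dns)
            if t == "v=spf1" or t.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, dns, depth=0):
    """Evaluate sender address ip against domain's SPF policy.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # guard against include/redirect loops
        return "permerror"
    rec = spf_record(domain, dns)
    if rec is None:
        return "none"                   # no policy published: nothing to enforce
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in rec.split()[1:]:
        if "=" in term:                 # modifier (only redirect is handled)
            mod, _, val = term.partition("=")
            if mod == "redirect":
                redirect = val
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "a":
            target = arg or domain
            hosts = lookup(target, "A", dns) + lookup(target, "AAAA", dns)
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":
            # include matches only if the included policy yields pass
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"          # unsupported mechanism
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return check_host(ip, redirect, dns, depth + 1)
    return "neutral"                    # no mechanism matched and no 'all'


if __name__ == "__main__":
    scenarios = [
        ("home DSL, via ISP range", "192.0.2.77", "coredump.example"),
        ("laptop, via ISP relay (smtp-auth)", "198.51.100.25", "coredump.example"),
        ("laptop at a coffee shop, direct", "203.0.113.9", "coredump.example"),
        ("spammer, no SPF record", "203.0.113.9", "throwaway.example"),
    ]
    for label, ip, domain in scenarios:
        print(f"{label:36s} {ip:15s} {domain:20s} -> {check_host(ip, domain, FAKE_DNS)}")
```

The third scenario is the roaming problem from the message above: a laptop at a coffee shop handing mail straight to the recipient's MTA fails the "-all" policy, whereas the second scenario (the same laptop authenticating to the ISP's relay first) passes, which is what smtp-auth buys you alongside SPF. The fourth scenario returns "none", not "fail": SPF says nothing about a domain that publishes no record, which is the point made earlier about spammers simply registering a fresh domain.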
