nanog mailing list archives

Re: Outgoing SMTP Servers

From: Douglas Otis <dotis () mail-abuse org>
Date: Tue, 25 Oct 2011 16:37:37 -0700

On 10/25/11 12:31 PM, Ricky Beam wrote:

 On Tue, 25 Oct 2011 12:55:58 -0400, Owen DeLong <owen () delong com>
 wrote:
> Wouldn't the right place for that form of rejection to occur be at
> the mail server in question?

 In a perfect world, yes. When you find a perfect world, send us an
 invite.

> I reject lots of residential connections...

 The real issue here is *KNOWING* who is residential or not. Only
 the ISP knows for sure; and they rarely tell others. The various
 blocklists are merely guessing. Using a rDNS name is an even worse
 guess.

Agreed. Don't expect a comprehensive list based upon rDNS containingspecific host names with IPv6. That would represent a never endingprocess to collect.

> However, senders who authenticate legitimately or legitimate
> sources of email (and yes, some spam sources too) connect just
> fine.

 Authenticated sources can be traced and shutoff. If a random
 cablemodem user has some bot spewing spam, the only way to cut off
 the spam is to either (gee) block outbound port 25, or turn their
 connection off entirely. As a responsible admin, I'll take the
 least disruptive path. (I'll even preemptively do so.)

Blocking ports is not free, but don't expect all DSL providers tounblock port 25 unless it is for a business account. Pricedifferentials help pay for port blocking.

In a perfect world, all SMTP transactions would cryptographicallyauthenticate managing domains for the MTA. With less effort andresources (than that needed to check block lists) IPv6 could continue towork through LSNs aimed at helping those refusing to offer IPv6connectivity. Blocking at the prefix requires block list resources 65ktimes greater than what is currently needed for IPv4. IPv6announcements seem likely to expand another 6 fold fairly soon as well.

In comparison, cryptographic authentication would be more practical, buta hybrid Kerberos scheme supported by various third-party serviceproviders could reduce the overhead. Is it time for AuthenticatedMTP?


-Doug

Current thread:

Re: Outgoing SMTP Servers, (continued)
- - - Re: Outgoing SMTP Servers Mark Andrews (Oct 26)
    - Re: Outgoing SMTP Servers Leigh Porter (Oct 26)
    - Re: Outgoing SMTP Servers Mark Foster (Oct 26)
    - Re: Outgoing SMTP Servers Mark Andrews (Oct 26)
    - Re: Outgoing SMTP Servers Bjørn Mork (Oct 27)
    - Re: Outgoing SMTP Servers Jay Ashworth (Oct 26)
    - Re: Outgoing SMTP Servers William Herrin (Oct 25)
    - Re: Outgoing SMTP Servers Owen DeLong (Oct 25)
    - RE: Outgoing SMTP Servers Matt McBride (Oct 25)
    - Re: Outgoing SMTP Servers Ricky Beam (Oct 25)
    - Re: Outgoing SMTP Servers Douglas Otis (Oct 25)
    - Re: Outgoing SMTP Servers Scott Howard (Oct 26)
    - Re: Outgoing SMTP Servers Owen DeLong (Oct 26)
    - Re: Outgoing SMTP Servers Bjørn Mork (Oct 27)
    - RE: Outgoing SMTP Servers Brian Johnson (Oct 27)
    - Re: Outgoing SMTP Servers Valdis . Kletnieks (Oct 27)
    - Re: Outgoing SMTP Servers Robert Bonomi (Oct 27)
    - RE: Outgoing SMTP Servers Brian Johnson (Oct 27)
    - Re: Outgoing SMTP Servers William Herrin (Oct 27)
    - RE: Outgoing SMTP Servers Brian Johnson (Oct 27)
    - Re: Outgoing SMTP Servers Valdis . Kletnieks (Oct 27)

(Thread continues...)