nanog mailing list archives
Re: Outgoing SMTP Servers
From: Douglas Otis <dotis () mail-abuse org>
Date: Tue, 25 Oct 2011 16:37:37 -0700
On 10/25/11 12:31 PM, Ricky Beam wrote:
On Tue, 25 Oct 2011 12:55:58 -0400, Owen DeLong <owen () delong com> wrote:
> Wouldn't the right place for that form of rejection to occur be at the mail server in question?

In a perfect world, yes. When you find a perfect world, send us an invite.
> I reject lots of residential connections...

The real issue here is *KNOWING* who is residential or not. Only the ISP knows for sure; and they rarely tell others. The various blocklists are merely guessing. Using a rDNS name is an even worse guess.
Agreed. Don't expect a comprehensive list based upon rDNS containing specific host names with IPv6. That would represent a never-ending process to collect.
> However, senders who authenticate legitimately or legitimate sources of email (and yes, some spam sources too) connect just fine.

Authenticated sources can be traced and shut off. If a random cablemodem user has some bot spewing spam, the only way to cut off the spam is to either (gee) block outbound port 25, or turn their connection off entirely. As a responsible admin, I'll take the least disruptive path. (I'll even preemptively do so.)
Blocking ports is not free, but don't expect all DSL providers to unblock port 25 unless it is for a business account. Price differentials help pay for port blocking.
In a perfect world, all SMTP transactions would cryptographically authenticate managing domains for the MTA. With less effort and resources (than that needed to check block lists) IPv6 could continue to work through LSNs aimed at helping those refusing to offer IPv6 connectivity. Blocking at the prefix requires block list resources 65k times greater than what is currently needed for IPv4. IPv6 announcements seem likely to expand another 6 fold fairly soon as well.
In comparison, cryptographic authentication would be more practical, but a hybrid Kerberos scheme supported by various third-party service providers could reduce the overhead. Is it time for AuthenticatedMTP?
-Doug