OT: Question

Ken A ka at pacific.net
Fri Apr 3 21:58:47 IST 2009

Rick Cooper wrote:
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info 
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ken A
>> Sent: Friday, April 03, 2009 3:53 PM
>> To: MailScanner discussion
>> Subject: Re: OT: Question
>> Kevin Miller wrote:
>>> Ken A wrote:
>>>> Why not use it? It's usable only if you understand it, and it can
>>>> be 'inconvenient' for customers to have to send through a defined
>>>> list of outgoing servers.
>>> Um, maybe I'm just a lot slower than the rest of you, but I think
>>> "It's usable only if you understand it" applies to
>>> sendmail/postfix/MailScanner, etc. just as well.  That's why we're
>>> not being paid minimum wage.  This job requires a bit of thinking.
>>> If set up right on the back end, there's very little the customer has
>>> to do.  For a customer to send, they *have* to configure their mail
>>> client with an outgoing server.  The mail has to be sent somewhere.
>>> If they can figure out how to set up their client, what's the problem
>>> w/them picking a specific set of email servers?
>> That is a good question. But I answered it. It's inconvenient. Customers
>> may have more than one ISP, more than one business, more than one domain
>> hosted, parked, here, there, etc. They switch their From: address in
>> their email client depending on many things, but they leave their
>> outgoing server the same. Yes, MUAs could do a better job of tying
>> outgoing mail server to the From: address chosen.
>> Currently, asking customers to _not_ send through some other mail server
>> when they are borrowing a computer, or using their whatever mobile
>> device on some crippled cell network is inconvenient for the customer.
>> ISPs operate on a fairly slim margin these days. Support calls can doom
>> an ISP. If SPF was a silver bullet, it might be worth pushing it on
>> users, but it's not.
>> Ken
> [...]
> Kind of inconvenient to drive sober for some people sometimes too. This is a
> problem with the open nature of the internet. Don't get me wrong I am not
> looking for the internet police to appear, but no one wants to do anything
> about anything. It's inconvenient to pay taxes but I want roads to drive on,
> bridges that cross rivers, police, fire departments, etc so I have to pay
> taxes. If every ISP enforced sane security rules within their auspice the
> net would be a different place today. Every entity that is the authority for
> a given address space should be responsible for making sure their space is
> clean. I have no problem with someone running a mail service from their
> home, their business, etc. But they need to be clean and assigned the
> privilege by their ISP. If an ISP allows for services to be run they should
> require the party have a valid domain, a proper DNS (at least symmetrical)
> and sane server installation. If they get complaints they should shut down
> whatever IPs are assigned the given clients until it is demonstrated they
> have repaired whatever issues they had.

For the record, we do all this and more, as do most ISPs. We walk a line 
between the net neutrality folks and the DPI guys. Freedom is something 
with REAL value on the Internet, and it IS in peril. But, ISPs don't 
have to be draconian to be good netizens, and it doesn't make them 
ambivalent if policies don't all line up with your top 10 pet peeves.

> I am not saying ask customers to do anything... Make rules and enforce them,
> people do what is required much more consistently than what is requested.
> And, IMHO, any ISP that goes "wild west" and allows "whatever" should not be
> in business, they are bad for everyone's business.

We are talking about SPF, so I think you are going a little "wild west" 
with the topic ;-) I hope that my attempt to explain that deficiencies 
in SPF combined with the inconvenience that it forces on customers is 
not construed to be a 'whatever' policy. I think we can disagree without 
that sort of creative extrapolation.

> This is normal civil interaction in almost every instance of any community
> except that of the internet. And BTW, people who sell heroin are just trying
> to make a buck too... Why should they give a crap what their making a buck
> does to their communities any more than an ISP who runs a loose ship?

Again, we are talking about SPF, which is a bit of a weak attempt at 
containing a problem that exists due to spammers, not customers. ISPs 
must choose what to enforce, and what to request of customers based on 
the /real/ impact.

For example, blocking outgoing port 25 traffic from dynamic space is a 
good thing to do. Blocking 110 and 143, as you suggested earlier, is not 
a good thing to do, at least not for an ISP. The corporate and edu 
worlds are quite different.

Have a nice weekend,

> Rick
>>> Since most servers are set not to relay, they're limited to a
>>> defined set of servers by definition, no?
>>>> ISPs, web hosts, a large number of mail server admins (myself 
>>>> included), cannot set hard fail for most small business domains. 
>>>> Customers expect email to _work_, and they send from a number of 
>>>> locations using a number of systems (work, home, library, college, 
>>>> etc). Setting hard fail will only generate calls to your support
>>>> desk unless customers understand the implications.
>>> Um, yeah.  Not sure what's so hard about that.  If I'm off at some
>>> remote location I access my email via a web interface.  OWA, at work,
>>> and my ISP's squirrel mail for home email.  Mail sent from there goes
>>> out one of my servers and the user neither knows nor cares which.  If
>>> I needed to send via an interface other than the web I'd configure
>>> auth on the mail server.  If a user can enter a server name when they
>>> configure the client, they can surely enter their username/password
>>> in the same configuration dialog.  Or am I missing something?
>>>> Wouldn't it be great if customers read about SPF on the support 
>>>> section of your web site, and were thrilled about it? Reality 
>>>> check... Most customers do not care about SPF, and have no interest
>>>>  in learning about it unless it can benefit them in some immediate
>>>> way - if their domain is being actively spoofed, for example. In 
>>>> practice, this rarely happens.
>>> Users don't need to know about SPF.  The mail admin does.  When the
>>> user gets an account, you give them instructions on setting up their
>>> client.
>>> In practice, domains are often spoofed.  My users are frequently
>>> joe-jobbed.  I've set SPF to hard fail.  None the less, I still see a
>>> number of NDRs coming in.  One of my users got over 500 of them
>>> yesterday.  That was an anomaly, but it could have been prevented if
>>> the remote servers had just checked my SPF records before accepting
>>> and bouncing the mail.  Even if people don't publish SPF it is quite
>>> easy to check for it, either in spamassassin or a milter.
>>> I just don't see what's so impractical about SPF.  It's not a
>>> cure-all, but it stops a lot of the noise and would stop more with
>>> just a little thought and planning.
>>> YMMV...
>>> ...Kevin
>> -- 
>> Ken Anderson
>> Pacific Internet - http://www.pacific.net

Ken Anderson
Pacific Internet - http://www.pacific.net
