[Mimedefang] FTC asks ISPs to crack down on zombie PCs

James Ebright jebright at esisnet.com
Wed May 25 10:50:13 EDT 2005


On Wed, 25 May 2005 08:51:18 -0500 (CDT), Ian Mitchell wrote

> Personally, I'm highly opposed to blocking outbound port 25. There 
> are some of us who don't have the resources to run a domain on a business
> class line. 

Where are you located? We charge $5.00/mo for a single static IP, which
would most likely work in your situation (we are in Sprint/BellSouth ILEC
areas). It doesn't matter whether you are on DSL or dial-up at that price (but an
MTA on the other side of a dial-up... yuck!). With dedicated circuits we usually
include a single IP or a small block depending on the circuit (as most ILECs
will as well) after you justify the space allocation (we use ARIN's forms, since
that's what we need to fill out as well).

> So by cutting our port 25, we are now forced to limit which domains
> we can send email to. I have to add special rules to those specific
> domains that choose to deny my emails to forward through my ISP's
> MTA. The point of running an MTA is so you don't have to do that.

Running an MTA on the other side of dynamic IP space is usually a bad idea
unless you forward all of it from your own MTA through your provider's MTA (easy
to do in sendmail). Otherwise you will end up being blocked by a LARGE number of
providers using DNSBLs for dynamic IP space.

> 
> > * block outbound port 25 except for designated MTAs. Define an SPF record
> > for said MTAs. Implement SMTP Auth.
> 
> Only if the email presents itself as being from that domain; if someone's
> running a domain on an IP of that ISP, then that domain should have
> an SPF record that SHOULD allow the emails to go through. I
> advertise a hard SPF record for my domain; I allow email to only
> come from my IP. Unfortunately, due to the rules that I have to set
> up for certain ISPs that limit port 25, I have to allow my ISP to
> act as a relay in the SPF record as well. Not my most ideal
> solution. But it's that kind of backwardness you get when people
> start breaking things ;)

Wow, first off, are you rewriting your SPF record every time your IP changes in
the dynamic IP space via mydyndns.org? Your SPF record allows your current
dynamic IP as well as charter.com's SPF record, if any (your cable provider).

Honestly, I would bet you are in violation of RFC 2821 with regard to the reverse
DNS requirements for an SMTP server. You are against the thought that your ISP
(Charter) might (and most likely will) start blocking port 25 outbound, and
that you might have to require your private MTA (rogue MTA) to relay all of
its outbound mail through Charter's mail servers, which is actually how it
should have been set up in the first place (and again, it is pretty easy to do;
it just involves a few mc file edits to hide your MTA as the originator). And
you claim all of this is due to either your security expertise or to not being
able to afford a static IP assignment? Look at the bigger picture.

Also, I do hope you have a business account with Charter, as they specifically
forbid "servers" in their terms of service agreement for residential accounts.
Also, I know Cox Communications and Time Warner here both provide a single
static for no extra cost if you ask for a business account, and pretty much all
of the DSL providers, including my ISP, do for business-level DSL accounts and
can for residential for a small fee ($5.00/mo from us for a single static).

Sorry, I just can't help but shudder at the thought of running a business's
MTA and MX of record over a dynamic IP using dyndns or any similar service,
especially since the risks are so high and the cost to do it right is probably
about the same as you are paying dyndns for their service.

Jim

--
EsisNet.com Webmail Client
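An added example, not part of Jim's or Ian's messages: the SPF situation Ian describes (a hard-fail record that lists his own, currently assigned dynamic address and, because of the port 25 blocking, also has to include the ISP's record) can be walked through with a small SPF evaluator. The domain names, addresses and DNS records below are constructed for illustration and stand in for real DNS lookups, so the code runs offline; it covers the ip4, a, mx, include and all mechanisms with the four qualifiers, which is enough to show both the include widening the set of authorised senders and the record going stale when the dynamic IP changes.

```python
"""
Minimal SPF check_host() over a constructed DNS table (stdlib only).

Supports the mechanisms a small domain's record actually uses:
ip4:<addr|cidr>, a[:domain], mx[:domain], include:<domain> and all,
each with an optional qualifier (+ pass, - fail, ~ softfail, ? neutral).
CIDR suffixes on a/mx and the ip6/ptr/exists mechanisms are not handled.
"""
import ipaddress

# Constructed DNS data (assumption: none of these names or addresses are real).
# example.net is the home-run domain: its record authorises the address the
# dynamic line currently has, plus whatever the ISP's own record authorises.
DNS = {
    "example.net": {
        "TXT": "v=spf1 ip4:203.0.113.45 include:isp.example -all",
    },
    "isp.example": {
        "TXT": "v=spf1 mx -all",
        "MX": ["smtp.isp.example"],
    },
    "smtp.isp.example": {"A": ["198.51.100.10", "198.51.100.11"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _records(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get(name, {}).get(rtype, [])


def check_host(ip, domain, depth=0):
    """Return the SPF result for mail from `ip` claiming to be from `domain`."""
    if depth > 10:                      # runaway include chains are a permerror
        return "permerror"
    record = DNS.get(domain, {}).get("TXT")
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        matched = False
        if mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in _records(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in _records(mx, "A")
                          for mx in _records(arg or domain, "MX"))
        elif mech == "include":
            # include: matches only when the referenced policy yields "pass"
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism this evaluator does not know
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no "all" term


if __name__ == "__main__":
    # 203.0.113.45 is the address in the record; .46 is what the line gets
    # after a DHCP lease change if the record is not rewritten; the 198.51.100.x
    # hosts are the ISP's relays that the include: authorises.
    for sender in ("203.0.113.45", "203.0.113.46", "198.51.100.10", "192.0.2.7"):
        print(sender, "->", check_host(sender, "example.net"))
```

The evaluator makes the two sides of the thread concrete: a forced `include:` of the ISP means every message the ISP's relays emit for the domain passes, whether or not it originated on the home MTA, and the moment the dynamic address moves from .45 to .46 without the TXT record being rewritten, the domain's own mail hard-fails against its own `-all`.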
