Date: Fri, 31 Mar 2006 06:22:28 +1000 (EST)
From: Ross Wheeler
To: Brendan O'Dea
Cc: Aussie ISP List
Message-Id: <Pine.BSF.4.33.0603310609520.975-100000@home.albury.net.au>
In-Reply-To: <20060330135741.GA8407@londo.c47.org>
Subject: Re: [Oz-ISP] Spam code?
Followups:

<442C5CD3.2090308@webdock.com.au>
<20060330231800.GC5098@enc.com.au>
<442C7105.1010801@lannet.com.au>
<004701c65458$8a4327f0$c10b17cb@mike>

On Fri, 31 Mar 2006, Brendan O'Dea wrote:

> On Thu, Mar 30, 2006 at 12:20:10PM +1100, Marc-Adrian Napoli wrote:
> >
> >http://www.smh.com.au/news/breaking/spam-code-a-worlds-first/2006/03/28/1143441140324.html
> >
> >Is everyone serious about implementing these changes?
>
> It's not entirely daft.  While I don't believe that ISPs should be
> responsible for the inbound SPAM received by their customers, taking
> steps to reduce outbound SPAM is reasonable:
>
>  "Under the new code, ISPs will have to [...] provide a system of
>   handling complaints."
>
> If this means providing a working a b u s e @ d o m a i n then it's merely
> re-enforcing RFC 2142.
>
>  "They will also have to impose reasonable limits on the rate at which
>   subscribers can send email."
>
> This is similarly reasonable.  Given that 99.9% of home users should
> legitimately only be sending mail:
>
>  a) via the ISP's mail servers, and
>  b) would send on average dozens (at most hundreds) of messages per day,

"rate" doesn't say or indicate if that's in messages/day, kilobits/second
or some other limit. Few ISPs today have "business" and "home"
distinctions on their products, and a good number of businesses have valid
reason to send thousands of e-mail messages at a time (hell, I'm a small
ISP and I have customers including wineries and ski resorts who have
member/customer databases of many thousands who have opted-IN to periodic
sending).


> surely it makes sense to make the default policy for those users match
> those assumptions: limiting port 25 outbound to just your mail servers,
> and implementing outbound quotas on your mail servers.
>
> The average customer won't notice these restrictions at all, and it
> reduces the amount of SPAM proxied through those customer PCs which are
> infected by viruses considerably.
>
> For that 0.1% of customers for which this is a problem, ensure that you
> provide an opt-out facility.

Anyone noticed a whole host of new provisions that snuck into the code
before it was registered that were not in the draft code?

SOME of the more concerning ones include:

>A Service Provider should publish SPF records compliant with the relevant
>Internet standards (see http://spf.pobox.com), for each domain
>administered by it, specifying its policies for the sending of email from
>that domain.

Some of us already do, but it DOES cause problems to some legitimate
users. By way of example, a person "Ray" operates a business. From his
office, he has a connection to isp1 and conducts his business through isp1
with his business domain and email address. When Ray goes home, he uses
another internet connection through isp2. Under these provisions, he
CANNOT send mail out through isp1 mail server while connected to isp2, and
everyone will reject mail sent with his business e-mail address through
isp2 because SPF records will prevent it.


>Where technically and commercially viable, operators of equipment (such
>as LNS or RAS hosts) which terminates user sessions with dynamically
>allocated addresses MUST cause such sessions' outgoing connections to be
>dropped where they are attempting to contact a remote host on TCP port 25.

Yes, we implemented this years ago. Got very little flak over it, but we
DID punch holes for those we knew had legit mail servers, and for those
who provided justifiable reasons for needing port 25 open on outbound.
How about the situation where home users wish (or are required under
company policy) to send mail to/through their work smtp servers? Not all
use SMTP-AUTH, quite a few use SMTP-after-POP.

>ISPs should not distribute Customer Premises Equipment (CPE) for
>connection to the Internet by their Subscribers that is so configured by
>default as to be susceptible to being remotely administered across the
>Internet.

Can ISPs reasonably SELL such CPE to a customer in a "LOCKED" condition
where the user simply cannot change it? Is this reasonable? If customer
"Fred" subscribes to isp1 adsl service and purchases a suitable modem
(CPE), does ISP configure AND LOCK that device, so if Fred subsequently
churns to isp2, he cannot reconfigure his modem? And if it's NOT locked,
what will prevent the user simply doing a "factory reset" and restoring
unsafe defaults (or configuring through lack of technical know-how the
modem/router in such a manner as to make it "non-compliant")?

I see a LOT of potential for problems in this entire document, but it's
all rather too late now.


----
email "unsubscribe aussie-isp" to m a j o r d o m o @ a u s s i e . n e t to be removed.
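The "Ray" situation above comes down to how SPF is evaluated: the receiving MTA checks the IP address of the host that connected to it against the sender domain's SPF record, not anything about the person typing the mail. The following is an added example, not code from this list or its posters: a minimal SPF evaluator (ip4, ip6, include and the all/qualifier terms from RFC 7208; a, mx, ptr and exists are not implemented because they need live DNS) run against constructed TXT records and constructed addresses. The domains example-business.com.au and isp1.example.net, and the 203.0.113.0/24 and 198.51.100.0/24 ranges, are placeholders assumed for the illustration. It shows Ray's business mail passing when relayed through isp1's mail server, failing when sent directly from an isp2 dynamic address under -all, and soft-failing under ~all.

```python
import ipaddress

# Constructed TXT records for the example (placeholder domains, not real DNS).
# Ray's business domain delegates its policy to isp1's sending ranges.
TXT_RECORDS = {
    "example-business.com.au": "v=spf1 include:isp1.example.net -all",
    # Same domain with a soft-fail policy, for comparison.
    "example-business-soft.com.au": "v=spf1 include:isp1.example.net ~all",
    "isp1.example.net": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate SPF for a connecting MTA address against a sender domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only the mechanisms that need no live DNS are supported.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = TXT_RECORDS.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"  # include matches only on an inner pass
        else:
            return "permerror"  # a, mx, ptr, exists need real DNS; unsupported here
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # no term matched and no explicit "all"


def ray_scenario():
    """Ray's three ways of sending mail with his business address (constructed IPs)."""
    return {
        # Relayed through isp1's mail server (e.g. submission with SMTP AUTH):
        # the receiver sees isp1's address, which the record authorises.
        "relayed_via_isp1": check_host("203.0.113.25", "example-business.com.au"),
        # Sent straight from an isp2 dynamic address: not in the record, -all applies.
        "direct_from_isp2_hard": check_host("198.51.100.77", "example-business.com.au"),
        # Same path under a ~all record: receivers are told to accept but mark.
        "direct_from_isp2_soft": check_host("198.51.100.77", "example-business-soft.com.au"),
    }


if __name__ == "__main__":
    for path, result in ray_scenario().items():
        print(f"{path}: {result}")
```

The practical consequence for an ISP publishing SPF is visible in the first two results: the -all record only breaks Ray's mail when he hands it to isp2's outbound server, so the fix that keeps both the SPF policy and Ray's roaming is an authenticated submission service on isp1's mail server (which is also what a port-25 egress block on isp2 pushes him towards). A ~all record, as the third result shows, avoids the hard rejection at the cost of giving receivers a weaker signal.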
