On 2010-06-25, at 08:07, Jay Daley wrote:
On 25/06/2010, at 12:47 PM, Nathan Ward wrote:
Of course, you should probably not be using port 25 for submission, or if your mail provider has RBLs running on their submission port then something isn't quite right.
In this case it was 587, authenticated over SSL. See below as to why the RBLs.
Also, surely RBLs should be consulted to decide whether to accept mail from an unauthenticated client, as opposed to you, who is presumably an authenticated client.
Not sure I agree. Infected + authorised is a deadly combination if you assume the authorisation always confers legitimacy. That would mean that a compromised host can send with impunity one it authorises.
I don't think anybody sane would argue that giving your users free reign to send spam (intentionally or otherwise) is a good idea. At the very least, this is a self-correcting problem since any mail relay that acted that way would soon find it difficult to relay mail to any other system. My impression from those who spend much of their time with this stuff is that the right thing is to authenticate your users and check each outbound message against a useful set of heuristics to avoid spam being relayed by your servers. "The client address is in a blacklist" by itself does not sound like a useful set of heuristics, to me (as you have discovered). Whilst it might be expedient to refuse connections from anonymous people in the Internet based on something as crude as "client address is in a blacklist", in the case of an authenticated user it seems far better to let them connect and deal with any apparent infection they have (drop mail, proactive phone call, whatever fits the budget) than it does to refuse to talk to them. The latter is almost guaranteed to cost you money in your helpdesk budget.
If the public connection is not actively managed, including receiving and responding to notifications then yes I imagine it will quickly be listed. But if someone there is paying attention then they should be able to pick on any listing and sort it out. I've done that many times in the past and it is not complicated.
Cleaning up public hotspots as spam sources sounds very much like whack-a-mole, even more so in a place where it's near guaranteed that the spam sources will have left the country by the time you try to follow up :-) Joe