In message
To be fair though, in mentioning an opt-out system I was thinking of clueful users deliberately running their own servers that would notice within minutes that port 25 had been blocked - not the SMTP AUTH crowd which may be significantly less clued up and not notice why their previously working "Email Thingy" isn't working anymore.
The clueful users can always build tunnels and route stuff through the tunnels. I do this from my laptop when working in various organisations where I still want to send mail via my own mail server (because, eg, it's the only one listed in the SPF rules).

SMTP AUTH is harder, but at least as a first cut simply permitting connections that did SMTP AUTH would probably select for the "good" connections and ignore the bad ones. Much the same for STARTTLS -- anything using that is probably not malware, at least at present. Most malware barely manages to interoperate with SMTP servers let alone actually supporting "fancy" features.

As I've suggested before, blocking some of these services by default, and providing an "enable this service again" automatic system for clueful users would be nearly as useful as trying to do layer-7 filtering on the protocol. It could even require turning on again with every reconnection, totally doing away with the need for the ISP to store anything associating permissions with the user. (Anyone who can't automate a GET of, eg, http://ihaveaclue.$ISP/enable?services=smtp or similar on reconnect doesn't have the necessary clue.)

On a related tack, I am seriously considering writing to the appropriate government ministers and suggesting that, as part of their proposed anti-spam legislation, a legal duty be placed on people not to connect/allow to remain connected an insecure/0wned/infected system under their control. With the first breach resulting in mandatory disconnection of the system from the network, not to be reconnected until the person had completed a course on "network security" and had their machine certified "cleaned up" by someone appropriate. Subsequent breaches resulting in that and fines and/or longer periods of mandatory disconnection.

IMHO such insecure/0wned/infected systems are a nuisance (in the legal sense of the word) and thus the owners of them should be responsible for the damage they cause.

Ewen
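The first-cut rule described in the message above (let through port-25 sessions that did SMTP AUTH or STARTTLS, stop the rest) can be written as a small session classifier. This is an added example, not part of the original message; the function name, the transcript format and the sample sessions are assumptions constructed for illustration.

```python
# Added illustration: transcripts are constructed, not captured traffic.
def classify_session(transcript):
    """Return 'permit' or 'block' for one port-25 session.

    transcript is a list of (direction, line) pairs, direction 'C' for the
    client and 'S' for the server. Permit once the server accepts STARTTLS
    (220) or AUTH (235); block if MAIL FROM arrives before either. Default deny.
    """
    pending = None  # 'STARTTLS' or 'AUTH' while awaiting the server's verdict
    for direction, line in transcript:
        text = line.strip()
        if direction == "C":
            if pending == "AUTH":
                continue  # client's reply to a 334 challenge, not a command
            verb = text.split(" ", 1)[0].upper()
            if verb in ("STARTTLS", "AUTH"):
                pending = verb
            elif text.upper().startswith("MAIL FROM:"):
                return "block"
            continue
        if text[3:4] == "-":
            continue  # multi-line reply, wait for the final line
        code = text[:3]
        if pending == "STARTTLS":
            if code == "220":
                return "permit"  # everything after this is encrypted
            pending = None
        elif pending == "AUTH":
            if code == "235":
                return "permit"
            if code != "334":
                pending = None  # authentication failed or was refused
    return "block"

PLAIN = [("S", "220 mx.example ESMTP"), ("C", "HELO pc"), ("S", "250 mx.example"),
         ("C", "MAIL FROM:<a@example.net>")]
TLS = [("S", "220 mx.example ESMTP"), ("C", "EHLO laptop"),
       ("S", "250-mx.example"), ("S", "250 STARTTLS"),
       ("C", "STARTTLS"), ("S", "220 Ready to start TLS")]
AUTH_OK = [("C", "EHLO laptop"), ("S", "250 AUTH LOGIN"), ("C", "AUTH LOGIN"),
           ("S", "334 VXNlcm5hbWU6"), ("C", "dXNlcg=="), ("S", "334 UGFzc3dvcmQ6"),
           ("C", "cGFzcw=="), ("S", "235 Authentication successful")]
AUTH_BAD = [("C", "EHLO pc"), ("S", "250 AUTH PLAIN"), ("C", "AUTH PLAIN AGEAYg=="),
            ("S", "535 Authentication failed"), ("C", "MAIL FROM:<a@example.net>")]

if __name__ == "__main__":
    for name, t in [("plain", PLAIN), ("tls", TLS), ("auth ok", AUTH_OK), ("auth bad", AUTH_BAD)]:
        print(name, classify_session(t))
```

The decision keys on the server's reply code rather than the client's command, so a session that merely sends AUTH and is refused does not count as authenticated.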