[geeks] consumer internet service

David Cantrell geeks at sunhelp.org
Mon Aug 20 15:44:13 CDT 2001


On Mon, Aug 20, 2001 at 02:03:58PM -0400, joshua d boyd wrote:
> On Mon, Aug 20, 2001 at 06:48:09PM +0100, David Cantrell wrote:
> > >              It's just that the ISP would need to have a system in place
> > > to quickly detect and deal with open relay abuse (perhaps have a volume
> > > trigger that spools up a certain amount for manual review).
> > I take it you mean manual review of whether there's an open relay, not
> > manual review of the message content!
> Manual review of the content could be icky, but then, what if it was a
> large amount of actual non spam email?  You don't want to just chuck
> that, but if it is spam, you don't want to pass it on.  I don't know which
> I'd prefer.

That's why you check the user's server to see if they're breaking the
rules.  There's not much you can do about spam other than giving the
user the option to have their mail filtered by your procmail-a-like.

If you tell the users in advance that you'll be enforcing quotas, then
I would still not want the ISP to be looking at the content of my mail.
Whether I value reliability over privacy I don't know - the issue has
never arisen.

> > Or to charge for breaking the rules - by for instance running an open
> > relay.  This is certainly an option if they only accept payment by
> > credit card.
> 
> I can't stand it when companies only accept payment by credit card.  A
> company can bill me (one local computer store does that.  I walk out with
> my merchandise, and the bill arrives in the mail a few days later), or
> they can ask me to pay up front, but currently, I refuse to do business
> with people who only accept credit cards.

Yes, you have that option.  However, that is one way for the ISP to
have a good chance of getting their money if they do have to charge a
penalty.  In .uk there is the alternative of requiring payment by
Direct Debit*, but I get the impression that there is no equivalent
scheme in .us.

> You still can't charge a penalty for an open mail relay.  If they don't
> pay up, just cut off their service.

Yes you can, you put something in the contract saying "if you run an open
relay we will bill you X hundred $currency_units, and we will cut off
your mail service until you fix it.  Do it twice and we send da boyz
round with blunt instruments".  You do, of course, need to explain what
an open relay is and also ensure that any software *you* supply is
configured to behave itself.

> > Don't forget also that much monitoring can be automated.  For example,
> > you can automate the probe for an open relay.
> 
> I have to confess, I'm not really sure of the intricacies of what an Open
> Relay is.

It's a mail server which will accept SMTP connections from anywhere for
delivery to anywhere.  This used to be a Good Thing, as mail would get
handed from server to server as it wended its way across the net.  Now,
however, this is a liability as it is an excellent way for spammers to
hide their tracks, and you want to arrange for your server to only accept
mail:
  from known-friendly sources to anywhere, or
  to your own servers from anywhere

To test whether a server is an open relay, you connect to it from an
unauthorised address, and try to deliver to an external address.
For instance, connect from penderel.state51.co.uk to millersville.edu's
server and try to send mail to david at cantrell.org.uk.

If the server doesn't complain, that's a pretty good indication that
it's an open relay, but to be on the safe side I'd not do anything
about it until it actually delivers mail to that outside address.

* - direct debit is a scheme where you can give a company authority to
debit variable amounts directly from your bank account.  There are
numerous safeguards in the system - for instance, it is only available
to bodies with good trading histories, and any unauthorised debits are
refunded *by the bank* promptly and with very little hassle**. Presumably
businesses with too many unauthorised debits get the same sanctions as
those with too many credit card chargebacks.

** - well, that's my experience of the refunds anyway.

-- 
David Cantrell | david at cantrell.org.uk | http://www.cantrell.org.uk/david

   Educating this luser would be something to frustrate even the
   unflappable Yoda and make him jam a lightsaber up his arse
   while screaming "praise evil, the Dark Side is your friend!".
                              -- Derek Balling, in the Monastery
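
The two acceptance rules described in the message above, written as a check a mail server could apply to each RCPT TO. This is an added example, not part of the original post: the networks, domains and function names are constructed, and refusing percent-hack, bang-path and source-routed recipients goes beyond the two rules the post states.

```python
import ipaddress

# Constructed policy values (assumptions, not from the original post).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # known-friendly sources
LOCAL_DOMAINS = {"example.org", "mail.example.org"}      # domains we deliver for


def recipient_domain(rcpt):
    """Return the lowercased domain of a plain user@domain address.

    Returns None for anything that asks us to route onward: RFC 822 source
    routes (@hop:user@dest), the percent hack (user%dest@local), UUCP bang
    paths (dest!user@local), or a missing or duplicated '@'.
    """
    addr = rcpt.strip().strip("<>")
    if addr.startswith("@") or addr.count("@") != 1:
        return None
    local_part, domain = addr.split("@")
    if not local_part or not domain or "%" in local_part or "!" in local_part:
        return None
    return domain.lower().rstrip(".")


def relay_decision(client_ip, rcpt):
    """Apply the two rules: trusted source to anywhere, or anyone to us."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "accept: known-friendly source"
    domain = recipient_domain(rcpt)
    if domain is None:
        return "reject: routed or malformed recipient"
    if domain in LOCAL_DOMAINS:
        return "accept: local delivery"
    return "reject: relaying denied"


if __name__ == "__main__":
    # Constructed RCPT TO attempts: (connecting address, recipient).
    for ip, rcpt in [
        ("192.0.2.17", "<friend@example.net>"),
        ("198.51.100.9", "<user@example.org>"),
        ("198.51.100.9", "<someone@example.net>"),
        ("198.51.100.9", "<someone%example.net@example.org>"),
    ]:
        print(ip, rcpt, "->", relay_decision(ip, rcpt))
```

A server that returns "accept" for the third or fourth case is the open relay the message describes.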


