Fun new policy at AOL

Technically no, There is no reason for a customer to have direct access to the net so long as the ISP can provide appropriate proxies for the services required.
It gets complex, it gets hard to manage but it can be done. There is a stigma against proxing because of the early days when stale content was all over the place. Does a dynamically assigned dialup/DSL user even need a valid routable IP? For games? Maybe games should be more NAT friendly.

We do remove the filters for customers that have a valid need and show that they have a clue out it all works.

-Matt

Matthew Crocker wrote:

Technically no, There is no reason for a customer to have direct access to the net so long as the ISP can provide appropriate proxies for the services required.
It gets complex, it gets hard to manage but it can be done. There is a stigma against proxing because of the early days when stale content was all over the place. Does a dynamically assigned dialup/DSL user even need a valid routable IP? For games? Maybe games should be more NAT friendly.

How many ISPs actively provide ALG�s for the 50% of their traffic which consists of the
peer2peer applications? Or is the most popular "killer app" not a required service?

RIAA & friends would love you if you declared HTTP the only allowed protocol. Would
also give a boost to the applications implementing IP over HTTP.

Pete

Only a few problem here:

1) Bootstrapping it - as long as you need to accept legacy SMTP because
less than 90% of the mail is being done the new way, you have a hard sell
in getting anybody to go to the effort of buying in.

2) Feel free in working out arrangements with 4,000 other ISPs, or getting
stuck with a provider. You thought it sucked trying to get a route announced
for multihoming, this is going to be a lot worse.

3) Go read up on why ADMD/PRMD sucked in X.400 (hint - see (2)).

Shouldn't customers that purchase IP services from an ISP use the ISPs
mail server as a smart host for outbound mail? We block outbound port

For some, sure. Maybe even most. That doesn't mean all. Are you a
fairly small, perhaps boutique, provider? Such players have very
different rules than ones with more than one kind of customer.

25 connections on our dialup and DSL pool. We ask our customers that
have their own mail servers to configure them to forward through our
mail servers. We get SPAM/abuse notifications that way and can kick

Asking is one thing, forcing is another. Giving the option but leaving
the choice entirely up to the customer's discretion is yet another.
Giving a default, but allowing customers to request exceptions, with
reasonably automated tests to verify they can handle it... well, you get
the idea.

You get SPAM/abuse notifications without diverting all mail through you.
You need to investigate either way (unless you trust unknown third parties
more than your own customers), which still doesn't require all mail to
pass through your server.

the customer off the network. We also block inbound port 25
connections unless they are coming from our mail server and require the
customer setup their MX record to forward through our mail server. We
virus scan all mail coming and going that way. We protect our
customers from the network and our network from our customers. We are
currently blocking over 3k Sobigs/hour on our mail servers. I would
rather have that then all my bandwidth eaten up by Sobig on all of my
dialup/DSL connections.

Do you also limit your customers' use of web traffic? Bandwidth, at
the end of the day, is still bandwidth. Having it all eaten up is a
problem, but not enough justification to take away all choice. Your
own border shouldn't be that much greater than the aggregate total
of your customers, should it? That'd be bandwidth you pay a lot for
and can't use. Usual model would suggest your downstream customers
represent some value more bandwidth from you than your incoming server
could get, or perhaps 1:1.

What if I have my own virus scanner? What if your mail server is too
slow because all those scans chew up a lot more resources than my own
traffic on my server will? What size attachments do you allow? What
spam filters do you run; do they account for sender IP in the same
probability weighting that mine does? Even per-user configuration of
filters like Postini represents a reduction in choice that may not
fly with all customers, particularly small and home busineses. Finding
solutions that account for the broadest number of cases is useful.

If you provide a server architecture doc the way I can expect to see
line topo docs, then maybe I'll trust you to get it right, or maybe not.
Expecting to tell customers, "I know how to run an email server better
than you," doesn't fly in this age of bonehead ISPs, at least not for
a lot of us/them. Perhaps you do the former; if so, please let me know if
you provide service in the San Francisc/Sillycon Valley area, as our
choices in home/small pipe have declined quite a bit these years. =)

SMTP & DNS should be run through the servers provided by the ISP for
the exact purpose. There is no valid reason for a dialup customer to
go direct to root-servers.net and there is no reason why a dialup user
should be sending mail directly to AOL, or any mail server for that
matter (besides their host ISP)

Let's back up. It's entirely possible, even probable, that any ISP I
go to will provide good Internet (pipe) and bad Service (protocols),
or vice-versa. If they're good pipe, I can setup my own server, and
have everything I need. Providing reliable and high-rate connectivity
does not mean I trust you, or anyone else, to run an extra man in the
middle. You, of course, are not required to trust your customers, and
your policy will self-select out the ones who disagree, but suggesting
it's applicable in enough cases to be a general standard misses the
point.

I can think of a number of businesses (including some who are fairly well
known in email software, services, etc) who came up with the use of DSL
as a server home. They may not rely on it for their primary bandwidth
(which would probably be foolish), but particularly for things like DNS
and SMTP, both of which provide for multiple addresses and locations,
could sanely choose to maintain secondary servers over a completely
isolated alternate pipe. Remember, BGP fails, ISPs fail, T1 cards fail,
routers fail, etc. Having that last "home" DSL connection may just save
some companies from going totally unreachable at times. That's worth
$79.99/month in many books.

There is a perfectly good reason for direct access: We buy IP
connectivity. We don't buy {list of specific applications} connectivity.
If I create a new network application, how many ISPs are going to sit
there and create a new proxy so it will work? Even on the outside chance
that I could talk my own ISP into it since I pay them, it's not going to
be a very useful app if one of the prerequisites is "must be a customer
of ISP X".

-c

In article <BF09F282-D970-11D7-828E-000A956885D4@crocker.com>, Matthew
Crocker <matthew@crocker.com> writes

Everything is logged

I have some policemen friends who will immediately add you to their Xmas
card list!

In article <4236FCAF-D971-11D7-828E-000A956885D4@crocker.com>, Matthew
Crocker <matthew@crocker.com> writes

There is no reason for a customer to have direct access to the net

Unless that's what they thought "Internet Access" was all about

so long as
the ISP can provide appropriate proxies for the services required.
It gets complex, it gets hard to manage

And why do we know this? Because people doing this aren't 100%
successful at it.

Not to mention all the reconfiguration issues as the customer moves from
provider to provider. Either when they fall out with the provider (which
gives him every incentive to assist the departing customer ... not) or
if they are a mobile user (I often hop daily between approximately three
providers).

How does this sound for a new mail distribution network.

Only a few problem here:

1) Bootstrapping it - as long as you need to accept legacy SMTP because
less than 90% of the mail is being done the new way, you have a hard sell
in getting anybody to go to the effort of buying in.

Play with DNS MX records like QMTP does.

Something like

crocker.com IN MX 65000 trusted-mx.crocker.com # Trusted connections are tried first
        IN MX 66000 untrusted-mx.crocker.com # untrusted are tried second.

untrusted-mx.crocker.com accepts mail from everyone just as regular SMTP works today.
trusted-mx.crocker.com uses DNSRTTL (Real Time Trust List) to only accept connections from IPs it trusts.
ISP runs an internal DNSRTTL list and/or there is a Internet wide list of trusted ISPs

sending mail server knows the rules, attempts to connect on trusted-mx.crocker.com If accepted it uses its private key to sign a message. If not, resort to the untrusted-mx.crocker.com host
trusted-mx.crocker.com looks up the IP in its RTTL (Real Time Trust List), accepts the connection and using DNS pulls the public key of the sending mail server.
trusted-mx.crocker.com validates the signed message using the public key and accepts the mail.

Current SMTP traffic (untrusted) tries to connect to trusted-mx.crocker.com which rejects the connection so it tries the next higher MX record (untrusted-mx.crocker.com)

You could have several RTTLs on the network maintained by certain people (Paul Vixie ??, AOL, etc). ISPs can use their own and/or one of the Internet ones.
ISPs need to request access to an RTTL by the maintainer and needs to meet requirements of that RTTL. Each RTTL could have different/more strict rules to gain access.

As more and more ISPs join the RTTLs more traffic is handled by the trusted mail servers. ISPs can file a formal complaint if spam is coming in from a trusted source. They can either block them internally or petition to have them removed from the RTTL. ISP always has the option of not using a specific RTTL and forces the traffic back to untrusted.

The untrusted mail server starts getting less and less traffic. More and more messages are marked as SPAM/auto deleted. Untrusted is always available but starts off with a very high spam score. ISP customers can choose to accept mail from untrusted mail servers if they want with some easy procmail scripts (if Recieved by header has untrusted-mx.crocker.com, put in SPAM folder)

All of the technology is in place today. Just need to reverse the RBL to become an RTTL

Maybe I should write up an IETF-draft. Anyone want to help me with that?

Seems pretty simple to me, It can be implemented today without affecting existing mail servers.

2) Feel free in working out arrangements with 4,000 other ISPs, or getting
stuck with a provider. You thought it sucked trying to get a route announced
for multihoming, this is going to be a lot worse.

No need to do that. Just establish a couple RTTLs and have ISPs register/validate themselves with the RTTL. Once in the RTTL they would be trusted by everyone using the RTTL. Access to an RTTL requires that the ISP meet certain specifications. Develop a '10 commandments of mail serving'.

1. Thou shall not relay
2. Thou shall not distribute viruses more than 1 day old
3. Thou shall not distribute UCE
4. Thou shall not covet thy neighbors mail server

...

Shouldn't. There are privacy implications of having mail to be recorded
(even temporarily) at someone's disk drive.

--vadim

Shouldn't customers that purchase IP services from an ISP use the ISPs
mail server as a smart host for outbound mail?

Shouldn't. There are privacy implications of having mail to be recorded
(even temporarily) at someone's disk drive.

If your ISP violates your privacy or has a privacy policy you don't like, find another one.
If your ISP doesn't allow your domain through, attachments of a certain size or quantity of RCPT TOs, find another one.
If the ISP is too restrictive you can't do what you want, find another one
If the ISP isn't restrictive and your IP gets black holed because of another customer, find another one.
The market will decide what is acceptable.

I filter a chunk of stuff for my users. It is a service to help protect them as well as me. If they ask for and appear to have a clue I will remove filters for customers. I'll never force them to do it 'my way or the highway' but by default customers are filtered. 99% of them are happy that I am doing it and think it is a good thing. 1% call and I remove the filters. Simple RADIUS update and they are back to full, unfiltered Internet. I do this on all my dialup, DSL, dedicated circuits. Everything is built from either LDAP or RADIUS (which comes from LDAP anyway) information about the customer. Pull down menu to select/deselect a filter and reconnect. It isn't all that hard and for 99% of my customers I am saving myself a ton of work in the long run.

I'm not huge by any stretch of the imagination but I'm pretty good sized for my area. I think my current network design/management could easily scale to the 100's of thousands and/or millions of customers. I'm in the 10's of thousands now.

-Matt

Play with DNS MX records like QMTP does.

Something like

crocker.com. MX 65000 trusted-mx.crocker.com.
    MX 66000 untrusted-mx.crocker.com.

there are at least two problems with this approach. one is that an mx
priority is a 16 bit unsigned integer, not like your example. another
is that spammers do not follow the MX protocol, they deliberately dump
on higher cost relays in order to make the victim's own inbounds carry
more of the total workload of delivery. (additionally, many hosts do
more spam filtering on their lower cost MX's than on their higher cost
(backup?) MX's, and the spammers know this, and take advantage of it.)

How do I know that?

As a hobby, I'm running a community site for an often misunderstood
sexual/lifestyle minority. Most of patrons would be very unhappy if there
was an uncontrolled record of their affiliation with the community (such
as mail logs) - they may trust me, but not some anonymous tech at the ISP!

So, no third-party SMTP relays for me.

--vadim

In article <86792543-D982-11D7-828E-000A956885D4@crocker.com>, Matthew
Crocker <matthew@crocker.com> writes

If your ISP ... <does a bad thing> ... find another one.

Great in theory, but the market is imperfect. Even if money (and the
loss you'd incur from terminating your current ISP early) isn't the main
issue. Many countries, even those with de-regulated comms markets, don't
have a very wide choice. Ask for something a bit out of the ordinary
(like a dial-up account with static IP), and the choice is reduced even
further.

That's why we must encourage all ISPSs to be good guys, because we don't
want Government Regulators setting standards in these areas, do we?

Matthew Crocker wrote:

Shouldn't customers that purchase IP services from an ISP use
the ISPs
mail server as a smart host for outbound mail?

Look carefully at that question and find the logic error.

.......

In case you missed it, the customer purchased 'IP' service, not 'ISP mail
service'.

We block outbound port
25 connections on our dialup and DSL pool. We ask our customers that
have their own mail servers to configure them to forward through our
mail servers. We get SPAM/abuse notifications that way and can kick
the customer off the network. We also block inbound port 25
connections unless they are coming from our mail server and
require the
customer setup their MX record to forward through our mail
server. We
virus scan all mail coming and going that way. We protect our
customers from the network and our network from our
customers. We are
currently blocking over 3k Sobigs/hour on our mail servers. I would
rather have that then all my bandwidth eaten up by Sobig on all of my
dialup/DSL connections.

Running a walled garden is fine as long as that is what your customers are
signing up for. One question though, why aren't you also running a web proxy
and NetNanny to protect your customers from the 'bad' content on port 80?
What makes port 25 so special?

SMTP & DNS should be run through the servers provided by the ISP for
the exact purpose. There is no valid reason for a dialup customer to
go direct to root-servers.net and there is no reason why a
dialup user
should be sending mail directly to AOL, or any mail server for that
matter (besides their host ISP)

This line of thinking leads us to a cabal that has complete control over
communication. Think about it, a few large organizations allow/encourage
abuse, then claim that the only resolution to the abuse is to route all
communication through the centrally controlled servers. We end up back in
the PTT style monopolies where censorship becomes trivial.

Tony

That's why we must encourage all ISPSs to be good guys, because we don't
want Government Regulators setting standards in these areas, do we?

if recent activity in the VoIP market is any indication, then we here
won't have much input as to when and how the ISP market gets regulated.

If the customer is purchasing IP only service, then they need to either purchase the *right* kind of IP service to operate their own ISP services off that connection, or they need to purchase ISP services from another vendor and then use that vendor's smarthost. If the company they purchase IP services from blocks outbound port 25 except to their own smarthost, then the customer needs to buy ISP services from a vendor who offers mail services on an alternate port, or use the IP provider's smarthost. This is not rocket science here.

The days of "I'm not an ISP but I play one on my residential-service dynamically allocated IP connection to the Internet" are over, just as the days of open relays are over. Adjust, adapt, and move on.

jc

Mike Tancsa wrote:

>WTF. This IP is NOT dynamic. The client has had it for about two years.

What is the IP address they are rejecting ?

> Unless AOL is downloading the
>entire routing pools from all ISPs on a daily basis, how do they know
>which IPs are dynamic and which are static;)

What would BGP tables tell you about internal routing and DNS ?

         ---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

It's 216.161.123.79

IP does match forward and reverse.

As a few others have mentioned, the mail server behind their firewall is
handling outbound mail only. It pops their inbound mail from another
source. We've chosen this solution due to how their membership database
is integrated with the address books in their Exchange server and due to
the limitations that their mail service provider has put on them--not to
mention the
fact that their mail service provider has been unstable in the past for
sending. Internet service provided is great, they just can't do mail
well.

I've got an external server I can relay through if need be--and since
their IP _IS_ static, it's not really a problem. It just ticks me off
because I know there are a lot of others who will be in this boat.

Does the IP address of your client's SMTP server have a reverse DNS entry
(PTR record) assigned to it?

It seems to be a new "best practice" to not accept e-mail from an IP address
that doesn't have a PTR record assigned. Furthermore, if those PTR records
indicate anything like "dial" "dns" "cable" then more 'strict' policies tend
to reject them.

If you can't get your upstream to modify the PTR records to your
specifications (or delegate the block to you) then another way around this
would be to configure your client's SMTP server to forward to the provider's
"smart host" (e.g. a SMTP relay server with a known address and appropriate
PTR record configured to accept relay traffic from customer IP's). Not the
most elegant but a serviceable workaround none the less.

HTH

Ben

If one ISP (Demon has been mentioned) has the ability for end users on static
IPs to smtp to other major ISPs (AOL has been mentioned) but lots of other ISPs
cant send mail from end users to these major ISPs .. arent these major ISPs
producing an anti-competitive market?

Steve

If they are creating lists by regex / name analysis

79.123.161.216.in-addr.arpa name = ddslppp79.desm.uswest.net

looks awfully 'dynamic'/pool like... If AOL wants to do something so shotgun like, thats their prerogative. But apart from examining the name, there is no way to tell that that IP address is being assigned to the same customer.

         ---Mike