On Mon, 10 Aug 2009, Matus UHLAR - fantomas wrote:
On 10.08.09 11:07, Charles Gregory wrote:
IMNSHO You shouldn't. You should only allow *your* customers with pop
e-mail accounts on *your* servers to send mail.
1.
If more customers send spam from the same IP address without authentication,
you only can disable them all, not only the one who really spams.
Not at all. I know who logs on when, and I can easily disable their
access.
If a user (accidentally) gets a spamming engine on computer he does not
use for sending spam, you will get spammed even if user does not notice
nor configure anything.
So far this has seemed less of a risk than having someone use a phished
password from a third-party IP. Our user has to have their whole computer
compromised, rather than just be tricked into sharing a password.
If a customer uses your mailboxes, it is your customer no matter where he
connects from.
Correct.
If a customer with a notebook, PDA or whatever connects through a different
company, he should not be required to change SMTP server.
"Should" is debatable. All a question of which option is most secure
versus the corresponding (in)convenience.
If a customer is hosted on your servers and you or he use SPF to
(hopefully) ensure that only he sends mail from his e-mail address, he
_MUST_ use your servers since other ISP _can not_ verify the address
validity and ownership.
A good argument, provided that using SMTP-AUTH does not increase the risk
of ruining the reputation of my server.
Requiring of changing SMTP servers with changed connection is anything
but _not_ smooth operations.
(nod) A nuisance that makes me seriously consider SMTP-AUTH.
And if you insist on providing e-mail services to any broken computer in
your IP range, instead of supporting your customers roaming elsewhere,
yes, it's sad and stupid.
The two are not really related. I can provide IP-Range services for
controlled/monitored IP's, with accountability for possible hackers, and
it makes no difference to whether I allow SMTP-AUTH.
I do not care if that's common in Australia or wherever for 20 years or
so. It's broken design and brings you many more problems you will have
to cope with, when anyone starts spamming through your servers.
Actually, it was advocated strongly in NA too, but times change, and the
user population is much more mobile. But I never see "it was always done
that way" as *any* sort of argument for how something *should* be done.
Relatively rare. We have many more users spamming directly from IP
addresses we haven't started requiring authentication from (the time is
near, just prepare some changes and we'll announce the policy change)
than those spamming through authenticated SMTP.
Hmmmmmm.... Maybe this is the reason the number of phishing spams has been
rising? :)
- C