> On Mon, 10 Aug 2009, Matus UHLAR - fantomas wrote:
>> On 10.08.09 11:07, Charles Gregory wrote:
>>> IMNSHO You shouldn't. You should only allow *your* customers with pop
>>> e-mail accounts on *your* servers to send mail.
>> 1.
>> If more customers send spam from the same IP address without authentication,
>> you can only disable them all, not only the one who really spams.

On 10.08.09 14:56, Charles Gregory wrote:
> Not at all. I know who logs on when, and I can easily disable their  
> access.

I should have made that more clear: If there are more _concurrent_ users on the
same IP (home/office network with NAT), you can only block them all or none
of them. Even if they have separate mailboxes. You need SMTP auth to be able
to block only the spamming one.

>> If a user (accidentally) gets a spamming engine on a computer he does 
>> not use for sending spam, you will get spammed even if user does not 
>> notice nor configure anything.
>
> So far this has seemed less of a risk than having someone use a phished  
> password from a third-party IP. Our user has to have their whole computer 
> compromised, rather than just be tricked into sharing a password.

Don't you even run webmail being accessible from outside your network?

>> If a customer is hosted on your servers and you or he use SPF to  
>> (hopefully) ensure that only he sends mail from his e-mail address, he  
>> _MUST_ use your servers since other ISP _can not_ verify the address  
>> validity and ownership.
>
> A good argument, provided that using SMTP-AUTH does not increase the risk 
> of ruining the reputation of my server.

What I'm saying is that it's much easier to block an authenticated user,
especially if he changes IPs.
  
>> And if you insist on providing e-mail services to any broken computer 
>> in your IP range, instead of supporting your customers roaming 
>> elsewhere, yes, it's sad and stupid.
>
> The two are not really related. I can provide IP-Range services for  
> controlled/monitored IP's, with accountability for possible hackers, and  
> it makes no difference to whether I allow SMTP-AUTH.

I found out that it's much safer to ask everyone to authenticate; it
makes the problem with more-or-less anonymous IP addresses (nearly) disappear.

>> I do not care if that's common in Australia or wherever for 20 years or 
>> so. It's broken design and brings you many more problems you will have  
>> to cope with, when anyone starts spamming through your servers.
>
> Actually, it was advocated strongly in NA too, but times change, and the  
> user population is much more mobile. But I never see "it was always done  
> that way" as *any* sort of argument for how something *should* be done.

I had the feeling reading some posts in this thread :)

>> Relatively rare. We have many more users spamming directly from IP  
>> addresses we haven't started requiring authentication from (the time is 
>> near, just prepare some changes and we'll announce the policy change)  
>> than those spamming through authenticated SMTP.
>
> Hmmmmmm.... Maybe this is the reason the number of phishing spams has 
> been rising? :)

I guess so. Luckily many phishes are detectable by SA or ClamAV.
I think I'll take all phishes that come onto our company's mailboxes and
will try to create some filters...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
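
Added example, not part of the original message: a small log tally showing the attribution point argued above, that users behind one NAT address can only be separated when the log carries an SMTP AUTH identity. The Postfix-style `client=...[ip], sasl_username=...` line format, the user names and all addresses are assumptions constructed for illustration; the thread does not name an MTA.

```python
import re
from collections import Counter, defaultdict

# Assumed Postfix-style smtpd line: client=host[ip], sasl_method=..., sasl_username=...
LINE_RE = re.compile(
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?"
    r"(?:, sasl_username=(?P<user>[^,\s]+))?"
)
UNAUTH = "<unauthenticated>"

def build_sample():
    """Constructed log: three users share NAT 192.0.2.10; 'mallory' also roams."""
    rows = [("192.0.2.10", "alice")] * 3 + [("192.0.2.10", "bob")] * 2
    rows += [("192.0.2.10", "mallory")] * 40 + [("198.51.100.7", "mallory")] * 35
    rows += [("203.0.113.5", None)] * 4  # relayed by IP range, no SMTP AUTH
    lines = []
    for n, (ip, user) in enumerate(rows):
        auth = f", sasl_method=PLAIN, sasl_username={user}" if user else ""
        lines.append(f"Aug 10 14:00:{n % 60:02d} mx postfix/smtpd[101]: "
                     f"Q{n:04X}: client=host[{ip}]{auth}")
    return lines

def tally(lines):
    """Count accepted connections per client IP and per authenticated user."""
    by_ip, by_user, users_on_ip = Counter(), Counter(), defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        user = m["user"] or UNAUTH
        by_ip[m["ip"]] += 1
        by_user[user] += 1
        users_on_ip[m["ip"]].add(user)
    return by_ip, by_user, users_on_ip

def block_plan(lines, threshold=30):
    """Return (accounts to disable, users an IP-level block would also cut off)."""
    by_ip, by_user, users_on_ip = tally(lines)
    accounts = sorted(u for u, c in by_user.items() if c >= threshold and u != UNAUTH)
    collateral = set()
    for ip, count in by_ip.items():
        if count >= threshold:
            collateral |= users_on_ip[ip] - set(accounts)
    return accounts, sorted(collateral)

if __name__ == "__main__":
    accounts, collateral = block_plan(build_sample())
    print("disable accounts:", accounts)
    print("users an IP block would also cut off:", collateral)
```

The per-user count also follows the account across both client addresses, which a per-IP count cannot do.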
