I do agree on Jeroen's comment. Redirecting and doing content inspection is evil.
I've seen a similar case with a nation wide operator in another country. What they did was simply block port 25 except for their own mailserver. This might sound nasty but after all, all swisscom customers should use the bluewin mailserver except if they use some corporate server in which case they for sure want to use SSL and should be able to use the specific SSL port.
I think the most important thing to note is that endusers must know that the connection is limited for a specific reason (fighting spam distribution by customers) and that they can opt out if they have a specific need for it.
On 08.03.2010, at 13:49, Jeroen Massar wrote:
Steven.Glogger@swisscom.com wrote:
Hi everyone
To officially talk about the "mail problems on port 25 with swisscom dsl" I would like to give you some (technical) information.
Thanks for the extensive explanation!
One question there though: do you send a message to all customers actually stating that you are going to do this? Especially the content-inspection part which infringes on the freedom of speech and privacy of the people using your connectivity.
One can't expect them to go to the Swisscom website all the time thus a letter or at least an email is very appropriate.
As for the rest: (short: don't do content inspection) I fully agree with things that a lot of spam will come from DSL etc. BUT the part where you are effectively MITM connections, being judge on what people are allowed or not allowed to send(*) is a really really bad thing.
(* = I for instance send/receive viruses sometimes because I am taking a look at them, not because they are spreading. Same for spam, if you are postmaster@ or abuse@ then you need to look at them if you want to handle them.)
The really worrying part is the connection stealing. When you are able to do that for SMTP and especially as you are doing content inspection there (if you look at it as a person or not does not matter, something is looking at it and interpreting it), then you can also do it for HTTP and any other protocol.
I wonder what crack-pot of a government official will come next to then demand that you actually start doing that for port 80 too and start blocking sites which for instance say "UBS is bad" or "Switzerland sucks" and I don't know what, heck just on the "Host:" header.
Any kind of inspection is a bad thing and will cause some politician to make you do it for every other protocol: HTTP first, DNS later.
Which will in the end mean that the governments control the internets for the general folks and only the technically savvy people will be doing full crypto everywhere which at one point or another will then be banned out, nevertheless it will mean that we will not have a proper internet anymore, quite a shame of the country where WWW was invented.
Will we start to block completely port 25 in the future? No, absolutely not.
I rather have that you actively block port 25 without any inspection and just like you are offering now allow people to request the port to be opened. This avoids the whole legal issue with doing a MITM.
Yes, it will raise the support cost too as customers who are not using SUBMISSION over port 587 as they are supposed to will have problems. But your support folks can point to an easy URL where they can figure that out.
And actually the http://www.swisscom.com/p25 url which points to: http://www.swisscom.ch/res/hilfe/sicherheit/spam25/index.htm Already states that. It does *NOT* state that you are doing content inspection. Please keep it that way.
This method IMHO is pure infringement of privacy.
Please reconsider this setup and just block port 25 instead of doing this inspection.
A last nasty question: how do you guarantee that some person does not get access to the spam-filtering box and then can read along with almost every single email send on the Swisscom network?.... oh my...
Greets, Jeroen
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog