Dear Swinog members
Until now, we provided an authenticated smtp-server for our customers and a separate "open" smtp-server for customers with email-addresses from other providers. We would like to shut down the relaying server and have the customers use the smtp-servers from their mail-provider (gmx, gmail, bluewin etc.).
Now we found out that bluewin doesn't allow authenticated smtp-relay from users outside their ip-range, so all our customers with bluewin-mailaddresses would have no smtp-server available.
I am sure that some of you had the same issue and would be interested in how other (small) ISPs have resolved this problem.
Thank you, Roger Schmid
Roger Schmid wrote:
Dear Swinog members
Until now, we provided an authenticated smtp-server for our customers and a separate "open" smtp-server for customers with email-addresses from other providers. We would like to shut down the relaying server and have the customers use the smtp-servers from their mail-provider (gmx, gmail, bluewin etc.).
Which is the one they should be using unless they are using an authenticated gateway. Note that with the advent of SPF/DKIM etc using a host not inside the authorized set of servers might at one point not be possible anymore.
Now we found out that bluewin doesn't allow authenticated smtp-relay from users outside their ip-range, so all our customers with bluewin-mailaddresses would have no smtp-server available.
I am wondering what your setup is here. Is it:
a) cust-in-your-address-space -> $you -> $bluewin
b) cust-in-bluewin-address-space -> $you -> $bluewin
c) something else ?
Also, if those people are using email provided by BlueWin, why would you be relaying mail for them, with their From, why are they not using the Bluewin mailservers (which I hope do SMTP-AUTH).
I am sure that some of you had the same issue and would be interested in how other (small) ISPs have resolved this problem.
SMTP AUTH doesn't care about what the From/To are. You can perfectly authenticate with the local user/pass for the relay and then allow any From/To combo you want, the user is authenticated anyway.
Also you can even enable having this in the headers, eg:
Received: from [IPv6:2001:41e0:ff42:b00:216:cfff:fe00:e7d0] (spaghetti.ch.unfix.org [IPv6:2001:41e0:ff42:b00:216:cfff:fe00:e7d0])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    (Authenticated sender: jeroen)
    by abaddon.unfix.org (Postfix) with ESMTPSA id 1E5E335A523
    for nanog@nanog.org; Fri, 16 May 2008 19:09:42 +0200 (CEST)
(postfix main.cf: smtpd_sasl_authenticated_header = yes)
Which quite clearly shows that it was me sending mail. This is a good thing btw, as then you can, when an abuse report comes in, easily see who it was, instead of having to find it in the logs and crossmatch message-id's.
Greets, Jeroen
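The abuse-report lookup described in the message above, as an added example that is not part of the original thread: it pulls the SASL login and queue ID out of the Received header that a Postfix relay stamps when smtpd_sasl_authenticated_header = yes. The host names, login names and the sample message are constructed, and the function name is hypothetical.

```python
import re
from email import message_from_string

# Postfix writes "(Authenticated sender: <login>)" into its own Received
# header when smtpd_sasl_authenticated_header = yes.
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
ID_RE = re.compile(r"\bid\s+([A-Za-z0-9]+)")

def submitting_account(raw_message, trusted_hosts):
    """Return (sasl_login, relay_host, queue_id) from the topmost run of
    Received headers stamped by our own relays, or None. Headers are
    prepended, so anything below that run was supplied by the sender."""
    in_run = False
    for value in message_from_string(raw_message).get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        by = BY_RE.search(text)
        ours = bool(by) and by.group(1).lower() in trusted_hosts
        if not ours:
            if in_run:
                break                           # left our infrastructure
            continue                            # hops added after the mail left us
        in_run = True
        auth = AUTH_RE.search(text)
        if auth:
            qid = ID_RE.search(text)
            return auth.group(1), by.group(1).lower(), qid.group(1) if qid else None
    return None

# Constructed sample: the last Received header is forged by the sender.
SAMPLE = """\
Received: from relay.isp.example (relay.isp.example [203.0.113.5])
\tby mx.recipient.example (Postfix) with ESMTP id 9A1B2C3D4E; Fri, 16 May 2008 19:09:45 +0200
Received: from [192.0.2.77] (client.example [192.0.2.77])
\t(Authenticated sender: cust1042)
\tby relay.isp.example (Postfix) with ESMTPSA id 1E5E335A523; Fri, 16 May 2008 19:09:42 +0200
Received: from home (unknown [198.51.100.7]) (Authenticated sender: someone-else)
\tby relay.isp.example (Postfix) with ESMTPSA id 0BADC0FFEE; Fri, 16 May 2008 19:09:40 +0200
From: anyone@other-provider.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(submitting_account(SAMPLE, {"relay.isp.example"}))
```

The whole header block in a forwarded report can be fabricated, so the returned queue ID should still be confirmed against the relay's own mail log before acting on the account.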
Hi Roger,
Now we found out that bluewin doesn't allow authenticated smtp-relay from users outside their ip-range, so all our customers with bluewin-mailaddresses would have no smtp-server available.
That's not entirely correct:
smtpauth.bluewin.ch will relay mails from non-bluewin-ip-ranges IF the mailaccount belongs to a non-free Bluewin/Swisscom 'Abo'.
+-------------------------------------------------------------------------------------------+
| Pay account (= Mailaccount    | - Can use mail.bluewin.ch from bluewin-range              |
| is 'attached' to an ADSL abo  | - Can use smtpauth.bluewin.ch from EVERYWHERE             |
+-------------------------------+-----------------------------------------------------------+
| Free account                  | - Can use mail.bluewin.ch from bluewin-range (of course..)|
|                               | - Can use smtpauth.bluewin.ch from bluewin-range          |
|                               | - Can NOT use smtpauth.bluewin.ch from non-bluewin IPs    |
+-------------------------------+-----------------------------------------------------------+
Otherwise spammers would open 100s of free accounts and use them to send spam from non-bluewin IPs :-/
Regards, Adrian
On Fri, Jun 13, 2008 at 10:13 AM, Adrian Ulrich swinog@blinkenlights.ch wrote:
Hi Roger,
Now we found out that bluewin doesn't allow authenticated smtp-relay from users outside their ip-range, so all our customers with bluewin-mailaddresses would have no smtp-server available.
That's not entirely correct:
smtpauth.bluewin.ch will relay mails from non-bluewin-ip-ranges IF the mailaccount belongs to a non-free Bluewin/Swisscom 'Abo'.
+-------------------------------------------------------------------------------------------+
| Pay account (= Mailaccount    | - Can use mail.bluewin.ch from bluewin-range              |
| is 'attached' to an ADSL abo  | - Can use smtpauth.bluewin.ch from EVERYWHERE             |
+-------------------------------+-----------------------------------------------------------+
| Free account                  | - Can use mail.bluewin.ch from bluewin-range (of course..)|
|                               | - Can use smtpauth.bluewin.ch from bluewin-range          |
|                               | - Can NOT use smtpauth.bluewin.ch from non-bluewin IPs    |
+-------------------------------+-----------------------------------------------------------+
Thank you for clearing this up. So we have to give bluewin-users with free bluewin mail-accounts an smtp-account on our servers I think.
Otherwise spammers would open 100s of free accounts and use them to send spam from non-bluewin IPs :-/
I see the problem, but perhaps something like a captcha would also be sufficient to prevent this.
Regards, Adrian
_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Roger Schmid wrote: [..]
Otherwise spammers would open 100s of free accounts and use them to send spam from non-bluewin IPs :-/
I see the problem, but perhaps something like a captcha would also be sufficient to prevent this.
SMTP-Captcha's? :)
How do you envision that?
Greets, Jeroen
On Fri, Jun 13, 2008 at 10:52 AM, Jeroen Massar jeroen@unfix.org wrote:
Roger Schmid wrote: [..]
Otherwise spammers would open 100s of free accounts and use them to send spam from non-bluewin IPs :-/
I see the problem, but perhaps something like a captcha would also be sufficient to prevent this.
SMTP-Captcha's? :)
;-) www-captcha's, on account-signup.
How do you envision that?
Greets, Jeroen
Roger Schmid wrote:
On Fri, Jun 13, 2008 at 10:52 AM, Jeroen Massar jeroen@unfix.org wrote:
Roger Schmid wrote: [..]
Otherwise spammers would open 100s of free accounts and use them to send spam from non-bluewin IPs :-/
I see the problem, but perhaps something like a captcha would also be sufficient to prevent this.
SMTP-Captcha's? :)
;-) www-captcha's, on account-signup.
Just display the captcha from the signup on $pornsite, a person will fill it in for you, captcha bypassed. If it is interesting and cheap for them to abuse it, they will.
Greets, Jeroen
Jeroen Massar wrote:
Just display the captcha from the signup on $pornsite, a person will fill it in for you, captcha bypassed. If it is interesting and cheap for them to abuse it, they will.
Do you have a current, working example for that? (Just for research purposes, of course) ;-))))
Rainer
Rainer Duffner wrote:
Jeroen Massar wrote:
Just display the captcha from the signup on $pornsite, a person will fill it in for you, captcha bypassed. If it is interesting and cheap for them to abuse it, they will.
Do you have a current, working example for that? (Just for research purposes, of course) ;-))))
Do you mean the sites where they show those pages or example of the code which does this? For the first, the only site that comes close to it is http://www.ipv6experiment.com, but that won't be employing any captcha's, thus I guess you'll just have to google for your dose of 'biology lessons' to research with. For the latter, http://www.php.net, or whatever language you use for your site.
Roger Schmid wrote:
nice idea, didn't occur to me :)
It is what defeats captcha's on a daily basis. Which is why in a captcha one should always include the name or logo of the site in the image, that way the user might realize that they are being used and at least it will be easy to see which service is being abused by the site.
Greets, Jeroen
Hi
Rainer Duffner wrote:
Jeroen Massar wrote: Do you have a current, working example for that? (Just for research purposes, of course) ;-))))
Well, I found an article mentioning the idea: http://www.boingboing.net/2004/01/27/solving-and-creating.html
But it doesn't seem to provide an implementation.
Regards Peter
On Fri, Jun 13, 2008 at 10:58 AM, Jeroen Massar jeroen@unfix.org wrote:
Roger Schmid wrote:
On Fri, Jun 13, 2008 at 10:52 AM, Jeroen Massar jeroen@unfix.org wrote:
Just display the captcha from the signup on $pornsite, a person will fill it in for you, captcha bypassed. If it is interesting and cheap for them to abuse it, they will.
nice idea, didn't occur to me :)
Jeroen Massar writes:
Just display the captcha from the signup on $pornsite, a person will fill it in for you, captcha bypassed. If it is interesting and cheap for them to abuse it, they will.
The approach is mentioned in an excellent talk by Luis von Ahn, who invented the CAPTCHA:
http://video.google.com/videoplay?docid=-8246463980976635143&q=Google+te...
Hi
Jeroen Massar wrote:
Roger Schmid wrote: [..]
Otherwise spammers would open 100s of free accounts and use them to send spam from non-bluewin IPs :-/
I see the problem, but perhaps something like a captcha would also be sufficient to prevent this.
SMTP-Captcha's? :)
I guess he means captchas at the page where you register a free bluewin-account ;-)
But if you give the spammers a real reason to break captchas they will find a way to do it. And then you can run for the next smart thing to do. Giving people an SMTP-Account at some server they pay for anyway is far better.
SPF will, of course, cause you trouble. For that you would need an SMTP-Account at a server *listed in the SPF-record for the domain bluewin.ch*. Since nobody but bluewin themselves can provide that... yeah... you can guess what happens...
Regards Peter
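The SPF problem raised in the message above, as an added example that is not part of the original thread: a receiver checks the connecting relay's IP against the SPF record of the envelope sender's domain, so a third-party relay outside that record fails. The record, addresses and function name below are constructed for illustration and are not bluewin's actual SPF data; only the ip4, ip6 and all terms are evaluated.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_ip_check(record, client_ip):
    """Evaluate the ip4:, ip6: and all terms of an SPF record left to right
    (RFC 7208 ordering) for the connecting relay's IP. Terms that need DNS
    (a, mx, include, exists, ptr, redirect=) raise NotImplementedError."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record
    for term in terms[1:]:
        qualifier = "+"                     # a missing qualifier means pass
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return RESULT[qualifier]
        else:
            raise NotImplementedError(f"{name} needs a DNS lookup")
    return "neutral"                        # no term matched

# Constructed record for a mail provider that lists only its own servers.
PROVIDER_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:100::/48 -all"

if __name__ == "__main__":
    for relay in ("192.0.2.25", "2001:db8:100::25", "198.51.100.25"):
        # 198.51.100.25 stands for a small ISP's relay outside the record
        print(relay, spf_ip_check(PROVIDER_SPF, relay))
```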
Roger Schmid wrote:
On Fri, Jun 13, 2008 at 10:13 AM, Adrian Ulrich swinog@blinkenlights.ch wrote:
Hi Roger,
I see the problem, but perhaps something like a captcha would also be sufficient to prevent this.
I don't think so. Spammers signing up for free accounts is also a "social" problem in that the spammers (or the people they pay) don't have much choice. You can't solve social problems with technology (much as we would like).
Rainer
Hi,
Thank you for clearing this up. So we have to give bluewin-users with free bluewin mail-accounts an smtp-account on our servers I think.
Well, they could call our helpdesk and ask them to disable the 'Restricted IP-Range' feature for a specific mailaccount.
Our helpdesk will disable it as long as:
#1: The user asks us to do it ;-)
#2: His postal-address or telephone-number has been verified
I see the problem, but perhaps something like a captcha would also be sufficient to prevent this.
It wouldn't prevent it, it just makes it harder. (Some spammers don't even use bots to create accounts. Using real people appears to be cheaper sometimes..)
Regards, Adrian
Adrian Ulrich wrote:
I see the problem, but perhaps something like a captcha would also be sufficient to prevent this.
It wouldn't prevent it, it just makes it harder. (Some spammers don't even use bots to create accounts. Using real people appears to be cheaper sometimes..)
It always takes time until you have enough evidence to close an account. First there have to be a couple of spam-runs which are identified as spam (and not just as some newsletters a couple of receivers forgot or weren't aware they ordered it) and then he will, of course, tell you his computer got hijacked etc. Besides that real spammers are normally people you simply don't want to get in contact with. They often answer with endless and pointless pseudo-legal argumentations and a lot of FUD. Even some threats are possible (like "we will watch what you write in the usenet" or "we see that your employer is doing something which might be illegal").
Regards Peter