13 Jun
2008
13 Jun
'08
9:35 a.m.
Dear Swinog members
Until now, we provided an authenticated smtp-server for our customers
and a separate "open" smtp-server for customers with email-adresses
from other providers. We would like to shut down the relaying server
and have the customers use the smtp-servers from their mail-provider
(gmx, gmail, bluewin etc.).
Now we found out that bluewin doesn't allow authenticated smtp-relay
from users outside their ip-range, so all our customers with
bluewin-mailadresses would have no smtp-server available.
I am sure that some of you had the same issue and would be interested
how other (small) isp's have resolved this problem.
Thank you,
Roger Schmid
13 Jun
13 Jun
9:44 a.m.
Roger Schmid wrote:
Dear Swinog members
Until now, we provided an authenticated smtp-server for our customers
and a separate "open" smtp-server for customers with email-adresses
from other providers. We would like to shut down the relaying server
and have the customers use the smtp-servers from their mail-provider
(gmx, gmail, bluewin etc.).
Which is the one they should be using unless they are using an
authenticated gateway. Note that with the advent of SPF/DKIM etc using a
host not inside the authorized set of servers might at one point not be
possible anymore.
Now we found out that bluewin doesn't allow
authenticated smtp-relay
from users outside their ip-range, so all our customers with
bluewin-mailadresses would have no smtp-server available.
I am wondering what your setup is here. Is it:
a) cust-in-your-address-space -> $you -> $bluewin
b) cust-in-bluewin-address-space -> $you -> $bluewin
c) something else ?
Also, if those people are using email provided by BlueWin, why would you
be relaying mail for them, with their From, why are they not using the
Bluewin mailservers (which I hope do SMTP-AUTH).
I am sure that some of you had the same issue and
would be interested
how other (small) isp's have resolved this problem.
SMTP AUTH doesn't care about what the From/To are.
You can perfectly authenticate with the local user/pass for the relay
and then allow any From/To combo you want, the user is authenticated anyway.
Also you can even enable having this in the headers, eg:
Received: from [IPv6:2001:41e0:ff42:b00:216:cfff:fe00:e7d0]
(spaghetti.ch.unfix.org [IPv6:2001:41e0:ff42:b00:216:cfff:fe00:e7d0])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested) (Authenticated sender: jeroen)
by abaddon.unfix.org (Postfix) with ESMTPSA id 1E5E335A523
for <nanog(a)nanog.org>rg>; Fri, 16 May 2008 19:09:42 +0200 (CEST)
(postfix main.cf: smtpd_sasl_authenticated_header = yes)
Which quite clearly shows that it was me sending mail. This is a good
thing btw, as then you can, when an abuse report comes in, easily see
who it was, instead of having to find it in the logs and crossmatch
message-id's.
Greets,
Jeroen
10:13 a.m.
Hi Roger,
Now we found out that bluewin doesn't allow
authenticated smtp-relay
from users outside their ip-range, so all our customers with
bluewin-mailadresses would have no smtp-server available.
That's not entirely correct:
smtpauth.bluewin.ch will relay mails from non-bluewin-ip-ranges IF the mailaccount
belongs
to a non-free Bluewin/Swisscom 'Abo'.
+-------------------------------------------------------------------------------------------+
| Pay account (= Mailaccount | - Can use mail.bluewin.ch from bluewin-range
|
| is 'attached' to an ADSL abo | - Can use smtpauth.bluewin.ch from EVERYWHERE
|
+-------------------------------+-----------------------------------------------------------+
| Free account | - Can use mail.bluewin.ch from bluewin-range (of
course..)|
| | - Can use smtpauth.bluewin.ch from bluewin-range
|
| | - Can NOT use smtpauth.bluewin.ch from non-bluewin IPs
|
+-------------------------------+-----------------------------------------------------------+
Otherwise spammers would open 100th's of free accounts and use them to send spam from
non-bluewin IPs :-/
Regards,
Adrian
10:48 a.m.
On Fri, Jun 13, 2008 at 10:13 AM, Adrian Ulrich <swinog(a)blinkenlights.ch> wrote:
Hi Roger,
Thank you for clearing this up. So we have to give bluewin-users with
free bluewin mail-accounts an smtp-account on our servers I think.
Now we found out that bluewin doesn't allow
authenticated smtp-relay
from users outside their ip-range, so all our customers with
bluewin-mailadresses would have no smtp-server available.
That's not entirely correct:
smtpauth.bluewin.ch will relay mails from non-bluewin-ip-ranges IF the mailaccount
belongs
to a non-free Bluewin/Swisscom 'Abo'.
+-------------------------------------------------------------------------------------------+
| Pay account (= Mailaccount | - Can use mail.bluewin.ch from bluewin-range
|
| is 'attached' to an ADSL abo | - Can use smtpauth.bluewin.ch from EVERYWHERE
|
+-------------------------------+-----------------------------------------------------------+
| Free account | - Can use mail.bluewin.ch from bluewin-range (of
course..)|
| | - Can use smtpauth.bluewin.ch from bluewin-range
|
| | - Can NOT use smtpauth.bluewin.ch from non-bluewin IPs
|
+-------------------------------+-----------------------------------------------------------+
Otherwise spammers would open 100th's of free
accounts and use them to send spam from
non-bluewin IPs :-/
I see the problem, but perhaps something like a captcha would also be
sufficient to prevent this.
Regards,
Adrian
_______________________________________________
swinog mailing list
swinog(a)lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
10:52 a.m.
Roger Schmid wrote:
[..]
SMTP-Captcha's? :)
How do you envision that?
Greets,
Jeroen
Otherwise
spammers would open 100th's of free accounts and use them to send spam from
non-bluewin IPs :-/
I see the problem, but perhaps something like a captcha would also be
sufficient to prevent this.
10:55 a.m.
On Fri, Jun 13, 2008 at 10:52 AM, Jeroen Massar <jeroen(a)unfix.org> wrote:
Roger Schmid wrote:
[..]
SMTP-Captcha's? :)
;-) www-captcha's, on account-signup.
Otherwise spammers would open 100th's of free accounts and use them to
send spam from
non-bluewin IPs :-/
I see the problem, but perhaps something like a captcha would also be
sufficient to prevent this.
How do you envision that?
Greets,
Jeroen
_______________________________________________
swinog mailing list
swinog(a)lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
10:58 a.m.
Roger Schmid wrote:
On Fri, Jun 13, 2008 at 10:52 AM, Jeroen Massar
<jeroen(a)unfix.org> wrote:
Just display the captcha from the signup on $pornsite, a person will
fill it in for you, captcha bypassed. If it is interesting and cheap for
then to abuse it, they will.
Greets,
Jeroen
Roger Schmid wrote:
[..]
SMTP-Captcha's? :)
;-) www-captcha's, on account-signup. Otherwise
spammers would open 100th's of free accounts and use them to
send spam from
non-bluewin IPs :-/
I see the problem, but perhaps something like a captcha would
also be
sufficient to prevent this. 
11:03 a.m.
Jeroen Massar schrieb:
Just display the captcha from the signup on $pornsite, a person will
fill it in for you, captcha bypassed. If it is interesting and cheap
for then to abuse it, they will.
Do you have a current, working example for that?
(Just for research purposes, of course)
;-))))
Rainer
11:12 a.m.
Rainer Duffner wrote:
Jeroen Massar schrieb:
Do you mean the sites where they show those pages or example of the code
which does this? For the first, the only site that comes close to it is
http://www.ipv6experiment.com, but that won't be employing any
captcha's, thus I guess you'll just have to google for your dose of
'biology lessons' to research with. For the latter, http://www.php.net,
or whatever language you use for your site.
Roger Schmid wrote:
Just display the captcha from the signup on $pornsite, a person will
fill it in for you, captcha bypassed. If it is interesting and cheap
for then to abuse it, they will.
Do you have a current, working example for that?
(Just for research purposes, of course)
;-)))) nice idea, didn't think occur to me :)
It is what defeats captcha's on daily basis. Which is why in a captcha
one should always include the name or logo of the site in the image,
that way the user might realize that they are being used and at least it
will be easy to see which service is being abused by the site.
Greets,
Jeroen
11:13 a.m.
Hi
Rainer Duffner schrieb:
Jeroen Massar schrieb:
Do you have a current, working example for that?
(Just for research purposes, of course)
;-))))
Well, I found an article mentioning the idea:
http://www.boingboing.net/2004/01/27/solving-and-creating.html
But it doesn't seem to provide an implementation.
Regards
Peter
11:03 a.m.
On Fri, Jun 13, 2008 at 10:58 AM, Jeroen Massar <jeroen(a)unfix.org> wrote:
Roger Schmid wrote:
>
> On Fri, Jun 13, 2008 at 10:52 AM, Jeroen Massar <jeroen(a)unfix.org> wrote:
Just display the captcha from the signup on $pornsite, a person will fill it
in for you, captcha bypassed. If it is interesting and cheap for then to
abuse it, they will.
nice idea, didn't think occur to me :)
5:05 p.m.
Jeroen Massar writes:
Just display the captcha from the signup on $pornsite,
a person will
fill it in for you, captcha bypassed. If it is interesting and cheap
for then to abuse it, they will.
The approach is mentioned in an excellent talk by Louis von Ahn, who
invented the CAPTCHA:
http://video.google.com/videoplay?docid=-8246463980976635143&q=Google+t…
--
Simon.
11:03 a.m.
Hi
Jeroen Massar schrieb:
Roger Schmid wrote:
[..]
SMTP-Captcha's? :)
I guess he means captchas at the page where you register a free
bluewin-account ;-)
But if you give the spammers a real reason to break captchas they will
find a way to do it. And then you can run for the next smart thing to
do. Giving people an SMTP-Account at some server they pay for anyway is
far better.
SPF will, of course, cause you trouble. For that you would need an
SMTP-Account at a server *listet in the SPF-record for the domain
bluewin.ch*. Since nobody but bluewin themselves can provide that...
yeah... you can guess what happens...
Regards
Peter
Otherwise
spammers would open 100th's of free accounts and use them
to send spam from
non-bluewin IPs :-/
I see the problem, but perhaps something like a captcha would also be
sufficient to prevent this.
10:57 a.m.
Roger Schmid schrieb:
On Fri, Jun 13, 2008 at 10:13 AM, Adrian Ulrich
<swinog(a)blinkenlights.ch> wrote:
I don't think so.
Spammer signing up for free accounts is also a "social" problem in that
the spammers (or the people they pay) don't have much choice.
You can't solve social problems with technology (much as we would like).
Rainer
Hi Roger,
I see the problem, but perhaps something like a captcha would also be
sufficient to prevent this.
11:48 a.m.
Hi,
Thank you for clearing this up. So we have to give
bluewin-users with
free bluewin mail-accounts an smtp-account on our servers I think.
Well, they could call our helpdesk and ask them to disable the
'Restricted IP-Range' feature for a specific mailaccount.
Our helpdesk will disable it as long as:
#1: The user asks us to do it ;-)
#2: His postal-address or telephone-number has been verified
I see the problem, but perhaps something like a
captcha would also be
sufficient to prevent this.
It wouldn't prevent it, it just makes it harder. (Some spammers don't even use
bots to create accounts. Using real people appears to be cheaper sometimes..)
Regards,
Adrian
1:57 p.m.
Adrian Ulrich schrieb:
It always takes time until you have enough evidence to close an account.
First there have to be a couple of spam-runs which are identified as
spam (and not just as some newsletters a couple of recievers forgot or
weren't aware they ordered it) and then he will, of course, tell you his
computer got hijacked etc. Besides that real spammers are normally
people you simply don't want to get in contact with. They often answer
with endless and pointless pseudo-legal argumentations and a lot of FUD.
Even some threats are possible (like "we will watch what you write in
the usenet" or "we see that your employer is doing something which might
be illegal").
Regards
Peter
I see the
problem, but perhaps something like a captcha would also be
sufficient to prevent this.
It wouldn't prevent it, it just makes it harder. (Some spammers don't even use
bots to create accounts. Using real people appears to be cheaper sometimes..)
5471
days inactive
5471
days old
15 comments
6 participants
participants (6)
-
Adrian Ulrich -
Jeroen Massar -
Peter Guhl Listenempfänger -
Rainer Duffner -
Roger Schmid -
Simon Leinen