An ISP mail server should not be able to proxy emails for non-ISP addresses. And you should be able to route a mail message via the messaging service of your choice. What I am saying is that you should not do this via SMTP. Use SSL or a VPN or a private authenticated port (an external mail service should provide one of these options).
A mailserver should have two sides - an internal public (and/or external private) interface for outgoing mail and an external public interface for incoming mail. If a mailserver on the internet accepts mail on an external public interface and reroutes it back out to the internet it is an Open Mail relay and will be abused by spammers. Mail servers like this end up on blocklists. I am pretty sure that IBM employees working outside the IBM network have to use VPN software to establish a connection to the IBM network before they can send email via the internal public interface of the IBM mail server. This is the case in the UK - someone I know works for IBM and I have helped him config and test his home network.
My own ISP-connected domain email is routed via DynDNS.org Outbound Mailhop Service - this uses a non-SMTP port that is authenticated - my home server routes all outgoing mail via this connection - no ISP mailserver required. I pay for this service, and it is very reliable. It stops other people (AOL, BT) from blocking my SMTP connections because it is using a dynamic ISP-supplied IP address. And I don’t blame them for rejecting this email. I wish more email servers did this.
This does not affect Webmail systems - they use HTTP/HTTPS for everything and can’t be abused in the way SMTP can. I can use my webmail from anywhere, and I can use a Thunderbird and a VPN from my laptop. Easy and secure.
The first option is realistic, and scalable, and does not actually break any RFCs - the second is not.
I like idealism - I really do. But the Internet is being abused by people who take advantage of the ideals. And ISPs already restrict these ideals significantly for practical and economic reasons (as noted, Bittorrent and p2p traffic restrictions). Spam and botnets cause huge problems now, and will get worse. I get emails from a friend 3 days to a week after they send it - because their ISP mailserver is bogged down, probably with spam - and this spam is generated by compromised PCs. So this is the easiest target, and the least damaging solution.
This is, without a doubt, the best idea I’ve read on this board in a long time.
I completely agree that for casual users, all email is default routed thru the ISP on port 25. No casual user is setting up port 25 SMTP transfers to a server outside their ISP, and although Si is speaking for the UK, I can assure you that corporate users in the US who do this (e.g. logging in to work from home) routinely do this via a virtual private network. This leaves a small class of legitimate individuals who may need to send mail messages directly to an external server (and these folks know what they’re doing, so they can figure out how to use a different port than the mail standard or be charged a nominal fee for the service), and the spammers, who are basically robbing personal resources (not only by clogging my inbox but by hijacking someone’s personal PC to send this garbage) and abusing the spirit of the RFCs.
The idea is so good, in fact, that the only reason my ISP (YahooDSL) hasn’t done it is that none of their subscribers is asking for it (they are obviously already doing something similar to block folks who use illegal music-trading services). I have just sent an email to my ISP’s tech assistance, and I urge everyone here to do the same.
Thanks, that explains it better. So you’re saying an ISP’s mailserver will:
a) Accept outgoing mail provided it was generated internally and it will forward this mail on to the next server. Presumably identifying internal mail is based on network topology and not IP address. So if an SMTP packet comes in on a certain set of interfaces, then they are internal.
b) Accept incoming mail from any location provided it is destined for an internal address. Identifying internal addresses here would just be done by IP address.
So that is how you lock down the ISP’s mailserver and prevent the server from being a relay, but my question was how do you lock down off-ramp SMTP traffic so that no one in the ISP’s control would be a mail relay?
The simple case would be to block all traffic on that port provided it doesn’t come from the ISP’s mailserver. This would be to filter by putting the mailserver on the edge of the network. But my question about IBM is not about an individual user, but that for one of their offices, IBM has an ISP and an IBM mailserver sitting in the address space served by that ISP. When the IBM mailserver goes to fire off an email to Microsoft, how does it do this? If the ISP is filtering outgoing SMTP traffic, then the IBM traffic would get dropped. Unless they added an additional IBM mailserver filter. Or another option would be for IBM’s mail to go through the ISP’s mailserver so that it could go off-ramp. Adding filters or proxying are the parts that I don’t think are scalable.
Sorry if I am missing something fundamental. It seems like this solution would work well if an ISP is just a cloud of home users and you simply eliminate their ability to send SMTP on port 25. Maybe you’re suggesting that ISPs divide their networks into residential and enterprise networks. Your filter rules as outlined would apply to the residential side, but not to the enterprise? Maybe even this division already exists at most ISPs and you are just considering the residential side?
I’ve thought for a while that something that could probably cut down a lot of problems would be encryption. One of the most basic encryption tools is a digital signature. We commonly use digital certificates to vet websites but digital signatures could easily be used to establish sender identity surety. If everyone used encryption to sign their mail, and everyone used an address book of digital signatures from known parties to screen their mail, it would cut down on a lot of the spam since spammers could be reasonably sure that few people would even see their message if it wasn’t signed by a known party. Site spoofing is well known and guarded against reasonably well by most browsers. Even Netscape back in the day supported digital certificates. A similar awareness campaign and drive for industry standard mail encryption/signing would probably be similarly successful.
Digital signatures create a de facto processor burden on the spammer (as an earlier poster suggested) since generating a large number of them would take up resources at best, and might be practically unworkable for spammers at worst. It would give ISPs and users tools for screening messages, with an ID tag that is independent of IP address and ostensible sender and very difficult or practically impossible to fake. With optional expiration dates and unique session keys appended to messages it could pinpoint where the mail was compromised, exactly what agency leaked/sold the address and when. It would also (again, like an earlier poster mentioned) invalidate communications channels past a user-defined time period. I’m frankly surprised that encryption hasn’t already been used more widely for these purposes.
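The screening idea in the two paragraphs above (sign every message, keep an address book of known senders' keys, and quarantine anything not verifiably signed by a known party), as an added example that is not code from any poster in this thread. It uses Go's standard-library Ed25519 and binds the claimed sender address into the signed data so that a message cannot be re-labelled as coming from someone else; the addresses, keys and message bodies are constructed for the example, and the `Screen` verdict strings are an assumption of this example only. Note that Ed25519 signing is cheap, so this demonstrates the identity check, not the processor-burden argument.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMail is a message with a detached signature (constructed format for this example).
type SignedMail struct {
	From      string
	Body      []byte
	Signature []byte
}

// AddressBook maps known sender addresses to the public keys the recipient trusts for them.
type AddressBook map[string]ed25519.PublicKey

// GenerateSender makes a fresh keypair for a sender (constructed for the example).
func GenerateSender() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedBytes binds the From address to the body so a valid signature cannot
// be reused under a different sender name.
func signedBytes(from string, body []byte) []byte {
	return append([]byte(from+"\n"), body...)
}

// Sign produces the detached signature with the sender's private key.
func Sign(from string, body []byte, priv ed25519.PrivateKey) SignedMail {
	return SignedMail{From: from, Body: body, Signature: ed25519.Sign(priv, signedBytes(from, body))}
}

// Screen returns "deliver" only when the message verifies under the key the
// address book holds for its claimed sender; unknown senders, bad signatures
// and tampered bodies all land in "quarantine".
func Screen(m SignedMail, book AddressBook) string {
	pub, known := book[m.From]
	if !known {
		return "quarantine"
	}
	if !ed25519.Verify(pub, signedBytes(m.From, m.Body), m.Signature) {
		return "quarantine"
	}
	return "deliver"
}

func main() {
	alicePub, alicePriv, err := GenerateSender()
	if err != nil {
		panic(err)
	}
	_, mallorPriv, _ := GenerateSender() // a key nobody in the address book trusts

	book := AddressBook{"alice@example.com": alicePub}

	genuine := Sign("alice@example.com", []byte("lunch at noon?"), alicePriv)
	spoofed := Sign("alice@example.com", []byte("buy now!"), mallorPriv)
	unknown := Sign("mallory@example.org", []byte("buy now!"), mallorPriv)

	fmt.Println("genuine:", Screen(genuine, book))
	fmt.Println("spoofed:", Screen(spoofed, book))
	fmt.Println("unknown:", Screen(unknown, book))
}
```

The address book is the whole policy: whoever is not in it is not delivered, which is why the earlier paragraph compares it to the certificate store a browser uses for sites.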
Correct. In general, the IP address defines topology. A packet should not be able to reach the internal interfaces from anywhere but inside the network. ISPs should also [new rant] be stopping packets with spoofed source addresses.[/new rant]
For incoming mail, the email address is the only thing that matters. The only place that requires an IP address for email is when a sending server says “I have an email for joe@xxxx.com. Where do I send emails for xxxx.com?” Once it has that IP address, it sends the message. The email server is the endpoint for emails, and customers pick up emails from there (there may be forwarding to multiple internal servers, and hosted domains, but it is all done on the email address).
There is a distinction between ISP hosting and residential users, and I was considering residential home users when talking about spam botnets (because it is residential PCs that are used to send spam - a compromised server is a point source, easy to spot and stop). When an ISP directly hosts a server or supplies a fixed IP address (or address space) it will reside on a different internal IP subnet to the residential addresses. This allows different rules. That said, the ISP should be evaluating the setup of client equipment to ensure that it is securely configured, just as backbone providers should be looking at their clients (ISPs and big corps) too. In terms of manageability and scalability, a big ISP has lots of routers, proxies, traffic shapers and firewalls to manage, and tools to automate that configuration. If they can detect and restrict p2p traffic and heavy users, they can stop unneeded SMTP traffic.
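The relay rules the thread converges on (the "two sides" of a mail server in the first post, points a) and b) in the question, and the confirmation just above) as an added example, not code from any poster or from any real mail server: mail for a hosted domain is accepted from anywhere; mail for any other domain is relayed only when the client is on an internal network or has authenticated on a separate submission service; everything else is refused, because accepting it is exactly what makes an open relay. The network ranges, domains and session values are constructed for the example, and the `Session`/`RelayPolicy` types are this example's own, not a real server's API.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Session is what the server knows about one SMTP connection when it must
// decide whether to take a message for a recipient (constructed for this example).
type Session struct {
	SourceIP      string // peer address of the TCP connection
	Authenticated bool   // true if the client logged in on the authenticated submission port
	Recipient     string // the RCPT TO address
}

// RelayPolicy holds the two facts the thread says drive the decision:
// which networks are "inside", and which domains this server is the endpoint for.
type RelayPolicy struct {
	InternalNets []*net.IPNet
	LocalDomains map[string]bool
}

// NewRelayPolicy parses the internal CIDR blocks and normalises the hosted domains.
func NewRelayPolicy(cidrs, domains []string) (*RelayPolicy, error) {
	p := &RelayPolicy{LocalDomains: map[string]bool{}}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad internal network %q: %w", c, err)
		}
		p.InternalNets = append(p.InternalNets, n)
	}
	for _, d := range domains {
		p.LocalDomains[strings.ToLower(d)] = true
	}
	return p, nil
}

// isInternal reports whether the peer address lies in one of the internal networks.
func (p *RelayPolicy) isInternal(ip string) bool {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false
	}
	for _, n := range p.InternalNets {
		if n.Contains(addr) {
			return true
		}
	}
	return false
}

// Decide returns "accept" or "reject" plus the reason. Inbound mail for a
// hosted domain is accepted from any source; outbound mail is relayed only
// for internal or authenticated clients; anything else would be open relaying.
func (p *RelayPolicy) Decide(s Session) (string, string) {
	at := strings.LastIndex(s.Recipient, "@")
	if at < 0 || at == len(s.Recipient)-1 {
		return "reject", "malformed recipient"
	}
	domain := strings.ToLower(s.Recipient[at+1:])
	if p.LocalDomains[domain] {
		return "accept", "local delivery for " + domain
	}
	if p.isInternal(s.SourceIP) {
		return "accept", "relay for internal client " + s.SourceIP
	}
	if s.Authenticated {
		return "accept", "relay for authenticated client"
	}
	return "reject", "relay access denied"
}

func main() {
	p, err := NewRelayPolicy([]string{"10.0.0.0/8"}, []string{"example.net"})
	if err != nil {
		panic(err)
	}
	for _, s := range []Session{
		{SourceIP: "203.0.113.5", Recipient: "joe@example.net"},                       // inbound, anyone
		{SourceIP: "10.1.2.3", Recipient: "bob@elsewhere.org"},                        // outbound, inside
		{SourceIP: "203.0.113.5", Recipient: "bob@elsewhere.org"},                     // outbound, outside
		{SourceIP: "203.0.113.5", Authenticated: true, Recipient: "bob@elsewhere.org"}, // outbound, logged in
	} {
		verdict, why := p.Decide(s)
		fmt.Printf("%-12s auth=%-5v %-20s -> %s (%s)\n", s.SourceIP, s.Authenticated, s.Recipient, verdict, why)
	}
}
```

The third session is the one a spammer probing for open relays sends; the fourth is the home server in the earlier post using an authenticated outbound service instead of port 25, and it is accepted on the credential rather than on where the connection came from.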