The Window For Rotten Meat

Members of the ISP-UNIX list discuss how to protect your system when you allow webhosters to run e-mail from their servers in your system. How do you prevent spammers from abusing your generosity?
On the ISP-UNIX list in February, TK explained,
A number of respondents advised forcing your users to stay with their ISP:

[MC recalled] "We had some relaying opened up for a few customers, and the spammers found it and began spamming through our server. If customers use different ISPs, we make them use their ISP's sendmail server. Their reply address is still to their domain on our servers, and unless someone looked at the header, no one would notice."

[CT added] "We had the same problem. We allowed open relay to a few domains, and needless to say, it's best to just plain say no. You will have less stress in the long run."

[KD agreed] "I think the de facto standard has become whoever provides your Internet access provides your SMTP server. If you explain the reasons for this to the customer, and let them know that this is the standard policy that pretty much all ISPs use, they generally understand."

Others suggested POP before SMTP:

[MM offered] "Try POP before SMTP. You can get information at the following link: http://spam.abuse.net/tools/smPbS.html. Basically, when someone checks their POP mail, they are allowed to access the sendmail server for a period of time."

[DV agreed] "POP before SMTP is the only method of authentication that we allow our clients to use, and it is very effective at preventing spammers relaying through. The only real problem with it is that Outlook doesn't support it. It forces you to 'send and receive' instead of 'receive and send,' but you can get around this."

DB felt passionately about a third option: "No! POP before SMTP is old news. Let's not add more sites that will need conversion. SMTP AUTH is your friend, and is supported in all major mail clients. See http://www.sendmail.org/~ca/email/auth.html."

TD offered a handy summation of the choices available: "Here are your options. First, POP before SMTP: when someone checks mail using POP, the IP they're coming from is added to the list of IPs allowed to relay for ten minutes or so. Second, Authenticated SMTP: extensions to SMTP now exist to support passwords. Third, make them use their ISP's mail server for SMTP. Any of them should work fine: I suggest advocating the third and supporting the first."
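The relay decision behind the first option in TD's summary, as an added sketch that is not from the list discussion or from any real mail server: a successful POP login opens a timed relay window for the client's IP, and each RCPT TO is then classified as local delivery, permitted relay, or denied. The class and method names, the 600-second window, and the sample addresses are assumptions made for illustration.

```python
import time


class PopBeforeSmtp:
    """Time-limited relay allowlist keyed by client IP (hypothetical names)."""

    def __init__(self, local_domains, window_seconds=600):
        self.local_domains = {d.lower() for d in local_domains}
        self.window = window_seconds          # "ten minutes or so"
        self._expires = {}                    # ip -> time the permission ends

    def pop_login_ok(self, ip, now=None):
        """Called by the POP daemon after a successful login from ip."""
        now = time.time() if now is None else now
        self._expires[ip] = now + self.window

    def purge(self, now=None):
        """Drop expired entries so the table does not grow without bound."""
        now = time.time() if now is None else now
        for ip in [ip for ip, t in self._expires.items() if t <= now]:
            del self._expires[ip]
        return len(self._expires)

    def check_rcpt(self, ip, rcpt, now=None):
        """Return 'local', 'relay' or 'deny' for one RCPT TO address."""
        now = time.time() if now is None else now
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return "local"                    # inbound mail is never relaying
        # The permission belongs to the IP, not the user: any client that
        # shares this address (NAT, reassigned dial-up IP) inherits it too.
        if self._expires.get(ip, 0) > now:
            return "relay"
        return "deny"


def demo():
    """Constructed sample traffic using documentation address ranges."""
    gate = PopBeforeSmtp(["hosted.example"])
    t0 = 1_000_000
    out = [gate.check_rcpt("192.0.2.10", "a@elsewhere.example", t0)]
    gate.pop_login_ok("192.0.2.10", t0)
    out.append(gate.check_rcpt("192.0.2.10", "a@elsewhere.example", t0 + 60))
    out.append(gate.check_rcpt("192.0.2.10", "a@elsewhere.example", t0 + 601))
    out.append(gate.check_rcpt("198.51.100.7", "u@hosted.example", t0))
    return out
```

Because the window authorizes an address and not a person, shortening `window_seconds` narrows who can inherit it; SMTP AUTH, the second option, ties the permission to a credential instead.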