Mailing List SIMS@mail.stalker.com Message #12923
From: Tom Marsh <tom@tommarsh.net>
Subject: Windows SMTP service / Fighting spam with good network design
Date: Fri, 2 May 2003 07:44:54 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Apple Mail (2.552)

How are spammers able to use folks sitting out there with DSL and Cable accounts? Is being able to use a standard PC as an open relay without some kind of email server installed a weakness of the Wintel world?

NT 4.0 Server installs the SMTP service by default, and starts it at boot-up with NO RESTRICTIONS. Windows 2000 improves on this idiocy only slightly: It only installs a fully functional unrestricted SMTP server if you install IIS and don't drill down manually to say "No SMTP server." The workstation versions (NT Wkstn and 2000 Pro) give you an SMTP server if you install IIS and don't specifically tell it not to have one. Again, totally unrestricted SMTP server... so yes, an open relay.

This is, of course, quite stupid. But look who/what we're talking about, too... (Microsoft. "Who do you want to spam today?")

I agree that this sucks, but blocking all dynamic IPs is extreme. I have several smaller companies who have dynamic IPs on their business DSL connections. (Bad contracts signed by prior consultants... Not my fault, but I have to deal with it.) You certainly wouldn't want to block e-mail from legitimate businesses who wanted to buy your service, would you? Yet this is what would happen in many cases.

Unless you are receiving a TON of spam in your box, or these spammers are managing to relay, banning dynamic IPs is overkill.

In my opinion, the best solution is good network design from the start. I started tommarsh.net off with one IP, one private subnet, and a couple router settings. And while I understand this is a perfectly legit way to run a mail server, next week I'm moving to a different model...

I'll be using a mail gateway for relaying that requires SMTP-auth to send messages to a third party. Then put SIMS on a private subnet and allow 25 inbound connections to the SIMS box from only ONE IP... The mail gateway. Users then come into your private cloud on 110 via port forwarding (from a public IP). The gateway machine relays all legit mail to SIMS for client retrieval, and drops the garbage. SIMS then relays using the gateway ("Relay via foreign host") and not its own internal SMTP server.

The really ideal way to implement that would be to have two NICs in the SIMS box and have SIMS listen for POP requests on one IP, and SMTP connections on another. Preferably on separate, secure subnets. Of course, I haven't found a SIMS setting to do this just yet...

If anybody at Stalker who writes code wants to implement a "listen on what IP" function, that would be really, really cool.

</ramblings>
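
The layout described in this message, modelled as a first-match packet filter (an added example, not part of the original post). The addresses, rule format and function names are constructed for illustration; it compares forwarding port 25 straight to SIMS with allowing it only from the gateway.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (assumptions; the message gives none).
GATEWAY = "192.0.2.10"   # mail gateway, the only host allowed to speak SMTP to SIMS
SIMS = "10.0.1.25"       # SIMS host on the private subnet
ANY = "0.0.0.0/0"

# Rule = (action, source, destination, destination port or None for any port).
# Starting layout: the router forwards both 25 and 110 to SIMS.
FORWARD_ALL = [
    ("allow", ANY, SIMS, 25),
    ("allow", ANY, SIMS, 110),
]
# Target layout: SMTP only via the gateway, POP3 still forwarded.
GATEWAY_ONLY = [
    ("allow", GATEWAY, SIMS, 25),    # gateway hands accepted mail to SIMS
    ("allow", ANY, SIMS, 110),       # users fetch mail over the POP3 port forward
    ("allow", SIMS, GATEWAY, 25),    # SIMS "Relay via foreign host"
    ("deny", SIMS, ANY, 25),         # SIMS never delivers to the Internet itself
]

def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for action, r_src, r_dst, r_port in rules:
        if (ip_address(src) in ip_network(r_src)
                and ip_address(dst) in ip_network(r_dst)
                and r_port in (None, port)):
            return action
    return "deny"

def smtp_exposure(rules, probes):
    """Return probe sources, other than the gateway, that can reach SIMS on 25."""
    return [src for src in probes
            if src != GATEWAY and decide(rules, src, SIMS, 25) == "allow"]

# Constructed probe sources: a DSL host, another Internet host, the gateway.
PROBES = ["198.51.100.7", "203.0.113.99", GATEWAY]

if __name__ == "__main__":
    for name, rules in (("forward-all", FORWARD_ALL), ("gateway-only", GATEWAY_ONLY)):
        print(name, "SMTP reachable from:", smtp_exposure(rules, PROBES))
```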
