how-to block ads
|
Camelot One
Premium,MVM
join:2001-11-21
Sarasota, FL
clubs:
| Re: Thanks Idiots! I am in the same boat. This will prevent all users from being able to say, send email from their work address at home. Anyone with a Road Runner accoun tfor example can only send email from their rr email address.
Stupid. Just plain stupid.
--
AMD XP2500+ @2388mhz/ Asus A7N8X-E Deluxe/ 2x 512Mb Kingston HyperX PC3500/ WD 120Gb on serial/ Gainward GF4 4600/ Enermax 465P-VE/Custom water cooler | |
|  
LBDSL
Lightning Bolt
VIP
join:2002-01-07
Auburn Hills, MI
| Re: Thanks Idiots! said by Camelot One  :
Anyone with a Road Runner accoun tfor example can only send email from their rr email address.
This isn't totally true, at least not in some parts of the US.
I have a few clients who use RoadRunner to access the net, but use us to host their site, and email.
They are able to use the SMTP server we give them with their hosting account to send mail.
--
Lightning Bolt Technologies | |
| 
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| said by Camelot One :
I am in the same boat. This will prevent all users from being able to say, send email from their work address at home. Anyone with a Road Runner accoun tfor example can only send email from their rr email address.
Stupid. Just plain stupid.
What's stupid is that Road Runner even considers the "From" address when relaying email - this is no kind of security (I understand Verizon did this too, perhaps they still do).
If the source IP address is from a "trusted" source - from within RoadRunner's own network - there is no good reason for disallowing users to include any From: address they wish, including valid work addresses.
An ISP that blocks outbound 25/tcp and limits users to the @isp.net From address is doing a bad thing.
Steve
--
Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site | |
| | 
keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
| That is what REPLY-TO/reply address is for quote:
I am in the same boat. This will prevent all users from being able to say, send email from their work address at home. Anyone with a Road Runner accoun tfor example can only send email from their rr email address.
That is what the REPLY-TO (in OE accounts, the "reply address") is for.
SENT-BY (FROM or, in OE accounts, the "email address") is formally supposed to be the email address on the ISP the computer is actually on. As noted by another poster, only a few ISPs check this.
ISPs should not be limiting the REPLY-TO (unless maybe the customer has been a problem), but to follow the original intent of the standards, they all should have been limiting the SENT-BY.
My personal feeling is that ideally such filtering (port 25, spam, email virus) should a user configurable, and default to filtering for new accounts.
I think the problem is technical:
1. It increases overhead to add a bunch of individual IP addresses to port blocking rules in the router.
2. There is a bit of manual effort involved in updating the rules for individual customers.
It isn't dumb users that are responsible for "reduced functionality", it is the hackers and spammers who exploit them. | |
| | |
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| Re: That is what REPLY-TO/reply address is for said by keith2468 :
That is what the REPLY-TO (in OE accounts, the "reply address") is for.
SENT-BY (FROM or, in OE accounts, the "email address") is formally supposed to be the email address on the ISP the computer is actually on.
Says who?
This premise cannot possibly hold water, and it's hard to even know where to start.
First, and most broadly, your online identity is anything you want it to be, and in my book, you "are" any email address to which you have valid access to the mailbox. This gives me probably a half a dozen email addresses, none of which is the "real" address unless I say one of them is.
Second, many people purchase IP services with the sole intent of routing IP packets, and they do not buy into the additional services (email, web space, home page) that the ISP may offer. I have Pac*Bell DSL, but as far as I know I don't have a @pacbell.net email address.
Finally, there is no required connection between "email address" and "physical location" - otherwise this premise would play havoc with the salesman on the road: does he get a new "Sent-From" email address in every hotel?
Steve
--
Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site | |
| 
ChrisN4BSA
Premium
join:2002-05-31
Clearwater, FL
1 edit | This isn't totally true. I'm net admin for a company here in Tampa, and was able to use our company SMTP server (port 25) via my home Roadrunner connection.
However - just today we have implemented a new non standard inbound SMTP port that will allow us to get around the port 25 filtering for those employees that are lucky enough (or is that unlucky?) to be on an ISP that blocks port 25 SMTP traffic.
And - as much as it sucks, amen for the ISP's blocking port 25. I hate to be punished for clueless users, but if it helps slow down the spread of viruses that spread via email, I'm all for it. I'm sick & tired of having to spend hours every day checking our mail quarantine because of all spam zombies in the wild. | |
| | cbs228
Geeks Of The World, Unite
join:2000-09-04
Saint Louis, MO
| Re: Thanks Idiots! Indeed. For access to business servers or other SMTP servers that your ISP blocks, a simple ipfw rule on the server machine (or the router the server is behind) will fix this:
sudo ipfw add fwd serveraddress,25 tcp from any to me inboundport
Where serveraddress is the address of the server (usually "localhost") and inboundport is the port you want to listen on in addition to 25.
NOTE: I'm not responsible for any damage to your machine running this command may incur. Always modify ipfw rules locally as they may interrupt tcp/ip access. Tested on MacOS 10.3.2.
--
"If you stare too long into the abyss the abyss stares back at you." -Nietzsche
GENERAL FAILURE READING ©: DRIVE
(A)bort, (R)etry, (F)rivolous Lawsuits, (B)ribe Congress? | |
| | | | | 
dilettante
join:2002-01-01
Haslett, MI
| Re: Thanks Idiots! I've often thought that licensing (certifying) users might be a reasonable tactic. Something where you'd agree to random external audits of your network (scans and other penetration tests, monitoring traffic over an interval).
But there are cost and privacy issues I suppose, and it would really cut into the lucrative "granny (grandpaw?) AOL" market of low-use, unsophisticated users.
But I have to wonder... wouldn't it make economic sense to offer high bandwidth to "certified" users and lower bandwidth and blocked ports to those "potential problem users" who are likely to get hijacked - at the same or similar prices? If you keep your network clean and properly isolated and your boxes secure and use adequate throttling mechanisms... [takes a breath] any real hazard from running services is minimal. Violations or complaints and you'd get dropped back to the "wild west" service with ports blocked.
Sort of a "being responsible grants privileges" policy.
But maybe that's precisely where those high-cost commercial offerings come in: you pay for the privilege of being responsible. Everyone else "swims with the fishes" wearing a hardsuit. | |
| | 
RARPSL
join:1999-12-08
Suffern, NY
| said by ChrisN4BSA :
This isn't totally true. I'm net admin for a company here in Tampa, and was able to use our company SMTP server (port 25) via my home Roadrunner connection.
However - just today we have implemented a new non standard inbound SMTP port that will allow us to get around the port 25 filtering for those employees that are lucky enough (or is that unlucky?) to be on an ISP that blocks port 25 SMTP traffic.
And - as much as it sucks, amen for the ISP's blocking port 25. I hate to be punished for clueless users, but if it helps slow down the spread of viruses that spread via email, I'm all for it. I'm sick & tired of having to spend hours every day checking our mail quarantine because of all spam zombies in the wild.
The DESIGNATED port to use to inject Email (ie: Send it from a Mail Client) is 587 NOT 25. The problem is that many ISPs are too lazy to activate this port and require SMTP AUTH to access it. Most just say use Port25 and block out-going Port25 to other servers. IMO, ANY ISP that blocks outgoing (to non-ISP Owned SMTP Servers) that DOES NOT accept incoming Email from their customers (while those customers are using Non-ISP Connectivity) on Port 587 is a Hypocrite. | |
| | | |
|
·