nanog mailing list archives

Re: Fun new policy at AOL
From: Matthew Crocker <matthew () crocker com>
Date: Thu, 28 Aug 2003 12:00:29 -0400



On Thursday, August 28, 2003, at 11:07 AM, Joel Jaeggli wrote:

> On Thu, 28 Aug 2003, Matthew Crocker wrote:
>
>> Shouldn't customers that purchase IP services from an ISP use the ISP's
>> mail server as a smart host for outbound mail?
>
> Applying that standard, just how large do you have to get before
> you "graduate" to running your own SMTP server? "I'm sorry we won't accept
> mail from you because you're not an LIR?"


If a larger corporation showed that they have a clue we remove the filters. If we start getting virus/spam notifications on again we re-enable the filter. We are either primary or backup MX for all of our customers. We can implement a port 25 inbound filter on a customer and their inbound mail is unaffected. We can then contact the customer and work with them to fix their broken mail server and remove the filter.

We make the determination based on skill level of the customer, not their size.

How does this sound for a new mail distribution network?

Customers can only send mail through their direct provider.
ISPs can only send mail to their customers and their upstream provider. They purchase the ability to send mail to the upstream as part of their bandwidth. ISPs can contact and work out other direct mail routing arrangements between themselves. For example, ISP A could send directly to ISP B if there is a large amount of A -> B mail. Both ISPs have to agree. ISPs form a trusted ring of mail servers for direct connection. All others get shipped upstream to the next available mail server. All mail servers are known, logged and can be kicked off the network by the upstream provider.

A central core of distributed mail servers gets built by each backbone ISP. The backbone ISPs peer with one another (trust each other's mail). Backbone ISPs accept mail from their customers and can block that mail if their customer doesn't have a clue.

Everything is logged, everything is validated. Setting up a mail server involves more than getting a static IP and setting up an MX record. SPAM is eliminated because it can't enter the trust ring unless it goes through an ISP. That ISP can be kicked off if they allow spammers. Viruses are managed because they can be tracked back to their origin. Block at the core. Virus protection could also be made a requirement for entering the trusted mail ring. Mail servers are set to deny all mail by default, opening up connections from trusted hosts as you build trust relationships. Contact information needs to be maintained. I can't get into Sprint's trust ring unless I can contact them.

This can be phased into service by setting up trusted and untrusted mail servers. All mail entering untrusted mail servers has a higher spam score and cannot be forwarded outside the local network. Trusted mail (i.e. from customers) can be forwarded upstream to other trusted, non-trusted mail servers.

-Matt
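
The routing rules proposed in the message above, modelled as an added example that is not part of the original post: each server denies connections by default, accepts only its customers, its upstream or a peer where both sides have agreed, ships everything else upstream, and logs every hop. The class and method names, the server names and the `cust-b.example` domain are constructed for illustration, and the phased trusted/untrusted spam scoring is not modelled.

```python
from dataclasses import dataclass, field
@dataclass
class Server:
    upstream: str = None                         # provider we send non-local mail to
    customers: set = field(default_factory=set)  # servers whose mail we accept
    peers: set = field(default_factory=set)      # direct arrangements WE have agreed to
    domains: set = field(default_factory=set)    # recipient domains we are MX for

class TrustRing:                                 # hypothetical model, constructed names
    def __init__(self):
        self.servers, self.log = {}, []
    def add(self, name, upstream=None, domains=()):
        self.servers[name] = Server(upstream, domains=set(domains))
        if upstream:
            self.servers[upstream].customers.add(name)
    def kick(self, upstream, customer):          # upstream removes a customer from the ring
        self.servers[upstream].customers.discard(customer)
    def mutual(self, a, b):                      # a direct route needs both ISPs to agree
        return b in self.servers[a].peers and a in self.servers[b].peers
    def accepts(self, rcv, snd):                 # deny by default
        r = self.servers[rcv]
        return snd in r.customers or r.upstream == snd or self.mutual(rcv, snd)
    def serves(self, name, domain):              # is the domain delivered at or below name?
        s = self.servers[name]
        return domain in s.domains or any(self.serves(c, domain) for c in s.customers)
    def next_hop(self, name, domain):
        s = self.servers[name]
        for cand in sorted(s.customers | s.peers):
            if (cand in s.customers or self.mutual(name, cand)) and self.serves(cand, domain):
                return cand
        return s.upstream                        # all other mail is shipped upstream
    def route(self, origin, domain):
        path = [origin]
        while domain not in self.servers[path[-1]].domains:
            hop = self.next_hop(path[-1], domain)
            ok = hop is not None and self.accepts(hop, path[-1])
            self.log.append((path[-1], hop, domain, "accept" if ok else "reject"))
            if not ok:
                return None
            path.append(hop)
        return path

def demo():                                      # constructed two-backbone topology
    ring = TrustRing()
    for args in [("BB-1",), ("BB-2",), ("ISP-A", "BB-1"), ("cust-a", "ISP-A"),
                 ("ISP-B", "BB-2", ["cust-b.example"])]:
        ring.add(*args)
    ring.servers["BB-1"].peers.add("BB-2"); ring.servers["BB-2"].peers.add("BB-1")
    return ring
```

Calling `demo().route("cust-a", "cust-b.example")` returns the hop list through both backbones; after `kick("BB-1", "ISP-A")` the same call returns `None` and the last log entry records the rejection at BB-1.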

