Verizon Email Restrictions

CodeMonkey5 writes: "The following excerpt is from a Verizon email sent to all Verizon customers regarding the use of their SMTP servers. The gist of it is that if you are using an email address other than that of Verizon in the 'From' field, you cannot use their SMTP servers. '...If you are sending email using an email address other than one provided by Verizon Online, this message affects you. Effective, August 8, 2001, you will no longer be able to send email from any email address other than the one provided by Verizon Online (this includes privately branded domains and secondary ISP accounts). We are taking this action as a result of our continuing efforts to improve the quality and reliability of Verizon's mail system and is one of several steps to help reduce spam. The effect of this change is that Verizon Online email will no longer support sending email from other ISP accounts or privately branded domains that are not hosted by Verizon Online ...'"

Re:This really isn't so bad.

[davidu]

I unplugged my modem and tried to send you an e-mail, but it didn't work...

Errr....maybe I shoulda written "offlist"...

Have you tried to contact me via carrier pigeons?

-davidu

Re:This really isn't so bad.

[davidu]

Actually your wrong.

Verio runs pop-before-smtp across their ENTIRE network. It is easy to setup, pop-before-smtp done properly DOES work, as does SMTP-AUTH.

-davidu

This really isn't so bad.

[davidu]

1) They are their servers and they really can enforce policies like this. While this really has nothing to do with spam they do have the right to make such a policy.

2) Most people these days use POP-BEFORE-SMTP or SMTP-AUTH in order to use a remote smtp server. It is a much better system because it allows people to actually send mail from THEIR server as opposed to relaying through their ISP's and having that in the headers.
For Security reasons alone I don't like my ISPs mail server in my headers and my mail server strips my IP from the outbound mail.

Again, this just really isn't that big of a deal, plus anyone on verizon's net can just run an SMTP server of their own and let other verizon users relay off of it. just create www.verizonrelay.com or something.

If you have questions about how POP-BEFORE-SMTP works just search google or email me offline, it really is a painless and easy system that all your remote users will love.

-davidu

Re:This really isn't so bad.

[unitron]

Now if only you'd included a link to that carrier pigeon transfer protocol you could have picked up some major karma.

Re:This really isn't so bad.

[tshak]

Most people these days use POP-BEFORE-SMTP or SMTP-AUTH

Based on what evidance? I'll agree that both methods are catching on rapidly, but just read further down and you'll see posts of people who work for ISP's that have yet to implement this.

I for one am a huge proponent of sending mail through the actual domain of the from address, but until SMTP-AUTH is a standard (POP-BEFORE-SMTP is too slow and doesn't always AUTH properly after each POP) , I don't think Verizon should do this. Especially with the advent of very cheap and easy to setup domain names.

Re:This really isn't so bad.

[janpod66]

This is the first I hear about Verio doing this. They certainly never informed me about it.

Re:This really isn't so bad.

[janpod66]

They are their servers and they really can enforce policies like this. While this really has nothing to do with spam they do have the right to make such a policy.

In the same sense, they also have a "right" to drop every other packet you send, to give access to your credit card info on their server to some con artist, to replace all web pages traveling over their wires to you with their preferred ones, or to spam you with E-mail when you connect to their server. But many of those actions may constitute breach of contract or be in violation of other laws. And most are a good reason to switch and let everybody else know how lousy that company is. You see, that's our right as consumers.

This "it's their hardware and they can do what they want" argument doesn't imply that everybody should just quietly accept whatever stupidity a service provider commits. Make noise. Complain. Switch. Organize. Boycott. Those are your rights, and companies will listen when they stand to lose millions of dollars.

Re:Move on, nothing to see here.

[sjames]

No... You can block relaying by limiting based on IP address.

That blocks outside spammers, but does nothing to prevent spammers from signing up for an account and sending tons of spam from idiot@makemoneyfast.com. Typically, a spammer will have several such accounts.

All this policy does is makes sure that Verizon doesn't get used that way. It is an inconvieniance for people with legitimate reasons to use an alternate address as the from address, in much the same way that door locks and keyed ignition inconvieniance the legitimate owner of a car.

The solution is for the third party host to allow authenticated users to use their SMTP from any IP.

Re:From us that host domains

[Sabalon]

So, use smtp_auth. Doesn't matter where they come from - they have to validate themselves before they can send e-mail.

From someone who hosts domains.

Re:From us that host domains

[mattdm]

pair.net would have the same problem. The issues isn't that they don't provide a mail relay -- it's that they don't provide a mail relay that can be used directly by Verizon customers. This completely reasonable -- otherwise (without an authentication scheme) any Verizon customer could relay spam through their server.

Obviously, there are authentication schemes that can work around this (as suggested elsewhere in this message), but they're nonstandard and a pain for both the ISP and for the customers.

Re:Uhhh.. how's this a problem?

[Genom]

This isn't really a relaying issue, though - they're just disguising it as one.

The real issue is that people are ordering Verizon, and either hosting their own domains (over DSL, with a static IP), or using other email addresses (such as domains they may have forwarding to their Verizon account, or alternate ISP accounts with better email packages/controls) - and Verizon doesn't like that.

The dream of all big consumer-oriented corporations is a huge closed-doors community, where once you're a customer, you have to do everything through them. That's what Verizon wants.

They want to guarantee that if you're a Verizon customer, that you USE your Verizon-branded email. That makes your address a "verified good" address, that they can then put on a list, along with your name, and any other personal information that you've given them, and sell to other companies.

They want to make sure that when you go for a domain for yourself, or your business, that you have NO CHOICE but to have Verizon host it - otherwise yo won't be able to take advantage of it through your existing Verizon 'net access account.

Were I a Verizon Online customer, which I'm not, I would be furious - even if this policy didn't affect me *now* - as it might in the future.

I'm very glad I went with Speakeasy for my DSL line, and not Verizon. It will be a sad day when Speakeasy implements any kind of policy like this.

As for options existing Verizon customers have - the best option would, of course, be to cancel your Verizon account, tell them the reason, and go with a competitor who has a saner policy. Barring that - is Verizon blocking SMTP sends from DSL customers running their own SMTP servers on static IPs? If not, it might not be a bad idea to pick up a cheap linux box and run Sendmail/Postfix/Exim/Qmail to handle external accounts.

Re:Non-Issue

[Alan+Shutko]

Congratulations on completely missing the point.

• Mailing lists look at "from" or worse, envelope-sender when allowing you to post or subscribing you.
  
  
• Most mailers will take the From address, not the Reply-to, when
  adding to an addressbook.
  
  
• Most people don't even look at the reply-to.
  
  
• There exist broken mail gateways which lose the reply-to.
  
  
• Many mailers these days ignore reply-to entirely, because of broken
  mailing lists.
  
  
• Many broken mailing lists completely ditch the reply-to and put on
  their own.
  
  
• Slightly less broken mailing lists won't overwrite a reply-to, but
  that means that people on the list who expect that hitting R will
  reply to the list (because they've gotten used to the list setting
  reply-to) will accidently and possibly unknowingly not send things
  to the list when they want to.
  

I have been using the ats@acm.org address through several ISP changes
over 5 years or so and it has enabled people to find me after long
amounts of time. It only works because people will pull up old
emails of mine and see the address, and try it. No amount of telling
people what email address to use will stop short-lived addresses from
finding their way into people's addressbooks. No matter how much I
like OOL, eventually I'm going to stop using it because eventually,
I'm going to move off the island. (The odds of my wife completing her
PhD, doing two postdocs, and finding a tenured faculty position all
while sticking in this area are low, you know?)

I'm not precisely sure how ensuring a verizon return address would help
the spam issue. If it's sent through your IPs, you can track the
spam down no matter what the address. If it's not, you can't do
anything. (After all, you already refuse to relay from outside your
IPs.) It might make it slightly easier for other admins to lay blame,
but they're going to have to trace headers anyway to show that it
isn't someone relaying through uu.net and setting an verizon return
address.

Why allowing local relaying can still be bad

[Old+Man+Kensey]

sourcehunter wrote:

I can understand blocking outgoing port 25 on your network except for your mail server and thus assuring that all mail is routed through the ISP's mail server - Mindspring/Earthlink has been doing this for quite a while! But not relaying mail for your local users (regardless of from address) breaks one of the core reasons for having LOCAL mail servers. What the hell else are people going to do? Most third partys' mail servers are locked down to allow local relay only (as well they should be!). Yeah there are a few open relays out there, but everyone won't be able to find one. I for one won't be opening up my server!

The problem with allowing random-relay from local IPs is that your customers can still spam through your mailservers while disguising their address. You can blast a lot of spam even through a 28.8 connection before you get caught.

I remember when MindSpring turned off port 25 access to the outside world -- a lot of their customers made the same complaints I'm seeing here. Turning off outbound 25 is actually a much more draconian measure than this -- it still allows legitimate access to third-party SMTP servers that allow it.

The bottom line is, this is understandable and I see it all the time.

Re:Why allowing local relaying can still be bad

[mpe]

The problem with allowing random-relay from local IPs is that your customers can still spam through your mailservers while disguising their address.

But if you still allow them to use any possible address applicable for the ISP (including a completly made up one) they you arn't buying much.
Unless you were to do some kind of real time mapping of the IP to the account. Even then simply setting appropriate mail headers will enable spammers to be easily identified without annoying legitimate users.

Re:Annoying, but a reasonable policy to enforce.

[TheSync]

They ALREADY block outgoing Port 25 traffic

I'm on Verizon DSL, and we're not blocked on port 25 currently.

Re:Just use your own relay.

[Sethb]

iMac: $999
OS X: Included with the iMac
Sendmail: Free

Factual Slashdot Post: Priceless
---

This is actually a BIG restriction

[KyleCordes]

Some of the early posters confused open relaying with normal SMTP behaviour and normal ISP behaviour.

For example, I have my own domain, kylecordes.com. It's hosted by an internet hosting provider. I receive email there.

My ISP for internet access is Speakeasy. I send email through them, but that email is marked *from* my email address, which is @kylecordes.com. Speakeasy does not force me to have any email I send through them marked @speakeasy.net.

Speakeasy is not an open relay; they are correctly handling outgoing SMTP only for their own customers (including me). They know it's me because I connect through their network.

Were I a Verizon customer, I would be unhappy. I don't wish to use an @verizon email address... that's why I got my own domain name.

The Verizon policy looks like a way to try to force their branding onto all of their customers' email address.

Re:This is actually a BIG restriction

[M-G]

Speakeasy is not an open relay; they are correctly handling outgoing SMTP only for their own customers (including me). They know it's me because I connect through their network.

Exactly! Once the person is authenticated through the ISP's network, the ISP knows who they are. If a bunch of bulk traffic goes through their servers, with a non-Verizon From: address, they should be able to figure out what customer it came from, and term them for AUP violations.

This strikes me more as a corporate strategy to attempt to lock in users and get Verizon's name broader exposure via e-mail addresses than any kind of security or anti-spam tool.

Re:Real motive a disincentive from changing ISPs?

[KyleCordes]

[Paying customers who are unaware of the benefits
provided by Reply-To: headers are also very annoying.]

Sending out email with a From: that lists a residential throwaway ISP mail account and only the Reply-to: lists your real, long-term, paid-for-the-domain email account, looks rather unprofessional. Some mail clients either don't handle Reply-to very well.

Re:That is a misinterpretation.

[KyleCordes]

[hosted your domain through Verizon]

How dare I wish to:

* already have hosting arrange somewhere else and not want to switch

* want to buy a flavor of hosting that Verizon does not offer

* Have more than one ISP for whatever reason... obviously at most one can be the same place I host my domain.

* etc.

[Verizon doesn't want to be relaying mail for non-customer domains]

Indeed they don't.

It would make a lot more sense, though if they were interested in relaying mail only for their *customers* regardless of domain, rather than only for *customer domains* per se. My ISP (which is not Verizon) has the desired behaviour, for example.

[don't think this qualifies as a "Your rights online"]

Agreed. But it does seem like a customer-hostile policy.

Common carrier?

[HiThere]

I'm not sure exactly the legal meaning of common carrier, but it seems to me that Verison may be one. As such, to what extent does it (legally) have the right to engage in anti-competitive acts? (Of course, it may have cleared this with the government ahead of time...)

Caution: Now approaching the (technological) singularity.

Move on, nothing to see here.

[_Stryker]

So what is the problem? It sounds like to me that they are actually tightening up their mail servers and not allowing relaying. Isn't this the exact thing that we say all ISPs should be doing? This measure doesn't stop you from sending your own email from your own mail server.

---

Re:Move on, nothing to see here.

[_Stryker]

If you are using a web hosting company that has no provision for sending mail, they you have made a poor choice of hosting companies. Any decent hosting company will have an SMTP server setup for the companies they host. There are different ways of allowing the mail to be relayed, but probably the most common these days is POP before SMTP, which means you have to check your POP mail before you can send anything via SMTP. Another popular solution is SMTP AUTH.
---

Re:Move on, nothing to see here.

[ibbey]

Certainly running your own SMTP server is a great solution for the slashdot crowd. But, cmon, do you really expect the avaerage small (i mean really small) business to have the resources to do this? For many businesses, this will be a MAJOR inconvenience. If you are top small to be able to afford a geek, and you're not technical enough (or to busy to) to run your own server, your screwed. Add to that the chance that Verizon may begin to use other "anti-spam" measures (like blocking port 25), and it rapidly becomes apparent that there is no way the average person can run their own server. And since Verizon is probably the only Broadband available to many of it's subscribers, and this begins to be a significant problem.

And of course this policy almost forces Verizon to begin blocking port 25. Since many people WILL now be running their own SMTP servers, but won't really understand what they are doing, suddenly Verizon will be the home to many, many open relays. So, to prevent the new spam created by their policy, they will have to block port 25. Frankly, this policy makes Earthlink's port blocking seem downright welcome (and certainly a hell of a lot more effective.).

Re:Move on, nothing to see here.

[penguinboy]

1. It's annoying for people who legitimately want to use a different return address. For example, I have Earthlink and I've never used the email address they provided. That has received tons of spam from day one and Earthlink doesn't have the same sort of filtering you can get elsewhere.

2. Actually, many ISPs *are* preventing you from running your own mail servers. Earthlink and Mindspring started this a long time ago - you can't connect to port 25 on any machine besides their own mail servers. I had to set up a mail server elsewhere on the net and create a tunnel from my network to it to get my functionality back. Earthlink/Mindspring also did the 'our email address only' thing quite some time ago.

Re:Move on, nothing to see here.

[mpe]

Any decent hosting company will have an SMTP server setup for the companies they host. There are different ways of allowing the mail to be relayed

Non of which is described in the relevent RFC (or for that matter is even necessary.)
Effectivly what is going on here is crude hacks being piled on top of each other to address MUA software ignoring the specifications in the first place.

Re:Move on, nothing to see here.

[mpe]

That blocks outside spammers, but does nothing to prevent spammers from signing up for an account and sending tons of spam from idiot@makemoneyfast.com

Instead they can use makemoneyfast@verizon.com
The real problem here is Verizon verifying the real world identity of their customers otherwise even if spammers get thrown off they may come back

The solution is for the third party host to allow authenticated users to use their SMTP from any IP.

IMHO a better long term solution is
Get rid of all third party relaying. (Having to do MX lookups and actually send the whole message to the entire list makes spamming more difficult, time consuming and exposes the spammer's machine to such techniques as Telegrubing)
Minimal usage of dynamic IP addressing and a mechanism to easily tie IP address usage to a specific acount where dynamic IP addressing is unavoidable. (If someone does misbehave they can be more easily identified)
Traffic monitoring and shaping. e.g. if more than x% of TCP datagrams are for SMTP drop the extra ones on the floor. (If someone trys to do nothing but send SMTP email then their effective bandwidth is highly restricted. To rather less than x% since any retransmissions are subject to the same rules.)

Re:Move on, nothing to see here.

[mpe]

Certainly running your own SMTP server is a great solution for the slashdot crowd. But, cmon, do you really expect the avaerage small (i mean really small) business to have the resources to do this? For many businesses, this will be a MAJOR inconvenience. If you are top small to be able to afford a geek, and you're not technical enough (or to busy to) to run your own server, your screwed.

A pure SMTP server is not actually a very complex piece of programming. If you only want to send mail then not only do you have something marginally more complex than a printer spooler it also requires zero configuation and maintence.
The reason many MTAs are complex is that they tend to support various transports and things not required by the spec. e.g. being able to operate as a third party relay.

Re:Move on, nothing to see here.

[harlows_monkeys]

This does nothing to stop relaying, since they obviously can't require the "From" address to be a Verizon address on incoming mail from outside their network, or no one from outside would be able to mail to Verizon customers! :-)

You stop relaying by configuring your SMTP server to not accept outside mail unless it is addresses to your customers.

All this does is annoy their own customers who have their own domains.

Basically, Verizon is clueless about spam.

Re:Move on, nothing to see here.

[harlows_monkeys]

And what happens when they start blocking outbound port 25 access except to their server?

Re:Move on, nothing to see here.

[harlows_monkeys]

Wrong. Almost no other ISP does this. What you are probably thinking of is that most ISP's check the IP address of the sender, and won't relay if the sender is not one of their customers.

Checking the IP address is good. Checking the "From" line is increadibly stupid, and won't close any holes.

Re:Move on, nothing to see here.

[wizman]

No... You can block relaying by limiting based on IP address. If they were to prevent relaying simply by the from field, anyone in the world could spam through their servers simply by tacking @verizon.com or whatever to a bogus e-mail address. Many people have third party web hosting companies for their domains and use their ISP's e-mail servers for outgoing. This is going to be a big problem, as most web hosts don't allow relaying either.

Re:Move on, nothing to see here.

[aozilla]

Fortunately I'm not on Verizon, but if I were I'd be pitching a fit. Nothing to see? What if I want my mail to be from my hotmail account but I also want to use my browsers email program to compose? I like reading my email on hotmail because I don't have to download anything, buy I like to compose on my browser becasue hotmails sucks.

I am on Verizon DSL, and I do exactly this, for exactly the reason you describe. I also use my own SMTP server, using POP before SMTP to send email from my own domain. I never use @verizon.com, and I never use Verizon's SMTP server. As long as they don't block outbound SMTP, things will be fine for me (and you'll always be able to send hotmail since that uses HTTP over port 80).

Re:Move on, nothing to see here.

[hillct]

The tremendous lack of technical detail here (on the part of Verizon) makes it difficult to judge the validity of their actions. It sounds like they're simply closing open relays - a good thing - because they talk about people using their SNMP servers.

It is possible that in fact what they are actually doing is blocking port 25 (SNMP) trafic at their routers that does not originate from their SNMP servers. This is a popular move on the part of most ISPs which (in conjunction with header rewriting on their SNMP servers) prevents any spam from coming from IPs they own without having a valid return address.

I have not recieved the letter so I don't have the full detail, but it sounds like they're not doing port based filtering (yet). If they are in fact proposing such filtering, I can fully understand the objections. I use Verizon DSL (carrier side) but elected to use a small local ISP rather than (at the time) GTE.net specifically because smaller ISPs are generally less likely to risk pissing off their customers with stupidness like this.

Those using Verion's ISP service have my sympathy.

--CTH

--

Re:Move on, nothing to see here.

[DeadMeat+(TM)]

What if you have your own domain name for E-mail purposes, like if you have your own small business? So much for that, unless the people hosting your E-mail have an SMTP server available, which may not be the case if you're just using it for forwarding to your Verzion POP3 box. Ideally you could set up a SMTP server, but that isn't always feasible in the real world, and if Verizon starts blocking outgoing SMTP (like a lot of ISPs, including mine do already) you're SOL.

At any rate, if the point is to stop spammers, it's not necessarily going to be very effective, since there's no reason a spammer couldn't give a bogus @verzion.com E-mail address (or, worse, use somebody else's real one).

Re:Move on, nothing to see here.

[jrp2]

Yes, but MANY ISPs, perhaps most, block outbound port 25. I don't know if Verizon does. If an ISP were to reject emails not from their domain, and block port 25, this would be a major problem. I guess you can still use the "Reply To" header, but that is kind of weak.

Overall, this move is a headache for those of us that try to do work from home, expecially those that are not techies. I can't tell you how many headaches this is going to cause various support organizations and customers. I totally believe that the defacto standard method of ISPs restricting by IP to their own networks only was a decent way to approach this.

The real problem is that as each ISP takes a different approach, the problem gets more and more complicated as the corporate and non-ISP email providers help desks need to track solutions by ISP for how customers need to configure outbound mail.

I'll go even further to say this solves nothing. If I were a spammer running on Verizon I would just use a fake address within the Verizon domain to circumvent it (eg. fake_user@verizon.com).

Bottom line, really bad idea, a sizable percentage of their honest customers are going to be seriously inconvenienced by this and it does little to prevent spam.

Re:i think the cluetrain ran you over a ways back

[Skapare]

His point was that you don't need to make an SMTP connection to some other mail server for sending outbound mail with your own private e-mail address. I just tested it on a mindspring dialup to be certain. It works fine.

There are two ways to send mail out with your own private e-mail address. Mindspring blocks one of them (the one most abused by spammers because it lets them do the relaying) but not the other. They may have volume throttling on their servers to keep any one IP address from sending more than some limit through at once. That would stop most spamming through their own servers.

You do need to check your attitude problem. While ckuhtz wasn't specifically addressing the point you made, he was pointing out the alternative you have for sending e-mail. You might have a preference for not using his solution, but there is no evidence whatsoever in his posting that he is ignorant about how SMTP and such work. In fact he seems rather well informed to me. Your personal flame on him was uncalled for. Lighten up. If you don't like being narrowed to using the ISP mail server for outbound mail, talk about that without flaming people. Or make the capitalist move.

Re:That is a misinterpretation.

[Skapare]

Hosting the domain with Verizon isn't always an option. Some people have their vanity e-mail addresses in other domains where they don't own the whole domain. For example I'm working on setting up an email forwarding system for the domain ham.org for ham radio operators. If you were a ham and wanted to use callsign @ham.org, you could receive your mail once the email address is registered, but you can't use it in the FROM: field for outbound mail as a Verizon customer. And it's not a domain you can host with them, either.

This is a perfectly valid story, given the complications it really does cause for people. Do you really want to let a company like Verizon manage your domain? I wouldn't.

Re:Again, you misinterpret.

[Skapare]

Most likely they will soon, if they do not already, restrict port 25 outbound to just their own servers. Earthlink/Mindspring does it, and it substantially reduced the sourcing of relayed SPAM from their network. I believe Verizon will end up doing this, too, because what they are doing now will have only minimal effect or SPAM reduction, and when people start running their own mail servers, there will be the new exposure to having relays within their network (not everyone who wants to run a mail server to host a vanity domain will be running something secure). And it won't further their marketing goals that probably prompted this particular restriction.

I understand perfectly. I don't know what Verizon literally does at a given moment (I don't get any service from them, fortunately), but I do see the ways they generally do things, and it's not good. This is only the first step, and a bad misstep, too.

User authentication and limitations to From

[Midnight+Thunder]

The problem with requiring the 'From' field to contain an address from the Verizon domain is that every spammer know how to hack a 'From' field. This now means that we will be having a lot more spam apparently originating from the 'Verizon' domain.

The better approach is to use user authentication at the e-mail server. I have come across a fair number of SMTP servers that require you to authenticate yourself, preferbly with the help of SSL, before you can send your e-mail through them. Couple this with IP verification, as Verizon should know which IP ranges they own, it make it would very difficult for a spammer to relay e-mail via their server.

Now if only more e-mail clients supported SSL.

Actually..

[mindstrm]

I see it completely the other way around. I can understand forcing your mail server to only accept mail marked the way you want it to be (such as, from your domain)...
but an ISP forbidding connections to other SMTP servers directly from it's users? That's a crime. What if I have my own mail servers elsewhere? I'm not allowed to connect? That's right.

IT's when these two things are combined there is a real problem; to me, internet access & internet services are two totally different things; they should be sold as such. I don't want mail services from my isp... I shouldh't have to shoulder the cost of them.. I just want unrestricted forwarding of IP, and I'm willing to pay for it.

From us that host domains

[doon]

We are a small ISP and host domains and for some of the business in the area. We recently had a couple of them come to us with this problem. We don't want to install pop before smtp at this moment as we are rebuilding our datacenter. Since verizon dsl doesn't even offer static ip's to it's customers, we have 2 choices, tell the customer to use their verizon mail address and their @domainname address in the reply to field. Or us open up our mail server to accept mail from a /22. When talking to verizon they told our customer that they should just host with them. Spam my ass. -doon

Re:From us that host domains

[slamb]

You're missing an option: SASL authentication. My Postfix mailserver is configured to use this and it works out fairly well. The major clients (Outlook, etc) seem to have support for it.

It's configured like this:

smtp_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_client,
reject_maps_rbl,
permit
smtpd_recipient_restrictions =
reject_unknown_recipient_domain,
check_recipient_access
hash:/usr/local/etc/postfix/access,
permit_mynetworks,
permit_sasl_authenticated,
permit_auth_destination,
reject

The client section allows my networks (you'd put in localhost and your dialup links) and SASL authenticated people, without checking DNS or the RBL (which is important if you are using the DUL; otherwise their machine may be listed and denied).

The recipient section allows SASL-authenticated people to send to addresses other than the auth_destination ones - in other words, to relay.

So, unless I'm missing something (like a big mail client that doesn't support SASL at all), there's a pretty good way for you and people like you to still provide supplementary addresses. And I think this move really will cut down on spam.

Re:Translation:

[PigleT]

> they can now improve service by restricting
> service?

Sounds like it. Ever heard of `relay'ing? It's not hard. It means you send email from/to a non-local domain through a server. It's a good way to increase the amount of spam, to allow relaying....
My initial reactions are along the lines of `what's this doing here? closing down an open relay is a damned good thing!'.

PS 2+2=4. This is not rocket-science.


~Tim
--
.|` Clouds cross the black moonlight,

Re:Translation:

[VP]

Wrong.

You have a domain name hosted by XYZHostingCompany.com, but you connect to the internet from xyzISP.com. You have the domain myDomain.com and the email address me@myDomain.com.

Yep, and if I connect to the internet through xyzISP.com, they can confirm that I am a legitimate customer, since they gave me the IP address. This is not relaying! The From: address has nothing to do with stopping relaying.

XYZHostingCompany.com has a special relaying server setup for its clients at relay.XYZHostingCompany.com

Many hosting companies don't have a special relaying server. Besides, doesn't this mean that a spammer with forged From: address has just found an open-relay server?

xyzISP.com SHOULD NOT be letting you send mail as me@myDomain.com because they don't have anything to do with that domain, if they let that domain through, they would basically be letting everything through, which means they would be used to send lots and lots of SPAM (which would, of course, degrade the level of service for their valid clients).

This is BS. The ISP assigns the IP address to their customers, and don't allow anyone from an invalid IP address to connect to their SMTP servers. They don't have to rely on the domain of the From: field to stop relaying...

Wrong Re:Move on, nothing to see here.

[VP]

If this were to stop using their SMTP servers when you are not connected to the internet through Verizon Online, then this will be indeed OK. However, it sounds like even if you are dialed into the Verizon system, or connected via DSL, they are trying to prevent you from using their SMTP server, only because you are using an e-mail address from a domain not hosted by Verizon.

Usually an SMTP server is provided by your ISP, since you are part of their network when you are connected to their service, and they can contlrol who uses the SMTP servers based on IP address. POP and IMAP servers can be provided from any place. If you have your own domain, the hosting provider usually provides a pop server, so that you can have e-mail going to your domain.

There is no technical reason behind this decision, only an attempt to force the Verizon customers to host their domains with Verizon.

Re:Wrong Re:Move on, nothing to see here.

[mpe]

If you have an email with a different domain, shouldn't that domain have its own SMTP sever that you can use? If it doesn't, you couldn't send SMTP mail from that account anyway, so I don't see the problem here...

This is utter nonsense, please read RFC 2821.
You are confusing the (rather poor and crippled) behaviour of a certain set of programs with actual specifications.

Shhh. It's a secret

[Fapestniegd]

I geuss I'll have to use the secret Reply-to: header.

Re:WAS an issue

[CharlieG]

The problem is that ORIGINALLY (back in late June when I sumbitted this story and it was rejected) they were saying that your Reply-To: also had to point to a Verizon domain! They have since clarified that this is NOT so, but by then, I had changed over to Roadrunner, so who cares

Re:Verizon does NOT block off-network port 25 conn

[mpe]

I've been a Verizon customer since 8/96 and I barely ever use their DNS, SMTP, or POP3 servers. Yes, I'm a horrible netizen, in that my Linux firewall uses world root DNS servers, and updates the list once a month with 'dig'. I alternate my diald between prodigy and verizon sessions.

If you are using more than one ISP then use of ISP servers complicates things for you anyway. Since you need to mess around changing things and restarting services in ip-up/ip-down

Re:Annoying, but a reasonable policy to enforce.

[mpe]

You are telling me Verizon doesn't know their customer's IP address when they connect to the SMTP server, or if they know it, that Verizon cannot enforce their AUP based on that information?

How large a company are they also have they grown by buying up other ISP's...

They cannot detect an IP address sending hundreds of e-mails per second?

You could even do this automatically. An IP address with is only opening TCP connections to port 25 is rather obvious.

Re:This is not their right, ethically

[mpe]

Simple solution - your university should have an SMTP-AUTH relay available.

Probably even more to blame are those people who write software with the requirement for a third party relay. When this was never actually part of the spec in the first place.
Even though there have been recent revisions the basics of RFC974 still stand. Yet too many people treat using third party relays as though it is the canonical way to do things.

Re:This isn't so bad...

[mpe]

another "anti-spam" trick ISPs have been using is to block outbound requests on port 25. This prevents their customers from using outside SMTP servers (and really causes a hassle for us web hosting companies trying to figure out why people can't send mail with their account's servers...)

As well as messing up anything which does follow the published specifications (and dosn't need a third party relay in the first place.)

Do you think enough people would drop an ISP who did this to make it a really bad idea, or do some of these ISPs have enough mindless zombies as clients that they could get away with it?

In the case of home win9X machines on dialups it isn't likely to even be an issue... Or maybe that an synonym for "mindless zombies".

Re:My other accounts

[mpe]

Same holds true for my Cayman Islands mailbox. Both do not have open relays as they are supposed to, so I can't sent mail with their servers

No absolutly nobody should be providing open relays. Indeed if you read RFC 2821 you will not even find the kind of restricted third party relays advocated.
There is only one canonical way to be sending SMTP email.
Problem is some people though they knew better and created programs which require third party relays to operate at all.

Re:It is a BIG deal. You are missing the big pictu

[mpe]

Blocking outgoing smtp to other non verizon smtp servers is acceptable, forcing email to go through their servers. That will allow verizon to have a log of all outgoing port 25 email from their network.

Except that port blocking and transparent proxying is the hard way to do things if all you want is a log of connections to TCP port 25.
tcpdump will do this...

Re:Why is this important? Because...

[mpe]

Nope, it's the fault of whoever invented SMTP. It's such a stupid system, as far as protecting against spam

Actually this is a consquence of software which demands third party relays. Something which is outside the spec in thr first place. If RFC 2821 were actually followed then it would be considerably harder for spammers...

Re:this is a good idea...

[mpe]

Also, I you CC a lot you'll be wasting bandwitch since your mail server has to connect to all the people who you send the mail

How many legitimate emails do you think this applies to? Also the people who'd be most inconvenienced by not being able to use a third party relay as an expander are spammers

Re:Translation:

[mpe]

These are not an open mail relays. Only verizon customers can acess the verizon mail relays.

Some ISP provided third party relays are only one step removed from open relays. The critical factor is if the ISP has procedures in place to verify the customer is who they claim to be before they are allowed access...

Re:Not sure what to think

[macdaddy]

I haven't set up my RR account (kscable) either. I don't even use their DNS. After the last bad case of router flap I almost dropped their sorry asses. Now if they blocked my outbound tcp/25 connections and forced me to use their SMTP *and* forced me to only use a rr.com address, I'd tell them to -- ---- ---------- and tunnel from my firewall to my server (I should probably do that anyways, tell them off and tunnel).

--

You are an idiot: i've done it

[MadAhab]

I sent mail from a *nix machine over dialup using their servers and putting whatever the fuck I pleased in the From: line.

I host a POP server for some folks who send e-mail over dialup link with a "From" address of their domain for which I MX.

I could give a flying fuck what their customer support says, and I've never called them for anything, ever. Earthlink is handling this stuff in a reasonable way that limits the work they have to do to squash SPAM while keeping options mostly acceptable for their customers. Check you facts against reality before you go insulting people, asswipe.

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

Re:Non-Issue

[MadAhab]

Which would be nice if all MUAs were compliant with RCF2822, or if it didn't confuse the average user to reply to an address that isn't in the "From" line they see...

But if what you're saying is correct, then Verizon's new policy could be stated as "Run your own mail server, or use our email addresses", which sucks for many customers, to be sure. Especially if their static DSL IPs are on the DUL, which would be surprising and stupid. But otherwise, it is a fair and freer approach to Earthlink's "block port 25" solution. For one thing, it won't leave you wondering if the word "Scientology" gets a copy of your email forwarded to a windowless building somewhere.

But if what you're saying is incorrect, then I will NEVER buy DSL from Verizon, and I wouldn't use it if it were free.

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

Verizon does NOT block off-network port 25 conns!

[LinuxHam]

That's the point. They ALREADY block outgoing Port 25 traffic so, yes, that is why this is such a big deal.

No they don't. I'm a Verizon user in Pennsylvania and I can connect on port 25 to any SMTP server on the net that will allow me to. I'm not an Earthlink customer, but several posts above indicate that Earthlink blocks all outbound port 25 connections to all servers except for their own outbound SMTP servers. Your high-port solution applies to Earthlink users.

I've been a Verizon customer since 8/96 and I barely ever use their DNS, SMTP, or POP3 servers. Yes, I'm a horrible netizen, in that my Linux firewall uses world root DNS servers, and updates the list once a month with 'dig'. I alternate my diald between prodigy and verizon sessions. Work pays for my unlimited Prodigy account, but it disconnects after 7 hours of connect time, and Verizon limits monthly usage to 150 hours. So I leave diald on Verizon for normal surfing periods, but switch over to Prodigy when I'm doing multi-day, restartable downloads.

I personally agree with this policy. If you still want to spam you can, but you can't tie up their SMTP servers. If you want to forge an alternate, legitimate From: address, you still can, too, with a little more work. I'm not sure if I think hosting companies should offer this same type of restricted service for their own hosted domains (without SMTP-AUTH or POP-before-SMTP), because I understand that it forces spammers to select valid 'From' domains, thereby releasing wrath of spam fighthers upon already over-worked sysadmins.

So far, it seems POP-before-SMTP or that XTND XMIT feature are best to me.
--
Steve Jackson

Why is this in Your Rights?

[Kwil]

I don't get it.. an ISP says if you want to send mail through us, it has to be mail FROM us, and this is somehow construed as restricting our rights?

If it was the only ISP in town, maybe, but as it is, I don't see the big deal. It's not like my normal web-mail services don't have provision for sending something directly from them.

A pain? Sure. But lets reserve our energies for the real battles.

Re:Why is this in Your Rights?

[harlows_monkeys]

The problem with this is that it accomplishes zero to reduce spam. There are two possible reasons why Verizon could be doing this:

1. They think it will reduce spam. If so, they are completely clueless. This is bad because it is bad in general to have large ISPs that have no idea how to run a network, and also they might become less responsive to spam because they think they have solved the problem.

2. They want to make people use an @verizon address, so it will be harder for people to run their own domains, thus tying people to Verizon. Email has become widespread enough to make it very painful to change email addresses. Spend a year or two using an @verizon.com address, and you'll be very reluctant to switch providers, even if the new provider offers much better service.

Either of these is worth a "real" battle.

Re:Use reply-to

[Velox_SwiftFox]

[...]However, one company I host email for found that their ISP started blocking outgoing port 25 - they couldn't use our server anymore - till we just redirected a high port (like 3000 or something) to port 25 on their email server - they updated their clients and it works fine - ISPs can't block ports > 1024 without causing major disruptions in client traffic.

I assume you mean they can't block all the high ports. Blocking a few, e.g. Xindows' favorite ports, has little noticable effect. Note that there isn't any really valid reason to block other ports even if they somehow detect SMTP traffic to them, because spammers aren't going to be using them - said spammers won't be scanning high ports for open relays, and anyone with enough technical cluefulness to set this up probably isn't going to leave their mail server open anyway.

If you really want to give a spiteful IP that just wants to force you to both use their email domain in addresses and use only their servers, put your external SMTP server on port 80. Or 880, et cetra.

That causes MORE problems

[Ungrounded+Lightning]

BellSouth requires the domain you use in the from field to resolve to a valid domain, which seems to be a much better solution than just requiring you to use their domain.

That just means the spammers will have to masquerade as a VALID domain - and some poor sysop who DIDN'T have anything to do with the spam will catch hell.

More Verizon incompetence.

[ktakki]

As a Verizon victim...err, customer, this would affect me as well. Except I stopped using their SMTP server when it started choking on my outgoing mail (hanging in the middle of DATA).

And though I've never used my bellatlantic.net address ever, it somehow manages to receive about ten pieces of spam each day, starting with the very first day my DSL went live.

Then there's the news swerver, which fell down and went boom a couple of weeks ago (collateral damage from the Hipcrime floods?). Instead of rebuilding the spool, they just started from scratch.

Their Tier 2 techs are pretty clueful, but Tier 1 tech support is staffed by some human-fish hybrid.

k.


--
"In spite of everything, I still believe that people
are really good at heart." - Anne Frank

Might drive hosting revenues...

[q2k]

Sounds like an attempt to increase hosting revenues to me. I imagine a lot of people use Verizon for their ISP but host their domains elsewhere as the major ISP's hosting prices are usually on the high side. Of course, if you own your domain name - what ISP you are using is transparent more or less so I would think changing ISP's will be easier than moving your domain to Verizon.

Re:Translation:

[intuition]

These are not an open mail relays. Only verizon customers can acess the verizon mail relays. Just because verizon customers can send emails that purport to be from a non-local domain to a non-local domain does not make them open relays.

Again, even with this policy I can just as easily spam you with a nobody@verizon.net and it would be just as easy or hard for verizon to track me down if i used nobody@nobody.net

This is not their right, ethically

[intuition]

I am tired of corporations changing the rules of the game half-way through. I and many other college students in Boston use DSL and also use our @youruniversity.edu addresses. Because most universities do not have SMTP-AUTH servers - this would effectively prevent us from using our @edu addresses. This will not "reduce spam" and it will not make their "email" more reliable. Tell me how forcing me to use Verizon's email servers rather than ones of my own choosing is more reliable. This combined with the fact that Verizon can't operate any IP services reliably (in my experience) makes it seem even more asinine. This will not reduce spam as I can spam you just as easily through the Verizon smtp with nobody@nowhere.com as I can with nobody@verizon.net. Both are equally difficult or easy to trace to the origin "spamming" customer.

The reasons Verizon provides for doing this are a farce. I am sure the real reasons such as increased customer retention when locked into an email address, increased exposure to email recipients of the verizon.net domain name, etc. are the _real_ reasons for this corporate act of oppression.

Re:This is not their right, ethically

[Arker]

I am tired of corporations changing the rules of the game half-way through. I and many other college students in Boston use DSL and also use our @youruniversity.edu addresses. Because most universities do not have SMTP-AUTH servers - this would effectively prevent us from using our @edu addresses.

Simple solution - your university should have an SMTP-AUTH relay available. Hell, my free email service does - why can't your university? Don't blame Verizon for a problem at your uni.

"That old saw about the early bird just goes to show that the worm should have stayed in bed."

Re:This is not their right, ethically

[misheast]

No, if your university adopted this same policy, it would only mean that you could not use your @yourdomain.com addresses with their smtp servers. If you want to use @yourdomain email addresses, you would have to use @yourdomain's smtp servers. I don't see why it is their responsibility to relay mail that isn't also hosted by them. If you want ot use a secondary mail account, you should provide a secondary smtp server.

Incredibly short sighted.

[jidar]

This is incredibly short sighted and probably actually contributes more spam than it stops. If current Verizon customers want to be able to send mail with a non Verizon return address they must get their return email host to open up relaying for Verizon IP's. In this scenario, it wouldn't take very long for spammers to start sending their bulk mail from Verizon IP's because of an increased likelyhook of finding open relays.

In short, by Verizon doing this they may have inadvertantly created an island haven for spammers to circumvent current anti-spam mechanisms.

Not only that, it completely defeats the purpose of having a local mail relay in the first place. Verizon customers who can't send mail the way they want will start running their own smtp servers, which will probably be misconfigured, once again creating more opportunity for spammers. WinSMPT anyone?

Finally, it seems like a rather Draconian policy to force all of your ISP customers to use your service for email. What's next? Are they going to start advertising in the emails? Compiling information on their customer base?

This is just wrong in so many ways.

Re:And the point is?

[LocalYokel]

It doesn't prevent spam at all -- if anything, it's an inconvenience. To spam on Verizon's servers, all the one has to do is forge an @verizon.com email address. Meanwhile, you wouldn't be able to send anything addressed as being from your gnu.org email address.

--

References for 'XTEND XMIT'

[Nonesuch]

It is available as a patch for Qmail pop3d and is built into many other POP servers, including the stock Berkeley popper.

Client support is primarily in Eudora- the option to enable this feature is tricky to find in the free Eudora client- in eudora.ini, set 'UsePOPSend=1'.

Annoying, but a reasonable policy to enforce.

[Nonesuch]

This isn't really a question of 'relaying' mail through their servers, it's more a question of preventing users on Verizon's network from forging the SMTP 'From' address, when sending outgoing mail through Verizon's mail hosts. This is a reasonable policy to enforce.

It prevents forgery, but also prevents users from using other legitimate email addresses as the sender- since there is no way for Verizon to know an address is legitimate, except for the one address they've assigned to the customer.

There's another tactic that some ISPs are using to prevent spamming- blocking or redirecting end-user connections to any port 25 at any remote host except for the ISPs own mail servers. If Verizon were to combine their anti-forgery rule with a 'you must use our mail hosts' rule, that would be a serious inconvenience to legitimate users.

There is a solution.

If you absolutely must send mail with the 'From' being a domain other than your ISP, see if the actual owner of the domain will set up a POPmail server with 'XTEND XMIT' support, allowing you to send out your mail from an authenticated POP session. Note that this is entirely different from the 'pre-authenticating SMTP relay access' technique that was found to be buggy recently.

Re:Annoying, but a reasonable policy to enforce.

[baptiste]

If Verizon were to combine their anti-forgery rule with a 'you must use our mail hosts' rule, that would be a serious inconvenience to legitimate users.

That's the point. They ALREADY block outgoing Port 25 traffic so, yes, that is why this is such a big deal. The only way for Verizon customers to send email from their own domains is to either switch ISPs or find an email hosting company that can accept SMTP mail from a higher port that won't be blocked.

Re:Annoying, but a reasonable policy to enforce.

[baptiste]

Well then apparently there are different policies depending where you are. I know people on Verizon who cannot send email using external servers due to Port 25 restrictions - perhaps this is a throwback prior to Verizon being created and thus different customers have different setups.

References?

[TomatoMan]

If you absolutely must send mail with the 'From' being a domain other than your ISP, see if the actual owner of the domain will set up a POPmail server with 'XTEND XMIT' support, allowing you to send out your mail from an authenticated POP session. Note that this is entirely different from the 'pre-authenticating SMTP relay access' technique that was found to be buggy recently.

Do you have any references for XTEND XMIT, or an explanation of the bugs in pre-authenticating SMTP? A google search I just ran didn't turn up very much.

TomatoMan

Non-Issue

[bill.sheehan]

I'm a Verizon DSL customer, and this is an utter non-issue. For ~ $25/year, I have my own domain through a DDNS provider and I just run my own mail server. No sweat, and a good deal more reliable than Verizon's has been over the past year.

For the students who are suffering because they can no longer claim to be @foobar.edu when sending through @verizon.net, may I suggest a quick look at RFC2822? Mail programs don't respond to the "From" address, they respond to the "Reply-To" address.

The early bird gets the worm, but the second mouse gets the cheese.

Why is this important? Because...

[friedegg]

My university decided they wanted to stop spam, so they restricted smtp to accounts within their local network. If you're not on campus, or on the handful of dialup accounts, you can not use their server to send email. But, they say, you can use your ISP to send email! Just set your from address to your university address, and no one you're writing to will know the difference. However, that won't work now thanks to Verizona's new policy.

Is this entirely Verizon's fault? No. Is this entirely my university's fault? No. But who gets hurt? The users. In both cases, the person paying for the service. Yes, there are ways around it, but not ways the average user will know or should have to go to the trouble of.

So, do not simply think this is a non-issue.

Re:Why is this important? Because...

[aozilla]

Is this entirely Verizon's fault? No. Is this entirely my university's fault? No.

Nope, it's the fault of whoever invented SMTP. It's such a stupid system, as far as protecting against spam.

For those who don't get it...

[Omeganon]

Let me give you a perfectly legitimate example of why this is bad. Let's say that I have my own personal account with a smaller ISP without national dialup. I also have my corporate email, again without national dialup. Now, both of these SMTP servers have limitations on them such that you can not send email through them unless you are using an IP that is on their network. This is a perfectly reasonable relay-limiting technique. Now, I also travel a lot so I've got to have some kind of national dialup so that I can send and receive both corporate and personal email. Because of the aforementioned anti-relay technique (currently in use by most ISP's), I would only be able to send through my dialup providers SMTP server. Now Verizon is saying that even though I am paying for an national dialup account, with use of their SMTP servers, I can no longer use it for one of the most popular reasons [business] people get national dialup accounts. I really don't think this will fly in the long run because those users will either put up a stink or move somewhere else. It's unduly limiting and won't really prevent what they want to prevent. The spammers will start using @verizon.com in the From: field and use a Reply-To: or put it in the body of the message.

actually, this sucks pretty bad

[keithmoore]

• it keeps you from having your own domain for email
• it keeps you from using a third-party service that provides a stable email address (like pobox.com)
• it locks you into Verizon's service if you don't want to lose traffic at your verizon.com email address
• it keeps you from using Verizon as an ISP if you want to use your company's email address while you travel (yes, you can use a tunnel, but that's a pain)

It might seem okay for them to make whatever restrictions they like for their SMTP servers, but unless they're willing to sell a nailed-up connection with a static ip for a reasonable price, it's not practical for their customers to run their own servers.

Granted, it's somewhat better than blocking port 25, as earthlink does, but it still sucks.

It's getting so that you can't do anything on the net (other than browse the web and exchange email using your assigned address) without getting your ISP's permission.

As bad as SPAM is, it doesn't justify having content police for the Internet. What's next - active monitoring of IP packets for copyrighted material?

That is a misinterpretation.

[1nt3lx]

If you were a customer of Verizon and hosted your domain through Verizon then you would be able to send and receive e-mail to your domain.

Verizon doesn't want to be relaying mail for non-customer domains. Meaning, if I host slashdotsucks.com with Verizion, I can send and receive e-mail from timothy.should.not.post@slashdotsucks.com. However, if I was a Verizon customer, but hosted slashdotsucks.com with another company they would not allow me to send e-mail from timothy.should.not.post@slashdotsucks.com through their servers.

I thought this was standard configuration anyway. I am a Verizon Online subscriber but I use my e-mail services through work.

I don't think this qualifies as a "Your rights online" type of thing, it probably should have been rejected.

I just realized I'm going to receive negative moderation points for saying slashdotsucks.com. Slashdot doesn't suck, this is an unusually terrible story and it is something which really didn't need to be posted. Perhaps timothy should join JonKatz on my Blocked Editors list. I've already got SlashBack blocked.

Re:WHOAH...

[aozilla]

Because 90% of the SMTP mail that doesn't relay through the ISP mail server is spam?

I bet the same percentage of traffic through verizon's relay which does not have a from of verizon.com is a forgery.

Personally, 100% of the SMTP mail I send out does not relay through verizon.com, and is not spam. I know that doesn't disprove your 90% figure, but I would be personally affected by a port blocking measure and would seriously oppose it.

Mail from adomain.com should go through the SMTP server of adomain.com, since only that server has any ability to check the validity of that address. Actually, I'm not convinced that there aren't SMTP servers that enforce this restriction. Blocking 25 would not let you send mail to those systems from your vanity domain.

Re:WHOAH...

[aozilla]

Wow, then i couldn't send out ANY mail from a domain i manage, since our hosting provider doesn't do SMTP from customers (they just accept incoming mail to the domain and either POP3 or forward it) and we don't have the cash to get a mail machine somewhere.

Well, yes, I think this is the way it should work. If we were to design a protocol from scatch, surely that would be how we would do it. Hosting providers like yours would simply not be allowed. Due to historical reasons, we have to accept that some people will be in your situation though.

If only the ISPs would just go after the spammers, instead of treating us all like criminals... What if the USPS would refuse to accept your mail unless you put your current address on it, as opposed to your P.O. Box, or your work address, or your friend's address when she's over at your house and needs to send a letter, etc.? But most people are too clueless about the Internet to care, or are too blinded by the "Spam is evil! Death to spam at all costs!" mantra to notice...

I completely agree with you on this point. It should be the responsibility of the mail recipient to set the rules. It is simple enough to simply refuse mail which is sent with a from an address which does not match the relay server. It is completely trivial to block 99.9999% of unsolicited email. Simply block all email which is not using a From: address from which you have solicited email. But this of course is not what people want. People want to allow unsolicited email, but not unsolicited commercial email. Well, short of AI, you just ain't gonna get that. So you better settle for blacklists.

Re:no it's not. (Re:no, this is different)

[dorzak]

Yeah, both of those 'features' were turned on by Earthlink under threat of lawsuit by either MAPS or ORBS. I don't remember which one. The way to work around it are as follows:

Use your domain address in the reply-to address to get around the FROM issue. Domains that are hosted with Earthlink, or that customers have e-mail addresses through Earthlink with are exempt from this, they are considered valid FROM addresses examples: mac.com

Set your SMTP server to listen on a different port.

These were turned on to defeat the typical script kiddie, and because as part of the settlement Earthlink agreed to implement end-to-end accountability for when users spam. It isn't about the resources of the mail server, although it is cloaked in that by many.

The problem is spammers used to simply use the incorrect FROM field to try and hide. That is easy to stop because with the ISP headers on the e-mail it is easy to track down the spammer and cancel their account. SMTP auth is set up.

Next step spammers took was to sign up with DSL with one provider and use open relay SMTP servers all day. Yes, you can run around swatting open relays all day and get nowhere to stop spammers. So MAPS or ORBS went after Earthlink to set up some accountability for people connecting with them and then using open relays.

While I dislike port 25 blocking it is here to stay. Yes, spam is bad, but fighting it should not inconvenience the average user, or legitimate business use. Mindspring had it for about year before they merged with Earthlink.

There is one exception to Port 25 blocking on that network. Customers with static IP IDSL, SDSL, Frame and Point to Point, since many of them host their own mail servers and are responsible for their own actions.

Another thing that is used as a simple measure to prevent incoming spam is only accepting mail from hosts which meet the following criteria: - You can reverse look up the IP - The resulting name is listed in the mx for the record they reverse as.

Real motive a disincentive from changing ISPs?

[sanemind]

Although in principal I'm all for reducing spam, refusing paying customers the ability to send mail that is returnable to the account they choose would be very annoying. Most people don't like to use their ISP provided email addr because if people come to know them by that addr, [store it in their address book, rolodex, etc], then the customer is more locked into not switching ISP's because they would then lose that address.

They are their own servers and all, they can provide whatever level and type of, cough, service, they want to. If I was using verizon I would consider strongly switching ISP's right away.

Also, there is the question of whether or not it is really necessary to use them as a mail gateway. One can always run one's own invocation of sendmail, and it would happily squirt off mail with any return address you wanted. That is, unless they have transparently proxied port 25, and put this additional restriction on it. Course, that wouldn't be so transparent a proxy anymore, would it.

I'll have to wait until I know more, but I really don't like any additional restrictions on use. Besides, spam really isn't much of a problem to me anyway. Just use seperate addresses for different classes of mail. Keep the spam coming to one or two, and have others for private and personal contacts.

---

Re:Real motive a disincentive from changing ISPs?

[IronChef]

RR has different capabilities in different parts of the country. Probably because they absorbed a mess of smaller companies...

I used to use RR in LA and I wanted to get a static IP and a second email address. They couldn't do either -- at any price. Simply not possible. I checked around and saw that RR customers in other parts of the country could buy those services, and finally managed to get an answer from sales on why I couldn't.

Personally I am all in favor of cable company incompetence. My ATT cable connection here in seattle is fast enough, fairly reliable, and doesn't block any ports. I have become totally dependent on my in-house server, if they started blocking ports I'd be shopping for business DSL the same day.

Forcing users to violate RFC 822

[3247]

This actually forces users to violate RFC 822, the mail format standard: The From header field must contain the author or authors of the message, not the actual sender.
So whenever a Verizon user wants to send a message that was not written by her or him, he is forced to violate RFC 822.
The correct solution would be to force a valid account in the From or Sender field (but maybe that's what Verizon ios doing anyway).

Re:WHOAH...

[Erasmus+Darwin]

Many of the more savvy users start their own mail servers on verizon's network to act as a local relay.

In many cases, this isn't a viable option. The IP addresses assigned by cable and DSL providers tend to be listed on the MAPS dialup list. Refusing to accept mail from machines on that list is, in my opinion, one of the safer and more conservative anti-spam measures that a number of hosts have instituted.

At my second job, we've got business DSL and a static IP address (which isn't listed on the MAPS DUL). However, we still have to relay outgoing mail through our provider's mailserver because of one rather prominent national ISP (Hint: "You've got mail") that chooses to silently discard messages that we attempt to send directly to their mail server. We mailed their postmaster about this, but never got a reply.

If our DSL provider were to do the same thing as Verizon, it would be entirely unacceptable. We're trying to run a business here, and we want the added professional look of From addresses that end in @(ourcompanyname).com.

Spanish Telecom also does that

[Tirs]

Telefónica, the Spanish almost-monopolistic telecom company, began to do this some months ago, and the only problems that arose were that THEY DID NOT WARN THE USERS BEFORE. The "end" users, the ones with modem connection and two-emails-a-day, had no problem. The e-mail-junkies (like me) and the heavily-Internet-dependant companies (like the one I work for) simply set up their own Linux SMTP servers in their old, already-replaced, no-longer-usable-for-desktop 486 (or, if they use Linux in their desktops, as it is my case at home, just set up an SMTP server which I fire up only when I need it, to save RAM).
Bottom line: NO PROBLEMO.

Re:Earthlink is configured this way

[david+duncan+scott]

MSN does the same thing -- I've had to configure email for some of our clients who run mail through our servers but dialup through MSN. You can still send as yourself -- you don't have to send as "@msn.com"

However, the point to remember is that either of these approaches works. It's only if Verizon does BOTH that there will be a problem.

Re:My other accounts

[Technician]

My wife is a student living at home (offcampus). We point a mail profile to the school POP. This would kill reading and replying to mail from the school mailbox. Same holds true for my Cayman Islands mailbox. Both do not have open relays as they are supposed to, so I can't sent mail with their servers. What good is getting mail that you can't reply to using the proper address? I don't want to go to the school just to reply to school mail, or worse, the Cayman Islands just to reply to mail. I don't want to give everyone at the school my local ISP mailbox. I'm keeping it spam free. The school account will close at the end of the year and all the varsity signup stuff will go away with it! With that restriction, I can't use Verison as a ISP. That kills one quarter of the usefullness. The reply to addresses in my mail are valid.

Re:My other accounts

[Technician]

Sorry for the unclear wording... I tried to say they have it right by being closed, which is the way it belongs.

WHOAH...

[sourcehunter]

Wait a dern minute here...

I can understand blocking outgoing port 25 on your network except for your mail server and thus assuring that all mail is routed through the ISP's mail server - Mindspring/Earthlink has been doing this for quite a while! But not relaying mail for your local users (regardless of from address) breaks one of the core reasons for having LOCAL mail servers. What the hell else are people going to do? Most third partys' mail servers are locked down to allow local relay only (as well they should be!). Yeah there are a few open relays out there, but everyone won't be able to find one. I for one won't be opening up my server!

Here's what I see happening:
This will actually increase Verizon Online's network's contribution to spam...

1. Verizon blocks their users from using their mail servers for foo@bar.com accounts
2. Many of the more savvy users start their own mail servers on verizon's network to act as a local relay.
3. Some of these people aren't going to be savvy enough and some of these servers will not be configured correctly such that they are open relays (not hard AT ALL to do)
4. Some spammers find these open relays
5. Verizon's network is now contributing to the spam

Basically, what this tells me is that they are too lazy to police their own users by dealing with spammers when they occur and instead have opted to just say "It isn't us! We're secured!"

Not sure what to think

[daniel_isaacs]

Obviously this is not a kosher thing to do with regards to established norms of Internet community and openess. But, this ain't 1993. I seriously doubt how much spam this will prevent.

But, in the end, the servers ARE theirs. If they don't want to share, or if they want to limit thier customers abilities, we can do thing the Capitalist way. Not buy thier service, and use other smtp servers. I've had RoadRunner for over a year now, and haven't even setup my *@rr.com accounts. I use thier DNS, but that's it. Perhaps I don't fully understand the implication of Verizon (Sprint) doing this, but I don't really see how it will amount to a hill of beans.

Re:Use reply-to

[baptiste]

What's the problem?

You obviously have never run a small business. Small business owners want their business to appear biger and more professional to be attractive to customers. Sending email from address X reply to address Y appears amateurish and presents them as technically challenged. Small companies need Internet access and sometimes Verizon is the only game in town. You used to be able to host email at a web hosting company till ISPs started blocking ALL outgoing SMTP traffic. So much for that. So folks found they could send using their ISP server while still using their domain in their email. Now Verizon is blocking that. Its sad and in teh end will only hurt Verizon.

I'm lcuky enough to have an ISP that doesn't pull hair-brained schemes like this - but they are small and understand who their customers are. However, one company I host email for found that their ISP started blocking outgoing port 25 - they couldn't use our server anymore - till we just redirected a high port (like 3000 or something) to port 25 on their email server - they updated their clients and it works fine - ISPs can't block ports > 1024 without causing major disruptions in client traffic.

So now those of us hosting small (and even large) ISPs/hosting companies are faced with not just fighting spammers, but fighting brain-dead ISPs who would rather impact their customers in the name of blocking spam. Problem is there is ALWAYS a work around!

The bottom line is, if you are faced with this problem and can find someone else with an email server - see if they can either redirect a high port to port 25 on their firewall or on the mail server itself.

Re:Third Party Relays

[baptiste]

If you have a secondary email account (I have 6 from 4 different ISP's) then you should set up your secondary accounts to use the correct servers.

Problem is you CAN'T DO THIS with Verizon since they block ALL outgoing SMTP traffic except traffic FROM their email servers. Thus, your client CANNOT use a secondary email server to send email - the traffic is blocked - plain and simple. Thus this decision means you MUST send email from verizon's domain or not at all unless you use a web based client to send email directly from your secondary ISP's servers OR find an ISP willing to redirect a higher port > 1024 to port 25 on their mail server to get around the Port 25 traffic blocks.

This isn't so bad...

[DennyK]

Most people who have "outside" domains will also have outside SMTP mail servers to use. Only those people with those forwarding address services, etc. will really be affected. I almost never use my ISP's email service anyway... ;)

There is an interesting potential issue here, however...lately, another "anti-spam" trick ISPs have been using is to block outbound requests on port 25. This prevents their customers from using outside SMTP servers (and really causes a hassle for us web hosting companies trying to figure out why people can't send mail with their account's servers...). You have to wonder if an ISP will ever try to implement both the From: field restriction and the blocking of port 25, all in the name of "preventing spam..." Perhaps this could be a way for ISPs to more effectively enforce those stupid TOS clauses about not using your Internet connection for business purposes? Do you think enough people would drop an ISP who did this to make it a really bad idea, or do some of these ISPs have enough mindless zombies as clients that they could get away with it? I can't see it working, because there are too many people out there now who do have mail at their own web sites or from other services, but you never know...you wouldn't think so many people would put up with the crap that AOL throws at it's users, but they're still the biggest "sort-of-ISP" out there...

DennyK

Re:This isn't so bad...

[jrp2]

Earthlink already did, months ago.

No, they didn't. I use smtp.mindspring.com and smtp.earthlink.net and both relay just fine (when on their network of course). I NEVER use my ISP issued address in any way, always using either a work address or my personal domain, no problems whatsoever. If you are not using one of the servers above, try them, you'll like them. Yes, they do block port 25.

what a bogus argument

[janpod66]

Of course the servers are theirs. What does that have to do with anything? "The Capitalist Way" doesn't just mean that you take whatever your business partner dishes out quietly. It means that you check your contracts for breach of contract, it means that you let your business partners know when they screwed up, and it means that when you switch to a different provider, you publicize your position and problems with business partner to ensure that others make well-informed decisions.

The counterbalance to a billion dollar company with excellent internal communications is not an individual consumer that makes anonymous choices, it's millions of consumers with a collective interest. And that's why it is important for consumers and customers to get in touch over the Internet and share ideas, like, in a little way, is happening here. You see, that's the Capitalist way.

Third Party Relays

[the_brat_king]

If you have a secondary email account (I have 6 from 4 different ISP's) then you should set up your secondary accounts to use the correct servers. This is what we have black-listing for (to stop third party relays). All mail servers I host not only block relays, but also reject messages where the From: domain doesn't properly resolve with reverse DNS. The affect is that we have less than 1 spam on our servers a day, out of about 750,000 mails a day. We also block the "From:" address (Forging a root email or admin email) except on the administrative system (not only IP checking, but because they are on the same segment it checks the MAC address against the static MAC table). I think Verizon is FINALLY doing something right, and their customers should email them and thank the sys admin who finally got through some middle management's thick skull to implement standard blocking. Congrats to Verizon! Good work in NOT getting black-listed for relaying. (Had they not done this, and been black-listed, would there be an article on slashdot about the evils of a company that allows third-party relays?)

Is the FTC winning?

[6EQUJ5]

They want your spam at: uce@ftc.gov

Don't mess with the Feds. Now if only they had a place to report pop-up ads...

Not as bad as 1st.net

[ChaseTec]

1st.net blocks ALL SMTP traffic. Not just to keep people from other networks from using their SMTP servers, but to keep their own customers from using outside SMTP servers. It shouldn't be to long now till someone does both of these things to completely prevent people from using other email address while connected to them.

Why is this really a problem?

[Fez]

I am on Verizon's network and have never used their SMTP server, so this isn't a big deal. I think requiring their own From: address is a Good Thing(tm) overall. I would also support an action to block outgoing connections to port 25 if it meant less spam being released into the wild.

I currently run a mail server on my home network that I use for outgoing mail. The only downside is that mail (very rarely) gets rejected because my IP is on a list of known "dialup" IP addresses and mail servers that check against that list reject mail from them. I've only had that happen once.

Seems to me anyone could tunnel SMTP over SSH to an SMTP server that is outside their network. Why would that be so hard? And it wouldn't require any auth because to the remote it should appear to be coming from @localhost. Plus, at least for the first hop, the traffic is encrypted.

Granted I've never set that up, but it seems like an easy solution.