On Mon, Mar 14, 2005 at 11:02:51AM +0000, Tony Finch wrote:
> At the moment we allow unauthenticated message submission for machines on
> our network, but we're planning to remove this option over the course of
> the next 18 months. (It'll take that long because we have several thousand
> computers to reconfigure.) This is part of a general effort to require
> secure authentication for access to our email services.
>
> I'm hoping that this will help us to keep ahead of increasingly clever
> spam zombies and email viruses.
We're (mostly) just finished a similar migration, but on a much much
much smaller scale. We are now down to just two IP address for which we
act as an unauthenticated smarthost.
One thing we have found which can be used as a slight incentive is to
make sure that authenticated and unauthenticate mails you relay have
differing source IP addresses for outbound connections. This is quite
easy to achieve with exim's "interface" option.
By creating this distinction for outgoing mail, and explaining that
there is a higher likelyhood of the address used for unauthenticated
mail ending up on an RBL, it effectively "taints" the unauthenticated
service and can help people see the genuinely better service offering
from the authenticated service.
Of course in reality the difference in likelyhood may not be that great
(though in todays environment I waould say it's significant) and it
usually takes slightly more than a wary spambot infection using your
relay to end up on a relay, but all the same the message that your mail
may be seen to come from a more "spammy" source is a powerful one.
If you have the addresses to spare, adding the few lines to an exim
config acts as an instant incentive and added benefit to an
authenticated service :)
--
Colm MacCárthaigh / HEAnet, Teach Brooklawn, / Innealtóir Líonra
+353 1 6609040 / Bóthar Shelbourne, BÁC, IE / http://www.hea.net/
