Auteur: W B Hacker Date: À: exim users Sujet: Re: [exim] How do ISP's restrict access without authentication
Charlie wrote: > Hi,
> I was wondering how exactly ISP's - that don't require authentication -
> manage to restrict access to their customers only.
> I know that Exim can restrict access by IP address, but IP addresses can be
> spoofed (and very often are spoofed by automated scanners which search for
> SMTP servers that are open in this way).
> How then, do ISP's manage to prevent their servers from being abused?
> In other words, if an ISP only authenticates based on IP address, then
> surely that would leave their server open to abuse.
> The answer to this question will help me a lot.
> Thanks
>
>
Simple, really. Though the explanation may be less so..
;-)
A 'connectivity' ISP is what we are talking about here - specifically an entity
that provides (broad)bandwidth. Not all also offer mail services, but most do.
Their customers are connected to their host(s) over a network the ISP controls.
Whether that is cable-modem, [a|d]dsl, or fiber to the desktop, all arrivals
(with whom we are concerned herein) attach from access points under the control
of that ISP - even if routed over intervening contract carriers.
In this environment, all IP's assigned to the almost-always present NAT device,
are issued from a pool (Allocated Portable) controlled by the connectivity ISP,
and traverse only routers they control.
In effect, the customers are 'inside' a ring-fence, hence 'known' to be from
those attached to their network and in their billing system, and no others.
Ergo, their system 'knows' which customer is on which assigned-from-pool IP at
any given date/time, as the IP may be changed at intervals from 15 minutes (PCCW
ADSL PPoe) to a few times a year.
NB: Examples include PCCW, HKCable (Hong Kong), Comcast, Verizon, SWBell (USA),
BTL (UK). IOW - fiber, cable, or telco 'major carriers' with physical
outside-plant. Nothing to do with the MTA, per se - everything to do with the
network architecture.
Exceptions - big as they are - include MSN/Hotmail, Gmail, yahoo, AOL - who
ordinarily do NOT provide fiber, cable, or copper to the average residence or
business. These have to rely on userid:password auth just as a one-man shop does.