ISPs
Ian Batten
ukcrypto at chiark.greenend.org.uk
Wed, 27 Feb 2008 15:09:21 +0000

On 27 Feb 08, at 1434, Roland Perry wrote:
>
> Not sure I understand. Are you saying it's OK for them to block
> your outbound SMTP? Abuse processes that involve a lot of one-to-one
> conversation with customers don't scale very well.

Outbound SMTP blocking (i.e. you can only send mail via the ISP's
servers) is pretty common, if not standard, practice these days,
surely? And not just ISPs: I know at least two Russell Group
universities which block port 25 in and out of the site other than
via centrally-managed relays.

In passing, there's an amusing cyclical nature to security
practices. We've spent the last fifteen years with a structure of
having a DMZ containing application relays (mail, squid, etc) and the
main business operating on RFC1918 IP numbers, without NAT. So the
only way on and off the site is via the application relays. It
causes a few problems, and there's been a handful of cases where
we've had to use packet-level gateways, but it's largely been
effective at avoiding contamination. In 1994 this was fairly common
practice. Five years ago I had the odd dust-up with new employees
who claimed that I was being unreasonable and their previous employer
allowed everyone unfettered access to the Internet via NAT. Now I
don't get any complaints, and outbound firewalling (which our
structure provides inherently) is very much the beat of the streets...

ian