Does the name 'Ed Kelleher' ring any bells?

From: Jay West <jwest_at_classiccmp.org>
Date: Thu Sep 2 12:57:38 2004

> Hardly. At least so far, it is not actually illegal, and thus not
> criminal - at least not (as far as I've heard) in any relevant
> jurisdiction. Nor, as far as I can see, is it harassment, though it
Are you trying to say that when my mail server connects to theirs (or vice
versa) and gets a disk-filling denial of service due to spam that causes my
system to crash and/or become unusable, which takes out service for
thousands of my customers, isn't harassment? Of COURSE it is.

> Oh, nonsense. Say, on a network not connected in any way to the
> worldwide Internet, where the (local) convenience *does* outweigh the
> (small) risk.
WRONG - give me an example of this "local convenience". Just take 10 minutes
to configure the allowable src/dst and it won't be necessary. So what you are
saying is it's ok to create a dangerous situation rather than configure it
right to only allow relaying from truly local domains because it's "out of
reach". I see two problems with your stance. First, that system MAY be "off
the net". But what if a year later it's decided to add it to the net? Or
second, what happens if it's configured for open relaying and is behind a
firewall, and later some hacker gets around the firewall (read: VPN)? They
then have a machine "ready to r0ck dudez!". Just do your JOB in the first
place, instead of being LAZY, and none of this is an issue.

Let me give you an analogy in response. Setting a can of gasoline and an
open flame lantern next to each other on the sidewalk of a busy street is a
STUPID idea. But you know what? Setting a can of gasoline and an open flame
lantern next to each other in the privacy of your own home, behind locked
doors... is *STILL* irresponsible. It's just plain LAZY.

> Not "needed". Just, like most security, a risk/benefit analysis, here
> coming out in favor of the low setup and maintenance cost.
Setting it up right IS low setup and low maintenance. Setting it up wrong is
begging for high cost. More specifically, an admin who takes the route of..
"Oh, I'm just going to allow open relay because it SHOULDN'T cause a
problem", is someone who is careless and, more importantly, leaving a large
timebomb waiting for some other admin later (or themselves) to step on.

I could ALMOST see your point if configuring the allowable src/dst was a
nontrivial task. The fact is, it takes just a couple minutes. So sys admins who
use that excuse are just plain lazy, and irresponsible. Unfortunately, they
are not just putting themselves at peril, they are putting others at peril
due to their laziness.

Jay

Received on Thu Sep 02 2004 - 12:57:38 BST
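
The "allowable src/dst" restriction argued for in the message above, modelled as an added Python example; it is not part of the original post and not any mail server's own configuration. The networks, domains and function names are constructed placeholders, and the check on routing characters in the local part is an extra assumption of this sketch.

```python
import ipaddress

# Constructed placeholder policy (documentation address ranges and domains).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org", "mail.example.org"}

def rcpt_domain(rcpt):
    """Return the lowercased domain of an envelope recipient, or None if unusable."""
    addr = rcpt.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    # A local part that carries its own routing characters asks this host to
    # forward the mail somewhere else, so treat it as malformed.
    if any(c in local for c in "%!@"):
        return None
    return domain.rstrip(".").lower()

def relay_decision(client_ip, rcpt, open_relay=False):
    """Decide one RCPT TO: 'accept' or 'reject'."""
    if open_relay:
        return "accept"              # the misconfiguration: no src/dst check at all
    domain = rcpt_domain(rcpt)
    if domain is None:
        return "reject"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "reject"
    from_local = any(ip in net for net in LOCAL_NETS)   # allowed source
    to_local = domain in LOCAL_DOMAINS                  # allowed destination
    return "accept" if (from_local or to_local) else "reject"

# Constructed sample envelope data: (connecting client, recipient).
SAMPLES = [
    ("192.0.2.10", "friend@example.net"),               # local client, outbound
    ("203.0.113.5", "user@example.org"),                # outside client, local rcpt
    ("203.0.113.5", "victim@example.net"),              # outside to outside
    ("203.0.113.5", "victim%example.net@example.org"),  # nested routing
]

def compare(samples=SAMPLES):
    """Return (client, rcpt, restricted_result, open_relay_result) per sample."""
    return [(ip, rcpt, relay_decision(ip, rcpt), relay_decision(ip, rcpt, True))
            for ip, rcpt in samples]

if __name__ == "__main__":
    for row in compare():
        print("%-12s %-32s restricted=%-7s open=%s" % row)
```

The last two samples are the case the message warns about: a host that becomes reachable from outside later still refuses third-party relaying when the restriction is in place, while the open configuration accepts everything.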
