Does the name 'Ed Kelleher' ring any bells?

From: der Mouse <mouse_at_Rodents.Montreal.QC.CA>
Date: Thu Sep 2 13:11:52 2004

>> Nor, as far as I can see, is it harassment,
> Are you trying to say that when my mail server connects to theirs (or
> vice versa) and gets a diskfilling denial of service due to spam that
> causes my system to crash and or become unusable, which takes out
> service for thousands of my customers, isn't harassment?

No, I'm not.  I'm saying that the open relay is not harassment.
Certain uses that can be made of it are, but in itself it is not. I
can crank-call you while you're sleeping from a pay phone, too, but the
phone is not the harassment; the calls are. (An open relay is an
invitation to such abuse, hence the "accomplice before and during"
part, but that's all.)

>> Oh, nonsense. Say, on a network not connected in any way to the
>> worldwide Internet, where the (local) convenience *does* outweigh
>> the (small) risk.
> WRONG - give me an example of this "local convenience".

Lower maintenance cost. Lower setup cost.

> Just take 10 minutes to configure the allowable src/dst and it won't
> be necessary.

It requires figuring out how to configure it, if nothing else, and it
really isn't always necessary. In particular, it is not for _you_ to
say when the risk outweighs the benefit on _someone else's_ setup.

I note that all your "but what if"s assume that the setup is an ongoing
thing. Suppose I'm experimenting with some captured malware on three
machines completely isolated from anything else (nothing but sneakernet
from the net to it, nothing at all from it to the net except for my
knowledge resulting from the analysis), all of which will have their
disks wiped when I'm done. Where's the risk? Maybe I'll accidentally
run an Ethernet cable to the wrong side of the room? I think that's
significantly less likely than my misconfiguring an on-the-net server
as open by mistake.

> Or second, what happens if it's configured for open relaying and is
> behind a firewall,

I didn't say "behind a firewall"; I said "not connected in any way to
the worldwide Internet".

>> Just, like most security, a risk/benefit analysis, here coming out
>> in favor of the low setup and maintenance cost.
> setting it up right IS low setup and low maintenance.

Not as low as setting it up totally open - especially when it's an
unfamiliar MTA.

