The Old Joel on Software Forum: Part 3 (of 5)

ISP taking liberties?

Recently I tried to send mail using the SMTP on my own colocated server through my dialup connection. It seemed to work fine but it also worked when the server was down!

Reason? The ISP redirects ALL port 25 traffic to it's own SMTP servers. I discovered this when I tried telnetting to my server.

Now, they don't specifically mention this activity anywhere in their terms/conditions and when asked they refuse to provide documentation for 'security reasons'.

I'm not sure that contractually they have the right to change the final destination of my IP traffic, certainly not without me knowing about it.

Anyone got any ideas on this?

gwyn
Thursday, January 29, 2004

I'd say you should check your contract very closely. I bet they left themselves the right to do it. I understand why they're doing it, too, and I can't say I really blame them. Sucks if it's something that's stopping you up... you could always use a VPN as a by-pass for it.

Brad Wilson (dotnetguy.techieswithcats.com)
Thursday, January 29, 2004

Maybe they want to check all outgoing email for virusses and spam. If so I applaud them.

Jan Derk
Thursday, January 29, 2004

I've looked at the contract. There is nothing that alludes to it. And it's all done without my knowledge.

The company is Freeserve (UK arm of Wanadoo). I've had a lot of hassle with trying to get email support and answers to questions from them; they simply failed to respond so I rang up one of their directors at home on Monday evening to get some answers.

This particular issue looks like it could be fun to pursue as a thorn in their side so I'm now threatening them with a breach of contract claim. For the fun of it.

Ultimately I just want to waste as much of their time as they have mine!

Hope noone here works for Wanadoo and spoils my fun!

gwyn "don't fuck with me" di nero
Thursday, January 29, 2004

Jan, I suspect you're right, they don't want to be the connection that allows someone to start spamming through an unprotected SMTP gateway.

I applaud them as well. They just need to be a little more open about what they do adn what the customer can and can't expect

gwyn
Thursday, January 29, 2004

Brad, I should also mention that I do have VPN access to my server but it's no good being 'inside the box' when I want to test the security and functionality from an external source.

gwyn
Thursday, January 29, 2004

They've been doing that for years, we used to be with them. As for legal, it's their network, I'm reasonably sure they can do what they want.

At least most isp's have gotten over the idea of shutting down all incoming port 80 traffic to 'prevent the spread of the internet worms'.

Colin Newell
Thursday, January 29, 2004

"They've been doing that for years, we used to be with them. As for legal, it's their network, I'm reasonably sure they can do what they want."

It's not just "their network" ... it's a network that customers are *paying* to use. They have a responsibility to inform customers of things like this.

T. Norman
Thursday, January 29, 2004

lots of ISPs block traffic on port 25. that's reasonable if overkill. but actually redirecting anything other than a known security risk (e.g. 'virus of the week phones home to 127.0.0.1, so block that address) is a dangerous precedent.

anyone here ever going to buy a belkin router again, for example?

mb
Thursday, January 29, 2004

"This particular issue looks like it could be fun to pursue as a thorn in their side so I'm now threatening them with a breach of contract claim. For the fun of it."

Must be a Linux user. No one else could get all up in arms like this over it, or decide to be such an ass on purpose.

Zactly.
Thursday, January 29, 2004

"They have a responsibility to inform customers of things like this."

What law requires that?

Do you mean ethically? Bullshit. Like the previous poster said, it's their network. They can admin it how they like. If you aren't happy with them hijacking all outbound port 25 traffic, then get a new service. *shrug*

Brad Wilson (dotnetguy.techieswithcats.com)
Thursday, January 29, 2004

"This particular issue looks like it could be fun to pursue as a thorn in their side so I'm now threatening them with a breach of contract claim. For the fun of it."

Boy, do you need to get laid, badly.

Just me (Sir to you)
Friday, January 30, 2004

need to get laid? well you can never get too much so I guess I'd agree!

And no, not a Linux dood, but probably would be if there were enough hours in the day.

However, this boils down to a point of principle. I don't know what it's like for you yanks but these days quality of service and products in the UK has turned to shit.

In the last couple of weeks I have had problems with products and the customer of 2 big companies; Candy/Hoover and Sky. In both these cases I've had their MDs on the phone to sort the issues out, because it's the only way to get things done unless you want to expend lots of your own time crawling throughtr their maze of customer services/care/relation or whatever they call it; all designed to NOT to give you what you need in a timely manner!

Now as a point of principle I decided some time ago that I would no longer put up wuth shit service and if my time was wasted with it then I would waste more of their time in response.

Too many people are apathetic and put up with it. Which means that they get away with it, which just means getting more of the same in the future.

This is a proactive approach which is often at odds in today's reactive society. In fact so at odds that almost any proactive people are treated with the same disdain as soothsayers and witches.

The fact of the matter is that there are a growing number of companies in the UK that if I have a problem with I get put through almost immediately to someone who will sort it out because they still have records of what happened last time they messed me about.

Freeserve / Wanadoo are midway in that education process but what it also teaches them is that there are people who will not put with shit and they don't know who they are so they need to be a little bit more careful when dealing with everyone.

Gwyn
Friday, January 30, 2004

Nope, freeserve have done forever (as does AOL) to stop spammers signing up.
Use port 587 to a smarthost or get service from a commercial ISP.
You will however find that direct to MX from dialup ranges is widely blocked outright. AOL no longer accept direct to MX from cable modems and DSL ranges.
Our corporate ISP in the UK (demon) told AOL all the IP addresses that should have direct to MX servers on (i.e. their smarthosts, plus folks like us who provide our own MX for incoming mail) PLUS because their userbase historically has been tech savvy they told users that if they did want to run their own smarthosts they would tell AOL for those users.
Life is tough and since the spammers started using home users machines via trojans this situation will get to be normal.
I pay someone to smarthost my home domain away from my ISP (along some websites) because my ISP is a cable modem provider and I'm sure their smarthosts will end up in blocking lists occasionally (spamcop is good example) due to trojanned home users.

Peter Ibbotson
Friday, January 30, 2004

"If you aren't happy with them hijacking all outbound port 25 traffic, then get a new service. *shrug*"

Just let me know that *BEFORE* I sign up and have already paid the setup fee and first month's service, OK? They are free to do what they want as long as they INFORM THE CUSTOMER FIRST. Why do you think they have the right, legally or ethically, to keep this a secret?

T. Norman
Friday, January 30, 2004

"these days quality of service and products in the UK has turned to shit"

Yeah? Try going to Germany, it is far worse.

Friday, January 30, 2004

"Just let me know that *BEFORE* I sign up and have already paid the setup fee and first month's service, OK? They are free to do what they want as long as they INFORM THE CUSTOMER FIRST. Why do you think they have the right, legally or ethically, to keep this a secret?"

Did you ask? This street goes both ways.

Brad Wilson (dotnetguy.techieswithcats.com)
Sunday, February 1, 2004

Let me expound.

There is such a thing as "reasonable expectation". For example: the reasonable expectation for the typical home ISP user is that they'll be able to browse the web; the unreasonable expectation is that they'll be able to run a web server. Therefore, I'd consider it inappropriate behavior if the ISP prohibited web browsing without being told up front, but not inappropriate behavior if the ISP prohibited web serving without being told up front.

Basically, if what you're doing isn't something 99% of people are going to be doing, you have no right to expect that it will necessarily work. ESPECIALLY in this case, where you're talking about being able to poke into random mail servers, an activity that is generally associated with spamming.

I'm sorry, but I can't shed any tears if you didn't ask up front about this.

Brad Wilson (dotnetguy.techieswithcats.com)
Sunday, February 1, 2004