
Re: Ports 465/587 in exit policy (was Re: Update to default exit policy)



But it is worth noting that ISPs often are very unfriendly to spam. I've received several abuse notifications from my dedi's ISP due to Tor exit traffic, all of it because of outgoing spam using insecure webmail services (where my node's IP shows up in the headers as originating IP). I imagine they'd take direct spam (from you to a mailserver) much more seriously, so it could create more problems for node operators if their nodes are involved in that so directly. I would say that is reason enough to not open port 25 by default, and likewise with 465/587 *IF* they are commonly unsecured. Running an exit node is difficult enough already without having the ISP all over you for being a spammer :P

It's an interesting balancing act, but might be worth trying for the uses it does have. The other option would be for operators to explicitly allow these ports to gmail IPs, but there might be quite a few of those, and it wouldn't take care of other providers.

- John Brooks

On Wed, Sep 3, 2008 at 10:36 PM, Roger Dingledine <arma@xxxxxxx> wrote:
On Sun, Aug 31, 2008 at 04:32:29PM +0100, Dawney Smith wrote:
> Dawney Smith wrote:
>
> >> I know this has been discussed before, but I thought I'd bring it up
> >> again. The following rules are in the default exit policy and I can't
> >> see any reason why they would be:
> >>
> >> reject *:465
> >> reject *:587
>
> So is there going to be a change to the default Exit Policy?
>
> Dawn

Hi Dawn,

Thanks for sticking with this. I'm probably the closest person there is
for changing the default exit policy. I confess I still haven't worked
my way through all the off-topic garbage on or-talk from a few weeks ago.

Unfortunately, I'm not up on all the different ways that people screw up
configuring their mail services these days. Back in 2005 when we first
added 465 and 587 to the exit policies:
http://archives.seul.org/or/cvs/Sep-2005/msg00090.html
we did it because people showed up and explained that many sites were
running services on those ports that were basically equivalent to what
they run on port 25.

It sounds like nobody has any objections to opening these ports back up.
And it sounds like it could help those folks using gmail, etc.

So I am inclined to do it.

We can do it in the 0.2.1.x development series, and that way it'll be
pretty easy to change our minds if anything comes up.

(Ultimately, I don't think it should even be necessary to reject port
25 by default. The spammers are doing great on the Internet already,
and Tor is tremendously inefficient compared to the spamming engines
they use now. But these economic arguments are too subtle when used on a
really really angry person, so we've preferred the simpler "Tor doesn't
allow that" approach so far.)

Thanks,
--Roger
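
Added example (not part of the original messages and not Tor's own code): a small first-match evaluator for exit-policy lines, showing how per-destination accept rules placed ahead of the `reject *:465` / `reject *:587` lines quoted in the thread would behave. The 192.0.2.0/24 documentation prefix stands in for a mail provider's submission servers, and the trailing `accept *:*` and the reject-on-no-match fallback are assumptions of this example.

```python
import ipaddress

# Constructed policy for illustration. Operator rules come first, then the
# port-25 rule and the two default-policy lines quoted in the thread, then a
# catch-all accept (assumed here for brevity).
# 192.0.2.0/24 is a documentation range, not a real provider's address space.
POLICY = """
accept 192.0.2.0/24:465
accept 192.0.2.0/24:587
reject *:25
reject *:465
reject *:587
accept *:*
"""

def parse_policy(text):
    """Parse 'accept|reject ADDR[/MASK]:PORT[-PORT]' lines (IPv4 only)."""
    rules = []
    for line in text.strip().splitlines():
        action, pattern = line.split()
        addr, _, port = pattern.rpartition(":")
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-"))
        else:
            lo = hi = int(port)
        rules.append((action, net, lo, hi))
    return rules

def decide(rules, ip, port):
    """Return the action of the first rule matching ip:port (first match wins)."""
    target = ipaddress.ip_address(ip)
    for action, net, lo, hi in rules:
        if (net is None or target in net) and lo <= port <= hi:
            return action
    # Not reached with a catch-all rule; conservative fallback chosen for
    # this example only.
    return "reject"

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for ip, port in [("192.0.2.10", 587), ("198.51.100.7", 587), ("192.0.2.10", 25)]:
        print(ip, port, decide(rules, ip, port))
```

Because the first match wins, the narrow accept lines only help if they sit above the broad rejects, and every other destination on 465/587 still hits the reject.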