Verizon Email Restrictions

CodeMonkey5 writes: "The following excerpt is from a Verizon email sent to all Verizon customers regarding the use of their SMTP servers. The gist of it is that if you are using an email address other than that of Verizon in the 'From' field, you cannot use their SMTP servers. '...If you are sending email using an email address other than one provided by Verizon Online, this message affects you. Effective, August 8, 2001, you will no longer be able to send email from any email address other than the one provided by Verizon Online (this includes privately branded domains and secondary ISP accounts). We are taking this action as a result of our continuing efforts to improve the quality and reliability of Verizon's mail system and is one of several steps to help reduce spam. The effect of this change is that Verizon Online email will no longer support sending email from other ISP accounts or privately branded domains that are not hosted by Verizon Online ...'"

This really isn't so bad.

1) They are their servers and they really can enforce policies like this. While this really has nothing to do with spam they do have the right to make such a policy.

2) Most people these days use POP-BEFORE-SMTP or SMTP-AUTH in order to use a remote smtp server. It is a much better system because it allows people to actually send mail from THEIR server as opposed to relaying through their ISP's and having that in the headers.
For Security reasons alone I don't like my ISPs mail server in my headers and my mail server strips my IP from the outbound mail.

Again, this just really isn't that big of a deal, plus anyone on verizon's net can just run an SMTP server of their own and let other verizon users relay off of it. just create www.verizonrelay.com or something.

If you have questions about how POP-BEFORE-SMTP works just search google or email me offline, it really is a painless and easy system that all your remote users will love.

-davidu

Re:Uhhh.. how's this a problem?

This isn't really a relaying issue, though - they're just disguising it as one.

The real issue is that people are ordering Verizon, and either hosting their own domains (over DSL, with a static IP), or using other email addresses (such as domains they may have forwarding to their Verizon account, or alternate ISP accounts with better email packages/controls) - and Verizon doesn't like that.

The dream of all big consumer-oriented corporations is a huge closed-doors community, where once you're a customer, you have to do everything through them. That's what Verizon wants.

They want to guarantee that if you're a Verizon customer, that you USE your Verizon-branded email. That makes your address a "verified good" address, that they can then put on a list, along with your name, and any other personal information that you've given them, and sell to other companies.

They want to make sure that when you go for a domain for yourself, or your business, that you have NO CHOICE but to have Verizon host it - otherwise yo won't be able to take advantage of it through your existing Verizon 'net access account.

Were I a Verizon Online customer, which I'm not, I would be furious - even if this policy didn't affect me *now* - as it might in the future.

I'm very glad I went with Speakeasy for my DSL line, and not Verizon. It will be a sad day when Speakeasy implements any kind of policy like this.

As for options existing Verizon customers have - the best option would, of course, be to cancel your Verizon account, tell them the reason, and go with a competitor who has a saner policy. Barring that - is Verizon blocking SMTP sends from DSL customers running their own SMTP servers on static IPs? If not, it might not be a bad idea to pick up a cheap linux box and run Sendmail/Postfix/Exim/Qmail to handle external accounts.

Re:Non-Issue

Congratulations on completely missing the point.

• Mailing lists look at "from" or worse, envelope-sender when allowing you to post or subscribing you.
  
  
• Most mailers will take the From address, not the Reply-to, when
  adding to an addressbook.
  
  
• Most people don't even look at the reply-to.
  
  
• There exist broken mail gateways which lose the reply-to.
  
  
• Many mailers these days ignore reply-to entirely, because of broken
  mailing lists.
  
  
• Many broken mailing lists completely ditch the reply-to and put on
  their own.
  
  
• Slightly less broken mailing lists won't overwrite a reply-to, but
  that means that people on the list who expect that hitting R will
  reply to the list (because they've gotten used to the list setting
  reply-to) will accidently and possibly unknowingly not send things
  to the list when they want to.
  

I have been using the ats@acm.org address through several ISP changes
over 5 years or so and it has enabled people to find me after long
amounts of time. It only works because people will pull up old
emails of mine and see the address, and try it. No amount of telling
people what email address to use will stop short-lived addresses from
finding their way into people's addressbooks. No matter how much I
like OOL, eventually I'm going to stop using it because eventually,
I'm going to move off the island. (The odds of my wife completing her
PhD, doing two postdocs, and finding a tenured faculty position all
while sticking in this area are low, you know?)

I'm not precisely sure how ensuring a verizon return address would help
the spam issue. If it's sent through your IPs, you can track the
spam down no matter what the address. If it's not, you can't do
anything. (After all, you already refuse to relay from outside your
IPs.) It might make it slightly easier for other admins to lay blame,
but they're going to have to trace headers anyway to show that it
isn't someone relaying through uu.net and setting an verizon return
address.

Re:Just use your own relay.

iMac: $999
OS X: Included with the iMac
Sendmail: Free

Factual Slashdot Post: Priceless
---

From us that host domains

We are a small ISP and host domains and for some of the business in the area. We recently had a couple of them come to us with this problem. We don't want to install pop before smtp at this moment as we are rebuilding our datacenter. Since verizon dsl doesn't even offer static ip's to it's customers, we have 2 choices, tell the customer to use their verizon mail address and their @domainname address in the reply to field. Or us open up our mail server to accept mail from a /22. When talking to verizon they told our customer that they should just host with them. Spam my ass. -doon

Wrong Re:Move on, nothing to see here.

If this were to stop using their SMTP servers when you are not connected to the internet through Verizon Online, then this will be indeed OK. However, it sounds like even if you are dialed into the Verizon system, or connected via DSL, they are trying to prevent you from using their SMTP server, only because you are using an e-mail address from a domain not hosted by Verizon.

Usually an SMTP server is provided by your ISP, since you are part of their network when you are connected to their service, and they can contlrol who uses the SMTP servers based on IP address. POP and IMAP servers can be provided from any place. If you have your own domain, the hosting provider usually provides a pop server, so that you can have e-mail going to your domain.

There is no technical reason behind this decision, only an attempt to force the Verizon customers to host their domains with Verizon.

Shhh. It's a secret

I geuss I'll have to use the secret Reply-to: header.

That causes MORE problems

BellSouth requires the domain you use in the from field to resolve to a valid domain, which seems to be a much better solution than just requiring you to use their domain.

That just means the spammers will have to masquerade as a VALID domain - and some poor sysop who DIDN'T have anything to do with the spam will catch hell.

This is not their right, ethically

I am tired of corporations changing the rules of the game half-way through. I and many other college students in Boston use DSL and also use our @youruniversity.edu addresses. Because most universities do not have SMTP-AUTH servers - this would effectively prevent us from using our @edu addresses. This will not "reduce spam" and it will not make their "email" more reliable. Tell me how forcing me to use Verizon's email servers rather than ones of my own choosing is more reliable. This combined with the fact that Verizon can't operate any IP services reliably (in my experience) makes it seem even more asinine. This will not reduce spam as I can spam you just as easily through the Verizon smtp with nobody@nowhere.com as I can with nobody@verizon.net. Both are equally difficult or easy to trace to the origin "spamming" customer.

The reasons Verizon provides for doing this are a farce. I am sure the real reasons such as increased customer retention when locked into an email address, increased exposure to email recipients of the verizon.net domain name, etc. are the _real_ reasons for this corporate act of oppression.

Incredibly short sighted.

This is incredibly short sighted and probably actually contributes more spam than it stops. If current Verizon customers want to be able to send mail with a non Verizon return address they must get their return email host to open up relaying for Verizon IP's. In this scenario, it wouldn't take very long for spammers to start sending their bulk mail from Verizon IP's because of an increased likelyhook of finding open relays.

In short, by Verizon doing this they may have inadvertantly created an island haven for spammers to circumvent current anti-spam mechanisms.

Not only that, it completely defeats the purpose of having a local mail relay in the first place. Verizon customers who can't send mail the way they want will start running their own smtp servers, which will probably be misconfigured, once again creating more opportunity for spammers. WinSMPT anyone?

Finally, it seems like a rather Draconian policy to force all of your ISP customers to use your service for email. What's next? Are they going to start advertising in the emails? Compiling information on their customer base?

This is just wrong in so many ways.

Annoying, but a reasonable policy to enforce.

This isn't really a question of 'relaying' mail through their servers, it's more a question of preventing users on Verizon's network from forging the SMTP 'From' address, when sending outgoing mail through Verizon's mail hosts. This is a reasonable policy to enforce.

It prevents forgery, but also prevents users from using other legitimate email addresses as the sender- since there is no way for Verizon to know an address is legitimate, except for the one address they've assigned to the customer.

There's another tactic that some ISPs are using to prevent spamming- blocking or redirecting end-user connections to any port 25 at any remote host except for the ISPs own mail servers. If Verizon were to combine their anti-forgery rule with a 'you must use our mail hosts' rule, that would be a serious inconvenience to legitimate users.

There is a solution.

If you absolutely must send mail with the 'From' being a domain other than your ISP, see if the actual owner of the domain will set up a POPmail server with 'XTEND XMIT' support, allowing you to send out your mail from an authenticated POP session. Note that this is entirely different from the 'pre-authenticating SMTP relay access' technique that was found to be buggy recently.

Re:This is not their right, ethically

I am tired of corporations changing the rules of the game half-way through. I and many other college students in Boston use DSL and also use our @youruniversity.edu addresses. Because most universities do not have SMTP-AUTH servers - this would effectively prevent us from using our @edu addresses.

Simple solution - your university should have an SMTP-AUTH relay available. Hell, my free email service does - why can't your university? Don't blame Verizon for a problem at your uni.

"That old saw about the early bird just goes to show that the worm should have stayed in bed."

Non-Issue

I'm a Verizon DSL customer, and this is an utter non-issue. For ~ $25/year, I have my own domain through a DDNS provider and I just run my own mail server. No sweat, and a good deal more reliable than Verizon's has been over the past year.

For the students who are suffering because they can no longer claim to be @foobar.edu when sending through @verizon.net, may I suggest a quick look at RFC2822 [ohio-state.edu]? Mail programs don't respond to the "From" address, they respond to the "Reply-To" address.

The early bird gets the worm, but the second mouse gets the cheese.

Re:Move on, nothing to see here.

No... You can block relaying by limiting based on IP address. If they were to prevent relaying simply by the from field, anyone in the world could spam through their servers simply by tacking @verizon.com or whatever to a bogus e-mail address. Many people have third party web hosting companies for their domains and use their ISP's e-mail servers for outgoing. This is going to be a big problem, as most web hosts don't allow relaying either.

Re:From us that host domains

You're missing an option: SASL authentication. My Postfix mailserver is configured to use this and it works out fairly well. The major clients (Outlook, etc) seem to have support for it.

It's configured like this:

smtp_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_client,
reject_maps_rbl,
permit
smtpd_recipient_restrictions =
reject_unknown_recipient_domain,
check_recipient_access
hash:/usr/local/etc/postfix/access,
permit_mynetworks,
permit_sasl_authenticated,
permit_auth_destination,
reject

The client section allows my networks (you'd put in localhost and your dialup links) and SASL authenticated people, without checking DNS or the RBL (which is important if you are using the DUL; otherwise their machine may be listed and denied).

The recipient section allows SASL-authenticated people to send to addresses other than the auth_destination ones - in other words, to relay.

So, unless I'm missing something (like a big mail client that doesn't support SASL at all), there's a pretty good way for you and people like you to still provide supplementary addresses. And I think this move really will cut down on spam.

Real motive a disincentive from changing ISPs?

Although in principal I'm all for reducing spam, refusing paying customers the ability to send mail that is returnable to the account they choose would be very annoying. Most people don't like to use their ISP provided email addr because if people come to know them by that addr, [store it in their address book, rolodex, etc], then the customer is more locked into not switching ISP's because they would then lose that address.

They are their own servers and all, they can provide whatever level and type of, cough, service, they want to. If I was using verizon I would consider strongly switching ISP's right away.

Also, there is the question of whether or not it is really necessary to use them as a mail gateway. One can always run one's own invocation of sendmail, and it would happily squirt off mail with any return address you wanted. That is, unless they have transparently proxied port 25, and put this additional restriction on it. Course, that wouldn't be so transparent a proxy anymore, would it.

I'll have to wait until I know more, but I really don't like any additional restrictions on use. Besides, spam really isn't much of a problem to me anyway. Just use seperate addresses for different classes of mail. Keep the spam coming to one or two, and have others for private and personal contacts.

---

Re:WHOAH...

Many of the more savvy users start their own mail servers on verizon's network to act as a local relay.

In many cases, this isn't a viable option. The IP addresses assigned by cable and DSL providers tend to be listed on the MAPS dialup list. Refusing to accept mail from machines on that list is, in my opinion, one of the safer and more conservative anti-spam measures that a number of hosts have instituted.

At my second job, we've got business DSL and a static IP address (which isn't listed on the MAPS DUL). However, we still have to relay outgoing mail through our provider's mailserver because of one rather prominent national ISP (Hint: "You've got mail") that chooses to silently discard messages that we attempt to send directly to their mail server. We mailed their postmaster about this, but never got a reply.

If our DSL provider were to do the same thing as Verizon, it would be entirely unacceptable. We're trying to run a business here, and we want the added professional look of From addresses that end in @(ourcompanyname).com.

WHOAH...

Wait a dern minute here...

I can understand blocking outgoing port 25 on your network except for your mail server and thus assuring that all mail is routed through the ISP's mail server - Mindspring/Earthlink has been doing this for quite a while! But not relaying mail for your local users (regardless of from address) breaks one of the core reasons for having LOCAL mail servers. What the hell else are people going to do? Most third partys' mail servers are locked down to allow local relay only (as well they should be!). Yeah there are a few open relays out there, but everyone won't be able to find one. I for one won't be opening up my server!

Here's what I see happening:
This will actually increase Verizon Online's network's contribution to spam...

1. Verizon blocks their users from using their mail servers for foo@bar.com accounts
2. Many of the more savvy users start their own mail servers on verizon's network to act as a local relay.
3. Some of these people aren't going to be savvy enough and some of these servers will not be configured correctly such that they are open relays (not hard AT ALL to do)
4. Some spammers find these open relays
5. Verizon's network is now contributing to the spam

Basically, what this tells me is that they are too lazy to police their own users by dealing with spammers when they occur and instead have opted to just say "It isn't us! We're secured!"

Re:Move on, nothing to see here.

What if you have your own domain name for E-mail purposes, like if you have your own small business? So much for that, unless the people hosting your E-mail have an SMTP server available, which may not be the case if you're just using it for forwarding to your Verzion POP3 box. Ideally you could set up a SMTP server, but that isn't always feasible in the real world, and if Verizon starts blocking outgoing SMTP (like a lot of ISPs, including mine [swbell.com] do already) you're SOL.

At any rate, if the point is to stop spammers, it's not necessarily going to be very effective, since there's no reason a spammer couldn't give a bogus @verzion.com E-mail address (or, worse, use somebody else's real one).

Not sure what to think

Obviously this is not a kosher thing to do with regards to established norms of Internet community and openess. But, this ain't 1993. I seriously doubt how much spam this will prevent.

But, in the end, the servers ARE theirs. If they don't want to share, or if they want to limit thier customers abilities, we can do thing the Capitalist way. Not buy thier service, and use other smtp servers. I've had RoadRunner for over a year now, and haven't even setup my *@rr.com accounts. I use thier DNS, but that's it. Perhaps I don't fully understand the implication of Verizon (Sprint) doing this, but I don't really see how it will amount to a hill of beans.

This isn't so bad...

Most people who have "outside" domains will also have outside SMTP mail servers to use. Only those people with those forwarding address services, etc. will really be affected. I almost never use my ISP's email service anyway... ;)

There is an interesting potential issue here, however...lately, another "anti-spam" trick ISPs have been using is to block outbound requests on port 25. This prevents their customers from using outside SMTP servers (and really causes a hassle for us web hosting companies trying to figure out why people can't send mail with their account's servers...). You have to wonder if an ISP will ever try to implement both the From: field restriction and the blocking of port 25, all in the name of "preventing spam..." Perhaps this could be a way for ISPs to more effectively enforce those stupid TOS clauses about not using your Internet connection for business purposes? Do you think enough people would drop an ISP who did this to make it a really bad idea, or do some of these ISPs have enough mindless zombies as clients that they could get away with it? I can't see it working, because there are too many people out there now who do have mail at their own web sites or from other services, but you never know...you wouldn't think so many people would put up with the crap that AOL throws at it's users, but they're still the biggest "sort-of-ISP" out there...

DennyK

Re:This really isn't so bad.

They are their servers and they really can enforce policies like this. While this really has nothing to do with spam they do have the right to make such a policy.

In the same sense, they also have a "right" to drop every other packet you send, to give access to your credit card info on their server to some con artist, to replace all web pages traveling over their wires to you with their preferred ones, or to spam you with E-mail when you connect to their server. But many of those actions may constitute breach of contract or be in violation of other laws. And most are a good reason to switch and let everybody else know how lousy that company is. You see, that's our right as consumers.

This "it's their hardware and they can do what they want" argument doesn't imply that everybody should just quietly accept whatever stupidity a service provider commits. Make noise. Complain. Switch. Organize. Boycott. Those are your rights, and companies will listen when they stand to lose millions of dollars.

Third Party Relays

If you have a secondary email account (I have 6 from 4 different ISP's) then you should set up your secondary accounts to use the correct servers. This is what we have black-listing for (to stop third party relays). All mail servers I host not only block relays, but also reject messages where the From: domain doesn't properly resolve with reverse DNS. The affect is that we have less than 1 spam on our servers a day, out of about 750,000 mails a day. We also block the "From:" address (Forging a root email or admin email) except on the administrative system (not only IP checking, but because they are on the same segment it checks the MAC address against the static MAC table). I think Verizon is FINALLY doing something right, and their customers should email them and thank the sys admin who finally got through some middle management's thick skull to implement standard blocking. Congrats to Verizon! Good work in NOT getting black-listed for relaying. (Had they not done this, and been black-listed, would there be an article on slashdot about the evils of a company that allows third-party relays?)

Re:Move on, nothing to see here.

Yes, but MANY ISPs, perhaps most, block outbound port 25. I don't know if Verizon does. If an ISP were to reject emails not from their domain, and block port 25, this would be a major problem. I guess you can still use the "Reply To" header, but that is kind of weak.

Overall, this move is a headache for those of us that try to do work from home, expecially those that are not techies. I can't tell you how many headaches this is going to cause various support organizations and customers. I totally believe that the defacto standard method of ISPs restricting by IP to their own networks only was a decent way to approach this.

The real problem is that as each ISP takes a different approach, the problem gets more and more complicated as the corporate and non-ISP email providers help desks need to track solutions by ISP for how customers need to configure outbound mail.

I'll go even further to say this solves nothing. If I were a spammer running on Verizon I would just use a fake address within the Verizon domain to circumvent it (eg. fake_user@verizon.com).

Bottom line, really bad idea, a sizable percentage of their honest customers are going to be seriously inconvenienced by this and it does little to prevent spam.