Reviewing SMTP authentication

Following my last post about having to cancel a small number of customer accounts due to spam being sent via our email service using those accounts, I have been reviewing the approach UKFSN takes to providing an outbound email service, and I am considering some changes.

There are a number of options I am evaluating, some of which are briefly detailed below.

1. Keep the existing service as it is, with customers able to send email via our servers if they are on a UKFSN broadband connection or if they authenticate the SMTP session with their account username and password. While this would have the benefit of not breaking anything for customers, it would do nothing to address the problem of keeping the UKFSN email service secure when some customers fail to keep their account credentials secure.

2. Stop providing an outbound email service via SMTP for those who are not on a UKFSN broadband connection. If UKFSN no longer supports authenticated SMTP, it cannot be abused. This approach would simplify my life significantly and would not impact those who use the UKFSN webmail service or send email from their broadband connection; however, it would remove a service that some customers rely upon. While I am loath to withdraw a service customers are using, I am not willing to have the UKFSN email service abused to send spam or to continue paying the increasing cost of dealing with the fallout when a customer account is used to send it.

3. Continue to provide an outbound authenticated SMTP service but change the authentication mechanism to something other than account credentials, so that those account credentials cannot be abused if a customer gets a virus or trojan on their PC. This would be disruptive to customers and might well require more technical ability than many customers have to use, thus creating more demand for support in an area I am not happy to provide that support – there are too many different email clients for me to spend my time trying to learn how to configure them all.

I’m not sure which approach is best. Given that this service currently costs more to run than it generates in income I am not willing to spend too much effort or money on it.
