
535 ...authentication rejected as source IP has a poor reputation

Townman
Superuser
Posts: 23,050
Thanks: 9,642
Fixes: 160
Registered: ‎22-08-2007

Re: 535 ...authentication rejected as source IP has a poor reputation

Just to clarify some points being made in here...

  1. The black-listing of an IP address is not a decision made by Plusnet, but one made by the anti-spam platform Cloudmark which "learns" from the full community of all Cloudmark users
  2. Delisting usually happens after 24 hours, but if there is a repeat abuser then the IP address can quickly become relisted - I saw this in respect of a local pub - could not send via Plusnet from there - 24 hours later I could - 24 hours later on I could not - clearly the service was being abused by a customer (note that the service appeared to have a fixed IP address)
  3. SMTP Authentication when connecting from an alien network is not sufficient - if it were there would be little defence from account credentials having been hacked

The most practical solution here is to get a connection with a clean IP address and then keep that connection (and the IP address) alive.  EE's user forum suggests that a mobile fixed IP address is not available, whereas this site - EE Fixed IP SIM Cards From Comms365 Limited - suggests that they are.  I have not read beyond the headline.

I doubt that moving to Plusnet mobile would help any if the price were right.  PN mobile uses the EE network thus it would appear that the inbound connection was coming from EE anyway and if there were indeed better discernment, I doubt that the PN email systems would be aware that the connections were "friendly".

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

jab1
Legend
Posts: 17,111
Thanks: 5,493
Fixes: 255
Registered: ‎24-02-2012

Re: 535 ...authentication rejected as source IP has a poor reputation

Thanks, @Townman. So, @mooblie - I was not 'vehemently' defending Plusnet - just pointing out the facts nicely summarised above. FYI - I will rock the boat with PN when they mess up, just look at some of my other posts, especially on the 'Feedback' board.

John

MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: 535 ...authentication rejected as source IP has a poor reputation


@Townman wrote:

3. SMTP Authentication when connecting from an alien network is not sufficient - if it were there would be little defence from account credentials having been hacked

I, and the thousands of other mail providers out there that don't do what Plusnet do, disagree with that. Does anyone know of *any* other mail provider that does this?

Compromised account credentials - or unacceptable use of the account by the owner (same outcome, different cause) - should be handled by removing/restricting access to that account. That's why you have authentication because it brings with it accountability. Reputation-based IP restrictions are not the right solution to this particular problem.

mooblie
Rising Star
Posts: 56
Fixes: 1
Registered: ‎12-08-2007

Re: 535 ...authentication rejected as source IP has a poor reputation


@MJN wrote:

Compromised account credentials - or unacceptable use of the account by the owner (same outcome, different cause) - should be handled by removing/restricting access to that account. That's why you have authentication because it brings with it accountability. Reputation-based IP restrictions are not the right solution to this particular problem.

Also agreed.  If I ("I" being established by my credentials, not my IP) misbehave, punish ME.

But not if I just happen to inherit a baddie's previous IP. 

That's just being technically lazy, and pi**es off existing customers.

Townman
Superuser
Posts: 23,050
Thanks: 9,642
Fixes: 160
Registered: ‎22-08-2007

Re: 535 ...authentication rejected as source IP has a poor reputation

If only it were that simple.

IP addresses can get a bad reputation using multiple credentials across multiple email hosts.  Thereby the IP gets a global poor reputation and appropriately gets blackballed ... in an attempt to stop the substantial volumes of SPAM which the same users complain not enough is being done to block.

The alternative of course is to just allow any old Tom, Dick or Harry access to the relay server to distribute shed loads of SPAM, thereby get the main Plusnet servers a bad reputation and screw up mail for everyone.  I have seen it happen... it's ugly and crippling for the whole organisation, not just an inconvenience for a few users.


MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: 535 ...authentication rejected as source IP has a poor reputation


@Townman wrote:

If only it were that simple.


It might not be 'simple' per se, but it is relatively straightforward. Other mail providers manage to cope without adopting tools intended to help protect against undesirable mail delivery from unauthenticated (and therefore untrusted) MTAs.

 


@Townman wrote:

The alternative of course is to just allow any old Tom, Dick or Harry access to the relay server to distribute shed loads of SPAM, thereby get the main Plusnet servers a bad reputation and screw up mail for everyone.


No, that's not the alternative, thanks to SMTP Authentication. It turns 'any old Tom, Dick or Harry' into 'Customer A, Customer B and Unknown Bad Guy X'. The first two can authenticate and relay (regardless where they are connecting from, even the dirtiest of ISPs out there) and the last can't. Not only does it provide authentication, in turn it also enables authorisation (i.e. now we know who they are, what are they allowed to do? Send as many emails as they like, or are they rate- or cap-limited? Any email they like or just ones that don't look like spam and/or contain malware?) and accountability (i.e. who sent what and when so you can look back in time and determine who was responsible for doing Bad Things and take appropriate action if you didn't spot it and prevent it at the time). If Customer A decides to get up to no good you act accordingly, just as if they were doing it without SMTP AUTH whilst connected on-net to Plusnet's own network (as they know who has what IP address at any point in time and so that's the authentication and accountability covered without requiring a username and password - they can't do this when he's connecting externally hence SMTP AUTH is used to fill that gap).

corringham
Seasoned Champion
Posts: 1,237
Thanks: 650
Fixes: 16
Registered: ‎25-09-2015

Re: 535 ...authentication rejected as source IP has a poor reputation

I agree with you @MJN . An authenticated user should never have e-mail blocked based on the source IP. A compromised or suspected compromised user could/should have access suspended pending investigation.

Plusnet's policy of blocking an authenticated user from sending e-mail based on the reputation of the IP address which is out of the user's control is just broken behaviour. I know of no other e-mail provider that does this.

I haven't used Plusnet's e-mail service for years, and I'd encourage everyone that wants a reliable e-mail service not to use Plusnet's.

Given the number of problems with it (both mail transfer and webmail), I wouldn't be surprised if it is one of the services that Plusnet will drop in the next year as they simplify their offerings.

mooblie
Rising Star
Posts: 56
Fixes: 1
Registered: ‎12-08-2007

Re: 535 ...authentication rejected as source IP has a poor reputation

@MJN: We are getting nowhere, here - but thanks to you and others for your support.  Best to stop with the brick wall and head-banging I fear now.

 

To Plusnet: I still cannot send any emails - what a surprise: - six days after I started this particular thread (and I've had this problem on and off for weeks/months now)  I still get:

 

"READ Apr 23 17:54:14.843 [kCFStreamSocketSecurityLevelTLSv1_2] -- host:relay.plus.net -- port:587 -- ....

....535 ...authentication rejected as source IP has a poor reputation"

 

Supposed to right itself? Please!

Thanks a bunch, Plusnet. Way to go with customer support.

Townman
Superuser
Posts: 23,050
Thanks: 9,642
Fixes: 160
Registered: ‎22-08-2007

Re: 535 ...authentication rejected as source IP has a poor reputation

You’ve got a compromised IP address from YOUR ISP. What do you expect Plusnet to do? Rewrite their security model?

I can understand that you don’t like it and it does not suit you, but this protects the email platforms for the rest of the user base, such protection being facilitated by CloudMark.


MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: 535 ...authentication rejected as source IP has a poor reputation


@Townman wrote:
You’ve got a compromised IP address from YOUR ISP. 

Well, no, that's not what he's got at all. He's using an IP address that - let's say for argument's sake - was the temporary home for someone doing something bad in the past. That person has now moved on and, more to the point, the OP is *authenticating* himself with Plusnet so Plusnet now know *exactly* who is attempting to send mail through them and thus can make the OP accountable for everything he does in accordance with the AUP that he had to agree to on sign up. Exactly the same as if the OP was posting on-net with the exception that they don't need to authenticate him as they know who he is from the IP they've assigned to him. If the OP happens to be that bad guy his actions will soon give him away, regardless where he's posting from. Indeed, a middle ground could be employed here - put the address on probation and in doing so limit the amount of damage that can be done (severe rate and cap limits) whilst the OP proves he's the new tenant, and a good paying one at that.

 

What do you expect Plusnet to do? Rewrite their security model?

 

I can't speak for the OP but, personally, yes that's exactly what I think Plusnet should do. They should take the same approach as every other mail platform out there that accepts authenticated SMTP submissions. As one of those operators I can confidently say it works for us; I see no reason why it wouldn't work for Plusnet.
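
The "probation" middle ground raised in this post, combined with the authentication, authorisation and accountability argument from the earlier post, as an added example that is not part of the thread and is not Plusnet's or Cloudmark's code. The class name, the hourly limits and the account names are assumptions made for illustration; the point is that limits and suspension are keyed on the authenticated account, while a listed source IP only tightens the cap.

```python
from collections import defaultdict, deque

WINDOW = 3600          # rolling window in seconds
NORMAL_LIMIT = 200     # assumed per-account hourly cap on a clean IP
PROBATION_LIMIT = 10   # assumed cap while the source IP is listed

class SubmissionPolicy:
    def __init__(self):
        self.suspended = set()          # accounts disabled after abuse
        self.sent = defaultdict(deque)  # account -> timestamps of accepted mail
        self.audit = []                 # (time, account, ip, action) records

    def decide(self, account, auth_ok, ip, ip_listed, now):
        """Return 'accept', 'defer' or 'reject' for one submission attempt."""
        if not auth_ok:
            action = "reject"           # unknown sender: never relayed
        elif account in self.suspended:
            action = "reject"           # the account is punished, not the IP
        else:
            window = self.sent[account]
            while window and now - window[0] >= WINDOW:
                window.popleft()        # forget sends older than the window
            limit = PROBATION_LIMIT if ip_listed else NORMAL_LIMIT
            if len(window) < limit:
                window.append(now)
                action = "accept"
            else:
                action = "defer"        # temporary failure, client retries later
        self.audit.append((now, account, ip, action))  # accountability trail
        return action

    def suspend(self, account):
        self.suspended.add(account)

def demo():
    """Constructed scenario: two customers behind one listed, shared IP."""
    policy = SubmissionPolicy()
    shared_ip = "198.51.100.7"          # documentation address (RFC 5737)
    results = [policy.decide("customer_a", True, shared_ip, True, t)
               for t in range(12)]      # customer_a bursts 12 messages
    policy.suspend("customer_a")        # operator acts on the account
    results.append(policy.decide("customer_a", True, shared_ip, True, 20))
    results.append(policy.decide("customer_b", True, shared_ip, True, 21))
    results.append(policy.decide(None, False, shared_ip, True, 22))
    return results, policy.audit

if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```
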

 

MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: 535 ...authentication rejected as source IP has a poor reputation

@mooblie Do you want to PM me the IP address you're on? (Visiting something like https://www.whatismyip.com/ will tell you if you don't know it) We can look up various other databases to see what reputation it has outside of Cloudmark. It may well turn out to be a well-known hideout of the Russian Business Network.

corringham
Seasoned Champion
Posts: 1,237
Thanks: 650
Fixes: 16
Registered: ‎25-09-2015

Re: 535 ...authentication rejected as source IP has a poor reputation


@Townman wrote:
You’ve got a compromised IP address from YOUR ISP. What do you expect Plusnet to do? Rewrite their security model?


Yes! They should not block authenticated users, even if the shared IP address they happen to be using has previously been used for something that Cloudmark disapproved of.

I can understand that you don’t like it and it does not suit you, but this protects the email platforms for the rest of the user base

No it doesn't. The bad actor is long gone and is now using an IP address that isn't blocked. What it does do is prevent a valid authenticated Plusnet customer from sending any e-mails!

Townman
Superuser
Posts: 23,050
Thanks: 9,642
Fixes: 160
Registered: ‎22-08-2007

Re: 535 ...authentication rejected as source IP has a poor reputation

Resolution of this lies with the IP owner; see https://help.proofpoint.com/Proofpoint_Essentials/Email_Security/Administrator_Topics/Other_Features...


MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: 535 ...authentication rejected as source IP has a poor reputation


@Townman wrote:
Resolution of this lies with the IP owner; see https://help.proofpoint.com/Proofpoint_Essentials/Email_Security/Administrator_Topics/Other_Features...

That's sidestepping the cause of the issue, and at best would just buy some time until it happens again. Plusnet shouldn't be factoring IP reputation in to authenticated SMTP submission - changing *that* is the proper resolution.

corringham
Seasoned Champion
Posts: 1,237
Thanks: 650
Fixes: 16
Registered: ‎25-09-2015

Re: 535 ...authentication rejected as source IP has a poor reputation


@Townman wrote:
Resolution of this lies with the IP owner

Removal of the IP from the blocklist can indeed only be done by the IP owner - but Three are not going to bother as one IP address can be shared between hundreds of people, and it is likely that some of them will do something that will put the IP back on the list.

So basically, a Three customer can very simply perform a DoS attack on ALL Plusnet e-mail users that use Three while away from home. But it isn't only Three - it can happen with EE, O2, and Vodafone too, and could happen with any ISP that uses dynamic IP addresses (i.e. most of them).

So by using this blocking policy Plusnet are enabling unintentional DoS attacks.

Cloudmark's own description states:

  • Many providers will use a shared IP address for their services. If other users are sending mail out from the same IP address as you, their sending patterns could be the reason for the poor reputation.

Unfortunately that doesn't help the people that cannot send e-mails, despite them doing nothing wrong and authenticating.