i think you'll find that port 25 is blocked going anywhere except the operator's outgoing MTA.

this is to require authentication to send email, exercise rate limiting, and other anti-spam-sending strategies.

if the ISP is going to be held responsible for the behavior of their clients, then the ISPs are going to take some action to police that behavior.

note i'm not suggesting this is a good idea, just that it's what has happened given the current reality.

there is a huge disconnect here. one camp claims that mail sending should not be allowed by just "anyone", since that ability is instantly abused by Bad Guys. another camp claims that forcing email through alien MTAs is a violation of the end-to-end principle, privacy, assorted other good ideas.

both are right at some level.

there *is* no notion of "strong identity" in the network world today and i know of no serious attempt to create one, probably for good reasons.

this means that actions on the Internet are inherently anonymous, or at least unaccountable, because the only "identity" arises from a contractual business relationship between a person and an access provider. the access provider is therefore held to be a proxy for the individual since he does (or at least should, at some level) have a role in allowing that individual to take various actions.

one major source of the problem is the ease with which Internet access is available. one can get a dial-up account quite readily and the credentials required are trivial to acquire, especially for someone determined to acquire them.

so if a Bad Guy acquires access, he can do a lot in the amount of time required for the business feedback loop to deny access and cancel the account. in the meantime, the Bad Guy has acquired numerous other accounts and when one fails, he just starts using a new one.

This is essentially a "disposable identity". The identity is the binding inherent in the business relationship with an access provider, and when it becomes worthless, it is discarded and a new one is used. A consequence of the ease with which credentials can be acquired is the ease with which new accounts, and hence new identities, can be acquired.

To fix this at the "source", so to speak, it would require making access *much* harder to get. simply matching credit cards, etc, is insufficient (credit cards are easy to get), so this leads to a world where some kind of background check would be required. I don't think anyone wants to pursue that. (at least seriously)

So what's left?

As I said earlier, the alternative is to provide the ability to intercede in network behavior fast enough to have any effectiveness. This generally means preventing sending email without some form of vetting. This usually means authentication and then some additional behavioral control on top of it.

Rate-based models seem to be the least intrusive. They allow people doing "real people" things to proceed with essentially zero interference while spam senders are thwarted to some significant effect.

If a client has a real need to have the behavior limits altered, the provider can enter into an addendum to the service agreement. this still provides for a degree of behavior monitoring to police the impact on the rest of the network.

I will end by noting that many people are in both of the camps described above - they want a "throat to choke" proxy for individual behavior, but they want unimpeded ability to send email themselves. while I agree with the desire, it is self-contradictory.

-mo
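The authenticated, rate-based submission control described in the message above, sketched as an added example that is not part of the original post. The account names, the 20-per-hour default, the one-hour window and the `newsletter` override (standing in for a service-agreement addendum) are all assumptions, and the traffic is constructed.

```python
from collections import Counter, deque

WINDOW = 3600        # seconds; assumed value
DEFAULT_LIMIT = 20   # messages per window for an ordinary account; assumed value

class SubmissionPolicy:
    """Per-account sliding-window limit, applied only after authentication."""

    def __init__(self, overrides=None):
        # account -> raised limit agreed in a service-agreement addendum
        self.overrides = dict(overrides or {})
        self._accepted = {}  # account -> deque of timestamps of accepted sends

    def decide(self, account, now):
        if account is None:
            return "reject"            # no authenticated identity, no relay
        limit = self.overrides.get(account, DEFAULT_LIMIT)
        sent = self._accepted.setdefault(account, deque())
        while sent and sent[0] <= now - WINDOW:
            sent.popleft()             # forget sends older than the window
        if len(sent) >= limit:
            return "defer"             # over the limit: temporary failure
        sent.append(now)
        return "accept"

def simulate(policy, events):
    """events: (timestamp, account) pairs; returns Counter of (account, decision)."""
    tally = Counter()
    for now, account in sorted(events, key=lambda e: e[0]):
        tally[(account, policy.decide(account, now))] += 1
    return tally

def constructed_traffic():
    """Constructed sample: a person, a bulk burst, the same burst with an addendum."""
    events = [(t * 600, "alice") for t in range(12)]     # one message per 10 minutes
    events += [(t, "bulk-acct") for t in range(500)]     # one message per second
    events += [(t, "newsletter") for t in range(500)]    # same burst, limit raised
    events += [(5, None)]                                # unauthenticated attempt
    return events

if __name__ == "__main__":
    policy = SubmissionPolicy(overrides={"newsletter": 1000})
    for key, n in sorted(simulate(policy, constructed_traffic()).items(), key=str):
        print(key, n)
```

The ordinary account never notices the limit, while the burst is cut off after its first 20 messages until the window rolls forward.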