[Fwd: Port 25 blocking]

[David Farber <dave () farber net>]

Begin forwarded message:

From: Phil Karn <karn () ka9q net>
Date: May 12, 2005 1:06:08 AM EDT
To: dave () farber net
Subject: [Fwd: Port 25 blocking]



From: Phil Karn <karn () ka9q net>
Date: May 11, 2005 4:56:15 PM EDT
To: rsk () gsp org
Cc: Lauren Weinstein <lauren () vortex com>
Subject: Port 25 blocking


>And blocking port 25 _bidirectionally_ is a recommended best practice
>for all consumer ISPs -- well over 90% of the spam/spam attempts  
logged
>here come from the estimated 100M zombies out there which are now
>participating in an ongoing global DoS attack via massive spamming.

I take *very* strong opposition to this statement. The job of an ISP  
is to deliver packets without discriminating on the basis of content,  
period. That content includes TCP port numbers. Only when a recipient  
complains that a particular user is spamming, attacking, or spreading  
malware should an ISP take any kind of action against the sender. And  
that action should consist of complete disconnection, not just  
blocking port 25.

Your approach simply causes unacceptable collateral damage. Many  
people prefer to run their own personal email servers. These are not  
spammers or virus writers. They have many perfectly legitimate  
reasons to run servers, ranging from wanting to avoid the invariably  
slow and unreliable servers provided by their ISPs, to wanting a  
readily accessible audit log confirming the actual delivery of their  
email, to wanting to use a third party's email service, to wanting to  
benefit from the extra degree of security protection provided by the  
STARTTLS encryption facility that can only be obtained when it's run  
to or from your own mail server.

There seems to be an implicit, unquestioned, almost mystic belief  
that somehow forcing all end users to route outbound mail through  
their ISPs' mail servers will magically stop spam and viruses.  
Apparently all those servers must be running some sort of 100%  
effective filter. The fact is, such filters don't exist or we'd *all*  
be running them. So the only way that an ISP's mail server can limit  
outbound viruses and spam is to throttle *all* outbound email from  
*all* users -- and that's exactly what usually happens in practice.  
That's one of the reasons so many users have the perfectly legitimate  
desire to run their own mail servers.

Many, if not most, inbound mail servers already run spam and virus  
filtering mechanisms to block malicious traffic in that direction.  
That is something I encourage as long as the recipient retains full  
policy control, because these servers are not perfect. One good  
approach, followed by some enlightened ISPs, provides IMAP servers  
and automatically places spam into a separate Junk folder where the  
user can still look at it for false positives if desired. I myself  
rarely find false positives, but I do make a point of reporting all  
phishing spams to the financial institution in question to help track  
their origins. This isn't possible if I don't get them.

Again, the overriding principle *must* be RECIPIENT CONTROL. The  
recipient may choose to delegate spam and virus filtering to his ISP.  
Or he may choose to do it himself, e.g., if he runs his own inbound  
mail server. That's his right too. But if sender-side blocking of  
port 25 becomes universal, then the right of the recipient to control  
what he receives is taken away. This is not acceptable.

Indeed, when an ISP forces all outbound mail through a single server,  
it actually impairs the recipient from doing certain kinds of  
filtering, such as source IP address blocking, because such a block  
would stop all email from all users of that ISP. Just another example  
of why sender-side port 25 blocking is such a bad idea.

Your own argument shows, unintentionally I'm sure, that it's a bad  
idea. Every ISP on the planet has to do port 25 blocking, or the bad  
guys will simply move to those ISPs that don't. In particular, many  
ISPs that already do block port 25, either directly or by submitting  
their dynamic IP address blocks to the MAPS DUL, still offer static  
IP addressing without port blocking as an option. I subscribe to such  
a service myself (Speakeasy DSL's "sysadmin" option, where they  
specifically promise to never block any port) precisely so I can run  
my own email server with a minimum of hassle.

Such unblocked services are obviously also available to spammers and  
would-be virus writers. So the logical consequence of your argument  
is to pass a law that *no* end user may ever be allowed to send a  
packet to port 25. Then how do you legally define an "end user"?  
Would an ISP need a formal government license to run an email server  
that sends directly over port 25? Is this the direction you *really*  
want to take the Internet, where the power and utility have always  
come from the lack of red tape and government regulation in the  
provision of useful services to others?

Think through the consequences of what you're advocating, and I think  
you'll have to conclude that it's just a bad idea. The only workable  
approach is for the recipients to retain policy control over what  
they receive, and your recommendation takes that away.

--Phil





-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/