Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

More on outbount port 25 blocking

From: David Farber <dave () farber net>
Date: Mon, 19 Mar 2007 09:53:37 -0400


Begin forwarded message:

From: Carl Hutzler <cdhutzler () aol com>
Date: March 19, 2007 9:36:11 AM EDT
To: dave () farber net
Subject: More on outbount port 25 blocking

For IP...

-Carl

******************
The most effective method to stopping spam is blocking it as close to the origination point as possible. And logging.
Why? Well simply put, once spam is successfully injected into the mail transport infrastructure, it is very difficult for machines to tell the difference between good email (ham) and bad email (spam). Yes, we have great systems in place to try and detect the differences and filter the bad ones out, but none are perfect and false positives are always the by-product. 

A quick history of Spammer Evolution (similar to the cockroach):
1) Spammers need IP addresses in order to originate mail. Without a machine on the internet, a spammer can not inject spam into the system.
2) Spammers in the old days used to purchase large address spaces and bandwidth to send mail, but antispammers got very good at blocking the subnets. So spammers turned to masking their actual connectivity by "creating" millions of IP addresses that could be used to send spam. These machines are referred to as zombies or bot nets but are basically a windows PC infected with a virus that allows the machine to act as a proxy which is in the control of the spammer. Spammers now send the spam through one of these compromised machines (typically a Windoze PC on a always on broadband connection) which masks their true network identity.
Most (>99%) of these infected PCs have no legitimate requirement to transmit unauthenticated email data on port 25. In an improved world, Port 25 should only be used for sending unauthenticated email data from mail server to mail server (Mail Transmission Agents - MTAs). Mail Clients (MSAs) should always authenticate before being allowed to submit (originate) mail. Even if the client is on the server's "trusted internal network", it should be a requirement for the client to always authenticate before sending mail. Period. Clients always authenticate to read mail, why do we allow anonymous submission of mail? 

http://mipassoc.org/spamops/draft-hutzler-spamops-05.txt
I know blocking port25 from end-user machines works well and without major side-effects. I did it for a large ISP and saw the sustainable results. We then did it on behalf of most of the other ISPs in the world...we did it on our side even if the other ISPs were unable or not competent enough to do it themselves. And the result was nothing less than spectacular and sustainable. 

******

What are the downsides to blocking Port25?
1. People on consumer broadband networks trying to run mail servers on their DHCP addresses 2. People who have web hosting (or similar) accounts that need to submit mail "off network" and their hosting company does not provide an alternative port (e.g. 587) 3. People who are using POP3 before SMTP as their authentication method (John, who created that anyway ;-) 

All of the downsides are solvable:
1. ISPs can whitelist their members who run mail servers to allow port25 outbound from those hosts. Remember, this is <<1% of the population. 2. Web hosting companies can start listening for authenticated email traffic on alternative ports, like 587 3. Anyone using POP3 before SMTP should be migrating to SMTP AUTH standards. Period. 

******
I am an engineer. And while system designs always strive for the perfect, we never let the good enough get in the way of fielding a workable solution. So if I could reduce spam by 80% and not have any impact on 99%++ of the population of internet users, I would do it. And for the <<1% of the people who do run mail servers on their broadband connection, lets whitelist them and let them have port25 access. Have a sign-up page for the user and let them say "I need port 25 access, please open it for me". Done. 

I think everyone would be a lot happier.

\Carl Hutzler



-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/@now
Powered by Listbox: http://www.listbox.com
Previous By Date Next
Previous By Thread Next

Current thread: