Markie
join:2003-07-26
Kalispell, MT | Boo
Boo to that. Punishing the innocent is never a cool thing. Kick off the spammers, don't block ports for the rest of us. This ought to be a bigger target of the net neutrality folks... |
|
Tweak
Premium
join:2002-06-08
Oklahoma City, OK
 ·Cox HSI
| Are you joking blocking outbound port 25 is one of the most effective methods in combating spam. Net neutrality is not about dictating How ISPs should run their networks. Net neutrality is about making sure traffic is treated equally and not discriminated against for competitive reasons. |
|
PapaMidnight
join:2009-01-13
Baltimore, MD
1 edit | I think he's more in reference to the block on port 80. But no argument about the latter part.
Edit: TLS or SSL are always options. |
|
tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
 ·Hollis Hosting
 ·Verizon Online DSL
·Fairpoint Communic..
| reply to Tweak
said by Tweak  :Are you joking blocking outbound port 25 is one of the most effective methods in combating spam. How does blocking outbound Port 25 help? I agree inbound but fail to see what blocking outbound port 25 accomplishes.
What it will do is annoy customer's like me that have a hosted domain and use off network SMTP server.
/tom |
|
RARPSL
join:1999-12-08
Suffern, NY
| reply to PapaMidnight
said by PapaMidnight :TLS or SSL are always options. NO they are not since VZ does not support SSL on their POP or SMTP Servers (and does not support the SMTP-over-SSL and POP-over-SSL Ports [465 and 995 respectively]).
BTW: The blocking of Port25 is for attempts to connect to Non-VZ SMTP MSA Servers (Mail Injection from Clients) when using VZ connectivity. The activation of Port587 is good news since it means that you can now securely use the VZ MSA Servers when connected to some other Network (such as a WiFi or Hotel) where your UserID/PW can be monitored/stolen.
Even Better would be if VZ provided SSL support (as mentioned above). |
|
NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC
| reply to tschmidt
said by tschmidt :How does blocking outbound Port 25 help? I agree inbound but fail to see what blocking outbound port 25 accomplishes. Outbound port 25 access allows a Verizon subscriber to access port 25 on a remote host. Such as an infected Verizon user's computer connecting to my mail server on port 25. If Verizon blocks outbound port 25 access, that means no 'bots on Verizon customers' infected computers can connect to my server.
The spammer does not need inbound port 25 access to the infected computer; any of the 65,535 TCP ports will suffice. But they can't get to the target gateway mail server from the Verizon network if the Verizon network chokes off port 25.
I watched the logs on my server, and, in 2004, SBC was the worst, followed by Comcast. In 2005, both SBC and Comcast implemented some form of blocking of outbound port 25. SBC opted for a blanket block on all users, and dubious connections from residential SBC IP addresses dropped dramatically. Comcast implemented a reactionary approach; block their subscribers when excessive SMTP activity was detected.
SBC dropped off the radar, and Comcast fell to near last place; Road Runner and Verizon became the top dogs in my dirty list.
The most recent rewrites of the email RFCs more clearly specify that port 25 access should be only used for mail transfer by email services, and that end user message submission should be done over port 587.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum |
|
tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
·Hollis Hosting
·Verizon Online DSL
·Fairpoint Communic..
| said by NormanS :Outbound port 25 access allows a Verizon subscriber to access port 25 on a remote host. It has been common practice for residential ISPs to block inbound Port 25 for years for exactly that reason.
said by NormanS : that end user message submission should be done over port 587. I read it over last night after I posted. I'll have to contact my hosting service to see what they support. I'm in New England, Verizon sold assets to FairPoint but I have to assume they will adopt similar policy at some point.
I'm in favor of steps that reduce spam but some ISPs have adopted rather silly an ineffective anti-spam measures that make life difficult.
/tom |
|
Tweak
Premium
join:2002-06-08
Oklahoma City, OK | Its not ineffective you have had fellow posters explain to you that its very effective in blocking spam. |
|
NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC
| reply to tschmidt
said by tschmidt :said by NormanS :Outbound port 25 access allows a Verizon subscriber to access port 25 on a remote host. It has been common practice for residential ISPs to block inbound Port 25 for years for exactly that reason. Blocking inbound port 25 has no effect on compromised computers' access gateway (MX) mail servers. You could block inbound port 25 to every Verizon customer, leave outbound port 25 unblocked, and compromise Verizon customer computers would be able to make connections to my gateway mail server unimpeded (unless the source IP address was in a blocking list, and my server queried same).
FWIW, neither AT&T (in the legacy SBC regions), nor Comcast block inbound port 25 by default. Comcast only blocks port 25 on evidence of abuse from their customer; that is a bidirectional block when implemented. AT&T (legacy SBC regions only) just blocks outbound port 25; though their block is bidirectional for AT&T Worldnet DSL and AT&T Southeast (legacy Bellsouth) customers.
said by NormanS : that end user message submission should be done over port 587. I read it over last night after I posted. I'll have to contact my hosting service to see what they support. I'm in New England, Verizon sold assets to FairPoint but I have to assume they will adopt similar policy at some point. I'm in favor of steps that reduce spam but some ISPs have adopted rather silly an ineffective anti-spam measures that make life difficult.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum |
|
kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
| reply to Markie
Once again, legitimate users are penalized for the actions of a few bad apples.
That said, I'm ok with port 25 blocking, only if:
1) the block is outbound only, not inbound, and
2) users have an option of having the block removed upon request.
While the majority of "average" users don't need port 25 (provided the ISP's mail servers accept mail on an alternate port such as 587, and they educate the users on how to configure their email clients to use said port), there are legitimate uses for outbound port 25 for power users:
1. One may maintain an offsite mail server and need to test connectivity to said server on port 25.
2. One may be using a non-ISP email service that doesn't accept connections on ports other than 25.
2. One may use nmap or other port scanning tools, and such tools won't report blocked ports.
Also, blocking port 25 is merely a band-aid. Spammers will find other ways to spew their crap (such as posted elsewhere where some spammers were trying to social engineer authentication info from users). For every ISP that blocks 25, there are 10 more that don't have it blocked and the spammers will just go there. Plus, what's to stop spammers from using the bots they already have to issue a DDOS attack, which can be done, port 25 blocked or not.
It's better to boot infected users and get them to clean up their act, than it is to "band-aid" their hemorrhaging.
--
To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you. |
|
NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC
| said by kpatz :It's better to boot infected users and get them to clean up their act, than it is to "band-aid" their hemorrhaging. Might as well boot customers who lose their accounts to social engineering while you are at it.
Actually, this could be good for bandwidth hogs, as well. We'd probably be booting a significant (greater than 5%) percentage of the Internet users in the U.S. if we did this. Thus, fewer users chasing bandwidth. Those using their Internet connections heavily would have fewer competitors for bandwidth; a good thing in their eyes, I am sure. 
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum |
|
