Blocking Port 25 Traffic
'MyDoom' virus reheats the discussion (02:56PM Thursday Jan 29 2004)
tags: business · security · spam

This week's release of the MyDoom virus (and its variant) has renewed the debate among many ISPs over the tactic of blocking outgoing port 25 traffic. Port 25/tcp is used for SMTP, the protocol by which mail is sent, and ISPs often block it to cut down on spam, whether sent intentionally or by infected machines. The block prevents users from sending outgoing mail via any third-party mail-hosting service. What was once a scattered practice is creeping toward an industry standard. DSL Extreme began doing so last fall (though they allowed users to be unblocked upon request). Larger ISPs like Earthlink made the decision to block outgoing port 25 traffic back in 2000, and a number of other large providers (Cox, MSN) have since followed suit. By forcing residential customers to send mail only via ISP mail servers, companies can keep a lid on the volume of mass mailing originating from their residential customers.

Other ISPs take that tactic a bit further, blocking inbound port 25 traffic. Some claim this less common tactic is usually done to prevent users from running a mail server, forcing them to upgrade to a more substantive business account for the privilege. The ISPs themselves suggest that's often the general consensus, but blocking inbound port 25 traffic really helps them keep inadvertent open relays to a minimum, and therefore stay off blacklists.

Those ISPs who don't block outgoing port 25 traffic found themselves considering it anew after being slammed by the MyDoom virus this week. We spoke to Broadband Reports member "Krispy", the Network Security Administrator for Cogeco cable, about her company's plans to block port 25 traffic. "We currently filter inbound SMTP," she says. "We've discussed - and are discussing - outbound SMTP filters, but have not made any decisions yet; although recently Mydoom has sparked that conversation again."

Australian cable broadband provider Optus this week decided to go ahead and block outgoing port 25 SMTP traffic, saying they'd be making only "case by case" exceptions. DSL provider Frontier.net also instituted the change this week after MyDoom bogged down their network much like every other ISP and business. In Frontier's case, they made the announcement last week via a fairly obscure "system alert" notification in the top left corner of their home page. The change left many users writing to us to express their irritation and confusion, some suggesting they'd be changing providers over the company's decision. "The support person I spoke to groaned when I told him what the issue was. Said to call Customer Service and complain - but that it would be a 'waste of breath'." "I'll probably be switching to OOL within 24 hours," the user informs us.

That won't be necessary. Users impacted by the change who use third-party mail services (like ours - check our forum for help) can simply re-configure their mail accounts to use smtp.frontiernet.net as the outgoing mail server in each instance. You shouldn't need to ditch your ISP (nor should you really, since they're fundamentally trying to do the right thing), though you may want to fire off a polite e-mail informing them that such changes should be posted more conspicuously.

Tyrano2K
join:2001-07-29 Canada
1 edit
Just get a commercial service
If someone wants an e-mail service, all they have to do is just get a commercial service for 30 bucks more. So blocking port 25 on residential services just keeps the spam down a bit. -- ~Tyrano2K - Owner Of RP614 Firmware Site ( »home.cogeco.ca/~firmware/ )

keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
Re: Just get a commercial service
But that won't work for the posters who make their livings sending spam.
If you're a spammer, and your ISP blocks outbound port 25, currently you pretty well have to change ISPs.

detfan Premium join:2002-12-29 Livonia, MI
I can't even hit reply to all if there is more than 1 person on the list. You know, when you get an email from a family member to the family. It is a complete joke. I understand the spam part of it, but if you can't reply to an email to all who got it, what's the use? I had two family members arguing back and forth in an email last week, and couldn't tell them to stop if I hit reply all, instead of just reply...

detfan Premium join:2002-12-29 Livonia, MI
Re: Just get a commercial service
It falls into the same problem. I too have had the same problems emailing from my web server because of it, but someone told me to use my ISP as my SMTP to send the mail. The problem is if the mailing list has more than 15 people on it (MY FAMILY) then it refuses to send it.
As if I owed you an explanation with your rude reply, you now have one!!!
Now shadup!!!!

pfrealcom
@optonline.net
My Vonage phone service stopped working after I moved it to a frontiernet.net DSL connection. Apparently, in order to get the firmware update, the ISP needs to leave port 69 unblocked. I had to bring the Cisco ATA adapter to an optonline.net connection in order for it to update. It updated the firmware immediately and my Vonage service started working immediately. I am now going to have to get rid of the Frontier DSL service.

pnh102 Reptiles Are Cuddly And Pretty Premium join:2002-05-02 Mount Airy, MD
·Comcast
Thanks Idiots!
I would hereby like to thank all the clueless, ignorant, lazy or just plain stupid computer users out there for prodding my ISP into reducing the functionality of my internet connection because they are too clueless, ignorant, lazy or just plain stupid to learn about basic things like virus protection and to finally stop clicking on every single email attachment without thinking first. Do you all buy cars without learning how to drive as well?
I don't run my own mail server, but I do send email through my own domain hosting company's email server (mail."mydomain.com"). And thanks to all of you stupid fools out there, now I won't be able to do that. Ugh. -- Do the world a favor, Saddam. Kill yourself.

Camelot One Premium,MVM join:2001-11-21 Sarasota, FL
Re: Thanks Idiots!
I am in the same boat. This will prevent all users from being able to, say, send email from their work address at home. Anyone with a Road Runner account, for example, can only send email from their rr email address.
Stupid. Just plain stupid. -- AMD XP2500+ @2388mhz/ Asus A7N8X-E Deluxe/ 2x 512Mb Kingston HyperX PC3500/ WD 120Gb on serial/ Gainward GF4 4600/ Enermax 465P-VE/Custom water cooler

LBDSL Lightning Bolt VIP join:2002-01-07 Auburn Hills, MI
Re: Thanks Idiots!
said by Camelot One : Anyone with a Road Runner account, for example, can only send email from their rr email address.
This isn't totally true, at least not in some parts of the US.
I have a few clients who use RoadRunner to access the net, but use us to host their site and email.
They are able to use the SMTP server we give them with their hosting account to send mail. -- Lightning Bolt Technologies

Steve I know your IP address Consultant join:2001-03-10 Yorba Linda, CA
said by Camelot One : I am in the same boat. This will prevent all users from being able to, say, send email from their work address at home. Anyone with a Road Runner account, for example, can only send email from their rr email address.
Stupid. Just plain stupid.
What's stupid is that Road Runner even considers the "From" address when relaying email - this is no kind of security (I understand Verizon did this too, perhaps they still do).
If the source IP address is from a "trusted" source - from within RoadRunner's own network - there is no good reason for disallowing users to include any From: address they wish, including valid work addresses.
An ISP that blocks outbound 25/tcp and limits users to the @isp.net From address is doing a bad thing.
Steve -- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site

keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
That is what REPLY-TO/reply address is for
quote: I am in the same boat. This will prevent all users from being able to, say, send email from their work address at home. Anyone with a Road Runner account, for example, can only send email from their rr email address.
That is what the REPLY-TO (in OE accounts, the "reply address") is for.
SENT-BY (FROM or, in OE accounts, the "email address") is formally supposed to be the email address on the ISP the computer is actually on. As noted by another poster, only a few ISPs check this.
ISPs should not be limiting the REPLY-TO (unless maybe the customer has been a problem), but to follow the original intent of the standards, they all should have been limiting the SENT-BY.
My personal feeling is that ideally such filtering (port 25, spam, email virus) should be user configurable, and default to filtering for new accounts.
I think the problem is technical: 1. It increases overhead to add a bunch of individual IP addresses to port blocking rules in the router. 2. There is a bit of manual effort involved in updating the rules for individual customers.
It isn't dumb users that are responsible for "reduced functionality", it is the hackers and spammers who exploit them.

Steve I know your IP address Consultant join:2001-03-10 Yorba Linda, CA
Re: That is what REPLY-TO/reply address is for
said by keith2468 : That is what the REPLY-TO (in OE accounts, the "reply address") is for.
SENT-BY (FROM or, in OE accounts, the "email address") is formally supposed to be the email address on the ISP the computer is actually on.
Says who?
This premise cannot possibly hold water, and it's hard to even know where to start.
First, and most broadly, your online identity is anything you want it to be, and in my book, you "are" any email address to which you have valid access to the mailbox. This gives me probably a half a dozen email addresses, none of which is the "real" address unless I say one of them is.
Second, many people purchase IP services with the sole intent of routing IP packets, and they do not buy into the additional services (email, web space, home page) that the ISP may offer. I have Pac*Bell DSL, but as far as I know I don't have a @pacbell.net email address.
Finally, there is no required connection between "email address" and "physical location" - otherwise this premise would play havoc with the salesman on the road: does he get a new "Sent-From" email address in every hotel?
Steve -- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site

ChrisN4BSA Premium join:2002-05-31 Clearwater, FL
1 edit
This isn't totally true. I'm net admin for a company here in Tampa, and was able to use our company SMTP server (port 25) via my home Roadrunner connection.
However - just today we have implemented a new non standard inbound SMTP port that will allow us to get around the port 25 filtering for those employees that are lucky enough (or is that unlucky?) to be on an ISP that blocks port 25 SMTP traffic.
And - as much as it sucks, amen for the ISPs blocking port 25. I hate to be punished for clueless users, but if it helps slow down the spread of viruses that spread via email, I'm all for it. I'm sick & tired of having to spend hours every day checking our mail quarantine because of all the spam zombies in the wild.

cbs228 Geeks Of The World, Unite
join:2000-09-04 Saint Louis, MO
Re: Thanks Idiots!
Indeed. For access to business servers or other SMTP servers that your ISP blocks, a simple ipfw rule on the server machine (or the router the server is behind) will fix this:
sudo ipfw add fwd serveraddress,25 tcp from any to me inboundport
Where serveraddress is the address of the server (usually "localhost") and inboundport is the port you want to listen on in addition to 25.
NOTE: I'm not responsible for any damage to your machine running this command may incur. Always modify ipfw rules locally as they may interrupt tcp/ip access. Tested on MacOS 10.3.2. -- "If you stare too long into the abyss the abyss stares back at you." -Nietzsche
GENERAL FAILURE READING ©: DRIVE (A)bort, (R)etry, (F)rivolous Lawsuits, (B)ribe Congress?

dilettante
join:2002-01-01 Haslett, MI
Re: Thanks Idiots!
I've often thought that licensing (certifying) users might be a reasonable tactic. Something where you'd agree to random external audits of your network (scans and other penetration tests, monitoring traffic over an interval).
But there are cost and privacy issues I suppose, and it would really cut into the lucrative "granny (grandpaw?) AOL" market of low-use, unsophisticated users.
But I have to wonder... wouldn't it make economic sense to offer high bandwidth to "certified" users and lower bandwidth and blocked ports to those "potential problem users" who are likely to get hijacked - at the same or similar prices? If you keep your network clean and properly isolated and your boxes secure and use adequate throttling mechanisms... [takes a breath] any real hazard from running services is minimal. Violations or complaints and you'd get dropped back to the "wild west" service with ports blocked.
Sort of a "being responsible grants privileges" policy.
But maybe that's precisely where those high-cost commercial offerings come in: you pay for the privilege of being responsible. Everyone else "swims with the fishes" wearing a hardsuit.

RARPSL
join:1999-12-08 Suffern, NY
said by ChrisN4BSA : This isn't totally true. I'm net admin for a company here in Tampa, and was able to use our company SMTP server (port 25) via my home Roadrunner connection.
However - just today we have implemented a new non standard inbound SMTP port that will allow us to get around the port 25 filtering for those employees that are lucky enough (or is that unlucky?) to be on an ISP that blocks port 25 SMTP traffic.
And - as much as it sucks, amen for the ISPs blocking port 25. I hate to be punished for clueless users, but if it helps slow down the spread of viruses that spread via email, I'm all for it. I'm sick & tired of having to spend hours every day checking our mail quarantine because of all the spam zombies in the wild.
The DESIGNATED port to use to inject Email (i.e., send it from a Mail Client) is 587, NOT 25. The problem is that many ISPs are too lazy to activate this port and require SMTP AUTH to access it. Most just say use Port 25 and block outgoing Port 25 to other servers. IMO, ANY ISP that blocks outgoing (to non-ISP Owned SMTP Servers) that DOES NOT accept incoming Email from their customers (while those customers are using Non-ISP Connectivity) on Port 587 is a Hypocrite.
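The policy the article describes (residential hosts may talk to port 25 only on the ISP's own relay, while submission on 587 to any host is left alone, as RARPSL argues) and the flow-log view of it, as an added example that is not code from the thread or from any ISP named in it. The customer block 198.51.100.0/24, the relay address 203.0.113.25, the flow records and the five-destination threshold are all constructed assumptions.

```python
"""Added example (not code from the thread): an ISP-side flow-log view of
the outbound port 25 policy the article describes and the port 587
submission path RARPSL mentions. All addresses and flow records are
constructed; the customer block, the relay address and the threshold
are assumptions."""
import ipaddress
from collections import defaultdict

RESIDENTIAL = ipaddress.ip_network("198.51.100.0/24")  # assumed customer block
ISP_RELAY = ipaddress.ip_address("203.0.113.25")       # assumed ISP mail relay

# Constructed flow records: (timestamp_s, src, dst, dst_port)
FLOWS = [
    (0, "198.51.100.10", "203.0.113.25", 25),   # mail client -> ISP relay
    (5, "198.51.100.10", "192.0.2.80", 587),    # submission to a third-party host
    (9, "198.51.100.11", "192.0.2.5", 25),      # a single direct-to-MX delivery
    (10, "198.51.100.12", "192.0.2.20", 25),    # .12 fans out to many MXes in
    (11, "198.51.100.12", "192.0.2.21", 25),    #   a few seconds: the shape a
    (12, "198.51.100.12", "192.0.2.22", 25),    #   mass-mailing worm leaves
    (13, "198.51.100.12", "192.0.2.23", 25),
    (14, "198.51.100.12", "192.0.2.24", 25),
    (15, "198.51.100.12", "192.0.2.25", 25),
    (16, "203.0.113.25", "192.0.2.5", 25),      # the relay itself delivering
]


def verdict(src, dst, dport):
    """Outbound policy for one flow. Residential sources may reach port 25
    only on the ISP's own relay; submission (587) and SMTPS (465), like any
    other port, are not restricted, so a third-party host that listens on
    587 with SMTP AUTH keeps working. Returns 'allow' or 'block'."""
    if ipaddress.ip_address(src) not in RESIDENTIAL:
        return "allow"                      # policy applies to customers only
    if dport == 25 and ipaddress.ip_address(dst) != ISP_RELAY:
        return "block"
    return "allow"


def apply_policy(flows):
    """Count how the policy would treat each constructed flow."""
    counts = {"allow": 0, "block": 0}
    for _, src, dst, dport in flows:
        counts[verdict(src, dst, dport)] += 1
    return counts


def mass_mailer_suspects(flows, window=60, threshold=5):
    """Residential hosts that tried >= threshold distinct port-25 destinations
    (other than the ISP relay) inside any `window`-second span. Even when the
    block drops the packets, the attempts remain in flow logs, which gives the
    abuse desk a list of customers to notify rather than a silent failure."""
    attempts = defaultdict(list)            # src -> [(ts, dst)]
    for ts, src, dst, dport in flows:
        if dport != 25 or ipaddress.ip_address(dst) == ISP_RELAY:
            continue
        if ipaddress.ip_address(src) in RESIDENTIAL:
            attempts[src].append((ts, dst))
    suspects = {}
    for src, events in attempts.items():
        events.sort()
        for t0, _ in events:                # slide the window over each start
            dsts = {d for t, d in events if t0 <= t < t0 + window}
            if len(dsts) >= threshold:
                suspects[src] = len(dsts)
                break
    return suspects


if __name__ == "__main__":
    print(apply_policy(FLOWS))              # {'allow': 3, 'block': 7}
    print(mass_mailer_suspects(FLOWS))      # {'198.51.100.12': 6}
```

The single direct delivery from .11 is blocked but not flagged; only the fan-out from .12 crosses the threshold, which is the distinction between a customer with a misconfigured client and an infected machine.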

MWR2NY
join:2002-02-06 Edgewood, MD
Re: Thanks Idiots!
I'm on Comcast and last November when Comcast decided to block port 25 they didn't tell anybody, including their own tech support. I went about a week without being able to send mail through my own domain. It took a couple of days of tech support at my web host to figure out a workaround. Comcast and other ISPs should have posted something to let everyone know what they were doing.

Nice Try5
join:2003-04-17 Silver Spring, MD
Re: Thanks Idiots!
I don't believe Comcast is blocking 25 in my area. I can still send and receive mail.

purdyturdy
@207.46.x.x
Re: Thanks Idiots!
Same here, Seattle area and can send mail through Comcast to my own SMTP server at another ISP (which uses SMTP auth).
-template- I say they should block port X, because a virus/trojan/worm/backdoor/spammer/hax0r could pass traffic through that port to do naughty things. -endtemplate-

pnh102 Reptiles Are Cuddly And Pretty Premium join:2002-05-02 Mount Airy, MD
·Comcast
said by jester121 : Since you're on Comcast you can use whatever you want in the FROM address on your e-mail, and send it through smtp.comcast.net. In other words, the e-mail shows up as coming from "pnh102@yourdomain.com".
First, why should I have to do anything differently? I am not sending out viruses or spam so I should not be inconvenienced. Go punish the idiots who refuse to properly protect their machines. It's not rocket science or brain surgery; anyone who is willing to read up on the topic can do it.
Second, it's mail.comcast.net, not smtp.comcast.net.
said by jester121 : Unless the recipient looks at the headers, there's no way they'd even notice it.
True, but it still begs the question: why should someone who is not part of the problem be inconvenienced? -- Do the world a favor, Saddam. Kill yourself.

pnh102 Reptiles Are Cuddly And Pretty Premium join:2002-05-02 Mount Airy, MD
·Comcast
Re: Thanks Idiots!
said by jester121 : The correct address is smtp.comcast.net
Oops... you are indeed correct, my bad! Goes to show you how often I use my Comcast email LOL. -- Do the world a favor, Saddam. Kill yourself.

en102 Canadian, eh?
join:2001-01-26 Valencia, CA
If your hosting company is somewhat decent, they should have the ability to do web mail, or allow you to use another port, or better yet, run SMTPS on port 465 (SMTP over SSL).

Camelot One Premium,MVM join:2001-11-21 Sarasota, FL
Re: Thanks Idiots!
said by en102 : If your hosting company is somewhat decent, they should have the ability to do web mail
And if your ISP was decent, your hosting company shouldn't have to. I hate webmail. SSL is an option I guess, but I still have a problem with ANY port blocking that is not done by me. -- AMD XP2500+ @2388mhz/ Asus A7N8X-E Deluxe/ 2x 512Mb Kingston HyperX PC3500/ WD 120Gb on serial/ Gainward GF4 4600/ Enermax 465P-VE/Custom water cooler

en102 Canadian, eh?
join:2001-01-26 Valencia, CA
Re: Thanks Idiots!
I can see the day when all ISPs will be running discount web for NAT traffic, and browsers will be full of cookies as well.... I weep for that as well.

hescominsoon
join:2003-02-18 Brunswick, MD
Re: Block 25, then some will make it 21 or 22
I have 4 domains I manage, so frankly if I am not able to use my own domains' servers for e-mail (which have a larger attachment allowance) then I will change ISPs (and have once).. -- God Bless http://www.faithwalk.org

dda Premium join:2003-12-29 Bolton, MA
Anybody want to introduce email address port-ability? Look how well that is going in the Cellphone world.
I believe many companies, starting with pobox.com, implemented "email address portability." I have a "vanity domain" just for said portability; that address should always get to me, no matter how often I change ISPs (mediaone.net -> attbi.com -> comcast.net -> ??? ).
The (lack of) portability in the telephone world is entirely different and was partially a way for a cell provider to lock you into their service. Good for them, bad for you.

keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
quote: Next thing you know is that someone will write a virus that uses port 80. Quick, the sky is falling, let's block outbound port 80?
They have. Quite a few actually. For example, Code Red.

pcscdma Chocobo Chocobo Random Battle Premium join:2004-01-14 Winterset, IA
Good for them
Whenever a worm comes out, ISPs have somewhat of a responsibility of temporarily cutting off access to the ports affected if they aren't something useful like 80. I don't find outgoing 25 to affect me at all, since Earthlink doesn't allow my IP range and they have a webmail portal.

GeekNJ Premium join:2000-09-23 Waldwick, NJ
1 edit
Re: Good for them
How about all ISPs implement virus checking at their mail servers. That would prevent any inbound mail that is infected from entering their network and getting to their subscribers' computers.
Instead of relying on hundreds of thousands of subscribers to stay current on every virus, wouldn't it be easier for the ISP or mail server provider to provide centralized protection? -- Have you tweaked your OOL connection?

pcscdma Chocobo Chocobo Random Battle Premium join:2004-01-14 Winterset, IA
Re: Good for them
said by GeekNJ :
Instead of relying on hundreds of thousands of subscribers to stay current on every virus, wouldn't it be easier for the ISP or mail server provider to provide centralized protection?
That is almost like relying on Microsoft for all software. Each AV has benefits and drawbacks. Symantec has been getting a bad review and it seems like Trend is getting better and better. If Trend reacted slower than other vendors it would not be very good for end-users. Not staying current on antivirus is just being plain ignorant.

GeekNJ Premium join:2000-09-23 Waldwick, NJ
Re: Good for them
I think you misunderstood my point. I don't feel it eliminates the need for individuals to run AV software. Obviously though, if we all were doing it and staying up to date, the viruses wouldn't be propagating. Since that isn't the case, additional protection would be beneficial to all! -- Have you tweaked your OOL connection?

GeekNJ Premium join:2000-09-23 Waldwick, NJ
Bad move :-(
So what happens next... a virus that figures out what your ISP's mail server is and sends out mail through that, just as it would any other email server? Any way to protect against that?
Blocking 25 is not the right solution and hurts those that do have legitimate needs for sending mail out through a mail server that doesn't belong to their ISP. I pay for web hosting which includes email from a company (my ISP doesn't provide hosting). I can't use that mail server that I pay for as an outgoing mail server? Sounds pretty dumb to me. -- Have you tweaked your OOL connection?

lakino Premium join:2003-04-03 Campbell, CA
Re: Bad move :-(
said by GeekNJ : So what happens next... a virus that figures out what your ISP's mail server is and sends out mail through that, just as it would any other email server? Any way to protect against that?
Blocking 25 is not the right solution and hurts those that do have legitimate needs for sending mail out through a mail server that doesn't belong to their ISP. I pay for web hosting which includes email from a company (my ISP doesn't provide hosting). I can't use that mail server that I pay for as an outgoing mail server? Sounds pretty dumb to me.
Another problem is that many ISPs only allow a certain size limit on outgoing mail. Part of the reason I pay each month to host my own domain name and have mail routed through them is so that I have NO limits whatsoever on outgoing as well as incoming mail. I can send out 100 meg attachments or receive 100 meg attachments. I'd like to see someone try doing that via SBC/YAHOO. -- Why do people like .sig files so much? Baffling to me...

crowdx
join:2001-10-12 Concord, CA
I really think you guys have this wrong. What the ports that they are blocking are doing is only preventing "email servers" at home from being able to send and receive email. I own two domains and host each for $4.99 a month, and this allows me 10 email addresses per domain name. I can send and receive exactly as if I was using my ISP's email; the only main difference for me, apart from the fact that my emails use my domain name in the address, is that I can also send large emails which would normally be rejected by ISPs' normal email size limits. So I agree it is a nuisance to those who want to run email servers locally from their home office or house, but other users will not be affected.

crowdx
join:2001-10-12 Concord, CA
Yes, but if commercial companies that web host for us find that port 25 is blocked, they will have to switch so as to make their service still accessible. ISP mail servers suck; it is years since I have used their services.

Seven1
join:2002-07-24 Lexington, KY
·Insight Communicat..
Block it if you will
It would irritate me if my ISP did block outgoing port 25, but I'd live with it. I run my own hosting business and I made sendmail accessible on port 26 as well as 25, a long time ago. I did it since Cox was blocking outgoing 25 and some of my customers were getting pissed about not being able to send email because of that.

ParanoiaInc
join:2002-08-28 Tucker, GA
Block Port 25 & Revise SMTP Protocol
While I recognize the necessity of blocking port 25, I also recognize that SMTP without authentication (like POP) is just asinine.

en102 Canadian, eh?
join:2001-01-26 Valencia, CA
Re: Block Port 25 & Revise SMTP Protocol
How true... my old TimeWarner/RR didn't require authentication on SMTP, but my SBC/Yahoo sure does. Neither of them blocked direct outbound SMTP though.

black flag Home Is Where The Broadband Is
join:2002-11-17 Chicago, IL
Block my 25, I'm gone.
As soon as my ISP blocks my outgoing SMTP, I'm gone.

HiVolt Premium join:2000-12-28 Toronto, ON
·TekSavvy Cable
·TekSavvy DSL
Sympatico
Canadian DSL ISP Bell Sympatico has been blocking outbound port 25 SMTP traffic for as long as I can remember.
Thankfully, I am not stuck using their crappy, often bogged down & blacklisted SMTP servers; my web host conveniently runs a mail server on port 26. -- Please Visit PlanetMADtv. Want to see MADtv on DVD? Sign the Petition!

GlobalMind Domino Dude, POWER Systems Guy Premium join:2001-10-29 Hollywood, FL
How I would find it annoying.....
Is that my domain mail runs through my web host, so I need to connect to that mail server over my ISP. Shut down outbound port 25 and I have to figure out another way to send my mail.
My host requires authentication for mail xfer at this point, trying to help reduce any instances of abuse.
Closing it down to "sorry but you have to use OUR mail service or none" is looking like yet another sad side effect of the scum out there.
K. -- TheGlobalMind.com "On a clear disk you can seek forever"

medfly
join:2003-05-15 Windsor, CO
Re: How I would find it annoying.....
Just have your mail server listen on port 26 as well and connect to it there. Simple and easy solution, that's what I do.

djrobx
join:2000-05-31 Valencia, CA
·AT&T U-Verse
·PHONE POWER
I like the DSLExtreme approach
They block it by default. Why have it open for viruses to exploit unsuspecting people and spammers if it's not needed by a large majority of customers? But if I want it for any reason, it can be unblocked by filling out a quick web form. DSLExtreme does not forbid servers in its AUP so I'm comfortable that they'll continue to support my ability to unblock that port.
I also don't really have a big problem with port 25 blocks as long as the ISP's server accepts any FROM address. But from a service that supports servers I do, of course, want the ability to unblock.
-- Rob -- \\ROB - a part of the SCB local network

russotto
join:2000-10-05 Collegeville, PA
No blocking thank you.
Stay off my Port 25. And every other port, too. I want a 1st class connection to the Internet, not some dumbed-down port-blocked substitute.

gruggni Oxygen Gets You High
join:2003-07-28 Corpus Christi, TX
live by smtp die by smtp
The title says it all.

linicx Caveat Emptor Premium join:2002-12-03 United State
·CenturyLink
Checkmate?
Will closing Port 25 accomplish the task at hand? I don't think so, but it will irritate legitimate business owners who use Port 25. Will it stop open relay bulk mailing? Not unless ALL providers -- from Root and TLD to the mom and pop small town operation -- adopt and then implement the same standards. To accomplish this massive feat, the big guys must be willing to absorb the cost of freely helping the little guys, because not everyone knows how to block Ports or close relays or install spam filters. I can think of 3-4 providers in my own area who are either totally clueless or are just so overwhelmed with spam they stopped trying to plug the dam long ago. Whining about new users is counterproductive. We were all once new users too. I had people who took the time to teach me the social rules of Internet Etiquette and how to avoid viruses. Because of my teachers, I make sure every one of my clients is taught the same things. You can't teach everyone everything, but you can teach your friends the basics.
To opt in or opt out of spam is a complete waste of time because it is a voluntary action that requires my cooperation. Do I really want my email redirected to another spammer because I clicked the opt-out button? I don't think so... been there, done that before.
The real checkmate might be hidden in mail programs like Q Mail right now. If mail containing attachments or commands including HTML cannot be received or mailed, it will stop the spread of viruses, trojans, worms and other nasties because there will be no way to execute them. With cut and paste functions there is no reason to insert an active link to a URL in email either - except it is convenient to the person who receives it. The problem will be separating the wheat from the chaff so that legitimate business is unimpeded and granny can get pictures of the new baby. -- Be careful what you ask for - you just might get it.

keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
Re: Checkmate?
Do criminal penalties stop crime?
No.
Does that mean we disband police forces and close jails?
No. We accept that total solutions to real problems are rare, and go for affordable solutions that reduce the incidence of those real problems.
Will blocking port 25 *reduce* spam and abuse?
Yes, quite a bit. So we should do it.

bmn Premium,ExMod 2003-06 join:2001-03-15 hiatus
Just bypass it...
»Bypassing the outgoing SMTP (port 25) block...
Those instructions should work with just about every provider. I used it for months when Cox arbitrarily decided to block SMTP on the egress. -- Male by birth... Geek by choice "A cardinal American virtue, 'ambition', promotes a cardinal American vice, 'deviant behaviour.'"

keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
Legislation needed
1. It isn't dumb users that are responsible for "reduced functionality", it is the hackers and spammers who exploit them.
You don't blame young women for the actions of rapists -- this is the same kind of thing. Don't blame fellow victims.
2. There should be federal legislation in each country allowed to connect to the Internet that all ISPs provide egress filtering for their retail customers, to ensure that source IPs are not spoofed.
That is not to say that egress filtering should be mandatory on all networks, just that it should be mandatory on the public Internet that various national governments paid to found.
Voluntary action hasn't worked, because such filtering costs ISPs money, due to overhead, and the primary benefit goes to customers on other ISPs.
Preventing spoofed source IP addresses for all traffic would go a long way to preventing not just spam, but also DoS and DDoS attacks.
3. It should be mandatory that all email server software on the public Internet all confirm source IP addresses, and all maintain the standard audit trail of headers indicating where messages are received from.
4. My personal feeling is that ideally filtering of things like port 25, spam, and email viruses should be easily user configurable, and default to filtering for new accounts.
For port 25 filtering, I think the problem is technical: a) It increases overhead to add a bunch of individual IP addresses to port blocking rules in the router. b) There is a bit of manual effort involved in updating the rules for individual customers.
5. As for sending email using the email server at work, so that replies to your emails go back there, that is what the REPLY-TO (in OE accounts, the "reply address") is for.
SENT-BY (FROM or, in OE accounts, the "email address") is formally supposed to be the email address on the ISP the computer is actually on.
ISPs should not be limiting the REPLY-TO (unless maybe the customer has been a problem).
However, to follow the original intent of the standards, they all should have been limiting the SENT-BY.
----- We've given voluntary standards a good long try. They haven't worked.
The Internet was originally designed to function for a few thousand highly responsible academic, engineering and scientific users, using small basic communications software packages.
It has been a long time since that represented the Internet community.
And it has been a long time since the software used passed out of the small and basic category.
Now we have hackers, crackers, spammers; and we have enormous software packages (even games use comparatively complex software communications).
And so much of the Internet is motivated by free enterprise doing it cheap and quick and keeping our individual costs down.
Clearly we now need enforced common minimum standards for public health and safety on the public Internet.
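As an added illustration of the two filters this post argues for (egress anti-spoofing and a port 25 block with per-customer opt-out), not code from the post or from any ISP, here is a small Python model of an access router's outbound rules; every prefix, address and packet below is constructed for the example.

```python
import ipaddress

# Constructed example: prefixes this access router has assigned to retail
# customers (TEST-NET ranges stand in for real customer pools).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]
# The ISP's own outbound relay (constructed address, on the ISP server side of
# the /24): the only port 25 destination customers may reach by default.
ISP_SMTP_RELAY = ipaddress.ip_address("198.51.100.250")
# Per-customer opt-out list for the port 25 block, the "bunch of individual IP
# addresses" the post mentions; assumed to be maintained by support staff.
PORT25_EXEMPT = {ipaddress.ip_address("203.0.113.40")}

def source_is_valid(src):
    """BCP38-style check: the source must lie inside a prefix we assigned."""
    return any(src in p for p in CUSTOMER_PREFIXES)

def egress_verdict(src, dst, dport):
    """Return 'forward', 'drop-spoofed' or 'drop-smtp' for one outbound packet.
    src/dst are dotted-quad strings, dport is the TCP destination port."""
    try:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return "drop-spoofed"          # unparsable source: treat as spoofed
    if not source_is_valid(s):
        return "drop-spoofed"          # anti-spoofing rule is evaluated first
    if dport == 25 and d != ISP_SMTP_RELAY and s not in PORT25_EXEMPT:
        return "drop-smtp"             # outbound SMTP only via the ISP relay
    return "forward"

def apply_egress_filter(packets):
    """Group (src, dst, dport) packets by verdict; returns a dict of lists."""
    out = {"forward": [], "drop-spoofed": [], "drop-smtp": []}
    for pkt in packets:
        out[egress_verdict(*pkt)].append(pkt)
    return out

# Constructed sample traffic as seen on the customer-facing interface.
SAMPLE_EGRESS = [
    ("203.0.113.17", "198.51.100.250", 25),  # customer -> ISP relay: forward
    ("203.0.113.17", "192.0.2.25", 25),      # customer -> outside MX: drop-smtp
    ("203.0.113.40", "192.0.2.25", 25),      # exempted customer: forward
    ("203.0.113.17", "192.0.2.25", 587),     # submission port, not blocked: forward
    ("198.51.100.200", "192.0.2.25", 80),    # outside the /25: drop-spoofed
    ("10.0.0.5", "192.0.2.25", 25),          # private source leaking: drop-spoofed
]

if __name__ == "__main__":
    for verdict, pkts in apply_egress_filter(SAMPLE_EGRESS).items():
        print(verdict, pkts)
```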
shortt join:2002-04-09
Re: Legislation needed
said by keith2468: Clearly we now need enforced common minimum standards for public health and safety on the public Internet.
As far as I know, spam is only bad for your health if you eat it.
sherpaboy join:2001-07-06 Seattle, WA
quote:
There should be federal legislation in each country allowed to connect to the Internet that all ISPs provide egress filtering for their retail customers, to ensure that source IPs are not spoofed.
Every time something isn't running perfectly, it's time to turn to the feds. Remember; if they are with the federal government they must be smarter than the rest of us. They had the right idea about the 18th amendment here in the states (that worked real well, it validated the Mafia). The federal drug war is also a good idea. We are spending billions of dollars to kill a few poor farmers... and for what? So that prices are driven up for the Mafia (again), and drugs continue to flow into the country. Johnson's Great Society, State schools, Federally mandated retirement called social security. My father knew he was going to die, but he still was required to pay into social security because the government thought he was too incompetent to take care of his family.
quote:
That is not to say that egress filtering should be mandatory on all networks, just that it should be mandatory on the public Internet that various national governments paid to found.
Fine, since the majority of the Internet is privately funded.
quote:
Preventing spoofed source IP addresses for all traffic would go a long way to preventing not just spam, but also DoS and DDoS attacks.
I guess I can agree with you here, but I never thought of it much since my ISP has been doing anti-spoofing since they were founded, but I don't think we need the feds. Maybe ISP's could be blacklisted for not filtering spoofed addresses.
quote:
We've given voluntary standards a good long try. They haven't worked.
...so it's time for federal legislation. Why? Because whenever I have a problem it is up to the federal government to fix it for me. Fast food joints cause an obesity problem, lets legislate. Swimming pools contribute to drownings, lets legislate. People don't know how to plan for retirement, lets legislate. People don't give enough to charity, lets legislate. People drink too much, lets legislate.... (oops! tried that already). Lets legislate. Lets legislate. Lets legislate. Lets legislate.
quote:
The Internet was originally designed to function for a few thousand highly responsible academic, engineering and scientific users, using small basic communications software packages.
Actually, DARPA originally envisioned the Internet as a self healing computer communications network that would survive a nuclear attack. If it had not moved into the private sector, you would probably be paying a lot more (albeit in taxes) for much less bandwidth.
quote:
And so much of the Internet is motivated by free enterprise doing it cheap and quick and keeping our individual costs down.
Yes. Why? Because you (joe consumer) continue to scream that $50.00 for 3 megabits is a rip off. Joe consumer wants cheap internet, not well thought out Internet. Beta was better than VHS. Mac was better than MS. People demand cheap, and then complain when they get it.
quote:
Clearly we now need enforced common minimum standards for public health and safety on the public Internet.
If you want to fix the problem, stop buying products problems from Redmond. Outside of SPAM, that would fix most of what ails the net!
Shrapnel64 Premium join:2001-01-24 Hayes, VA
Cannot send email now to mydomain.com mail server
Not sure if this has been posted already, because of the numerous amounts of replies, but...in regards to sending mail by blocking outbound 25 ports to other mail servers.
You can still do this by using your ISP's mail server to send messages, although you're actually relaying it to the server in which your account is based on.
This is how I have my business account setup on my Cox HSI with the same problem. I setup the email address, for the username I used username@mydomain.com and pop3 mail.mydomain.com; for outgoing (smtp) I use pop.east.cox.net and it works just fine...sends just like I sent it to the server directly.
rx7mike join:2004-01-23 West Bend, WI
Re: Cannot send email now to mydomain.com mail server
I think every ISP in Wisconsin blocks port 25. I don't use my ISP email because for one I don't even know what the password is because I have never used it and 2 I own several domains and I've been getting mail at those email addresses for years. Now I have to log into my web based email clients so I can email people. How lame is that. I hope COVAD my new DSL provider is not like that.
kd6cae P2p Shouldn't Be A Crime join:2001-08-27 Lancaster, CA
·RoadRunner Cable
·DSL EXTREME
blocking outbound port 25 is stupid!
Here's my personal view of providers that block port 25. For residential accounts, blocking inbound 25 I can live with, but what good is blocking outbound 25? I for instance prefer to send email via a friend's mail server. Tell me what the devil is wrong with wanting to send email via a server that isn't your ISP's? As far as having a mail server listen on a nonstandard port such as 26, I suppose that may work; however, if I understand the way email works, the mail server sending the message to its destination needs to communicate with the destination mail server and all communication between the servers is done on port 25! So if I send a message to you@yourdomain.com via my mail server, if outbound port 25 was blocked at my mail server, then even if you were accepting connections on another port my server would assume the server was down! It has no way to connect with an alternate port. I guess what I'm saying is the only ports that should be blocked are inbound ports and even then only on residential accounts! Maybe on business accounts you could block ports 135-139, 445 and ports such as that that no one has ever used. And if someone needs to use those ports they should be able to unblock them for their connection. In other words give us some flexibility here.
ssj4android Redefining Reality join:2002-04-14 Wyoming, MI
Comcast isn't blocking port 25 outbound
I just checked, it works fine. I have a 67. ip.