North American Network Operators Group


Re: ingress SMTP

  • From: Michael Thomas
  • Date: Wed Sep 03 12:41:16 2008

Jay R. Ashworth wrote:
On Wed, Sep 03, 2008 at 11:56:51AM -0400, Justin Scott wrote:
As a small player who operates a mail server used by many local businesses, this becomes a support issue for admins in our position. We operate an SMTP server of our own that the employees of these various companies use from work and at home. Everything works great until an ISP decides to block 25 outbound. Now our customer cannot reach our server, so they call us to complain that they can receive but not send e-mail. We, being somewhat intelligent, have a support process in place to walk the customer through the SMTP port change from 25 to one of our two alternate ports.

The problem, however, is that the customer simply cannot understand why their e-mail worked one day and doesn't the next. In their eyes the system used to work, and now it doesn't, so that must mean that we broke it and that we don't know what we're doing.

I feel your pain, local compadre, but I'm on their side.


Here's your script:

"Allowing unfiltered public access to port 25 is one of the things that
increases everyone's spam load, and your ISP is trying to be a Good
Neighbor in blocking access to anyone's servers but their own; many ISPs
are moving towards this safer configuration. We're a good neighbor, as
well, and support Mail Submission Protocol on port 587, and here's how
you set it up -- and it will work from pretty much anywhere forever."

I think this all vastly underrates the agility of the bad guys. So lots of
ISPs have blocked port 25. Has it made any appreciable difference?
Not that I can tell. If you block port 25, they'll just use another port and
a relay if necessary.

But the thing that's really pernicious about this sort of policy is that it's
a back door policy for ISPs to clamp down on all outgoing ports in
the name of "security". And it's almost plausible, except for the annoying
problem that the net becomes secure and useless in one swell foop.


That said, I heard a pretty amazing claim made by somebody while
I was still at the big ol' networking company that ISPs in general
not only didn't know which of their customers' computers were
owned, but that they didn't want to know. Even putting aside the
claim of blissful ignorance, port 25 blocking is nothing more than
a Maginot Line for the larger problems of infected computers. If
we really wanted to curb spam, why don't we just put them in the
penalty box until they are remediated? Heck, that even stops lots
of other attacks that have nothing to do with port 25 too.

Mike
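As an added illustration of the "good neighbor" setup Jay's script refers to (example configuration written for this page, not from any poster or from the Postfix project itself): a Postfix listener for message submission on port 587 that requires TLS and SASL authentication before it relays anything, while port 25 stays the plain MX listener for inbound mail to local domains only. It assumes Postfix with a TLS certificate and a SASL backend (for instance Dovecot) already set up in main.cf; the parameter names are real Postfix settings, the file layout is the assumed one.

```conf
# --- master.cf ---
# Added example (not from the thread). Submission service on TCP 587:
# clients that can no longer reach port 25 through their ISP use this
# instead. TLS is mandatory, and only authenticated users may relay,
# so the server is never an open relay for whoever finds the port.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# --- main.cf ---
# Port 25 keeps accepting mail *for* our domains from anyone (that is what
# an MX is for) but relays *from* nobody except our own networks and
# authenticated users. reject_unauth_destination is the line that matters.
smtpd_relay_restrictions = permit_mynetworks,
                           permit_sasl_authenticated,
                           reject_unauth_destination
```

After `postfix reload`, connections on 587 are logged under the `postfix/submission` name, which makes the support case Justin describes easy to confirm from the server side: a customer whose ISP just blocked 25 shows up authenticating on 587 once the client is switched over, and the same settings keep working from any network that permits 587, which is the point of moving customers there once rather than per-ISP.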