ingress SMTP

Michael Thomas mike at mtcc.com
Wed Sep 3 16:40:20 UTC 2008


Jay R. Ashworth wrote:
> On Wed, Sep 03, 2008 at 11:56:51AM -0400, Justin Scott wrote:
>   
>> As a small player who operates a mail server used by many local 
>> businesses, this becomes a support issue for admins in our position.  We 
>> operate an SMTP server of our own that the employees of these various 
>> companies use from work and at home.  Everything works great until an 
>> ISP decides to block 25 outbound.  Now our customer cannot reach our 
>> server, so they call us to complain that they can receive but not send 
>> e-mail.  We, being somewhat intelligent, have a support process in place 
>> to walk the customer through the SMTP port change from 25 to one of our 
>> two alternate ports.
>>
>> The problem, however, is that the customer simply cannot understand why 
>> their e-mail worked one day and doesn't the next.  In their eyes the 
>> system used to work, and now it doesn't, so that must mean that we broke 
>> it and that we don't know what we're doing.
>>     
>
> I feel your pain, local compadre, but I'm on their side.
>
> Here's your script:
>
> "Allowing unfiltered public access to port 25 is one of the things that
> increases everyone's spam load, and your ISP is trying to be a Good
> Neighbor in blocking access to anyone's servers but their own; many ISPs
> are moving towards this safer configuration. We're a good neighbor, as
> well, and support Mail Submission Protocol on port 587, and here's how
> you set it up -- and it will work from pretty much anywhere forever."
>
>   
I think this all vastly underrates the agility of the bad guys. So lots of
ISP's have blocked port 25. Has it made any appreciable difference?
Not that I can tell. If you block port 25, they'll just use another port and
a relay if necessary.

But the thing that's really pernicious about this sort of policy is that 
it's
a back door policy for ISP's to clamp down on all outgoing ports in
the name of "security". And it's almost plausible, except for the annoying
problem that the net becomes secure and useless in one swell foop.

That said, I heard a pretty amazing claim made by somebody while
I was still at the big ol networking company that ISP's in general
not only didn't know which of their customers computers were
owned, but that they didn't want to know. Even putting aside the
claim of blissful ignorance, port 25 blocking is nothing more than
a Maginot Line for the larger problems of infected computers. If
we really wanted to curb spam, why don't we just put them in the
penalty box until they are remediated? Heck, that even stops lots
of other attacks that have nothing to do with port 25 too.

       Mike




More information about the NANOG mailing list