stephen at sprunk.org
Wed Sep 3 12:07:22 CDT 2008
Alec Berry wrote:
> Michael Thomas wrote:
>> But the thing that's really pernicious about this sort of policy is
>> that it's a back door policy for ISP's to clamp down on all outgoing
>> ports in the name of "security".
> I don't think ISPs have anything to gain by randomly blocking ports. They may block a port that is often used for malicious behavior (135-139, 194, 445, 1433, 3306 come to mind) as a way to reduce their support calls-- but they would have to balance that with the risk of loosing customers. It's not as much a slippery slope as much as it is a tightrope act (yes-- I am metaphorically challenged).
I see nothing wrong with filtering commonly abused ports, provided that
the ISP allows a user to opt out if they know enough to ask.
When port 25 block was first instituted, several providers actually
redirected connections to their own servers (with spam filters and/or
rate limits) rather than blocking the port entirely. This seems like a
good compromise for port 25 in particular, provided you have the tools
available to implement and support it properly.
I also agree with the comments about switching customers to 587. My
former monopoly ISP only accepted mail on 25 and I had endless problems
trying to send mail from airports, hotels, coffee shops, etc. while
traveling. The same hotspots also tended to block port 22, so I
couldn't even forward mail via my own server. However, my new monopoly
ISP only accepts mail on 587, and I have yet to have a single problem
with that from any hotspot I've used since the switch. Ditto for
reading my mail via IMAPS/993, whereas I used to have occasional
problems reading it via IMAP/143.
More information about the NANOG