Skywing at valhallalegends.com
Wed Sep 3 12:28:47 CDT 2008
Intercepting port 25 traffic of your customers (as an ISP), redirecting it to your own servers, and allowing the connection to complete sounds like a pretty slippery slope of badness to me.
Sure, you should be using TLS anyway, but slurping up port 25 traffic begs the question of what is happening to the SMTP authentication credentials or the mail data that flows through said intercept.
Blocking traffic versus intercepting it wholesale are very different ballgames.
Now, obviously, whoever is providing your pipe has the technical ability to intercept your traffic. Actually doing this has proven widely unpopular (to place it nicely) when uncovered, even with the best of intentions.
There is usually an implicit trust that your ISP won't be employing underhanded tactics like that in most people's minds, I think. I suspect that most people will call any interception of their outbound mail traffic "underhanded", even for if done for a perceived good reason in the mind of said ISP.
From: Stephen Sprunk <stephen at sprunk.org>
Sent: Wednesday, September 03, 2008 12:09
To: Alec Berry <alec.berry at restontech.com>
Cc: north American Noise and Off-topic Gripes <nanog at merit.edu>
Subject: Re: ingress SMTP
Alec Berry wrote:
> Michael Thomas wrote:
>> But the thing that's really pernicious about this sort of policy is
>> that it's a back door policy for ISP's to clamp down on all outgoing
>> ports in the name of "security".
> I don't think ISPs have anything to gain by randomly blocking ports. They may block a port that is often used for malicious behavior (135-139, 194, 445, 1433, 3306 come to mind) as a way to reduce their support calls-- but they would have to balance that with the risk of loosing customers. It's not as much a slippery slope as much as it is a tightrope act (yes-- I am metaphorically challenged).
I see nothing wrong with filtering commonly abused ports, provided that
the ISP allows a user to opt out if they know enough to ask.
When port 25 block was first instituted, several providers actually
redirected connections to their own servers (with spam filters and/or
rate limits) rather than blocking the port entirely. This seems like a
good compromise for port 25 in particular, provided you have the tools
available to implement and support it properly.
I also agree with the comments about switching customers to 587. My
former monopoly ISP only accepted mail on 25 and I had endless problems
trying to send mail from airports, hotels, coffee shops, etc. while
traveling. The same hotspots also tended to block port 22, so I
couldn't even forward mail via my own server. However, my new monopoly
ISP only accepts mail on 587, and I have yet to have a single problem
with that from any hotspot I've used since the switch. Ditto for
reading my mail via IMAPS/993, whereas I used to have occasional
problems reading it via IMAP/143.
More information about the NANOG