Outgoing SMTP Servers

Robert Drake rdrake at direcpath.com
Wed Oct 26 05:53:26 UTC 2011


On 10/25/2011 10:19 PM, Blake Hudson wrote:
> I didn't see anyone address this from the service provider abuse
> department perspective. I think larger ISP's got sick and tired of
> dealing with abuse reports or having their IP space blocked because of
> their own (infected) residential users sending out spam. The solution
> for them was to block the spam. The cheapest/easiest way to do this was
> to block TCP 25 between subs and the internet, thus starting a trend. If
> 587 becomes popular, spammers will move on and the same ISPs that
> blocked 25 will follow suit.
Actually, it doesn't work that way because of what submission is 
designed to do.  I just posted another email about it so I won't repeat 
it, but basically you should think of blocking port 25 as a list of 
who's authorized to send emails, not as a port we just killed for fun 
and we're waiting for the spammers next move.

>
> A better solution would have been to prevent infection or remove
> infected machines from the network(strong abuse policies, monitoring,
> give out free antivirus software, etc). Unfortunately, several major
> players (ATT, for example) went down the road of limiting internet
> access. Now that they've had a taste, some of them feel they can block
> other ports or applications like p2p (Comcast), Netflix (usage based
> billing on Bell, ATT, others).

As an ISP, I liked seeing abuse complaints drop to near zero when we did 
this.  We spent about a month fixing some people who don't use webmail 
(most regular customers don't use an MUA anymore) and had our share of 
third-party MTAs that refused to turn on submission (no idea why, these 
were usually business-class comp accounts so we moved them to a business 
pool and dropped their ACLs) but overall we probably had less than 100 
calls from doing this and it made our lives easier.

Now I know you said you wanted us to be preventative and to treat the 
problem, but that's just impractical.  We got 5000 abuse emails a month 
for (at the time) ~20k customers.  Were 1/4 of them spamming?  No, but 
the ones that were spamming generated automated reports from everyone.

None of them were ever legitimate spammers.  They were all users who 
clicked on a funny puppy picture their mom sent, or some other thing 
that set their computer on fire and had it spitting out gobs of porno 
links to everyone it could find.  So it wasn't a set of problem users, 
it was just a random sampling of everyone's not-so-PC-savvy relatives.

So, let's say we wrote software to collate those reports and got it down 
to 30 legitimate people (if we're lucky).  Do we block their IPs and 
wait for them to call in then send them to Geek Squad?  Do we try to fix 
their infected PC over the phone?  At this point, no matter what we do 
they're going to get sent to a tier 2 tech which means at least 2 phone 
calls and whatever revenue we might have gotten from them is gone for 
quite a while.  We can have one guy tied up all day every day trying to 
process abuse issues or we can just shut down port 25 and the problem 
magically disappears.

Is their laptop uninfected?  No, but they can no longer infect any other 
customer in our network or anyone else's network, thus reducing global 
infections.  We've made the world a better place and saved ourselves 
some money.  Unfortunately, the first coffee shop they go to that 
doesn't block port 25 is going to be a new spam source but we can't save 
them all.

It may be possible in the future we'll have a more convenient method to 
police PCs but the network access controls that exist right now aren't 
flexible enough to allow different networks to set different policies, 
so if it's a work laptop and they have a domain administrator then 
802.1X might not be possible, and mandating they have a firewall or 
anti-virus turned on (or a specific version/that it's updated, etc.) 
might not be possible.

Most customers rail against controls anyway.  You don't want port 25 
blocked so how would you feel if we mandated you install our ad-ware 
McAfee client and scanned your computer every 15 minutes?  And when you 
think about it, if the big boys gave up and blocked port 25 and stopped 
offering free anti-virus and a backrub when you call in, how can we 
afford to compete with that?

>
> Unfortunately, I don't see the trend reversing. I'm afraid that Internet
> freedoms are likely to continue to decline and an "Unlimited" Internet
> experience won't exist at the residential level in 5+ years.

I hope that you're exaggerating for effect, but you might be right.  
Small providers have trouble competing right now because of all the 
advantages the carriers have in the market.  Some of the ways small 
providers can distinguish themselves is through support, or offering 
things a big player won't.  So in some cases it's better to find a 
regional ISP and go with them because they may work with you, and they 
may be a little more lenient with some things.

I don't think port 25 is worth making a stand on though, there are 
better battles to fight (rate limiting) that actually mean something to 
the customer experience.

>
> --Blake
>

Robert
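The policy described in the post above, as an added example (editor's illustration, not configuration from the original message or from any particular ISP): residential subscribers may open TCP/25 only to the ISP's own relay, a business pool keeps unrestricted port 25, and submission on 587 (plus SMTPS on 465) is left open everywhere. Submission is left open because it is authenticated (RFC 6409), so a bot on a customer PC needs that customer's credentials to use it and abuse maps to a single account the ISP can rate-limit or disable, which is why a "block 587 next" cycle does not follow from blocking 25. All prefixes, the relay address and the set names are assumptions (RFC 5737 documentation ranges); this is an nftables ruleset for a router that forwards subscriber traffic, loaded with `nft -f`.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Treats outbound TCP/25 from
# residential subscribers as an authorization list rather than a dead port.
# Every address below is an assumed RFC 5737 documentation prefix.

table inet smtp_policy {
    # Residential subscriber pool (assumed).
    set residential_pool {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    # Business-class accounts that legitimately run their own MTA (assumed).
    set business_pool {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/26 }
    }

    # The ISP's own relay: the only port-25 destination residential hosts may reach (assumed).
    set isp_relay {
        type ipv4_addr
        elements = { 203.0.113.250 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Authenticated submission (587) and SMTPS (465) are never filtered:
        # the sender must hold account credentials, so abuse is tied to an account.
        tcp dport { 465, 587 } accept

        # Business pool: unrestricted outbound 25 (the "moved to a business pool" case).
        ip saddr @business_pool tcp dport 25 accept

        # Residential pool: port 25 only to the ISP's relay.
        ip saddr @residential_pool ip daddr @isp_relay tcp dport 25 accept

        # Any other outbound 25 from residential is almost certainly a bot.
        # Log a few new connections per source per hour so the abuse desk gets the
        # list of infected hosts for free, then reject so a misconfigured MUA fails fast.
        ip saddr @residential_pool tcp dport 25 ct state new \
            meter smtp25_log { ip saddr limit rate 3/hour burst 3 packets } \
            log prefix "smtp25-deny " level info
        ip saddr @residential_pool tcp dport 25 counter reject with tcp reset
    }
}
```

Two practical notes. First, the `counter` and per-source `log` lines are the cheap replacement for collating inbound abuse reports: a clean residential host essentially never initiates port-25 sessions to arbitrary hosts, so the sources hitting the reject rule are the infected machines, already deduplicated by address. Second, the ruleset only covers IPv4; an equivalent `ip6 saddr` set is needed once subscribers have IPv6, or the policy is bypassed by any bot that prefers AAAA records.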