ISP port blocking practice

Robert Bonomi bonomi at
Wed Sep 8 05:05:04 UTC 2010

> From at  Tue Sep  7 15:15:13 2010
> Date: Mon, 6 Sep 2010 19:55:06 -0500
> From: Brett Frankenberger <rbf+nanog at>
> To: deleskie at
> Subject: Re: ISP port blocking practice
> Cc: NANOG list <nanog at>
> On Mon, Sep 06, 2010 at 10:38:15PM +0000, deleskie at wrote:
> >
> > Having worked in past @ 3 large ISPs with residential customer pools
> > I can tell you we saw a very direct drop in spam issues when we
> > blocked port 25.
> No one is disputing that.  Or, at least, I'm not disputing that.  I'm
> questioning whether or not the *Internet* has experienced any decrease
> in aggregate spam as a result of ISPs blocking port 25.  Did the spam
> you blocked disappear, or did it all get sent some other way?  

_I_ can't say about 'some other way',  but, on average, between 1/4 and 1/3
of the all the incoming spam at my personal server is 'direct to MX', that
would have been been, at least 'slowed a little bit' by "classical, dumb" 
port 25 blocking.

Now, a *smart* port 25 enforcer -- where traffic outbound to port 25 was
selectively NATted into a 'data sink' -- something that replies "200" to 
everything up to the DATA command, and _always_ gives a 5xy response to 
that (with text like "you must send outgoing mail though our server'),
WOULD kill the traffic dead. Or, at least, force the spamware writers to 
start paying attention to SMTP response codes, *IF* they wanted to count
deliveries.  All available evidence says that -most- spammers/spamware/
botnets pay no attention to such -- as established by the effectiveness of
GreetPause, and greylisting.

It is worth noting that this kind of 'smart' port 25 blocking would also
automatically identify 'infected' machines, and by consulting the records
of who is corrently on that IP address, tell _which_customer_ is has the
infected machine, *AND* notify the customer of their problem.  all without
any need for any (expensive) human involvement.

Aside, if spamware _had_ to 'obey the rules' of SMTP transactions, regarding
reading reply codes, that alone would probalbly reduce by 50%, if not
more, the aggregate sending _capacity_ of the world's spam sources.  Whether
that would make much of a difference, I don''t know -- depnds on how far
existing 'capacity' exeeeds existing usage/demand.133-136 140 142-145 147

More information about the NANOG mailing list