ISP port blocking practice

Brian Johnson bjohnson at
Mon Sep 13 02:34:28 UTC 2010

>-----Original Message-----
>From: Owen DeLong [mailto:owen at]
>Sent: Friday, September 03, 2010 1:10 PM
>To: John Levine
>Cc: nanog at
>Subject: Re: ISP port blocking practice
>Sent from my iPad


>On Sep 3, 2010, at 10:10 PM, John Levine <johnl at> wrote:
>>> Really?  So, since so many ISPs are blocking port 25, there's lots
less spam
>>> hitting our networks?
>> It's been extremely effective in blocking spam sent by spambots on
>> large ISPs.  It's not a magic anti-spam bullet.  (If you know one,
>> please let us know.)
>That simply hasn't been my experience. I still get lots of spam from
>hosts in large provider networks, and yes, that includes many that
block 25. As
>near as I can tell, 25 blocking is not affecting spammers at all, just
>There was a time when it was effective, but the spammers have long
>adapted. Now we are only breaking the Internet. We are no ,onger
>accomplishing anything ireful. It's pure momentum.

So.... How are you getting messages from a user who is sending a message
from a network with port 25 blocked?

If there is some kind of alternate port usage, or tunneling going on,
then there would have been no way to stop it with a filter without doing
even more filtering. This additional filtering would likely increase the
number of blocked port numbers. This would start breaking other valid

Since you have no suggestions on how to actually handle this issue, I
would suggest that you stop criticizing the ones trying to solve the
problem for the excessive majority (likely < 99.999%) of users. It is OK
to represent the needs of a minority, but the average user doesn't even
notice these types of filters and it prevents (largely) ISPs from
spending time removing customer IP addresses from RBLs and other
filtering mechanisms. 
>>> workaround. Since, like many of us, I use a lot of transient
>>> having to reconfigure for each unique set of brokenness is actually
>>> more of my time than the spam this brokenness was alleged to
>> Is there some reason you aren't able to configure your computers to
>> tunnels or SUBMIT?  They seem to work pretty well for other people.
>Many of the transient networks I deal with block 22, 25, 465, and 587.
>also often block protocols 41 and 43 or do not provide a public
>rendering those protocols unusable anyway.
>Yes, I am now running ssh and s,tp processes on ports 80 and 443 to get
>around this, but, that consumes an extra address for something that
>be handled by a port number.

I'm sorry that you have/had to deal with a provider doing this. I would
call it bad form to block ports used for completely valid reasons (not
abused services) and would stand by you on those issues.

>Personally, i'd rather use port numbers for l4 uniqueness rather than

With you here brother. :)


BTW... In a previous post you mentioned "Net Neutrality". Port 25
blocking has NOTHING to do with "Net Neutrality" as long as you block
port 25 in a non-partisan manner. If I block port 25 to provider X and
not to provider Y for any reason other than abuse/security/network
stability specific reasons (meaning to be financially or ethically
unreasonable), then it may be considered not being "neutral" in the
terms of "Net Neutrality". I would NEVER do such a thing.

- Brian

 CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the
intended recipient(s) and may contain confidential and privileged information. Any unauthorized review,
copying, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original message. Thank you.

More information about the NANOG mailing list