Outgoing SMTP Servers
rdrake at direcpath.com
Wed Oct 26 05:53:26 UTC 2011
On 10/25/2011 10:19 PM, Blake Hudson wrote:
> I didn't see anyone address this from the service provider abuse
> department perspective. I think larger ISPs got sick and tired of
> dealing with abuse reports or having their IP space blocked because of
> their own (infected) residential users sending out spam. The solution
> for them was to block the spam. The cheapest/easiest way to do this was
> to block TCP 25 between subs and the internet, thus starting a trend. If
> 587 becomes popular, spammers will move on and the same ISPs that
> blocked 25 will follow suit.
Actually, it doesn't work that way, because of what submission is
designed to do. I just posted another email about it so I won't repeat
it, but basically you should think of blocking port 25 as a list of
who's authorized to send email, not as a port we just killed for fun
while we wait for the spammers' next move.
> A better solution would have been to prevent infection or remove
> infected machines from the network (strong abuse policies, monitoring,
> give out free antivirus software, etc). Unfortunately, several major
> players (ATT, for example) went down the road of limiting internet
> access. Now that they've had a taste, some of them feel they can block
> other ports or applications like p2p (Comcast), Netflix (usage based
> billing on Bell, ATT, others).
As an ISP, I liked seeing abuse complaints drop to near zero when we did
this. We spent about a month fixing some people who don't use webmail
(most regular customers don't use an MUA anymore) and had our share of
third-party MTAs that refused to turn on submission (no idea why; these
were usually business-class comp accounts, so we moved them to a business
pool and dropped their ACLs), but overall we probably had fewer than 100
calls from doing this, and it made our lives easier.
Now I know you said you wanted us to be preventative and to treat the
problem, but that's just impractical. We got 5000 abuse emails a month
for (at the time) ~20k customers. Were 1/4 of them spamming? No, but
the ones that were spamming generated automated reports from everyone.
None of them were ever legitimate spammers. They were all users who
clicked on a funny puppy picture their mom sent, or some other thing
that set their computer on fire and had it spitting out gobs of porno
links to everyone it could find. So it wasn't a set of problem users,
it was just a random sampling of everyone's not-so-PC-savvy relatives.
So, let's say we wrote software to collate those reports and got it down
to 30 legitimate people (if we're lucky). Do we block their IPs and
wait for them to call in, then send them to Geek Squad? Do we try to fix
their infected PC over the phone? At this point, no matter what we do
they're going to get sent to a tier 2 tech which means at least 2 phone
calls and whatever revenue we might have gotten from them is gone for
quite a while. We can have one guy tied up all day every day trying to
process abuse issues or we can just shut down port 25 and the problem
Is their laptop uninfected? No, but they can no longer infect any other
customer in our network or anyone else's network, thus reducing global
infections. We've made the world a better place and saved ourselves
some money. Unfortunately, the first coffee shop they go to that
doesn't block port 25 is going to be a new spam source but we can't save
It may be possible in the future we'll have a more convenient method to
police PCs, but the network access controls that exist right now aren't
flexible enough to allow different networks to set different policies,
so if it's a work laptop and they have a domain administrator then
802.1X might not be possible, and mandating they have a firewall or
anti-virus turned on (or a specific version, that it's updated, etc.)
might not be possible.
Most customers rail against controls anyway. You don't want port 25
blocked, so how would you feel if we mandated you install our ad-ware
McAfee client and scanned your computer every 15 minutes? And when you
think about it, if the big boys gave up and blocked port 25 and stopped
offering free anti-virus and a backrub when you call in, how can we
afford to compete with that?
> Unfortunately, I don't see the trend reversing. I'm afraid that Internet
> freedoms are likely to continue to decline and an "Unlimited" Internet
> experience won't exist at the residential level in 5+ years.
I hope that you're exaggerating for effect, but you might be right.
Small providers have trouble competing right now because of all the
advantages the carriers have in the market. Some of the ways small
providers can distinguish themselves is through support, or offering
things a big player won't. So in some cases it's better to find a
regional ISP and go with them because they may work with you, and they
may be a little more lenient with some things.
I don't think port 25 is worth making a stand on, though; there are
better battles to fight (rate limiting) that actually mean something to
the customer experience.
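For readers following the distinction drawn above between port 25 and submission: the configuration below is an added illustration, not part of the original post or of any ISP's actual setup. It shows, in Postfix master.cf syntax, how an MSA can make port 587 an authenticated-only service while port 25 stays a plain MX listener that relays for nobody. It assumes Postfix 2.10 or later (for smtpd_relay_restrictions) and a Dovecot SASL socket at private/auth; the logging names and restriction lists are choices for this example.

```conf
# master.cf (excerpt) -- added example, not from the original post.
# Fields: service type private unpriv chroot wakeup maxproc command + args

# Port 25: inbound MX traffic only. No SASL here, so a compromised
# residential host that reaches this port can deliver to local domains
# but cannot relay outward. Keep $mynetworks free of customer pools,
# otherwise permit_mynetworks would turn this into an open relay for them.
smtp       inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/mx
  -o smtpd_sasl_auth_enable=no
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination

# Port 587 (submission, RFC 6409): TLS is mandatory and every client
# must authenticate before it may do anything. This is the "list of who
# is authorized to send" -- a bot on a customer PC has no credentials,
# so moving the outbound block from 25 to 587 buys the spammer nothing.
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/controlled_envelope_senders
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
```

The last two lines tie the envelope sender to the authenticated login, so a stolen password can only spam as that one account, which is then easy to rate limit or disable; that is the per-user handle the operator above says the network layer cannot give you for port 25.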