The End-To-End Internet (was Re: Blocking MX query)

Sean Harlow sean at seanharlow.info
Wed Sep 5 10:49:02 CDT 2012


On Sep 5, 2012, at 11:11, Izaac wrote:

> This is why tcp port 25 filtering is totally effective and will remain so
> forever.  Definitely worth breaking basic function principles of a
> global communications network over which trillions of dollars of commerce
> occur.

Two things to note:

1. Restricting outbound port 25 is nothing new.  It's been in use since before SPF or DKIM were under development, yet it hasn't been defeated/bypassed.  Henry didn't specify whether the DKIM-valid messages he received were forged or if they just came from a random spam domain.  If the latter, of course that's trivial for spammers to make appear legitimate because the only goal of such systems is to verify that the sender controls or is approved by the domain the message claims to be from.

2. The reason port 25 blocks remain effective is that there really isn't a bypass.  If you want to spam, at some point you must establish a TCP connection to port 25 on the destination mail server.  You can either do this from your own machines (where a good hosting provider will cut you off in a hurry) or by using someone else's illegitimately.  Servers tend to be located in datacenters where again a good provider will take action, so botted end-user machines are obviously a huge thing to spammers.  Eliminate the ability for the majority of those bots to make said port 25 connections, and you've now forced them into a much smaller operating area where they're more likely to be found.  The only "bypass" is to go back to using their own machines or compromised equipment on higher-grade connections.

---
Sean Harlow
sean at seanharlow.info
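As an added illustration of the policy Sean describes (this is example code written for this page, not anything posted in the thread): an access-network egress rule that drops customer TCP/25 except to the provider's own relay, plus a small detector that flags customer hosts fanning out on port 25 to many MX destinations, which is the "much smaller operating area" signal a provider can act on. The address ranges, the relay address, the log format and every log line are constructed for the example; the threshold and the "distinct destinations" heuristic are assumptions, not a documented NANOG or vendor practice.

```python
"""Added example: model an ISP's outbound TCP/25 egress policy and flag
customer hosts that repeatedly hit it. Addresses use RFC 5737 test nets
and the log lines are constructed; nothing here is from the thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed: the customer access pool and the provider's own MX relay.
# Customers may still reach the relay on 25, or use submission (465/587).
CUSTOMER_POOL = ipaddress.ip_network("203.0.113.0/24")      # TEST-NET-3
ALLOWED_MX_RELAYS = {ipaddress.ip_address("198.51.100.25")}  # TEST-NET-2


def egress_verdict(src, dst, dport, proto="tcp"):
    """Return 'ACCEPT' or 'DROP' for one outbound flow.

    Policy (assumed for the example): hosts in the customer pool may not
    open TCP/25 to anything except the provider relay; everything else,
    including submission on 587/465, passes untouched."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto.lower() != "tcp" or dport != 25:
        return "ACCEPT"
    if src_ip not in CUSTOMER_POOL:
        return "ACCEPT"  # not a customer host; the rule does not apply
    if dst_ip in ALLOWED_MX_RELAYS:
        return "ACCEPT"  # legitimate path to the provider's relay
    return "DROP"


# Constructed log format, loosely modelled on a netfilter LOG target line.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log_line(line):
    """Extract (src, dst, proto, dport) from one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (m.group("src"), m.group("dst"), m.group("proto").lower(),
            int(m.group("dpt")))


def flag_likely_bots(log_lines, threshold=3):
    """Count distinct destinations each customer host tried on TCP/25 that
    the policy drops. A host fanning out to many MX hosts looks like a spam
    bot; a misconfigured mail client retries one relay. Returns
    {src: distinct_dst_count} for hosts at or above the threshold."""
    targets = defaultdict(set)
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, dst, proto, dpt = parsed
        if egress_verdict(src, dst, dpt, proto) == "DROP":
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


# Constructed sample: one host spraying four MX targets, one using the
# provider relay, one using submission, one single stray attempt.
SAMPLE_LOGS = [
    "kernel: EGRESS25 IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=25",
    "kernel: EGRESS25 IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=192.0.2.2 PROTO=TCP SPT=51001 DPT=25",
    "kernel: EGRESS25 IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=192.0.2.3 PROTO=TCP SPT=51002 DPT=25",
    "kernel: EGRESS25 IN=eth1 OUT=eth0 SRC=203.0.113.10 DST=192.0.2.4 PROTO=TCP SPT=51003 DPT=25",
    "kernel: EGRESS25 IN=eth1 OUT=eth0 SRC=203.0.113.20 DST=198.51.100.25 PROTO=TCP SPT=40000 DPT=25",
    "kernel: EGRESS25 IN=eth1 OUT=eth0 SRC=203.0.113.30 DST=192.0.2.9 PROTO=TCP SPT=40001 DPT=587",
    "kernel: EGRESS25 IN=eth1 OUT=eth0 SRC=203.0.113.40 DST=192.0.2.5 PROTO=TCP SPT=40002 DPT=25",
]

if __name__ == "__main__":
    for src, n in flag_likely_bots(SAMPLE_LOGS).items():
        print(f"{src}: {n} distinct blocked TCP/25 destinations")
```

The verdict function is the part that would be expressed as a single firewall rule in practice; the detector is what turns the block from a silent drop into a lead the provider can follow up on, which is the point of Sean's "more likely to be found".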

