The End-To-End Internet (was Re: Blocking MX query)

Jimmy Hess mysidia at
Thu Sep 6 02:43:11 UTC 2012

On 9/5/12, Sean Harlow <sean at> wrote:

> While I've clearly been on the side of "don't expect this to work", "why do
> you have your laptop set up like that?", and defending the default-blocking
> behavior on outbound, this is not true at least for Gmail.  I have a test
> Asterisk box which I've been really lazy about setting up properly that

I would still file it under... yes, there will probably be many mail
hosts you can contact that way. It will be understandable if many
block it,  but they don't have to.  If they give you a smart host,
then you should use that.

End-to-End doesn't imply control of the routing in-between smtp origin
and destination.

It will also be understandable if the ISP blocks outbound port 25, but
they don't have to.
Personally I would rather they not -- blocking port 25  doesn't make
the underlying problem go away;  it's just a way of  "hiding the
problem", so the ISP isn't pestered about it.

By blocking port 25; the ISP doesn't receive a spam complaint for
blocked non-legit activity, so they have fewer network abuse reports
to deal with.

Fewer users to turn off = fewer angered users switching to other providers
(Even if turning off the user in response to spam will help the user,
by alerting them to their compromised computer).

End user Having to use a smart relay host increases latency and
introduces a point of failure (ISP mail relay can fail or perform
unacceptably even when the network has no issues). If you have the
intelligence on your laptop to properly contact MX hosts;  the
restriction can be a hinderance,  and it is difficult to justify.

The ISP could block port 25 on report of abuse; but I suppose...
incident handlers' time reading abuse reports = $$$

Once the large ISPs do the math, it is understandable if their ISP
organizations' management eventually opts to block port 25.

For the ones who didn't choose to do that; presumably sufficient users
complained or they feared the competition would be strengthened or
charged  with their unpopular choice.

My idealistic preference would be the ISP allows outbound port 25,
but  are highly responsive to abuse complaints;   that way,  the
problem will be corrected,   instead of festering, until some day  the
laptop gets plugged into some network that happens to allow the port.

Or spreads the infection,  because of the port 25  block, the problem
goes undetected
and contributes to making the overall worse.

Just because a compromised host can't connect on port 25; doesn't mean
it is not a significant contribution to the problem.  Spreading
infection via other vectors;
spamming via other vectors such as IM,  Forum posts,  HTTP
contact/feedback forms...

There are plenty of abusive non port-25 activities  that ultimately
facilitate spamming.


More information about the NANOG mailing list