Topic 'Boo' in forum '' - dslreports.com

Topic 'Boo' in forum '' - dslreports.com http://www.dslreports.com/forum/Boo-21932085 en Thu, 09 Feb 2012 13:15:31 EDT Thu, 09 Feb 2012 13:15:31 EDT Re: Boo http://www.dslreports.com/forum/Re-Boo-21942161 said by kpatz:

It's better to boot infected users and get them to clean up their act, than it is to "band-aid" their hemorrhaging.
Might as well boot customers who lose their accounts to social engineering while you are at it.

Actually, this could be good for bandwidth hogs, as well. We'd probably be booting a significant (greater than 5%) percentage of the Internet users in the U.S. if we did this. Thus, fewer users chasing bandwidth. Those using their Internet connections heavily would have fewer competitors for bandwidth; a good thing in their eyes, I am sure. ;)
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum]]> http://www.dslreports.com/forum/Re-Boo-21942161 Thu, 19 Feb 2009 13:45:32 EDT Re: Boo http://www.dslreports.com/forum/Re-Boo-21941127
That said, I'm ok with port 25 blocking, only if:

1) the block is outbound only, not inbound, and
2) users have an option of having the block removed upon request.

While the majority of "average" users don't need port 25 (provided the ISP's mail servers accept mail on an alternate port such as 587, and they educate the users on how to configure their email clients to use said port), there are legitimate uses for outbound port 25 for power users:

1. One may maintain an offsite mail server and need to test connectivity to said server on port 25.
2. One may be using a non-ISP email service that doesn't accept connections on ports other than 25.
2. One may use nmap or other port scanning tools, and such tools won't report blocked ports.

Also, blocking port 25 is merely a band-aid. Spammers will find other ways to spew their crap (such as posted elsewhere where some spammers were trying to social engineer authentication info from users). For every ISP that blocks 25, there are 10 more that don't have it blocked and the spammers will just go there. Plus, what's to stop spammers from using the bots they already have to issue a DDOS attack, which can be done, port 25 blocked or not.

It's better to boot infected users and get them to clean up their act, than it is to "band-aid" their hemorrhaging.
--
To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you.]]> http://www.dslreports.com/forum/Re-Boo-21941127 Thu, 19 Feb 2009 10:41:39 EDT Re: Boo http://www.dslreports.com/forum/Re-Boo-21938205 said by tschmidt:

said by NormanS:

Outbound port 25 access allows a Verizon subscriber to access port 25 on a remote host.

It has been common practice for residential ISPs to block inbound Port 25 for years for exactly that reason.
Blocking inbound port 25 has no effect on compromised computers' access gateway (MX) mail servers. You could block inbound port 25 to every Verizon customer, leave outbound port 25 unblocked, and compromise Verizon customer computers would be able to make connections to my gateway mail server unimpeded (unless the source IP address was in a blocking list, and my server queried same).

FWIW, neither AT&T (in the legacy SBC regions), nor Comcast block inbound port 25 by default. Comcast only blocks port 25 on evidence of abuse from their customer; that is a bidirectional block when implemented. AT&T (legacy SBC regions only) just blocks outbound port 25; though their block is bidirectional for AT&T Worldnet DSL and AT&T Southeast (legacy Bellsouth) customers.

said by NormanS:

that end user message submission should be done over port 587.

Port 25 blocking is neither silly, nor ineffective. In fact, it has led to an increase in malicious attempts to gain AT&T customer email log in details. Since outbound port 25 is no longer available to the 'botnet spammers, they attempt to steal authorized log in credentials to the SMTP AUTH message submission servers. Using social engineering to steal that access from the users. It would seem that outbound port 25 blocking is putting the hurt on 'botnet spammers, if they have to resort to stealing accounts to get their spam sent.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum]]> http://www.dslreports.com/forum/Re-Boo-21938205 Wed, 18 Feb 2009 19:16:03 EDT Re: Boo http://www.dslreports.com/forum/Re-Boo-21937676 http://www.dslreports.com/forum/Re-Boo-21937676 Wed, 18 Feb 2009 17:35:59 EDT Re: Boo http://www.dslreports.com/forum/Re-Boo-21934891 said by NormanS:

Outbound port 25 access allows a Verizon subscriber to access port 25 on a remote host. It has been common practice for residential ISPs to block inbound Port 25 for years for exactly that reason.

said by NormanS:

that end user message submission should be done over port 587.

I read it over last night after I posted. I'll have to contact my hosting service to see what they support. I'm in New England, Verizon sold assets to FairPoint but I have to assume they will adopt similar policy at some point.

I'm in favor of steps that reduce spam but some ISPs have adopted rather silly an ineffective anti-spam measures that make life difficult.

/tom]]> http://www.dslreports.com/forum/Re-Boo-21934891 Wed, 18 Feb 2009 09:08:41 EDT Re: Boo http://www.dslreports.com/forum/Re-Boo-21934372 said by tschmidt:

How does blocking outbound Port 25 help? I agree inbound but fail to see what blocking outbound port 25 accomplishes.
Outbound port 25 access allows a Verizon subscriber to access port 25 on a remote host. Such as an infected Verizon user's computer connecting to my mail server on port 25. If Verizon blocks outbound port 25 access, that means no 'bots on Verizon customers' infected computers can connect to my server.

The spammer does not need inbound port 25 access to the infected computer; any of the 65,535 TCP ports will suffice. But they can't get to the target gateway mail server from the Verizon network if the Verizon network chokes off port 25.

I watched the logs on my server, and, in 2004, SBC was the worst, followed by Comcast. In 2005, both SBC and Comcast implemented some form of blocking of outbound port 25. SBC opted for a blanket block on all users, and dubious connections from residential SBC IP addresses dropped dramatically. Comcast implemented a reactionary approach; block their subscribers when excessive SMTP activity was detected.

SBC dropped off the radar, and Comcast fell to near last place; Road Runner and Verizon became the top dogs in my dirty list.

The most recent rewrites of the email RFCs more clearly specify that port 25 access should be only used for mail transfer by email services, and that end user message submission should be done over port 587.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum]]> http://www.dslreports.com/forum/Re-Boo-21934372 Wed, 18 Feb 2009 04:57:40 EDT Re: Boo http://www.dslreports.com/forum/Re-Boo-21934340 said by PapaMidnight:

TLS or SSL are always options.
NO they are not since VZ does not support SSL on their POP or SMTP Servers (and does not support the SMTP-over-SSL and POP-over-SSL Ports [465 and 995 respectively]).

BTW: The blocking of Port25 is for attempts to connect to Non-VZ SMTP MSA Servers (Mail Injection from Clients) when using VZ connectivity. The activation of Port587 is good news since it means that you can now securely use the VZ MSA Servers when connected to some other Network (such as a WiFi or Hotel) where your UserID/PW can be monitored/stolen.

Even Better would be if VZ provided SSL support (as mentioned above).]]> http://www.dslreports.com/forum/Re-Boo-21934340 Wed, 18 Feb 2009 04:27:43 EDT Re: Boo http://www.dslreports.com/forum/Re-Boo-21933326 said by Tweak:

Are you joking blocking outbound port 25 is one of the most effective methods in combating spam.
How does blocking outbound Port 25 help? I agree inbound but fail to see what blocking outbound port 25 accomplishes.

What it will do is annoy customer's like me that have a hosted domain and use off network SMTP server.

/tom]]> http://www.dslreports.com/forum/Re-Boo-21933326 Tue, 17 Feb 2009 22:09:21 EDT Re: Boo http://www.dslreports.com/forum/Re-Boo-21932260
Edit: TLS or SSL are always options.]]> http://www.dslreports.com/forum/Re-Boo-21932260 Tue, 17 Feb 2009 18:45:34 EDT Re: Boo http://www.dslreports.com/forum/Re-Boo-21932231 http://www.dslreports.com/forum/Re-Boo-21932231 Tue, 17 Feb 2009 18:38:20 EDT Boo http://www.dslreports.com/forum/Boo-21932085 http://www.dslreports.com/forum/Boo-21932085 Tue, 17 Feb 2009 18:12:54 EDT