Verizon To Finally Crack Down On Spam
After years on Spamhaus top ten list...
Spamhaus has long kept a list of the top ten most spam-laden networks. Many of the list's ISPs are regular fixtures because they've decided to save money by ignoring the problem of infected botnets on their networks. Verizon has traditionally been a mainstay on the list (which changes daily), and according to Spamhaus hosts the most infected botnet machines of any broadband ISP. However, the telco tells the Washington Post security blog that within the "next few months" Verizon will join most ISPs in locking down port 25 and will migrate customers to submit outgoing e-mail on port 587, the message submission port (receiving mail over POP or IMAP is not affected).
meowmeow
Member
join:2003-07-26
Helena, MT

Boo

Boo to that. Punishing the innocent is never a cool thing. Kick off the spammers, don't block ports for the rest of us. This ought to be a bigger target of the net neutrality folks...

Tweak
Premium Member
join:2002-06-08
Colonial Heights, VA

Re: Boo

Are you joking? Blocking outbound port 25 is one of the most effective methods of combating spam. Net neutrality is not about dictating how ISPs should run their networks. Net neutrality is about making sure traffic is treated equally and not discriminated against for competitive reasons.

PapaMidnight
Member
join:2009-01-13
Baltimore, MD

Re: Boo

I think he's more in reference to the block on port 80. But no argument about the latter part.

Edit: TLS or SSL are always options.

RARPSL
Member
join:1999-12-08
Suffern, NY

Re: Boo

said by PapaMidnight:

TLS or SSL are always options.
No, they are not, since VZ does not support SSL on their POP or SMTP servers (and does not support the SMTP-over-SSL and POP-over-SSL ports [465 and 995 respectively]).

BTW: The blocking of Port25 is for attempts to connect to Non-VZ SMTP MSA Servers (Mail Injection from Clients) when using VZ connectivity. The activation of Port587 is good news since it means that you can now securely use the VZ MSA Servers when connected to some other Network (such as a WiFi or Hotel) where your UserID/PW can be monitored/stolen.

Even Better would be if VZ provided SSL support (as mentioned above).

tschmidt to Tweak
MVM
join:2000-11-12
Milford, NH
·Consolidated Com..
·Republic Wireless
·Hollis Hosting
said by Tweak:

Are you joking blocking outbound port 25 is one of the most effective methods in combating spam.
How does blocking outbound Port 25 help? I agree inbound but fail to see what blocking outbound port 25 accomplishes.

What it will do is annoy customers like me who have a hosted domain and use an off-network SMTP server.

/tom

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

Re: Boo

said by tschmidt:

How does blocking outbound Port 25 help? I agree inbound but fail to see what blocking outbound port 25 accomplishes.
Outbound port 25 access allows a Verizon subscriber to access port 25 on a remote host. Such as an infected Verizon user's computer connecting to my mail server on port 25. If Verizon blocks outbound port 25 access, that means no 'bots on Verizon customers' infected computers can connect to my server.

The spammer does not need inbound port 25 access to the infected computer; any of the 65,535 TCP ports will suffice. But they can't get to the target gateway mail server from the Verizon network if the Verizon network chokes off port 25.

I watched the logs on my server, and, in 2004, SBC was the worst, followed by Comcast. In 2005, both SBC and Comcast implemented some form of blocking of outbound port 25. SBC opted for a blanket block on all users, and dubious connections from residential SBC IP addresses dropped dramatically. Comcast implemented a reactionary approach; block their subscribers when excessive SMTP activity was detected.

SBC dropped off the radar, and Comcast fell to near last place; Road Runner and Verizon became the top dogs in my dirty list.

The most recent rewrites of the email RFCs more clearly specify that port 25 access should be only used for mail transfer by email services, and that end user message submission should be done over port 587.

tschmidt
MVM
join:2000-11-12
Milford, NH

Re: Boo

said by NormanS:

Outbound port 25 access allows a Verizon subscriber to access port 25 on a remote host.
It has been common practice for residential ISPs to block inbound Port 25 for years for exactly that reason.
said by NormanS:

that end user message submission should be done over port 587.
I read it over last night after I posted. I'll have to contact my hosting service to see what they support. I'm in New England, Verizon sold assets to FairPoint but I have to assume they will adopt similar policy at some point.

I'm in favor of steps that reduce spam, but some ISPs have adopted rather silly and ineffective anti-spam measures that make life difficult.

/tom

Tweak
Premium Member
join:2002-06-08
Colonial Heights, VA

Re: Boo

It's not ineffective; you have had fellow posters explain to you that it's very effective in blocking spam.

NormanS to tschmidt
MVM
join:2001-02-14
San Jose, CA
said by tschmidt:
said by NormanS:

Outbound port 25 access allows a Verizon subscriber to access port 25 on a remote host.
It has been common practice for residential ISPs to block inbound Port 25 for years for exactly that reason.
Blocking inbound port 25 has no effect on compromised computers' access to gateway (MX) mail servers. You could block inbound port 25 to every Verizon customer, leave outbound port 25 unblocked, and compromised Verizon customer computers would be able to make connections to my gateway mail server unimpeded (unless the source IP address was in a blocking list, and my server queried same).

FWIW, neither AT&T (in the legacy SBC regions), nor Comcast block inbound port 25 by default. Comcast only blocks port 25 on evidence of abuse from their customer; that is a bidirectional block when implemented. AT&T (legacy SBC regions only) just blocks outbound port 25; though their block is bidirectional for AT&T Worldnet DSL and AT&T Southeast (legacy Bellsouth) customers.
said by NormanS:

that end user message submission should be done over port 587.
I read it over last night after I posted. I'll have to contact my hosting service to see what they support. I'm in New England, Verizon sold assets to FairPoint but I have to assume they will adopt similar policy at some point.

I'm in favor of steps that reduce spam, but some ISPs have adopted rather silly and ineffective anti-spam measures that make life difficult.
Port 25 blocking is neither silly, nor ineffective. In fact, it has led to an increase in malicious attempts to gain AT&T customer email log in details. Since outbound port 25 is no longer available to the 'botnet spammers, they attempt to steal authorized log in credentials to the SMTP AUTH message submission servers. Using social engineering to steal that access from the users. It would seem that outbound port 25 blocking is putting the hurt on 'botnet spammers, if they have to resort to stealing accounts to get their spam sent.
kpatz to meowmeow
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH
Once again, legitimate users are penalized for the actions of a few bad apples.

That said, I'm ok with port 25 blocking, only if:

1) the block is outbound only, not inbound, and
2) users have an option of having the block removed upon request.

While the majority of "average" users don't need port 25 (provided the ISP's mail servers accept mail on an alternate port such as 587, and they educate the users on how to configure their email clients to use said port), there are legitimate uses for outbound port 25 for power users:

1. One may maintain an offsite mail server and need to test connectivity to said server on port 25.
2. One may be using a non-ISP email service that doesn't accept connections on ports other than 25.
3. One may use nmap or other port scanning tools, and such tools won't report blocked ports.

Also, blocking port 25 is merely a band-aid. Spammers will find other ways to spew their crap (such as posted elsewhere where some spammers were trying to social engineer authentication info from users). For every ISP that blocks 25, there are 10 more that don't have it blocked and the spammers will just go there. Plus, what's to stop spammers from using the bots they already have to issue a DDOS attack, which can be done, port 25 blocked or not.

It's better to boot infected users and get them to clean up their act, than it is to "band-aid" their hemorrhaging.

NormanS
MVM
join:2001-02-14
San Jose, CA

Re: Boo

said by kpatz:

It's better to boot infected users and get them to clean up their act, than it is to "band-aid" their hemorrhaging.
Might as well boot customers who lose their accounts to social engineering while you are at it.

Actually, this could be good for bandwidth hogs, as well. We'd probably be booting a significant (greater than 5%) percentage of the Internet users in the U.S. if we did this. Thus, fewer users chasing bandwidth. Those using their Internet connections heavily would have fewer competitors for bandwidth; a good thing in their eyes, I am sure.

birdfeedr
MVM
join:2001-08-11
Warwick, RI

Finally...

I've received quite a few bounced as undeliverable messages simply because I use verizon.net address. Spamhaus defines the blocklist, other ISPs use it.

So I get punished for the mistakes of others. Could be a problem though. We'll have to see if they lock it down to prevent me from using SMTP to my domain.

But something has to be done.

Here's a link to a tutorial that might be useful for understanding port 587. »blogs.3sharp.com/deving/ ··· 730.aspx

swintec
Premium Member
join:2003-12-19
Alfred, ME

Time Warner Too?

I wonder if Time Warner will follow suit. They have port 25 open, which I use to access my server's mail. I send quite a bit... Judging by the graph, TW is in the top three. Will have to wait and see, I guess.

KoolMoe
Aw Man
Premium Member
join:2001-02-14
Annapolis, MD

Re: Time Warner Too?

So...since I have my own server at a datacenter that hosts my domains and email (me@mydomain.net), when VZ locks out port 25, I'm not going to be able to send mail out through my own mail servers anymore...right?

So I'll have to send out via Verizon's mail servers...correct? Ok...but there won't be any sender authentication, right? So VZ's SMTP server isn't going to refuse to send my emails because the From is not a 'verizon.com/net' address, right?

Argh.
KM

swintec
Premium Member
join:2003-12-19
Alfred, ME

Re: Time Warner Too?

Not at all....Instead of port 25 in your email client for outbound mail, change it to port 587 and you will be back in business with your own server.

NormanS to KoolMoe
MVM
join:2001-02-14
San Jose, CA
said by KoolMoe:

So...since I have my own server at a datacenter that hosts my domains and email (me@mydomain.net), when VZ locks out port 25, I'm not going to be able to send mail out through my own mail servers anymore...right?
If you control message submission port of the servers yourself, you can change them to any port not blocked by Verizon. If your hosting provider controls the message submission ports, you just have to point them to RFC 5321, which specifies that port 587 is the preferred message submission port, and to RFC 4409, which defines port 587 as the message submission port. Once your servers are properly configured to use the RFC specified message submission port, it won't matter that Verizon blocks outbound port 25.
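The switch the posts above describe, from direct-to-MX delivery on port 25 to authenticated submission on port 587, can be checked from the client side. The script below is an added example, not code from the thread or from any poster; the host, user and password are placeholders you replace with your own hosting provider's MSA. It probes both ports, reports whether outbound 25 looks blocked (a silent timeout on 25 while 587 connects, which nmap would show as "filtered"), and submits through 587 using STARTTLS (RFC 3207) and SMTP AUTH, refusing to send a password on an unencrypted session.

```python
"""Probe whether outbound TCP/25 is blocked and submit mail on 587 instead.

Added example, not from the thread. Hostnames and credentials below are
placeholders; point them at the MSA your hosting provider runs on port 587.
"""
import smtplib
import socket
import ssl
from email.message import EmailMessage

SMTP_PORT = 25          # MTA-to-MTA transfer; residential ISPs often block this outbound
SUBMISSION_PORT = 587   # RFC 4409 message submission; requires SMTP AUTH


def probe_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'error' for a TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # host reachable, nothing listening: not an ISP block
    except socket.timeout:
        return "timeout"   # silent drop: the usual signature of an ISP-side block
    except OSError:
        return "error"


def classify(results: dict) -> str:
    """Interpret per-port probe results for a host known to listen on both ports.

    A 'timeout' on 25 while 587 is 'open' means something between the client
    and the server is dropping port 25; nmap reports the same as 'filtered'.
    """
    p25, p587 = results.get(SMTP_PORT), results.get(SUBMISSION_PORT)
    if p25 == "open":
        return "outbound 25 reachable"
    if p25 == "timeout" and p587 == "open":
        return "outbound 25 appears blocked; use 587"
    if p25 == "timeout" and p587 == "timeout":
        return "host unreachable or down (both ports time out)"
    if p25 == "refused":
        return "host reachable but no MTA on 25"
    return "inconclusive"


def submit_via_587(host: str, user: str, password: str, msg: EmailMessage,
                   timeout: float = 10.0) -> dict:
    """Send through an MSA on 587 with STARTTLS and SMTP AUTH.

    If the server does not advertise STARTTLS we abort rather than fall back
    to sending the password in the clear (the hotel/WiFi case in the thread).
    """
    ctx = ssl.create_default_context()   # verifies the server certificate
    with smtplib.SMTP(host, SUBMISSION_PORT, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise RuntimeError("MSA does not offer STARTTLS; not sending credentials")
        s.starttls(context=ctx)
        s.ehlo()   # re-EHLO after TLS: the capability list may change once encrypted
        s.login(user, password)
        return s.send_message(msg)   # empty dict means every recipient was accepted


if __name__ == "__main__":
    target = "mail.example.net"   # placeholder for your own mail host
    results = {p: probe_port(target, p) for p in (SMTP_PORT, SUBMISSION_PORT)}
    print(results, "->", classify(results))
    if results[SUBMISSION_PORT] == "open":
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = "me@example.net", "you@example.org", "587 test"
        m.set_content("Submitted over 587 with STARTTLS and AUTH.")
        print(submit_via_587(target, "me@example.net", "changeme", m))
```

Run it from the ISP connection in question against a host you control that listens on both ports; a "timeout" on 25 next to "open" on 587 is the block, and a "refused" on 25 means the path is fine but nothing is listening.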

fifty nine to KoolMoe
Member
join:2002-09-25
Sussex, NJ
It's time to set up a vpn.

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

Re: Time Warner Too?

said by fifty nine:

It's time to set up a vpn.

Already did.


Anonymous_ to swintec
Anonymous
Premium Member
join:2004-06-21
127.0.0.1
said by swintec:

i wonder if Time Warner will follow suit. They have port 25 open which I use to access my servers mail. I send quite a bit...Judging by the graph, TW is in the top three. Will have to wait and see i guess.
TWC will shut down your internet within 24 hours of being reported.
neufuse
Member
join:2006-12-06
James Creek, PA

587?

Why is the push to port 587? is there something special about this port? Comcast already uses it, now verizon, why 587 specifically?

jackknife
Member
join:2001-02-24
Phoenix, AZ

Re: 587?

Because 587 is also an SMTP port... Why make up a number when a standard port already exists?

vpoko to neufuse
Premium Member
join:2003-07-03
Boston, MA
587 is defined as the ESMTP email submission port per RFC 2476 (»tools.ietf.org/html/rfc2476). RFC 3207 (»tools.ietf.org/html/rfc3207) defines the use of transport-layer security over this port.

NormanS to neufuse
MVM
join:2001-02-14
San Jose, CA
It is defined by RFC 4409 as THE port to use for SMTP message submission. Has been since RFC 2476 was published in December, 1998. It is just that nobody who should have paid attention then did. RFC 2476 was revised into RFC 4409, and, with more ISPs actually blocking outbound port 25 access (both Comcast and SBC adopted port 25 blocking in 2005; and others did so before that), more Email Service Providers are offering port 587 access.
AVonGauss
Premium Member
join:2007-11-01
Boynton Beach, FL

About time...

About time...

jlivingood
Premium Member
join:2007-10-28
Philadelphia, PA

External References

Not commenting as a Comcast person, just a messaging guy (I am at a meeting of MAAWG today - and the author of the article gave the keynote).

Relevant references, for those interested:
MAAWG recommendations on port 25 @ »www.maawg.org/port25
IETF RFC 5068 / BCP 134 @ »www.ietf.org/rfc/rfc5068.txt

Jason
cornelius785
Member
join:2006-10-26
Worcester, MA

i've got an idea

From my experience of getting internet access from a college network, I think it would be a great idea to simply turn off internet access to someone who has an infected system. At the very most, there should be a 24 hour notice. Whenever there was suspicious activity on your computer, the network admins would shut your port off.

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

Nonsense


Wow, that article is full of misleading and incorrect information. Just one example is that port 25 does not require authentication and that 587 does. That is so stupid; authentication is not a port dependency. For example when you use an SMTP client to send mail via outgoing.verizon.net on port 25 you have to authenticate. That is the way it is already right now today and has been that way a very long time if not from the beginning. However external mail servers exchange mail between each other and to/from relay.verizon.net on port 25 without any authentication. See authentication has nothing to do with the port number being used.

Even the statistics are skewed by the differing size of each ISP's customer base. The right metric would be CBL's per million subscribers. Believe that metric would show a more even distribution.

Block port 25 where? Inbound on customers service, outbound on customer service, customer service to/from relay.verizon.net, customer service to/from non verizon.net locations (third party and/or personally owned and operated SMTP servers), etc. etc. etc.? What are the specifics of the port 25 block?

Verizon already "blocks" outbound email from residential service to mail exchange servers by having those IP addresses listed in the Spamhaus PBL (Policy Block List). Any mail exchange server operator can use this to automatically look up and reject all messages coming from those addresses. If mail exchange server operators do not make use of it, that is their, and their customers', problem. It would be interesting to know if Spamhaus uses their own PBL to filter out clients from their CBL data collection processes. I think if they did the CBL would not have nearly as many Verizon.net entries.

It is a little difficult to discuss this without knowing the specific details of where and how they are going to block port 25, details which the article is conveniently omitting.

NormanS
MVM
join:2001-02-14
San Jose, CA

Re: Nonsense

said by NOYB:

Even the statistics are skewed by the differing size of each ISP's customer base. The right metric would be CBL's per million subscribers. Believe that metric would show a more even distribution.
Or not. In 2004, the ISP with the largest subscriber base already blocked port 25 to their users (AOL). Two smaller providers (Comcast and SBC) had the highest number of dubious SMTP connections to my server on port 25. The larger of the two (Comcast) had fewer dubious connections than the smaller of the two (SBC).

Both implemented some form of block on outbound port 25. By the end of 2005, dubious SMTP connections to port 25 from SBC subscribers dropped off significantly; no more than from such port 25 blocking ISPs as AOL, AT&T, Bellsouth, and Cox. Comcast was a bit higher than SBC, but still significantly less than such smaller ISPs as Verizon (which became number one in my list) and Road Runner.
Block port 25 where? Inbound on customers service, outbound on customer service, customer service to/from relay.verizon.net, customer service to/from non verizon.net locations (third party and/or personally owned and operated SMTP servers), etc. etc. etc.? What are the specifics of the port 25 block?
Outbound, from the customer to the remote server, by the sound of it.
Verizon already "blocks" outbound email from residential service to mail exchange servers by having those IP addresses listed in the Spamhaus PBL (Policy Block List).
As did some branches of SBC (such as the old Pacific Bell network); but that had to be maintained on a regular basis. As SBC brought newer IP address ranges into service, they neglected to keep the Spamhaus PBL updated. Simpler to just implement the block on their own network than to publish their residential IP addresses to Spamhaus. And it eliminates the need for the network engineers to keep track of things when they change the IP address assignments internally.

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

Re: Nonsense


Much of what you have stated here I believe is nothing more than speculation.

For instance, do not believe Comcast blocks outbound port 25 on their residential customer connections. Do you have evidence to the contrary?

Also your statement that from the sounds of it from the customer to the remote server, is speculation as well. The article does not provide specific enough details to make this determination.
Bill03
Premium Member
join:2007-11-26
Richmond, VA

Re: Nonsense

said by NOYB:


For instance, do not believe Comcast blocks outbound port 25 on their residential customer connections. Do you have evidence to the contrary?
I'm residential and they blocked mine awhile back. Did you mean all residential connections or just some?

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

Re: Nonsense

According to this Comcast only blocks outbound destination port 25 on connections where abuse is detected.

»Port 25 Out Blockage



NormanS to NOYB
MVM
join:2001-02-14
San Jose, CA
said by NOYB:

Much of what you have stated here I believe is nothing more than speculation.

For instance, do not believe Comcast blocks outbound port 25 on their residential customer connections. Do you have evidence to the contrary?
The proof is here, in the DSLR Comcast forums, and the Microsoft help newsgroups at 'msnewes.microsoft.com'; the email client groups. Comcast customers suddenly unable to send on port 25, and, using Comcast's own recommendation to switch to using port 587 for message submission, able to send again.

The Comcast methodology is to monitor the customer connections for what Comcast considers excessive SMTP activity, and, to respond to third party complaints of abuse. They put a port 25 blocking configuration file on the subscribers cable modem. This block is bidirectional, against both inbound and outbound connections.
Also your statement that from the sounds of it from the customer to the remote server, is speculation as well. The article does not provide specific enough details to make this determination.
Blocking inbound port 25 is useless against 'botnet spam. The spammer doesn't need inbound port 25 to run spam through a 'bot; any of the 65,535 TCP ports will suffice. If Verizon intends for port 25 blocking to be effective at mitigating 'botnet spam from their network, blocking outbound port 25 is the only way to accomplish same.


RARPSL
Member
join:1999-12-08
Suffern, NY

Receiving Email via Port587?

The article has a major goof in that port 587 is used to SEND email (in lieu of port 25). Receiving email is via POP port 110 or 995 (the latter is POP-over-SSL) or IMAP ports 143/993 (normal or with SSL sessions).

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

Re: Receiving Email via Port587?

said by RARPSL:

The article has a major goof in that port 587 is used to SEND email (in lieu of port 25). Receiving email is via POP port 110 or 995 (the latter is POP-over-SSL) or IMAP ports 143/993 (normal or with SSL sessions).

So what are you saying is the major goof?
NOYB
Premium Member

Spamhaus Stats Misleading


If Spamhaus is not using their own PBL list to reject connections to their spam traps then their stats are not representative of the real world in which most reputable mail exchange operators do use the Spamhaus PBL to reject connections.

For instance, their spam traps will be accepting connections from IP addresses that real-world exchange servers would not. So the botnet zombie would be able to spam Spamhaus spam traps but not real people.

The more botnet zombies in the Spamhaus lists the better. Makes it easy to identify and reject connections from bot net zombies for anyone who actually cares to do so.

The tools are there for exchange mail server operators to reject messages from these sources. If they chose not to do so that is their prerogative, and they and their customers will be the ones to bear the consequences.
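The PBL check that NOYB's two posts above describe (a mail exchanger rejecting residential/dynamic space at connect time, independent of any port 25 block) is a single DNS lookup. The script below is an added example, not code from the thread or from Spamhaus: it builds the reversed query name for Spamhaus ZEN, maps the 127.0.0.x answer codes to the SBL/XBL(CBL)/PBL sub-lists as Spamhaus documents them (verify against current documentation before relying on it), and applies a reject policy. The zone name is the public one; the sample IP and the sample answers are constructed for illustration and do not reflect a real listing.

```python
"""Query a DNS blocklist (Spamhaus ZEN) for a connecting client IP.

Added example, not from the thread. The answer-code meanings are the ones
Spamhaus publishes for ZEN (SBL, XBL/CBL and PBL combined).
"""
import ipaddress
import socket

ZEN = "zen.spamhaus.org"   # public zone; high-volume users need Spamhaus's DQS instead

# ZEN answers are A records in 127.0.0.0/8. PBL hits are 127.0.0.10 (ISP
# maintained, the Verizon case in the thread) or 127.0.0.11 (Spamhaus maintained).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (CBL)",
    "127.0.0.5": "XBL (CBL)",
    "127.0.0.6": "XBL (CBL)",
    "127.0.0.7": "XBL (CBL)",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}


def dnsbl_name(ip: str, zone: str = ZEN) -> str:
    """Reversed lookup name: 1.2.3.4 -> 4.3.2.1.zone; IPv6 is nibble-reversed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(ip.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def interpret(answers) -> list:
    """Map A-record answers to sub-list names, lowest code first; unknown codes kept."""
    ordered = sorted(set(answers), key=ipaddress.ip_address)
    return [ZEN_CODES.get(a, f"unknown ({a})") for a in ordered]


def should_reject(answers, reject_on=("PBL", "XBL", "SBL")) -> bool:
    """Policy: reject when any hit belongs to one of the reject_on lists.

    A PBL-only hit says 'dynamic/residential space that should not be talking
    direct-to-MX': an MX that honours it refuses bot traffic from those
    ranges whether or not the ISP blocks port 25.
    """
    return any(name.startswith(reject_on) for name in interpret(answers))


def lookup(ip: str, zone: str = ZEN) -> list:
    """Live DNS query (needs network). NXDOMAIN means 'not listed'."""
    try:
        _, _, addrs = socket.gethostbyname_ex(dnsbl_name(ip, zone))
    except socket.gaierror:
        return []
    return addrs


if __name__ == "__main__":
    sample_ip = "192.0.2.25"                        # constructed: documentation range
    sample_answers = ["127.0.0.10", "127.0.0.4"]    # constructed: PBL + CBL hits
    print(dnsbl_name(sample_ip))
    print(interpret(sample_answers), "reject:", should_reject(sample_answers))
```

In production the same logic lives in the MTA (for example a Postfix `reject_rbl_client zen.spamhaus.org` restriction); the point of the standalone version is to see exactly which sub-list a client tripped, since a PBL-only hit is policy, not evidence of infection, while an XBL hit is a CBL-observed bot.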