 Markie
join:2003-07-26
Kalispell, MT | Boo Boo to that. Punishing the innocent is never a cool thing. Kick off the spammers, don't block ports for the rest of us. This ought to be a bigger target of the net neutrality folks... | |
|  | 
Tweak
Premium
join:2002-06-08
Oklahoma City, OK
 ·Cox HSI
| Re: Boo Are you joking blocking outbound port 25 is one of the most effective methods in combating spam. Net neutrality is not about dictating How ISPs should run their networks. Net neutrality is about making sure traffic is treated equally and not discriminated against for competitive reasons. | |
| | | PapaMidnight
join:2009-01-13
Baltimore, MD
1 edit | Re: Boo I think he's more in reference to the block on port 80. But no argument about the latter part.
Edit: TLS or SSL are always options. | |
| | | | 
RARPSL
join:1999-12-08
Suffern, NY
| Re: Boo said by PapaMidnight  :TLS or SSL are always options. NO they are not since VZ does not support SSL on their POP or SMTP Servers (and does not support the SMTP-over-SSL and POP-over-SSL Ports [465 and 995 respectively]).
BTW: The blocking of Port25 is for attempts to connect to Non-VZ SMTP MSA Servers (Mail Injection from Clients) when using VZ connectivity. The activation of Port587 is good news since it means that you can now securely use the VZ MSA Servers when connected to some other Network (such as a WiFi or Hotel) where your UserID/PW can be monitored/stolen.
Even Better would be if VZ provided SSL support (as mentioned above). | |
| | | | | | | NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
 ·Pacific Bell - SBC
| Re: Boo said by tschmidt :How does blocking outbound Port 25 help? I agree inbound but fail to see what blocking outbound port 25 accomplishes. Outbound port 25 access allows a Verizon subscriber to access port 25 on a remote host. Such as an infected Verizon user's computer connecting to my mail server on port 25. If Verizon blocks outbound port 25 access, that means no 'bots on Verizon customers' infected computers can connect to my server.
The spammer does not need inbound port 25 access to the infected computer; any of the 65,535 TCP ports will suffice. But they can't get to the target gateway mail server from the Verizon network if the Verizon network chokes off port 25.
I watched the logs on my server, and, in 2004, SBC was the worst, followed by Comcast. In 2005, both SBC and Comcast implemented some form of blocking of outbound port 25. SBC opted for a blanket block on all users, and dubious connections from residential SBC IP addresses dropped dramatically. Comcast implemented a reactionary approach; block their subscribers when excessive SMTP activity was detected.
SBC dropped off the radar, and Comcast fell to near last place; Road Runner and Verizon became the top dogs in my dirty list.
The most recent rewrites of the email RFCs more clearly specify that port 25 access should be only used for mail transfer by email services, and that end user message submission should be done over port 587.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum | |
| | | | | 
tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
 ·Hollis Hosting
·Verizon Online DSL
·Fairpoint Communic..
| Re: Boo said by NormanS :Outbound port 25 access allows a Verizon subscriber to access port 25 on a remote host. It has been common practice for residential ISPs to block inbound Port 25 for years for exactly that reason.
said by NormanS : that end user message submission should be done over port 587. I read it over last night after I posted. I'll have to contact my hosting service to see what they support. I'm in New England, Verizon sold assets to FairPoint but I have to assume they will adopt similar policy at some point.
I'm in favor of steps that reduce spam but some ISPs have adopted rather silly an ineffective anti-spam measures that make life difficult.
/tom | |
| | | | | |
Tweak
Premium
join:2002-06-08
Oklahoma City, OK | Re: Boo Its not ineffective you have had fellow posters explain to you that its very effective in blocking spam. | |
| | | | | | NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC
| said by tschmidt :said by NormanS :Outbound port 25 access allows a Verizon subscriber to access port 25 on a remote host. It has been common practice for residential ISPs to block inbound Port 25 for years for exactly that reason. Blocking inbound port 25 has no effect on compromised computers' access gateway (MX) mail servers. You could block inbound port 25 to every Verizon customer, leave outbound port 25 unblocked, and compromise Verizon customer computers would be able to make connections to my gateway mail server unimpeded (unless the source IP address was in a blocking list, and my server queried same).
FWIW, neither AT&T (in the legacy SBC regions), nor Comcast block inbound port 25 by default. Comcast only blocks port 25 on evidence of abuse from their customer; that is a bidirectional block when implemented. AT&T (legacy SBC regions only) just blocks outbound port 25; though their block is bidirectional for AT&T Worldnet DSL and AT&T Southeast (legacy Bellsouth) customers.
said by NormanS : that end user message submission should be done over port 587. I read it over last night after I posted. I'll have to contact my hosting service to see what they support. I'm in New England, Verizon sold assets to FairPoint but I have to assume they will adopt similar policy at some point. I'm in favor of steps that reduce spam but some ISPs have adopted rather silly an ineffective anti-spam measures that make life difficult.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum | |
| | kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
| Once again, legitimate users are penalized for the actions of a few bad apples.
That said, I'm ok with port 25 blocking, only if:
1) the block is outbound only, not inbound, and
2) users have an option of having the block removed upon request.
While the majority of "average" users don't need port 25 (provided the ISP's mail servers accept mail on an alternate port such as 587, and they educate the users on how to configure their email clients to use said port), there are legitimate uses for outbound port 25 for power users:
1. One may maintain an offsite mail server and need to test connectivity to said server on port 25.
2. One may be using a non-ISP email service that doesn't accept connections on ports other than 25.
2. One may use nmap or other port scanning tools, and such tools won't report blocked ports.
Also, blocking port 25 is merely a band-aid. Spammers will find other ways to spew their crap (such as posted elsewhere where some spammers were trying to social engineer authentication info from users). For every ISP that blocks 25, there are 10 more that don't have it blocked and the spammers will just go there. Plus, what's to stop spammers from using the bots they already have to issue a DDOS attack, which can be done, port 25 blocked or not.
It's better to boot infected users and get them to clean up their act, than it is to "band-aid" their hemorrhaging.
--
To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you. | |
| | | NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC
| Re: Boo said by kpatz :It's better to boot infected users and get them to clean up their act, than it is to "band-aid" their hemorrhaging. Might as well boot customers who lose their accounts to social engineering while you are at it.
Actually, this could be good for bandwidth hogs, as well. We'd probably be booting a significant (greater than 5%) percentage of the Internet users in the U.S. if we did this. Thus, fewer users chasing bandwidth. Those using their Internet connections heavily would have fewer competitors for bandwidth; a good thing in their eyes, I am sure. 
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum | |
| 
birdfeedr
Premium,MVM
join:2001-08-11
Warwick, RI
 ·Verizon FIOS
1 edit | Finally... I've received quite a few bounced as undeliverable messages simply because I use verizon.net address. Spamhaus defines the blocklist, other ISPs use it.
So I get punished for the mistakes of others. Could be a problem though. We'll have to see if they lock it down to prevent me from using SMTP to my domain.
But something has to be done.
Here's a link to a tutorial that might be useful for understanding port 587. »blogs.3sharp.com/deving/archive/···730.aspx | |
| | | | | | | | | NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC
| said by KoolMoe :So...since I have my own server at a datacenter that hosts my domains and email (me@mydomain.net), when VZ locks out port 25, I'm not going to be able to send mail out through my own mail servers anymore...right? If you control message submission port of the servers yourself, you can change them to any port not blocked by Verizon. If your hosting provider controls the message submission ports, you just have to point them to RFC 5321, which specifies that port 587 is the preferred message submission port, and to RFC 4409, which defines port 587 as the message submission port. Once your servers are properly configured to use the RFC specified message submission port, it won't matter that Verizon blocks outbound port 25.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum | |
| | | 
Eat Me
join:2002-09-25
Sussex, NJ | It's time to set up a vpn. | |
| | | | 
N O Y B
St. John 3.16
join:2005-12-15
Forest Grove, OR
| Re: Time Warner Too?
said by Eat Me :It's time to set up a vpn.
Already did.
| |
| | | neufuse
join:2006-12-06
Indiana, PA | 587? Why is the push to port 587? is there something special about this port? Comcast already uses it, now verizon, why 587 specifically? | |
| | 
jackknife
join:2001-02-24
Phoenix, AZ
clubs: | Re: 587? Because 587 is also an SMTP port... Why make up a number when a standard port already exists? | |
| | | | NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC
| It is defined by RFC 4409 as THE port to use for SMTP message submission. Has been since RFC 2476 was published in December, 1998. It is just that nobody who should have paid attention then did. RFC 2476 was revised into RFC 4409, and, with more ISPs actually blockig outbound port 25 access (both Comcast and SBC adopted port 25 blocking in 2005; and others did so before that), more Email Service Providers are offering port 587 access.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum | |
| AVonGauss
Premium,MVM
join:2007-11-01
Boynton Beach, FL | About time... About time... | |
| 
jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
| External References Not commenting as a Comcast person, just a messaging guy (I am at a meeting of MAAWG today - and the author of the article gave the keynote).
Relevant references, for those interested:
MAAWG recommendations on port 25 @ »www.maawg.org/port25
IETF RFC 5068 / BCP 134 @ »www.ietf.org/rfc/rfc5068.txt
Jason
--
JL
Comcast | |
| cornelius785
join:2006-10-26
Worcester, MA
| i've got an idea from my experience of getting internet access from a college network, i think it would be a great idea to simply turn off internet access to someone that has an infected system. at the very most, there should be a 24 hour notice. whenever there was suspicious activity on your computer, the network admins would shut your port off. | |
|
N O Y B
St. John 3.16
join:2005-12-15
Forest Grove, OR
4 edits | NonsenseWow, that article is full of misleading and incorrect information. Just one example is that port 25 does not require authentication and that 587 does. That is so stupid; authentication is not a port dependency. For example when you use an SMTP client to send mail via outgoing.verizon.net on port 25 you have to authenticate. That is the way it is already right now today and has been that way a very long time if not from the beginning. However external mail servers exchange mail between each other and to/from relay.verizon.net on port 25 without any authentication. See authentication has nothing to do with the port number being used.
Even the statistics are skewed by the differing size of each ISP's customer base. The right metric would be CBL's per million subscribers. Believe that metric would show a more even distribution.
Block port 25 where? Inbound on customers service, outbound on customer service, customer service to/from relay.verizon.net, customer service to/from non verizon.net locations (third party and/or personally owned and operated SMTP servers), etc. etc. etc.? What are the specifics of the port 25 block?
Verizon already "blocks" outbound email from residential service to mail exchange servers by having those IP addresses listed in the Spamhaus PBL (Policy Block List). Any mail exchange server operator can use this to automatically lookup and reject all messages coming from those addresses. If mail exchange server opperators do not make use of it that is their, and their customers, problem. It would be interesting to know if Spamhaus uses their own PBL to filter out clients from their CBL data collection processes. I think if they did the CBL would not have nearly as many Verizon.net enteries.
It is a little difficult to discuss this without knowing the specific details of where and how they are going to block port 25, details which the article is conveniently omitting.
--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation | |
| | NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC
| Re: Nonsense said by N O Y B :Even the statistics are skewed by the differing size of each ISP's customer base. The right metric would be CBL's per million subscribers. Believe that metric would show a more even distribution. Or not. In 2004, the ISP with the largest subscriber base already blocked port 25 to their users (AOL). Two smaller providers (Comcast and SBC) had the highest number of dubious SMTP connectons to my server on port 25. The larger of the two (Comcast) had fewer dubious connections than the smaller of the two (SBC).
Both implemented some form of block on outbound port 25. By the end of 2005, dubious SMTP connections to port 25 from SBC subscribers dropped off significantly; no more than from such port 25 blocking ISPs as AOL, AT&T, Bellsouth, and Cox. Comcast was a bit higher than SBC, but still significantly less than such smaller ISPs as Verizon (which became number one in my list) and Road Runner.
Block port 25 where? Inbound on customers service, outbound on customer service, customer service to/from relay.verizon.net, customer service to/from non verizon.net locations (third party and/or personally owned and operated SMTP servers), etc. etc. etc.? What are the specifics of the port 25 block?
Outbound, from the customer to the remote server, by the sound of it.
Verizon already "blocks" outbound email from residential service to mail exchange servers by having those IP addresses listed in the Spamhaus PBL (Policy Block List).
As did some branches of SBC (such as the old Pacific Bell network); but that had to be maintained on a regular basis. As SBC brought newer IP address ranges into service, they neglected to keep the Spamhaus PBL updated. Simpler to just implement the block on their own network, than to publish their residential IP addresses to Spamhaus. And eliminates the need for the network engineers to keep track of thins when they changed the IP address assignments internally.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum | |
| | |
N O Y B
St. John 3.16
join:2005-12-15
Forest Grove, OR
| Re: NonsenseMuch of what you have stated here I believe is nothing more than speculation.
For instance, do not believe Comcast blocks outbound port 25 on their residential customer connections. Do you have evidence to the contrary?
Also your statement that from the sounds of it from the customer to the remote server, is speculation as well. The article does not provide specific enough details to make this determination.
--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation | |
| | | | Bill03
Premium
join:2007-11-26
Richmond, VA
clubs:
| Re: Nonsense said by N O Y B :For instance, do not believe Comcast blocks outbound port 25 on their residential customer connections. Do you have evidence to the contrary? I'm residential and they blocked mine awhile back. Did you mean all residential connections or just some? | |
| | | | |
N O Y B
St. John 3.16
join:2005-12-15
Forest Grove, OR | Re: NonsenseAccording to this Comcast only blocks outbound destination port 25 on connections where abuse is detected.
»Port 25 Out Blockage
| |
| | | | | | NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC
| Re: Nonsense said by N O Y B :According to this Comcast only blocks outbound destination port 25 on connections where abuse is detected. » Port 25 Out Blockage The evidence suggests that what Comcast considers abuse may not actually be abuse.
Also, the comparison, in my mail server logs, between Comcast, and SBC (now AT&T) suggests that waiting until abuse is detected is akin to closing the barn door after the horses have gotten out.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum | |
| | | | | | |
N O Y B
St. John 3.16
join:2005-12-15
Forest Grove, OR
1 edit | Re: NonsenseWhat Comcast considers to be abuse is not relevent. The point is that Comcast in fact does not globally block outbound destination port 25. Neither does Verizon, and doubt they will. So the question still remains as to exactly what the article is referring to when they claim Verizon is going to block port 25.
--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation | |
| | | | | | Bill03
Premium
join:2007-11-26
Richmond, VA
clubs:
| To elaborate on on my previous post I had proactively changed my port to 587 since I figured they were switching everyone over at some point. I switched it back awhile back to see if the email would go out on port 25. It didn't. Maybe I'm not really blocked and they didn't go out for some other reason. | |
| | | | | | | kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
| Re: Nonsense Comcast blocks 25 selectively for customers that meet certain usage patterns consistent with "spamming". That could be sending a large number of emails over a period of time, or even sending 1 email and having the recipient flag it as spam. If 587 works for you and 25 doesn't then something is blocking 25, probably your modem config provided by Comcast. | |
| | | | NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC
| said by N O Y B :Much of what you have stated here I believe is nothing more than speculation. For instance, do not believe Comcast blocks outbound port 25 on their residential customer connections. Do you have evidence to the contrary? The proof is here, in the DSLR Comcast forums, and the Microsoft help newsgroups at 'msnewes.microsoft.com'; the email client groups. Comcast customers suddenly unable to send on port 25, and, using Comcast's own recommendation to switch to using port 587 for message submission, able to send again.
The Comcast methodology is to monitor the customer connections for what Comcast considers excessive SMTP activity, and, to respond to third party complaints of abuse. They put a port 25 blocking configuration file on the subscribers cable modem. This block is bidirectional, against both inbound and outbound connections.
Also your statement that from the sounds of it from the customer to the remote server, is speculation as well. The article does not provide specific enough details to make this determination.
Blocking inbound port 25 is useless against 'botnet spam. The spammer doesn't need inbound port 25 to run spam through a 'bot; any of the 65,535 TCP ports will suffice. If Verizon intends for port 25 blocking to be effective at mitigating 'botnet spam from their network, blocking outbound port 25 is the only way to accomplish same.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum | |
| | | | |
See 6 replies to this post | |
RARPSL
join:1999-12-08
Suffern, NY | Receiving Email via Port587? The article has a major goof in that Port587 is used to SEND Email (in lieu of Port25). Receiving Email is via POP Port110 or 995 (the later is POP-over-SSL) or IMAP Ports 143/993 (normal or with SSL sessions). | |
| |
N O Y B
St. John 3.16
join:2005-12-15
Forest Grove, OR
| Re: Receiving Email via Port587?said by RARPSL :The article has a major goof in that Port587 is used to SEND Email (in lieu of Port25). Receiving Email is via POP Port110 or 995 (the later is POP-over-SSL) or IMAP Ports 143/993 (normal or with SSL sessions).
So what are you saying is the major goof?
--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation | |
|
N O Y B
St. John 3.16
join:2005-12-15
Forest Grove, OR
| Spamhaus Stats MissleadningIf Spamhaus is not using their own PBL list to reject connections to their spam traps then their stats are not representative of the real world in which most reputable mail exchange operators do use the Spamhaus PBL to reject connections.
For instance their spam traps will be accepting connections form ip addresses that real world exchange servers would not. So the botnet zombie would be able to spam Spamhaus spam traps but not real people.
The more botnet zombies in the Spamhaus lists the better. Makes it easy to identify and reject connections from bot net zombies for anyone who actually cares to do so.
The tools are there for exchange mail server operators to reject messages from these sources. If they chose not to do so that is their prerogative, and they and their customers will be the ones to bear the consequences.
--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation | |
| | | |
|
|
Verizon To Finally Crack Down On Spam
·
·
Time Warner Too?
