[Chapter-delegates] Blocking port tcp/25 outgoing
Franck Martin
franck at avonsys.com
Wed Nov 11 00:12:16 PST 2009
You make a mistake here.
The problem is not that port 25 provides TLS but that port 25 does not offer authentication first and only.
This works like this.
Take an email, look for the domain, look for the MX, send an email to this domain with or without TLS, it does not make a single difference, repeat the operation
Now if you are on an end-user IP, and 25 is denied to you but not 587, you cannot drop an email to port 587 if you have not authenticated first (login/password). So it is impossible for you to send an email unless 1) you operate your own SMTP server on a static IP, known by your ISP (with a path to complain to), or 2) you authenticate on someone's mail server first to send email, therefore we know who sent spam and can terminate the login.
This kills a lot of botnet operations.
Botnet spam is 80% of the spam out there.
Try to explain to your mother she has to fix her PC now because it has a botnet.
In a recent study, despite telling users to upgrade from IE6, 20% did not do it, for various reasons.
In another study, 8% of users clicked on a phishing link despite receiving warning messages.
Experts will make email client software autodetect if port 587 is open to send email.
Franck Martin
http://www.avonsys.com/
http://www.facebook.com/Avonsys
twitter: FranckMartin Avonsys
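The two policies Franck describes (MX delivery on port 25 with no authentication and no relaying, versus message submission on port 587 where MAIL FROM is refused until the client has authenticated, plus the ISP egress rule that only registered static MTAs may open outbound 25) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from the thread, from Avonsys or from any ISP; the domains, addresses, credentials and the simplified SASL PLAIN handling are constructed for illustration.

```python
"""Toy model of the port 25 / port 587 split discussed in the thread.

Added example, not code from the thread or from any ISP: an ISP egress
filter plus a mail server that applies two different policies, port 25
(MTA-to-MTA delivery, no authentication, no relaying) and port 587
(message submission, authentication required before MAIL FROM). All
addresses, domains and credentials below are constructed for illustration.
"""
import base64
import ipaddress
from typing import List, Optional, Tuple

LOCAL_DOMAINS = {"example.net"}                          # domains this host is MX for
USERS = {"alice": "correct-horse"}                       # submission logins (constructed)
STATIC_MTA_ALLOWLIST = {"203.0.113.10"}                  # customer MTAs registered with the ISP
DYNAMIC_POOL = ipaddress.ip_network("198.51.100.0/24")  # residential/dynamic address range


def isp_egress_allowed(src_ip: str, dst_port: int) -> bool:
    """ISP-side rule from the thread: dynamic-pool hosts may not open
    outbound 25 unless registered as a static MTA; 587 is always allowed."""
    if dst_port != 25:
        return True
    return (ipaddress.ip_address(src_ip) not in DYNAMIC_POOL
            or src_ip in STATIC_MTA_ALLOWLIST)


class Session:
    """One SMTP session on either listener; handle() returns the server reply."""

    def __init__(self, port: int) -> None:
        self.port = port
        self.authenticated_as: Optional[str] = None
        self.sender: Optional[str] = None
        self.log: List[Tuple[str, str, str]] = []   # (login, sender, recipient)

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            exts = ["250-mail.example.net", "250-STARTTLS"]
            if self.port == 587:
                exts.append("250-AUTH PLAIN")       # AUTH is offered only on submission
            return "\r\n".join(exts + ["250 OK"])
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            if self.port == 587 and self.authenticated_as is None:
                return "530 5.7.0 Authentication required"   # the core of the argument
            self.sender = arg.partition(":")[2].strip("<> ")
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            return self._rcpt(arg.partition(":")[2].strip("<> "))
        return "500 5.5.1 Command not recognized"

    def _auth(self, arg: str) -> str:
        if self.port != 587:
            return "503 5.5.1 AUTH not available on this port"
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 5.5.4 Unrecognized authentication type"
        try:   # SASL PLAIN initial response is base64("\0user\0password")
            _, user, password = base64.b64decode(blob).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 5.5.2 Cannot decode response"
        if USERS.get(user) != password:
            return "535 5.7.8 Authentication credentials invalid"
        self.authenticated_as = user
        return "235 2.7.0 Authentication successful"

    def _rcpt(self, rcpt: str) -> str:
        if self.sender is None:
            return "503 5.5.1 MAIL first"
        domain = rcpt.rpartition("@")[2].lower()
        if self.port == 25 and domain not in LOCAL_DOMAINS:
            return "554 5.7.1 Relay access denied"       # an MX accepts only its own domains
        login = self.authenticated_as or "-"
        self.log.append((login, self.sender, rcpt))      # who can be held accountable
        return "250 2.1.5 Recipient OK"


def run(port: int, commands: List[str]) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Feed a scripted client dialogue to one session; return replies and audit log."""
    s = Session(port)
    return [s.handle(c) for c in commands], s.log


def plain_blob(user: str, password: str) -> str:
    """Build the SASL PLAIN initial response for a client."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


if __name__ == "__main__":
    bot = ["EHLO pc", "MAIL FROM:<x@example.com>", "RCPT TO:<victim@example.org>"]
    print(run(25, bot)[0][-1])   # an MX refuses to relay to a foreign domain
    print(run(587, bot)[0][1])   # submission refuses MAIL FROM before AUTH
```

Running the same unauthenticated dialogue against both listeners shows the asymmetry the thread is about: the MX on 25 will accept mail only for its own domains, and the submission port on 587 will not even accept a sender until a login has succeeded, after which every recipient is recorded against that login in the audit log.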
----- Original Message -----
From: "Ed Tric" <eduard.tric at isoc.ro>
To: patrick at vande-walle.eu
Cc: "Chapter Delegates" <chapter-delegates at elists.isoc.org>
Sent: Tuesday, 10 November, 2009 11:51:27 PM GMT -08:00 US/Canada Pacific
Subject: Re: [Chapter-delegates] Blocking port tcp/25 outgoing
TLS adds encryption on the standard port 25 , there is no need to use other port to send securely smtp messages.
We use TLS with smtp-auth on our server. The main Adsl provider Romtelecom allows outgoing messages on 25 , but some cable providers prohibit it.
From a user point of view (having no clue about it) it's a denial of service to block legitimate ports.
Hackers can use other ports than 25 to install their backdoors in order to send spam. Security within obscurity is never a good solution, so I concur with Marcin.
Let users act as users and experts as experts. If you want users to act like experts we are going in the wrong direction :)
Ed
Patrick Vande Walle wrote: