[Chapter-delegates] Blocking port tcp/25 outgoing

Gilles Massen gilles at isoc.lu
Wed Nov 11 23:17:50 PST 2009


Hello,

I must confess that I disagree very strongly with any port blocking. It
is a very short-sighted way with the only purpose to ignore the problem
without solving anything.

First of all, by blocking ports, you try to solve a *content* problem on
the *network* layer. The words 'network neutrality' immediately spring
to my mind. But far worse is that this approach basically burns the port
25 for any other use forever. Even if smtp is to be replaced completely,
these blocks will just stay forever. While this might be acceptable for
1 port out of 65000 (and actually there are a few more that are often
blocked), it is a very unhealthy precedent for reliable communications.
What prevents an ISP from offering port 80/443 communications only, and
asking for a fee for each additional port?

Personally I would immediately leave an ISP that starts blocking
without offering a very clear opt-out that does not involve more money,
but that's only me.

But another danger from the blocking, and from pushing users to port
587, is that the malware will simply follow. It will stop using
straightforward smtp, but rather use the saved credentials to submit the
spam. And then you are screwed, because that already was plan B.

So I'd strongly argue that if you think that home users are a problem,
and that they should not be allowed to speak to your mailserver, then
let the mail server handle this: it would be trivial to signal the
nature of an address pool, so that those who want to go that way can.
And this way you wouldn't have to solve mail issues on the network and
you could avoid most collateral damage.

Kind regards,
Gilles



Franck Martin wrote:
> You make a mistake here.
> 
> The problem is not that port 25 provides TLS but that port 25 does not
> offer authentication first and only.
> 
> This works like this.
> 
> Take an email, look for the domain, look for the MX, send an email to
> this domain with or without TLS, it does not make a single difference,
> repeat the operation
> 
> Now if you are on end user IP, and 25 is denied to you but not 587, you
> cannot drop an email to port 587, if you have not authenticated first
> (login/password). So impossible for you to send an email unless 1) you
> operate your own smtp server on a static IP, known by your ISP (with a
> path to complain to) 2) you authenticate on someone's mail server first to
> send email therefore we know who sent spam and can terminate the login.
> 
> This kills a lot of botnet operations.
> 
> Botnet spam is 80% of the spam out there.
> 
> Try to explain to your mother she has to fix her PC now because it has a
> botnet.
> 
> In a recent study, despite telling users to upgrade from IE6, 20% did
> not do it, for various reasons.
> In another study 8% of users clicked on a phishing link despite
> receiving warning messages
> 
> Experts will make email client software autodetect if port 587 is open
> to send email.
> 
> Franck Martin
> http://www.avonsys.com/
> http://www.facebook.com/Avonsys
> twitter: FranckMartin <http://twitter.com/FranckMartin> Avonsys
> <http://twitter.com/avonsys>
> 
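The thread contrasts two ways of keeping end-user machines from delivering mail straight to a remote MX: blocking port 25 in the network, or (Gilles's suggestion) letting the receiving mail server decide based on a signal about the nature of the client's address pool, while port 587 stays authenticated-only as Franck describes. The Python sketch below is an added example and is not code from this thread or from any product mentioned in it. It assumes a hypothetical MTA policy hook that is called with the client IP, the listening port and the authentication state, and it uses a constructed in-memory table of "dynamic/end-user" prefixes (RFC 5737 documentation ranges) in place of the DNS-based policy list a real deployment would query.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: prefixes the operator (or a shared policy list)
# has labelled as dynamic/end-user space. These are RFC 5737 documentation
# ranges, not real ISP allocations.
DYNAMIC_POOLS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

SMTP_PORT = 25         # MX-to-MX relay, unauthenticated
SUBMISSION_PORT = 587  # message submission, authentication required


@dataclass
class SmtpSession:
    """State a hypothetical MTA policy hook hands us at MAIL FROM time."""
    client_ip: str
    port: int
    authenticated: bool = False


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNS-based policy list lookup uses.

    A real deployment would resolve this name; here it is shown only so the
    shape of the lookup is visible. `zone` is whatever list the operator
    subscribes to (placeholder used in the test).
    """
    octets = ipaddress.ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_dynamic(ip: str) -> bool:
    """Offline stand-in for the policy-list lookup: consult the local table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DYNAMIC_POOLS)


def policy(session: SmtpSession) -> tuple[int, str]:
    """Return the SMTP reply (code, text) the server should give at MAIL FROM.

    Port 587: never accept unauthenticated mail, whatever the source address.
    Port 25:  accept peer MTAs, but refuse clients from pools flagged as
              end-user space and point them at authenticated submission.
    """
    if session.port == SUBMISSION_PORT:
        if not session.authenticated:
            return 530, "5.7.0 Authentication required"
        return 250, "2.1.0 OK (authenticated submission)"

    if session.port == SMTP_PORT:
        if is_dynamic(session.client_ip):
            return 550, ("5.7.1 Client address is listed as dynamic/end-user "
                         "space; submit via port 587 with authentication")
        return 250, "2.1.0 OK"

    return 554, "5.7.1 Unexpected listener port"


if __name__ == "__main__":
    # Constructed sessions covering the four cases the thread discusses.
    for s in (
        SmtpSession("192.0.2.77", SMTP_PORT),                      # home user, direct-to-MX
        SmtpSession("203.0.113.5", SMTP_PORT),                     # peer MTA on static space
        SmtpSession("192.0.2.77", SUBMISSION_PORT),                # home user, no AUTH
        SmtpSession("192.0.2.77", SUBMISSION_PORT, authenticated=True),
    ):
        print(s.client_ip, s.port, s.authenticated, "->", policy(s))
```

The decision lives entirely in the receiving MTA: an operator who wants to refuse direct-to-MX mail from end-user pools can do so, one who does not simply leaves the table (or list subscription) empty, and no port has to be burned at the network layer. It also makes Franck's point concrete: on 587 the source pool is irrelevant because the session is tied to a login that can be revoked.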