They Blocked My SMTP, Now What?

mindsuck asks: "As of this Wednesday, my ISP blocked my port 25, leaving my mailserver useless to the outside world as a consequence of spammers and their nasty worms. So I decided to ask the nice people of Slashdot. What can I do now to restore my smtp service, besides changing ISPs, is there a obscure way to run a mailserver off a non-standard port? What about services similar to those provided by dyndns.org for this kind of situations? Pros and Cons of using this services? Should I move my MX to a more 'stable' server than my homegrown one?" This topic was last touched upon in this article, from 2002. It's been over a year since SMTP blocks have become commonplace. Have you noticed a slowdown in your SPAM? Are ISP SMTP blocks really helping the problem? Updated: It looks like Charter is also blocking SMTP. Might there be a way to work with your ISP to get them to unblock port 25 for you, if you can sufficiently satisfy them that you are not a spammer?

Krondor wrote in with a similar query: "Charter Communications (in my area) has blocked outbound SMTP connections. I need to be able to send Email to other SMTP servers, besides theirs, for a number of legitamate reasons. My question is this; How can I either still send SMTP to the places I need to, or how can I convince Charter to unblock outbound SMTP (I can understand blocking inbound SMTP without ACK bit set)? They do provide a relay, but won't my messages get labelled as SPAM if I use that? I am also concerned because, this relay is not encrypted with SSL and I don't necessarily trust Charter with that."

Incoming or outgoing?

Okay, the person asking the question is clearly talking about incoming traffic, as he mentions MX records and the like. The editor, on the other hand, seems to be talking about outgoing traffic, which is a completely different kettle of fish.

I wish more of them would

[nocomment]

I wish more ISP's would block email. I get so much spam through my company mail server that originates off of DSL/Cable internet services. Combine that with the recent worms that turns infected computers into spam relays. I think it should common practice to push all outbound mail through the ISP's mail server.

And yes you can run it on non-standard ports. 26 is fairly common.

Re:I wish more of them would

[grunthos]

my ISP blocked my port 25

Incoming, outgoing, or both? The workarounds can be different depending on which it is.

And yes you can run it on non-standard ports. 26 is fairly common.

Except that the great wide world can't send mail to you if you're listening there. The sender has to be specifically configured for that.

One thing I'm doing as a backup to my main connection is (everybody get ready to cringe) UUCP over TCP port 540. It's an easy config in the Unix/Linux world with Taylor UUCP. Sendmail handles it fine. No, no bang paths-- just plain domain names.

This would be a workaround for a problem on incoming mail. In my case, my primary MX record points to my mail server, and my secondary MX points to my UUCP relay site (bungi.com). If a sender can't connect to me, they go to the secondary where it queues. I run an hourly UUCP poll over TCP, which picks up anything waiting. If my main connection went down or were blocked, I could retrieve incoming mail with any generic PPP dial-up account.

I know, sounds kludgy, but it works fine.

This would work as a workaround for outgoing blockage also, but it would be much easier to use your ISP's outgoing mail server.

Move to SMTP over SSL

[reaper20]

... and then use a smarthost (another box that sends mail on your behalf) to send the mail for you. I haven't heard of anyone blocking SMTP-SSL.

This sucks because you need a box outside your network to do this .... but if you got a few buddies with your own mailservers you can chip in on one on a host somewhere, or find a trustworthy friend that will let you relay.

Not the perfect solution but you at least get _some_ semblance of control.

Change ISPs

[sweetooth]

and be sure to let them know exactly why you are leaving when you cancel your account.

It does not help against spam (very much)

[Tor]

The ISP is trying to prevent your host from being an open SMTP relay, by shutting down inbound port 25.

Although this helps a little bit in the fight against spam, the effect is not as large as your ISP thinks. Spammer/cracker gangs nowadays use viruses to infect zombie hosts (virii typically use ports 80 to infect IIS, or ports 135-139 to infect the CIFS filesharing). Once on your machine, these virii can easily send out spam on outbound port 25, no matter if your ISP blocks the inbound port or not.

Explain this to them, maybe they'll reconsider...
(Yeah,right).

Re:It does not help against spam (very much)

[Webmonger]

Actually, I've only ever heard of ISPs blocking *outbound* port 25, i.e. blocking their users from accessing port 25 on remote machines.

I am planning some thing on these lines...

[raj2569]

I work for a major cable ISP here and we are also having problems with spamming trojens. I have blocked all known proxy ports from outside, and things were bit quite for some time, but for past 2 - 3 months lots of spam is going out of our network. To solve it we do not want to block the customer's out going smtp completly, but now we are thinking of putting temp blocks on customers who's outgoing smtp traffic exceeds a certain limit.

These spammer bastards are making our life hell :(

raj

Have you tried asking?

[Descartes]

My ISP is pretty friendly to people running their own servers. Maybe you should just send them a friendly letter explaining your problem. Then they can keep track of you so that they know you aren't sending spam. If they can't open the port just for you, maybe they could set up some port forwarding, or even the SSH tunneling that other people have suggested.

Re:Mydomain?

[squiggleslash]

I'd find anything other than direct control over my SMTP server difficult as I use it as part of an anti-spam procedure that's one of the few that's absolutely fool proof (ie no false positives, no permanent false negatives) - my journal explains what I'm doing.

It's depressing that most techniques to prevent abuse rarely have anything to do with the abuse itself and usually are based upon abuser profiles. I recall most EFNet servers for a while started blocking machines without working reverse DNS because a lot of abusers were using such machines. It didn't seem to matter to anyone that a lot of legitimate users had such machines and couldn't do much about it (reverse DNS for people on a dial-up link is an ISP's responsibility.)

In this case, I think it's going absurdly far. Because a lot of people have open relays on their machines, every machine is being assumed to have an open relay. But people can and do have completely legitimate reasons to want to have an SMTP server on their machines, to receive incoming email. The promise of broadband - or rather, always on - is supposedly that more of this can be managed by the end user, and the ISP can become more of an IP packet forwarder. Instead, we're seeing the opposite, which is an immediate clamp on user freedom, and long term a clamp on innovation. I know a lot of people don't think this is important, because maybe 1% of Internet users wants to do this stuff. That same argument could be used to restrict just about any Internet service.