They Blocked My SMTP, Now What?
mindsuck asks: "As of this Wednesday, my ISP blocked my port 25, leaving my mailserver useless to the outside world as a consequence of spammers and their nasty worms. So I decided to ask the nice people of Slashdot. What can I do now to restore my smtp service, besides changing ISPs? Is there an obscure way to run a mailserver off a non-standard port? What about services similar to those provided by dyndns.org for this kind of situation? Pros and cons of using these services? Should I move my MX to a more 'stable' server than my homegrown one?" This topic was last touched upon in this article, from 2002. It's been over a year since SMTP blocks have become commonplace. Have you noticed a slowdown in your SPAM? Are ISP SMTP blocks really helping the problem? Updated: It looks like Charter is also blocking SMTP. Might there be a way to work with your ISP to get them to unblock port 25 for you, if you can sufficiently satisfy them that you are not a spammer?
Krondor wrote in with a similar query: "Charter Communications (in my area) has blocked outbound SMTP connections. I need to be able to send Email to other SMTP servers, besides theirs, for a number of legitimate reasons. My question is this: How can I either still send SMTP to the places I need to, or how can I convince Charter to unblock outbound SMTP (I can understand blocking inbound SMTP without ACK bit set)? They do provide a relay, but won't my messages get labelled as SPAM if I use that? I am also concerned because this relay is not encrypted with SSL and I don't necessarily trust Charter with that."
If you want a practical service it MUST be port 25. If you can't offer port 25, either you need to use someone else's smtp server or to change ISP.
Okay, the person asking the question is clearly talking about incoming traffic, as he mentions MX records and the like. The editor, on the other hand, seems to be talking about outgoing traffic, which is a completely different kettle of fish.
I wish more ISPs would block email. I get so much spam through my company mail server that originates off of DSL/Cable internet services. Combine that with the recent worms that turn infected computers into spam relays. I think it should be common practice to push all outbound mail through the ISP's mail server.
And yes you can run it on non-standard ports. 26 is fairly common.
... and then use a smarthost (another box that sends mail on your behalf) to send the mail for you. I haven't heard of anyone blocking SMTP-SSL.
.... but if you've got a few buddies with your own mailservers you can chip in on one on a host somewhere, or find a trustworthy friend that will let you relay.
This sucks because you need a box outside your network to do this
Not the perfect solution but you at least get _some_ semblance of control.
and be sure to let them know exactly why you are leaving when you cancel your account.
First set your smtp server on a different port.
Second find a machine with net access outside of your isp.
Third make an ssh tunnel from that machine to your machine.
That should work perfectly. But nothing is guaranteed.
The ISP is trying to prevent your host from being an open SMTP relay, by shutting down inbound port 25.
Although this helps a little bit in the fight against spam, the effect is not as large as your ISP thinks. Spammer/cracker gangs nowadays use viruses to infect zombie hosts (viruses typically use port 80 to infect IIS, or ports 135-139 to infect the CIFS filesharing). Once on your machine, these viruses can easily send out spam on outbound port 25, no matter if your ISP blocks the inbound port or not.
Explain this to them, maybe they'll reconsider...
(Yeah,right).
I used to use noip.com for DNS stuff. They have a mail reflector service that'll accept mail on their mailserver at port 25 and forward to your mailserver on a non-standard port. It worked okay for me, but the problem arose that cable/dsl residential IPs are listed in many of the spam blacklists. So I ended up with some ISPs I could not send mail to. Ended up upgrading to a small office commercial connection. My servers don't violate the acceptable use policy anymore, I can host anything I want (within reason) and I don't have problems with blacklists.
Something like this.
Works well as a backup in case your isp goes down too.
RMX, a new DNS record type which lists authorized senders for a particular domain, would have a huge impact in blocking mail with a spoofed sender address. Of course, then spammers could still register their own domains to send from, but those could also be easily blocked, and it would be easier to find the spammers who registered the domain.
I think this has a lot of potential, unlike the other bazillion idiotic non-solutions that have been proposed, like X-mulct headers, for example.
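The sender-authorization idea in the RMX post, as an added example that is not part of the thread: an authorized-senders table stands in for the DNS lookup (RMX was only a proposal, so no real record syntax is used), and the check returns whether the connecting IP is allowed to use the envelope sender's domain.

```python
"""Check a connecting client IP against a per-domain list of authorized senders.

Added example (not from the thread). AUTHORIZED_SENDERS is constructed sample
data standing in for the DNS record the RMX proposal would publish.
"""
import ipaddress

# Constructed stand-in for DNS: sender domain -> authorized networks/hosts.
AUTHORIZED_SENDERS = {
    "example.com": ["192.0.2.0/24", "198.51.100.7"],
    "example.net": ["2001:db8::/32"],
}


def check_sender(envelope_from, client_ip, records=AUTHORIZED_SENDERS):
    """Return 'pass' if client_ip may send for the envelope sender's domain,
    'fail' if the domain publishes a record that excludes it, or 'none' if
    the domain publishes nothing (a receiver would treat 'none' as neutral)."""
    domain = envelope_from.rsplit("@", 1)[-1].strip().lower()
    nets = records.get(domain)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for net in nets:
        # IPv4 addresses are never contained in IPv6 networks and vice versa.
        if ip in ipaddress.ip_network(net, strict=False):
            return "pass"
    return "fail"


def should_reject(envelope_from, client_ip, records=AUTHORIZED_SENDERS):
    """Policy the post argues for: reject only a spoofed sender, i.e. a domain
    that publishes a record which the connecting host is not listed in."""
    return check_sender(envelope_from, client_ip, records) == "fail"
```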
I work for a major cable ISP here and we are also having problems with spamming trojans. I have blocked all known proxy ports from outside, and things were a bit quiet for some time, but for the past 2 - 3 months lots of spam is going out of our network. To solve it we do not want to block the customer's outgoing smtp completely, but now we are thinking of putting temp blocks on customers whose outgoing smtp traffic exceeds a certain limit.
:(
These spammer bastards are making our life hell
My ISP is pretty friendly to people running their own servers. Maybe you should just send them a friendly letter explaining your problem. Then they can keep track of you so that they know you aren't sending spam. If they can't open the port just for you, maybe they could set up some port forwarding, or even the SSH tunneling that other people have suggested.
Keep in mind that if you want to pay commodity prices for a service, you are going to get a service that has been sanitized and developed for the masses. What you're asking is essentially the same as "How can I get WinXP-home to work as a good server?".
If you want to connect to outside SMTP servers, you'll either have to go with a smaller ISP that doesn't have paranoid, 'we're not going to be the front for spam' policies in place (and make a sacrifice, be it limited dialing area, higher prices, or whatever) or tunnel out to a server that will allow you to connect to foreign SMTP servers.
For receiving mail, I understand the need to have a dedicated server, but I have always wondered why it is considered standard and okay to send outgoing mail through a separate server. It doesn't make sense to me at all - why do e-mail programs not just connect directly to the servers they are trying to send mail to?
(this is just ignorance, I'm actually wondering why)
Once a month or so, I get a message from the mail server "Delivery unsuccessful: Unknown recipient 'relaytest%security.rr.com'". If they find an open relay, then they'll do something about it; otherwise, I'm free to run my mail server.
Here is how I run a mail server out of my home with port 25 blocked. For incoming mail: My domain will forward any number of e-mail addresses. I have different addresses forwarded to either my cox.net address, hotpop.com, or any of a number of other free POP3 services. On my server, I have an application (free) called poproute that runs every 10 minutes and queries all the pop3 accounts and then sends the mail directly to my internal SMTP server. All the mail goes to the proper internal mailboxes. This gets me around port 25 incoming being blocked. Outgoing Mail: Outgoing mail was very easy. I just set up my mail server to use a smart host and have my smtp server forward outgoing mail to the cox.net server. Cox.net will accept my mail because I am on the inside of their network, and will then forward it on as if I sent the mail from any mail client. Hope this helps..
I had this happen to me, too, and I use Dynu as my MX, and you can set it to auto-forward my mail from there, to a non-standard port on your host (which for me, the first stop is my firewall, so I have my 'non-standard port' port-forwarded to 25 on my mail machine).
It's not free, unfortunately, ($20 a year I think), but the nice thing is that they'll store 100 MB of email if for some reason they can't deliver it to your host - and since my mail is all done off of my cable, and I live in a weird area (My power was out for 8 hours yesterday because of the intense winds we were having (I live in Maryland)), it's a nice solution for me.
It's depressing that most techniques to prevent abuse rarely have anything to do with the abuse itself and usually are based upon abuser profiles. I recall most EFNet servers for a while started blocking machines without working reverse DNS because a lot of abusers were using such machines. It didn't seem to matter to anyone that a lot of legitimate users had such machines and couldn't do much about it (reverse DNS for people on a dial-up link is an ISP's responsibility.)
In this case, I think it's going absurdly far. Because a lot of people have open relays on their machines, every machine is being assumed to have an open relay. But people can and do have completely legitimate reasons to want to have an SMTP server on their machines, to receive incoming email. The promise of broadband - or rather, always on - is supposedly that more of this can be managed by the end user, and the ISP can become more of an IP packet forwarder. Instead, we're seeing the opposite, which is an immediate clamp on user freedom, and long term a clamp on innovation. I know a lot of people don't think this is important, because maybe 1% of Internet users wants to do this stuff. That same argument could be used to restrict just about any Internet service.
I work for a major cable ISP here and we are also having problems with spamming trojans. To solve it we do not want to block the customer's outgoing smtp completely
I work for a small ISP. We worked around this problem a little differently..
Instead of blocking outbound SMTP, we opted to transparently proxy outbound SMTP sessions to our mail server.
The mail server does connection-rate throttling, and if the load on the server exceeds 'normal', the on-duty admin gets paged, so he can check the mail queue to see where the problem is - if it's a spam run, we shut off the ability for that customer to send SMTP, and purge the spam from the queue.
This has worked exceedingly well for us - the one time someone's machine has been used for spam (in the past 3 years), we were able to shut it off with only 2 spams making it out of our system.
I don't know how well it would scale for you, but it should be do-able.
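The rate-based detection described in this reply and in the cable-ISP post it quotes (temporary blocks for customers whose outbound SMTP rate exceeds a limit), as an added example that is not part of the thread. The log format and sample records are constructed; a real deployment would feed it flow or firewall logs.

```python
"""Flag customers whose outbound port-25 connection rate exceeds a limit.

Added example (not from the thread). Each constructed record has the form
    <epoch_seconds> <customer_ip> -> <dst_ip>:<dst_port>
"""
from collections import defaultdict, deque

# Constructed sample log: 10.1.1.5 opens six SMTP connections in seven
# seconds (a spam run), 10.1.1.7 sends two messages ten minutes apart.
SAMPLE_LOG = """\
1000 10.1.1.5 -> 203.0.113.10:25
1001 10.1.1.5 -> 203.0.113.11:25
1002 10.1.1.7 -> 198.51.100.3:25
1003 10.1.1.5 -> 203.0.113.12:25
1004 10.1.1.5 -> 203.0.113.13:25
1005 10.1.1.5 -> 203.0.113.14:80
1006 10.1.1.5 -> 203.0.113.15:25
1700 10.1.1.5 -> 203.0.113.16:25
1701 10.1.1.7 -> 198.51.100.4:25
"""


def parse_record(line):
    """Split one record into (timestamp, customer_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), src, dst_ip, int(dst_port)


def smtp_offenders(log_text, limit=4, window=600):
    """Return {customer_ip: timestamp} for every customer that opened more
    than `limit` outbound port-25 connections inside any `window`-second
    span, keyed to the moment the limit was first exceeded. Records must be
    in time order, as a live log is."""
    recent = defaultdict(deque)   # customer_ip -> timestamps inside window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst_ip, dst_port = parse_record(line)
        if dst_port != 25:         # only outbound SMTP counts
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # slide the window forward
            q.popleft()
        if len(q) > limit and src not in flagged:
            flagged[src] = ts      # page the admin / apply the temp block here
    return flagged
```

A customer is reported once, at the first record that pushes it over the limit, so the caller can page an admin and queue a temporary block without being re-alerted on every subsequent connection.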
There are a couple of justifications for this. Some are probably more realistic than others.
My cable-modem ISP (Cox) blocks outbound 25. This is only a minor issue to me because Cox's outbound mail servers are generally:
I receive mail with co-lo servers that are part of my business.
The comment of not trusting outbound relaying because they might look at it is a bit misplaced. Looking at internet traffic is pretty easy for anyone with the desire and means to do so. If you send outbound SMTP on your cable modem, your ISP can look at the packets if they have the desire to do so (and I doubt that this breaks any laws). It does not really matter if they relay the traffic or not. They have physical access to the network, so they can sniff either way. On the other hand, they are pretty unlikely to do so unless they are asked by some governmental agency. Basically, sniffing such large amounts of data is uninteresting to them, so why would they bother. If you are worried about eavesdropping on email, encrypt.
In your case, I suspect that the blocks have two reasons:
Inbound blocks to 25 are just an enforcement of a no-servers rule. I suspect that there are also blocks on 80 and perhaps a bunch of others. In all fairness, I would hate to run a mail server in-house on a cable modem. Mail is just too important to me, and I don't trust my in-house systems to be up 24x7. That is what co-lo is for.
Outbound blocks to 25 are an attempt to slow down spam. Specifically, they prevent hacked home systems from becoming SMTP relays. In general, this is probably a good thing and most users with hacked boxes never know the damage they are doing.
The only real solutions you have are:
None of these are 100% free or pretty, but the bottom line is that you are using your cable-modem line in a manner that doesn't fit your provider's pre-conceived image of the type of user they have/want.
On the other hand, the solutions above are not necessarily that expensive either. You can get email hosting with adequate access for <$10/mo, co-lo virtual servers for <$15/mo, and full dedicated co-lo servers for <$100/mo.
I was curious so I asked a Cox support person on chat what was blocked. They have a page published on this. You can get there by searching for "blocked" on their FAQ.
I see a couple of ports in your list that are not in theirs, so the FAQ may be a little out of date.
In general, I would love to see a "control panel" that let you set this up yourself (instead of making it global), but their choices are not unreasonable on the surface. There also appears to be full disclosure here, so I would compliment Cox in this area.
Here is a cut-and-paste of their FAQ.
What ports do you block?
Answer:
Reasons For Filtering Ports
Protecting our customers - Certain ports are filtered in order to protect our customers. We can protect them from certain common worms and protect them from running dangerous services on their computers that could allow intruders access.
Protecting our upstream bandwidth - Upstream bandwidth to a cable plant is limited. If customers over utilize their upstream bandwidth by running high-traffic servers or becoming infected with a worm or virus, it can degrade the service of other customers on their node.
Protecting the rest of the Internet - Some filters prevent our customers from attacking other computers on the Internet. In addition to being in our best interests for protecting our bandwidth, it is our duty as good Netizens to prevent abuse of our network.
Port     Transport   Protocol        Direction   Reason for Filtering
25       TCP         SMTP            Both*       SMTP Relays
80       TCP         HTTP            Inbound     Web servers, worms
135      UDP         NetBios         Both        Net Send Spam/Pop-ups, Worms
136-139  UDP, TCP    NetBios         Both        Worms, Network Neighborhood
445      TCP         MS-DS/NetBios   Both        Worms, Network Neighborhood
1433     TCP         MS-SQL          Inbound     Worms, Trojans
1434     UDP         MS-SQL          Inbound     Worms, SQLslammer
1900     UDP         MS-DS/NetBios   Both        Worms, Network Neighborhood
27374    TCP         Subseven        Both        SubSeven Trojan
*SMTP is only permitted outbound to Cox-provided SMTP servers
Detailed Explanations Of Filtered Ports
25/TCP - SMTP. SMTP stands for Simple Mail Transport Protocol. This is the protocol that mail servers use to exchange email. We block this in order to protect upstream bandwidth and prevent customers from running open relays that could potentially be used by others to send spam via our network.
80/TCP - HTTP. HTTP stands for Hypertext Transport Protocol. This is the protocol web browsers use to communicate with web servers. In addition to protecting bandwidth by preventing customers from running high-traffic web servers, we can stop many destructive worms that spread via security holes in web server software.
135,137/UDP, 135,139/TCP, 445 MS-DC - NetBIOS. NetBIOS (also known as Server Message Block, LanManager, and Common Internet File System) is a networked file sharing protocol. The Microsoft Windows "Network Neighborhood" runs over NetBIOS. We filter this port to protect customers from inadvertently exposing files on their computers, and also to block worms which spread via open file shares. The latest addition to this series, a consolidated service port (TCP445), has also opened new (yet similar) security risks in Win2K and WinXP.
1433/TCP, 1434/UDP - MS-SQL. Microsoft SQL Server (and software designed with SQL Server components) is a database application with a long history of security exploits, and is noted for the propagation of the SQLslammer worm. These ports are filtered to prevent exploitation and propagation of MS-SQL exploits.
1900/UDP - UPnP discovery/SSDP, is a service that runs by default on WinXP, and creates an immediately exploitable security vulnerability for any network-connected system. Filtering this port proactively prevents XP systems from being remotely compromised by malicious worms or intruders.
27374/TCP - SubSeven. SubSeven is a common trojan. When installed on a victim's computer, it allows an attacker to remote control it over the Internet. SubSeven can be configured to run on any port - not just 27374 - but blocking this port at least provides our customers some protection and prevents our customers from attacking others on the default port.