FTC Recommends ISPs Disconnect Spam Zombies

Mike Markley writes "CNN is carrying a story about the the FTC's plans and concerns around spam zombies. They say they will be identifying such zombie hosts and notifying ISPs, and are recommending that the ISPs disconnect indicated users. There's also a recommendation likely to raise the ire of the geekier sorts: that ISPs only permit users to send mail through their own servers (presumably by blocking port 25 outbound)." From the article: "Law enforcers in 25 other countries, from Bulgaria to Peru, are also participating in the campaign, the FTC said. Absent from the list of cooperating countries was China, where experts say rapid growth and a relative lack of technical sophistication have led to a large number of zombie computers."

Block 25 all you like.

[jd]

I've got an IPv6 tunnel onto the 6bone, and can therefore run my own IPv6-aware mailserver. I can still send to IPv4 mail addresses, because mail addresses aren't IP version-aware.

So nyah!

Oh. They just blocked tunnels, too. Shit.

Re:Block 25 all you like.

[Locke2005]

Anybody smart enough to get around port 25 blocking is probably smart enough to not get his machine owned by spammers... Yes, all ISPs should block port 25 by default, and only open it up for customers that specifically request it (and probably should charge those customers more). But then, I'm certainly not the first person to suggest this.

Re:Block 25 all you like.

[Martin+Blank]

Instead of charging customers for opening the port, they could have a provision where you request in writing that the port be opened for your IP address. Upon finding that you have been spamming (intentionally or not), they disconnect you (for a minimum time, say, 24 hours) until you pay a reconnect fee. A second time results in a longer disconnect (a week, perhaps) and a higher fee. A third offense bars you from their network for a year.

Re:Block 25 all you like.

[psyon1]

Why not charge those who are causing the problems a fine? I run my own mail server on a co-located server, there is no reason I should have to pay extra to connect to it.

Re:Block 25 all you like.

[jd]

That would be a very good system - perhaps even extend it to people who have any kind of virus, trojan or zombie that inconveniences or harms others, even if it's not spamming people.

(It would be no different from, say, driving a car that had failed - or not received - State safety checks, in those States that require them. If you do something reckless, but do so in a way that doesn't actually interfere with anyone, then there's no big deal, but it's on you - not them - to make sure of that.)

Re:Block 25 all you like.

[msim]

My isp blocks inbount port 80, 25, netbios, etc, packets by default, and you have to go into your system profile and have this blocking disabled if you want to look after this yourself.

I presume a similar thing could be configured for outbound port 25 if they wanted to, perhaps even with a "whitelist" of hosts your permitted to send to. Definitely food for thought

Re:Block 25 all you like.

[LilGuy]

I don't like the idea that my isp could arbitrarily block certain ports from being used. I don't need a nanny. I know I'm not typical in this sense, maybe among the slashdot crowd I am, but you gotta ask yourself where do they draw the line? So they start blocking 25 on major isps so all the morans [sic] that got owned can't be used to spam. But how easy would it be for these zombie creators to worm their way around a blocked port? How easy would it be for the zombies' masters to not use the zombies for spam, but for DDOS instead...

Blocking the port at the isp really wouldn't solve anything. Those that don't need the "protection" would be restricted in their net use, and those zombies would most likely just get updated to zombie 2.0 that works around the blocked port.

We need people to LEARN how to use their computers. That would be the ideal solution to most technical problems. But simply blocking access to something (a port especially) isn't going to solve anything.

Re:Block 25 all you like.

[KarmaMB84]

Until people can never ever be infected while using a completely up to date operating system, extending such a reconnect fee system to viruses and trojans wouldn't fly with customers.

Re:Block 25 all you like.

[jd]

Well, such Operating Systems do exist. And even if the customer chooses not to use them, and a password-locked proxy/firewall would stop just about any network-based trojan or virus from breaking out under it's own steam.

In other words, the customer is just as capable of stopping anything from attacking the Internet from their machine as they are capable of fastening a seatbelt or checking their tire pressures. Sure, it's "extra work" - so are the two above examples, but people are still expected to do them and can be penalized for failing to do so if, in the process, they cause injury to others.

So, we already have the idea in society. It isn't anything new or revolutionary. It is merely an extension of those parts of our day-to-day routine that involve a little awareness and a little respect. And those customers unwilling to do either, just because the other person isn't physically there, should have to pay some sort of price to offset that.

Re:Block 25 all you like.

[tacocat]

Both of these concepts have a potential flaw. Burden of Proof.

If someone is using my email address for fraudulent headers to make it appear that I am sending the spam, is that sufficient for them to shut me down? Do I have to prove that the email which I do not have a copy of, did indeed not come from me?

Based on how ISP's have behaved in the past, they would be more likely to arbitrarily shut someone down because their either triggered a spam filter erroniously (false positive) or got their email address put into the spam headers.

I do not agree that there should be a nominal fee applied to someone who is hosting their own mail server. On the contrary I should be getting refund on the basis of lower costs are realized against my account since I have zero email disk usage on their servers and have fewer help desk calls. The uber-geek types only need to call the ISP when the connection is down or blocked.

Re:Block 25 all you like.

[wernercd]

The Customers that buy your pills may agree... but what about the countless OTHER people that don't buy your pill?

Why should they/I have to put up with your garbage?

The vast majority of emails don't result in buys. It's the small percentage of sales per emails sent that spam results in that keeps the spam rolling in AND motivates a spammer send out more and more AND MORE garbage.

1 person out of 100 buys an item thru an email - all of a sudden that email isn't NOT spam. Thats just proof positive that there are STILL people out there that don't know that supporting the 'system' is only gonna make it worse.

Re:Block 25 all you like.

[Martin+Blank]

If it's made relatively easy to get fixes for the issues, then it is possible. Instead of an absolute cut-off, that MAC address can be assigned a private address that allows access only to a very limited network that contains information about, and opportunity to buy, anti-virus software and OS/application patches. It could even, with appropriate permission from the AV vendors, provide downloads for the stand-alone tools that are created for removing small numbers of viruses. It would assist people in getting better control over things, and I think they would be appreciative of that.

Re:Block 25 all you like.

[wernercd]

I don't think that paying a fee is going to work, and keep an ISP successfull.

When Joe Schmoe Normal Guy learns that his fancy computer, on his new fangled High Speed Net Service (which has been running real slow lately for reasons he don't understand) All of a sudden *GASP* His internet dont connect. He calls ISP and they say he's doing something He says he's not doing.

How is he going to fix it? By taking it to a proffesional that charges $25 an hour (or more) plus new software (If the tech is smart enough to recommend a good suite of tools to prevent future problems)

And on top of THOSE fee's you think Joe Schmoe is going to say 'sure I'll happily pay another $25 fee to my ISP'?

I doubt it. He's going to say 'Goodbye Earthlink, Hello NetZero' (or whatever). And those ISP's that DON"T regulate will get and keep the customers, while those that DO regulate w/fee's will be wondering 'hey... where'd all my customers go???'

Re:Block 25 all you like.

[Martin+Blank]

Burden of proof is easy. Hook up network traffic monitors that track the port usage on all of the systems in the network. Excessive port 25 usage would be used in conjunction with reports from the outside. If they get 300 reports of spams using your e-mail address, but they look and you have virtually no port 25 usage, then it's a safe bet that you didn't send it, at least from that system. No reason to shut it down.

If, OTOH, they look and you're sending a solid 30KB/sec over port 25 for the last six days, then it's a good bet that you're either spamming or you're a zombie for a spammer. Either situation needs to get rectified quickly, and it shouldn't be hard for you to show that you do have a legitimate need for sending out all of that mail, if indeed you do.

Re:Block 25 all you like.

[Locke2005]

Does everybody that owns a car know how to change their own oil and fix a flat tire? How can you expect everybody that owns a computer to be able to configure their own firewall? Heck, most people can't even set the time on their VCR!

Go ahead, block 25

[ProfaneBaby]

Just leave 587 open. The 'geek' users should be smart enough to figure that out anyway.

Home users SHOULD be blocked or disconnected, one or the other. I don't actually care which, but as someone who watches mail queues for busy hosting servers, home users infected with viruses become a huge annoyance.

Re:Go ahead, block 25

[Dark$ide]

Shouldn't that be 465 or 587?

Or is 465 non-standard for authenticated SMTP?

Re:Go ahead, block 25

[dgatwood]

The right answer is pretty simple, actually. Start out with port 25 blocked. When the user calls to complain, unblock it on a per-user basis. People who need port 25 unblocked know enough to request it, and there's no valid excuse for denying it. People who run Win-zombies don't have any valid reason to ask for it to be unblocked and generally don't know enough to ask for it anyway, as most of them think that "port" means the ethernet jack on their DSL router/modem....

Problem solved, and everybody wins.

Re:Go ahead, block 25

[MightyMartian]

The proper solution is to only let MTAs communicate via port 25, and to use 587 as it was intended, for MUAs. Stick SMTP Auth on port 587, and you're on your way. The only downside to this is if the worm authors start using the MUA (by this I mean Outlook Express in particular) to send email. I suspect that most users aren't really aware enough to notice a dozen messages they didn't write flying out of their Outbox.

Re:Go ahead, block 25

Start out with port 25 blocked. When the user calls to complain, unblock it on a per-user basis. People who need port 25 unblocked know enough to request it, and there's no valid excuse for denying it.

Internet provider SBC has already been doing this for months. Not that I am trying to smear SBC's name, but some users claimed at the time that the block on port 25 was implemented without notice.

Re:Go ahead, block 25

[bodgit]

465 is SMTP over SSL. 587 is submission, AIUI it's basically the same as SMTP but without the moral obligation to accept all correctly addressed mail from anywhere, so you can put up various auth barriers and whatnot.

Re:Go ahead, block 25

[winkydink]

You do. They wouldn't.

Re:Go ahead, block 25

[jd]

To the best of my knowledge, 465 is reserved by URL Rendevous Directory for SSM (I just looked in IANA's website). There is an RSMTP at 2390, but that's the only other mail listed by the IANA.

IANA's port number listings

Re:Go ahead, block 25

[ProfaneBaby]

587 requires authentication, which gets logged, and becomes MUCH easier to track from the sender side.

Re:Go ahead, block 25

[EvilStein]

What about when the spamware/viruses simply use the ISP's mail server to blat out their crap instead?

It's already been happening. I thought there was even one that was grabbing smtp auth information from mail clients and using it..

Re:Go ahead, block 25

[dgatwood]

That's a separate issue. And in that case, if the ISP uses SMTP auth, it's easy to track the mail back to the person infected and cut them off until they fix their computer....

What makes port 25 such a problem is that it is MTA to MTA, which means that for machines with dynamically-assigned IPs, there is almost no way to track it back to a given end user's machine short of grepping through piles of dhcpd/pump/bootpd/pppd logs.

Re:Go ahead, block 25

[coyote-san]

"Home user" is not synonymous with "personal user," especially as more and more people work from home. (Either by choice or because their employers are too cheap to spring for office space.)

I paid substantially more for a Comcast "business" account at my home address, then found I still had problems hosting my own domains because of their inability to provide a static address... or even a dynamic address within a "business class" block. (The latter meant I was blocked by RBLs listing all residential DSL/cable modem IP blocks.)

Could I have bounced outbound mail through their servers? Sure.

Could I stop them if they decided to rewrite the headers to indicate the true sender of the message, e.g., in an attempt to prevent malicious users/malware from pretending to be the security department at eBay or Citibank? Nope. Besides "what's the harm" if I'm identified as "some.user@comcast.net" instead of "some.user@my.own.domain.com" since I'm the same person?

I eventually switched to a virtual server at <URL:http://tummy.com/>. It was cheaper, it has a static IP address, it isn't blacklisted, etc. Of course I still need an outgoing port 25 so I can bounce my outbound mail through it.

Re:Go ahead, block 25

[LocoMan]

Well, he can.. but the reason zombie machines are so effective to send spam or DOS attacks is that it's too easy to get lots of them. If this becomes widespread enough, then it just wouldn't be practical (or economical) for the zombie bot network owner to phone ISPs a few thousand (or million) times so he can unblock enough zombies to do a decent DOS attack.

Re:Go ahead, block 25

[jericho4.0]

A "zombie" is a computer infected with malware, that is sending spam. The person controlling it lives 5000 miles away, and quite possibly never interacts with the zombie.

Re:Go ahead, block 25

[conteXXt]

Exactly why isps should:
1. use static dhcp.
2. tie the ip address to the modem/account
3. cap the outbound bandwidth (like they already
do)
4. let anyone run a server.

Personal responsibility shouldn't end at your modem.

It doesn't end at your door.

Re:Go ahead, block 25

******WARNING******
Dear Genesis of the Term PEBKAC:

All of the files on your PC have been encrypted. If you EVER want to view your p0rn again, please leave $250 on the bench at the corner of 9th St. and Nimrod Dr. AND, call your ISP and insist that they open port 25 for you.

Have a nice day.

Joe

Re:Go ahead, block 25

[Lord+Kano]

What happens when spam-bots block pop/IMAP ports on the local machine and then send pop-up windows to the user saying "You can not recieve email because your ISP blocks 'Port 25', call and request that they unblock it."

User:"I need you to um, 'Unlock Port 25'?"
Tech Support:"What seems to be the problem?"
User:"I can't get my email and I need you to unlock port 25."
Tech Support:"You'll have access in 30 seconds."

LK

Re:Go ahead, block 25

[Bombcar]

You'll then see trojans that say, "Call your ISP and ask them to unblock port 25 to see hot naked networks!"

Bet your last dollar on it.

Re:Go ahead, block 25

[slugo3]

I use SBC and its true that they didnt notify the users, then again I dont check my sbc email either.
Most users running a mail server would probably notice a problem pretty fast.
sbc upblocked it within a day after a visit to the following page though.

http://help.sbcglobal.net/article.php?ys_service=D SL&ys_state=&browser_redirect=%2Farticle.php%3Fite m%3D4640

Re:Go ahead, block 25

[Sheepdot]

Yes, this seems like an answer to the problem, but what I've never understood is that ISPs have the capability to determine when someone is sending spam and when someone isn't. Just monitor egress port usage. If someone is sending out 50 emails per second then block them. If they are sending one every 2 minutes, then don't.

Or, when a user signs up, give them the option! Why ISPs haven't provided this yet is beyond me. Have a simple web form that lets users sign in and turn off port blocking, the only ones smart enough to know they need to turn it off are also the ones that most likely need to.

For that matter, why hasn't Microsoft implemented this as a "feature" of windows XP? If they are turning off raw socket access, they might as well also turn off sending from port 25 by default. It'd upset some of us who host websites on our XP workstations, but if they really want to promote Windows 2003 Server, then this would seem like a viable option.

Or maybe, just maybe, we could abandon the ridiculous email protocol altogether, and move to something that is built with trust in mind. Or we could all start implementing greylisting and actually increase the cost of spam.

Re:Go ahead, block 25

[The+Cisco+Kid]

No, you dont need port 25 to relay through your tummy.com server. Use MSA - wether that means implementing it yourself (if your vserver is setup that way), or asking them to support it (if they dont already). Uses port 587 instead of 25. Requires authentication. Doesn't accept 'inbound' mail, only 'outbound for-relay'.

Re:Go ahead, block 25

[penix1]

This does nothing for DOS attacks. It does do something for spam relays though.

B.

Re:Go ahead, block 25

[penix1]

"1. use static dhcp."

That's an oxymoron...

The problem with this approach is you run out of IP addresses very quickly. The whole idea behind Dynamic Host Configuration Protocol (DHCP) is to reuse an IP as it becomes available. The problem isn't with DHCP but with identifying a machine via time/date stamp and manually searching logs. Imagine if you were an admin at say Earthlink and had to identify all the possible zombies out there via log files....

Call it job security...

B.

Re:Go ahead, block 25

I use static IP's with DHCP. DHCP also configures the nameserver and default gateway of the client, even while giving them back the same IP. Keeps one from having to push this info out to machines, keeps users from believing their IP is static Now And Forever Amen, and it transfers nicely when the machine does end up on a dynamic IP network.

"Static DHCP" still sounds a little odd.

Re:Go ahead, block 25

[teh_winch]

I find it hard to believe the person at the isp does anything different when finding the user of a static ip compared to a dynamic ip. They would just enter the ip and time and get back the users details.
Finding the user of an ip must happen often enough that they already have automated tools to do the job.
Users causing trouble and needing to be identified isn't exactly a new or uncommon problem.

Re:Go ahead, block 25

[penix1]

Again, this is fine for small networks but you would run out of IP numbers quickly on larger ones such as AOL, Earthlink or even MSN. When you get large numbers of users, IP management becomes necessary. Yes, DHCP does configure the rest but its main reason for existance is for IP management.

B.

Re:Go ahead, block 25

[DA-MAN]

If they are turning off raw socket access, they might as well also turn off sending from port 25 by default

Uhm, then how would you legitimately send out e-mail? Would they block port 25 for all but Outlook/Outlook Express? What would stop a virus from using the internal mail interface to just use Outlooks smtp engine? How would I send out e-mail through Thunderbird without port 25?

This is a really bad idea!

Re:Go ahead, block 25

[conteXXt]

actually it's not.
static = yours.

static dhcp = theirs but more or less permanently assigned to you.

My ip is technically dynamic (the word I DIDN"T use) but it never changes. functionally its a static dhcp address.

P.S. you should know that many admins will set static ips in dhcp for myriad reasons. I'll give you 1 good example though.

Jetdirect Print servers: can be set statically (via web/telnet/jetadmin etc). can also use dhcp as would be expected). Many admins will set them statically, and then add a static dhcp entry as well.

Why? because they are flakey (like users). if they reset to defaults (dhcp), it doesn't matter.

Re:Go ahead, block 25

[mrm677]

You are wrong. I did exactly this with SBC DSL and now I have unrestricted access to port 25 after calling and asking for it. By default, it is blocked.

Re:Go ahead, block 25

[i.r.id10t]

Actually, I'm fairly sure a large portion of AOL/MSN users wouldn't know or wouldn't care if they were being NAT'd.

Come to think of it, I'm pretty sure the Internet could be a slightly better place if AOL, et. al. *were* NAT'd ....

Re:Go ahead, block 25

[timbo234]

Optus here in Australia blocked port 25 a while back like this. At first you had to ring them to get it undone but then they put a thing on the web page so you could just click to unblock it permantently for your account. It said something scary about you accepting all responsibility for any spam that comes from your computers.

Personally I think this is the right approach since most people who want to access externeal SMTP servers are cluey enough to get it unblocked. Whereas it still targets the rest of the customers who wouldn't notice or take action if their computer grew devil horns and started glowing an evil red as an indication that it had been zombied by a spammer.

Re:Go ahead, block 25

[Draknor]

Uh, wrong.

User: "I can't get my email and I need you to unlock port 25".

Tech: "You don't need port 25 to download your email. You have . Please go to this website to disinfect your system."

No one needs port 25 to GET mail unless they are running their own mail-server, in which case they are probably smart enough to either not get infected by a spam-bot, or smart enough not to use Outlook/Express in the first place.

Re:Go ahead, block 25

[Eggplant62]

Ever heard of radius? What's so damned hard to implement?

http://www.freeradius.org/faq/

Re:Go ahead, block 25

[dgatwood]

You can have -fixed- DHCP addresses, but they are not static. A DHCP address can disappear from the interface if the dhcp server doesn't respond in time. That makes it somewhat different from a static IP, and really quite unacceptable for a server, IMHO.

Re:Go ahead, block 25

[Draknor]

So much for preview - that should have read:

Tech: "You don't need port 25 to download your email. You have [spam-bot du'jour]. Please go to this website to disinfect your system."

Re:Go ahead, block 25

[itadaku]

Problem solved.. but you see this 'solution' has been discussed before about a year ago with COMCAST, then (probably still) the nets biggest spammer. Simply put it would cost them 58$ million in tech support costs.....

http://news.zdnet.com/2100-9595_22-5218720.html

Re:Go ahead, block 25

[dgatwood]

If someone is sending out 50 emails per second then block them. If they are sending one every 2 minutes, then don't.

I run a small mailing list server on a home office connection. It doesn't get much traffic, but when it does, it wouldn't be surprising for 50 emails to go out in a single second.

No, the only way is to have it default to being blocked. If somebody calls and asks for it to be unblocked, the person on the other end should ascertain whether the caller is trying to run a server or is just clueless. If the latter, the answer is "no". That said, I do kind-of like the idea of making it be an option when you sign up for service. A web page to change it, though... might cause people to get tricked into changing it. Dunno.

Regarding port 25 blocking on Windows... well, technically, they shouldn't be allowing anyone other than the equivalent of 'root' to be sending on privileged ports anyway. Don't get me started on Windows security....

Re:Go ahead, block 25

[japa]

If someone is sending out 50 emails per second then block them. If they are sending one every 2 minutes, then don't.

These days it's rare to see someone sending spam with huge volumes. Usually when something like that is noticed, it's legimate emailing. Instead I've noticed that many zombies send email very slow in order to "stay under radar". If you have enough bots, and boy net is full of them, then you can afford to send out email at the speed of 1kb/sec per zombie..

Re:Go ahead, block 25

[B2382F29]

they might as well also turn off sending from port 25 by default

mail is sent TO port 25, not FROM port 25

Re:Go ahead, block 25

[OnlineAlias]

$58 million? To block 25 outbound? How many users do they think are connecting to outside servers for mail? The ones that do use 25 won't need much help to figure out what to do. Puhlease, that is absolute crap. If I needed it inbound I would expect to pay for a fixed IP and such. I need outbound 25 to get to my server and domain, but I would gladly go hit a checkbox on my account to turn it on if it were turned off by defualt. Grandma will never even notice....

Re:Go ahead, block 25

[MightyMartian]

That doesn't even make sense. Port 587 is for MUAs. Mail servers still connect through port 25, but ought to be somewhat more secure against dictionary attacks and the like.

Re:Go ahead, block 25

[tacocat]

You make an arbitrary decision that a certain group of users, based on account type, should be removed from certain activities. Sounds like prejudice as in pre-judging someones ability based on their account or IP address.

Blocking 25 and forwarding through the ISP is kind of a late concept. Spammers are already changing their trojans to use the ISP mail relay and bypassing all this blocked port 25 bullshit.

Stop treating the symptoms. Stop thinking that spammers are fucking idiots. They are pretty damn smart or at least resourceful enough to figure out nice ways to get around everything that they do.

Understand that you are fighting a multi-billion dollar economic force. It's almost as bad as fight drug trafficking because the Dealers/Spammers have a lot of money to make on this.

Perhaps we can take a clue from Chinese history and how they solved the Opium problem. They executed, on the street, anyone found in possession of or under the influence of opium. Problem was solved in a few months. Think of the effectiveness if spammers were banned from any internet access of any kind (including VOIP, TIVO, bluetooth, SMS,) for a period of XX years and trojans were blocked until fixed.

I do think the idea of shutting down trojan machines makes more sense than blocking port 25. Most users don't know what port 25 is, but they sure understand denied service.

Re:Go ahead, block 25

[FridayBob]

If a spam-bot appears that blocks the local POP and IMAP ports and notifies users with a message saying "You cannot recieve email because your ISP is blocking port 25 -- call and request that they unblock it", chances are that the helpdesk will soon be asking the right questions to figure out whether the user is infected with a common virus or not. Sure, helpdesk people may not always be that experienced themselves, but they can usually follow procedures.

Re:Go ahead, block 25

[EvilTwinSkippy]

Exceptof course that SPAM doesn't chew up a whole lot of bandwidth. You can fit a lot of pink stuff in a 1MB link. Spammers have been known to make a pain in the ass out of themselves with a dial up line.

Re:Go ahead, block 25

[conteXXt]

That's why real/verified registration would be required.

This is for "responsible" people with irresponsible ISPs.

Not a spam hole.

Re:Go ahead, block 25

[conteXXt]

I was under the impression that if the dhcpd server wasn't reached (this time) that the previous configuration would be used (provided it hasn't exceeded it's ttl). Are you sure?

I have seen this behaviour with win2k and XP and I would imagine that linux can be configured this way too.

Re:Go ahead, block 25

[Antique+Geekmeister]

AOL, at least, uses NAT. For those who don't know, this means that all their internal IP addresses start with a non-routed IP address like 10.*, and that that only a small number of their servers have externally accessible IP addresses such as their web servers and mail servers and routers. This protects their customers from external traffic, and makes their network a lot safer to administer, and is just like when your ISP gives you one external IP address and you run a lot of home machines behind a NAT'ed router. So you, at home, can reach out to other addresses but they can't reach back in so easily. People who want to run their own services, like web servers and honest to god mail servers, would need to spring for a business account and a static IP. And the rest of us have a huge address space that AOL can assign as it wishes to provide static internal IP addresses for internal routing. Most ISP's do this now: getting a big range of externally accessible IP addresses is currently very expensive, and not many ISP 's bother to do it.

Re:Go ahead, block 25

[Antique+Geekmeister]

The previous configuration can be used only if the IP address hasn't been re-assigned to another host. Checking for that is built into the DHCP protocol. How to handle an expired DHCP lease is another problem, and whether to consistently re-issue the same IP for the same host if it is left active and a new DHCP lease is needed after the old one expires is another problem. And what to do if another DHCP server is handliing the same domain is a bit of an adventure.

Re:Go ahead, block 25

[Antique+Geekmeister]

It is NAT'ed. So are most other ISP's these days. That's part of the problem: the sending IP address for zombied machines is part of the NAT'ed address space, and is not externally accessible so that they can receive the bounce messages. Interestingly, AOL itself is publishing SPF information that messages forged to look like they come from aol.com can be easily blocked. It's the zombies that forge messages to look like they come from you, or me, or every other ISP in the world and get sent from address spaces from other ISP's that generate such such grief. One interesting filter approach is to assume that for any "MAIL FROM" address, the alleged domain actually does publish SPF records that use its reverse DNS and its real A record for that domain and its real MX records. Anything else is assumed to be forged, and an SPF record of "?all" is faked and used to process the mail, helping to generate powerful negative. This helps filter zombie and spam email quite a lot. In short, for any domain that does not publish SPF records, assume that they publish simple ones and filter accordingly. It's a very good indicator of forged email that can be processed right at the mail server and puts a big dent in zombie and email worm traffic.

Re:Go ahead, block 25

[Sheepdot]

Sorry, in my haste I mistyped that, good catch. Hopefully the part about "egress port usage" trumps the typo.

Re:Go ahead, block 25

[Sheepdot]

Uhm, then how would you legitimately send out e-mail?

Simple; you wouldn't. Email is one of those protocols that is so flawed it shouldn't be used. Since Windows zombies make up 90% of the spam and only maybe 10% of users don't use webmail on those stations, there'd be a few complainers.

Now blocking the Outlook mail engine would be difficult or damn near impossible to do, esp on a corporate level, so yeah, there wouldn't be anything stoping a virus from using Outlook.

The different with *that* is that Outlook at least lets you force authenticating, so that a virus wouldn't be able to spoof who it is or who it is from. Looking at who is sending the spam would tell you the culprit.

Re:Go ahead, block 25

[CreatureComfort]

Yeah, like the Indian support tech that takes my Comcast complaint calls will understand a port unblock request. As is, I have to spend ten minutes explaining that: yes, I have already reset my modem; no, I have disconnected my firewall (Actually I've stopped telling them I even have a firewall, because twice I've had them say that the problem had to be my firewall and was therefore outside thier support coverage, thank you, goodbye.) and it still doesn't work. After finally convincing them it is a problem on their network they tell me they'll send a technician out to look at it.

This actually happens almost every time anyone on my local loop gets new broadband service. Apparently, I'm at the end of the line and for some reason every time they hook a new person in it knocks me off. I worked cable broadband for 4 years, and have no idea how they could possibly have configured the local switch to cause the problem. One of these days I'll see the tech at the box at the end of my street and get him to show me how they are hooking us all up. Maybe get him to leave a laminated note in the box instructing any tech that gets into the box in what to do to make sure I don't get knocked off when they are done.

Re:Go ahead, block 25

[nahdude812]

Wrong, any users can *connect* to privileged ports, only privileged users can *listen* (accept connections) on privileged ports.

Otherwise you'd have to be root to use Thunderbird to send an email to an outside server.

Re:Go ahead, block 25

[petermgreen]

i doubt that with broadband you would use hugely more ips with a sticky policy (ie only change ips when you change the network design but still use dhcp to let you make those changes) rather than a fully dynamic policy. and it makes it a lot easier to keep track of who is doing what and for services to ban troublesome users.

Re:Go ahead, block 25

[petermgreen]

hmm here in the uk every isp i have used has given me a real ip and i'd be pretty pissed off if they didn't.

large scale nat has advantages but it also has big disadvantages (like requiring a connection tracking system in place to actually do the nat). and like pissing off customers who have a clue (and its customers with a clue who tend to get asked by friends what broadband provider to use).

Re:Go ahead, block 25

[petermgreen]

the way i do it (slightly simplified from my real setup as i use this ssh link for other stuff and the sshd is on a nonstandard port):

ssh -L 25:127.0.0.1:25 user@server

then just set up the mail client to send to port 25 on localhost

(yes i know about -D and i do use it for other stuff but i use my mail client for other accounts that i don't wan't to go through an ssh tunnel)

Re:Go ahead, block 25

[Stormy+Dragon]

Someone sending 50 e-mails a second could be spamming. Or they could just be hosting a legitimate mailing list.

China will play along

[winkydink]

If this gets substantial traction, China will get it's collective shit together and do something about it. A few days of null-routing their traffic should do the trick.

Re:China will play along

[ChipMonk]

Interesting that you would use the word "collective" next to "shit", and in reference to a Communist government.

Re:China will play along

[winkydink]

Blaming China for things like spam just lets them accuse us of stereotyping them or being rascist and this distracts people from valid concerns such as their unfair currency policy and unfair trade practices.

The article said, it was unsure if China would play along. I don't recall it saying "China, the leader in spam" or something. Also if those 25 countries agree to do something and China doesn't, what do you think happens to the percentages?

Have you ever been to the PRC? I've been numerous times. In general, the Chinese are extremely racist, almost to the Asian equivalent of Aryanism.

Re:China will play along

[Mike+Markley]

Nah. If we did that, it would just make the whole Great Firewall undertaking that much easier...

Re:China will play along

[stor]

In fairness to the Americans, they did invent the Internet. Seems rough to blacklist them. =)

Cheers
Stor

Re:China will play along

[powdered+toast+dude]

As a small-time ISP, I recently took the admittedly draconian action of blocking SMTP from China, Korea, and a few others at the iptables level. Result: 50% reduction in spam instantly. I suppose I'll have to give my users a way around it if any complain, but I'm not expecting it.

Also: qmail admins, I highly recommend simscan. It invokes clamav and spamassassin during the SMTP conversation by way of QMAILQUEUE resulting in a 5xx error (and therefore an immediate bounce to the sender for legitimate false positives) and no local queue growth. Nice.

$0.02,
ptd

Re:China will play along

[B2382F29]

Have you ever been to the PRC? I've been numerous times. In general, the Chinese are extremely racist, almost to the Asian equivalent of Aryanism.

You are talking out of your ass. And i have been to the PRC several times.

Re:China will play along

[winkydink]

Really? Ask you Chinese friends to explain the differences between "Big China" and "Little China".
Try venturing away from the business/tourist sections. Better yet, try it in a smaller city.

Re:China will play along

[B2382F29]

Try venturing away from the business/tourist sections

Been there, done that, my wife is chinese.

Spam Zombies?

[spotmonk]

It's enough that I get spam from life people..
but now spam from the undead?

Re:Spam Zombies?

[Rei]

dear brain owner,

compliments of the season to you. I am Barrister Urrrrrrrrrrrr Guurrrrrrrr. I represent Rrrrrrrr Rrrrrrrrrr, son of the late gen. Rrrrrrr Urrrrrrrgh, who was the former military head of state in Transylvania. he died in 1312. since his death, the family has been losing a lot of money due to vindictive church officials who are bent on dealing with the family. based on this therefore, the family has asked me to seek for a foreign partner who can work with us as to move out the total sum of us$75,000,000.00 ( seventy five million united states dollars ) in gold, presently in their possession. this money was of course, acquired by the late president and is now kept secretly by the family. the Swiss government froze all the accounts of the family in Switzerland in 1571, and some other countries would soon follow to do the same. This bid by some government officials to deal with this family has made it necessary that we seek your assistance in receiving this money and in investing it on behalf of the family.

This must be a joint venture transaction and we must all work together. since this money is very heavy, extra security measures have been taken to protect it from theft or seizure, pending when agreement is reached on when and how to move it into any of your nominated bank accounts. please contact me so we can arrange to meet you at a graveyard of your convenience in the Transylvania area to complete the transaction. as it is in a rather large box, please bring a chainsaw to assist in cutting it open.

Note: Please send your reply through (Urrrrrrrrrrrr.Guurrrrrrrr@sco.com)

Blocking port 25 seems reasonable

[Ritz_Just_Ritz]

It will block a huge amount of spam from being injected by broadband zombies and will inconvenience a vanishingly small number of hard core geeks (who probably know someone with a well connected server in a datacenter that they IMAP into from home anyway).

Re:Blocking port 25 seems reasonable

[flabbergasted]

You mean like this list of machines logged on my company's mailserver last night?

pcp0010214909pcs.prtmry01.nj.comcast.net [68.38.185.88] 3 Time(s)
pcp0010265818pcs.indpnd01.mo.comcast.net [69.242.142.22] 1 Time(s)
pcp0010333393pcs.reston01.va.comcast.net [68.48.197.229] 1 Time(s)
pcp0010412028pcs.verona01.nj.comcast.net [68.45.58.128] 1 Time(s)
pcp0010540314pcs.cnorth01.va.comcast.net [68.57.67.93] 1 Time(s)
pcp0010584174pcs.detrtc01.mi.comcast.net [68.40.225.0] 1 Time(s)
pcp0010642714pcs.nstnig01.ct.comcast.net [68.85.32.47] 1 Time(s)
pcp0010655005pcs.pimaco01.az.comcast.net [69.244.46.82] 1 Time(s)
pcp0010810535pcs.blumtn01.pa.comcast.net [68.83.178.34] 1 Time(s)
pcp0010846920pcs.flrdav01.dc.comcast.net [68.48.139.194] (may be forged) 1 Time(s)
pcp0011040929pcs.columb01.pa.comcast.net [68.32.55.43] 1 Time(s)
pcp0011111425pcs.elkrdg01.md.comcast.net [68.54.168.192] 1 Time(s)
pcp0011378025pcs.tsclos01.al.comcast.net [69.244.22.77] 1 Time(s)
pcp0011477711pcs.chrchv01.md.comcast.net [69.250.168.74] 1 Time(s)
pcp0011618409pcs.glst3401.nj.comcast.net [68.38.117.248] 1 Time(s)
pcp0011641820pcs.aberdn01.md.comcast.net [69.250.232.187] 1 Time(s)
pcp0011714032pcs.nmexav01.dc.comcast.net [68.34.15.178] 1 Time(s)
pcp0011935679pcs.summit01.nj.comcast.net 1 Time(s)
pcp0011966837pcs.olathe01.ks.comcast.net [68.46.204.16] 1 Time(s)
pcp01021199pcs.panamc01.fl.comcast.net [68.59.108.1] 1 Time(s)
pcp01277162pcs.mobilh01.al.comcast.net [68.63.57.96] 1 Time(s)
pcp02108146pcs.cstltn01.in.comcast.net [68.58.134.116] 1 Time(s)
pcp02109399pcs.newhav01.mi.comcast.net [68.83.194.92] 1 Time(s)
pcp02285290pcs.paduca01.ky.comcast.net [68.63.248.232] 1 Time(s)
pcp03995793pcs.elkton01.md.comcast.net [68.33.57.218] 1 Time(s)
pcp04052298pcs.wbrmfd01.mi.comcast.net [68.41.42.156] 1 Time(s)
pcp04095669pcs.mtsano01.ga.comcast.net [68.47.47.2] 3 Time(s)
pcp04366701pcs.nrockv01.md.comcast.net [69.140.203.48] 1 Time(s)
pcp04965276pcs.benslm01.pa.comcast.net [68.80.89.88] 1 Time(s)
pcp05403122pcs.hershy01.pa.comcast.net [69.139.141.125] 1 Time(s)
pcp05921204pcs.sprgfd01.mi.comcast.net [68.61.127.211] 1 Time(s)
pcp06251235pcs.roylok01.mi.comcast.net [68.62.103.46] 1 Time(s)
pcp07344705pcs.sftmyr01.fl.comcast.net [69.139.61.100] 1 Time(s)
pcp08118966pcs.gambrl01.md.comcast.net [68.48.93.223] 1 Time(s)
pcp08582368pcs.alxndr01.va.comcast.net [68.83.219.101] 1 Time(s)
pcp08598128pcs.danbry01.ct.comcast.net [69.138.133.16] 1 Time(s)
pcp08697328pcs.500ash01.tn.comcast.net [69.137.110.133] 1 Time(s)
pcp08710847pcs.washly01.sc.comcast.net [68.58.250.62] 1 Time(s)
pcp08855755pcs.ypeast01.mi.comcast.net [68.85.187.162] 1 Time(s)
pcp09021586pcs.watrfd01.mi.comcast.net [69.244.163.126] 1 Time(s)
pcp09085861pcs.flint01.mi.comcast.net [68.62.31.79] 1 Time(s)
pcp09258390pcs.olathe01.ks.comcast.net [69.240.236.157] 1 Time(s)
pcp09287097pcs.brick101.nj.comcast.net [69.142.6.255] 1 Time(s)
pcp09381207pcs.brghtn01.mi.comcast.net [69.241.243.96] 1 Time(s)
pcp09401135pcs.mtlrel01.nj.comcast.net [69.142.56.207] 1 Time(s)
pcp09479154pcs.medfrd01.nj.comcast.net [69.142.38.170] 1 Time(s)
pcp09739260pcs.stclar01.mi.comcast.net [69.241.251.83] 1 Time(s)
pcp09859686pcs.medfrd01.nj.comcast.net [68.37.48.8] 1 Time(s)
pcp09942638pcs.hyatsv01.md.comcast.net [69.143.227.191] 2 Time(s)
pcp09984227pcs.audubn01.nj.comcast.net [68.36.74.167] 1 Time(s)
pcp185961pcs.swedsb01.nj.comcast.net [68.46.55.209] 1 Time(s)
pcp445640pcs.bartlt01.ga.comcast.net [68.51.164.35] 1 Time(s)
pcp695807pcs.lvngst01.md.comcast.net [68.50.92.82] 1 Time(s)

Re:Blocking port 25 seems reasonable

[typidemon]

Almost every single student at my university uses their pop3 mailing address from home (which is almost always a third party isp).

I also use my work email from home.

Heck, my mother has 3 mailing accounts: Her personal one, the one her and her husband share and her school account.

For the record; my mother is not a geek.

Re:Blocking port 25 seems reasonable

[The+FooMiester]

Hardcore geek here, with a UID that's far lower than yours.

Don't block my outbound port 25.

Don't block my outbound ANYTHING.

Block me off completely when my machine hurts the internet by spamming/flooding/whathaveyou.

I'm so sick of this "Let's surrender our internet because of Microsoft" bullshit. I'm sick enough of it to burn karma by posting this crap that's going to get modded into oblivion.

Not all of us know someone with a well connected server. Not all of us want to post mail from somewhere other than our box. I know that my box is working and isn't logging what I'm sending somewhere else. I know that the government isn't reading my email logs. I know that my server is MY SERVER and that's THAT.

If you don't like it, go back to AOL. Then you can have your little closed interface, able to email all of your little friends who use the same closed interface, and get charged for what I can get for free. All I have to pay for is my connection, whereas you'll have to pay for every "value-added" service you use.

Re:Blocking port 25 seems reasonable

[humuhumunukunukuapu']

" I know that the government isn't reading my email logs"

how do you know, exactly?

Re:Blocking port 25 seems reasonable

[the+eric+conspiracy]

UID that's far lower than yours.

LOL.

Re:Blocking port 25 seems reasonable

[Antique+Geekmeister]

It will inconvenience a big number of CEO's, CFO's, and other people who literally cannot be bothered to learn how their laptops work and want all their email to look like it is from their work account no matter where they are.

Blocking port 25 is a reasonable approach for most ISP's, since the large majority of email is now spam and email worms. Blocking port 25 puts a big dent in the worm traffic, since the outgoing traffic will hit the mail server of the ISP responsible for the infected customer. It also puts a big dent in the zombie traffic, which whips around most blacklists and burdens a lot of ISP's with maintaining huge and problematic blacklist of all DSL/cable/dialup IP addresses they can find.

A better solution is SPF. Not thw Microsoft DomainKeys or SenderID solution, but the pure DNS solution that says "this domain publishes a text record that says mail claiming to be from this domain must actually come from permitted IP addresses". It's cute, it's lightweight, it needs people to use the filtering to really have an effect. Check it out at http://spf.pobox.com./

Re:Blocking port 25 seems reasonable

[Amazing+Proton+Boy]

Yep. ;->

Re:Blocking port 25 seems reasonable

[Rasta+Prefect]

It will inconvenience a big number of CEO's, CFO's, and other people who literally cannot be bothered to learn how their laptops work and want all their email to look like it is from their work account no matter where they are.

V-P-N. If they're that far up the tree what they're sending is probably confidential anyway.

Re:Blocking port 25 seems reasonable

[v1]

Tho the real thing to ponder is how someone with a UID so large got a nickname so small

Re:Blocking port 25 seems reasonable

[dubl-u]

Hardcore geek here, with a UID that's far lower than yours.

You're allegedly a hardcore geek, but you're whining about the fact that people on consumer-grade internet connections are treated like consumers?

Really, if you want to get treated like the big swinging dick you apparently think you are, you should probably get a real internet connection. Go get yourself a T1 or a colocated server. Or both. Christ, I know people who get hundred-megabit pipes for their hobby projects; if you can't afford the few hundred bucks a month for a home T1, or the $70 bucks a month for a real ISP's DSL, then you should scrape together the $20 per month for a fractional colocated server and run your own mailserver.

Otherwise we may have to take away your ridiculously low UID and give it to somebody more deserving.

Re:Blocking port 25 seems reasonable

[cdwiegand]

Well then, if lower UIDs is any indication, I should be a G-d! (Yeah, it'll get modded down, but I don't live for SlashDot karma.)

Re:Blocking port 25 seems reasonable

[AmberBlackCat]

I think I could handle them requiring isp's to block port 25 on all servers but their own as long as they also require the isp's to actually provide their own mail server.

Re:Blocking port 25 seems reasonable

[DA-MAN]

Everybody's a fucking elitist and knows better than the unwashed masses.

Let's face it, Joe User is mentally challenged when it comes to technology. That's alright though, not everyone does technology.

The worst are the nanog-holes who run around all puffed up, saying "my network, my rules" - it is the customer's fucking network.

It's not the customers network, it's the customers node into the network. Unmanaged the internet would not be usable.

They could come up with more sophisticated alternatives that were more effective against unauthorized traffic, but it is easier to slop blanket rules on everyone.

Thus far nothing has worked. Give good ideas that work, don't sit here and talk smack about what does work but you disagree with.

I'll happily pay people like http://www.rawbandwidth.com/ and speakeasy since they seem to keep that in mind.

That's great! We geeks are a market too, and too few services target us. The more geeks that use these services the better!

BTW, those open relays were UNIX and VAX machines, not Linux and back then open relays helped deliver legit email.

Not true, the biggest offenders were Linux boxes. Stock RH up until 6.2 was open relay. When Linux was in it's infancy there was still in kernel 2.0 and early 2.2 it was heavily used by ISP's with open relay configurations.

This is not "best practices" it is what some control freaks are pushing because (again) they feel they know better. email does not want to be centralized for a long list of reasons and many so-called email experts have pointed that out.

Just like those prick doctors always telling us to eat healthier and exercise... Fuck those bastards, the common man knows way more than experts in their prospective fields.

Don't be a dumbass, regular people are not geeks. They should not be treated as such.

Let me guess, you're a network admin at an ISP, right?

Actually no, I work for Uncle Sam as a System Bitch.

Re:Blocking port 25 seems reasonable

[Amazing+Proton+Boy]

You ever seen one of taco's posts?

How about hemos?

That's some low UID's. ;->

We get karma and mod points because we obsess over slashdot. The low UID's are a byproduct of that, not a cause.

Re:Blocking port 25 seems reasonable

[Talence]

My slashdot UID is a lot lower than yours. What's my reward? ;-)

What should be done

[Michaelis]

I say we take their computers away then grind, burn, and scatter them in the Atlantic.

Re:What should be done

[psyon1]

Hey! don't polute the ocean! Drop them on the Redmond campus.

Re:What should be done

[initialE]

So you want to send them on a cruise with Richard Simmons?

Re:What should be done

[stor]

Yeah I sympathise.

Unfortunately it would mean there would be no money in computers. Sucky hey?

Cheers
Stor

Comment removed

[account_deleted]

Comment removed based on user account deletion

Anyone got bandwidth for new venture?

[conteXXt]

1. Get fcc to 'advise' isps to block 25.
2. wait for futility among the geeks to set in.
3. set up vpn server for aforementioned geeks.
(real verified reg required)(paid service but
(Real Cheap)
4. profit!!!

any takers?

Re:25? Already blocked.

[Chmarr]

Umm... how does sending to port 80 work? Or... have you configured your mail server to accept mail on port 80... and they're only sending to you?

Re:25? Already blocked.

[wayne606]

Why should outlook be connecting to port 25 of a server that is not the ISP's official mail server?

But I thought SMTP was on port 26...

[ChangeOnInstall]

Mmmmm iptables

[0:0] -A PREROUTING -p tcp -m tcp --dport 26 -j REDIRECT --to-port 25

(You have to add that to your server machine, not your client machine)

I second!

[Hrodvitnir]

Having worked for a university tech department that did this, I would have to say, I can't think of a better way to open peoples eyes to the threat of virii than to revoke their internet privilages.

Re:I second!

[Mad+Merlin]

Are you going to refund the money they paid for the 'net connection for that time too? I agree that a network connection is not a right but a privilege, but at the same time, they're still paying for that privilege, what gives you the right to take their money and give nothing in return?

Re:I second!

[SirSlud]

Thats the "Terms and Conditions can change at any time" part of the fine print you forgot to read.

Re:I second!

[phiwum]

Having worked for a university tech department that did this, I would have to say, I can't think of a better way to open peoples eyes to the threat of virii than to revoke their internet privilages.

And when they learn that lesson, they still have lost their "privilages", right? So what is the advantage of learning the lesson?

Anyway, I think this is a brilliant plan, but it doesn't go far enough. Too many people are being compromised by malicious websites and insecure browsers. I think we ought to block port 80, too.

Re:I second!

[SirSlud]

I was being sarcastic. I'm not an IT person, and I certainly don't power trip from being a software developer.

None the less, most contracts you sign for service providers of any sort these days include provisions that allow them to change the terms and and conditions of your service plans at any time.

I don't likeit as much as the next guy, but hey, until we all boycott the standard T&C boilerplate bullshit ...

Comcast is supposed to already be doing this...

[Fish+Heads]

So, according to this article...

http://news.zdnet.com/2100-3513_22-5230615.html

Comcast is already supposedly doing this. I can't confirm that since I am going through the mail server anyway...

The spammers will figure out a way around it anyway.

Re:Comcast is supposed to already be doing this...

[dlZ]

Cablevision does. I have a client with locations in CNY (using RR) and down in Long Island. When they're at a residence in Long Island (where some of them live) they have to connect to the VPN (or use webmail) to send mail because port 25 is blocked otherwise. It's great fun, because it's not in CNY with RR, and they don't understand why it doesn't work no matter how many times I explain it.

What about VOIP/911 services?

[ringfinger]

Completely cutting them off would be a disaster. Most users wouldn't know what happened or how to get back connected. Plus, support costs for ISP's would go through the roof.

People use their broadband connections for phone and 911 services now -- cutting them off completely could literally cut them off from emergency services.

Re:What about VOIP/911 services?

[winkydink]

You're betting on your ISP's reliability to get you through in an emergency? Perhaps natural selection is making a comeback.

Re:What about VOIP/911 services?

[TerminaMorte]

If you rely on the internet for emergency calls, then you're going to notice blackouts every month anyways.

Anyone with an ounce of intellegence will keep a land line for 911.

Re:What about VOIP/911 services?

[Zocalo]

OK, it's no solution to the VoIP emergency call scenario, but most ISPs that have implemented this kind of denial of net access in a sensible manner don't actually cut the user off out right. The preferred solution is to move the problematic user onto a dedicated VLAN. From there it's a trivial matter to redirect any attempt to access to web to a information page that informs the user what has happened and what to do about it. Here in the UK this usually applies to people who are "over using" their DSL lines, at least until this initiative gathers some momentum, but the principle is the same.

Re:What about VOIP/911 services?

[/dev/trash]

A phone is what these people need, not a computer.

Re:What about VOIP/911 services?

[Greyfox]

Keep a deactivated cell phone for just such emergencies. And it'll still work even when the power goes out!

Re:What about VOIP/911 services?

[tomhudson]

Anyone with an ounce of intellegence will keep a land line for 911.

Anyone who's not housebound is going to be carrying a cell phone - and a lot of us use it as our only line ... works fine. This 911 stuff is mostly alarmist BS. Your home line is useless for calling 911 when you're in the yard, or in your car, or walking the dogs, or anywhere else except in your house.

Obiquitous cell phone usage has already pretty much killed off OnStar renewals ... its hurting the old-line telcos ... and VoIP is just another choice.

If your house is on fire, you're not going to be making a phone call anyway, whether you have a land line or VoIP. You're getting the fuck out. Then, once you're safely outside, you can use your cell phone to call for help.

Re:What about VOIP/911 services?

[ergo98]

This is really becoming absurd now though. Just becuase people have a false impression about things does not mean they are right. At some point, people are going to have to realize their errors.

You have remarkably low expectations.

Personally I've seen both my cable and high speed over cable achieving perfect reliability over the last two years. Not 90%, but rather 100% reliability. Given that the cable providers themselves are now starting to roll out their own VoIP, I guarantee you that they aren't going to give some vague hazy answers about the reliability - they are going to guarantee telephone level reliability. The government will invariably then legislate required reliability, and right so.

Re:What about VOIP/911 services?

[Skapare]

Just cut off port 25. In fact, just cut it off before anything happens. If they are some BSD/Linux geek, they'll call in and demand port 25 be unblocked. Listen for the key "port 25" or "SMTP" in the caller's request; if they say that, they know what they are doing well enough they probably won't be much of a problem ... open all ports for them. It's the idiots using Windows you need to have in padded cells.

go ahead and block it, webetter stick to webmail

[downsize]

I have been with approximately 15 different ISPs in the past 10 years. Needless to say, all but 2 had horrid SMTP servers (same goes for their POP3's).
Which is why so many choose to use webmail providers such as http://fastmail.fm/ and http://shinyfeet.com/ for their day to day stuff, and only use the ISP given email for very little correspondance.

so I keep thunderbird open for the ISP addy and firefox open for the webmail.

I do like that the FTC is getting other governments involved.

blocked ports

[DaveCar]

I wouldn't mind to much, so long as you could opt out - just call up and say "I have half a clue what I'm doing" or "I'm not running a festering infected OS from Redmond".

I'm guessing most of the people who unwittingly harbour zombie machines wouldn't know wtf port 25 was anyway ...

Maybe a couple of basic networking questions to weed out the chancers?

Re:blocked ports

[downsize]

but you don't have to be running a SMTP server, you could be using port 25 to another server, like another commenter stated, a friend with a datacenter.

had a buddy with a client whose ISP blocked 25 and they had to use their ISP's SMTP server to send out, which they really hated to do since they wanted only their company name to be in the mail headers (which is understandable).

Re:blocked ports

[DaveCar]

Sure you don't have to run a server.

Joe Sixpack is told to use the ISP's SMTP server (the software they probably install would set it up for them anyway).

If you need to actually do you own mailing (and hence have enough clue to set up your own software) just call up and say why.

It seems a reasonable compromise - viruses can't (as far as I know ;) call up you ISP and ask if they can free up the port so they can wreak havoc!

Re:blocked ports

[StikyPad]

just call up and say "I have half a clue what I'm doing"

"I'm sorry sir, we don't support Linux."

Re:25? Already blocked.

[coop0030]

That's interesting. All of this is unfortunate though, because it does burden someone who isn't doing something wrong if they get blocked by accident. I bet it is a nightmare trying to get it unblocked, also.

err

[rebug]

What does IMAP have to do with SMTP?

Re:err

[Ritz_Just_Ritz]

Most people don't NEED a server listening/sending on port 25 and can connect remotely to a server via POP/IMAP. That was my point. Cheers,

Yes, I know

[Hrodvitnir]

Leave it to me to misspell my key words.

Re:Yes, I know

[cr4p]

heh. I didn't even notice the misspelling until you said you misspelled it. When I went and re-read your comment, I finally noticed it. I guess some of us are so used to people typo'ing stuff that we don't even notice typos anymore.

I already do this on my home net

[WillerZ]

Traffic to or from port 25 is dropped at my router. My external email provider gives me SMTP-TLS on a high port, so I lose nothing.

This means that even if a worm gets through the NAT and manages to infect my patched-to current AV-running machines, it can't do what 90% of them want to. Thus, when the patch/AV database update arrives and kills it, I know I've not contribued to the problem.

Re:I already do this on my home net

[The+Good+Reverend]

That's fantastic. But anyone who knows as much about computers as you do tends not to be the problem in the first place. Those lazy about the problem are much less of an issue than those that are ignorant of the problem.

Re:I already do this on my home net

[Jason+Earl]

Yes, and now it looks as though the "powers that be" are going to force everyone to do something similar. Either you are going to have to be smart enough to set up your mail so that these sorts of attacks are impossible, or you don't get to send email at all.

So what?

[grub]

That ISPs only permit users to send mail through their own servers (presumably by blocking port 25 outbound)

My ISP doesn't block 25 outgoing but a few spam blacklists have my IP range on their "DSL/Cable/Dialup" listings so I send mail from my internal server through the ISP.

The result? No more "You're on a dynamic IP" bounce messages.

Re:So what?

[DieByWire]

My ISP doesn't block 25 outgoing but a few spam blacklists have my IP range on their "DSL/Cable/Dialup" listings so I send mail from my internal server through the ISP.

The result? No more "You're on a dynamic IP" bounce messages.

The other result:

"Connection error from smtp.comcast.net on port 25 (450 too frequent connects from 66.41.xxx.xx, please try again later.)"

Either way, you're screwed.

Small Business Users / external hosting

[nurb432]

Blocking port 25 would just about kill small business people that use a 3rd party hosting service for their webpages and email.

Guess that means the ISP gets a 'forced market' when it comes to email and hosting domains.

Re:Small Business Users / external hosting

[downsize]

yea I agree to this. and as I replied to another's comment, this has happened already, however, the client had the option to choose a different ISP. With this setup, small businesses would have to spend more money, and set up an SMTP on another port or setup a remote company webmail box.

Re:Small Business Users / external hosting

[Wesley+Felter]

I don't get it. My Web site and (incoming) mail server is not hosted by my ISP, but I happily send my outgoing mail through my ISP's SMTP server.

Re:Small Business Users / external hosting

[The+Cisco+Kid]

Nope.

http://www.ietf.org/rfc/rfc2476.txt

This idea is to seperate 'a mailserver connecting to another mailserver to drop of mail that is addressed to a user at the destination server' from 'a user connecting to his own server, authenticating as such, and then dropping of outbound mail for that server to then send on to the final destination', and restrict the first to non-dynamic, non-'consumer', or any addresses where there isnt some reasonable expectation of a positively identifiable responsible party.

Spammers will have a lot harder time abusing the second, and will be easier to identify if and when they do.

Re:Small Business Users / external hosting

[nurb432]

Not all ISP's allow relaying.

Also, some email servers reject mail thats been relayed from a different domain then its claiming to be ( antispam measure ).

Re:Small Business Users / external hosting

[benjamindees]

Not to mention, most ISPs suck ass (Southwestern Bell, I'm looking in your direction) and charge big bucks for service that doesn't suck ass.

Re:Small Business Users / external hosting

[gregmac]

Blocking port 25 would just about kill small business people that use a 3rd party hosting service for their webpages and email.

It doesn't matter what SMTP server you send outgoing mail from (so long as it's not blacklisted) -- SMTP doesn't check domain names or anything (which is also really the reason spam can exist so easily).

I had a situation that was really annoying a few years ago. We were on DSL with the incumbant phone company, and used our own co-located server to send mail. One day, I could no longer connect to SMTP. Called them, of course teir 1 tech support says "no, nothing has changed". I wait for a while to see if it'll go away, then call them back a couple hours later. This time, the guy says that they noticed one router wasn't blocking 25, so they "fixed" it. I decided just to use their server, since it was an easy fix (make a DNS entry in the office only that points to their IP instead of ours).

This was fine for a couple months. Then one day, we couldn't send mail again. I tried to connect to their SMTP, and it would either timeout, or VERY slowly connect. I call them, and they say they're being hammered by viruses, and it'll be fixed soon. Within half an hour it was back to normal. This happened about 3 more times, and I got really annoyed. I called and asked them to remove the port 25 block (just for my account -- even to only my mail servers IP), because it was rediculus we couldn't send email. They said they couldn't, I'd just have to wait. Well, it was several hours and still not working, so I called again, and asked to speak to a manager or supervisor. Basically, same deal "no, we can't take off the block. Maybe you can use webmail". Although it would work, I didn't want to tell everyone to use webmail instead of their email clients just because of this. I called another ISP, asked them how long it would take to get me DSL (and made sure I could use my mail server), ordered it, and called my ISP back and set to get rid of their connection.

Of course, this started another rediculus series of events. The DSL remove order and DSL add order (that get filed by old and new ISPs, respectively) got "mixed up", and a couple days after moving to my new ISP the DSL signal was lost. An angry call to the phone co had it back within an hour (yet it somehow still takes 5 business days normally).

The old ISP also decided that we actually couldn't cancel when we did - we were on a 1yr contract, and had to pay 50% of 8 months service or something for cancelling early. We had been a customer for 3 years, and none of our bills for the past year said anything about a 1year contract. They also couldn't produce the contract -- not even an unsigned version. In subsequent calls, they claimed that it was a verbal contract yet couldn't name who had supposedly made it. Eventually months later, in an effort to get our local phone service back (we had switched to a CLEC many years ago), they decided to "credit" our account for the charges. Of course, we remained with the CLEC.

Anyway, that got a tad off topic, but I felt the need to vent. Stay away from the big phone companies ;)

Re:Small Business Users / external hosting

[Antique+Geekmeister]

Not at all. The traffic to the third party hosting service can go over port 587, as documented by the RFC's, or can be tunneled over port 80, or can be sent over lots of other fascinating means. It's the random, unauthenticated, untraced outbound email that is the problem. Specified traffic to a designated 3rd party host is no problem if that 3rd party has the remotest clue.

Re:Small Business Users / external hosting

[Skapare]

You should have been relaying the mail via your own colocated server, but instead of using port 25 to do that, you should be using port 587, encrypted, and authenticated.

I do agree with you about the big phone companies. That includes probably all ILECs and a great many CLECs as well.

Re:Small Business Users / external hosting

[stor]

Blocking port 25 would just about kill small business people that use a 3rd party hosting service for their webpages and email.

Running an MTA is serious business these days. It's not just about blocking VRFY and ETRN. I'm battling bounce attacks, attacks on postmaster and make-baby-jesus-cry brute force attacks which are:

1. Difficult to stop.
2. Apparently increasing in popularity.

We process a bit over 100K emails/day. We reject about 15K emails/day.

Are these small businesses going to try to address this problem with the same rigour as a professional? No, they are not. They are going to do the *bare minimum* to get/keep the MTA working and it's going to become another tool for spammers.

If you have a static IP, your own domain configured (forward and reverse) and you are very capable of configuring ACLs on an MTA then you may be OK but you'll be like me: constantly looking for new ways of calming the storm of shit. Otherwise you're just going to become part of the problem.

Cheers
Stor

Re:Small Business Users / external hosting

[cdwiegand]

It's common in contracts with CLECs to do the cancelation fee - the thing is, there's a clause that says that when it expires, it renews for a new term of the same length (so 1 year in your case) unless you tell them otherwise (and you can, most allow you to go to month-to-month, but you have to tell them this when the contract's ABOUT to be but NOT YET expired). I'm dealing with that at my work, myself.

Re:Small Business Users / external hosting

Guess that means the ISP gets a 'forced market' when it comes to email and hosting domains.

The ISP is the worst place to have a mailbox when they sell all of the email addresses they host and forward spam to those addresses and when the spam wasn't even sent to a specific address. Obviously, the ISP would still want everybody to use their domain for everybody's mailbox so they can get the users hooked on their domain name. Always use an outside host for a mailbox so changing ISPs is easy while saving the same old email address.

The FTC and the FBI and the Mafia all want everybody to send all of their outgoing email to them! Using an ISP for an outgoing mail forwarder is the BIGGEST SECURITY BREACH POSSIBLE. Always make a direct connection to the destination to avoid the THIEF IN THE MIDDLE. Anything else is inviting trouble. The new email RFCs should require email to be sent directly from the sender to the destination and NEVER USING YOUR OWN ISP. The FTC is just encouraging anybody to open everybody's email.

The internet is a network with each computer interconnected with each other computer. That is a nightmare for control freaks. They want the ISP to be an establishment interconnecting with other ISPs with everybody just users of their ISP BB. They are against a free society and should be exposed as the despots looking for an empire to rule. Blocking port 25 gives them their empire. Does their empire begin with the 'forced market'? STOP THEM.

Re:Small Business Users / external hosting

[gregmac]

Well, that's the thing - we couldn't find our copy of the original contract (it may have been misplaced, but usually we're good about that stuff, and have a big file for every company with any relevant documents). The bill for the month where it should have renewed didn't look any different from any other bill, and we couldn't find ANY mention of "1 year contract" on any bill. I would have at least expected to see a line item on the bill saying something like "1yr Renewal - 05/23/2005 to 05/23/2006".

They also should have been able to show us a copy of the contract, which would have said that it renewed automatically. They couldn't produce a contract, told us two different stories about it (that we signed this contract, and then that it was a verbal contract), and basically had no proof that we owed them money at all. The interesting thing about how Bell works is that they have their own internal collections agency. If you owe money to their internet company, even though they're seperate companies, they'll cut off your phone, satellite, and/or cell phone service to get you to pay. They don't take you to an actual collections agency because then you could sue them. I've heard of a couple times they've done this sort of thing. Luckily, all of our services are with other companies (and is it any wonder?).

Re:Small Business Users / external hosting

[Lifewish]

Guess that means the ISP gets a 'forced market' when it comes to email and hosting domains.

I am eternally grateful to AOL for attempting to pull this stunt. It meant that I was finally able to convince my non-techy mother to give them and their cruddy, nonstandard service the boot.

Re:25? Already blocked.

[ruud]

we just switch them to port 3535

why not use port 587, which is specifically intended for this purpose?

Blocking port 25 only half bad

[thegrassyknowl]

that ISPs only permit users to send mail through their own servers

I am a geekier sort, and this pisses me off. At the same time I'm kinda glad. I only really use my ISP mail server for everything. They relay on even if my From: address is set to something other than my ISP-provided email address.

Anything to bring the amount of SPAM down is good in my books. Even if it means a slight loss of accessibility to other mail servers... That said, SMTP has authorisation capabilities now. They should rethink the blanket block and block only those SMTP servers that don't force authorisation to send mail. At least that way you'd need an account on it to send mail.

Re:Blocking port 25 only half bad

[TerminaMorte]

The issue isn't with shutting out port 25, but with disconnecting people who harbor zombie PCs.

No reason to block port 25 when the people who are abusing it can't even get online. :)

Re:Blocking port 25 only half bad

[thegrassyknowl]

I commented about a specific part of the original post - the part about ISPs only allowing customers to use the ISP's mail server. :)

This is distinct from cutting off spambots and zombies. There, unfortunately, is a reason to block port 25. Of course this won't stop the ISPs that exist purely to help spammers but there are other things in place that are meant to limit that.

Question...?

[KhaZ]

Now, I admit to not knowing a lot about, well, anything, really.

But I have played with a few mail servers (mostly hating it the whole way: setting up a non out-of-the-box install of Exim is like asking the University of Cambridge to kick me in the face repeatedly, every time), and there is such a setting as a smart host... Which I believe is to route your mail through their relay.

Any reason why they couldn't allow port 25 traffic, so long as it's destination is their mailserver? Then they can deal with spam on an individual basis, and even catch their own people doing it?

Once again, I'm not certain how well it works, but just a thought.

Re:Question...?

[FilthCatcher]

Hey, you're halfway there...

In fact your suggestion - an ISP blocking port 25 except to their own mailserver - is exactly what is meant by "block port 25 outbound".

This will disadvantage people who use a mailserver hosted elsewhere - a setup that is pretty useful if you move your laptop around (changing ISPs between home, work, your friend's house etc).

Don't block 25 outbound!

[m85476585]

My ISP blochs port 25 outbound, forcing me to use their mail servers. When I am traveling and connected with a different ISP, I have to go into my email program's (Thunderbird) settings and change the outbound server (or not send mail). Also, what if I had to send an urgent message and my ISP's servers were down (it hasn't happened, but it could).

Re:Don't block 25 outbound!

[MightyMartian]

And this is why ISPs should open port 587 with SMTP Auth on it (to prevent unwanted relays), and newer mail programs should automatically try port 587 before port 25. We have a number of roaming customers who can plug into darn near any network and still send mail via our mail server. For most mail clients, it isn't that tough to change the port, though, as I say, I still think that mail program writers could give a helping hand by recognizing port 587 as a sending port.

Re:Don't block 25 outbound!

[winkydink]

You'd use your telephone?

A throwaway gmail, yahoo, hotmail, etc... account?

Re:Don't block 25 outbound!

[datadriven]

I'm in a similar situation and I use gmail's smtp as a backup.

Re:Don't block 25 outbound!

[MightyMartian]

All mail programs, at least all mail programs put out in the last six or seven years, allow you to change the SMTP port. What I would like is for the mail program, during set up, to test port 587. While it's a ten second change for tech-savvey folk, for the average user, the acronym "SMTP" is enough to produce palpitations, let alone getting them to change the TCP port in a configuration section they likely wouldn't dare even look at on a normal day.

Re:Don't block 25 outbound!

[Hamsterdan]

Just use SMTP Authentication. That's what I do.

Re:Don't block 25 outbound!

[v1]

Knowing the address of a (little known) open relay is handy for just such an emergency. Though finding an open relay has gotten a lot harder, and they usually disappear (spammied into oblivion) within a month or so.

Re:Don't block 25 outbound!

[m85476585]

My email server doesn't seem to support port 587. It is smtp.bizmail.yahoo.com. Should it?

Re:Don't block 25 outbound!

[Skapare]

If your ISP can't support the email submission protocol properly, get an ISP that can.

Re:Don't block 25 outbound!

[m85476585]

I just configured it to send by Gmail. I didn't realize I could do that.


You failed to confirm you are a human. Please double-check the 7-letter image and make sure you typed in what it says.
But the picture is too hard for humans to read! Is that letter I or J?

Re:Don't block 25 outbound!

[jackofallbrandnames]

" You'd use your telephone?" You gonna pay for the long distance costs?

Re:25? Already blocked.

[wk633]

I'm confused- you mean you act as a relay and run SMTP servers on 3535 and 80? Or you mean source port 25 is blocked, which makes no sense, and would have no effect on web browsing?

The way to block zombies would be to block the customer from port 25 dst for all IP but the ISP.

Nothing the customer could do (short getting the receiver to accept SMTP on some other port) could change that.

If the customer decided to send to port 80, (and assuming they convinced the receiving end to run an SMTP server on 80) it would have no effect on web browsing.

I'm not sure what you're really telling your customers, but what you're telling us is confused.

Re:Wrong way around

[MightyMartian]

See RBLs. Compiling lists is, I'm afraid, inherently flawed. It may cut down on a lot of evil traffic, but never all of it, and unless you have very thorough checking of claims of services letting worm-generated spam through, you open the door to abuses (as has been seen with RBLs on occasion).

The ultimate solution is, I'm afraid, blocking of outside port 25 hosts by anything other than actual mail servers. We finally bit the bullet early this year and put a total ban on our regular subscribers sending outside our network via port 25. On one dialup account alone we had major complaints from AOL (it's incredible to think that a 56k connection could do that over a few hours).

I'm not about to start opening up port 25 for individual subscribers, it's a major headache to keep track of, and since I can't guarantee that they'll keep their machines safe, I'm still allowing my network to be fingered. Users have a few choices; they can send through our server, they can use tunneling, or they can use port 587 (and request that their mail provider open that port up).

Earthlink

[FriedTurkey]

Earthlink doesn't block outbound on port 25 but does block port 25 to other SMTP servers besides Earthlink's servers. Does SPAM still bounce off other servers anymore?? I know at one time there were lists of open SMTP servers.

Luckily I can bounce my work email off the Earthlink server without it looking any different.

This is going to get someone killed.

[shift.red.avni]

The FTC should stick to trade, and leave the mismanagement of the Internet to the FCC. The FCC just ruled last week VOIP to tell their customers if they provide 911 access or not after a girl died because her mom couldn't call 911 on her VOIP phone.

It wont be long before someone dies because their newly 911 enabled VOIP phone was disconnected because their machine was suspected of being a spam zombie.

Re:This is going to get someone killed.

[Fatal67]

We offer data and voip over the same circuit. I can disconnect yor internet without touching your Voip line.

If your ISP is using an Emta with only 1 ip address on it, you should be looking for a new ISP anyway.

Re:This is going to get someone killed.

[user32.ExitWindowsEx]

but what about someone with cable and vonage?

Re:This is going to get someone killed.

[Fatal67]

Well, if Vonage were to work with the actual infrastructure providers, this could be solved. I could assing voip customers, of any company, an ip out of a specified block that would pass thru filters. Instead, they prefer to just scream they are being blocked and take it to court. Their loss. And not my problem.

Re:25? Already blocked.

[barc0001]

Here's Bob. Bob is your boss at a small to mid sized company. He's not what you'd call "technical". You're the company's "tech" guy. You also do other things, but when the computers don't work, you're the go-to guy. Your company isn't that large, or that technical itself, so you host your mail with your company's ISP, PhoneCo. When Bob goes home, however, his ISP at home is CableCo. Bob is perpetually calling you either at home, or into his office because he "damn well can't send that email!" Invariably, the reason is because his account is configured to the wrong SMTP server, depending on where he his located.

Wouldn't it be nice if you could just set up his account to use the company's ISP for SMTP all the time? You used to be able to do that, until the spineless CableCo decided they were just going to blanket-block port 25, no exceptions, instead of doing traffic analysis and chopping off the offenders. But that would take work, and effort, and nobody wants to do that, so just block 25 and call it a day!

Note: Some elements of this story might be based on real experiences, which may explain the negative bias towards blanket policies of any type as bandaids.

Or...

[jd]

Use X.400 - it's a lot more powerful than SMTP, supports receipts for e-mails, is much harder for spammers to inject fake-mails, and is ruthlessly standardized.

Well, it does have the drawback that nobody uses it anymore, but that does mean you never have to worry about your mailbox being flooded AND you get an excuse on why you didn't turn up to that important meeting that was called electronically.

Re:Or...

[OnlineAlias]

Well, we *could* all get AS/400's, RS/6000's and System 38's to run x.400 on. We could use PC's to gateway all the mail to the internet. Oh wait, what protocol are we going to use for the internet?

Re:Or...

[jd]

Easy. We then revert to X.25 and use ISIS and ESES for routing.

Re:Who runs home mail servers?

[tomhudson]

BS. My ISP sold my email addy when I signed up for my account - even before I was connected, so it was too late to "opt out".

Besides, did you read the article?

"It's sometimes very difficult to tell the difference between spam coming across your network and your local charitable organization sending out its monthly newsletter," said McClure, who added that U.S. law prevents Internet providers from reading customer e-mail.

The FTC's campaign follows on earlier efforts to shut down "open relays" and other poorly configured computers that have been exploited by spammers.

So, how are they to filter this w/o reading your mail? *someone* has to verify it ... whether its your ISP or the FTC or some other 3-letter group.

Maybe its time to come up with a better RFC for handling mail - one that doesn't allow you to fake the headers, sender, etc. Then also have the ISPs issue static IP addies, so zombies can be identified properly. It's not like this is any "bells and whistles" thing.

Re:25? Already blocked.

[KenBot_314]

um, because the customer has configured outlook to work with another mail server? duh.

Bulgaria

[iive]

Very strange. I do live in Bulgaria and this is the first time I hear of this.
It is nice to have zombies blocked, but on the other side, how long it will take to abuse this power?

There is no need to block computers from internet, all that have to be done is ISP to don't forward mail if user didn't ask for it. When user ask for it then ISP will give him with username and password. (well, they already know that this is you).
Filtering 25 port for whole internet and only allowing ISP mailserver to forward mails is interesting idea.

If you totally block zombies, how are they supposed to clean themselfs. They can not connect to internet and download antivirus/updates/linux.

Re:Bulgaria

[TetryonX]

I disagree. All spammers should be blocked from the internet, but rather kicked into a really small corner of the net where they can play nice until they get cleaned up.

Blocking computers from the internet is an excellent idea, but not a complete block. Rather, do what some universities do. If you are detected doing spam/virii activities, your system gets kicked off the normal subnet that is granted full internet access, to a restricted-access subnet. In this secondary subnet you are only allowed to visit update sites, the ISP's website, and other computer fixing websites that have been whitelisted by your ISP.

Yes I know you naysayers will start to complain "WHAT ABOUT VOIP", again, if the whitelist is setup correctly, VOIP should not be affected, nor should any critical services that have been whitelisted be affected. But this does present a problem. "What should be whitelisted? Who gets to determine this?" I believe that there should be a consortium between the ISPs to determine what can and cannot be accessed in this restricted-subnet. The consortium should have it's whitelist allow all updates for any software depending on whether or not the company writing the software has requested the consortium to whitelist their address (which of course would have to be reviewed).

This is not perfect, but solutions like netsquid and others can do this relatively well. Depending on how much ISPs keep these products up to date. It will significantly remove the spamming idiots off the net, reducing everyone's overall costs (spam = wasted bandwidth, bandwidth = money) to be connected to the internet. ISPs can differentiate what services get killed when you get caught for spamming by integrating it into the connection classes (such as, VPN does not get killed if a business-class spammer gets detected).

Rochester Institute of Technology, Rochester NY does this, and I've only been blocked a few times out of mere stupidity (I forget to close xwin32 for its XSet + vulnerabilities when I cannot use ssh tunneling and neglect to turn on it's ACL)...

It works. People will complain but it is their own dumb fault for not using antivirus/antispyware/firewall software. The message they should get should have instructions on how to clean their computers of the problems and places to get help if it is required.

What it is about China?

[Klivian]

What is it about all this nagging about China, Brazil et al, when the wast majority of spam still comes from the US? Not only are it sent from US based computers, zombies or otherwise. But the seller of the gods advertised are also in most cases US based.

Re:What it is about China?

[Martin+Blank]

My server has far more SMTP rejections from China than it does from the US. It may just be an exception to the rule, but there is a lot coming from the direction of East Asia.

Re:What it is about China?

[trublaha]

Yep

http://www.sophos.com/spaminfo/articles/dirtydozen 05.html

Re:25? Already blocked.

[wayne606]

Good example. None of the obvious workarounds (set up DHCP or DNS to give him different SMTP servers in different places, ssh-tunnel port 25 to the office, etc) seem workable for a PHB. So the ISP needs to have some kind of opt-out mechanism for users who are technically savvy and responsible (or have handlers who are). Maybe allow each user a maximum number of port-25 connections per minute?

A better solution would be to separate out the ports used by MUA-MTA and MTA-MTA connections. This would stop the zombies from pretending to be an MTA while still allowing you your choice of MTA's from your MUA.

Stupid policy.

[Erris]

Closing port 25 is pointless because the owners of the botnet already know to use the ISP's SMTP server, just like the victim does, to send mail. You won't really stop the spam or DDoS this way, you will just stop normal users from doing something that's easy and useful.

There's nothing difficult about running a mail server. Exim comes with debian and has reasonable default values set in a script that tells you what it's doing. It's no harder to run than it is to use a GUI client. There are many advantages to it as well, such as custom mail addresses for registrations and other junk.

Reducing redundancy is bad for national security. In the end, it's much easier to DDoS email by targeting two broadband providers than it is to target thousands of individual users with a clue. The setback will be temporary. As email dies as a useful communication media, Jabber and others will rise in it's place.

Re:Stupid policy.

[ErikTheRed]

Closing port 25 is pointless because the owners of the botnet already know to use the ISP's SMTP server, just like the victim does, to send mail. You won't really stop the spam or DDoS this way, you will just stop normal users from doing something that's easy and useful.

Most ISPs rate-limit outbound SMTP. Some will shut down a client that appears to be spamming, and force the user to call in to reestablish service. It's important to keep in mind that the vast, vast majority of users barely know how a computer works. ISPs are more or less forced to cater to the lowest common denominator. If you don't like that, then use a geek-friendly ISP like SpeakEasy.

Re:Stupid policy.

[alienw]

Finally, someone with an ounce of sense. Or, how about this (very real) scenario? My university now publishes SPF listings. Therefore, I have to use the university (authenticated) SMTP server to send out email (to avoid getting an SPF fail for that email). However, my new ISP blocks port 25, so I can't use the university's server anymore and they cannot be bothered to port-forward some other port to the SMTP server. I have to use the ISP's mail server and risk getting my email deleted by the recipient as spam.

Re:Stupid policy.

[froody]

They could just as well rate limit all port 25 traffic. That shouldn't be much harder than forcing you to go through their server, and then limiting you there.

Tim

Re:Stupid policy.

[v1]

Most spam engines do direct sending, because if they relay through an ISP's email server, that's a single server seeing thousands of outbounds from a single IP. And since that's where the point of control is, that can be easily detected and blocked. (tho admittedly that often doesn't happen, due to stupid ISPs) If you allow outgoing through 25, then the bot can just deliver mail directly to the victims' mailservers, a random spray of IPs. Harder for the ISP on either end to detect, and very difficult for the receiving mailserver to filter out.

Though I would mind the inconvenience of getting my mailserver blocked, I am fairly sure that I could straighten that out with one phonecall. (helps to have a good ISP)

Re:Stupid policy.

[ErikTheRed]

Ummm... there's a slight (sarcasm) difference in ACL overhead involved in the routers.

Re:Stupid policy.

[alienw]

Maybe if fucktards like you could read, they wouldn't be posting stupid comments. I already said that they don't have any other ports opened.

Comment removed

[account_deleted]

Comment removed based on user account deletion

587 is the answer

[lseltzer]

Exactly, but it's all basically for naught if they don't authenticate SMTP as well.

Re:25? Already blocked.

[budgenator]

He is ISP Internet Service Provider, hosting a server with a domain name is a service, the service often includes web server, Email smtp, and pop or imap, people who are paying for the service sometimes need to send Email. When the service provider that is providing merely an internet connection email and DNS service blocks port 25, then he cannot send his Email. If your responding to a customer's billing question about your online store do you want the Email to come from customer-service@example.com or HotPatootie69@comcast.net?

Re:25? Already blocked.

[The+Cisco+Kid]

Yes, so you make sure you pick a clueful ISP that has MSA (RFC 2476) support, which uses port 587, then you set his mail client to use that, and it works fine both when hes in the office, or at home, regardless of port 25 restrictions wherever he's getting his connectivity from.

Since MSA requires him to *authenticate* (which most clients, even OE and ilk will do happily) when he connects on port 587, and the ISP only accepts *outbound* mail on that port (other ISP's wanting to delvier mail *to* your ISP still use 25) it isnt terribly attractive to spammers.

Nothing forces you to use anyone's servers

[ravenspear]

My ISP blochs port 25 outbound, forcing me to use their mail servers.

Wrong. You can use whatever mail server you want as long as you connect on a different port. Very few (if any) ISPs block 587.

When I am traveling and connected with a different ISP, I have to go into my email program's (Thunderbird) settings and change the outbound server (or not send mail).

If mobile email is important to you this is why it is an excellent idea to use an ISP independent mail server. You can get a cheap web hosting account that can do this quite easily. I have a UML linux setup with remote root access for $8/mo. I run a mailserver with SMTP auth on 587 and I can connect from anywhere in the world without a problem.

For the trivial expense the hassle this eliminates is well worth it.

Re:Nothing forces you to use anyone's servers

[ravenspear]

I should also add that if you don't want to run a mailserver yourself you can just as easily use your hosting provider's server as long as they provide an alternate port. With as many hosting providers as there currently are, finding one that allows this should not be overly difficult.

port 25, zombies, DNS cache stuffing, debris

[Senor_Programmer]

Find a buddy with a mail server and use it. Port 25? You should use port 22 to talk to your mail server from anywhere other than it's console. Seriously, if you want to tx&rx mail from wherever you are there are plenty of servers available to friends and friends of friends.

ISPs should block zombies. A simple auto-generated email aroused by traffic level and requesting an explanation should be sufficient. Blcok all except port 53and whatever the heck VOIP uses if there is no reply.

DNS cache stuffing is still a problem. Who needs an open proxy when you're a legal host?

A bounty on spammers perhaps? Outsource to Indonesia, Malaysia, Peru, Belarus, Ukraine, Pakistan, or any number of places.

Hell, my lawn guy in USA, and this is an honest to $deity(s) quote...

"Twenty dollah? TWENTY DOLLAH? I KEE a MAN FO TWENTY DOLLAH!"

Re:25? Already blocked.

[fred+fleenblat]

The problem with blocking 25 and moving to other ports is that guess what, several spammers read slashdot and they just added some extra code to their bots to check for SMTP on 80 and 3535 also, and a plain old port scan if they don't find anything right away.

Re:25? Already blocked.

[B747SP]

Invariably, the reason is because his account is configured to the wrong SMTP server, depending on where he his located.

1) Configure his mail client to speak SMTP to mailhost.domainthatIcontrol.com, and to speak DNS to dnshost.domainthatIcontrol.com.

2) Configure bind on dnshost.domainthatIcontrol.com to give different answers to the forward lookup on mailhost.domainthatIcontrol.com depending on where the request comes from.

3) Profit!!!

No problem, if done right

[PonyHome]

If they only block port 25 for dynamic IP users, they'll leave most of the small business/geekier sorts untouched (I've got 5 IPs at home, and 13 at work). I would definitely approve of this, especially if they provide an unblocking mechanism (but how do you do that reliably with a dynamic IP?)

Re:Well, how about this.

[B747SP]

I suspect the logic is, if you're sending out requests for web and email through the same port, there might be conflicts?

Why would there be conflicts? A TCP connection is defined by four things... source IP, source port, destination IP, destination port. So long as any one of those four things is different from all the other connections currently being handled by, well, anyone, then it's a unique connection and its not going to tread on any other's toes.

Getting a box to listen on port 80 for SMTP and HTTP is gonna be a little trickier, but I suspect that isn't what you're trying to do.

The time has come..

[alphax45]

To license the net. I've said this before and I honestly believe it. You can't keep virus and spyware off your machine, too bad then. No internet access for you. It's like a car, if you keep crashing it, they will take away your license because you being on the road is dangerous to others. Same with the net and your box. If you box (car) is making it hard or worse, unsafe for me to use the net (drive), guess what, you can't be on it anymore. No arguments. It's not really that hard to buy an AV program and keep it up to date. Hell most of them now update themselves. Same thing with Windows (yes I know not everyone has SP2, but is windowsupdate.microsoft.com really that hard to type in). I think most people are just unaware of the dangers their computer can cause on the net if it's not up to date. I know that when I leave home my dad is going to get rid of his; he knows that he won't be able to maintain it and can't be bothered to learn. Ok rant over.

Re:The time has come..

[trime]

These are all valid concerns. However, when you suspend my internet license, will I still be able to have the weather burned into my toast in the mornings?

Seriously though, you can achieve this sterile utopia youself. It's called a LAN which isn't connected to the internet. Connect it to your friend's LAN if you want via a (backbone-esque) router. But if you decide to let your friend connect to other networks too, you should bear in mind that searching a graph for a spammer is exponentially costly.

Re:Go ahead, block 25 (vote for mod)

[SirSlud]

Word.

Honestly, education starts with being burned. Its 2005 and we're still trying to convince people that driving without seatbelts or racing other commuters, or ... insert public safety campaign here ... is a bad idea.

It gains traction when folks who are spreading it are having their feet held to the fire.

I'm not being an elitist jerk, I'm sayin that owning a computer is as much a responsibility as any thing else in life. You own a car, you're responsible for what you do with it. If your car is blowing up regularly, you might want to seek a new manufacturer.

Not Everyone

[mdarksbane]

I run my own SMTP server on my laptop. It ignores anything not coming from localhost, so it's at least reasonable safe.

I use it because when I'm jumping onto a friend's wireless network, my ISP of course any mail I'm trying to send (since I'm outside their network), and it's impractical to reconfigure for every five minutes I want to spend sending something from a friend's system.

So I always send it myself. This obvious won't work if port 25 is blocked by default, as I'm also not going to call the ISP to spend five minutes on a connection.

I'd always got the impression that spam zombies were spending out enough bulk that the traffic should be pretty obvious and easy to identify. Why not just redirect anyone who sending that much to a support page for a virus scan, instead of interfereing with legitimate uses? If they're in one of the rare cases where they're ACTUALLY generating that much traffic on a consumer line, a quick email to tech support takes them off the monitor list.

I know I *could* just use webmail somewhere, but have you ever used that on Dialup? twenty-thirty minutes to check my email and send a single reply just isn't reasonable when i can do the same thing over the same connection in five through my real mail client.

Let me guess...

[Lord+Kano]

I'm so sick of this "Let's surrender our internet because of Microsoft" bullshit. I'm sick enough of it to burn karma by posting this crap that's going to get modded into oblivion.

You, my friend, must be a Republican.

LK

The problem with Zombie spam

[Locke2005]

They're all selling the same thing: Braaaaaaiiiiiiins!

Re:25? Already blocked.

[barc0001]

I think you missed the part about this being a smaller company where the people there probably wouldn't know how to pronounce DNS, let alone know what it does...

For you and me, this isn't a problem. Too bad 99.9999% of the world doesn't have the technical skills of you and me, yet it's a direct result of them not having these skills at least in part that the mail system is in this mess to begin with. And to think we don't let people drive cars before they can pass 2 tests...

Re:Well, how about this.

[wk633]

"But you don't have to send SMTP traffic over port 25."

The confusion is that it's not really 'over port X', but 'to port X', but I think I understand you now. You're not the ISP, but you are relaying email for customers, so they need to send you SMTP traffic. Your company runs SMTP servers on both 3535 and 80.

That bit about not web browsing at the same time is certainly wrong, but I understand having to pass on stupid info :-)

Re:Wrong way around

[jhoger]

Let me make this clear to you and any other ISPs:

Fail to route your customers packets at your peril. Period.

I already dropped Adelphia cable and went to Speakeasy when they purposely stopped routing ICMP packets. I made the decision in about 3 seconds once I found out what they had done.

There are no bad ports or protocols, just bad people and programs. You'll have to deal with the problem directly not with bandaids if you want to keep your best customers.

That said, if you are a low end provider you don't really have any "good customers" so do whatever you feel like.

-- John.

Re:Who runs home mail servers?

[benjamindees]

U.S. law prevents Internet providers from reading customer e-mail.

This is wrong, wrong, wrong. Despite what the law says, the Supreme Court has said that ISPs *can* read your mail, because it's a "store-and-forward" service.

Using port 25 directly, which is not stored, is the only e-mail that's still illegal to snoop. Unfortunately, if this passes and ISP's block port 25, that won't make a bit of difference. Americans should then *expect* their ISP to routinely read mail that goes through their servers.

Re:Well, how about this.

[The+Cisco+Kid]

If more and more major ISP's block port 25 outbound for their 'consumer grade' service, there will be less and less zombie spam from those networks. As more web and mailhosts come to grips with this (most already have, to be honest), they will ensure that they support MSA (RFC 2476), and those users that need to travel between connectivity providers will be setup to use it (only once, as it will also work when on onces 'home' network, no need to switch back and forth).

Mail that servers send to other servers, will still go via port 25, and in addition to other spam control measures, server admins wont have to deal with as many zombied wincrap boxes on $cableco or $telco/dsl networks.

Spammers can't use MSA to deliver mail to recipients, as 1. it requires authentication, and 2. it should be setup to only accept mail for outbound relay from authenticated users. Yes, there will be some cases of spammers hijacking MS email software, and using its saved passwords to send mail as that user through that users mail server, but that will be far easier to track down and squelch than the current situation of spam coming randomly from all over.

More comprehensive info at:

http://www.circleid.com/article/1039_0_1_0_C/

Re:25? Already blocked.

[wayne606]

Obviously an ISP would not block all port 25 traffic, only traffic to SMTP servers outside the ISP's control. Normally you would point your MUA's SMTP server to mail.myisp.com or whatever and have no problems.

Port 25 suggestion..

[LordZardoz]

The reccomendation that Port 25 be blocked except for the ISP's own mail servers sounds like it will work. However, for the tinfoil hat crowd and hardcore geek types, this can be a problem.

Why not force a liscencing scheme on it? For a nominal fee and/or some paperwork, you could force a paper trail leading to a meatbag human. For those that want to own their own mail server for technical reasons, this would not be a problem. But for spammer types, it would pretty much kill them.

Of course, you end up with the tinfoil body suit crowd who are paranoid enough to not want anyone to connect their e-mails to them. Forgetting for a moment that by having an internet account they already have a paper trail pointing at them, no body likes those people anyway. Therefore, them being unhappy should be a non-issue.

END COMMUNICATION

Re:Port 25 suggestion..

[dbc]

Frankly, good suggestion. In fact, history is repeating itself.

In the early days of wireless, there was no licensing. It was OK for a while, but as wireless caught on, ship-to-shore, press wireless, and hams all started clobbering each other. The commerce department started issuing licenses, and setting aside frequencies. Eventually, the FCC was formed.

Something akin to a ham license for running a mail server makes sense to me. Kids as young as 7 get ham licenses. I had one at 14. I don't see a license with written exam and paper trail to be any burden to anyone with half a clue about configuring sendmail.

Re:Port 25 suggestion..

[NerveGas]

However, for the tinfoil hat crowd and hardcore geek types, this can be a problem.

I'm not so sure that it is. Most of the folks that I know who are running a mail server on their DSL or cable line really aren't all that qualified to be running a mail server - despite the fact that they always, always, always think that they are.

Yes, I've run across a few that are qualified, but they're vastly in the minority. As much as I'd love to run my own mail server at home, I just don't do it. Enough of my mail would be blocked anyway just because it's coming from a cable network.

As to blocking mail coming from a cable network, I don't blame people, either. I do it all the time on my mail servers. If I block mail coming from cable modems (NOT the cable company's mail servers, but the modem pools themselves), I block at least 20,000,000 pieces of spam for every one legitimate message that I lose. No, those numbers are not exagerations.

steve

Re:25? Already blocked.

[The+Cisco+Kid]

The 'better solution' you pine for has already existed for 7 years in RFC 2476, circa 1998. Hopefully more and more DSL/cableco's blocking of port 25 outbound will eventually lead to near-universal implementation of it.

http://www.ietf.org/rfc/rfc2476.txt

Not the worst solution..

[Fatal67]

But there are better ones. I have just shy of 2 million broadband users on my network. Every day I have many customers who are detected as being infected. Automagically they are placed in a walled garden where the only page they can load tells them what is happening. Basically it tells them that they have been compromised. If we can determine the virus/trojan they are running, we give them a link to a locally stored method of corrrecting the problem. I have never received a complaint about it, but I have received hundreds of calls saying thank you.

I do have to question the FCC's thinking though. Most people who get infected are not of a technical nature. If you disconnect them from the net, they are at a loss of how to fix the issue. Obviously they don't have uptodate protection on their machine. if they go out and buy a brand new copy of whatever virus software, it will need to download the latest definitions, which they can;t do because you shut them off.

It reminds me of the mid 90's where if your ds3 to one of the 6 or so backbones went down they would send you an email to notify you. Or sending them a letter telling them you shut their phone off and telling to call you to get it turned back on.

Re:Not the worst solution..

[Tom]

Every day I have many customers who are detected as being infected. Automagically they are placed in a walled garden where the only page they can load tells them what is happening.

Now that's something I wanted to push in my company for years. We have about half a million users, all broadband.

Can you tell me what technology you use for this? If it is fairly easy and not too expensive to set up, I'd like to adopt it.

Re:Not the worst solution..

[Tim+C]

Actually, although I've not read the article, personally your description of what you do (divert all traffic to a set page) meets my definition of "disconnected from the net".

The user's PC can still connect to a small area of the ISP's network, but not to The Internet - surely that counts? (It's also a far better solution than just killing their connection completely, as you say)

Re:Well, how about this.

[complete+loony]

Well actualy, you could do it, SMTP requires the client to wait for a 2xx response. HTTP requires the client so send a request. So on accepting a connection, wait for a bit then send the 2xx.

Re:25? Already blocked.

[Stardate]

A nice solution is to set up a VPN for the company (the Windows built-in PPTP client works fine with Windows' built-in PPTP server, if that's all that matters), and then he can use the internal IP of the mail server everywhere, along with getting access to his files, internal websites, etc. I hate the port-blocking too.

User on the Road port 25 blocked? Tunnel over SSH

[kjh1]

My users are constantly travelling and plugging into God knows whose networks, and then calling me up and telling me they that our mail server is dead b/c they can't send e-mail. Why they always blame the local IT group first is beyond me... But anyway, it was invariably b/c port 25 was blocked.

Our solution was to create a recipe that they could follow to tunnel their SMTP connection over SSH to our SMTP server. Even your pointy-haired boss can follow it. Include screenshots and make sure to include copious amounts of blame on the hotel network and spammers.

If you're using Windows, you can use PuTTY and set up the forwarding tunnel beforehand too.

GRR. My ISP blocks SMTP outbound.

[sgauss]

Sucks, because I used to use my laptop at home and at the job site, and didn't want to have to muck with my email profiles continually. I decided it was easier to VPN into the job site.

Re:Who runs home mail servers?

[tomhudson]

The next step I can see is spammers sending out tons of pgp/gpg-encrypted email ... along with a key in another email, making it look like its from a friend/whoever.

Dear S. Ucker:

Hi. My hard disk crashed, so I had to make a new public/private key pair. They're attached. Hope you didn't try to decrypt the paper I sent you with the old one - it won't work.

Thanks

A. S. Pammer

You can't solve a social problem (spam, drug abuse, etc) through legislation or technology - only education.

Blocking ports 1-65535 TCP/UDP

[Polarism]

Will fix all of these problems.

=)

Re:Blocking ports 1-65535 TCP/UDP

[Harry+Balls]

Not really, there still would be a covert channel via ICMP.
Better block ICMP as well. :-)

Re:Blocking ports 1-65535 TCP/UDP

[NerveGas]

... but you'd still be open to all sorts of ICMP mischief. =)

steve

Re:Blocking ports 1-65535 TCP/UDP

[MavEtJu]

Better block ethernet types 0x0800 to get rid of the internet protocol thing!

Re:Blocking ports 1-65535 TCP/UDP

[vidarh]

That's why we have Ping Tunnel "For those times when everything else is blocked."...

See, there are always some hacker far ahead of ideas like that :)

Blocking chinese language encoding is even better.

[bani]

How about this list of IPs originating spam in chinese? I dont read chinese and dont read BIG5 or GB2312 or EUC-TW. Any emails with chinese language encoding are summarily rejected by my filters:

[211.100.226.52], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[211.100.226.6], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[211.139.61.110], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[211.162.182.2], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[211.162.233.3], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[211.162.249.133], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[211.162.30.114], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.11.75.123], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.13.89.58], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.17.238.163], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.17.82.102], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.18.212.221], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.18.74.226], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.18.86.27], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.19.96.234], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.20.58.103], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.2.199.251], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.4.247.80], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.71.165.253], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.71.205.30], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[218.71.222.187], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[61.144.184.8], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[61.149.100.140], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[61.149.102.114], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[61.149.102.135], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[61.149.103.11], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[61.149.131.87], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[61.149.134.110], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[61.149.153.81], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[61.149.178.5], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[61.149.204.30], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[61.149.206.7], reject=554 5.7.1 thank you for your support of falun gong/free tibet now/free and democratic china.
[61.149.55.188], reject=554 5.7.1 thank

Re:25? Already blocked.

[ockegheim]

And I thought that my ISP's SMPT server was the only one that worked. It's not a problem for me because I have a desktop computer and use webmail away from home.

I've noticed my friends with laptops duly switching SMPT servers depending on their location. I'll have to tell them to try port 3535

Seller of the Gods!

[plover]

Fear Me, Fear Me!

I am Zeus, Seller of the Gods.

Opening bids up for Narcissus. He's in beautiful shape! Any takers for Narcissus? (Sorry, sir, but you cannot bid on yourself.)

What am I bid for this muse, Apollo? Anyone care to bid on Apollo? Slightly used, I'm letting him go for a paean.

We've got goddesses, too! Aphrodite is going fast! She always goes fast!

Oh, you meant "seller of the goods"? Never mind.

Re:Seller of the Gods!

[Klivian]

I'm going to bow deeply to show my respect, once I'm finished laughing...

Re:Wrong way around

[Antique+Geekmeister]

Unfortunately, email is often forwarded or passed along by innocent SMTP servers, and decoding the forwarding or the original source is a nightmare to do. The source ISP has already demonstrated their incompetence at preventing the spam or the email worm: there's no hint that slapping the innocent intermediate carriers will help the situation. For now, use SPF. Let the ISP's themselves define what hosts are allowed to send email from those hosts, or protending to be from those domains. It doesn't block the forged "From:" lines, but blocks the forged "MAIL FROM" lines to prevent faking mail from other people, which has been a big problem for spam filters and for email worm filters. This requires filtering to occur at the first point of injecting the SMTP message, but it's very helpful for blocking forged email. Add a strong negative spam score for any mail whose "From:" data doesn't match its "MAIL FROM" data, and you have a very powerful filter that's easy to implement.

Worsening spam tactics wrt mail headers

[MavEtJu]

I've gone through a couple of bounces on your mail server and saw that the spammers had added a couple of lines to their emails, making it look like my mail server was actually the one who originated it locally:

Received: from (root@localhost)
by mail3.barnet.com.au (8.12.8/8.12.8/Submit) id 1GaCy2wErDj5Ks
for <fromms@midcoast.com.au>; Mon, 23 May 2005 14:41:04 -0700

Kind of sucks because the untrained eye will point the finger at me now!

See http://weblog.barnet.com.au/edwin/000100.html for a full write up.

Don't mess with China

[CatOne]

You see how they laid the smack down on 24 last night?

They're badasses. Better not mess with them. Yeesh.

Block port 25?

[vought]

There's also a recommendation likely to raise the ire of the geekier sorts: that ISPs only permit users to send mail through their own servers (presumably by blocking port 25 outbound).

Waitaminit. Would that mean that I could no longer use my mail client with my (insert name of mail provider that is not my internet provider here) e-mail account?

Let Comcast try that. They'll be wondering what happened to the revenue-generating cable splitter boxes at our apartment complex. You know - the ones that are unlocked.

Re:Freedom is taken a little at a time.

[NerveGas]

You're confusing constitutionally-guaranteed rights with priveliges.

You have the right to be free from unreasonable search and seizure.

You do NOT have the right to do whatever you want with my private property. My mail server is my private property.

If you argue that, then I should be free to walk over to your house and use your car whenever you're not, because as long as I fill it up with gas, no damage has been done to you.

steve

How about blocking port 40?

[Urusai]

It seems many Trojans are installed via this port.

FTC Does NOT Recommend Blocking SMTP / Port 25

[jonathanbearak]

The article is quite vague. But I really think that Reuters is misunderstanding the details here and creating this inclarity. The FTC is not so stupid as to block port 25.

I immediately went to ftc.gov.
Here is a link to their actual press release:
http://ftc.gov/opa/2005/05/zombies.htm

They have a more detailed website at:
http://www.ftc.gov/bcp/conline/edcams/spam/zombie/ index.htm

This site appears to be geared for the people who actually understand what's going on. The very first bullet point on the site states very clearly:
"block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers."

In other words, under their proposal, can still send emails so long as we are authenticating to an SMTP server.

We can use our College email, our Google, Yahoo, etc. accounts.

This is how I interpret their idea:
- You want to send email? Connect to an SMTP server and log on.
- Incoming traffic is not interfered with.
- If you send SMTP traffic directly from your computer to someone else's computer, this is blocked.

I'm not sure exactly how one would implement this because one cannot know every "legitimate" mail server. Further, ISP's will not (should not) be scanning all of our SMTP packets to see what kind of traffic is coming from our computers. The easiest solution is something already in place, although it annoys me. I can still send SMTP from my computer (RoadRunner ISP, New York City) but if I send to an AOL user, for example, I get a reply back from AOL explaining that AOL will not accept emails from a Residential IP address. This is irritating, but it's no bother. Simply have all the ISP's say, these IP blocks are for our residential customers --- if you get email from them, it's probably a spam zombie, so you may wish to block such SMTP traffic if it becomes a bother.

I'm not proposing anything, just trying to piece together what the FTC is actually saying. Trust me, they're not so clueless; it's usually the papers, especially in these generic wire reports, that mess up the details.

The FTC is most certainly _not_ recommending that all port 25 traffic is blocked; they are not limiting anyone to their ISP's mail servers.How would the FTC people log in to their own FTC email from their homes? They'd have the same issues we'd have.

Anyway, since I *never* use my ISP mail server (mostly because Google is faster, has more storage, and is easier to access when I don't feel like carrying my laptop around; and because for professional stuff I tell people to contact me @honorscollege.cuny.edu (even though I SMTP back through Google).

Though less technical, I'm sure, most professional people require such a setup. Think things through. I see so many posts regarding outright and absolute SMTP / Port 25 blocking. That's too ridiculous to believe. Indeed, it's not even close to what the FTC actually says, as I cite above.

Read their site if you still have your doubts. Let it be said, however, that the government is not as stupid as some would like to believe.

Home users should NOT be blocked.

[WindBourne]

Look, there is no amount of servers that exists on this planet that can survive all the spam. So the only way to survive large amounts of spam is to distribute the servers; everybody should have there own server.

The real problem is the weak security on Windows. If an ISP really wanted to stop spam, they should examine 25 and then block the system that is transmitting above a certain level for a certain length of time (or simply slow them waaaaayyy down).

Maybe Longhorn will finally have real security.

Or how about port 80?

[Urusai]

My previous post makes more sense that way.

The same could be said about telephone

[b00m3rang]

service in it's infancy. Telephone's not a perfect mechanism for emergency communications, why not just cut the telephone lines of everyone who gets infected? They shouldn't be betting on the telephone company's reliability in an emergency anyway, right?

Re:The same could be said about telephone

[winkydink]

I must have skipped the chapter in early phone history where telemarketers would call at all hours of the day and night.

Emergency services infrastructure was very different in the infancy of the telephone and it wasn't displacing a more reliable method of summoning for help, unless you lived next door to the Policeman/Firefighter/Doctor and they could hear you when you screamed at the top of your lungs.

cut 'em off completely -- please!

[eh2o]

spam zombies are only the first sign of trouble. next comes ssh zombies, DoS zombies, keystroke loggers/phishers, ransom-for-data lockouts, etc. not only are they a general nusiance but the owners need some sort of painfully obvious notification that they have been 0wned.

Re:Anyone got bandwidth for new venture?

[bill_kress]

Too many steps. 3 is always profit!!!

What I'm wondering is,

[pocketfullofshells]

Why the fuck is the FTC doing this instead of the FCC?

of DSL and blacklists

[v1]

I run a mailserver for my friends and family, and it's relay is authtenticated, to keep out the spammers. I've found my mailserver on more than one blacklist in the past, but so far it's been a case of a misconfiguration on MY part (no reverse DNS, oopsie!) and another for being in a DSL pool. (business class DSL mind you, a block of static IPs) Got off the lists easily enough, haven't had any problems since. The blacklist system seems to work well.

Re:of DSL and blacklists

[Trinition]

Got off the lists easily enough

How did you get off those lists?

I have trouble sending e-mail from my consumer DSL (not business DSL) to many RoadRunner cable customers. After digging through their poorly organized auto-responses and subsequent URLs, it seems I was in a range of IPs they didn't consider worthy of sending e-mail. Of course, when I followed the perscribed course of action to contact actual humans several times, I got no responses.

Instead, I just set my local SMTP server to route everything through my ISPs SMTP server. Problem solved, but I'm still irked.

Re:Anyone got bandwidth for new venture?

[dafunn]

Hmm... sounds similar to this business plan I'm holding...

Thunderbird without port 25?

[dpilot]

...
2: At the OS level, block port 25 for all mailers except your own.
3: Profit!!!

Re:Anyone got bandwidth for new venture?

[conteXXt]

ooops.

I guess I should have got the capital before I gave the idea up to any slashdotter worth his/her weight in OpenVPN source.

Oh well, on to the next idea.

Re:Wrong way around

[DA-MAN]

There are no bad ports or protocols, just bad people and programs.

Then what is the Evil Bit for?

Re:25? Already blocked.

[T-Ranger]

Well, actually, MSA does not require authentication. The MSA RFC can be sumerized as "SMTP with the right to less strict rules (missing headers) and more strict policy (site specific)". There are only two MUST clauses in MSA:

4.2. Ensure All Domains are Fully-Qualified
The MSA MUST ensure that all domains in the envelope are fully- qualified.

If the MSA examines or alters the message text in way, except to add trace header fields [SMTP-MTA], it MUST ensure that all domains in address header fields are fully-qualified.
--snip--
8.1. Add 'Sender'

The MSA MAY add or replace the 'Sender' field, if the identity of the sender is known and this is not given in the 'From' field.

The MSA MUST ensure that any address it places in a 'Sender' field is in fact a valid mail address.

And the second one is conditional if you decide to add a Sender field, which is optional.
A reasonable mailserver can enforce varrying policy on: existance of authentication, source IP address. The only reason to run a "MSA" server is if you have a network clients who expect to talk to MSA.. So far as I know, none exist, and assume they are talking to a straigh-ESMTP system, generating themselves the headers which MSA MAY add.

Re:Go ahead, block 25 (vote for mod)

[rtb61]

Thing to remember of course there is not a manaufacturer out their making claims about a car that can be driven at any speed and is always safe and can't be broken into and never crashes, when in fact the exact opposite is true and a lot of the major faults were done on purpose.

Penalising the end user for ignorance as a result of a manufacturer's marketing programme where greed for profits exceeds any moral resposibility for the damage the program producs, is a little harsh. Disconnect the end user and provide them with help to fix their system and prevent it from happening again and fine the manufacturer of the software, perhaps that will finally get Microsoft to really do something about security rather than just use it as another marketing scheme.

I'm glad you are happy.

[Erris]

My ISP doesn't block 25 outgoing but a few spam blacklists have my IP range on their "DSL/Cable/Dialup" listings so I send mail from my internal server through the ISP. The result? No more "You're on a dynamic IP" bounce messages.

Problem: Your friends have dickhead ISPs that bounce your mail back instead of sending it to them.

Grub Solution: Have a dickhead ISP for yourself that blocks all of your mail so none of your friends get it unless you use their Carnivored SMTP spam server. Sweet!

Re:I'm glad you are happy.

[grub]

It's not just ISPs that bounce mail from (semi-)dynamic IP addresses. Many companies uses various blacklists which have those IPs listed (I use one myself). It's not ideal to go through the ISPs mail server but it works well enough. As to "Carnivored SMTP": that's retarded. Plaintext mail gets sifted through regardless of source.

(Didn't realize I was on your foes list, thanks! :P )

Re:I'm glad you are happy.

[grub]

arg. I should clarify things... I'm not saying bouncing through the ISPs mail server is ideal, it isn't; but it's a shitty solution to an even shitter Microsoft problem (zombies, spam relays, etc)

Dumb and Dumber.

[Erris]

Most ISPs rate-limit outbound SMTP. Some will shut down a client that appears to be spamming, and force the user to call in to reestablish service.

So the spammer gets your first 100 mails a day, your friends and family get none and you end up getting cut off. AWESOME. Cutting off infected boxes is nice, but silly limits that will prevent people from running legitimate mail lists and turn them off for trying is not nice at all.

The Microsoft Solution to software that eliminates their fake Server/Client model is to coerce ISPs to eliminate service.

Re:Dumb and Dumber.

[ErikTheRed]

And your better solution is? How do you expect a home ISP to distinguish between a list and a spam server? Chances are, running a list violates the TOS anyway. They're providing bandwidth on the cheap. For 99.999% of users, this provides acceptable service while blocking a very significant quantity of spam. If you want to run a professional service over the Internet, get a business-class ISP. If you want your port 25 open, get a geek-friendly ISP.

Re:Dumb and Dumber.

[jackofallbrandnames]

You missed it completely (watching plane fly over your head). The limits just spit back a generic message that the naive user doesn't understand, only that their email doesn't work, then for some 'strange' reason, the Outbox empties. Ok, they think, it does work. They send some more, all's fine. The spammer is back at it later, fills the quota for the day and fills it again the next day. Revolving cycle.

Re:25? Already blocked.

[Skapare]

If your users can't send mail because port 25 is blocked by their ISP, then their configuration is wrong to begin with. They should be configured to relay through their ISP's smarthost mail server, or if you are providing outbound mail for them, it should be using port 587 for secure submission (and you must be doing encrypted authentication to be sure it's really them).

A simple fix?

[blanks]

Many ISP's offer a cd that you use to setup your services.

Why not have built in software (firewall) that by default blocks port 25, and port 80 (inbound) irc in/out etc, and make the customer need to specifically allow those ports if they want them open.

That way, the 99% of the customers who never use those ports will have cleaner or safer machines, while the people who do run their own servers have the ability to use them.

Re:A simple fix?

[NerveGas]

Because once the computer is infected, that can easily be disabled. There are many worms/virii/spyware/etc. that already bypass, disable, or even delete various scanners and firewalls.

It's easy to think that the firewall will protect them from being infected, but it won't protect them from things that they tell the computer to retrieve - if they go to a web page with the IE exploit du jour, then the firewall doesn't do a whole lot of good.

steve

Throttling is better

[ttul]

Rather than blocking port 25, progressive and user-friendly ISPs (does such a thing exist?) would be well served to simply throttle port 25. By exponentially dropping the available bandwidth to that port as traffic on it increases from a particular host, the zombie problem can be for the most part eliminated while not unduly penalizing legitimate senders of email.

Blocking port 25 just shifts the problem around. With port 25 blocked, zombie owners are forced to use the ISP's outgoing mail servers. If throttling is intelligently applied to all port 25 traffic on a per-host basis, the feasibility of zombie spamming drops off.

Put it this way: Which would you prefer: having one of your customers blacklisted as a result of spamming, or having ALL of your customers blacklisted as a result of your own mail servers spamming...?

The OpenBSD team is working on a transparent traffic shaping proxy that will make magic like this trivial for the pf priesthood. IMHO this is yet another reason to support that excellent project by buying a CD or T-shirt.

Re:Throttling is better

[NerveGas]

By exponentially dropping the available bandwidth to that port as traffic on it

That would mean that a single large attachment would penalize other mail traffic. A better way would be to throttle the numer of new connections which can be established.

With port 25 blocked, zombie owners are forced to use the ISP's outgoing mail servers. If throttling is intelligently applied to all port 25 traffic on a per-host basis, the feasibility of zombie spamming drops off.

No, it just means that they need to infect more machines. It's easier for them to get around limitting and throttling if they have a large number of infected hosts than if they have to pass it through a single or few servers.

The OpenBSD team is working on a transparent traffic shaping proxy that will make magic like this trivial for the pf priesthood

While it isn't exponential, you can still limit the connection rate with iptables or tcplimit without much trouble. I'm not a big BSD guy, but I would expect there would already be provision to do something similar there...

steve

Re:Throttling is better

[EvilTwinSkippy]

You can fit a lot of spam in the same bandwidth as a picture of little Junior or Juniorette. How big is a spam? 1k? 2k? How big is a photo? 45k? 450k?

I do this for a living. You don't cap the bandwidth. You cap the number of emails.

Re:Freedom is taken a little at a time.

[Kilz]

Forcing your mail to go thru my mailserver when it originates on my network is within my rights as a network operator. Please feel free to sign up with another provider that doesn;t care if you spam. Of course, then you may not be able to send mail to anyone as you will be blacklisted, but at least you'll be free!

What you fail to see is that people who are paying for high speed buisness accounts because they have a network at the house pay your company. Without income your company goes out of buisness
Spamer? Get a grip. Not everyone with a email server is a spamer. I have a right to do as I please as long as I hurt no one, and PAY the bill each month.
I do not run an open relay. I do not send spam. I pay for the internet access. I should have the right to do whatever I want. That includes sending email using my domain. You know that bill I pay someone for each year?
While not a constitutional right the idea that freedoms given away to get a little security. Are still freedoms given away. You will be no safer because someone blocks my ports. You will have taken away options. The next time someone wants to block a port it will be easy.
Whats next, blocking everything but port 80? You dont need bit torrent, thats to steal copyrighted movies. You dont need port 1412, DC++ is for trading illegel copyrighted songs. You dont need port 6667, dont use Mirc chat with a browser interface.
Nice thing about compitition. There isnt just one broadband provider. Maybe if enough people paying for the 6mbps accounts change providers and give the reason "you are restricting me" it will change thier mind.
After all if I couldnt do as I please do you think Id pay for a premuim for a high speed account?

Crap.

[Randseed]

Earthlink/Mindspring already pull this shit. They block all outgoing traffic on port 25 to all servers except their own SMTP servers which they've blessed. The catch is that then email sits on their lame SMTP server for x number of hours if it doesn't go out, instead of the immediate notification I get from my own server. Then there are problems with the mail servers of the ISP going to shit -- I don't care why.

Roadrunner, by contrast, doesn't do this. This is why I subscribe to their service now and dropped Mindspring.

Email I send goes over my LAN to my SMTP server, which then handles sending it out. 99% of the time I don't have a problem. When I do, it's usually for some shit like AOL or sending mail _to_ Earthlink or Mindspring, at which point they get a complaint email (whcih they of course ignore), and then a bunch of enraged calls from their customers (who don't understand the entire thing) saying that the ISP's email reception is broken (which it _is_). This wastes their time dealing with their enraged customers. If they don't like it, they can fix their fucking systems.

Of course, I could set a smart host to my ISP's mail server, which solves the problem, but grants me the problem I pointed out in the first paragraph.

If ISPs are going to block outgoing port 25 and effectively break the net that way, then they need to FIX THEIR FUCKING SMTP SERVERS FIRST. If they would do that, then I wouldn't give a rat's ass what the fuck they do aside from the principle of the thing.

All of this evades solving the real problem. The real solution is to filter spam using something like Spamassassin and, because that's a drain on resources, block the originating SMTP host automatically (and send an email to the technical contact) when X number of spams are received from the same IP address. When Y number of spams are received from an ISP, block that entire ISP. The IP mappings are available or, at least, could be made available. Then the ISP's resources are only tapped up to X (or Y) number of spams. This blocks zombies, but is a stopgap solution. The real solution lies with the originating ISP, which needs to map that back to an account and cut that account off. After that, the originating ISP which was used can send a bill back to the user and turn them into the FTC for violating anti-spam legislation. All this, of course, with forced banning of ISPs running zombies.

This, in turn, puts pressure on Micro$hit to fix their fucking operating system, and on users to keep their systems up to date.

Now the simplest solution? Wait for it, it's mind-numbingly simple. If you're going to block port 25, ALL ISPs should allow opening of port 25 with a no-questions-asked phone call with the understanding that if it's caught sending spam then, after a human review, the account will be cut off.

Re:Crap.

[NerveGas]

The catch is that then email sits on their lame SMTP server for x number of hours if it doesn't go out,

That sounds like it's working as designed. Depending on the error involved, mail servers are designed to either bounce it immediately, or queue it and keep trying.

If your mail server bounces email for every single transient error, you're going to bounce a very significant portion of your mail that really shouldn't be bounced.

The real solution is to filter spam using something like Spamassassin

No, the real solution is for every country to approve the death penalty for spammers, and allow extradition to any country with a warrant for them. Most anything less, and spam will continue. With filtering, they just increase the number they send by a few orders of magnitude, and they still get enough by to make a profit. Since they aren't paying for the vast majority of the resources used, then it doesn't matter to them if 99.9% of the mail gets filtered, they'll just send 1000 times more.

steve

Re:Crap.

[EvilTwinSkippy]

Get a commercial account with a real ISP if port 25 is that critical to you.

Seriously, I run an ISP out of my basement. It's not that hard. You just have to pay a bit more.

I can't stand the "I want everything, and I want it now, and I want it cheap, and I want it no questions asked" crowd.

Re:Crap.

[Antique+Geekmeister]

You want to live in my apartment building? Then you can use the front door. You want a key to the back door, so you can take deliveries for the business you run out of your apartment? Then you can pay office rates instead of apartment rates and be in the office building, not the apartment, because supporting your needs for traffic costs me as a landlord mor.

It's that simple. The building managers, or in this case the ISP's, have too much trash being dumped outside the back door by lazy tenants, so they are insistiing people use the front door. Get over it, or pay the money for a statifc IP address and opened up firewalls so you can run your own SMTP server and be held responsible for it.

Re:Crap.

[elemental23]

Earthlink/Mindspring already pull this shit. They block all outgoing traffic on port 25 to all servers except their own SMTP servers which they've blessed.

That's right, and speaking as someone who was working in Earthlink's Abuse department at the time the port 25 block was rolled out, I can tell you authoritatively that it had an enormous positive effect on the amount of spam being sent from our network. We had previously been plagued with a few high-profile (ie, top 20 or so) professional spammers who would signup a dozen or two accounts per day with stolen credit cards and spam through various open relays, usually overseas. This block shut them down cold. I don't remember the exact numbers but our spam problem decreased by probably 50%.

I applaud any ISP that introduces this policy on their own networks.

Re:Crap.

[dodobh]

Do you mind offering to process a million messages a minute for us on SA for free (we do about 1.1M, with about 91% rejection based on DNSBLs, non existent users and some other checks)? ISP blocks on port 25 would help reduce that load on our servers by about 50% or so.

You can always run your own smarthost with a static IP and submit on port 587, as a good internet user does.

Re:Crap.

[Randseed]

You can always run your own smarthose with a static IP and submit on port 587, as a good internet user does.

No, I can't. That's the point. My choices are either to deal with an ISP's screwed over mail servers, or run my own. As I said, mail is submitted over my LAN, goes to my SMTP server, and my SMTP server handles it. Submitting on port 587 does wonders if you're a guy who is trying to hand messages off to a corporate SMTP server somewhere. It does nothing for the end-point which has to submit the mail anyway. That end-point has to submit on port 25. So, again, the choice for the end-point is to deal with the ISP's broken mail servers, or do it itself. This proposal is designed to prevent that.

Re:Crap.

[dodobh]

You can always configure your mailserver to submit to your smarthost on port 587.
If you want to connect to port 25, buy business class service with a static IP and no blocked ports.

Re:25? Already blocked.

[Nintendork]

"If that doesn't work we sometimes have them use port 80, and warn them not to surf the web while sending out email because it can potentially cause errors."

This reminds me of a support call I had for NT4 Server. The client was using some D-Link NAT-enabled router at one of two sites to be connected by RRAS, using PPTP. Their router was running the latest firmware and still having issues with PPTP passthrough. Using a utility called PPTP Ping and taking a network capture at both servers, I could clearly see that the GRE protocol wasn't getting through. When I conferenced in D-Link support, their tech, tech's supervisor, and manager all were insisting that we need to "Forward port 47." They were being total jerks, saying I don't know what I'm talking about when I told them that forwarding TCP or UDP port 47 does nothing. I was trying to explain to them that what is meant is the GRE protocol, protocol number 47 as defined by IANA. GRE protocol 47 doesn't use ports, especially not port 47 for the TCP or UDP protocols. When I sent them RFC 2637, they basically said "Well, our people know what they're doing and you have to forward port 47." It was at this point that I asked if they want me to forward TCP or UDP and just did it to get them to escalate.

It's amazing how the basic understanding of the TCP/IP protocol suite can be so screwed up in well established companies.

-Lucas

Re:User on the Road port 25 blocked? Tunnel over S

[goldfndr]

Search this discussion for "587" (RFC 2476; authenticated SMTP).

While it obviously isn't as secure as tunneling over ssh, it also doesn't require as much of a recipe, and chances are you already have it available on your server side.

Re:A better solution

[Fatal67]

2 things.

As I posted previously http://it.slashdot.org/comments.pl?sid=150605&cid= 12629485 [Slashdot] my company already uses this solution.

Your EMTA (phone/network adapter) should have 2 ip's on it from 2 different subnets. I should be able to filter all of yoru internet traffic without interfering with VOIP at all, except maybe making it better by removing all the spam traffic on the upstream.

How?

[cbreaker]

I'm curious.

Re:HELP! NEED ISP THAT WILL NOT BLOCK PORTS EVER!!

speakeasy

ISP's already do this.

[cbreaker]

I have Cox cable, and thus Cox "High Speed Internet." There are no other cable providers for the State of Rhode Island.

They block inbound 25, 21, 80, 443, 53U/T, among others. But they also block outbound 25.

If you want these restrictions removed, you can pay more. But it's not a nominal fee. For the same speed, same "no guarentee" service, with only ONE static IP address, I have to use their business service at $120/mo. Versus the $30/mo I pay now.

I think if you request it, they should open the ports. But almost all consumer-class Internet service has a "no server" policy so they don't give a fuck.

Eventually I see most ISP's restricting subscribers to web browsing and known game ports. Windows vulnerabilities and crappy admins cause all of this, and it really makes one frown.

I wish I wasn't 14,000ft from the CO (not to mention the fiber run somewhere in there) so I could get DSL. I could get much better service with DSL with more options because of the competition in that area.

Do The Obvious

[rtb61]

Why can't they do the obvious. You get spam you forward it to the FTC, one they have received sufficient complaints (10 or more), they check to confirm it is spam, then notify the isp to implement remedial action.

Disconnect and where the user is also a victim assist in the repair, can be simply done with an online scan and repair (where the user refuses remedial action just disconnect them). Failure by the ISP should result in blocking of the isp's ip addresses and fines.

As for overseas operator there should be a government website which lists bad ip allowing for simplified blocking.

It is not a very good idea to attempt to change isps into some kind of private internet police force. A lot of this including protection against trojans and viruses should already be done by the government and not just ignored because of a few corrupt lobbiest's demand that oppurtunity for profit needs to be maintained at the people's expence.

Customers expect service

[btarval]

"I can't think of a better way to open peoples eyes to the threat of virii than to revoke their internet privilages"

And I can't think of a better way to drive away your customers. Remember, from their point of view, the ISP isn't working; and there are plenty of others that will. This isn't the closed environment of a University.

As already mentioned, egress is one great solution.

Re:Wrong way around

[MightyMartian]

Have you ever sat face to face with a million attempt per day distributed dictionary attack, pouring like steaming piss out of DSL and cable providers from Spokane to Adelaide? Have you ever watched your mail server start to falter under the weight of hundreds of simultaneous connections, until even your own customers' email is getting stuck in queues for hours. If customers had the ability to even understand why these worms are such a menace to variuos networks, I'd be on your side, but unfortunately for every guy that knows how to keep his system worm-free, there are two hundred people who get infected, and are zombies being used to vomit spam and more viruses.

Have you ever got very nasty emails from the likes of AOL threatening to blacklist your network because a few customers have been shooting at them as part of a dictionary attack? You know what, it ain't that big an imposition for a user to use his ISP's mail server, or to use port 587 with SMTP Auth. But if you don't like it, go with a network that lets outbound zombie traffic spew forth. But don't come snivelling here when that network suddenly finds itself in black lists or simply just tarpitted.

Time Warner digital phone has its own IP.

[DigiShaman]

If you use the Time Warner digital phone service, we can block internet access AND leave the phone working. That's because the modem has two IP addresses. One for internet access, and the other for MTA (phone).

If your using vonage or some other 3rd party VOIP access and need 911, your fucked. Simple as that. No "ifs" ands" or "buts" about it. We are not going to pander to someone just because they have a product we don't support.

Re:Time Warner digital phone has its own IP.

[Lord+Flipper]

If you use the Time Warner digital phone service, we can block internet access AND leave the phone working. That's because the modem has two IP addresses. One for internet access, and the other for MTA (phone).

If your using vonage or some other 3rd party VOIP access and need 911, your fucked.

I use TimeWarner, with Vonage. No 911 enabled. Big deal. I would never use TM's phone over IP, it's a shitty deal compared to Vonage. So, there...oh, and "fucked"? I don't think so. Fuck you too, pal, have a nice day.

Re:Wrong way around

[jhoger]

Here's my position, do with it what you will:

An ISPs job, IMHO is to route my packets. Every packet that you don't route is a failure to do the only service that I am paying the you for.

From that angle, it's not really that complex.

I agree spam, worms, virii are all huge problems, and the solutions aren't going to be easy. I do agree 100% that ISPs should start shutting off their own users that spew spam and virus.

But blocking user's MTAs is just plain wrong.

The worst part of this type of "solution" is that it falls into the trap of a "client server" Internet. The Internet is not client server. It's peer-to-peer, by design. The content industries would love to turn the net into a huge TV-like content distribution network force feeding users their crap.

No! Every computer is a node on the network. If you want to start requiring driving tests for the info superhighway, by all means, I'll take it. Maybe it would just be easier to get rid of people on the first or second or third offense.

But my feeling is that your eventual result is more evil and certainly more insideous than the problem which you are attempting to solve. Route my packets are I'll just switch to another ISP. It's that simple. Don't head down the slippery slope of making the Internet client-server.

-- John.

Re:25? Already blocked.

[Alioth]

How will surfing the web whilst using port 80 cause errors? On any properly programmed socket interface (i.e. in every modern operating system) it will NOT cause errors at all.

Why not use port 587 which is the proper port for a MUA to submit mail on?

get a box hosted

[bug]

I think the legitimate question is "should a consumer expect full freedom to engage in potentially risky behavior from a consumer-grade ISP service?" I think the answer is, VERY unfortunately, no. If you want to have greater freedom (e.g., running your own network services, having unrestricted outbound SMTP, etc.), then you should seriously consider colocation. Paul Vixie has been nice enough to catalog many places all across the US and a few places internationally where you can get a box (or virtual vmware box) hosted for relatively cheap: Personal Co-location Registry

Re:go ahead and block it, webetter stick to webmai

[Stephen+Chadfield]

FastMail also run proxy servers that you allow to make secure IMAP or SMTP connections on any port you like. Port blocking is not an issue for FM users...

Re:25? Already blocked.

[Darren+Winsper]

A number of ISP's SMTP servers will reject your email if the FROM address isn't in a domain they control.

No

[Aldric]

But I'm not going to pay you for a connection that's crippled because you can't be bothered to really fix the problem. My home network is secure, I don't see why I have to put up with restrictions due to the antics of your brain dead Windows-using customers.

Re:No

[MightyMartian]

Alright, let's hear how you map your home network's security into an ISP? I'd love to see this.

Re:25? Already blocked.

[michaelhood]

root 8511 0.0 0.2 1252 788 p0- I 5Apr05 0:00.14 redir --lport=24 --cport=25

Problem solved. Yeah, it sucks that the ISPs are being lazy. But here's the solution we're using.
clicky for redir: http://sammy.net/~sammy/hacks/

SPF is useless when port 25 is blocked inbound.

[amorsen]

It's getting very popular around here (Denmark) for ISP's to close port 25 inbound. The way to get mail through to your server is to put your server in MX with a priority of say 10, and the ISP mail server in MX with priority of say 20. However, after mail has passed through the ISP mail servers, you cannot tell which address it came from originally, and so you cannot filter by sender.

Re:SPF is useless when port 25 is blocked inbound.

[amorsen]

That's where the ISP itself needs to use SPF on the incoming mail.

Great, so not only will they force me to receive mail through their mail servers, they will also remove some of the mail that would otherwise have gone to my server. I certainly do not want them to do that.

Re:Freedom is taken a little at a time.

[Antique+Geekmeister]

This kind of blocking is not for business accounts. Business accounts can buy static IP addresses and get a different class of firewall configuration, no problem, they are paying for that class of different service. It's for the home users, and the home users can generally use SMTP auth if they need to send through their business mail sever, no problem.

Re:Jul abg whfg rqhpngvba?

[SmileyByte]

Yes, education is the key. But governments will always find it easier to just increase control over population than to properly educate it. And it really is easier - and less time- and resource-consuming. Sad, but true.

Note that I'm *NOT* supporting this kind of decision, I'm only describing what happens in reality. I support and defend the idea that everyone should get proper and decent education.

This will be a PR disaster for Microsoft

[Burz]

...as users discover they could be zombitized because they are running Windows.

I predict Mac and Linux penetration will jump because of this. I hope these vendors do take advantage of the opportunity.

Re:This will be a PR disaster for Microsoft

[jackofallbrandnames]

Not really. Mac and Linux are used by the uninformed as well (ESPECIALLY Mac). People will use what they are comfortable with and can use at work. People know Windows can be secured, because their IT department has shown them it can be done. The spike will be in the spyware/antivirus companies that take care of smtp 25 for them.

Re:25? Already blocked.

[The+Cisco+Kid]

I would never use an MTA that didnt do 4.2 anyway, even for straight [E]SMTP (at least for any mail not originating locally. Although since I pretty much always seperate the 'unix login account' namespace from the 'mail address' namespace, so there isnt a valid way for any addresses in locally generated mail that dont already have a full address to be corrected, except to substitute postmaster@${primary_domain}

Given the specification, MSA works just fine with the client beleiving it is speaking straight-ESMTP, even with SMTP AUTH, which would certainly be recommended, if not required; since the whole point is to seperate 'the world' sending you mail and 'authorized users' sending outbound mail, and of course without authentication there wouldnt be any way to determine authorization, even if the authorization rule is 'anyone that can successfully authenticate is authorized'

I assume your reply was just a clarification, and that you dont disagree with my more general point.

And shared ips?

[dindi]

I wonder what happens with shared ips, and when people start to shut ips out not knowing how many customers/visitors/mails they loose....

Also if i have let's say 5 computers in my house, and my grandma's windows gets highjacked because she installed some "neat little thingie in the toolbar".
Now if they kill the service and my 2 kids cannot do research on the net, and I cannot work without net, I would be super upset ...

I think there should be procedures given to ISPs to do that ...

eg: free scanning software, "sniffit type" pocket monitor, that would monitor well known (zombie) traffic..... and education of users....
newsletters, warnings, rss feeds ... whatever ...

Restricting ports, and services, and shutting down services is not the way to go ...

on the other hand i am pissed of the zombie spam, and i would be extremely embarassed if any of my machines turned out to be sending crap all over.. (maybe that's why my windows box is behind 2 NATs ... one to analise traffic, one to protect the 2nd nat box :) ahm and that whole thing is behind a 3rd one that comes to my.... ....sad story: Being on a shared IP behind a crappy firewall and transparent proxy, I am in constant troubble using various (mostly mail, but everything from IM to p2p) services ...

my public ip is listed in all possible ...SBL registries, and I am a well known zombie/spammer/open relay ...

how great ..... because of spam and casinos you have problems with paypal and credit card processors ...

I thought of putting china into a strict DENY, but I am sure there are legit users that would go to my sites ....... tehn it just appears to me how much of a pain of an ass Costa Rica could be for some with the casino spam, and credit card fraud that comes from here ....
but not from me .....

ps: because local porn regulations i cannot even confortably watch pr0n .... (prostitution is legal, watching tities online is censored - OK just some very few sites)

Re:25? Already blocked.

[budgenator]

Your not getting the point, sending Email through a connection provider's SMTP, it marked with the IP address assigned by the connection providers DHCP IP pool as the orriginating address, then it's stamped with the connection provider's SMTP server. In an era increasingly aware of phishing scams, broadband zombies spewing spam and god only knows what other evils are out there in the wild, it's more important than ever that the IP address of the sending SMTP server match the IP address range for the domain name. I agree for the vast majority of users out there, routing traffic to any mailserver other than the connection providers smtp server is unnecessary, but some people absolutely need this ability for working. Connection provider's can be incredibly draconian about policy enforcement and completely clueless about the need for a variance because of specific user requirements.
I actually had a conversation that went like this

me: do you block outbound port 25 connections?
aol: sir we do not block any port at aol
me: why can't I connect to my website's SMTP server?

... after a half hour of back and fourth still talking to the same person ...

aol: yes sir we do block port 25 connections
me:ARGUHHG

I have not figured out which is more agrivately, the clue tech support and the connection provide or the clueless boss that chose them so he could IM his daughter easier.

Re:Who runs home mail servers?

[Floody]

Maybe its time to come up with a better RFC for handling mail - one that doesn't allow you to fake the headers, sender, etc. Then also have the ISPs issue static IP addies, so zombies can be identified properly. It's not like this is any "bells and whistles" thing.

Right! For that you'd need Advanced Mail Transport Protocol!

Admin will be web page, not phone support

[billstewart]

The administrative interface for that is likely to be a web page for most ISPs for most customers. So you'll get a web page that doesn't know how to figure out that the customer's really infected, as opposed to an underpaid phone tech who doesn't think to figure out that the customer's infected....

Blocklists are equivalent to Port 25 Blocking

[billstewart]

While I'm not too bothered by the "Block 25 by default, enable for customers who ask" approach, if you're an inbound-email provider, you can get the same spam protection by using blocklists as you get by forcing everybody in the world to do Port 25 blocking, and as an ISP who's considering blocking outbound Port 25, you can be just as effective by working with the blocklist providers to keep them up to date on which of your users can/can't send port 25 and not have to break the end-to-end model for your users.

Some people comment about zombies doing DDOS - blocking port 25 does keep them from attacking port 25 on their targets, but they can still do all the same Port 80, Port 53, and Port 109/110 attacks, so it's not a big difference.

Also, Port 25 really was designed to support MUAs as well as MTAs - Port 587 and its competitors are later additions for MUA-only, and saying that Port 25 wasn't is purely revisionist. And as you say, malware folks will start abusing Outlook Express if that helps them.

Re:25? Already blocked.

[wayne606]

If (1) the blocking policy is fine for the majority of clueless users, and (2) only advanced users need to unblock, then maybe they can unblock on an as-needed basis.

Besides, I can't believe that you would be able to require the IP address of the first-hop SMTP server match the DNS record for the domain in the From: line. There are so many cases where this is just not going to work ...

Doesn't the SPF proposal require you to give a list of SMTP servers that are allowed to send mail on your behalf? Wouldn't you just add your ISP's server to this list?

Re:25? Already blocked.

[budgenator]

If the first hop doesn't match, and the second hop does; then you've got an open-relay!

Re:25? Already blocked.

[wayne606]

No you don't, you just have a relay ... An open relay is one that accepts mail from anybody, whereas smtp.myisp.com should be accepting mail only from cusomers of myisp. This is exactly how all isp's work now. They do not rewrite the From: and Reply-to: lines of the messages they accept (SBC doesn't, at least).

Re:HELP! NEED ISP THAT WILL NOT BLOCK PORTS EVER!!

[iamcf13]

Thank you for recommending speakeasy.net!

Re:Well, how about this.

[petermgreen]

yeah making a server listen for both smtp and http on the same port would require using some kind of timeout. since smtp requires the server to send 220 to tell the client the connection is established.

having said that many smtp servers do an ident lookup with a fairly significant timeout before sending this greeting so mail clients should be prepared for such a timeout delay.

Re:25? Already blocked.

[dodobh]

587/tcp is the mail submission port. I recommend moving to that.

Google mail blockage

[Lotharjade]

My ISP requires you to send mail via their server and has the port blocked. This prevents me from my google acccounts sending/getting my email via SMTP. Will this create a way for us to get our google or other mail through?

How about a REAL solution?

[Math,+The+Ancient]

Block 25, 587, 26, whatever....it will fail and does exactly the opposite of its intention letting the spammers. Paying users (and yes, even the geeks are paying users...the Internet is over 65,000 ports, not 1 or those defined by a mere provider of that medium that connects to it) then become unable to use a normal standard as defined by the RFC's, not the FTC or any other form of government body.

Changing it to 587 won't work or even using 26 that uses a second server for outgoing 25. MTA's or any other service will forward what has been authorized. Because of obvious infection, authorized users are spamming without knowledge, through one port or another and only education will fix the infection.

Blacklists other than ORBS (which do educate email admins at least) do the very same thing and have created what they don't want to happen...making email useless. One is unable to get off these lists because "they don't own it". That's like saying you got a ticket for a cracked windshield on your car and you still can't drive the car because the manufacturer hasn't had all windshields...never mind that you already fixed the windshield or fixed the spamming. Now before one of you dumbasses replies with "but there's not a problem with broken windshields all over the place", well, duh-h-h. That's because the user of the car fixex the problem and they get to drive the car. A user of an IP address blacklisted should fix the spamming problem and get themselves off the list, not the "manufacturer" up three tiers of bureacratic red tape that makes it impossible.

Dialup dynamic IP's ok, sure. You can't effectively operate an email server on dialup anyway. Before, dialup was used legitimately as backup redundancy; now there are now other redundancy options and even higher need for redundant broadband rather than just a connection to the Net. Those with the desire to educate themselves and monitor their ip for spamming (DHCP for broadband is longer lasting than DHCP for dialup) should be rewarded for their diligence rather than telling them to piss off because they're "not the owner". /Flame ON
But,,,we all know spammers lie, right? You know, it sure as hell doesn't take much to get on these damm lists, but trying to get the owners of these lists (some last updated in 2001, I shit you not) that are just big mouth dumbfucks without the balls to give accurate domain registration information, hiding behind newsgroups, and repeating "you just don't know" ---BULL FUCKING SHIT---we do fucking know, you just aren't fucking listening. Get your head out of your ass and breathe before you suffocate because you're too lazy to update your shit and think it doesn't stink. All your doing with the current status quo is letting the spammers fucking win. You act like spoofed IP addresses don't exist. Then there's the pompous attitude that seems to seep out saying "if you send mail and don't know how an email server works, you're an idiot" -- of course, this doesn't apply to me or has benn relayed to me personally, but I've seen the threads. Your fucking manners suck the same ass your head is in.

This narrow minded view with blinders on that "all spammer lie, so we won't take you off" is like watching a Daffy Duck/Bugs Bunny cartoon:

SPAMHAUS and similar: Spammers lie!

User of IP address: But I'm not a spammer.

SPAMHAUS and similar: Spammers lie! Yes you are.

User of IP address: But I fixed it.

SPAMHAUS and similar: Spammers lie! You couldn't

Spammer: I'm a spammer

SPAMHAUS and similar: Spammers lie! No you're not.

Result: Spammers get off the list and users don't /Flame OFF

Alas, even "detecting" infected spammers/users may not be enough as it becomes more difficult. The real spammers have already begun to learn to dole the evil messages out in a metered fashion, sending them out only when the user does to make it look like normal traffic. I recall a recent experience where one of my users was the