Slashdot Mirror


Verizon.net Finally Moving Email To Port 587

The Washington Post's Security Fix blog is reporting that Verizon, long identified as the largest ISP source of spam, is moving to require use of the submission port, 587, in outbound mail — and thus to require authentication. While spammers may still be able to relay spam through zombies in Verizon's network, if the victims let their mail clients remember their authentication credentials, at least the zombies will be easily identifiable. Verizon pledges to clean up their zombie problem quickly. We'll see.

195 comments

  1. try PRQ.se by Anonymous Coward · · Score: 2, Informative

    I've been routing my traffic thru their traffic for a few years now, they're not limiting anyone and keep great privacy. What I heard, their tunnel service will be open for new customers in a few days again so now is a great time.

    1. Re:try PRQ.se by flycream · · Score: 1

      I must agree here. It's an ISP that has the same background guys as The Pirate Bay and they really respect your privacy and freedom to say what you want. I know it's mostly to route server traffic, but it makes great use in your personal stuff as well.

  2. Opportunity by soundguy · · Score: 2

    Sounds like a great opportunity to charge millions of clueless users $50 to change the setting for them. I see a Vegas vacation on my event horizon.

    --
    Nothing worthwhile ever happens before noon
    1. Re:Opportunity by bn-7bc · · Score: 0

      I see a Vegas vacation on my event horizon.

      Hmm, I hope you are not talking about this kind of event horizon lol. A Vegas vacation is a nice thing, I just hope they don't tempt you to gamble away all your hard-earned money.

      Have a nice day

    2. Re:Opportunity by charliebear · · Score: 1

      Clueless users use webmail

  3. Finally, Verizon, Finally!! by Smidge207 · · Score: 5, Interesting

    I found out I was a spammer when I investigated a message returned to me. I ended up talking with someone from SORBS. After emailing SORBS a couple of times, I received this message from Michelle Sullivan: "SORBS lists IP addresses that send spam. Often there is real email mixed with the spam, sometimes deliberately, sometimes accidentally. In this case you are using an IP address to send your email that has previously, and is still, sending spam. The IP address is blocked. I'd contact your provider and complain bitterly about it, because it's the provider that is listed, not you specifically."

    I send out a newsletter with about 250 subscribers. After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages. I rarely approach 200 messages and the newsletter is a monthly. Verizon told me I couldn't even send the newsletter in one blast; I had to limit it to 100 subscribers an hour! And in late Fall 2008, some providers, like MS, would reject my mail simply because it had @Verizon.net in the senderâ(TM)s address. I knew I wasn't sending out large amounts of email, let alone spam.

    Within those imposed limits, Verizon still could not bring its huge entity to investigate my complaint. In late December, we switch to Constant Contact to email the newsletter. While my boss uses Cox since he works mostly from home, the office is still "connected" with Verizon!

    Boy, I hate Verizon! Now, maybe they will kill the Zombies from all those dead zones they claim not to have!

    =smidge=

    --
    Is it just my observation, or is eldavojohn an idiot?
    1. Re:Finally, Verizon, Finally!! by Jurily · · Score: 4, Funny

      I send out a newsletter with about 250 subscribers per zombie.

    2. Re:Finally, Verizon, Finally!! by ILikeRed · · Score: 2, Interesting
      Guess what, unless you were careful to
      • Include the correct Header info (You did mark your messages "Bulk" - right?)
      • Provide an automated opt-out method
      • and... Included your valid physical postal address

      then guess what, you not only are a spammer, but you probably also broke the law.

      --
      I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
    3. Re:Finally, Verizon, Finally!! by nabsltd · · Score: 4, Informative

      I send out a newsletter with about 250 subscribers. After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages.

      Verizon Business accounts assume that you will probably be running a business, and have your own domain.

      If you do things this more professional way, there are no limits with Verizon DSL or FiOS (other than the speed you pay for being a "limit").

    4. Re:Finally, Verizon, Finally!! by Obfuscant · · Score: 1
      @Verizon.net in the senderâ(TM)s address.

      There's a problem with your posting. What is trademarked about whatever it is you are referring to?

      In late December, we switch to Constant Contact to email the newsletter.

      Oh, that's rich. Complain about being branded a spammer, and then hire a professional spammer to send your email for you.

      I have never been able to get off a "constant contact" email list once some idiot gave them my address. Never. They take their responsibility (constant contact) quite literally. I now simply route all email that has a "constant contact" in the headers to the wastebasket. That includes an email newsletter that one department in the college has chosen to hire Constant Spammers to send, even though we have professionally maintained in-college mailing lists just for such purposes and pay people to maintain them.

      Good luck keeping your customers once they find out you have given their email addresses to a spammer.

    5. Re:Finally, Verizon, Finally!! by Anonymous Coward · · Score: 2, Informative
      Since he is sending out a news letter to subscribers, I imagine the following in the page you referenced applies:

      A "transactional or relationship message" — email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship — may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act.

    6. Re:Finally, Verizon, Finally!! by GoodNicksAreTaken · · Score: 4, Informative

      IANAL, Yet.
      Guess what, "The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email"
      Parent did not specify that it was commercial email and "newsletter" indicates that it likely is not. Even if they were of a commercial nature they would likely be exempted under the CAN-SPAM act as they would qualify as "relationship" messages.

    7. Re:Finally, Verizon, Finally!! by PuddleBoy · · Score: 2, Informative
      In late December, we switch to Constant Contact to email the newsletter.

      A number of admins I know block all email originating from Constant Contact as UCE. That's the problem with a lot of 'email marketing firms' - they take legit users along with spammers or quasi-spammers. Unless you decide to truly take control of your email by operating your own mail server, you run the risk of getting caught using an entity that gets blocked for their other clients' activities.

    8. Re:Finally, Verizon, Finally!! by Stiletto · · Score: 1, Flamebait

      From the parent's posting:

      After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages.

      Sounds like commercial mail to me. Sounds like SPAM.

    9. Re:Finally, Verizon, Finally!! by Anonymous Coward · · Score: 0

      If Verizon weren't ignoring all spam reports at least since early 2000th', they wouldn't have the spam problem. I firewall Verizon for years after being fed up with the constant abuse coming from them, and them trying to block those who report it, instead of their own abusers:

      http://www.dolphinwave.org/spam/Verizon/Verizon.txt

    10. Re:Finally, Verizon, Finally!! by Anonymous Coward · · Score: 1, Insightful

      From the parent's posting:

      After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages.

      Sounds like commercial mail to me. Sounds like SPAM.

      Nothing is wrong with commercial newsletters when the recipients are your customers and have explicitly stated that they want to receive it.
      And 250 Mails is actually a pretty low number.

    11. Re:Finally, Verizon, Finally!! by Anonymous Coward · · Score: 0

      Destroying the header usually kills the zombie.

    12. Re:Finally, Verizon, Finally!! by mi · · Score: 1

      even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages. I rarely approach 200 messages and the newsletter is a monthly. Verizon told me I couldn't even send the newsletter in one blast; I had to limit it to 100 subscribers an hour!

      I'm in the same situation — I run a mailing list with about 60 subscribers. Normally, things are just fine, but when a discussion springs up, the 100/hour limit is easily hit. The particularly dumb bug on Verizon's part is that their rate-limiting begins rejecting the over-quota e-mails with final 5xx messages, instead of the temporary-failure 4xx something.

      I wouldn't be minding the rate-limit as much, had the messages just sat in the queue waiting for the next hour. But, as Verizon has implemented this, the messages get rejected instead.

      I really do despise these idiots, but they are the only company willing to provide DSL (however low-speed) at this particular neck of the hills...

      --
      In Soviet Washington the swamp drains you.
    13. Re:Finally, Verizon, Finally!! by Conficio · · Score: 1

      You are not a Verizon customer, are you?

      Because, Verizon does not care what the e-mail claims to come from. It rate limits no questions asked. And Verizon does not tell you what the limit is.

      And I don't see where it is stated, that a person can't communicate with a couple of hundred persons per e-mail, or a couple of thousands for that matter? Ever done a new baby announcement?

      --
      Busy helping non technical users of OpenOffice.org - http://plan-b-for-openoffice.org/
    14. Re:Finally, Verizon, Finally!! by Anonymous Coward · · Score: 0

      SORBS are a bunch of dicks anyway. We recently acquired a new netblock, allocated by ARIN, which had been out of use for 3 years. The block happened to be on SORBS list.

      When we explained to them what was up (we just got the netblock, how the hell are you finding any malicious activity from us, etc etc), they just said tough, pay the fine, and get off the blacklist.

      Given the way they run things, I can't seriously use SORBS as an RBL anymore, I think they'll generate way too many false positives.

    15. Re:Finally, Verizon, Finally!! by goldspider · · Score: 1

      I actually ran into a MAJOR problem with this limitation for a user with a legitimate need to send such a volume of e-mail. I had to eventually move her back to freaking AOL because she couldn't send out her newsletter through Verizon.

      Granted, there are probably multiple tools such as Google groups that could ultimately accomplish this much better, but many users are, shall we say, resistant to change.

      --
      "Ask not what your country can do for you." --John F. Kennedy
  4. What's this "finally" shit? by the+unbeliever · · Score: 4, Informative

    You can set up port 25 SMTP to require authentication for relay purposes, without having to configure end user's machines for another port.

    1. Re:What's this "finally" shit? by value_added · · Score: 2, Insightful

      You can set up port 25 SMTP to require authentication for relay purposes, without having to configure end user's machines for another port.

      More broadly, authentication can be configured for port 25, port 587, or not at all. Typically, the submission port requires authentication.

      As for the article, this factoid is amusing:

      Spamhaus currently includes 225,454 U.S. based Internet addresses on its CBL. Of those, nearly one-quarter -- almost 56,000 -- are assigned to Verizon.net. Comcast, which according to Spamhaus is home to the next-largest concentration of malicious hosts among U.S. ISPs, has fewer than half as many listings.

    2. Re:What's this "finally" shit? by erroneus · · Score: 4, Interesting

      This implies that they are blocking all outbound port 25 requests. All ISPs in Japan that I am aware of have been doing this for a long time. The problem is that if you have a 3rd party email service provider, you can no longer send email through them because port 25 will be blocked and if the other party offers the alternative port as well, it is still often blocked.

      Still, for MOST people, this is a good plan. I just think that users should be informed of this change, informed why it is a good idea for MOST people and to give them an option to "opt out" of the restriction in some way if the restriction is not compatible with their current needs.

    3. Re:What's this "finally" shit? by Artraze · · Score: 1

      > This implies that they are blocking all outbound port 25 requests.

      It doesn't imply that at all. Now they do that in the future, but there's absolutely no logical reason to do so now. After all, they'll have enough complaints on their hands with just this transition, let alone blocking all other (possibly unauthenticated) outgoing mail too.

      No, port 587 is simply where authenticated SMTP usually goes, and so that's the port they're using. It also helps that most mail clients automagically link 587 and authentication, so the changes are easier for the end user.

      Finally, I would point out, there's not a whole lot of difference between blacklisting port 25 and blacklisting port 25 on non-Verizon servers. So if they were going to block it, they could've done it even before now.

    4. Re:What's this "finally" shit? by Anonymous Coward · · Score: 0

      My 3rd party mail provider allows use on ports 25, 465, 587, 8025, and 2525. So far, I've never had a problem using 465 anywhere I go, but I have the option of using VPN tunneling back home also if I ever need to...

    5. Re:What's this "finally" shit? by Anonymous Coward · · Score: 0

      Cox has been doing this for years in AZ. You can't send outbound unless you connect to their servers.

    6. Re:What's this "finally" shit? by gurps_npc · · Score: 1

      Correct for most people this is a good plan. For spammers it is not. They will of course opt out of the restriction.

      --
      excitingthingstodo.blogspot.com
    7. Re:What's this "finally" shit? by The+Great+Pretender · · Score: 2, Interesting

      I recently went through this problem with my work email and Comcast. Someone had reported something, they never explained what, that caused them to put a stop on my port 25 at home. Figuring this out took me many days of bitching at my IT guys at work why they're system was not letting me send emails. Eventually they figured out that it was my ISP and had me call Comcast Customer Service Assurance at 856-317-7272. It turns out that regular Comcast customer services just parrot that the port cannot be unblocked. I talked to the CSA agent and in less than 2 mins he had unblocked up my Port 25. However, he did also say that there was no guarantee that it wouldn't be blocked again, all that had to happen was for someone to make a complaint against me for spam. This includes anyone on an outgoing email who tags any email as spam. His advice was to make sure that everyone wanted the emails when they went out. I can only assume that someone in a CC'd email had tagged me as junk not realizing the consequences.

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    8. Re:What's this "finally" shit? by dkf · · Score: 2, Interesting

      Correct for most people this is a good plan. For spammers it is not. They will of course opt out of the restriction.

      So long as there is no way for the zombie itself to opt out, there's no (big) problem: the owner probably won't opt out, and the spammer won't go to the (fairly substantial) effort to social engineer his way past the restriction. What this does mean is that it pretty much requires that people who want to opt out call their Customer Services line rather than using a self-service webpage. It's horrible, but necessary.

      And for the love of God, don't encourage J Random Grandma to opt out unless she's actually busy overthrowing the government.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    9. Re:What's this "finally" shit? by wnknisely · · Score: 1

      Not in my case. Port 25 is blocked, but the alternatives (587 and 465) work fine for me.

      --
      In illa quae ultra sunt
    10. Re:What's this "finally" shit? by mibus · · Score: 4, Interesting

      My home ISP (oblig. disclaimer: I now work for them too) has blocked port 25 outbound by default on 'Home' ADSL connections for a while now.

      It's all configurable from the online webtools, so you can turn it back on if you want it.

      And there's even an in-depth FAQ about it on the site.

      IMHO it's a great idea, and I wish more ISPs did it.

    11. Re:What's this "finally" shit? by PitaBred · · Score: 1

      What pisses me off is that Comcast did the same thing a few months back. I can no longer run a mail server on my home machine. It's not an Internet connection... it's a web and email connection now.

    12. Re:What's this "finally" shit? by The+Great+Pretender · · Score: 1

      Before comments jump in irrelevant to the email. Yes I spelled 'they're' instead of 'their' and when I say 'someone had reported something they didn't tell me what', I mean that they couldn't tell me what exactly was the offending piece of email that caused them to shut-down the port 25, thus no way to back track and figure out if it was me or someone was piggy-backing my IP.

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    13. Re:What's this "finally" shit? by Vellmont · · Score: 1


      However, he did also say that there was no guarantee that it wouldn't be blocked again, all that had to happen was for someone to make a complaint against me for spam.

      So why not take the hint, and send your mail through a 3rd party (maybe the free comcast SMTP server)?

      --
      AccountKiller
    14. Re:What's this "finally" shit? by Buelldozer · · Score: 4, Funny

      So, you spent "many days bitching at my IT guys at work" and in the end the problem was with your Internet Service at home?! You posted this on Slashdot?

      Ummm, yeah, we're going to need your address. I've already handed out the torches and pitchforks.

    15. Re:What's this "finally" shit? by tepples · · Score: 1

      Comcast did the same thing a few months back. I can no longer run a mail server on my home machine.

      Per the TOS for home-tier service, you never could. As I understand it, the restriction goes away once you upgrade your high-speed Internet service to Comcast Business Class.

    16. Re:What's this "finally" shit? by Hognoxious · · Score: 1

      Wow. Not a ripoff at all!

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    17. Re:What's this "finally" shit? by The+Great+Pretender · · Score: 3, Funny

      I live at 1835 73rd Ave NE, Medina, WA 98039

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    18. Re:What's this "finally" shit? by The+Great+Pretender · · Score: 1

      Work require me to send work emails through their server for accountability reasons. While my port 25 was blocked I used my smtp.gmail.com. I don't use my comcast email.

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    19. Re:What's this "finally" shit? by DarkOx · · Score: 3, Interesting

      I have never really understood why this is an issue. I do think ISPs should be upfront about it before you sign up and if they change what ports they block and how they police their network you should be allowed out of the contract. I don't think it's fair for them to write terms that say we can limit what you do in any way we like.

      That aside I would like to ask my fellow slashdots running their own mail servers, (I do, speakeasy actually allows this under their TOS) why it's a problem for you to use your ISP as a smart host?

      Personally I like it. Unlike at work I don't have to worry about keeping the mail server off the black lists, contacting post masters at other domains to get mistakes corrected etc etc. The ISP does most of that for me. Now speakeasy will relay for my domain, but I think most ISPs will probably trust whatever is coming from their own network to their relay, I hope they pass it through some outbound filter.

      On the inbound side, the MX record points directly at my IP address so I get to handle the mail coming in and filter/black list etc according to my own needs. TLS works too if things need to stay private.

      I suppose the only argument I can think of is even if you are using TLS your ISP can still read your outbound mail, and if I was using Verizon or Comcast I might be more concerned about that....

      What are other people's reasons?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    20. Re:What's this "finally" shit? by drolli · · Score: 1

      While I see the issue I normally hardly see it necessary or even advantageous nowadays to run my own e-mail server, neither on my home machine nor on my machine at work/university. Email servers are something which required you seeing available for 24x7 in case somebody starts (due to some misconfiguration or bug in the software) to use your machine as a relay for his spam. You can get yourself quite easily blacklisted nowadays, so if you are interested in your email arriving at the recipients, just use some big mail service.

    21. Re:What's this "finally" shit? by slamb · · Score: 1

      You can set up port 25 SMTP to require authentication for relay purposes, without having to configure end user's machines for another port.

      You can set up a MSA (mail submission agent) on port 25, but Verizon users will not be able to connect to it after this change. If you run a mail service, the practical effects of this change are (1) you will need to set up port 587 if you have any customers who get transit through Verizon and (2) you will receive less spam.

      Verizon wants to stop customers from directly connecting to outside MTAs (mail transfer agents, which run on port 25). This will stop customers from sending spam from Verizon's network.

      However, they need to allow customers to send mail to MSAs outside their network or customers will (rightfully) sue them for anticompetitive practices. The solution is to encourage use of a separate port for MSAs, port 587. This is outlined in RFC 2476.

      Verizon's making a good move here. It will be a temporary inconvenience to some of their customers who will have to get their outside MSAs to set up the submission port, but that's a pretty small cost for stopping the spam.

    22. Re:What's this "finally" shit? by the+unbeliever · · Score: 1

      Or you can set up your MSA's on any random port, it doesn't really matter. My personal mail server accepts connections on SMTP, SMTPS, submission, and two other random ports just in case the above are blocked.

    23. Re:What's this "finally" shit? by jewps · · Score: 1

      Quite a few do this already. Only difference being your service provider allows you to disable the block even for home connections. That's excellent!

      No reason to pay more for a business connection just to have some ports unblocked..

    24. Re:What's this "finally" shit? by drinkypoo · · Score: 1

      Just use an ssh tunnel to work, this is one of the times when it seems like it's actually a valid and even reasonable use.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    25. Re:What's this "finally" shit? by darkpixel2k · · Score: 1

      Wow. Not a ripoff at all!

      No, not really. You pay more for business class, and they do things like ignore the stupid 250 GB home-user cap, or unblock port 25 since they expect businesses to have IT people.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    26. Re:What's this "finally" shit? by value_added · · Score: 1

      That aside I would like to ask my fellow slashdots running their own mail servers, (I do, speakeasy actually allows this under their TOS) why it's a problem for you to use your ISP as a smart host?

      I've run my own mail server on and off over the years, and decided to do it permanently just over two years ago.

      Why?

      Why do anything for yourself rather than let someone else provide a comparable service? Allow me to use a non-car analogy. The Holiday Inn suits some folks fine, some want their own apartment, while others insist on building and/or designing their own house. Me, I fall into the latter category.

      Obviously, there's work involved (trivial if you know what you're doing beforehand), but that work invariably offers something in return. In my case (continuing the "build your own house" analogy), I don't have to deal with lousy contractors (subpar hosting companies), unqualified tradesman (help desk drones), ambiguous chain of command (no direct accountability by the person actually in charge of the mail servers), ambiguous contractual obligations (unpublished exceptions to the TOS), or any other nonsense. It's just me, my servers and my logs.

      The downsides? My UPS won't protect me from accessing or receiving mail due to an extended power outage. On the other hand, I've received exactly 2 spam messages in just over 2 years. I'd say that's a real bargain.

    27. Re:What's this "finally" shit? by slamb · · Score: 1

      Or you can set up your MSA's on any random port, it doesn't really matter. My personal mail server accepts connections on SMTP, SMTPS, submission, and two other random ports just in case the above are blocked.

      That works, of course, but there are benefits to standardization, among them reduced user confusion.

      What ISPs have you encountered that block port 587 but allow any of your others?

    28. Re:What's this "finally" shit? by Anonymous Coward · · Score: 0

      Why can't you use your Comcast mail server as a relay/Smart Host?

    29. Re:What's this "finally" shit? by theCoder · · Score: 1

      Because Comcast has blocked incoming port 25 traffic as well!

      As someone with a personal domain, I'm not sure what the long term solution is going to be. Eventually, everyone is going to block all port 25 traffic, and only the "big guys" will be able to send and receive email. I don't want to pay for some co-lo since I am already paying for Internet service and can run a small mail server just fine. Google mail for domains (or whatever it's called) might be a solution, but I don't like the idea of Google reading all my mail, and there's no guarantee that service would be around forever anyway.

      I wish DNS allowed me to specify a port in addition to the host in the MX record.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
    30. Re:What's this "finally" shit? by the+unbeliever · · Score: 1

      Mostly it's hotel internet access that filters anything listed as a "common" tcp port until you pay an exorbitant fee. I could have gotten around that by putting SSH on a non-standard port and making a tunnel, but what's the fun in that.

    31. Re:What's this "finally" shit? by characterZer0 · · Score: 2, Insightful

      Will they even let you get business class? My ISP (Time Warner) simply refuses to sell business class to a building zoned residential.

      --
      Go green: turn off your refrigerator.
    32. Re:What's this "finally" shit? by DarkOx · · Score: 1

      You can still run your own mail server and use someone else's server as a smart host. That's what I am asking about, because this is what I do and I get the best of both worlds.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    33. Re:What's this "finally" shit? by SaDan · · Score: 2, Interesting

      I have Comcast Business internet, and it is exactly as others have described: no blocked ports, no upload/download limits, and (so far) very decent customer service.

      I also have five static IPs, run an email server and web server out of my house for commercial and non-commercial purposes. I've had zero issues in the year I have had this configuration.

    34. Re:What's this "finally" shit? by SaDan · · Score: 1

      It's called a business account, and Comcast offers this in most areas.

    35. Re:What's this "finally" shit? by SaDan · · Score: 1

      So, work allowed you to bounce through smtp.gmail.com, but you couldn't use the SMTP servers at Comcast? Exactly how is that any different?

      You really have no clue about how this stuff works, do you?

    36. Re:What's this "finally" shit? by Anonymous Coward · · Score: 0

      I talked to the CSA agent and in less than 2 mins he had unblocked up my Port 25. However, he did also say that there was no guarantee that it wouldn't be blocked again, all that had to happen was for someone to make a complaint against me for spam.

      So take the hint and have your IT folks setup port 465 with SSL for authenticated SMTP submissions to the mail server. And use POP3 over SSL for the inbound leg.

    37. Re:What's this "finally" shit? by The+Great+Pretender · · Score: 1

      Nope. Work insists on the port 25 (don't ask me why). I used gmail as that is my personal email address and just the first SMTP that I typed in. I have just never bothered to use my comcast email address and so didn't use that SMTP.

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    38. Re:What's this "finally" shit? by The+Great+Pretender · · Score: 1

      Talk to me about this. I'm not an IT guy, as you probably guessed by the first post. Looking up the ssh definition I think that work will not allow me to use this as it would give remote access to the company servers. Unless they can filter out non-company endorsed computers? If this is a viable option then why do you think they have not offered it?

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    39. Re:What's this "finally" shit? by WuphonsReach · · Score: 1

      Mostly it's hotel internet access that filters anything listed as a "common" tcp port until you pay an exorbitant fee. I could have gotten around that by putting SSH on a non-standard port and making a tunnel, but what's the fun in that.

      Eh, SSH should almost always be run on a non-standard port if it's a public-facing IP address. If for no other reason than to stop the ceaseless and unrelenting dictionary attacks on your SSH server that fill up log files. It doesn't stop focused attacks, or crackers who use nmap first, but it definitely cuts the number of log messages by a few orders of magnitude.

      (Even with only public-key authentication to our SSH servers, we still move it to a non-standard port.)

      --
      Wolde you bothe eate your cake, and have your cake?
    40. Re:What's this "finally" shit? by greed · · Score: 1

      Heck, authentication can be required on any port. SMTP can listen on any port. And, well at least _proper_ servers, can have any restrictions you want, on any port you want.

      Due to the wonderful nature of SSL, I've got several SMTP listeners on my server, only one of them is on the submission port. Similarly, only one IMAP listener is on the well-known port.

      The port 25 listener doesn't require authentication, and doesn't require SSL, but if you don't do both, you don't get relay permissions. The other listeners require some crypto (SSL or TLS) and authentication.

      So, yeah, it means users need software that lets you enter a port number. It's 2009. Even the crappy mail program on my Palm TX can do that.

    41. Re:What's this "finally" shit? by SaDan · · Score: 2, Interesting

      If you use your Comcast SMTP servers for outbound email the same way you use Google's, you will be able to send work email from home. This will get around the port 25 block they (Comcast) have in place, because you are authenticating with Comcast in order to send email.

      If your IT guys at work didn't have a problem getting your email when you were sending it through Google, they shouldn't care if you send it through Comcast. There's no more or less accountability, and you actually aren't sending through the work email server if you go through Google anyways.

      I'd give the Comcast SMTP server(s) a shot.

    42. Re:What's this "finally" shit? by drinkypoo · · Score: 1

      If this is a viable option then why do you think they have not offered it?

      They might not even know it's possible. I don't know how competent your IT guys are, but I've known and even worked with many that couldn't find their ass with both hands and a toner wand. I found a quickie google result on how to limit port forwarding so they can control just which ports you can forward. There are also numerous other technologies for doing the same thing including an IPSEC tunnel which is provided by Windows 2000 and later and by pretty much every Unix, at least those I'm aware of that someone might actually run a mail server on. Finally, they could just open an additional port (or forward a port) to port 25 on the mail server for you, so that you could access the mail server without being blocked by a rule against TCP connections to destination port 25.

      The advantage of using an encrypted connection is that you can send confidential email without having to worry about being sniffed, and without having to actually encrypt email. This only really applies to internal mail, but anyway.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    43. Re:What's this "finally" shit? by The+Great+Pretender · · Score: 1

      I asked them about using the non-25 recommended port (587?) and they said they could open it, but they would have to rebuild the server and that would be a hassle. Is this an IT-BS diversion statement, basically they're telling me that they can't be bothered?

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    44. Re:What's this "finally" shit? by psydeshow · · Score: 1

      An IT wonk who doesn't know that port 25 is likely to be blocked or redirected by a home ISP deserves a little abuse.

      I'm all for the pitchforks, though.

    45. Re:What's this "finally" shit? by drinkypoo · · Score: 1

      Every mail server I know of will permit configuration to allow multiple incoming ports. Also you could do it at the firewall level by forwarding a port.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    46. Re:What's this "finally" shit? by lidocaineus · · Score: 1

      I think you don't know what a smart host is.

    47. Re:What's this "finally" shit? by amorsen · · Score: 1

      It's more like the worst of both worlds. ISP outgoing mail servers are notoriously overloaded, blacklisted and generally ill-maintained.

      Also, at least around here, a lot of them do header logging and keep the data for a comparatively long time. You can argue that the ISP can get the same information just by analyzing packets, but actually a lot of email servers accept encrypted SMTP. The ISP can only log those emails by doing a man-in-the-middle, and they generally don't do that.

      --
      Finally! A year of moderation! Ready for 2019?
    48. Re:What's this "finally" shit? by PitaBred · · Score: 1

      Yes. But they sold me an INTERNET account. They then changed the service they were providing with no notice. If they sold me a "web and email access" account, then I'd agree with you. But calling it an internet account is like saying a moped is highway-worthy. Only in the sense that it can go 55 downhill with the wind at its back is it highway-worthy.

    49. Re:What's this "finally" shit? by theCoder · · Score: 1

      Business accounts are more expensive than regular accounts. If the phone company decided that I couldn't call a specific area code unless I upgraded to a business account, I wouldn't be too pleased. Degrading the service and then saying you can get rid of the block by paying more money is awfully close to extortion.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
    50. Re:What's this "finally" shit? by darkpixel2k · · Score: 1

      Will they even let you get business class? My ISP (Time Warner) simply refuses to sell business class to a building zoned residential.

      It seems dumb to me that a company would refuse to sell a higher-priced service to anyone--especially a home user that is already downloading a metric shit-ton of data. (Where metric shit-ton is equal to a number double the amount of the current provider's bandwidth cap.)

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    51. Re:What's this "finally" shit? by characterZer0 · · Score: 1

      Time Warner has never been known for not being dumb.

      --
      Go green: turn off your refrigerator.
    52. Re:What's this "finally" shit? by SaDan · · Score: 1

      So, where does Comcast block you when you browse the web like the average consumer? Most people don't need remote SMTP services, or run a web/email server out of their house.

      It's all in the ToS. Worth a read before you buy, and this applies to ALL internet service providers. If you plan on doing anything non-standard with your connection, it's also worth asking before you accept the contract.

    53. Re:What's this "finally" shit? by SaDan · · Score: 1

      No, they sold you access to the internet as most people would use the service, which includes blocked ports because the average person can't be bothered with a firewall or antivirus.

      This applies to all ISPs. You have to investigate the service you are attempting to buy.

    54. Re:What's this "finally" shit? by Hognoxious · · Score: 1

      My ISP ups the cap from 10 (or 12) to whopping 18, and opens port 25. That's it. And for only 100 Euro[1] rather than 40. Don't presume to tell other people they aren't being ripped off when your fat hummer driving ass doesn't even know what their tariff structure is, OK?

      [1] I guess you don't know what that is, you fat prick. It's similar to a dollar, but worth something.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    55. Re:What's this "finally" shit? by darkpixel2k · · Score: 1

      My ISP ups the cap from 10 (or 12) to whopping 18, and opens port 25. That's it. And for only 100 Euro[1] rather than 40. Don't presume to tell other people they aren't being ripped off when your fat hummer driving ass doesn't even know what their tariff structure is, OK?

      [1] I guess you don't know what that is, you fat prick. It's similar to a dollar, but worth something.

      Sorry--my white American, hummer-driving ass forgot there was a part of the planet called "Not America".

      But seeing as how I typed in slashdot.org, and not slashdot.org.uk, I assumed we would be talking about American ISPs.

      You know--kinda like when I dial *1*-800-FUCK-OFF, I don't want to press '1' for English and '2' for Spanish--I already dialed *1*-800... and not 0111536-FUCKO-FF1 or whatever the Mexican international prefix is.

      Zark off.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
  5. Do zombies even use ISP mail servers? by Anonymous Coward · · Score: 0

    Don't most zombies implement their own SMTP clients? In other words, they wouldn't even use the ISP's mail servers...

    1. Re:Do zombies even use ISP mail servers? by stevey · · Score: 5, Insightful

      Indeed.

      But if you're the ISP you can just say "Hey customers outgoing port 25 is blocked - use authentication and port 587 to send mail".

      In general I'm against ISP blocking services, but in the case of spam prevention it's a good choice to make.

      (The ideal would be to allow outgoing, but cut people off if they spam. That would punish only the guilty, but I guess they're not so keen on that).

    2. Re:Do zombies even use ISP mail servers? by bluefoxlucid · · Score: 1, Troll

      those who would give up blahblah ben franklin

      In general I'm against monitoring people secretly and continuously; but in the case of cities where children are legally or physically possibly present, it's a good choice to make to stop pedophiles.

    3. Re:Do zombies even use ISP mail servers? by Chabo · · Score: 4, Insightful

      In general I'm against monitoring people secretly and continuously; but in the case of cities where children are legally or physically possibly present, it's a good choice to make to stop pedophiles.

      ... what?

      --
      Convert FLACs to a portable format with FlacSquisher
    4. Re:Do zombies even use ISP mail servers? by erroneus · · Score: 3, Interesting

      Yes and it is only a matter of time before that changes and evolves.

      The reason these alternative ports and blocking works is because most everyone else isn't doing this. When it comes to the point where most people are doing this, new methods will arise.

      The first scenario that comes to mind is that the next generation of bot-ware will listen to your outgoing email traffic and learn your password then configure itself to send email based on that information. Then once again, the problem returns. And if *I* can conceive of this, then I *know* spammers have already thought of this. (I am comfortable in the assumption that I have never come up with an original idea.) You can expect this to occur within the next year or so. The drive to these measures is largely based on the size of the target audience after all. (This is the reason Mac OS X is mostly immune to attacks and infection... it isn't yet a big enough target!)

      Things will get crazier before they get better.

    5. Re:Do zombies even use ISP mail servers? by Anonymous Coward · · Score: 0

      Doing that would not cut out the ISP's mail server. Maybe yours was a simple slip up, but "SMTP client" is something like Outlook Express or Eudora... each still needs a mail server. I can attest that writing an SMTP client is fairly simple.

      Now as to servers, I'm not as well informed. I don't know what difficulties there are in writing a program to spoof a mail server just passing along a message. I figure that's much harder to do or viruses would probably start there instead.

      I do know that ISPs do normally restrict customers from using port 25 (and possibly other common mail ports) except for communication with their own mail server. So a simple SMTP client program sending spam out is restricted to communicating only with the "right" server, the ISP's server.

    6. Re:Do zombies even use ISP mail servers? by robot_love · · Score: 4, Insightful

      He's saying that losing a little bit of liberty to gain some safety isn't worth it. He did this by cleverly rewording the original poster's statement about email to make it about pedophiles to highlight the fact it's essentially the same issue, simply in a different context.

      --
      .there is enough of everything for everyone.
    7. Re:Do zombies even use ISP mail servers? by bluefoxlucid · · Score: 0, Troll

      The best part is it's ridiculously close to a strawman fallacy, and just barely escapes by actually being analogous to the original argument.

    8. Re:Do zombies even use ISP mail servers? by Drgnkght · · Score: 1

      Writing a program to act like a mail server for the purpose of sending spam would not be difficult. You wouldn't need to implement any kind of backend just the simple mail transfer protocol. Take a look at the RFCs 821 and 2821. The original RFC is 821. It contains most everything you would need to write a mailer. The actual communication is very simple by design.

      And for the record some viruses and trojans do implement this.

    9. Re:Do zombies even use ISP mail servers? by GigaplexNZ · · Score: 2, Informative

      The first scenario that comes to mind is that the next generation of bot-ware will listen to your outgoing email traffic and learn your password then configure itself to send email based on that information. Then once again, the problem returns.

      The advantage in this instance is that the ISP can easily identify (because the zombie used the user/pass) who has been zombified and inform the customer to get their machine disinfected.

    10. Re:Do zombies even use ISP mail servers? by lgw · · Score: 1

      I particularly like the scenario where the ISP informs the customer via *email* that they're infected - the email is intercepted by the spam bot, which stops for a while, then sends an email back promising that the system has been cleaned. All of which is much less silly than the fact that certificate authorities exchange plain-text emails with their customers, and are currently so easy to social-engineer that a bot could do it.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    11. Re:Do zombies even use ISP mail servers? by GigaplexNZ · · Score: 1

      My ISP (Xnet, in New Zealand) informs the customer by blocking the internet connection and contacting them by phone (I know this as my flatmate managed to get infected at one point). Your described scenario is somewhat hilarious but somewhat scary as it's probably quite plausible depending on the ISP.

    12. Re:Do zombies even use ISP mail servers? by nine-times · · Score: 2, Interesting

      (The ideal would be to allow outgoing, but cut people off if they spam. That would punish only the guilty, but I guess they're not so keen on that).

      I'd be more content if they said, "You're blocked by default, but contact our support line and we'll open port 25 for you."

      But I find it really frustrating when they block port 25. I use two different email services, and both of them require authentication and SSL, but do it via port 25, so I can't use them for outgoing SMTP if that port is blocked. I've had an ISP block port 25 on me, requiring me to use their SMTP server, but then they wouldn't let me use their SMTP server when I wasn't connecting through them. That's a pretty annoying problem, considering I have a laptop and have to manually change SMTP servers whenever I change locations. And even if ISPs let you use their SMTP server from other locations, if they're using port 25 and other ISPs are blocking that port, then you'll still have to manually change your SMTP server whenever you change locations. It's stupid.

      I vaguely suspect that there's some kind of attempt here to get you to use your ISP's email address by making everything else not-work, thereby making it more difficult to change ISPs. Or maybe it's just a means to milk extra money by charging a fee for opening port 25. My old ISP charged $15 a month to open ports 25 & 80.

    13. Re:Do zombies even use ISP mail servers? by hab136 · · Score: 1

      The first scenario that comes to mind is that the next generation of bot-ware will listen to your outgoing email traffic and learn your password then configure itself to send email based on that information.

      That's why you also use encrypted connections. It would be stupid to pass login information over unencrypted connections.

      Without access to the SMTP port and the login information, the next route is to tell the default mail programs (Outlook express, Mail.app, etc) to send a mail and let those programs handle it. This is already used by malware, and has been for some time. The reason they've been using straight SMTP is that it's harder for the user to notice, and marginally harder to trace to the sender.

      (This is the reason Mac OS X is mostly immune to attacks and infection... it isn't yet a big enough target!)

      Well, that and the lack of "run any code any idiot puts on a web page" (ActiveX, VBScript) and the whole non-root privileges by default thing.

    14. Re:Do zombies even use ISP mail servers? by houghi · · Score: 1

      I can imagine that they would not look at the traffic, but look on your system to what the password of your Outlook Express is.
      There are already things that can do that and I would suspect it can be re-written to get the password without you knowing it and then use it to spam the world.
      http://www.filetransit.com/files.php?name=Reveal_Outlook_Express_Password

      --
      Don't fight for your country, if your country does not fight for you.
    15. Re:Do zombies even use ISP mail servers? by wvmarle · · Score: 1

      That actually sounds reasonable to me. If you plan to run your own web server you are bound to create extra traffic. You pay for that. And if you think it's too much then rent server space at a web server co. Probably cheaper even.

      Home internet connections are not to run servers on. Then you need a business connection. In which case you probably get a fixed IP to boot, saves finding (and paying for) a dynDNS service.

    16. Re:Do zombies even use ISP mail servers? by wvmarle · · Score: 1

      Setting a limit of say 100 mails, no make that 500 mails per day will do the job pretty much as well.

      It is a limit that normal users will not reach. OK maybe some send out newsletters, one could consider making the limit a bit flexible on request. Though help desk calls are expensive of course for the ISP.

      500 mails per zombie per day I don't think is interesting for a spammer. Now they can do hundreds of thousands in a day per zombie. It would lower the value of botnets for starters. And the user that is infected will have problems sending mail for being over the limit within minutes of switching on his computer - I can't think of a better way to convince people to clean up their act.

    17. Re:Do zombies even use ISP mail servers? by nine-times · · Score: 1

      Home internet connections are not to run servers on.

      What, is that a rule of some kind? I guess home internet connections are just meant for media companies to broadcast out to you, and not for you to participate on the Internet, right? We probably don't need to be able to get good upload rates either, or anything like that. Hell, let's just block all ports, and make traffic completely one-way unless it's traveling through ISP-approved servers.

    18. Re:Do zombies even use ISP mail servers? by eth1 · · Score: 1

      I would actually be FOR ISPs blocking outbound email (except via their relay) by default, IF there is an easy way to remove the block.

      This way Joe Sixpack can't send spam, and won't notice the block in any case, while those who know what they're doing can have the access.

    19. Re:Do zombies even use ISP mail servers? by wvmarle · · Score: 1

      You do not need to run your own server to "participate on the Internet". You do not need to run your own web server to post comments on /. for example. Or to blog on Blogspot. Or to post your videos on Youtube. Just to name a few functions. Besides being geek I can't think of any reason to have to run your own servers as only way to "participate on the Internet".

    20. Re:Do zombies even use ISP mail servers? by nine-times · · Score: 1

      Oh, right, we should just rely on the benevolence of big media companies to provide forums for us to interact. I'm sure they'll never use our reliance as leverage to get what they want.

    21. Re:Do zombies even use ISP mail servers? by WuphonsReach · · Score: 1

      What, is that a rule of some kind?

      It's a de facto rule for a couple of reasons

      - ISPs have structured their networks where download speeds are higher than upload speeds, because that works for 80%+ of their user base.

      - They don't want to be bothered with service calls from people trying to run their own servers. If you want that, get a business package with better support for doing things that the large majority of the user base does not do.

      - It's about control and revenue. Businesses are willing to pay more for less control, therefore it makes sense from a revenue standpoint to charge more to those who are willing to pay for more.

      - Bandwidth is not free. It's getting cheaper every year, but those really big links to other ISPs (or even other sections of the ISP network) are expensive.

      Which all boils down to - if you want more service than the other 80% of the population, you're going to have to pay more for it. If you're not willing to pay for it, then it is apparently not important enough for you. (Or your business model is flawed because you're wishing that the world worked differently. In which case you can either get into the ISP business yourself and do it the way that you want to, or shop around for a better ISP.)

      --
      Wolde you bothe eate your cake, and have your cake?
    22. Re:Do zombies even use ISP mail servers? by WuphonsReach · · Score: 1

      Either way, with the use of credentials - you have a way to contact the *right* person. Without authentication, you're taking stabs in the dark which is not worth doing. You can't prove which user caused the issue because all you have is an IP address. (Although the RIAA is trying hard...)

      With authentication, it basically boils down to one of two cases:

      A) The user's PC is infected, the spambot read their username/password out of a configuration file. In this case, you've identified the correct person to contact and you can, via your TOS contract, require them to take corrective action before reconnecting to your network.

      B) The user's authentication credentials have been stolen or shared (almost always against the terms of service). Once again, you have a person that you can contact and tell them to correct the situation. Maybe you block them entirely, maybe you rate limit down to 1 email per hour, or force all their web traffic to go to a notification page. Or you have a CS rep call them and have them change their password. Bottom line, you can prove that the user account was used for actions not within the TOS contract and can then force the other party to take corrective action.

      And it's not a black/white corrective situation. You might decide to apply a variety of methods. The initial contact might be via e-mail listed in the customers contact profile. If that doesn't work, an automated phone call might fit the bill. Or progressively worse rate limiting (100 per day down to 1 e-mail per day) until the issue is fixed. Since all of the traffic flows through a single point (the Verizon mail server) and has credentials attached to it, management of the situation is simply a lot easier.

      --
      Wolde you bothe eate your cake, and have your cake?
    23. Re:Do zombies even use ISP mail servers? by Dragonslicer · · Score: 1

      That actually sounds reasonable to me. If you plan to run your own web server you are bound to create extra traffic.

      Which then reduces the bandwidth I have available to do other things. Why should an ISP care if I'm using 50 kbps for a web server and 50 kbps for porn instead of 100 kbps for porn?

    24. Re:Do zombies even use ISP mail servers? by nine-times · · Score: 1

      It's about control and revenue.

      That's the only part that you really got right. It's an issue of marketing. They know that they can give crappy service to most people, and most people won't notice. So they do that, and then if you want decent service, they hold you hostage for a higher price-- not necessarily because it costs them any more, but because they can. If they could get away with charging you $10/byte, they would. If these companies could turn the Internet into a broadcasting system where they controlled what you saw, they would.

      It's an issue of what they can get away with, and nothing else.

    25. Re:Do zombies even use ISP mail servers? by lgw · · Score: 1

      Given the convergence of phone and data traffic, I wonder how long it will be before the malware bot answers the phone when you call the TOS contact. A bot would hardly be weirder than some of the customers that ISP tech support has to deal with. :)

      --
      Socialism: a lie told by totalitarians and believed by fools.
    26. Re:Do zombies even use ISP mail servers? by Thomas+Cruise · · Score: 1

      An internet connection is a pipe to the open internet, nothing more, nothing less. You are paying for the following bandwidth at the following conditions, and that's that. They can't tell you what to do with what you bought. How'd you feel if the electricity company bans running a computer load higher than 500 W. Besides being a geek, I can't think of any reason to run more than 500 W worth of computers.

      --
      Linux is for those who hate windows, *BSD is for those who love UNIX, Plan 9 is for practical folks like me.
  6. Verizon spam zombies by benjfowler · · Score: 5, Funny

    I feel a great disturbance in the Force, as if millions of voices cried out in terror and were suddenly silenced...

    1. Re:Verizon spam zombies by SpiffyMarc · · Score: 4, Funny

      They're spam zombies. It's a million voices groaning out URrGgGHghHHhh followed by a couple late chants of "brains."

    2. Re:Verizon spam zombies by bluefoxlucid · · Score: 1

      Zombies don't feel terror, they only feel hunger... for brains...

    3. Re:Verizon spam zombies by Anonymous Coward · · Score: 0

      Zombies don't feel terror, they only feel hunger... for brains...

      ehlo console
      MAIL FROM: LUVBRAINS2000@VERIZONZOMBIE.NET
      RCPT TO: XHAVEBRAINSX@VERIZON.NET
      data
      TO: XHAVEBRAINSX@VERIZON.NET
      FROM: LUVBRAINS2000@VERIZONZOMBIE.NET
      sUBJECT: YOU HAVE BRAINS???
      BRAAAAAIINS
      .
      quit

  7. Can't see that as longterm solution by Anonymous Coward · · Score: 0

    Can't see how this will prevent sending spam.
    Maybe in future zombies have their own built-in sendmail.

    1. Re:Can't see that as longterm solution by Anonymous Coward · · Score: 0

      1. It blocks direct-to-25 spam as the individual home machines cannot send directly on port 25, forcing outgoing mail through the server.

      2. The mail server then requires a username and password, which is an impediment for a dumb zombie (current generations probably wouldn't know.) If the zombie software manages to recover the username/password (which I suspect is only a matter of time, really) then the mail server can tell what account is compromised easily and cut it off. (If a particular username/password sends 100 messages per day, it might get cut off or something.)

      3. The mail server might also enforce the Sender/From headers to match up with the authenticated sender; making tracking down the person with the compromised box easier.
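
The policy sketched in points 2 and 3 above, together with the per-account throttling WuphonsReach describes earlier in the thread, as an added example that is not part of any post and not Verizon's implementation. The record fields, the rule that an account may only send as its own login address, the `example.net` accounts and the log itself are constructed assumptions; the 100-per-day cap is the figure floated in the comment.

```python
"""Submission-port policy check: per-account daily cap plus From/auth match.

Added illustration. Field names, thresholds and the sample log are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.utils import parseaddr

DAILY_LIMIT = 100  # per-account cap, the number suggested in the thread


@dataclass
class Submission:
    when: datetime     # time the message arrived on the submission port
    auth_user: str     # account that passed SMTP AUTH
    header_from: str   # raw From: header value


@dataclass
class AccountReport:
    accepted: int = 0          # messages that passed both checks
    over_limit: int = 0        # refused: account already at its daily cap
    sender_mismatch: int = 0   # refused: From: is not the authenticated account

    @property
    def flagged(self) -> bool:
        """An account with any refusal is one the ISP should contact."""
        return self.over_limit > 0 or self.sender_mismatch > 0


def owns_address(auth_user: str, header_from: str) -> bool:
    """Assumption: an account may only send as its own login address."""
    _, addr = parseaddr(header_from)
    return addr.lower() == auth_user.lower()


def evaluate(submissions, daily_limit=DAILY_LIMIT):
    """Replay submissions in time order and return {account: AccountReport}."""
    reports = defaultdict(AccountReport)
    per_day = defaultdict(int)  # (account, calendar date) -> accepted count
    for sub in sorted(submissions, key=lambda s: s.when):
        user = sub.auth_user.lower()
        report = reports[user]
        if not owns_address(user, sub.header_from):
            report.sender_mismatch += 1
            continue
        key = (user, sub.when.date())
        if per_day[key] >= daily_limit:
            report.over_limit += 1
            continue
        per_day[key] += 1
        report.accepted += 1
    return dict(reports)


def constructed_log():
    """Constructed sample: one normal user, one bulk sender, one forged From."""
    day1 = datetime(2009, 2, 12, 3, 0)
    day2 = datetime(2009, 2, 13, 9, 0)
    log = [Submission(day1 + timedelta(hours=h), "alice@example.net",
                      '"Alice" <alice@example.net>') for h in (6, 7, 9)]
    # bob's machine submits 250 messages in under an hour, then 5 the next day
    log += [Submission(day1 + timedelta(seconds=10 * i), "bob@example.net",
                       "bob@example.net") for i in range(250)]
    log += [Submission(day2 + timedelta(minutes=i), "bob@example.net",
                       "bob@example.net") for i in range(5)]
    # carol's credentials are used with a From: address she does not own
    log += [Submission(day1 + timedelta(minutes=i), "carol@example.net",
                       "Offers <promo@unrelated.example>") for i in range(2)]
    return log


if __name__ == "__main__":
    for account, rep in sorted(evaluate(constructed_log()).items()):
        status = "CONTACT CUSTOMER" if rep.flagged else "ok"
        print(f"{account:20} accepted={rep.accepted:3} "
              f"over_limit={rep.over_limit:3} "
              f"mismatch={rep.sender_mismatch} {status}")
```

Because every refusal is tied to an authenticated account rather than an IP address, the flagged list is directly the set of customers to notify or throttle.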

  8. PORT 587 THE GATE TO HELL by Anonymous Coward · · Score: 1, Funny

    Last week I routed an email through PORT 587 and this came out of it:

    Hai Adonai Abmozedel, Adonai Garntaturagah, Adonai Hai Prezelbuuub, Adonai Hai Koadze....and so on.

    Is their choice really smart?

    1. Re:PORT 587 THE GATE TO HELL by Samschnooks · · Score: 2, Funny

      Somebody fucked with you. They mapped port 587 on that machine to port 666.

    2. Re:PORT 587 THE GATE TO HELL by Anonymous Coward · · Score: 0

      Port 666 is reserved for Doom (video game)

    3. Re:PORT 587 THE GATE TO HELL by lgw · · Score: 3, Interesting

      Port 666 is reserved for Doom (video game)

      Wow, I thought AC was joking, but it's right there in RFC1700!

      doom 666/tcp doom Id Software
      doom 666/tcp doom Id Software

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:PORT 587 THE GATE TO HELL by bloodninja · · Score: 1

      Of course the AC would know that. It's his /. UID.

      --
      Lock the wife and the dog in the boot of the car.
      Return one hour later.
      Who's happy to see you?
  9. Won't make a difference in the long run by Coram · · Score: 1

    This is a good thing, but it's unlikely to improve things in anything other than the short term. They are quite capable of identifying which customers are zombie spam relays already by looking at IP addresses and authentication logs. I did this back in the days of dialup when I did a lot of work on mail systems for another large isp/telco. They are still left with the matter of contacting the customer and explaining the problem and guiding through to a solution. This is expensive to do, and requires hand holding as the customer isn't going to understand what to do. It's still cheaper for the ISP to ignore the problem. Zombies will still operate, just now they have to steal authentication details. Big deal.

    --
    I say I ain't giving you no tree fiddy you goddamned Loch Ness monster, get yo own goddamned money!
    1. Re:Won't make a difference in the long run by stevey · · Score: 1

      They should just re-route outgoing connections on port 80 to :

      • you're.a.spammer.verizon.net

      Or similar. That way the customer knows what to do.

      Of course that level of control would be easy for the ISP to avoid, but there's a tradeoff - do you block all outgoing :25 access, or only that belonging to known-bad/known-compromised users?

      Me I'd block the spammers. But I guess it'd be easier to block all users.

    2. Re:Won't make a difference in the long run by Coram · · Score: 1

      Those are the same options my former employer wrestled with. Many users don't care if they are a zombie spam bot, or at least it falls into the "too hard" basket. The choice (for the ISP) is "do I turn off service to my paying customers, or do I let spam go out to people who aren't my paying customers?". If the financial consequences of accepting that you can be a spam hub are less than the consequences of pissing off customers you've disabled email for, then you choose to let the spam run wild. Until the economies of this change (either it becomes expensive to send spam or it becomes expensive for ISPs to allow it), spam remains a problem.

      --
      I say I ain't giving you no tree fiddy you goddamned Loch Ness monster, get yo own goddamned money!
    3. Re:Won't make a difference in the long run by Anonymous Coward · · Score: 0

      The right answer is obviously to send an automated email informing them that according to your data their computer is compromised and if the spam doesn't stop the offending ports will be locked.

    4. Re:Won't make a difference in the long run by vux984 · · Score: 2, Insightful

      The right answer is obviously to send an automated email informing them that according to your data their computer is compromised and if the spam doesn't stop the offending ports will be locked.

      That's not an obviously right answer.

      First they'll ignore your email. (Assuming they even get it, because the people with zombie PCs don't check their ISP mail they mostly use hotmail/gmail/yahoo etc so they'll never see the message from their ISP.)

      Then you follow through on your threat and block their access.

      At which point they phone your Customer Support to complain that their 'internets is broken', bitch that you never warned them, and when your CSR tells them they need to have someone clean out their PC they go ballistic because that's hard or expensive. And the whole time they're on the phone with your CSR it's costing you money, and creating an unhappy customer.

      It might actually cost you less to just let the zombie spam away, and keep the customer happy.

    5. Re:Won't make a difference in the long run by Anonymous Coward · · Score: 0

      If they don't care they are a zombie, they probably aren't sending legit mails the same way the zombie mailer is... ergo, you can block the zombie and the user will still be able to get to their myspace...

      For the few people that notice, make sure your call center people have a script that points to the 'unblock smtp' page...

      done.

    6. Re:Won't make a difference in the long run by amorsen · · Score: 1

      It might actually cost you less to just let the zombie spam away, and keep the customer happy.

      There's no might in there, it's definitely cheaper to let it spam away. Especially if you do a bit of "congestion management" so it doesn't eat too much bandwidth. If you're lucky the "congestion management" will make the customer switch to a different ISP who might spend the time to educate them, in the process making the customer so angry that they switch back to you.

      That's not a particularly ethical way to deal with zombies or customers, but for consumer connections cheap tends to beat ethical.

      --
      Finally! A year of moderation! Ready for 2019?
  10. Re:first by Anonymous Coward · · Score: 3, Funny

    No, the guy posting before you did that ;-)

  11. Comcast did it already by Dwedit · · Score: 1

    Comcast has required email to be on port 587 for a while now.

    1. Re:Comcast did it already by Anonymous Coward · · Score: 0

      Yep, they turned me off at home the other day for port 25 with no warning whatsoever. When I called, I was told they're slowly rolling it out to everyone (port 25 blocking that is).

    2. Re:Comcast did it already by whoever57 · · Score: 1

      Comcast has required email to be on port 587 for a while now.

      Not where I am:
      $ telnet a.mx.mail.yahoo.com. 25
      Trying 67.195.168.31...
      Connected to a.mx.mail.yahoo.com.
      Escape character is '^]'.
      220 mta112.mail.ac4.yahoo.com ESMTP YSmtp service ready
      quit
      221 mta112.mail.ac4.yahoo.com
      Connection closed by foreign host.

      --
      The real "Libtards" are the Libertarians!
    3. Re:Comcast did it already by PitaBred · · Score: 1

      Yup. They hit me a few months ago. Fuckers. There's not even a way to opt out of it that I can find.

    4. Re:Comcast did it already by Anonymous Coward · · Score: 0

      ^^^^ geek card revoke for using telnet instead of nc.

  12. Comcast by TheNinjaroach · · Score: 5, Funny

    Well your spam made it through, but the response must have been throttled since you didn't get first post. You're a Comcast customer, aren't you?

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
    1. Re:Comcast by masshuu · · Score: 0

      no probably AOL

      l2ISP

      --
      O.o
    2. Re:Comcast by Dishevel · · Score: 2, Funny

      no probably AOL

      l2ISP

      I thought AOL customers just posted ....

      HOW DO I POST!!!!!!!!!!!!!!!

      27 times in a row.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    3. Re:Comcast by Zencyde · · Score: 2, Funny

      me too

      --
      What day is it? Could you please tell me?
  13. Article Confuses Mail Servers vs. Network Filters by billstewart · · Score: 2, Insightful

    As far as I can tell from this article and a few others that are derived from the same press releases, what VZ is doing here is setting up their own mail servers to use Port 587 submission instead of Port 25. That won't stop zombies or legitimate Linux mail systems from sending mail directly to their recipients' systems, though I'm guessing that they'll get around to blocking Port 25 (sigh) once they've got most of their users migrated to 587.

    What this will do is give them authentication, which makes it easier for them to block customers who use VZ's mail servers from spamming, but I'd be surprised if there's much of that happening (though botnets keep evolving their techniques.) It's already possible to reduce that simply by using passwords, or using various hokey port 25 authentication methods like receive-before-send; this cleans up the process a bit.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  14. Enabler, not longterm solution by billstewart · · Score: 2, Insightful

    Most ISPs already do a fair bit of policing on the users of their mail servers, so this probably won't make a big dent (though botnets keep evolving, and if the scalability works to use ISP mail servers, they'll go back to it.) This basically provides a cleaner, more standardized solution for mail submission and authentication. VZ might block Port 25 later, and getting their users onto 587 makes it easier.

    Zombies already do deliver their mail directly using Port 25. They're not generally running Real Sendmail (which is way too big and heavy for what they need) - in general they're running stripped-down mail senders that don't bother checking error messages correctly, which is why greylisting's "Go away and come back in 5 minutes" is enough to discourage lots of them. But lots of ISPs have been jumping on the "Block Port 25" bandwagon (with no apologies to Linux users who run their own sendmail), so maybe the zombies will go back to using ISP mail servers more often.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  15. This makes sense but exceptions exist by davidwr · · Score: 1

    This makes sense for 99.9+% of customers including probably 99.99% of non-business customers. Customers who claim to have a legitimate need for port 25 and who can demonstrate they have the technical and management infrastructure in place to prevent abuse and the liability insurance or proof of financial responsibility should they fail should be allowed to continue using it subject to termination at any time if it is abused. Heck, I might even just settle for proof of financial responsibility, if they had enough insurance to cover damages from the time spamming was discovered until the plug was pulled.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  16. You can, but it's hokey by billstewart · · Score: 2, Informative

    Yeah, it's possible to do authentication on Port 25, but it's generally hokey and often broke things when people did it, and left passwords in the clear for eavesdroppers - 587 is a cleaner and more standardized solution. I remember having to configure Eudora for receive-before-send when my email provider was trying that approach...

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:You can, but it's hokey by MSG · · Score: 2, Interesting

      You do realize that SMTP on port 25 and MSA on port 587 are the same protocol, right? There's no way that one can be hokey and the other not. In both cases, STARTTLS can be used, and should be required before authentication is allowed.

      Providers should universally provide service on 587 in order to allow other ISPs to block outbound port 25, but arguing that authentication on 25 is hokey is just silly. The only reason not to bother is that sooner or later, port 25 is going to be blocked by the ISPs of remote users, and you really ought to be providing service on 587.

  17. great, only 7 years late by Indy1 · · Score: 5, Informative

    Verizon has been an epic sewer network for years, and has ignored their spam problem for years. If they want to clean up now (or make a lame attempt to clean up, as most telcos do), fine. It just means less work for iptables at my end.

    For those who are sick of Verizon's bullshit, here's my list (no promises this is complete, but it should have most of em) of Verizon's IP blocks.


    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:great, only 7 years late by phantomcircuit · · Score: 0, Offtopic
  18. E-mail Clients and Ports by dlevitan · · Score: 2, Interesting

    I wish that more software would default to 587 instead of 25. For example, Thunderbird doesn't even mention the possibility of 587 as a "default" port, which really needs to be changed.

    In any case, it's good to see the change to 587 become more widespread and hopefully it will eventually become the default port for sending messages (along with encryption + authentication), while 25 will be reserved exclusively for server-to-server communication.

    1. Re:E-mail Clients and Ports by ZerdZerd · · Score: 1

      Darn, why can't all the spammers stop using port 25, so we can use it again!

      --
      I'm not insane! My mother had me tested.
  19. Remembering credentials?! by coljac · · Score: 4, Insightful

    I like the suggestion that people are somehow lax in security because their mail client remembers their password. Who are these guys who type the password in every 3 minutes when they check their mail?

    --
    Everyone knows that damage is done to the soul by bad motion pictures. -Pope Pius XI
    1. Re:Remembering credentials?! by Anonymous Coward · · Score: 1, Funny

      I am and I've never had a probsnoopy417$lem with it.

    2. Re:Remembering credentials?! by Scotch42 · · Score: 1

      I like the suggestion that people are somehow lax in security because their mail client remembers their password. Who are these guys who type the password in every 3 minutes when they check their mail?

      once per session is enough... the client may keep the password in RAM never writing it to a file.

    3. Re:Remembering credentials?! by dotancohen · · Score: 1

      I like the suggestion that people are somehow lax in security because their mail client remembers their password. Who are these guys who type the password in every 3 minutes when they check their mail?

      Every three minutes? In my day we were checking our mail every 20 seconds, both ways uphill, and tapping out the password in binary!

      --
      It is dangerous to be right when the government is wrong.
    4. Re:Remembering credentials?! by MattskEE · · Score: 1

      I like the suggestion that people are somehow lax in security because their mail client remembers their password. Who are these guys who type the password in every 3 minutes when they check their mail?

      Every three minutes? In my day we were checking our mail every 20 seconds, both ways uphill, and tapping out the password in binary!

      And I'm guessing the two most popular passwords were "1" and "0".

  20. New generation of bots by IGnatius+T+Foobar · · Score: 1

    As more and more consumer ISP's block outbound connections on port 25, this will only accelerate the development of newer, smarter zombie bots that know how to read the configuration settings of popular email programs (perhaps even the passwords for popular webmail sites stored in your browser's saved password list) and use those settings to send mail.

    This will be even more wonderful because all of that spam will now have your name and email address on it.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:New generation of bots by WuphonsReach · · Score: 1

      Which is fine, because it narrows the area that you have to watch for outbound spam runs. Instead of having to run filtering software on port 25 at the border routers (which are probably already overworked), you can now make the mail server do it.

      And as a bonus, the mail server (because of authentication) will be able to e-mail the sender (whose credentials were used to do the run) that either their machine is infected or their credentials have been stolen. You're no longer guessing on which IP number is associated with which ISP customer, or what their contact address might be.

      As for the line "we don't trust our ISP's mail server"... well, tough. At some point, you *have* to trust some mail server to transmit your e-mail. If you want to run your own mail server, go ahead, and get the ISP to unblock you on port 25. Odds are, if you do this, you're probably not part of the 99.99% of the ISP's customer base who are causing the problem. Or you can sign up with a 3rd party e-mail provider (GMail?) and submit your e-mails to their mail server for further delivery.

      Heck, as a bonus, you're more likely to get SSL/TLS over port 465 or 587 than you could over port 25 with a 3rd party e-mail provider. So now your outbound e-mails and authentication details are protected from snooping until they get to the 3rd party mail server.

      --
      Wolde you bothe eate your cake, and have your cake?
    2. Re:New generation of bots by jonadab · · Score: 1

      > This will be even more wonderful because all of that spam will now have your name and email address on it.

      If all spam had the name and email address of the owner of the computer that was used to send the message, that would be a five-thousand-fold improvement over the current situation, wherein each individual spam message has a new random email address either pulled from a database of harvested addresses, or just made up on the spot by the automated sending software.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  21. The numbers don't match up by dave562 · · Score: 1

    I often see anecdotal numbers in the "millions" when people talk about zombie infected boxen. Yet the article quotes Spamhaus.org claiming "225,454" machines on all networks are sending spam. Even if one were to assume that only a quarter of all zombie machines are sending spam at any one given time, that's still only a million boxes that are compromised and sending spam.

    What's the deal? Are there really millions and millions of compromised Windows boxes out there in zombie networks? Or are the numbers overblown when matched up against activity logs that monitor traffic from compromised boxes?

    1. Re:The numbers don't match up by LingNoi · · Score: 1

      There's probably millions, just not used for sending spam.

      Most botnet owners charge for their usage for denial of service attacks. A popular example being halo tards DOSing others in the games at $500 a pop so they lag and can be killed easier.

    2. Re:The numbers don't match up by irtza · · Score: 1

      well, that depends on how the 225,454 number is derived. I doubt they can detect all machines behind a firewall - including simple home routers. Figure that if one machine on a home network is infected - the others are likely to be as well (same people managing them).

      --
      When all else fails, try.
  22. Re:Arrest, Try, Convict, and Sentence +1, Incendia by Anonymous Coward · · Score: 0

    LOL + (-1) stupidity

  23. Re:Enabler, not longterm solution by nabsltd · · Score: 1

    But lots of ISPs have been jumping on the "Block Port 25" bandwagon (with no apologies to Linux users who run their own sendmail), so maybe the zombies will go back to using ISP mail servers more often.

    Many ISPs will let you use outbound port 25 if you request it. This usually means only responsible users will have the ability.

    Also, you can configure sendmail to use port 587 on another server as the relay, so you could still use your own sendmail and relay through the ISP server.

  24. What ever happened to SSL and port 465? by Khopesh · · Score: 1, Insightful

    What the fuck are they doing on 587? That's a secondary half-ass port used as a compromise and a low-end workaround for ISPs and network admins who blanket-block port 25. If you're to move away from port 25 (which can easily accept TLS for encrypted authentication or even just encrypted data without authentication), you might as well move to the one that requires both authentication and encryption.

    NO responsible network or ISP should use plain-text authorization as the default method. I was astounded when I heard that RCN (et al!) fail to offer HTTPS webmail and POP3S email (if not the vastly superior IMAPS), and that TLS commands get dropped on the floor. This is completely unacceptable.

    Verizon and co should not be commended for this trivial step, they should be scolded for not going full-on SSL.

    --
    Use my userscript to add story images to Slashdot. There's no going back.
    1. Re:What ever happened to SSL and port 465? by sgt+scrub · · Score: 0

      Agreed. Port 465 traffic is the standard port for smtps and should be the ONLY port an email client should be sending email. If anyone believes a cable modem's traffic can't be sniffed for plain text smtp authentication they need to share that good dope with a hippy.

      --
      Having to work for a living is the root of all evil.
    2. Re:What ever happened to SSL and port 465? by jeaton · · Score: 4, Informative

      Port 587 was allocated by IANA and is documented by the IETF in RFC 2476, and the STARTTLS capability is documented in RFC 2487. It is not clear from the article whether Verizon is going to require STARTTLS or not. They may require STARTTLS for all mail on port 587 if they so choose.

      I assume that the "full-on SSL" that you would prefer refers to the non-standard port 465 ("SMTPs"). That port was chosen arbitrarily by Microsoft, has not been standardized by any common standards body, and was previously already allocated to "URL Rendesvous Directory for SSM".

      Why perpetuate non-standards when there are established standards which have the same functionality?

    3. Re:What ever happened to SSL and port 465? by MSG · · Score: 2, Insightful

      Don't be stupid. Verizon is planning to block outbound port 25 like a lot of other ISPs do in order to prevent trojans from sending out email. It's not their business to impose a requirement that other mail providers use their choice of STARTTLS on 587 or SSL on 465.

      If anyone is failing to do SSL, it has nothing to do with Verizon blocking outbound port 25, and Verizon should in no way be scolded for taking this step.

    4. Re:What ever happened to SSL and port 465? by Erik+Hensema · · Score: 2, Insightful

      smtps is rarely used these days. None of our customers are using it, I guess because most of them use clients such as Outlook that can't do it. They all do TLS, which is available on both port 25 and 587. And most mail servers disallow smtp auth over an unencrypted session.

      Lots of provider-provider smtp traffic is now encrypted, and still uses (and will always continue to use) port 25.

      The only difference between ports 25 and 587 is that 587 requires SMTP AUTH. Therefore, 587 is not suitable for delivery of mail to the MX of the domain of the recipient. 587 can only be used for the first injection of mail into the SMTP system from MDA to MTA.

      By blocking port 25 outgoing, you're effectively forcing your customers to inject mail to your own relay, or to an external relay with smtp auth. Now suddenly clients can only reach a very limited number of smtp servers. This centralizes the problems caused by infected nodes to those few smtp servers. The problem can be dealt with on those few servers, instead of the entire world.

      All consumer-grade access providers should block port 25 outgoing. Really. I'm tempted to create a dnsbl listing providers who don't adhere to this policy.

      --

      This is your sig. There are thousands more, but this one is yours.

    5. Re:What ever happened to SSL and port 465? by Khopesh · · Score: 1

      Thank you, jeaton. You have taught me a little more about the specs. To think that I'm a network admin, running a mail server (with a policy requiring port 465 but accepting 587) for a decently large company, and I didn't know that.

      The funny thing is that MS Outlook doesn't know about 465 (when you push to SSL + authentication on outgoing mail, the port doesn't change from 25) whereas Mozilla Thunderbird changes the port to 465 automatically. Also, running grep 465 /etc/services in Debian returns "ssmtp" with alternate name "smtps" and description "SMTP over SSL" rather than your correctly cited official IANA "URL Rendesvous Directory for SSM," implying that at least Debian, FreeBSD, and others who maintain their own lists are also propagating this issue.

      I had learned anecdotally (from the above sources and others) that 465 requires SSL (rather than STARTTLS, which makes it optional), and that it was therefore an easier way to require encryption in addition to authentication. Very interesting.

      That said, I still find it unacceptable that most ISPs fail to offer SSL encryption for mail over HTTPS, POP3S/IMAPS, and Submission/SMTP/SMTPS.

      --
      Use my userscript to add story images to Slashdot. There's no going back.
  25. Re:Article Confuses Mail Servers vs. Network Filte by nabsltd · · Score: 1

    It's already possible to reduce that simply by using passwords, or using various hokey port 25 authentication methods like receive-before-send; this cleans up the process a bit.

    There is no requirement for any "hokey" authentication...port 25 for connections from inside an ISP could be routed (netcat, iptables, etc.) straight to where an MTA that allows relaying would be listening. For bonus points, any connection from inside the ISP to port 25 on any machine would end up at the same ISP "internal" MTA.

    Meanwhile, connections to port 25 from outside the ISP would be routed to a "normal" MTA that doesn't require authentication and will not relay...it would only accept e-mail for domains local to "isp.com".

    You don't even need authentication to make this work...authentication just gives you one more piece of proof where a connection came from.

  26. cant identify by ip? by Anonymous Coward · · Score: 0

    ..."if the victims let their mail clients remember their authentication credentials, at least the zombies will be easily identifiable."...

    are they saying they don't keep track of who uses which IP? you gotta be kidding me.

    what they're doing is the easy thing, block port 25 and with it the majority of the spambots. they just don't want the hassle of getting the trojans removed from those thousands of machines. too expensive.

  27. Re:Article Confuses Mail Servers vs. Network Filte by Anonymous Coward · · Score: 1, Insightful

    Don't suggest that.

    Transparent proxies are the work of the devil and a long step towards full-blown internet censorship.

    Or do you work for a company that sells Great Firewalls to China?

  28. Good Changes by Snker · · Score: 1

    It's a very good idea for reducing spam

  29. Yo Dawg, by BrentH · · Score: 3, Funny

    I herd you like emails in your emails, so I put some traffic thru yo traffic.

  30. Re:Article Confuses Mail Servers vs. Network Filte by kindbud · · Score: 1

    What hokey port 25 authentication methods? Any authentication methods offered on port 587 can also be offered on port 25. There is nothing magical about "25" that makes strong authentication unpossible. There is nothing magical about "587" that makes it any more secure than "25." You can run an open relay just as easily on port 587 as you can run one on port 25. You can run SMTP-AUTH and TLS on port 25, and permit relaying to authenticated clients that use TLS, while non-authenticated and/or plain-text clients can only send mail destined for your own domains.

    Setting aside port 587 for smtp-submit simply makes the firewall rules at the border easier to manage.

    --
    Edith Keeler Must Die
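
The point made in this comment and in MSG's earlier reply, that ports 25 and 587 speak the same protocol and differ only in listener policy, can be modelled offline. This is an added example, not code from any poster or mail server; the `Policy` profiles, the `isp.example` domain and the `alice` credential are constructed assumptions, and the reply codes follow RFC 3207 and RFC 4954.

```python
import base64
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """What a listener enforces. The SMTP commands are identical on every port."""
    name: str
    require_tls_for_auth: bool   # refuse AUTH until STARTTLS has completed
    require_auth_for_mail: bool  # refuse MAIL FROM until AUTH has succeeded
    local_domains: frozenset     # recipient domains accepted without relaying


# Constructed profiles: a submission listener, and an MX listener that relays
# only for authenticated clients (the rule described in the comment above).
SUBMISSION = Policy("submission/587", True, True, frozenset({"isp.example"}))
MX = Policy("mx/25", True, False, frozenset({"isp.example"}))
USERS = {"alice": "correct horse"}  # constructed credential store


def plain_token(user, password):
    """Build an AUTH PLAIN initial response: base64(authzid NUL user NUL pass)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


class Session:
    """One client connection; TLS is modelled as a flag, not real encryption."""

    def __init__(self, policy):
        self.policy, self.tls, self.user, self.mail = policy, False, None, False

    def extensions(self):
        ext = [] if self.tls else ["STARTTLS"]
        if self.tls or not self.policy.require_tls_for_auth:
            ext.append("AUTH PLAIN")  # never advertised in cleartext when TLS is required
        return ext

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250 " + " ".join(["mail.isp.example"] + self.extensions())
        if verb == "STARTTLS":
            if self.tls:
                return "503 5.5.1 TLS already active"
            # RFC 3207: state learned before the handshake is discarded.
            self.tls, self.user, self.mail = True, None, False
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            if self.policy.require_auth_for_mail and self.user is None:
                return "530 5.7.0 Authentication required"
            self.mail = True
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            return self._rcpt(arg)
        return "502 5.5.1 Command not implemented"

    def _auth(self, arg):
        if self.policy.require_tls_for_auth and not self.tls:
            return "538 5.7.11 Encryption required for requested authentication mechanism"
        mech, _, token = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 5.5.4 Unrecognized authentication type"
        try:
            _authzid, user, password = (
                base64.b64decode(token, validate=True).decode().split("\0"))
        except ValueError:  # bad base64, bad UTF-8, or wrong number of fields
            return "501 5.5.2 Cannot decode AUTH PLAIN response"
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return "535 5.7.8 Authentication credentials invalid"
        self.user = user
        return "235 2.7.0 Authentication successful"

    def _rcpt(self, arg):
        if not self.mail:
            return "503 5.5.1 Need MAIL before RCPT"
        domain = arg.partition(":")[2].strip().strip("<>").rpartition("@")[2].lower()
        # Local delivery is always accepted; relaying needs an authenticated user.
        if domain in self.policy.local_domains or self.user is not None:
            return "250 2.1.5 Recipient OK"
        return "550 5.7.1 Relaying denied"


def dialogue(policy, lines):
    """Run client lines through one session and return the numeric reply codes."""
    session = Session(policy)
    return [int(session.handle(line)[:3]) for line in lines]
```
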
  31. Completely pointless? by MikeBabcock · · Score: 3, Insightful

    In my opinion, the transition to port 587 is nearly pointless. I already use authentication on port 25 to identify customers.

    And according to one of the only people I'd trust on SMTP issues, "the SUBMIT specification has several fundamental flaws that make compliance practically impossible. I advise against all use of port 587" -- djb.

    --
    - Michael T. Babcock (Yes, I blog)
  32. Re:Enabler, not longterm solution by Anonymous Coward · · Score: 0

    with no apologies to Linux users who run their own sendmail

    None deserved, because probably 80% of them have some line in their sendmail.cf file like
    >&;:$=M m QQ!2z ~dnl
    that not only turns their server into an open relay, but sends every email 5 times, and on every third tuesday sends the entire contents of your harddrive as an attachment too.

    For the love of God, if you don't have a clue as to what you're doing, don't do sendmail. Use exim, the installation script configures 80% of the sites out there in 1-4 questions, and for the remainder, the configuration is in a human-readable syntax that doesn't require learning a whole macro language just to configure the program that creates the configuration file for you.

    (PROTIP: if you even think about asking a question about sendmail.cf, you are demonstrating that you have no fucking clue what you're doing, and by continuing to use sendmail you deserve to have your computing license revoked until you have memorized the entire m4 documentation.)

  33. It's not pointless by pavon · · Score: 1

    It is useful because it allows ISPs to block port 25 for customers who do not run their own mail server (the vast majority of them). This makes it impossible for zombied machines to send mail directly, instead having to go through a relay. Open relays are much easier to filter against / get shut down for abuse, than a whole swath of zombie computers. Mail going through authenticated relays is also easier to monitor for abuse, plus once the mailhosts relaying the authenticated mail are affected by zombie generated SPAM, they then have an incentive to do something about it.

    In short it forces zombie SPAM to be channeled through choke points where it can be more easily identified and shut down.

    As for DJB, IIRC, his complaints against SUBMIT were entirely restricted to the fact that it will be yet another case where everyone implements de facto behavior, rather than following the standard to the letter, because the standard has some flaws in the way it is written. I agree that this is annoying for new implementers, as they have to look beyond the standard to "conventional wisdom" to figure out how to be interoperable. But this is true of every single network protocol in existence to varying degrees. I don't think he had any complaints about the idea of authenticated relays happening on a different port than mailhost-to-mailhost delivery. But, I can't find anything more detailed than what you posted so I can't say for sure.
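
The monitoring that this comment and WuphonsReach's earlier reply describe, where an authenticated relay ties each outbound burst to an account instead of an IP address, can be sketched as a sliding-window check over submission logs. This is an added example, not code from any poster or ISP; the log format, field names, thresholds and sample data are constructed assumptions, and the two verdict labels are heuristics.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample: one line per accepted recipient on the submission server."""
    t0 = datetime(2009, 2, 26, 10, 0, 0)
    rows = []
    for i in range(3):   # alice: one message every 20 minutes
        rows.append((t0 + timedelta(minutes=20 * i), "alice",
                     "192.0.2.10", f"friend{i}@example.org"))
    for i in range(8):   # bob: 8 recipients in 40 seconds from one address
        rows.append((t0 + timedelta(seconds=5 * i), "bob",
                     "192.0.2.20", f"v{i}@example.net"))
    for i in range(9):   # carol: 9 recipients in 2 minutes from three addresses
        rows.append((t0 + timedelta(seconds=15 * i), "carol",
                     f"198.51.100.{1 + i % 3}", f"w{i}@example.com"))
    rows.sort()
    return [f"{ts:%Y-%m-%dT%H:%M:%SZ} user={u} client={c} rcpt={r}"
            for ts, u, c, r in rows]


def parse(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    stamp, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_spam_runs(lines, window=timedelta(minutes=5), max_rcpts=5):
    """Flag accounts that reach more than max_rcpts distinct recipients per window.

    Returns {user: {"peak_recipients", "clients", "verdict"}}. Input must be in
    time order, as a server log is.
    """
    recent = defaultdict(deque)   # user -> (ts, rcpt, client) tuples inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        queue = recent[rec["user"]]
        queue.append((rec["ts"], rec["rcpt"], rec["client"]))
        while rec["ts"] - queue[0][0] > window:   # drop events older than the window
            queue.popleft()
        rcpts = {rcpt for _, rcpt, _ in queue}
        if len(rcpts) > max_rcpts:
            alert = alerts.setdefault(
                rec["user"], {"peak_recipients": 0, "clients": set()})
            alert["peak_recipients"] = max(alert["peak_recipients"], len(rcpts))
            alert["clients"] |= {client for _, _, client in queue}
    for alert in alerts.values():
        # One source address suggests the customer's own machine is infected;
        # several suggest the password is being used from elsewhere.
        alert["verdict"] = ("infected-machine" if len(alert["clients"]) == 1
                            else "stolen-credentials")
    return alerts


if __name__ == "__main__":
    for user, alert in sorted(find_spam_runs(constructed_log()).items()):
        print(user, alert["peak_recipients"], sorted(alert["clients"]), alert["verdict"])
```
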

  34. Re:Article Confuses Mail Servers vs. Network Filte by icydog · · Score: 1

    If you want the ISP's MTAs to relay mail sent from internal computers, then this will break TLS over port 25 as the certificates will (by design) be invalid for the ISP's servers.

  35. but are they still using that spamhaus crap? by Uzik2 · · Score: 1

    grr! Spamhaus is a sock puppet for industry forcing little guys running mail servers off the internet.

    --
    -- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
    1. Re:but are they still using that spamhaus crap? by buss_error · · Score: 1

      The only people I see with SpamHaus listings are:

      1. People too clueless to be allowed to send email (or run an email server depending on why the listing is there)
      2. People that do not use closed loop, unique token, confirmed opt-in
      3. Spammers

      If you have a problem with a SpamHaus listing, there are well documented ways to go about resolving the issue and having the listing removed. Remember children, SpamHaus only rejects emails sent to SpamHaus servers. If your mail is rejected by a non-spamhaus server, then the email administrator chose to do so, knowingly, and with effort to make that happen. No MTA software comes pre-configured to use ANY blocking list.

      If you think SpamHaus is being unreasonable, there is a public forum where you can post about the problem and get non-spamhaus people to comment. It's called UseNet, and the group you want to post in is News.Admin.Net-Abuse.Email. But bring your nomex undies, you'll need 'em.

      It's my opinion that SpamHaus is ***FAR*** too lenient, not too strict.

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    2. Re:but are they still using that spamhaus crap? by Uzik2 · · Score: 1

      >If you have a problem with a SpamHaus listing, there are well documented ways to go about resolving the issue and having the listing removed.

      The way is well documented but impossible to use. Spamhaus blocks ranges of IP's based solely on their being part of a bank assigned to individuals by a cable internet provider. There IS NO WAY FOR INDIVIDUALS TO UNBLOCK THEMSELVES. PERIOD. The cable company must do it and they have so far not even answered my messages about the problem. If there was a decent alternative to the cable modem for low cost internet I would change providers. There isn't. I'm too far from the NOC to get DSL even if I wanted it and AT&T is evil.

      >there is a public forum where you can post about the problem and get non-spamhaus people to comment. It's called UseNet,

      Post to usenet? So that non Spamhaus people can read it? First of all what is the point? As far as I know nobody is still using Usenet except moderated because the spam is so bad. Second it exposes me to a further deluge of spam since bots scan it for email addresses. How will posting in this forum have any positive effect?

      >SpamHaus only rejects emails sent to SpamHaus servers. If your mail is rejected by a non-spamhaus server, then the email administrator chose to do so, knowingly, and with effort to make that happen. No MTA software comes pre-configured to use ANY blocking list.

      Sure, but two thirds of the ISP's my regular correspondents use HAVE implemented blocking based on Spamhaus's public block list. They could care less if some little guy like me gets run over. In fact, I'd bet they're hoping for exactly that to happen.

      Further Spamhaus's concept of blocking IP's only partly works and you don't care that only people with lots of bucks can run mail servers. If they truly wanted to reduce spam the money spent on bandwidth to host PBL's could be used to develop and publicize grey listing technology. I've implemented it and it works very well. This would significantly reduce spam and reduce the number of useless bits being sent over the internet. I can only assume they're either stupid or trying to push independent mail server operators off the net. There are corporations paying them to do it.

      You are either clueless or a sock puppet.

      --
      -- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
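The greylisting the comment above says it has implemented, as an added sketch that is not part of the thread and not the commenter's code. It temp-fails the first attempt of each unseen triplet and accepts a retry after a delay; the delay values, reply text, network-prefix keying and addresses are assumptions chosen for illustration.

```python
import ipaddress

class Greylist:
    """Temp-fail the first delivery attempt of every unseen (network, sender, recipient) triplet."""

    def __init__(self, min_delay=300, retry_window=4 * 3600, pass_ttl=36 * 86400):
        self.min_delay = min_delay        # seconds a sender must wait before a retry counts
        self.retry_window = retry_window  # a retry later than this starts over
        self.pass_ttl = pass_ttl          # how long a proven triplet skips the delay
        self.pending = {}                 # triplet -> time of first attempt
        self.passed = {}                  # triplet -> time of last accepted attempt

    @staticmethod
    def _key(client_ip, mail_from, rcpt_to):
        # Key on the client's /24 (or /64 for IPv6) so a retry from a sibling
        # outbound host of the same provider still matches the first attempt.
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net.network_address), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the (code, text) the server should give at RCPT TO time."""
        key = self._key(client_ip, mail_from, rcpt_to)
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= self.pass_ttl:
            self.passed[key] = now
            return 250, "2.1.5 OK"
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now       # unseen or stale: start the clock
            return 451, "4.7.1 Greylisted, try again later"
        if now - first < self.min_delay:
            return 451, "4.7.1 Greylisted, try again later"
        del self.pending[key]             # the sender queued and retried
        self.passed[key] = now
        return 250, "2.1.5 OK"

def demo():
    gl = Greylist()
    msg = ("alice@example.org", "bob@example.net")  # constructed addresses
    return [
        gl.check("192.0.2.10", *msg, now=0)[0],      # first contact
        gl.check("192.0.2.10", *msg, now=30)[0],     # retry too soon
        gl.check("192.0.2.77", *msg, now=600)[0],    # same /24 after the delay
        gl.check("192.0.2.10", *msg, now=700)[0],    # triplet already proven
        gl.check("198.51.100.5", *msg, now=700)[0],  # different network
    ]
```

The filter only costs a sender that never retries; a sender that queues and retries gets through after `min_delay`, so greylisting delays mail rather than authenticating it.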
  36. hehe by pavon · · Score: 3, Informative

    I just reread your link. In it DJB explicitly advises against running authentication on port 25. In fact, for security reasons, he wrote two separate programs, qmail-smtpd and ofmipd, to keep the tasks of relaying authenticated email and accepting mail for local delivery as removed from one another as possible.

    He defends the idea of separating these two tasks, not only to separate ports but separate programs, on this thread on the IETF-SUBMIT mailing list.

    So, yeah, his complaint against port 587 was simply that if you can't implement the SUBMIT standard correctly (which according to him no one can), you should use a different port than the one specified in that standard. The rest of the world doesn't care, because it sees all the various authentication methods (including SUBMIT) as extensions to SMTP, and not as a different protocol (OFMIP as DJB calls them collectively), and has no qualms running a standard (non-SUBMIT compliant) SMTP server on port 587.

  37. Cox? by Anonymous Coward · · Score: 0

    "my boss uses Cox"

    Cool. How do you like working for a female boss?

    1. Re:Cox? by Anonymous Coward · · Score: 0

      His boss is GAY you insensitive clod!

  38. wishing for Domain Keys Identified Mail (DKIM) ? by johnjones · · Score: 1

    YAY port 587 is a great thing !

    but are they going to sign their mail ?

    now that would be a good thing so people can not FAKE a @Verizon.net address
    google paypal yahoo etc do this

    if Verizon did it people would start to respect @Verizon.net

    simple if I get a Verizon.net address and it passes the DKIM then I know it came from their domain

    but a big WELL DONE ! someone with a clue got this done !

    regards

    John Jones

  39. Your Ideas .... by djdavetrouble · · Score: 1

    ... are intriguing and I wish to subscribe to your newsletter.

    --
    music lover since 1969
  40. There is no need to require a specific port by Anonymous Coward · · Score: 0

    Changing the port is like modulating your shields against the borg: it just delays the inevitable. There is a way to stop this, though. All that is required is some kind of registration service, say a web-accessible form, for the ISP's users to register their outgoing e-mail addresses with the mail server. It's no longer a problem then: the spambot suddenly needs to be able to spoof one of the user's valid outgoing e-mail addresses - and if it does, the ISP can now trace the offending account, and notify the account holder. If I'm missing something, someone please let me know. A lot of ISP's already do it this way.

  41. agreed, this is a breakfix. by nimbius · · Score: 1

    verizon obviously has some equipment or customers behind their mailservers that do not support starttls. to avoid total breakage i would imagine they will include port forwarding on a few nets as well. moving the ports is...a bandage at best.

    --
    Good people go to bed earlier.
  42. What nonsense! by dzfoo · · Score: 0

    This article makes no sense!

    If spammers are attracted to the company's network, it may be because Verizon still allows customers to send e-mail on Port 25, the communications channel that is traditionally used by large organizations to send e-mail.

    Port 25 is traditionally the one used to send e-mail. ALL e-mail. It is not the one used "by large corporations", it is the one used by everyone. If some ISPs change the port, that's fine, but it still does not change the fact that port 25 is the known port for SMTP transactions.

    Most other large ISPs long ago stopped allowing customers to send mail on Port 25 because spammers typically set up junk e-mail relays on this port after infecting a computer with malware designed to convert the host system into a spam zombie.

    A spammer can set up a "junk e-mail relay" on any port. The security has nothing to do with the port.

    Many ISPs have migrated customers away from Port 25 to sending and receiving e-mail on port 587, which - unlike Port 25 - requires the sender to authenticate him or herself with a username and password before it will permit the sending or relaying of e-mail.

    WTF? Port 587 requires authentication? Port 25 does not?! The port is not some magical concept with special abilities. A port is just the communications channel used within the TCP/IP bandwidth. As an analogy, imagine if your cable company said "We had HBO in channel 20 and everybody was stealing it. We moved it to channel 42, because--as you know--channel 42 requires scrambling."

    Switch ports. Wow! Why didn't anybody else think of that. That magical port 587, which is impervious to spam.

    The ISP can set to require authentication on their SMTP server on any port. They could do this on port 25, though I'm sure that they would piss off some big clients in their network, if say, their e-mail stopped working one day. It's easier to push the cattle consumer to a different port and require authentication (arbitrarily, by them, not because of the port). After all, who cares if they complain; it's not as if Verizon answers its phones or offers proper customer service...

    I'm sure that what Verizon is doing could be a Good Thing, but this article does not explain their reasoning properly. It makes it sound as if Verizon hit on a technological solution to the Spam problem, instead of saying what is really on their minds:

    "We don't want to piss off our large clients by forcing everyone to authenticate and go through extra hoops to configure their system. So we'll offer a two tiered service: Large clients will continue using SMTP on port 25 as normal (inviting spam, as normal), and we'll force the rest of the users to use the SMTP ghetto on port 587. We don't even need to make the service on that port work well or reliably, since the big guys will still have the premium servers allocated on port 25."

              -dZ.

    --
    Carol vs. Ghost
    ...Can you save Christmas?
    1. Re:What nonsense! by Anonymous Coward · · Score: 0

      Exactly, the port is NOT the problem; changing the port will just be a temporary deterrent to the zombies. What's to stop them from starting to use port 587 if 25 isn't open?? You can run SMTP auth on port 25 as Verizon already DOES for their .net SMTP servers--the problem is the use of compromised accounts being used for spam. They can change it to whatever port they want and it would just be a matter of time till zombie networks start spamming via the latest port number that ISPs decide on using. Until you can teach people to be more careful about what they click on or what emails they open, you'll always have idiots who perpetuate the spam problem, regardless of what port their ISP uses. Yes, fine, change the port, but it doesn't fix anything in the long run. This article sounds waaay misleading and also implies that Verizon does not already use SMTP authentication.

    2. Re:What nonsense! by dzfoo · · Score: 1

      Modded "overrated"? Why is that?

              -dZ.

      --
      Carol vs. Ghost
      ...Can you save Christmas?
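Comments 40 and 42 above both turn on server policy rather than port numbers: which listeners demand AUTH, and whether the envelope sender must be an address registered to the authenticated account. An added sketch of that policy follows; it is not part of the thread and not any ISP's code, and the domains, account table, function names and reply texts are constructed assumptions.

```python
LOCAL_DOMAINS = {"isp.example"}          # constructed: domains this server delivers for
ACCOUNT_SENDERS = {                      # constructed: addresses each account registered
    "u1001": {"alice@isp.example", "alice@smallbiz.example"},
}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def mail_policy(port, auth_user, mail_from, rcpt_to, require_auth_ports=frozenset({587})):
    """Return (code, text, accountable_user) for one MAIL FROM / RCPT TO pair.

    require_auth_ports is plain configuration: nothing about a port number
    enforces authentication, the listener's policy does.
    """
    if port in require_auth_ports:
        if auth_user is None:
            return 530, "5.7.0 Authentication required", None
        if mail_from.lower() not in ACCOUNT_SENDERS.get(auth_user, set()):
            # Authenticated, but claiming an address the account never registered.
            return 553, "5.7.1 Sender address not owned by user", auth_user
        # Relaying is allowed, and every message is tied to an account.
        return 250, "2.1.5 OK", auth_user
    # Unauthenticated listener (server-to-server role): local recipients only.
    if domain(rcpt_to) in LOCAL_DOMAINS:
        return 250, "2.1.5 OK", None
    return 550, "5.7.1 Relaying denied", None

def demo():
    out = "friend@elsewhere.example"     # constructed outside recipient
    return [
        mail_policy(587, None, "alice@isp.example", out)[0],        # no AUTH on 587
        mail_policy(587, "u1001", "forged@bank.example", out)[0],   # unregistered sender
        mail_policy(587, "u1001", "alice@isp.example", out)[0],     # accepted, traceable
        mail_policy(25, None, "x@elsewhere.example", "bob@isp.example")[0],  # inbound mail
        mail_policy(25, None, "x@elsewhere.example", out)[0],       # open-relay attempt
        mail_policy(25, None, "x@elsewhere.example", "bob@isp.example",
                    require_auth_ports={25, 587})[0],               # AUTH forced on 25 too
    ]
```

The third result is the case the story summary points at: a zombie that reuses stored credentials still gets mail out, but each message now carries an account the ISP can trace.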
  43. Zombies by Bootarn · · Score: 1

    Verizon pledges to clean up their zombie problem quickly.

    That's what they said about Ravenholm, and see what happened!

  44. Maybe they can add SSL to their webmail too by Anonymous Coward · · Score: 0

    Maybe they can add SSL to their webmail too

  45. Hear! Hear! by professorguy · · Score: 1

    Now that's a response that'll shut 'em up. Right comes not only from correct analysis, but also requires a refusal to live in fear! Nice job.

    1. Re:Hear! Hear! by Raenex · · Score: 1

      Posting Bill Gates' home address is refusing to live in fear?

  46. Absolutely amazing! by OhHellWithIt · · Score: 1

    It's only been about five or six years since I wrote a letter to a Verizon executive about email I was receiving from Verizon zombies. I was frustrated by no way of contacting them online and looked up the executive's postal mailing address. I got no response.

    Their track record continues. I looked for a way to find out if they will be blocking TCP/25 connections to other ISPs or just to their mail servers, and there seems to be no way to contact a live human being at that company.

    --
    "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
  47. One step closer... by Anonymous Coward · · Score: 0

    Is this spam problem being taken advantage of by the new world order as a reason for identifying oneself before sending email?

    Big brother is making moves.

  48. Re:Article Confuses Mail Servers vs. Network Filte by amorsen · · Score: 1

    Don't worry, modern deep inspection can do almost anything that a transparent proxy can do, and it's generally harder to detect.

    --
    Finally! A year of moderation! Ready for 2019?
  49. Re:wishing for Domain Keys Identified Mail (DKIM) by Conficio · · Score: 1

    DKIM is helpful in some cases but not too many.

    The real solution to spam is individual sender signatures, because:
    * A mail server (ISP or IT or self owned) can never accurately decide what is SPAM for the recipient.
    * Signed e-mail allows the recipient to filter accordingly
    * Unknown senders can be assigned a trust score based on the network of trust and filtered accordingly
    * Keys can be bought from commercial vendors, but they don't have to
    * Mail lists can re-sign a message, so no forwarding problems there, just a bit of computation.

    Do you sign your e-mail? Start today and make the world better. Once the signature is universal, even the ISPs get rid of the 80% + useless SPAM, because it will be not profitable anymore. If the ISPs want to do something about it, give signature keys to your customers or sign the e-mail automatically with the customers key (by default).

    --
    Busy helping non technical users of OpenOffice.org - http://plan-b-for-openoffice.org/