Verizon.net Finally Moving Email To Port 587

The Washington Post's Security Fix blog is reporting that Verizon, long identified as the largest ISP source of spam, is moving to require use of the submission port, 587, in outbound mail — and thus to require authentication. While spammers may still be able to relay spam through zombies in Verizon's network, if the victims let their mail clients remember their authentication credentials, at least the zombies will be easily identifiable. Verizon pledges to clean up their zombie problem quickly. We'll see.

Re:What's this "finally" shit?

[value_added]

You can set up port 25 SMTP to require authentication for relay purposes, without having to configure end user's machines for another port.

More broadly, authentication can be configured for port 25, port 587, or not at all. Typically, the submission port requires authentication.

As for the article, this factoid is amusing:

Spamhaus currently includes 225,454 U.S. based Internet addresses on its CBL. Of those, nearly one-quarter -- almost 56,000 -- are assigned to Verizon.net. Comcast, which according to Spamhaus is home to the next-largest concentration of malicious hosts among U.S. ISPs, has fewer than half as many listings.

Re:Do zombies even use ISP mail servers?

[stevey]

Indeed.

But if you're the ISP you can just say "Hey customers outgoing port 25 is blocked - use authentication and port 587 to send mail".

In general I'm against ISP blocking services, but in the case of spam prevention its a good choice to make.

(The ideal would be to allow outgoing, but cut people off if they spam. That would punish only the guilty, but I guess they're not so keen on that).

Article Confuses Mail Servers vs. Network Filters

[billstewart]

As far as I can tell from this article and a few others that are derived from the same press releases, what VZ is doing here is setting up their own mail servers to use Port 587 submission instead of Port 25. That won't stop zombies or legitimate Linux mail systems from sending mail directly to their recipients' systems, though I'm guessing that they'll get around to blocking Port 25 (sigh) once they've got most of their users migrated to 587.

What this will do is give them authentication, which makes it easier for them to block customers who use VZ's mail servers from spamming, but I'd be surprised if there's much of that happening (though botnets keep evolving their techniques.) It's already possible to reduce that simply by using passwords, or using various hokey port 25 authentication methods like receive-before-send; this cleans up the process a bit.

Enabler, not longterm solution

[billstewart]

Most ISPs already do a fair bit of policing on the users of their mail servers, so this probably won't make a big dent (though botnets keep evolving, and if the scalability works to use ISP mail servers, they'll go back to it.) This basically provides a cleaner, more standardized solution for mail submission and authentication. VZ might block Port 25 later, and getting their users onto 587 makes it easier.

Zombies already do deliver their mail directly using Port 25. They're not generally running Real Sendmail (which is way too big and heavy for what they need) - in general they're running stripped-down mail senders that don't bother checking error messages correctly, which is why greylisting's "Go away and come back in 5 minutes" is enough to discourage lots of them. But lots of ISPs have been jumping on the "Block Port 25" bandwagon (with no apologies to Linux users who run their own sendmail), so maybe the zombies will go back to using ISP mail servers more often.

Re:Do zombies even use ISP mail servers?

[Chabo]

In general I'm against monitoring people secretly and continuously; but in the case of cities where children are legally or physically possibly present, it's a good choice to make to stop pedophiles.

... what?

Remembering credentials?!

[coljac]

I like the suggestion that people are somehow lax in security because their mail client remembers their password. Who are these guys who type the password in every 3 minutes when they check their mail?

What ever happened to SSL and port 465?

[Khopesh]

What the fuck are they doing on 587? That's a secondary half-ass port used as a compromise and a low-end workaround for ISPs and network admins who blanket-block port 25. If you're to move away from port 25 (which can easily accept TLS for encrypted authentication or even just encrypted data without authentication), you might as well move to the one that requires both authentication and encryption.

NO responsible network or ISP should use plain-text authorization as the default method. I was astounded when I heard that RCN (et al!) fail to offer HTTPS webmail and POP3S email (if not the vastly superior IMAPS), and that TLS commands get dropped on the floor. This is completely unacceptable.

Verizon and co should not be commended for this trivial step, they should be scolded for not going full-on SSL.

Re:What ever happened to SSL and port 465?

[MSG]

Don't be stupid. Verizon is planning to block outbound port 25 like a lot of other ISPs do in order to prevent trojans from sending out email. It's not their business to impose a requirement that other mail providers use their choice of STARTTLS on 587 or SSL on 465.

If anyone is failing to do SSL, it has nothing to do with Verizon blocking outbound port 25, and Verizon should in no way be scolded for taking this step.

Re:What ever happened to SSL and port 465?

[Erik+Hensema]

smtps is rarely used these days. None of our customers are using it, I guess because most of them use clients such as outlook can't do it. They all do TLS, which is available on both port 25 and 587. And most mail servers disallow smtp auth over an unencrypted session.

Lots of provider-provider smtp traffic is now encrypted, and still uses (and will always continue to use) port 25.

The only difference between ports 25 and 587 is that 587 requires SMTP AUTH. Therefore, 587 is not suitable for delivery of mail to the MX of the domain of the recipient. 587 can only be used for the first injection of mail into the SMTP system from MDA to MTA.

By blocking port 25 outgoing, you're effectively forcing your customers to inject mail to your own relay, or to an external relay with smtp auth. Now suddenly clients can only reach a very limited number of smtp servers. This centralizes the problems caused by infected nodes to those few smtp servers. The problem can be dealt with on those few servers, in stead of the entire world.

All consumer-grade access providers should block port 25 outgoing. Really. I'm tempted to create a dnsbl listing providers who don't adhere to this policy.

Re:Do zombies even use ISP mail servers?

[robot_love]

He's saying that a losing a little bit of liberty to gain some safety isn't worth it. He did this by cleverly rewording the original poster's statement about email to make it about pedophiles to highlight the fact it's essentially the same issue, simply in a different context.

Re:Article Confuses Mail Servers vs. Network Filte

Don't suggest that.

Transparent proxies are the work of the devil and a long step towards full-blown internet censorship.

Or do you work for a company that sells Great Firewalls to China?

Re:Won't make a difference in the long run

[vux984]

The right answer is obviously to send an automated email informing them that according to your data their computer is compromised and if the spam doesn't stop the offending ports will be locked.

That's not an obviously right answer.

First they'll ignore your email. (Assuming they even get it, because the people with zombie PCs don't check their ISP mail they mostly use hotmail/gmail/yahoo etc so they'll never see the message from their ISP.)

Then you follow through on your threat and block their access.

At which point they phone your Customer Support to complain that their 'internets is broken', bitch that you never warned them, and when your CSR tells them they need to have someone clean out their PC they go ballistic because that's hard or expensive. And the whole time they're on the phone with your CSR its costing you money, and creating an unhappy customer.

It might actually cost you less to just let the zombie spam away, and keep the customer is happy.

Completely pointless?

[MikeBabcock]

In my opinion, the transition to port 587 is nearly pointless. I already use authentication on port 25 to identify customers.

And according to one of the only people I'd trust on SMTP issues, "the SUBMIT specification has several fundamental flaws that make compliance practically impossible. I advise against all use of port 587" -- djb.

Re:Finally, Verizon, Finally!!

From the parent's posting:

After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages.

Sounds like commercial mail to me. Sounds like SPAM.

Nothing is wrong with commercial newsletters when the recipients are your customers and have explicitly stated that they want to receive it.
And 250 Mails is actually a pretty low number.

Re:What's this "finally" shit?

[characterZer0]

Will they even let you get business class? My ISP (Time Warner) simply refuses to sell business class to a building zoned residential.