

Verizon.net Finally Moving Email To Port 587

The Washington Post's Security Fix blog is reporting that Verizon, long identified as the largest ISP source of spam, is moving to require use of the submission port, 587, in outbound mail — and thus to require authentication. While spammers may still be able to relay spam through zombies in Verizon's network, if the victims let their mail clients remember their authentication credentials, at least the zombies will be easily identifiable. Verizon pledges to clean up their zombie problem quickly. We'll see.


  1. try PRQ.se by Anonymous Coward · · Score: 2, Informative

    I've been routing my traffic thru their traffic for a few years now; they're not limiting anyone and keep great privacy. From what I heard, their tunnel service will be open for new customers in a few days again, so now is a great time.

  2. Opportunity by soundguy · · Score: 2

    Sounds like a great opportunity to charge millions of clueless users $50 to change the setting for them. I see a Vegas vacation on my event horizon.

    --
    Nothing worthwhile ever happens before noon
  3. Finally, Verizon, Finally!! by Smidge207 · · Score: 5, Interesting

    I found out I was a spammer when I investigated a message returned to me. I ended up talking with someone from SORBS. After emailing SORBS a couple of times, I received this message from Michelle Sullivan: "SORBS lists IP addresses that send spam. Often there is real email mixed with the spam, sometimes deliberately, sometimes accidentally. In this case you are using an IP address to send your email that has previously, and is still, sending spam. The IP address is blocked. I'd contact your provider and complain bitterly about it, because it's the provider that is listed, not you specifically."

    I send out a newsletter with about 250 subscribers. After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages. I rarely approach 200 messages and the newsletter is a monthly. Verizon told me I couldn't even send the newsletter in one blast; I had to limit it to 100 subscribers an hour! And in late Fall 2008, some providers, like MS, would reject my mail simply because it had @Verizon.net in the sender's address. I knew I wasn't sending out large amounts of email, let alone spam.

    Within those imposed limits, Verizon still could not bring its huge entity to investigate my complaint. In late December, we switched to Constant Contact to email the newsletter. While my boss uses Cox since he works mostly from home, the office is still "connected" with Verizon!

    Boy, I hate Verizon! Now, maybe they will kill the Zombies from all those dead zones they claim not to have!

    =smidge=

    --
    Is it just my observation, or is eldavojohn an idiot?
    1. Re:Finally, Verizon, Finally!! by Jurily · · Score: 4, Funny

      I send out a newsletter with about 250 subscribers per zombie.

    2. Re:Finally, Verizon, Finally!! by ILikeRed · · Score: 2, Interesting
      Guess what, unless you were careful to
      • Include the correct header info (you did mark your messages "Bulk" - right?)
      • Provide an automated opt-out method
      • and... Include your valid physical postal address

      then guess what, you not only are a spammer, but you probably also broke the law.

      --
      I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
    3. Re:Finally, Verizon, Finally!! by nabsltd · · Score: 4, Informative

      I send out a newsletter with about 250 subscribers. After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages.

      Verizon Business accounts assume that you will probably be running a business, and have your own domain.

      If you do things this more professional way, there are no limits with Verizon DSL or FiOS (other than the speed you pay for being a "limit").

    4. Re:Finally, Verizon, Finally!! by Anonymous Coward · · Score: 2, Informative
      Since he is sending out a newsletter to subscribers, I imagine the following in the page you referenced applies:

      A "transactional or relationship message" — email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship — may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act.

    5. Re:Finally, Verizon, Finally!! by GoodNicksAreTaken · · Score: 4, Informative

      IANAL, Yet.
      Guess what, "The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email"
      Parent did not specify that it was commercial email and "newsletter" indicates that it likely is not. Even if they were of a commercial nature they would likely be exempted under the CAN-SPAM act as they would qualify as "relationship" messages.

    6. Re:Finally, Verizon, Finally!! by PuddleBoy · · Score: 2, Informative
      In late December, we switch to Constant Contact to email the newsletter.

      A number of admins I know block all email originating from Constant Contact as UCE. That's the problem with a lot of 'email marketing firms' - they take legit users along with spammers or quasi-spammers. Unless you decide to truly take control of your email by operating your own mail server, you run the risk of getting caught using an entity that gets blocked for their other clients' activities.

  4. What's this "finally" shit? by the+unbeliever · · Score: 4, Informative

    You can set up port 25 SMTP to require authentication for relay purposes, without having to configure end user's machines for another port.

    1. Re:What's this "finally" shit? by value_added · · Score: 2, Insightful

      You can set up port 25 SMTP to require authentication for relay purposes, without having to configure end user's machines for another port.

      More broadly, authentication can be configured for port 25, port 587, or not at all. Typically, the submission port requires authentication.

      As for the article, this factoid is amusing:

      Spamhaus currently includes 225,454 U.S. based Internet addresses on its CBL. Of those, nearly one-quarter -- almost 56,000 -- are assigned to Verizon.net. Comcast, which according to Spamhaus is home to the next-largest concentration of malicious hosts among U.S. ISPs, has fewer than half as many listings.

    2. Re:What's this "finally" shit? by erroneus · · Score: 4, Interesting

      This implies that they are blocking all outbound port 25 requests. All ISPs in Japan that I am aware of have been doing this for a long time. The problem is that if you have a 3rd party email service provider, you can no longer send email through them because port 25 will be blocked and if the other party offers the alternative port as well, it is still often blocked.

      Still, for MOST people, this is a good plan. I just think that users should be informed of this change, informed why it is a good idea for MOST people and to give them an option to "opt out" of the restriction in some way if the restriction is not compatible with their current needs.

    3. Re:What's this "finally" shit? by The+Great+Pretender · · Score: 2, Interesting

      I recently went through this problem with my work email and Comcast. Someone had reported something, they never explained what, that caused them to put a stop on my port 25 at home. Figuring this out took me many days of bitching at my IT guys at work about why their system was not letting me send emails. Eventually they figured out that it was my ISP and had me call Comcast Customer Service Assurance at 856-317-7272. It turns out that regular Comcast customer service just parrots that the port cannot be unblocked. I talked to the CSA agent and in less than 2 mins he had unblocked my Port 25. However, he did also say that there was no guarantee that it wouldn't be blocked again; all that had to happen was for someone to make a complaint against me for spam. This includes anyone on an outgoing email who tags any email as spam. His advice was to make sure that everyone wanted the emails when they went out. I can only assume that someone in a CC'd email had tagged me as junk not realizing the consequences.

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    4. Re:What's this "finally" shit? by dkf · · Score: 2, Interesting

      Correct, for most people this is a good plan. For spammers it is not. They will of course opt out of the restriction.

      So long as there is no way for the zombie itself to opt out, there's no (big) problem: the owner probably won't opt out, and the spammer won't go to the (fairly substantial) effort to social engineer his way past the restriction. What this does mean is that it pretty much requires that people who want to opt out call their Customer Services line rather than using a self-service webpage. It's horrible, but necessary.

      And for the love of God, don't encourage J Random Grandma to opt out unless she's actually busy overthrowing the government.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    5. Re:What's this "finally" shit? by mibus · · Score: 4, Interesting

      My home ISP (oblig. disclaimer: I now work for them too) has blocked port 25 outbound by default on 'Home' ADSL connections for a while now.

      It's all configurable from the online webtools, so you can turn it back on if you want it.

      And there's even an in-depth FAQ about it on the site.

      IMHO it's a great idea, and I wish more ISPs did it.

    6. Re:What's this "finally" shit? by Buelldozer · · Score: 4, Funny

      So, you spent "many days bitching at my IT guys at work" and in the end the problem was with your Internet Service at home?! You posted this on Slashdot?

      Ummm, yeah, we're going to need your address. I've already handed out the torches and pitchforks.

    7. Re:What's this "finally" shit? by The+Great+Pretender · · Score: 3, Funny

      I live at 1835 73rd Ave NE, Medina, WA 98039

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    8. Re:What's this "finally" shit? by DarkOx · · Score: 3, Interesting

      I have never really understood why this is an issue. I do think ISPs should be upfront about it before you sign up, and if they change what ports they block and how they police their network you should be allowed out of the contract. I don't think it's fair for them to write terms that say we can limit what you do in any way we like.

      That aside, I would like to ask my fellow slashdotters running their own mail servers (I do; Speakeasy actually allows this under their TOS) why it's a problem for you to use your ISP as a smart host?

      Personally I like it. Unlike at work, I don't have to worry about keeping the mail server off the blacklists, contacting postmasters at other domains to get mistakes corrected, etc. etc. The ISP does most of that for me. Now Speakeasy will relay for my domain, but I think most ISPs will probably trust whatever is coming from their own network to their relay; I hope they pass it through some outbound filter.

      On the inbound side, the MX record points directly at my IP address, so I get to handle the mail coming in and filter/blacklist etc. according to my own needs. TLS works too if things need to stay private.

      I suppose the only argument I can think of is that even if you are using TLS your ISP can still read your outbound mail, and if I was using Verizon or Comcast I might be more concerned about that....

      What are other peoples reasons?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    9. Re:What's this "finally" shit? by characterZer0 · · Score: 2, Insightful

      Will they even let you get business class? My ISP (Time Warner) simply refuses to sell business class to a building zoned residential.

      --
      Go green: turn off your refrigerator.
    10. Re:What's this "finally" shit? by SaDan · · Score: 2, Interesting

      I have Comcast Business internet, and it is exactly as others have described: no blocked ports, no upload/download limits, and (so far) very decent customer service.

      I also have five static IPs and run an email server and web server out of my house for commercial and non-commercial purposes. I've had zero issues in the year I have had this configuration.

    11. Re:What's this "finally" shit? by SaDan · · Score: 2, Interesting

      If you use your Comcast SMTP servers for outbound email the same way you use Google's, you will be able to send work email from home. This will get around the port 25 block they (Comcast) have in place, because you are authenticating with Comcast in order to send email.

      If your IT guys at work didn't have a problem getting your email when you were sending it through Google, they shouldn't care if you send it through Comcast. There's no more or less accountability, and you actually aren't sending through the work email server if you go through Google anyway.

      I'd give the Comcast SMTP server(s) a shot.

  5. Verizon spam zombies by benjfowler · · Score: 5, Funny

    I feel a great disturbance in the Force, as if millions of voices cried out in terror and were suddenly silenced...

    1. Re:Verizon spam zombies by SpiffyMarc · · Score: 4, Funny

      They're spam zombies. It's a million voices groaning out URrGgGHghHHhh followed by a couple late chants of "brains."

  6. Re:first by Anonymous Coward · · Score: 3, Funny

    No, the guy posting before you did that ;-)

  7. Comcast by TheNinjaroach · · Score: 5, Funny

    Well your spam made it through, but the response must have been throttled since you didn't get first post. You're a Comcast customer, aren't you?

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
    1. Re:Comcast by Dishevel · · Score: 2, Funny

      no probably AOL

      l2ISP

      I thought AOL customers just posted ....

      HOW DO I POST!!!!!!!!!!!!!!!

      27 times in a row.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    2. Re:Comcast by Zencyde · · Score: 2, Funny

      me too

      --
      What day is it? Could you please tell me?
  8. Re:Do zombies even use ISP mail servers? by stevey · · Score: 5, Insightful

    Indeed.

    But if you're the ISP you can just say "Hey customers outgoing port 25 is blocked - use authentication and port 587 to send mail".

    In general I'm against ISP blocking services, but in the case of spam prevention its a good choice to make.

    (The ideal would be to allow outgoing, but cut people off if they spam. That would punish only the guilty, but I guess they're not so keen on that).

  9. Article Confuses Mail Servers vs. Network Filters by billstewart · · Score: 2, Insightful

    As far as I can tell from this article and a few others that are derived from the same press releases, what VZ is doing here is setting up their own mail servers to use Port 587 submission instead of Port 25. That won't stop zombies or legitimate Linux mail systems from sending mail directly to their recipients' systems, though I'm guessing that they'll get around to blocking Port 25 (sigh) once they've got most of their users migrated to 587.

    What this will do is give them authentication, which makes it easier for them to block customers who use VZ's mail servers from spamming, but I'd be surprised if there's much of that happening (though botnets keep evolving their techniques.) It's already possible to reduce that simply by using passwords, or using various hokey port 25 authentication methods like receive-before-send; this cleans up the process a bit.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  10. Enabler, not longterm solution by billstewart · · Score: 2, Insightful

    Most ISPs already do a fair bit of policing on the users of their mail servers, so this probably won't make a big dent (though botnets keep evolving, and if the scalability works to use ISP mail servers, they'll go back to it.) This basically provides a cleaner, more standardized solution for mail submission and authentication. VZ might block Port 25 later, and getting their users onto 587 makes it easier.

    Zombies already do deliver their mail directly using Port 25. They're not generally running Real Sendmail (which is way too big and heavy for what they need) - in general they're running stripped-down mail senders that don't bother checking error messages correctly, which is why greylisting's "Go away and come back in 5 minutes" is enough to discourage lots of them. But lots of ISPs have been jumping on the "Block Port 25" bandwagon (with no apologies to Linux users who run their own sendmail), so maybe the zombies will go back to using ISP mail servers more often.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  11. You can, but it's hokey by billstewart · · Score: 2, Informative

    Yeah, it's possible to do authentication on Port 25, but it's generally hokey and often broke things when people did it, and left passwords in the clear for eavesdroppers - 587 is a cleaner and more standardized solution. I remember having to configure Eudora for receive-before-send when my email provider was trying that approach...

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:You can, but it's hokey by MSG · · Score: 2, Interesting

      You do realize that SMTP on port 25 and MSA on port 587 are the same protocol, right? There's no way that one can be hokey and the other not. In both cases, STARTTLS can be used, and should be required before authentication is allowed.

      Providers should universally provide service on 587 in order to allow other ISPs to block outbound port 25, but arguing that authentication on 25 is hokey is just silly. The only reason not to bother is that sooner or later, port 25 is going to be blocked by the ISPs of remote users, and you really ought to be providing service on 587.
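The policy MSG describes (STARTTLS before AUTH, AUTH before any message on the submission port, and the usual relay check on port 25 for unauthenticated senders) can be written down as a small state machine. The following is an added example, not code from Verizon, from any real MTA, or from anyone in this thread; the account table, the host name msa.example.net and the session class are constructed for the demo, and no sockets are opened: the object only computes the reply a submission server would give to each client command.

```python
"""Toy submission-port (587) versus MX-port (25) policy, as a state machine.

Added example; not code from any real MTA. ACCOUNTS, LOCAL_DOMAINS and the
host name are constructed for the demo.
"""
import base64

# Constructed credential store. A real MSA consults SASL or a directory.
ACCOUNTS = {"alice@example.net": "correct horse battery staple"}
# Domains this server accepts inbound mail for without authentication.
LOCAL_DOMAINS = {"example.net"}


def plain_credential(user, password):
    """Client side: SASL PLAIN is base64('\\0' + user + '\\0' + password)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


class SubmissionSession:
    """One client session; submission=True applies port-587 rules, False port-25 rules."""

    def __init__(self, submission=True, accounts=ACCOUNTS, local_domains=LOCAL_DOMAINS):
        self.submission = submission
        self.accounts = accounts
        self.local_domains = local_domains
        self.tls = False      # set once STARTTLS has been negotiated
        self.user = None      # set once AUTH succeeded
        self.transcript = []  # (client line, server reply) pairs

    def handle(self, line):
        line = line.strip()
        reply = self._dispatch(line)
        self.transcript.append((line, reply))
        return reply

    def _dispatch(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # AUTH is only advertised after STARTTLS, so a client that honours
            # the capability list never offers a password over cleartext.
            caps = ["250-msa.example.net"]
            caps.append("250-AUTH PLAIN" if self.tls else "250-STARTTLS")
            caps.append("250 ENHANCEDSTATUSCODES")
            return "\r\n".join(caps)
        if verb == "STARTTLS":
            if self.tls:
                return "503 5.5.1 TLS already active"
            self.tls = True
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            # On 587 nothing is accepted before AUTH; on 25 the MX must take
            # unauthenticated inbound mail, so the check moves to RCPT.
            if self.submission and self.user is None:
                return "530 5.7.0 Authentication required"
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            return self._rcpt(arg)
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"

    def _auth(self, arg):
        if not self.tls:
            return "530 5.7.0 Must issue a STARTTLS command first"
        if self.user is not None:
            return "503 5.5.1 Already authenticated"
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:
            _authzid, authcid, passwd = base64.b64decode(blob).decode().split("\0")
        except ValueError:  # bad base64, bad UTF-8, or wrong field count
            return "501 5.5.2 Cannot decode response"
        if self.accounts.get(authcid) == passwd:
            self.user = authcid
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"

    def _rcpt(self, arg):
        # arg looks like "TO:<bob@example.org>"
        addr = arg.partition(":")[2].strip().strip("<>")
        domain = addr.rpartition("@")[2].lower()
        # Unauthenticated clients may only deliver to local domains (no open relay).
        if self.user is None and domain not in self.local_domains:
            return "554 5.7.1 Relay access denied"
        return "250 2.1.5 Ok"


if __name__ == "__main__":
    s = SubmissionSession()
    for cmd in ["EHLO laptop", "AUTH PLAIN " + plain_credential("alice@example.net", "x"),
                "STARTTLS", "EHLO laptop",
                "AUTH PLAIN " + plain_credential("alice@example.net", "correct horse battery staple"),
                "MAIL FROM:<alice@example.net>", "RCPT TO:<bob@example.org>", "QUIT"]:
        print(f"C: {cmd}\nS: {s.handle(cmd)}")
```

The same class run with submission=False shows why the two ports cannot share one policy: the MX accepts MAIL FROM from anyone but refuses RCPT TO for a non-local domain, whereas the submission port refuses everything until the client has authenticated over TLS.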

  12. Re:PORT 587 THE GATE TO HELL by Samschnooks · · Score: 2, Funny

    Somebody fucked with you. They mapped port 587 on that machine to port 666.

  13. great, only 7 years late by Indy1 · · Score: 5, Informative

    Verizon has been an epic sewer network for years, and has ignored their spam problem for years. If they want to clean up now (or make a lame attempt to clean up, as most telcos do), fine. It just means less work for iptables at my end.

    For those who are sick of Verizon's bullshit, here's my list (no promises this is complete, but it should have most of 'em) of Verizon's IP blocks.

      206.46.0.0/16
      66.12.0.0/14
      207.68.0.0/17
      71.96.0.0/11
      72.64.0.0/11
      72.42.0.0/18
      71.160.0.0/15
      71.162.0.0/16
      96.224.0.0/11
      98.108.0.0/14
      98.112.0.0/13
      68.160.0.0/14
      162.84.0.0/16
      162.83.0.0/16
      151.204.0.0/15
      138.88.0.0/21
      66.171.0.0/16
      66.14.128.0/17
      151.201.0.0/16
      138.89.0.0/16
      141.149.0.0/16
      141.150.0.0/15
      141.152.0.0/14
      141.156.0.0/15
      141.158.0.0/16
      68.160.192.0/18
      68.161.192.0/18
      66.14.0.0/17
      151.196.0.0/14
      151.200.0.0/14
      151.204.0.0/15
      129.44.0.0/16
      138.88.0.0/16
      64.222.0.0/15
      68.236.0.0/14
      70.104.0.0/13
      70.16.0.0/13
      71.96.0.0/11
      209.158.0.0/16
      209.159.0.0/19
      71.160.0.0/11
      173.64.0.0/12
      70.192.0.0/11
      66.174.0.0/16
      75.224.0.0/12
      75.240.0.0/13
      75.192.0.0/10
      97.0.0.0/10

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  14. Re:Do zombies even use ISP mail servers? by Chabo · · Score: 4, Insightful

    In general I'm against monitoring people secretly and continuously; but in the case of cities where children are legally or physically possibly present, it's a good choice to make to stop pedophiles.

    ... what?

    --
    Convert FLACs to a portable format with FlacSquisher
  15. E-mail Clients and Ports by dlevitan · · Score: 2, Interesting

    I wish that more software would default to 587 instead of 25. For example, Thunderbird doesn't even mention the possibility of 587 as a "default" port, which really needs to be changed.

    In any case, it's good to see the change to 587 become more widespread and hopefully it will eventually become the default port for sending messages (along with encryption + authentication), while 25 will be reserved exclusively for server-to-server communication.

  16. Re:Do zombies even use ISP mail servers? by erroneus · · Score: 3, Interesting

    Yes and it is only a matter of time before that changes and evolves.

    The reason these alternative ports and blocking works is because most everyone else isn't doing this. When it comes to the point where most people are doing this, new methods will arise.

    The first scenario that comes to mind is that the next generation of bot-ware will listen to your outgoing email traffic and learn your password, then configure itself to send email based on that information. Then once again, the problem returns. And if *I* can conceive of this, then I *know* spammers have already thought of this. (I am comfortable in the assumption that I have never come up with an original idea.) You can expect this to occur within the next year or so. The drive to these measures is largely based on the size of the target audience, after all. (This is the reason Mac OS X is mostly immune to attacks and infection... it isn't yet a big enough target!)

    Things will get crazier before they get better.

  17. Remembering credentials?! by coljac · · Score: 4, Insightful

    I like the suggestion that people are somehow lax in security because their mail client remembers their password. Who are these guys who type the password in every 3 minutes when they check their mail?

    --
    Everyone knows that damage is done to the soul by bad motion pictures. -Pope Pius XI
  18. Re:Do zombies even use ISP mail servers? by robot_love · · Score: 4, Insightful

    He's saying that losing a little bit of liberty to gain some safety isn't worth it. He did this by cleverly rewording the original poster's statement about email to make it about pedophiles to highlight the fact that it's essentially the same issue, simply in a different context.

    --
    .there is enough of everything for everyone.
  19. Re:Do zombies even use ISP mail servers? by GigaplexNZ · · Score: 2, Informative

    The first scenario that comes to mind is that the next generation of bot-ware will listen to your outgoing email traffic and learn your password then configure itself to send email based on that information. Then once again, the problem returns.

    The advantage in this instance is that the ISP can easily identify (because the zombie used the user/pass) who has been zombified and inform the customer to get their machine disinfected.
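GigaplexNZ's point (and the summary's "at least the zombies will be easily identifiable") is that authenticated submission turns the problem into a per-account volume question the ISP can answer from its own logs. The following is an added example, not code or log format from Verizon or from anyone in this thread: the log lines are constructed in the format shown (not a real MTA's format), the addresses use documentation ranges, and the thresholds are assumptions to be tuned per provider.

```python
"""Flag submission accounts whose recipient volume inside a sliding window
looks like a bot using cached credentials rather than a person.

Added example; the log format, sample lines, account names and thresholds are
all constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format:  <iso-timestamp> submission: sasl_user=<acct> client=<ip> rcpts=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) submission: sasl_user=(?P<user>\S+) client=(?P<ip>\S+) rcpts=(?P<n>\d+)$"
)


def build_sample_log():
    """Constructed sample: one normal account and one whose stored password a bot is using."""
    lines = [
        "2009-03-05T09:00:12 submission: sasl_user=alice@example.net client=192.0.2.10 rcpts=1",
        "2009-03-05T09:42:03 submission: sasl_user=alice@example.net client=192.0.2.10 rcpts=2",
        "2009-03-05T11:15:40 submission: sasl_user=alice@example.net client=192.0.2.10 rcpts=1",
        "garbage line the parser must skip",
    ]
    # bob's mail client remembered his password; a bot on the same PC now sends
    # 40 messages of 10 recipients each within 20 minutes.
    for i in range(40):
        lines.append(
            f"2009-03-05T10:{i // 2:02d}:{(i % 2) * 30:02d} submission: "
            "sasl_user=bob@example.net client=192.0.2.55 rcpts=10"
        )
    return lines


def parse(lines):
    """Yield (timestamp, user, client_ip, recipient_count); unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"], int(m["n"])


def flag_accounts(lines, window=timedelta(hours=1), max_rcpts=100):
    """Return {user: details} for accounts exceeding max_rcpts recipients in any window."""
    events = defaultdict(list)
    for ts, user, ip, n in parse(lines):
        events[user].append((ts, ip, n))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start, running, peak, peak_at = 0, 0, 0, None
        for ts, _ip, n in evs:
            running += n
            # Slide the window start forward until it spans at most `window`.
            while ts - evs[start][0] > window:
                running -= evs[start][2]
                start += 1
            if running > peak:
                peak, peak_at = running, evs[start][0]
        if peak > max_rcpts:
            flagged[user] = {
                "peak_recipients": peak,
                "window_start": peak_at.isoformat(),
                "messages": len(evs),
                "client_ips": sorted({e[1] for e in evs}),
            }
    return flagged


if __name__ == "__main__":
    for user, info in flag_accounts(build_sample_log()).items():
        print(f"{user}: {info['peak_recipients']} recipients from {info['window_start']}, "
              f"{info['messages']} messages, clients {info['client_ips']}")
```

Because the bot had to authenticate, the report names the account, not just an IP in a dynamic pool, which is exactly what lets the ISP contact the right customer. The cost of this model is the one vux984 raises below: identification is cheap, but what the ISP does with the list is where the support expense lands.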

  20. Yo Dawg, by BrentH · · Score: 3, Funny

    I herd you like emails in your emails, so I put some traffic thru yo traffic.

  21. Re:Won't make a difference in the long run by vux984 · · Score: 2, Insightful

    The right answer is obviously to send an automated email informing them that according to your data their computer is compromised and if the spam doesn't stop the offending ports will be locked.

    That's not an obviously right answer.

    First they'll ignore your email. (Assuming they even get it, because the people with zombie PCs don't check their ISP mail they mostly use hotmail/gmail/yahoo etc so they'll never see the message from their ISP.)

    Then you follow through on your threat and block their access.

    At which point they phone your Customer Support to complain that their 'internets is broken', bitch that you never warned them, and when your CSR tells them they need to have someone clean out their PC they go ballistic because that's hard or expensive. And the whole time they're on the phone with your CSR it's costing you money, and creating an unhappy customer.

    It might actually cost you less to just let the zombie spam away, and keep the customer happy.

  22. Completely pointless? by MikeBabcock · · Score: 3, Insightful

    In my opinion, the transition to port 587 is nearly pointless. I already use authentication on port 25 to identify customers.

    And according to one of the only people I'd trust on SMTP issues, "the SUBMIT specification has several fundamental flaws that make compliance practically impossible. I advise against all use of port 587" -- djb.

    --
    - Michael T. Babcock (Yes, I blog)
  23. Re:What ever happened to SSL and port 465? by jeaton · · Score: 4, Informative

    Port 587 was allocated by IANA and is documented by the IETF in RFC 2476, and the STARTTLS capability is documented in RFC 2487. It is not clear from the article whether Verizon is going to require STARTTLS or not. They may require STARTTLS for all mail on port 587 if they so choose.

    I assume that the "full-on SSL" that you would prefer refers to the non-standard port 465 ("SMTPs"). That port was chosen arbitrarily by Microsoft, has not been standardized by any common standards body, and was previously already allocated to "URL Rendesvous Directory for SSM".

    Why perpetuate non-standards when there are established standards which have the same functionality?

  24. Re:What ever happened to SSL and port 465? by MSG · · Score: 2, Insightful

    Don't be stupid. Verizon is planning to block outbound port 25 like a lot of other ISPs do in order to prevent trojans from sending out email. It's not their business to impose a requirement that other mail providers use their choice of STARTTLS on 587 or SSL on 465.

    If anyone is failing to do SSL, it has nothing to do with Verizon blocking outbound port 25, and Verizon should in no way be scolded for taking this step.

  25. hehe by pavon · · Score: 3, Informative

    I just reread your link. In it DJB explicitly advises against running authentication on port 25. In fact, for security reasons, he wrote two separate programs, qmail-smtpd and ofmipd, to keep the tasks of relaying authenticated email and accepting mail for local delivery as removed from one another as possible.

    He defends the idea of separating these two tasks, not only to separate ports but separate programs, on this thread on the IETF-SUBMIT mailing list.

    So, yeah, his complaint against port 587 was simply that if you can't implement the SUBMIT standard correctly (which according to him no one can), you should use a different port than the one specified in that standard. The rest of the world doesn't care, because it sees all the various authentication methods (including SUBMIT) as extensions to SMTP, and not as a different protocol (OFMIP, as DJB calls them collectively), and has no qualms running a standard (non-SUBMIT compliant) SMTP server on port 587.

  26. Re:PORT 587 THE GATE TO HELL by lgw · · Score: 3, Interesting

    Port 666 is reserved for Doom (video game)

    Wow, I thought AC was joking, but it's right there in RFC1700!

    doom 666/tcp doom Id Software
    doom 666/tcp doom Id Software

    --
    Socialism: a lie told by totalitarians and believed by fools.
  27. Re:Do zombies even use ISP mail servers? by nine-times · · Score: 2, Interesting

    (The ideal would be to allow outgoing, but cut people off if they spam. That would punish only the guilty, but I guess they're not so keen on that).

    I'd be more content if they said, "You're blocked by default, but contact our support line and we'll open port 25 for you."

    But I find it really frustrating when they block port 25. I use two different email services, and both of them require authentication and SSL, but do it via port 25, so I can't use them for outgoing SMTP if that port is blocked. I've had an ISP block port 25 on me, requiring me to use their SMTP server, but then they wouldn't let me use their SMTP server when I wasn't connecting through them. That's a pretty annoying problem, considering I have a laptop and have to manually change SMTP servers whenever I change locations. And even if ISPs let you use their SMTP server from other locations, if they're using port 25 and other ISPs are blocking that port, then you'll still have to manually change your SMTP server whenever you change locations. It's stupid.

    I vaguely suspect that there's some kind of attempt here to get you to use your ISP's email address by making everything else not work, thereby making it more difficult to change ISPs. Or maybe it's just a means to milk extra money by charging a fee for opening port 25. My old ISP charged $15 a month to open ports 25 & 80.

  28. Re:What ever happened to SSL and port 465? by Erik+Hensema · · Score: 2, Insightful

    smtps is rarely used these days. None of our customers are using it, I guess because most of them use clients such as Outlook that can't do it. They all do TLS, which is available on both port 25 and 587. And most mail servers disallow SMTP AUTH over an unencrypted session.

    Lots of provider-provider smtp traffic is now encrypted, and still uses (and will always continue to use) port 25.

    The only difference between ports 25 and 587 is that 587 requires SMTP AUTH. Therefore, 587 is not suitable for delivery of mail to the MX of the domain of the recipient. 587 can only be used for the first injection of mail into the SMTP system from MDA to MTA.

    By blocking port 25 outgoing, you're effectively forcing your customers to inject mail to your own relay, or to an external relay with SMTP AUTH. Now suddenly clients can only reach a very limited number of SMTP servers. This centralizes the problems caused by infected nodes to those few SMTP servers. The problem can be dealt with on those few servers, instead of the entire world.

    All consumer-grade access providers should block port 25 outgoing. Really. I'm tempted to create a dnsbl listing providers who don't adhere to this policy.

    --

    This is your sig. There are thousands more, but this one is yours.