Fair enough: your point of view being that you are paying for Internet Access, which is marketed to you as "unlimited" along with all of the commercials that tell you about all the neat things you'll be able to do... which you then can't do when they block ports, cut people off, etc. As a paying customer for Internet access, you should have the full run of the TCP/IP suite.
Essentially, my "plan" becomes a "punish everyone for the problems caused by a few."
OK, so then the problem becomes how to deal with the situation of spam and virus propagation when the majority is coming from these unprotected machines. Should we expect casual users to be able to know the functioning of their computers to a level where they can adequately protect it from becoming a spam launch pad or a source of virus attacks? I would agree that the answer would have to be yes; however, there are three obstacles to this:
- Even when ISPs basically include a firewall for free, they typically aren't set up to limit outbound traffic. Meaning when the end-user gets the spam producing virus on their machine, it has free rein to go out.
- Computers, while being marketed to non-techies, are horribly difficult to use and secure for those same people. It's very simple for us, as this is what we do.
- Maybe not really separate from the previous item, but non-techie end-users flat out refuse to learn even the basics of computer operation. On a regular basis, I see otherwise intelligent people suddenly lose their ability to read when the text they're trying to read is located inside of an error box.
The compelling factor for me is that the open ports, especially outbound port 25, are the chief vector for all of these attacks. Perhaps SPF, SenderID, or whatever they come up with as far as that goes will solve the problem of sender authentication, negating the need to block outbound port 25.
Maybe to be really fair, we don't charge extra for opening ports, but ISPs, as a best practice, should just leave them off by default and give end-users the option of unblocking them without charge. This would replace my original idea of charging for open ports with more of an intellectual barrier to open ports... if you're smart enough to know you need to explicitly have a port opened by your ISP, you're probably smart enough to make sure you're not spewing spam and viruses.
You've helped me refine my position, then. I still think the ports should be blocked, but only by default, and they should be openable at the request of the customer without charge (either by calling or via the web or whatever). Grandma who just wants to use email, browse the web, and download mp3s and access her bank account can do everything she needs to do, and she'll be safe by default. The techies can do whatever they want too; they would just need to log in to the site and turn on their "enhanced security configuration" and open the ports themselves. ISP level firewall for both in and out, secure by default, and configurable by the high-tech end users.
I'll give you several reasons for running my own SMTP server (and hence needing inbound SMTP)
Download mail in the background - then pop/imap it off at my 100Mbit LAN connection speed
Downloading email in the background is unrelated to SMTP mail transfer. If you meant that you run a mail server which receives email directly from sending mail servers or SMTP clients, then you are running a mail server and I feel you should pay extra for that ability.
Run my own spam filtering - enough said
This is a valid point. It is, however, implementable without requiring inbound port 25. Additionally, wouldn't your spam filter have to work a little less if millions of zombie computers owned by people with spam launching viruses weren't able to release their junk onto the Internet?
Using my own e-mail address that can follow me. No mailbox size limits.
Again, implementable with any mail hosting provider which takes their service seriously. As far as mailbox size limits, that is a valid point as well. Honestly though, you require more than a basic user requires. Which is fine. But:
It seems to me that the casual users, who will be the largest percentage of people paying for residential $30/month Internet accounts, aren't going to be configuring their own mail servers, and these are the same users who have a high probability of being sources of junk mail bounced off of or forced to come from their machines without their knowledge.
Perhaps, to be fair to those of us who need these features, the open ports should be the standard, and "residential" or "basic" accounts can be marketed at a discount where most of the "casual" users will prefer to be. Just a thought.
The reason Internet providers should look at IP packets is because businesses and end-users hold them responsible for the reliability and security of their network. The consumer also demands that the ISPs keep viruses and spam from their computer. I agree that Internet Providers should not be accessing personal information inside IP packets, but is it really beyond reason for them to at least scan for viruses and validate the return address of email passing through servers that they own? At any rate, I was only saying that outbound mail from residential accounts should be forced through a controllable vector through the ISP to mitigate the spread of viruses by filtering and for validating the return address. Nothing more as far as packet inspection; although other reasons for packet inspection may exist, I'm not aware of them at the moment.
Be Safe.
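The "blocked by default, opened on request" egress policy argued for above, together with the observation that zombie machines talk SMTP directly to outside mail servers, as an added worked example that is not part of any post in this thread. It assumes a constructed ISP relay address, a constructed residential netblock and a constructed flow-log format; the policy function and the zombie-pattern detector are both hypothetical illustrations, not any ISP's real implementation.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed addresses from the RFC 5737 documentation ranges; not a real ISP.
ISP_MAIL_RELAY = ipaddress.ip_address("198.51.100.25")   # the ISP's own SMTP relay
RESIDENTIAL_NET = ipaddress.ip_network("192.0.2.0/24")   # residential customer pool


@dataclass(frozen=True)
class Account:
    """A residential subscriber; 'enhanced' means the customer asked for open ports."""
    ip: str
    enhanced: bool = False


def egress_allowed(account: Account, dst_ip: str, dst_port: int) -> bool:
    """Secure-by-default egress rule for a residential account.

    Everything except direct SMTP passes. Port 25 is only allowed to the ISP's
    own relay, unless the customer opted in to the 'enhanced' configuration.
    """
    if dst_port != 25:
        return True
    if ipaddress.ip_address(dst_ip) == ISP_MAIL_RELAY:
        return True
    return account.enhanced


def parse_flow(line: str):
    """Parse one constructed flow record: '<seq> <src_ip> <dst_ip> <dst_port>'."""
    seq, src, dst, dport = line.split()
    return int(seq), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def find_spam_launchers(flow_lines, threshold: int = 3) -> dict:
    """Flag residential hosts that speak SMTP directly to many outside servers.

    A mail client talks to one submission server; a spam-launching zombie fans
    out to many MXs. Returns {src_ip: distinct non-relay SMTP peers} for hosts
    at or above `threshold`. Connections to the ISP relay are never counted.
    """
    peers = defaultdict(set)
    for line in flow_lines:
        if not line.strip():
            continue
        _, src, dst, dport = parse_flow(line)
        if src not in RESIDENTIAL_NET or dport != 25 or dst == ISP_MAIL_RELAY:
            continue
        peers[src].add(dst)
    return {str(src): len(d) for src, d in peers.items() if len(d) >= threshold}


# Constructed sample flows: .10 is a normal user, .77 fans out like a zombie,
# .20 makes a single direct SMTP connection (a hobbyist, below threshold),
# and the last line is a non-residential host that must be ignored.
SAMPLE_FLOWS = """
1 192.0.2.10 198.51.100.25 25
2 192.0.2.10 203.0.113.80 443
3 192.0.2.77 203.0.113.1 25
4 192.0.2.77 203.0.113.2 25
5 192.0.2.77 203.0.113.3 25
6 192.0.2.77 203.0.113.4 25
7 192.0.2.20 203.0.113.9 25
8 198.51.100.200 203.0.113.5 25
""".splitlines()
```

Running `find_spam_launchers(SAMPLE_FLOWS)` on the constructed flows reports only the fan-out host; the grandma account in `egress_allowed` reaches the ISP relay but not outside servers, while an enhanced account reaches both.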
Secondly, you're wrong. Would you care to list all the ports that are to be accessed only by properly accredited business users?
By business accounts, what I was referring to were accounts which cost extra for additional services; not that I mean necessarily entities which are functioning as businesses. Unfortunately, the distinction between what could be considered technically "basic accounts" (such as web browsing, basic email access, downloading from FTP sites, running P2P software), and "enhanced accounts" (such as having inbound ports open, unblocked access to external SMTP servers) can only be referred to as "residential" and "business" accounts since this is where the ISPs make the distinction between features. It would be more accurate for ISPs to use "basic" and "enhanced" much like cable TV does. So no, I don't generally mean that these features should be limited to "accredited businesses" but to "enhanced need end-users" such as businesses, power users, hobbyists, etc.
As far as basic use, I consider this, and we can disagree, to essentially consist of web browsing, sending and retrieving of email through the ISP's established mail system, access to FTP sites, and accessing game servers. I don't consider someone running their own game server, their own mail server, or their own web server to qualify as basic use. Further, I don't consider access to port 25 of outside mail servers to be basic necessary access either. I elaborate more on this point below.
For a simple example, I have RoadRunner cable at home, and a site hosted with GoDaddy. For me to send an email from my.com address using my mail client at home, I need to do exactly what you're saying I shouldn't be allowed to do. And the reasoning you give is that the Windows lusers down the block are infected. That would be tantamount to my phone company decreeing that I can't send a fax or participate in a conference call from home, since I only pay residential prices. I believe some phone carriers have tried that in the past, but were smacked down pretty resoundingly.
First the reasoning behind blocking outbound 25, then the solution.
Right now 85% of the email entering my company is unsolicited junk mail. It has been well established that most of the spam is from zombie machines infected at people's homes who don't even know they're running a spam launcher in the background with the rest of their viruses. I won't go into technical details, as they're already well understood. This directly affects my mail server performance due to Bayesian filtering, attachment filtering, antivirus scanning. I can run all of the filtering I want, but the issue still remains that time is money, and in the real time world we live in now, CPU time costs money. Productivity costs money when things get past the spam filter. Companies lose money when things get filtered that shouldn't be, and end-users at home, such as my grandmother, accountant sister, and business person brother get told it's their own fault for falling for phishing scams because for some reason they're expected to understand the intricacies of SMTP headers -- all of this because millions of machines on Earth are sending data through a vector that the end-user typically doesn't understand, care for, or even need.
If, however, someone requires the "enhanced" features because they are running a mail server -- since there is no way we can really test their ability to properly secure their systems, the only fair thing to do is to charge extra to offset the overall cost an ISP can run into by bandwidth being utilized for spam and virus propagation. Blocking outbound SMTP beyond the ISP mail server and restricting the "From:" field on residential accounts will also force legitimate spammers to pay their fair share for enhanced services and would also force accountability through auditing, essentially making unsolicited and spoofed spam a problem that can be dealt with while legitimate spam
Verizon has been offering high speed Internet access for quite a while now to both businesses and residential accounts and with Verizon's high speed services that I've used, I have never had any restrictions on which ports I could use both inbound and outbound with our business connections.
For a residential Internet service account, there is no legitimate reason for inbound SMTP (and one could argue other services). I will take it a step further and state that there is also no legitimate reason whatsoever for outbound SMTP access, for residential accounts, to any mail server other than the ISP's mail server. It has been well documented that most spam and viruses come from infected home computers and home networks which are being used as spam and virus launching points. "What if I'm a system administrator running my own mail server?" Well, you can pay business rates for open ports like the rest of us have had to do with Internet service for the past 10 years, and what we've had to do with phone service for God knows how long. If you're a computer hobbyist who needs these ports open, well, hobbies are expensive. Deal.
It is unreasonable to expect that the business community spend excessive amounts of time and money defending against spam and virus propagation, when most of it is coming from infected home computers that have no business at all connecting to any mail server other than their ISPs, just because a bunch of computer geeks want to play "hobby web hosting provider" at home yet still pay the same rates as casual users.
If these are /residential/ accounts, they can send and receive email through their ISP's mail server (which should also restrict what you can use for the From: line).
I have a job to do running an enterprise wide area network. I shouldn't have to incur the extra cost of time and money stopping email-borne viruses and junk mail from infected home computers that shouldn't be bypassing their ISP's mail server in the first place. If you want full access to all ports, you should pay up just like the rest of us responsible IT administrators have to. We're the ones actually smart enough to keep viruses and spam from getting onto the Internet from our networks.
Apparently, all of the people responding to this missed the part about the fact that the computer on your desk at work DOES NOT BELONG TO YOU.
You people bitch, bitch, and bitch again about how shitty Microsoft software is... but you have no qualms about Windows having shitty lock-down ability for workstations... of course you don't --- those failings of Windows let you install software without your sysadmin knowing about it.
How hypocritical indeed.
I have an idea --- when you're at work - DO WHAT YOU'RE SUPPOSED TO DO. If you want to browse the web, use the web browser that's already installed.
Bottom line is --- if you are installing software on the computer at work without authorization, YOU NEED TO BE FIRED.
Say you work a 40-hour week (days)... that pretty much only gives you weekends to devote to service. If you work 8 hours on Saturday, it will take 30 weeks to complete the sentence.
Say you work a 40-hour week and at 4:45 pm on a Friday a new virus gets emailed to someone in your company and starts renaming random files on your file server? That pretty much only gives you the weekend to devote to restoring from backup, instituting new procedures, etc.
So the virus is bad. Sure. Was there any loss of life? Was anyone maimed or psychologically traumatized (heh) over the incident?
There was no loss of life, but a system administrator had to spend the next day and a half, while his wife and 2-year-old kid were at home, restoring from backup, updating virus definitions, and cleaning infected machines. If he gets paid hourly, the company lost money. If he's salary, he lost money -- and a weekend day, maybe the entire weekend, with his wife and kid at Disney World. I think 240 hours is more than fair.