By: MarkJ - 19 January, 2010 (10:27 AM)
The CTO of Internet security giant Trend Micro, Dave Rand, has called for UK and EU governments to adopt tougher legislation against SPAM (junk email). He also urged Internet Service Providers (ISPs) to help combat the problem by blocking email on port 25 and informing users when their computers begin unwittingly distributing masses of junk messages (zombie systems / botnets).

Port 25 is the port used by the Simple Mail Transfer Protocol (SMTP), which effectively handles outgoing email and is especially useful when trying to send messages from a remote server (e.g. a different ISP or web host). For example, we use port 25 to send ISPreview.co.uk email because the webhost is separate from our broadband ISP. Sadly, zombie systems (computers that have become infected with malicious software) also use the port to send junk mail.

Rand contends that ISPs do not themselves need port 25 to send email and could use internal ports. He also suggests that most users would be unaffected by such a block, which is understandable because many use free email providers or their ISP's own server. However, his comments have not gone down well with Internet providers.

The Director of IDNet, Simon Davies, told ISPreview:

"That's a simplistic view and is also futile. It is the same argument that says that if you block P2P ports then you'll stop illegal music filesharing. No, you won't. The traffic will just move to other ports and/or SSL-encrypted channels.

Most SMTP servers accept incoming connections on port 587 and also 465 for TLS. Blocking port 25 wouldn't slow down the spammers for very long at all but it would inconvenience the very many, mostly business use, legitimate reasons for being able to reach port 25.

The answer is two-fold, for mail servers to be carefully configured to only accept legitimate incoming mail and for consumers to use secure operating systems (which would probably require a mass-uprising against Microsoft to pressure them into making their OSs more safe from viruses)."

The Director of AAISP, Adrian Kennard, commented:

"There are already effective block lists that will block email from IP addresses sending mail directly from an infected end user machine. Indeed, this is much better for us than our outgoing smart-hosts being blacklisted because an infected machine uses us to send the mail.

Tackling SPAM is something we all need to do, but not by trying to block traffic at the ISP. Ultimately the end users need more education. I can well see email as a protocol changing over the years, and I would hope a lot more use of proper authenticated (signed) emails and filtering based on that will make email more useful and stop ISPs (like us) spending a fortune running spam filtering for customers' mailboxes.

We are happy to address the abuse complaints that we get regarding such customer machines and educate our customers. We are happy for customers to operate their own firewalls in their own control and recommend that they consider which machines should be able to access port 25 outgoing. But we are not going to block specific packets."

James Blessing, a senior ISPA Council Member and Chair of their Broadband Subgroup (among many other things), added:

"If you were to place a blanket outbound block on port 25 for new residential subscribers with the ability to turn it back on through an automated control panel then that would be a 'reasonable' move, anything else will break SMTP in so many ways.

You will of course generate large amounts of support calls and there is the possibility that the system will go wrong and block other things by mistake. Then there are also cost implications for the ISP (which would be passed to the subscriber in some way) and the spammer will just find another way to distribute the content (via the ISP's mailhost perhaps thus blacklisting the entire customer base).

So actually it's probably not worth the effort in the long run and maybe we should be really looking at the security on the individual connected devices (better OS, better AV, better anti-malware etc) rather than trying to break the internet."

Most of the ISPs we queried noted that they already took steps to tackle customers whose machines had been compromised; in fact, in the past we have seen people being temporarily disconnected from their ISP until the problem is resolved. Consequently, at least one of Rand's ideas is already receiving some degree of acceptance.

Others might suggest that SMTP should be completely overhauled, though such a solution would be impractical because of the huge SMTP install base and the resulting network effects. This is part of the reason why email itself has not really evolved much since it was first invented.

Rand believes that ISPs are overplaying the impact that such a block would have on their services. He pointed out that some countries, such as Turkey and the Netherlands, were able to impose similar restrictions and saw a large reduction in the problem with only minimal gripes (e.g. compromised PCs in Turkey dropped from 1.7m per month to 35,000).

Trend Micro estimates that the UK is currently home to over 3 million infected machines (not including business systems) and that blocking port 25 could reduce spam by around 20 million messages per month. That's actually quite a small change but it's suggested that a global implementation would be much more dramatic.
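
The following added example is not from the article or from any ISP quoted in it. It shows one way an ISP could find subscribers to notify: it flags hosts that open direct port 25 connections to many distinct servers within a short window, while ignoring mail sent through the ISP's own relay, traffic to submission port 587, and subscribers who have opted out of a block. The flow-record format, thresholds and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All values below are assumptions for illustration, not taken from the article.
WINDOW = timedelta(minutes=10)   # sliding window
MAX_DISTINCT = 5                 # distinct port-25 destinations tolerated per window
SMARTHOSTS = {"192.0.2.25"}      # the ISP's own outgoing relay
OPTED_IN = {"198.51.100.7"}      # subscribers who re-enabled port 25 themselves

def parse(line):
    """Parse one 'ISO-timestamp src dst dport' flow record."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_suspects(lines):
    """Map each flagged subscriber IP to its peak count of distinct direct-to-MX targets."""
    events = defaultdict(list)
    for ts, src, dst, dport in sorted(map(parse, lines)):
        # Only direct port-25 traffic counts; relay use and opt-in hosts are expected.
        if dport == 25 and dst not in SMARTHOSTS and src not in OPTED_IN:
            events[src].append((ts, dst))
    suspects = {}
    for src, evs in events.items():
        peak = start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > WINDOW:   # shrink window from the left
                start += 1
            peak = max(peak, len({d for _, d in evs[start:end + 1]}))
        if peak > MAX_DISTINCT:
            suspects[src] = peak
    return suspects

def sample_flows():
    """Constructed flow records (documentation address ranges only)."""
    t0 = datetime(2010, 1, 19, 10, 0)
    def rec(minutes, src, dst, port):
        return f"{(t0 + timedelta(minutes=minutes)).isoformat()} {src} {dst} {port}"
    rows = [rec(i * 0.5, "203.0.113.10", f"192.0.2.{100 + i}", 25) for i in range(8)]  # burst
    rows += [rec(i * 20, "203.0.113.40", f"192.0.2.{120 + i}", 25) for i in range(6)]  # slow
    rows += [rec(i, "198.51.100.7", f"192.0.2.{140 + i}", 25) for i in range(7)]       # opted in
    rows += [rec(i, "203.0.113.20", "192.0.2.25", 25) for i in range(10)]              # via relay
    rows += [rec(i, "203.0.113.30", f"192.0.2.{160 + i}", 587) for i in range(8)]      # submission
    return rows

if __name__ == "__main__":
    for ip, n in find_suspects(sample_flows()).items():
        print(f"{ip}: {n} distinct port-25 destinations within {WINDOW}")
```

Only the burst host is flagged; the host that reaches six servers over two hours stays under the threshold because the count is taken per window.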

Comments: 11

a101
Posted: 19 January, 2010 - 1:57 PM

Blocking port 25 outbound for residential customers is already standard practice in the U.S. The world didn't come to an end. Very few folks are affected negatively. It's hard to say how much it's helped to reduce spam from botnet infected machines.

O.O.
certaindoom
Posted: 19 January, 2010 - 3:56 PM

The trouble with the Rand and RBL approach is that they assume one-size-fits-all. There are many smaller companies especially who do not have the luxury of entire /16 assignments to 'dynamic' .. yet who fall victim to RBL assumptions frequently. Compounding the issue is that the RBLs do not agree on what makes up a 'dynamic' and a 'static' on sight. So they make assumptions, block all, and assume they're right. I applaud the UK ISP for standing up to the consensus terrorism that the RBLs have proffered in the form of magic-bullet lists that have no accountability and do not have a way to remove IP from them.
Ken Gordon
Posted: 19 January, 2010 - 5:10 PM

See http://bit.ly/6mDgc6: "In the UK, Rand estimated that there were 3-4 million spam zombies, not including business PCs hidden from statistic-gatherers by NAT firewalls. Blocking port 25 and contacting compromised subscribers in the country would reduce the volume of spam by around 20 million spam messages per month, which sounds modest when you consider that the total volume for an average ISP is perhaps 1 billion bogus emails."
Dan
Posted: 19 January, 2010 - 5:56 PM

Many mainstream ISPs in the UK already do this, to the degree that I routinely set up SMTP on laptops for work to port 26 otherwise people can't send mail through Outlook from their home connections.
Seth
Posted: 19 January, 2010 - 7:19 PM

Simon Davies apparently doesn't understand how smtp works.

Blocking the ports used by P2P applications will just see them moving to other ports, because both the sender and receiver want to communicate. But if all the spammers in his ISP switched to other ports, I wouldn't receive spam from them. I won't switch along with them, because I don't want their spam.

certaindoom, my "company" consists of rented 1U space with an entire /32 to itself. That server has a static IP address, and that IP address does not appear on DNSBLs because no spam emanates from it.

Mail servers do accept connections on ports 587 and 465; however, that's as far as the spam gets, because the zombie can't get authorization to transmit a message.
bitz
Posted: 20 January, 2010 - 12:26 AM

Simon Davies said: "Blocking port 25 wouldn't slow down the spammers for very long at all but it would inconvenience the very many, mostly business use, legitimate reasons for being able to reach port 25."

Usually only residential lines have port 25 blocked by default and ISPs provide a way to unblock port 25. Business lines are never blocked. The key here is responsibility. A significant portion of residential customers are irresponsible and are generating a significant portion of the abusive, malicious and spam laden email on the Internet. Implementing only reactive measures to spam bots is abusive and irresponsible in itself. Shame on you.

Simon says: "The answer is two-fold, for mail servers to be carefully configured to only accept legitimate incoming mail". How does a machine know if any email is wanted or unwanted? Sit down with your email staff. You need a clue.
Patrick W. Gilmore
Posted: 20 January, 2010 - 2:10 AM

As much as I hate to disagree with James & Simon & company, I feel the need to correct what has been said.

First, Seth & bitz have good points. But more importantly, predicting what will happen must always be superseded by what /has/ happened. ISPs with customer bases larger than any ISP in England (by several times) are doing port 25 blocking today - with positive effect on their call volume, user satisfaction, and respect from other ISPs.

So instead of making predictions, we should talk to people who have and are doing this. Facts are useful when making decisions, and in this case they are readily available.

Port 25 blocking is not a silver bullet, it will not stop all spam. But there is no silver bullet. Does that mean we should give up? Personally, I prefer to fight the good fight. I believe those quoted above feel the same. Let's do it together.

--
TTFN,
patrick
With experience
Posted: 21 January, 2010 - 11:33 AM

I work in the US for an extremely large ISP, and am baffled by this reaction to the advice to block port 25. It works, it does not generate massive numbers of support calls, and has been proven not just in the US but globally to be a technique which is effective for the suppression of spam. Japan is a case in point where the implementation of a coordinated port 25 block led to significant falls in outbound spam. This is a technique that is proven globally, not just in the USA and really is part of an old battle. MAAWG, the largest organization fighting spam and other forms of messaging abuse recommends this, and the document can be found here http://www.maawg.org/published-documents
ISPs should just get on, block port 25 and then be much more concerned with helping their users deal with malware and providing tools and advice to deal with this. This is the real battle.
jimbo
Posted: 22 January, 2010 - 6:46 PM

What would even be the price difference of the realistic growth of support calls, compared to the 'spending a fortune running spam filtering'-budget that gets partly released?

It's quite a shame to consider a proper communication towards the end user to result in misunderstanding of the clients, thus to become a flop. Both a disrespect towards the marketing and communication folks within the ISP's organisation, as well as towards the public that would anyway be too dumb to get the message, so that they would call support en-masse?

This is plainly called simple mindedness, stubbornness, and pride. Yes, why wouldn't they themselves not have come up with such an idea???