Posted: 19th Jan, 2010 By: MarkJ
The CTO of Internet security giant Trend Micro, Dave Rand, has called for UK and EU governments to adopt tougher legislation against SPAM (junk email). He also urged Internet Service Providers (ISPs) to help combat the problem by blocking email on port 25 and informing users when their computers begin unwittingly distributing masses of junk messages (zombie systems / botnets).
Port 25 is the standard port for the Simple Mail Transfer Protocol (SMTP), which handles the transfer of outgoing email between mail servers and is especially useful when trying to send messages via a remote server (e.g. one at a different ISP or web host). For example, we use port 25 to send ISPreview.co.uk email because the webhost is separate from our broadband ISP. Sadly, zombie systems (computers that have become infected with malicious software) also use the port to send junk mail directly to recipients' mail servers.
Rand contends that ISPs do not themselves need port 25 to send email and could use internal ports. He also suggests that most users would be unaffected by such a block, which is understandable because many use free email providers or their ISP's own mail server. However, his comments have not gone down well with Internet providers.
The Director of IDNet, Simon Davies, told ISPreview:
"That's a simplistic view and is also futile. It is the same argument that says that if you block P2P ports then you'll stop illegal music filesharing. No, you won't. The traffic will just move to other ports and/or SSL-encrypted channels.
Most SMTP servers accept incoming connections on port 587 and also 465 for TLS. Blocking port 25 wouldn't slow down the spammers for very long at all but it would inconvenience the very many, mostly business use, legitimate reasons for being able to reach port 25.
The answer is two-fold, for mail servers to be carefully configured to only accept legitimate incoming mail and for consumers to use secure operating systems (which would probably require a mass-uprising against Microsoft to pressure them into making their OSs more safe from viruses)."
The Director of AAISP, Adrian Kennard, commented:
"There are already effective block lists that will block email from IP addresses sending mail directly from an infected end user machine. Indeed, this is much better for us than our outgoing smart-hosts being blacklisted because an infected machine uses us to send the mail.
Tackling SPAM is something we all need to do, but not by trying to block traffic at the ISP. Ultimately the end users need more education. I can well see email as a protocol changing over the years, and I would hope a lot more use of proper authenticated (signed) emails and filtering based on that will make email more useful and stop ISPs (like us) spending a fortune running spam filtering for customers' mailboxes.
We are happy to address the abuse complaints that we get regarding such customer machines and educate our customers. We are happy for customers to operate their own firewalls in their own control and recommend that they consider which machines should be able to access port 25 outgoing. But we are not going to block specific packets."
James Blessing, a senior ISPA Council Member and Chair of their Broadband Subgroup (among many other things), added:
"If you were to place a blanket outbound block on port 25 for new residential subscribers with the ability to turn it back on through an automated control panel then that would be a 'reasonable' move, anything else will break SMTP in so many ways.
You will of course generate large amounts of support calls and there is the possibility that the system will go wrong and block other things by mistake. Then there are also cost implications for the ISP (which would be passed to the subscriber in some way) and the spammer will just find another way to distribute the content (via the ISPs mailhost perhaps thus blacklisting the entire customer base).
So actually it's probably not worth the effort in the long run and maybe we should be really looking at the security on the individual connected devices (better OS, better AV, better anti-malware etc.) rather than trying to break the internet."
Most of the ISPs we queried noted that they already take steps to tackle customers whose machines have been compromised; in fact, in the past we have seen people being temporarily disconnected from their ISP until the problem is resolved. Consequently at least one of Rand's ideas is already receiving some degree of acceptance.
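As an added illustration (not code from ISPreview or from any of the ISPs quoted here) of the two mechanisms discussed above: the blanket outbound port-25 block with a per-subscriber opt-back-in that James Blessing describes, and the kind of detection that lets an ISP notify or temporarily disconnect a subscriber whose machine has started spewing mail. All addresses, thresholds and flow records are constructed, and the `EgressPolicy` and `detect_zombies` names are assumptions for the example.

```python
# Added example, not code from ISPreview or any ISP quoted in the article.
# Models an ISP-side outbound port-25 policy with an opt-back-in list, plus a
# detector that flags subscriber hosts whose port-25 behaviour resembles a spam
# zombie. Addresses, thresholds and the flow log below are all constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SMTP_PORT = 25
ISP_SMARTHOST = ip_network("203.0.113.10/32")  # constructed: the ISP's own relay


@dataclass
class EgressPolicy:
    """Blanket outbound port-25 block with two exceptions: the ISP's own relay
    and subscribers who have re-enabled port 25 via a (hypothetical) control
    panel, as in the 'reasonable' variant described in the article."""
    allow_port25: set = field(default_factory=set)

    def permits(self, src: str, dst: str, dport: int) -> bool:
        if dport != SMTP_PORT:
            return True  # the policy only concerns direct SMTP relaying
        if ip_address(dst) in ISP_SMARTHOST:
            return True  # mail submitted to the ISP's relay is always allowed
        return src in self.allow_port25


def detect_zombies(flows, window_s=3600, max_distinct_dsts=20, max_total=200):
    """Bucket port-25 connection attempts per (source, time window) and flag
    hosts that exceed either threshold. Blocked attempts count too: an infected
    machine keeps trying regardless of the firewall, and that attempt pattern
    is what tells the ISP which subscriber to notify. The total-count threshold
    also catches a zombie that relays everything through the smarthost.
    Returns {src: {"distinct_dsts": n, "total": m}} for flagged hosts only."""
    distinct = defaultdict(set)
    total = defaultdict(int)
    for ts, src, dst, dport in flows:
        if dport != SMTP_PORT:
            continue
        key = (src, ts // window_s)
        distinct[key].add(dst)
        total[key] += 1
    flagged = {}
    for key, dsts in distinct.items():
        n_dst, n_tot = len(dsts), total[key]
        if n_dst > max_distinct_dsts or n_tot > max_total:
            src = key[0]
            prev = flagged.get(src, {"distinct_dsts": 0, "total": 0})
            flagged[src] = {"distinct_dsts": max(prev["distinct_dsts"], n_dst),
                            "total": max(prev["total"], n_tot)}
    return flagged


def apply_policy(flows, policy):
    """Return how many flows the egress policy would drop."""
    return sum(1 for _, src, dst, dport in flows
               if not policy.permits(src, dst, dport))


# Constructed flow log: (unix_ts, subscriber_src_ip, dst_ip, dst_port)
FLOWS = []
# 10.0.0.5 behaves like a zombie: 30 distinct remote mail hosts within an hour
FLOWS += [(1000 + i, "10.0.0.5", f"198.51.100.{i}", SMTP_PORT) for i in range(1, 31)]
# 10.0.0.6 is an ordinary subscriber sending a few messages via the ISP relay
FLOWS += [(1100 + i, "10.0.0.6", "203.0.113.10", SMTP_PORT) for i in range(3)]
# 10.0.0.7 runs its own mail server and has opted back in to port 25
FLOWS += [(1200, "10.0.0.7", "192.0.2.25", SMTP_PORT),
          (1201, "10.0.0.7", "192.0.2.26", SMTP_PORT)]
# Unrelated HTTPS traffic from the zombie, untouched by the policy
FLOWS += [(1300, "10.0.0.5", "192.0.2.80", 443)]

POLICY = EgressPolicy(allow_port25={"10.0.0.7"})

if __name__ == "__main__":
    print("dropped:", apply_policy(FLOWS, POLICY))  # 30
    print("flagged:", detect_zombies(FLOWS))        # {'10.0.0.5': {'distinct_dsts': 30, 'total': 30}}
```

The policy and the detector are deliberately independent: the block limits the damage a zombie can do to third parties, while the detector works on attempted connections so that the subscriber can be told their machine is infected, which is the part of Rand's proposal the ISPs above say they already act on.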
Others might suggest that SMTP should be completely overhauled, though such a solution would be impractical because of the huge SMTP install base and the resulting network effects. This is part of the reason why email itself has not really evolved much since it was first invented.
Rand believes that ISPs are overplaying the impact that such a block would have on their services. He pointed out that some countries, such as Turkey and the Netherlands, were able to impose similar restrictions and saw a large reduction in the problem with only minimal gripes (e.g. compromised PCs in Turkey dropped from 1.7m per month to 35,000).
Trend Micro estimates that the UK is currently home to over 3 million infected machines (not including business systems) and that blocking port 25 could reduce spam by around 20 million messages per month. That is actually quite a small change, but it's suggested that a global implementation would be much more dramatic.