Internet.com ISP-Planet

 



The Port We Hate The Most

Port 25 is where the e-mail comes in. Many ISPs say it's the port they hate the most, and they'll block all traffic on it, but those that do so need to understand the consequences.

[February 5, 2004]

On the ISP-Tech list in January, CS asked:

With the profusion of viruses that send mail and spammers using proxy servers and whatnot, isn't it possible and wouldn't it be prudent to block all outgoing port 25 traffic at the router level except that which comes from my outgoing mail servers?

Does anyone do this? I'm not a router guru by any stretch but isn't it possible with an ACL?

Many had already done so.

[JS wrote] "We do, and I know many others do—it's actually something that should be standard practice. We do have some clients who need outgoing 25; we give them that on request. Although I use a Linux router, it's something you can do with Cisco as well, as well as RADIUS for your dialups."

[PM agreed] "We block incoming and outgoing port 25 on all of our dynamic pools. If you need to accept e-mail or run a mail server then you will need a static IP address, which doesn't have these blocks. We tell our customers that they can relay mail via our mail servers, regardless of their from address. We find that it cuts down the amount of direct-to-MX spam and viruses that our customers can send."

[JS replied] "Might also want to tell them that any charges you incur due to any spam they might send will be passed on, in case you need to bill them for time you spend tracking down and removing yourself from a blackhole."

[PM chuckled] "It's already in the AUP! It's also handy when people do something silly like installing formmail from '97."

[JN enthused] "If every ISP switched to blocking port 25, most spam would cease as it is currently being delivered via open proxies from viruses. I say, go ahead and do it. If you are not very big you can have some exceptions and allow overrides to those mail servers. But it's best to just have a blanket policy that your users connected to you should send through your mail server."

MS warned that it doesn't always work:

"A lot of the cable companies block port 25, but you just have to switch your mail servers to port 26, if they support it."

JC, who works for an e-mail company, added:

"We e-mail-only providers have been providing alternate ports for a long time. Some providers have proxies listening on all ports."

[RS added] "Yep, a lot of large ISPs are starting to do this, but beware. You might be surprised at how many people are using external mail servers. For example, the guy who brings his laptop home from work, or the one who has his e-mail domain hosted by another company."

[ed note: we found a service through Google ads: No-IP's Mail Reflector service allows you to run a mail server, even if your ISP blocks port 25, the standard port number reserved for Internet mail.]

We posted a link to a broadbandreports story which noted:

This week's release of the MyDoom virus (and variant) has renewed the debate among many ISPs over the tactic of blocking outgoing port 25 traffic. Port 25/TCP is used for SMTP, the outgoing mail protocol, and is often blocked by ISPs to cut down on spam (whether intentional or due to infection). The block prevents users from sending outgoing mail via any third-party mail-hosting services.

[JS replied] "It's about time, but would that even have helped with this one? Didn't this one just use the client PC's standard SMTP server as configured in Outlook Express?"

[RS continued] "Not that I saw. There might be multiple behaviors, but the virus messages I saw bypassed any mail relay configured in OE and delivered directly."

[BC concluded] "The common misconception is that it is necessary to block all outbound port 25 traffic except from your authoritative mail relay.

What is necessary is that you allow all known authoritative mail relays to send mail in/out and that all other connections that are attempted are hijacked and sent to a local authoritative relay.

This behavior can be crafted with level 4-7 Ethernet switching, with Linux, or as we do it with OpenBSD. We are mainly a Linux shop. But OpenBSD is much more efficient at this task than any other OS I have seen. We even have separate MTA systems running on the OpenBSD boxes that handle queuing, and scanning of mail for viruses, attachments, and spam before they are queued for outbound/inbound delivery. Lots of options.

These mechanisms allow for a central entry point for all SMTP traffic that can be crafted to meet the needs/demands of a virus or spam attack. We have been running ours since August in concert with Postini. It works great. We have only made minor queuing modifications since August."

—End
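
The port 25 policy discussed in this thread, modelled as an added example (it is not from the article or any poster's configuration): permit the ISP's relays and on-request exceptions, deny or redirect everything else from dynamic pools, and use the denied flows to spot hosts attempting direct-to-MX delivery. All addresses, the flow records and the `min_targets` threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# All addresses are constructed (RFC 5737 documentation ranges), not from the article.
MAIL_RELAYS = {ipaddress.ip_address("192.0.2.25")}         # ISP's own outgoing mail servers
DYNAMIC_POOLS = [ipaddress.ip_network("198.51.100.0/24")]  # dial-up / DHCP customers
EXEMPT = {ipaddress.ip_address("198.51.100.77")}           # customer granted port 25 on request
SMTP_PORT = 25

def decide(src, dst, dport, redirect=False):
    """Return 'permit', 'deny' or 'redirect' for one outbound TCP flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != SMTP_PORT:
        return "permit"        # the policy only looks at port 25
    if src in MAIL_RELAYS or dst in MAIL_RELAYS or src in EXEMPT:
        return "permit"        # relay traffic, mail handed to the relay, exceptions
    if any(src in pool for pool in DYNAMIC_POOLS):
        # redirect=True models sending the connection to a local relay instead
        return "redirect" if redirect else "deny"
    return "permit"            # static addresses are left unfiltered in this model

def suspects(flows, min_targets=3):
    """Sources whose denied port-25 flows reach at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if decide(src, dst, dport) == "deny":
            targets[src].add(dst)
    return sorted(s for s, d in targets.items() if len(d) >= min_targets)

# Constructed flow records: (source, destination, destination port)
FLOWS = [
    ("198.51.100.10", "192.0.2.25", 25),   # customer using the ISP relay
    ("198.51.100.20", "203.0.113.1", 25),  # direct-to-MX attempts from one host
    ("198.51.100.20", "203.0.113.2", 25),
    ("198.51.100.20", "203.0.113.3", 25),
    ("198.51.100.30", "203.0.113.9", 25),  # laptop user with an external mail server
    ("198.51.100.30", "203.0.113.9", 26),  # same server on an alternate port
    ("198.51.100.77", "203.0.113.5", 25),  # exempted customer
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, decide(*flow), decide(*flow, redirect=True))
    print("likely infected:", suspects(FLOWS))
```

The port 26 flow is permitted because the filter matches only port 25, which is the limitation MS and JC describe; the single denied flow from 198.51.100.30 is the legitimate external-mail-server user RS warns about and stays below the threshold.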
