
Port 25 will be blocked for South Korea from December - Tsagadai
http://zombie-storage.com/?p=95
======
mike-cardwell
<http://www.postcastserver.com/help/Port_25_Blocking.aspx>

    
    
      ISPs that block Port 25
    
      This list contains some of the major ISPs that block port 25 on their servers:
    
      AT&T (can be unblocked at the request)
      MindSpring
      BellSouth
      MSN
      CableOne
      NetZero
      Charter
      People PC
      Comcast ATTBI
      Sprynet
      Cox
      Sympatico.ca
      EarthLink
      Verio
      Flashnet
      Verizon
      MediaOne
    

I don't know how accurate or up to date this list is, but I know that _loads_
of residential ISPs in countries all over the World block outgoing port 25.

~~~
alexchamberlain
I think this is irrelevant. Don't these ISPs still run SMTP servers on port
25, but they force you to use theirs? Their SMTP servers then contact other
SMTP servers on port 25 to actually deliver the mail.

~~~
mike-cardwell
Yes they do. And thus botnets are forced to route via the ISP's intermediary
server instead of making a direct connection to the recipient mail server.
That intermediary server can apply rate limiting and blocking.

ISPs who implement blocks on port 25 and force everyone to use their mail
server are able to take responsibility for the spam leaving their network.

Note, ISPs don't block ports 587 and 465, so they're not preventing you from
using services like GMail etc.

Also, it is completely relevant as they have all done exactly what is being
proposed in the article being discussed. ISPs in South Korea will _also_
provide mail relays for their subscribers to use.
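
The relay-side control described in the comment above (rate limiting and blocking at the ISP's intermediary server), as an added example that is not part of the original thread. The class name, thresholds and log format are illustrative assumptions, and the log entries are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed relay log: (unix_time, subscriber_ip, recipient_address).
# 192.0.2.10 behaves like a normal user, 192.0.2.66 like a bot-infected host.
SAMPLE_LOG = (
    [(0, "192.0.2.10", "alice@example.org"), (400, "192.0.2.10", "bob@example.net")]
    + [(i, "192.0.2.66", f"user{i}@domain{i}.example") for i in range(1, 41)]
)

class RelayLimiter:
    """Per-subscriber sliding-window limits (hypothetical thresholds)."""

    def __init__(self, window=600, max_msgs=20, max_domains=10, block_after=5):
        self.window, self.max_msgs = window, max_msgs
        self.max_domains, self.block_after = max_domains, block_after
        self.recent = defaultdict(deque)  # ip -> (time, domain) of accepted mail
        self.rejects = defaultdict(int)   # ip -> consecutive deferred messages
        self.blocked = set()              # ips refused until an operator clears them

    def decide(self, ts, ip, rcpt):
        if ip in self.blocked:
            return "block"                # relay would answer with an SMTP 5xx
        q = self.recent[ip]
        while q and q[0][0] <= ts - self.window:  # expire entries outside window
            q.popleft()
        domain = rcpt.rsplit("@", 1)[-1].lower()
        domains = {d for _, d in q} | {domain}
        if len(q) >= self.max_msgs or len(domains) > self.max_domains:
            self.rejects[ip] += 1
            if self.rejects[ip] >= self.block_after:
                self.blocked.add(ip)      # sustained abuse: stop relaying for this ip
            return "defer"                # SMTP 4xx: a legitimate client retries later
        self.rejects[ip] = 0
        q.append((ts, domain))
        return "accept"

def replay(log, limiter=None):
    """Run a log through the limiter; return per-ip decision counts and blocked ips."""
    limiter = limiter or RelayLimiter()
    tally = defaultdict(lambda: defaultdict(int))
    for ts, ip, rcpt in sorted(log):
        tally[ip][limiter.decide(ts, ip, rcpt)] += 1
    return {ip: dict(counts) for ip, counts in tally.items()}, limiter.blocked
```

A host connecting directly to recipient mail servers on port 25 would never pass through a check like this, which is why the block and the relay are deployed together.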

~~~
alexchamberlain
But this is really easy to work around. Isn't South Korea arguing that all
mail relays should block port 25, not just those on residential networks?

~~~
mike-cardwell
I haven't seen them say that anywhere. If they block port 25 everywhere, then
they simply prevent the ability to send or receive email within South Korea.
That's clearly not their plan.

The port 25 block is _designed_ to force compromised systems to route email
via controlled boxes. The fact that you can route email via controlled boxes
doesn't mean you've worked around the block, it means you've been forced to do
exactly what the intention was.

~~~
alexchamberlain
Maybe I've misunderstood something. I wonder how much spam is sent via
compromised residential systems and how much is sent via less than perfect
commercial systems?

~~~
mike-cardwell
The vast majority is from botnets, which are comprised mostly of compromised
residential systems.
[http://www.theblaze.com/stories/email-spam-down-82-percent-s...](http://www.theblaze.com/stories/email-spam-down-82-percent-since-july-2010/)

------
hutler
Same decree issued by telco authority here in Finland. Nice combo with the
mandatory data retention laws (must use isp mail servers + isp must keep and
hand out logs to authorities).

~~~
marvin
That's actually pretty sinister. I'm in Norway, and although there hasn't been
any push to centralize and consolidate the e-mail servers in the name of spam,
the EU data retention directive was passed here in April after lots of
resistance.

I hoped that our neighbors were in a better position to fight these attacks on
liberty online. Is privacy on the web really under this much pressure in
Finland?

~~~
mike-cardwell
You may consider it sinister, but it's a fairly common practice all over the
World for residential ISPs.

~~~
Daniel_Newby
"Must use archiving ISP mail servers" is sinister.

~~~
baudehlo
Email is a postcard, not a securely sealed envelope. If you want it to be
securely sealed use PGP, then the archiving doesn't matter.

------
chrislomax
Would a better alternative not be to not allow insecure mail servers? Why
don't mail server providers disallow their programs from being open relays or
have IP/Username and password restrictions in place.

I configured our mail server to only accept mail from our internal work IP
address and from authorised users.

Obviously mass mail providers will only be able to impose a username and
password restriction but I would say the best way is to stop people producing
mail software that can be open.

~~~
pferde
_I configured our mail server to only accept mail from our internal work IP
address and from authorised users._

So if one of your office PCs catches an e-flu, it will have no trouble using
your mailserver to spread spam.

The way I see it, the only way is to make SMTP authentication mandatory
_everywhere_ (except perhaps on your desktop localhost, which should accept
mail from you, but should be required to authenticate when pushing your
outgoing mail to your upstream mailserver).

~~~
apgwoz
So that if one of your office PCs gets compromised the SMTP authentication is
also compromised, and therefore you have the same problem. This is assuming
you don't require that someone type their password every time they send a
message--that'd be ridiculous.

~~~
pferde
Yes, I imagine there is malware out there which can read smtp credentials from
an infected host, but the majority can't, and will just try sending out without
authentication. If nothing else, the resulting amount of spam is decreased
severely.

OTOH, if smtp auth became mandatory, or at least widely used, malware would
just adapt, and its ability to sniff out credentials would improve. Arms race
and all that. So scratch my idea.

------
alexchamberlain
IMHO The best way to reduce spam is to identify the problems in the current
incarnation of email and design a new system that takes such problems into
account.

~~~
jbert
Well, the same problems apply to postal mail, IM and phone calls, etc.

I think the two properties which a comms method needs to have a spam problem
are:

1) it is inexpensive to communicate with someone

2) it has a fixed, human-memorable "address" which can be communicated out
of band (business card, verbally etc)

Once you have these two things, such lists of fixed addresses can accumulate and
be circulated - and they can be spammed.

(2) implies that your comms method accepts comms from unknown people. (1) is
necessary for spammers to bother to use that channel to communicate with
you.

I think you have to give up one or the other of these things to avoid spam.
Note that (1) is a sliding scale. Physical post is significantly more
expensive than email to send, and suffers less spam - but it is not non-zero.

Basically if cost of "customer acquisition" < "cost to send spam" on that
comms channel, then you'll get some (if (2) is met).

[*] I suppose some heuristics to decide if it is OK for "random unknown user
X" to contact me can help. But false positives are the very devil here...

~~~
alexchamberlain
Why can't I be asked the first time someone communicates with me? (This is ofc
client-side spam prevention, but it should be passed upstream ideally)

However, this isn't necessary for all communications. For instance, if a
communication is signed by a reputable company (bank, for instance), then
don't bother asking. ISPs should keep the list of reputable companies as short
as possible and, regardless, it gets rid of phishing emails.

~~~
mike-cardwell
If people see a message saying "x has tried to contact you, do you wish to
allow them", some of them will say yes. So spammers will continue to spam just
as hard as they always have.

Also, considering how easy it would be to spoof "x", they could probably make
people click "yes" a significant amount of the time.

~~~
alexchamberlain
You have defined problem number (3): the ability to spoof. Introduce
certificates and signing - problem "sorted".

~~~
mike-cardwell
You mean like S/MIME, PGP, DKIM?

How does this prevent me from getting a certificate for "Viagra Salesman" or
even "Roger Smith" and sending spam selling viagra?

~~~
alexchamberlain
Directly, it doesn't. However, I can block your certificate, or better, I can
block the CA signing certificates that represent either businesses I don't
want to talk to or people who don't really exist.

Whilst I don't generally believe governments should intervene in the internet,
this is one area they could intervene in. They could act as a certificate
authority.

Of course, CAs will make mistakes, but they can revoke certificates when
things go wrong.

~~~
mike-cardwell
You can also currently block IPs, domains, URLs and specific message content.
There are even globally distributed lists of such things.

This is already how we manage to block most spam on the edge. What you're
proposing is just a small iteration on the existing defences. An expensive
one, which wouldn't work unless you managed to get everyone doing it at the
same time.

------
jaequery
it's a good idea. but scary to think what govt can't do.

~~~
astrodust
Blocking port 25 doesn't impact people in a meaningful way, only spammers. For
years virtually every ISP has offered an alternate port like 587.

