Jay R. Ashworth wrote:
On Wed, Sep 03, 2008 at 11:56:51AM -0400, Justin Scott wrote:
As a small player who operates a mail server used by many local businesses, this becomes a support issue for admins in our position. We operate an SMTP server of our own that the employees of these various companies use from work and at home. Everything works great until an ISP decides to block 25 outbound. Now our customer cannot reach our server, so they call us to complain that they can receive but not send e-mail. We, being somewhat intelligent, have a support process in place to walk the customer through the SMTP port change from 25 to one of our two alternate ports.
The problem, however, is that the customer simply cannot understand why their e-mail worked one day and doesn't the next. In their eyes the system used to work, and now it doesn't, so that must mean that we broke it and that we don't know what we're doing.
I feel your pain, local compadre, but I'm on their side.
Here's your script:
"Allowing unfiltered public access to port 25 is one of the things that increases everyone's spam load, and your ISP is trying to be a Good Neighbor in blocking access to anyone's servers but their own; many ISPs are moving towards this safer configuration. We're a good neighbor, as well, and support Mail Submission Protocol on port 587, and here's how you set it up -- and it will work from pretty much anywhere forever."
I think this all vastly underrates the agility of the bad guys. So lots of ISPs have blocked port 25. Has it made any appreciable difference? Not that I can tell. If you block port 25, they'll just use another port and a relay if necessary. But the thing that's really pernicious about this sort of policy is that it's a back door policy for ISPs to clamp down on all outgoing ports in the name of "security". And it's almost plausible, except for the annoying problem that the net becomes secure and useless in one swell foop. That said, I heard a pretty amazing claim made by somebody while I was still at the big ol' networking company that ISPs in general not only didn't know which of their customers' computers were owned, but that they didn't want to know. Even putting aside the claim of blissful ignorance, port 25 blocking is nothing more than a Maginot Line for the larger problems of infected computers. If we really wanted to curb spam, why don't we just put them in the penalty box until they are remediated? Heck, that even stops lots of other attacks that have nothing to do with port 25 too.

Mike
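For readers who want to offer the port 587 submission service Jay describes without turning the server into an open relay, here is an added Postfix configuration (not from the thread, which names no MTA); the hostname, certificate paths and the Dovecot SASL backend are assumptions.

```conf
# /etc/postfix/master.cf  (assumed path)
# Submission service on 587: TLS is mandatory, then SASL authentication,
# and only authenticated users may relay. Nothing unauthenticated gets
# past the client restriction, so an ISP blocking 25 does not matter
# and the service cannot be abused as a relay.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# /etc/postfix/main.cf  (assumed path)
# Port 25 stays for server-to-server mail and relays only for local
# destinations (or from mynetworks); customers are moved to 587.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# TLS material for the submission listener (placeholder names).
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file  = /etc/ssl/private/mail.example.com.key

# SASL via Dovecot's auth socket (assumed backend).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
```

Watching the `postfix/submission` syslog name separately makes failed logins on 587 easy to spot without digging through port 25 traffic.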