From nanog-bounces+bonomi=mail.r-bonomi.com@nanog.org Tue Sep 7 15:15:13 2010
Date: Mon, 6 Sep 2010 19:55:06 -0500
From: Brett Frankenberger <rbf+nanog@panix.com>
To: deleskie@gmail.com
Subject: Re: ISP port blocking practice
Cc: NANOG list <nanog@nanog.org>

On Mon, Sep 06, 2010 at 10:38:15PM +0000, deleskie@gmail.com wrote:
Having worked in past @ 3 large ISPs with residential customer pools I can tell you we saw a very direct drop in spam issues when we blocked port 25.
No one is disputing that. Or, at least, I'm not disputing that. I'm questioning whether or not the *Internet* has experienced any decrease in aggregate spam as a result of ISPs blocking port 25. Did the spam you blocked disappear, or did it all get sent some other way?

_I_ can't say about 'some other way', but, on average, between 1/4 and 1/3 of all the incoming spam at my personal server is 'direct to MX', that would have been, at least, 'slowed a little bit' by "classical, dumb" port 25 blocking.

Now, a *smart* port 25 enforcer -- where traffic outbound to port 25 was selectively NATted into a 'data sink' -- something that replies "200" to everything up to the DATA command, and _always_ gives a 5xy response to that (with text like "you must send outgoing mail through our server"), WOULD kill the traffic dead. Or, at least, force the spamware writers to start paying attention to SMTP response codes, *IF* they wanted to count deliveries. All available evidence says that -most- spammers/spamware/botnets pay no attention to such -- as established by the effectiveness of GreetPause, and greylisting.

It is worth noting that this kind of 'smart' port 25 blocking would also automatically identify 'infected' machines, and by consulting the records of who is currently on that IP address, tell _which_customer_ has the infected machine, *AND* notify the customer of their problem. All without any need for any (expensive) human involvement.

Aside, if spamware _had_ to 'obey the rules' of SMTP transactions, regarding reading reply codes, that alone would probably reduce by 50%, if not more, the aggregate sending _capacity_ of the world's spam sources. Whether that would make much of a difference, I don't know -- depends on how far existing 'capacity' exceeds existing usage/demand.
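
The 'data sink' described above, sketched as an added example that is not part of the original message: it answers with the standard 220/250 success replies, refuses DATA with a 554, and counts refusals per source IP for the customer lookup. The hostname, listening address and in-memory counter are assumptions for illustration.

```python
"""SMTP sink for outbound port-25 traffic redirected by the ISP (illustration)."""
import socketserver
from collections import Counter

HOST = "sink.example"   # constructed hostname
GREETING = f"220 {HOST} ESMTP"
REJECT = "554 5.7.1 You must send outgoing mail through our server"
hits = Counter()        # source IP -> DATA attempts refused

def reply_for(line):
    """Reply to one client line: success for everything except DATA."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb == "DATA":
        return REJECT                  # never 354, so no body is accepted
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    if verb in ("EHLO", "HELO"):
        return f"250 {HOST}"           # single line: no extensions offered
    return "250 2.0.0 OK"              # MAIL FROM, RCPT TO, RSET, stray body lines

def session(peer_ip, lines):
    """Yield the sink's replies for one connection, counting refused DATA."""
    yield GREETING
    for line in lines:
        reply = reply_for(line)
        if reply == REJECT:
            hits[peer_ip] += 1         # feeds the customer lookup/notification
        yield reply
        if reply.startswith("221"):
            return

class SinkHandler(socketserver.StreamRequestHandler):
    timeout = 30                       # drop idle clients

    def handle(self):
        ip = self.client_address[0]
        lines = (raw.decode("latin-1") for raw in self.rfile)
        try:
            for reply in session(ip, lines):
                self.wfile.write(reply.encode("ascii") + b"\r\n")
        except OSError:
            pass                       # timeout or reset; hits is already updated
        print(f"{ip} refused_data={hits[ip]}")

if __name__ == "__main__":
    # Assumed listener; the redirect of customer port-25 traffic is done elsewhere.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2525), SinkHandler) as srv:
        srv.serve_forever()
```

A sender that ignores the 554 and keeps transmitting a message body still gets a 250 for each stray line, while the refusal has already been counted against its address.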