According to ISPreview, Trend Micro has apparently agitated British ISPs by suggesting that they block their users’ port 25 SMTP access to external mail servers (connections to the ISPs’ own mail servers would not be affected).
The suggestion was offered as a tactic to prevent botnets of infected personal computers from connecting to external mail servers, which is how many spammers send such massive amounts of junk email.
Interestingly, a number of articles and blog posts have been published recently that stand in opposition to this proposal, such as these articles on AllSpammedUp and ComputerWeekly.
Most of what we’ve read on the subject so far doesn’t answer the question as to whether blocking Port 25 is a good idea or not. What is clear is that very few people, even those with technical backgrounds, actually understand the issue.
Positions taken against blocking port 25 include claims that such blocking would:
- Force sending email only through ISP mail servers, greatly inconveniencing users who wish to send mail through accounts they may have through work, schools or other organizations.
- Result in spammers shifting tactics to abuse other vulnerabilities, such as social networks.
- Be ineffective because most SMTP servers also accept connections on ports 465 and 587.
- Increase virus risks because: “Many anti-virus programs monitor port 25 by default, so blocking this port would leave users unprotected unless they manually change their security software settings.”
- Create unspecified problems: “there is the possibility that the system will go wrong and block other things by mistake.”
With such a mixed bag of misinformation it’s easy to see why there is still debate on the issue. How can the facts be reasonably discussed when so few know what they are?
For the record, and to correct one erroneous point at a time:
- Simply put, users don’t need access to port 25 in order to send mail. Almost any current email client can send outbound mail through the mail server of your choice using port 587, which is the port actually specified by RFC 4409 for client submission. Enabling the use of port 587 typically requires no more than selecting “Alternate Submission Port” in the client, if any effort is required at all. Because of RFC 4409, more and more email clients now automatically try 587 first, and only fall back to 25 if that is unavailable.
- Claiming that port 25 should be left open for spammers’ botnets to exploit so they don’t move on to more sophisticated techniques is laughable at best. It’s a non-argument that could be used as disingenuous support against any and every spam filtering or virus detection technique ever conceived; and it would be equally specious in every case.
- It is true that many email servers (though not all) will accept SMTP to port 465 without authentication. It’s also true that spammers might very well modify their botnets to exploit this. For that reason, 465 should be blocked as well. Since it was never intended for SMTP, that’s no real loss to anyone, either. By contrast, when submitting to port 587, a properly configured mail server will require the user to authenticate with a valid login and password, and therein lies the key distinction. Allowing unrestricted access to 25/465 enables spammers to send email without any authentication, whereas 587 does not. Thus, while real users can still send mail through the server of their choice using port 587 (assuming they have the right to do so), infected zombies cannot.
- The statement that “Many anti-virus programs monitor port 25 by default” might be true for mail servers, which both send and receive mail on port 25. However, personal computers and other devices that are not mail servers receive their mail through ports 110, 143, 993, or 995. There is nothing on a personal computer that should be listening on port 25, and no security vulnerability is created by using alternate ports for sending outbound mail.
- As for the “possibility that the system will go wrong and block other things by mistake”, it should suffice to point out that port 25 is only used for email, so this generic and uninformed fear of change is really just that.
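The distinction the post draws between port 25 and port 587 is a server-side policy, not a property of the port number. The following is an added example, not code from the original post or from OnlyMyEmail: a small simulation of a dual-role mail server that demands SMTP AUTH before MAIL FROM on the submission port (587) and, on port 25, accepts unauthenticated mail only for the domains it hosts and refuses to relay anywhere else. The domains, credentials and the simplified `user:password` form of the AUTH command are constructed assumptions for the illustration.

```python
"""Policy model of a mail server answering on both port 25 (MTA) and port 587 (submission).

Constructed example. It does not speak real SMTP over a socket; it replays a
command list through the policy a properly configured server applies and
returns the reply codes, so the difference between the two ports is visible.
"""

SUBMISSION_PORT = 587
MTA_PORT = 25
LOCAL_DOMAINS = {"example.org"}                   # assumed: domains this server hosts
VALID_USERS = {"alice": "correct-horse-battery"}  # constructed credential store


class SmtpSession:
    """One client connection; tracks authentication state and the envelope."""

    def __init__(self, port):
        self.port = port
        self.authenticated = False
        self.sender = None
        self.replies = []

    def _reply(self, code, text):
        self.replies.append(f"{code} {text}")
        return code

    def handle(self, line):
        """Apply the policy to one command and return the SMTP reply code."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return self._reply(250, "ok")
        if verb == "AUTH":
            # AUTH is only offered on the submission port; simplified to user:password
            if self.port != SUBMISSION_PORT:
                return self._reply(503, "AUTH not offered on this port")
            user, _, password = arg.partition(":")
            if VALID_USERS.get(user) == password:
                self.authenticated = True
                return self._reply(235, "Authentication successful")
            return self._reply(535, "Authentication credentials invalid")
        if verb == "MAIL":
            # The key rule: on 587 nobody gets to MAIL FROM without authenticating
            if self.port == SUBMISSION_PORT and not self.authenticated:
                return self._reply(530, "Authentication required")
            self.sender = arg
            return self._reply(250, "sender ok")
        if verb == "RCPT":
            if self.sender is None:
                return self._reply(503, "need MAIL first")
            domain = arg.rsplit("@", 1)[-1].rstrip(">").lower()
            # On port 25 unauthenticated peers may only deliver to our own domains (no open relay)
            if self.port == MTA_PORT and domain not in LOCAL_DOMAINS:
                return self._reply(554, "Relay access denied")
            return self._reply(250, "recipient ok")
        return self._reply(500, "command unrecognized")


def run_script(port, commands):
    """Replay a list of SMTP commands on the given port; returns the reply codes."""
    session = SmtpSession(port)
    return [session.handle(cmd) for cmd in commands]


# Constructed conversations: a bot with no credentials versus a real user.
ZOMBIE_DIRECT = ["EHLO bot.example", "MAIL FROM:<x@spam.example>", "RCPT TO:<victim@other.example>"]
LEGIT_USER = ["EHLO laptop", "AUTH alice:correct-horse-battery",
              "MAIL FROM:<alice@example.org>", "RCPT TO:<victim@other.example>"]
INBOUND_MTA = ["EHLO mx.other.example", "MAIL FROM:<bob@other.example>", "RCPT TO:<alice@example.org>"]

if __name__ == "__main__":
    print("zombie on 587:", run_script(587, ZOMBIE_DIRECT))   # refused at MAIL
    print("zombie on 25: ", run_script(25, ZOMBIE_DIRECT))    # refused at RCPT (relay)
    print("user on 587:  ", run_script(587, LEGIT_USER))      # accepted
    print("peer MTA on 25:", run_script(25, INBOUND_MTA))     # accepted for local domain
```

The same bot script fails on both ports, but for different reasons: on 587 it cannot get past MAIL FROM without credentials, and on 25 it can only address the server's own users. What an ISP block of outbound 25 removes is the bot's ability to play the third role, that of a peer MTA delivering to arbitrary servers.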
While other weak and inaccurate positions can likely be put forth against port 25 blocking, there is not much substance to any of them. The only somewhat valid argument that can be advanced is that blocking port 25 would make it more difficult to run an actual mail server on a PC connected through a residential broadband connection. This obviously doesn’t affect the average user, whether business or residential, but is commonly put forth by techies who like to run mail servers on their home PCs… mostly just because they can.
In cases where a user wishes to run a mail server out of their basement or small office, their ISP could unblock port 25 for that connection, or they could configure their server to relay its mail through their ISP or another party via the submission port.
On the other hand, there is actually quite a bit of benefit to having ISPs block port 25 in that it neutralizes spam sending ability of most infected personal computers.
In order to understand this, you need only grasp a few key points:
- ISPs almost always allow access to their own mail servers through ports 25, 465 and 587, so the only user affected by any of this discussion is the one who connects to the Internet through their ISP but wants to send mail through some external mail server.
- In those instances, the user’s email client software can submit to the mail server of their choice using the RFC-specified port 587. A properly configured server will require that the client authenticate on this port, which keeps the zombies out while allowing real users in.
- Mail servers communicate with other mail servers using port 25. Allowing unrestricted access to external servers through port 25 just permits infected PCs to pretend they are mail servers, sending mail directly to any other mail server on the Internet without having email access, authentication or privileges on any legitimate system.
- ISP blocking of port 25/465 cripples the existing zombie botnets, leaving them unable to spam, but has no effect whatsoever on mail server to mail server traffic.
While blocking Port 25/465 won’t end spam, it will absolutely make it much more difficult for spammers to send the volume of email they currently do using infected PCs.
It will also have the effect of sparing a lot of small businesses from having their mail servers relentlessly pounded to the point of crawling or crashing altogether. As it now stands, millions of infected PCs can open mail server connections to any business’s mail server simultaneously, overwhelming bandwidth and CPU resources while also crowding out connections from legitimate mail servers attempting to deliver real email.
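The key points above describe a filter rule (outbound 25/465 only to the ISP's own servers, 587 anywhere) and a traffic pattern (one subscriber opening port-25 connections to many unrelated mail servers). Below is an added example, not from the original post, that puts both into code: an egress policy decision per connection, and a detector that runs over connection records and flags subscribers behaving like a spam zombie. The ISP mail server addresses, the subscriber range and the flow records are constructed sample values.

```python
"""ISP-side outbound SMTP policy and a zombie detector over connection records.

Constructed example. Addresses come from the documentation ranges
(198.51.100.0/24 subscribers, 203.0.113.x ISP mail servers, 192.0.2.x external
servers) and the flow list is made up to show the pattern.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

ISP_MAIL_SERVERS = {ip_address("203.0.113.25"), ip_address("203.0.113.26")}  # constructed
SUBSCRIBER_NET = ip_network("198.51.100.0/24")                               # constructed
BLOCKED_OUTBOUND = {25, 465}   # only reachable on the ISP's own servers
SUBMISSION_PORT = 587          # authenticated submission, allowed anywhere


def policy(src, dst, dport):
    """Decide 'allow' or 'drop' for one outbound TCP connection attempt."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in SUBSCRIBER_NET:
        return "allow"                      # not subscriber egress; out of scope
    if dport in BLOCKED_OUTBOUND and dst not in ISP_MAIL_SERVERS:
        return "drop"                       # direct MTA-style delivery from a subscriber
    return "allow"                          # 587 (and all non-SMTP traffic) untouched


# Constructed connection records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("198.51.100.10", "203.0.113.25", 25),   # ordinary user -> ISP mail server
    ("198.51.100.10", "192.0.2.50", 587),    # ordinary user -> employer's server, submission port
    ("198.51.100.10", "192.0.2.50", 25),     # same user, legacy client config on port 25
    ("198.51.100.10", "192.0.2.60", 443),    # unrelated web traffic
] + [("198.51.100.77", f"192.0.2.{n}", 25) for n in range(1, 9)]  # one host, 8 distinct MX targets


def find_zombies(flows, threshold=5):
    """Subscribers that attempted port-25 connections to >= threshold distinct external hosts.

    A real mail client talks to one or two servers; a bot acting as an MTA fans
    out to many.  Connections to the ISP's own servers are not counted.
    """
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport != 25:
            continue
        if ip_address(src) in SUBSCRIBER_NET and ip_address(dst) not in ISP_MAIL_SERVERS:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def apply_policy(flows):
    """Count how many of the records the policy would allow and drop."""
    counts = {"allow": 0, "drop": 0}
    for src, dst, dport in flows:
        counts[policy(src, dst, dport)] += 1
    return counts


if __name__ == "__main__":
    print("policy outcome:", apply_policy(SAMPLE_FLOWS))
    print("suspected zombies:", find_zombies(SAMPLE_FLOWS))
```

Note that the ordinary user's single legacy port-25 connection is dropped by the policy but is not reported by the detector: the detector keys on fan-out, which is also the signal an ISP can use to notify a subscriber that their machine is infected rather than silently discarding packets.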
It’s also worth noting that many if not most of the major broadband providers in the United States (and elsewhere) already do block unrestricted access to external mail servers over port 25 and few if any end-users are inconvenienced or even know the difference.
- -
OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.
Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."
OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.
Good comments – and useful. The canonical sources on Port 25 management are Anti-spam Technical Alliance proposals available at http://bit.ly/6CbqzP and Messaging Anti Abuse Working Group paper available at http://bit.ly/157FVN. Port 25 blocking is not the only or the final anti-spam solution, but it’s an important part of the solution.
Why are you being so biased??
Complaint #1 is not erroneous. Maybe the net benefits outweigh the costs of allowing port 25 traffic, but there is no denying that it is an inconvenience to legitimate users including myself. Deliberately dropping packets for port 25 at the ISP means many things don’t work as they were intended to.
I’ve never considered complaint #4, but now that you bring it up, it’s a legitimate concern that the IDS tools aren’t monitoring the correct ports. Your rebuttal makes no sense. If everyone had an IDS tool monitoring port 25 in the first place, then the exploitation by the botnet would be detected much sooner and the blocking of port 25 would have never come to pass.
You can take the test at http://port25.icannotconnect.com to see if your ISP is actually blocking outgoing port 25