Tuesday, November 25 2008, 07:53
Port 25 blocking from Internet Service Providers to solve spam: a false good idea
For the last month, I had noticed occasional problems sending e-mails from my professional POP-based account (I also have a professional Exchange account, but I don’t use that one very much for a lot of historical reasons, such as my BlackBerry subscription only working with POP-based accounts until I got my new phone). The hosting company hosting this POP account had been having a lot of problems for months, and I was using their SMTP server (requiring SMTPAuth) to send e-mails from this account. I was busy at the time and just wanted my urgent e-mails to get out, so, thinking they had yet another breakdown, I switched to my Internet Service Provider (ISP)’s SMTP server (on port 25) and it worked fine. However, that obviously meant that as soon as I plugged my computer into a network using another ISP, this SMTP server would block my e-mails because they were sent from an Internet line leased from a competitor. Changing the SMTP server every time was an unacceptable loss of time and bother, so I set out and investigated.
I didn’t notice it immediately, but the problem only happened when working from home: from there, sending e-mails through any SMTP server other than the ISP’s own on port 25 failed, the e-mail being stuck in my outbox. I experimented a bit further and found that using the SMTP server from my hosting plan on port 2525 worked. The problem is that I didn’t want to use port 2525, because this outgoing port is blocked at the office by our corporate firewall. I could obviously create a rule to let port 2525 out, but I didn’t want to allow another outbound port from our network just for that.
I disabled all the components of my antivirus (I thought maybe it had decided to block port 25 for some reason after a definition update) and tried again using my hosting’s SMTP server on port 25 this time… without success. At this point, I got somewhat pissed and decided to bring out the big guns, namely Wireshark (formerly Ethereal, the most powerful packet sniffer, available on many platforms) to see what was happening to the requests made by my e-mail client to the e-mail server. I could see packets leaving for port 25 of the SMTP server but never any reply coming back, indicating that they were likely being dropped at some point by a firewall.
I don’t use any software firewall, just the hardware one built into my home router. My home router (a Freebox from Free.fr) is a bit particular, as the configuration isn’t done in the router itself through a built-in HTTP interface like usual but from a web console on Free’s website, the router pulling configuration changes (along with any firmware update) from the ISP’s server every time it initializes itself (after a power cycle, for example). In other words, I knew I hadn’t changed anything on my home firewall, but maybe the ISP had, especially since the configuration is stored on their servers. I went to my ISP’s account web page and checked the router’s configuration settings, and sure enough a new option poetically named “Outgoing SMTP protocol blocking” had made its appearance since the last time and was ticked by default! I unticked it, saved the new settings, restarted my router, and my e-mails were going out again through any server on port 25.
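The diagnosis above (packets sent to port 25, no reply; port 2525 on the same server working) can be automated. The script below is an added example, not part of the original post: it probes one mail server on the ports the post discusses and tells a silently dropped connection apart from a refused one or a normal 220 greeting. Port 587 (the standard submission port, RFC 6409) is an extra check the post does not mention, and the fake banner server is a constructed stand-in so the script runs offline.

```python
import socket
import threading

# Ports from the post: 25 (SMTP) and 2525 (the alternate many hosts listen on);
# 587, the standard submission port (RFC 6409), is an extra the post omits.
DEFAULT_PORTS = (25, 587, 2525)

def probe_smtp(host, port, timeout=3.0):
    """Verdicts: open (220 greeting), no-banner (connected, no greeting), refused
    (TCP RST), filtered (SYN sent, no reply: the post's Wireshark pattern), error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                greeting = sock.recv(512).decode("ascii", errors="replace")
            except socket.timeout:
                return "no-banner"
            return "open" if greeting.startswith("220") else "no-banner"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"  # name resolution or routing failure, not a verdict

def diagnose(results):
    """Reduce {port: verdict} to the conclusion the post reached by hand."""
    others_open = any(v == "open" for p, v in results.items() if p != 25)
    if results.get(25) == "filtered" and others_open:
        return "port 25 dropped upstream (router/ISP); other ports reach the server"
    if results.get(25) == "open":
        return "port 25 egress is not blocked from this network"
    return "inconclusive: verify the server from another network"

def start_fake_smtp_server():
    """Constructed offline stand-in for a mail server: greets with a 220 banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            with srv.accept()[0] as conn:
                conn.sendall(b"220 fake.example ESMTP ready\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_local_port():
    """Constructed helper: loopback port with nothing listening (expect 'refused')."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against a real server, run `diagnose({p: probe_smtp("your.smtp.host", p) for p in DEFAULT_PORTS})` from the home network and again from another network; only the combination of both runs separates an ISP/router block from a server-side outage.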
The rationale behind the cause
It is quite scary to think that from one day to the next, an ISP might decide to block some servers or protocols. It isn’t really big news that this happens, especially with P2P protocols and binary newsgroup servers (mostly used for piracy and pornography), but on something as mundane as e-mail? Why did they even do that? The reason is simple: to fight spam… well, or should I say to fight how much spam actually costs them.
Every day, people all around the world get infected by viruses, and their PCs get turned into zombies that send hundreds to thousands of spam or virus e-mails per minute. Of course, to do that, the malware needs to use an SMTP server somewhere: either one located directly on the machine and installed by the malware itself, one from a list of pre-registered SMTP servers around the world, or even the one configured in the e-mail client’s accounts (which is just a simple matter of reading a registry entry or a file, depending on the client, after all).
Advantages and downsides of blocking port 25
The problem here is that I have a hard time seeing how it can actually help solve spam in a significant manner in the long run. For example, if the virus that infected the computer installed a compact SMTP server with the rest of its payload (not that uncommon), the SMTP server will be accessed through the 127.0.0.1 IP address (localhost), which is the local machine, meaning the ISP’s firewall will not see this traffic and as a result will not block it. But even if it did, the workaround would be simple: run the same compact SMTP server on a port other than 25, which isn’t filtered. The same is true if it is using a list of legitimate and respectable SMTP servers: many of them also accept connections on port 2525, which means this just moves the problem to another port, as I don’t see why spammers would be dumb enough not to use it as soon as they figure out that port 25 is getting massively blocked. Once we get there, what will be next? Blocking 2525 so that, for example, 2626 gets used, and so on? The only positive point is that it could prevent a lot of already infected zombie PCs from sending more spam from now on, but let’s remember that a lot of malware is remotely operable (through IRC bots, for example) and thus able to download new and “improved” versions of itself.
While this blocking has some immediate advantages but virtually none in the long run, it brings a lot of complications to a computing world that is already complex enough, both for consumers and IT professionals. Nowadays, many employees worldwide work from home and use their company’s servers to pull and send e-mails. Many users are also mobile and on the road most of the time, which means they connect to networks operated by various ISPs. For these categories of users, using a single SMTP server from one particular ISP simply won’t work. The solution used to be simple: use the SMTP server that comes with your hosting plan (most of the time using SMTPAuth to make sure the user is allowed to use this server).
Things could quickly take a turn for the worse for IT departments if more ISPs follow this trend of blocking port 25 to any SMTP server but theirs. This is especially true if they do not use a centralized e-mail server like Microsoft Exchange but rather the traditional POP/SMTP combination: many accounts are already configured in e-mail clients like Outlook, and changing them all would take time, especially if the said e-mail client or its settings aren’t easily scriptable. Worse, if, like me, you don’t want to allow outgoing communication on port 2525 through your firewall, you have to find a way to deal with each router/ISP configuration, hoping that all of them will offer a way to disable the blocking through their router or account console. Currently, I have identified 3 cases of ISPs blocking port 25, including the French ISPs Free.fr and Neuf.fr and a Belgian ISP going by the name of Telenet, but I don’t doubt there are many others…
These two French ISPs received rather harsh criticism and bad press in some corners of the Internet due to these actions, computer-literate users not understanding why this change occurred so suddenly, without notification or proper planning. But the question is, could users even have been notified? A large part of the people impacted probably do not check the e-mail address that comes with their Internet subscription, as they are probably using a different e-mail account, which means the proper way to inform people would be to send actual letters to all subscribers, which is quite expensive (and in my book, blocking port 25 is little more than a move to save money, as I’ll explain later). Even then, what would this letter say? 95% of home users probably have no clue what in the world an SMTP server may be, and even less what a port is. Explaining this in simple terms, understandable by everyone and without causing “technological anxiety” in the customers, is a very challenging task.
The real way to eradicate spam
While some ISPs keep bragging about having reduced the spam circulating through their network by 30 to 50% using this method, it is just a matter of time before spammers adapt to this change merely by changing a port number somewhere in their scripts, the only benefit being that it prevents the existing malware on zombie computers from sending more spam… until they get infected by newer malware. It is not a long-term solution; it just postpones the real problem and moves the consequences onto users and businesses (which is, after all, a rather popular trend, and not just in IT…).
I have always thought that spam and viruses were a false problem, or more exactly not one we couldn’t solve if we really wanted to. First, a lot of spam is delivered by zombie computers: solve the virus problem and you already eliminate a great part of the spam traffic. The difference between viruses and spam is that viruses are usually easier to recognize (or at least are detected with a significantly lower rate of false positives) and that mass-mailed viruses are usually very well detected by antivirus products. If ALL e-mail servers were fitted with both antivirus and antispam filters, the spam problem would be much less significant and the Internet much safer as well, as a lot of infections still come from users opening infected e-mail attachments. After all, the higher up you solve the issue, the better, right? The problem is that most ISPs and hosting companies do not want to process this junk traffic. Analyzing such an amount of data is a lot of work, even if machines do it automatically: it requires bandwidth, processing time (servers), constantly updated antivirus and antispam software, and finally IT personnel to support all of the above. It costs a lot of money and ISPs do not want to assume this cost, so what do they do? They simply close and lock the door to one of the most widespread protocols in use on the Internet today, when it comes from any server but theirs, and leave you, whether you are a consumer or an IT manager, to deal with the aftermath and dire consequences of such a foolhardy move. Needless to say, most ISPs also provide antivirus and antispam software to be installed on the customer’s computer, at the cost of a relatively pricey monthly fee. It is much more profitable to let this problem exist on the desktop (several thousands of potential customers for each ISP) rather than solve it upstream, which would eliminate any business opportunity to sell these oh-so-profitable “security pack” options.
How to make it happen
In my opinion, what would be needed is for governments to strongly encourage, or even enforce, this move on ISPs and hosting companies running e-mail servers. Governments already impose a lot of taxes and rules on ISPs to compensate for the financial losses from piracy and to try to limit it, so it isn’t as if they had no way to enforce something on them. After all, the European Union has put a ton of regulations into effect regarding safety for hundreds of kinds of different products and services, so why not legally enforce safety measures for e-mail as well? If a product doesn’t comply with the regulations in effect, the company doesn’t have the right to sell the said product on the territory. Obviously, I don’t trust our typically computer-illiterate governments to lay out reasonable specifications of what an antispam- and antivirus-enabled e-mail service should be, but a group of specialists from the various involved business and consumer areas could be put together to arrive at an ISO certification (much like the ones for standardized programming languages) that could serve as a basis for enforcement by governments and guide customers better. But obviously, I wouldn’t hold my breath for it… spam and viruses, just like tobacco and alcohol, are costly, but how much more profitable…