Larry Seltzer of eWeek, whom I have great respect for and usually agree with, wrote this article on dealing with spam using the controversial tactic of blocking all outbound port 25 access.? The logic behind this is that the vast majority of spam in the world comes from "zombies" (millions of computers that have been hijacked by professional hackers and spammers?and are used as?attack or spam platforms) that spew out tons of spam directly over TCP port 25 (a standard communication channel used specifically for e-mail).? I think this is a bad idea. Here's why:
- Spammers can and?do bypass port 25 restrictions by using the zombie computer's legitimate SMTP servers.
- Many legitimate users need outbound port 25 to send e-mail through an SMTP server that may not necessarily be hosted by their ISP of the moment (for example, amobile user at a wireless hotspot) and would be harmed by port 25 blocking.
- Some low budget domains use their broadband accounts to host their own SMTP servers.? They would also be harmed by port 25 blocking.
- Getting most or all ISPs to block outbound TCP port 25 would be very controversial with their users. It would be very difficult to get universal compliance.
Here is a much more effective alternative to dealing with the problem of spam.
- Start banning all non-SPF compliant domains within a certain deadline (say end of 2005), which would make port 25 blocking moot.? Conceptually, this is?the same as port 25 blocking--only from the opposite end of the problem. Do we create an ACL (Access Control List) that denies all non-SMTP servers of the world by using port 25 blocking? Or, do we create an ACL that permits all legitimate SMTP servers of the world using SPF?? Since there are?far fewer SMTP servers than there are non-SMTP servers in the world, it is obviously easier to implement and maintain the smaller database of SMTP servers.
- Implementing a successful ban on non-SPF compliant domains would not require the majority of domains to implement the ban.? If the top 50?domains?in the world who are sick of the spam problem implemented the non-SPF ban, this would force every other domain in the world to comply with SPF--unless they don't care for their e-mails to be delivered to the top 50 domains.? Contrast this with the port 25 ban, which requires every ISP and hotspot in the world to comply with outbound port 25 blocking. Which is the more practical solution?
- Then we deal with the problem of ISPs who don't implement SMTP AUTH (verifies your identity before you get to send e-mail) and who won't implement some reasonable rate limiting schemes by black-listing them for irresponsible behavior.? This deals with the problem of spammers who reprogram their zombie armies to use their host's legitimate SMTP relay and SMTP credentials.
- Start requiring some sort of official registration and/or bonding of domains who bulk send (based on Distributed Checksum Clearinghouse measurements) so that we can either easily track?them down for prosecution or we confiscate the bond for any kind of abuses from an SPF abusive domain.? Abuse could easily be tracked and?verified by forcing bulk sender domains to use Yahoo's DomainKeys, which gives us nonrepudiation on each message sent.? Since?governments have already shown a willingness to crack down on spammers, no spammer would register?those ?domains with which?they intend to spam.? Only domains?that need to send legitimate bulk e-mail would dare register their domains with a government organization?and implement DomainKeys.? Those who don't risk having all their bulk messages bounced, which leaves spammers out in the cold.
The key here is that all these changes can be driven by a small minority? of the most popular domains in the world.