Fix SMTP and leave port 25 alone for the sake of spam

Fix SMTP and leave port 25 alone for the sake of spam

Summary: Larry Seltzer of eWeek, whom I have great respect for and usually agree with, wrote this article on dealing with spam using the controversial tactic of blocking all outbound port 25 access.? The logic behind this is that the vast majority of spam in the world comes from "zombies" (millions of computers that have been hijacked by professional hackers and spammers?

TOPICS: Tech Industry

Larry Seltzer of eWeek, whom I have great respect for and usually agree with, wrote this article on dealing with spam using the controversial tactic of blocking all outbound port 25 access.? The logic behind this is that the vast majority of spam in the world comes from "zombies" (millions of computers that have been hijacked by professional hackers and spammers?and are used as?attack or spam platforms) that spew out tons of spam directly over TCP port 25 (a standard communication channel used specifically for e-mail).? I think this is a bad idea. Here's why:

  • Spammers can and?do bypass port 25 restrictions by using the zombie computer's legitimate SMTP servers.
  • Many legitimate users need outbound port 25 to send e-mail through an SMTP server that may not necessarily be hosted by their ISP of the moment (for example, amobile user at a wireless hotspot) and would be harmed by port 25 blocking.
  • Some low budget domains use their broadband accounts to host their own SMTP servers.? They would also be harmed by port 25 blocking.
  • Getting most or all ISPs to block outbound TCP port 25 would be very controversial with their users. It would be very difficult to get universal compliance.

Here is a much more effective alternative to dealing with the problem of spam.

  • Start banning all non-SPF compliant domains within a certain deadline (say end of 2005), which would make port 25 blocking moot.? Conceptually, this is?the same as port 25 blocking--only from the opposite end of the problem. Do we create an ACL (Access Control List) that denies all non-SMTP servers of the world by using port 25 blocking? Or, do we create an ACL that permits all legitimate SMTP servers of the world using SPF?? Since there are?far fewer SMTP servers than there are non-SMTP servers in the world, it is obviously easier to implement and maintain the smaller database of SMTP servers.
  • Implementing a successful ban on non-SPF compliant domains would not require the majority of domains to implement the ban.? If the top 50?domains?in the world who are sick of the spam problem implemented the non-SPF ban, this would force every other domain in the world to comply with SPF--unless they don't care for their e-mails to be delivered to the top 50 domains.? Contrast this with the port 25 ban, which requires every ISP and hotspot in the world to comply with outbound port 25 blocking. Which is the more practical solution?
  • Then we deal with the problem of ISPs who don't implement SMTP AUTH (verifies your identity before you get to send e-mail) and who won't implement some reasonable rate limiting schemes by black-listing them for irresponsible behavior.? This deals with the problem of spammers who reprogram their zombie armies to use their host's legitimate SMTP relay and SMTP credentials.
  • Start requiring some sort of official registration and/or bonding of domains who bulk send (based on Distributed Checksum Clearinghouse measurements) so that we can either easily track?them down for prosecution or we confiscate the bond for any kind of abuses from an SPF abusive domain.? Abuse could easily be tracked and?verified by forcing bulk sender domains to use Yahoo's DomainKeys, which gives us nonrepudiation on each message sent.? Since?governments have already shown a willingness to crack down on spammers, no spammer would register?those ?domains with which?they intend to spam.? Only domains?that need to send legitimate bulk e-mail would dare register their domains with a government organization?and implement DomainKeys.? Those who don't risk having all their bulk messages bounced, which leaves spammers out in the cold.

The key here is that all these changes can be driven by a small minority? of the most popular domains in the world.

Topic: Tech Industry

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • What are these top 50 domains?

    Are you talking ISPs? Microsoft? IBM? China?
    Patrick Jones
    • Most number of email users

      Hotmail, Earthlink, Yahoo, MSN, so on.
  • SPF is an unstable hack..

    Very hard to keep all the DNS servers consistant. Resolving domain names in the forward directions one thing. Reverse and all other stuff is another mess entirely.

    Far better to use the informal SMTP HELO command standard. Note: AOL has been using this criteria to filter for several years.

    The informal standard.. is the "HELO" string returned from sender includes '' with representing the domain name in string format. Thus the receiver can simply resolve alphanumeric name to an IP address and match it up with the system attempting to connect.

    If the IP addresses don't match.. it's bogus server and the receiving system should refuse the email.

    Note: This ID sending scheme can be implemented with no changes to SMTP or to DNS.
    • HELO storm

      1. Would sending "HELO" requests for each piece of mail, bog down networks?
      2. Can the "HELO" command be hacked some way?
      Roger Ramjet
      • HELO storm.. no..

        No more than existing methods or SPF.

        B.T.W. SPF has to have some mechanism to get senders domain name to the receiver. Otherwise it is dependant on unstable reverse IP lookup mechanisms. (bad news).

        Sender ID's itself with HELO string only after the TCP/IP handshake and socket neog are complete.

        You can try blasting unsolicted TCP fragments.
        But that hack is just like any other.
        No better or no worse.
    • Who says SPF requires reverse DNS?

      You better click on the SPF link and check out how it works. SPF uses forward lookups.
  • Waste of time

    Any attempt to fix the email problems plaguing the interent via a technical fix, is just folly. Any solution that still allows users to send mail, in-turn allows the spammers to send mail. Any technical fix, will be easily overcome. For every 1 person working to fix the problem, there are hundreds of spammers working even harder to protect their source of income.

    The ONLY thing that's going to fix the problem, is to remove the monetary incentives to the spammers. If they aren't getting paid, they will stop "hacking" their way around counter-measures, and will stop sending out their filth, since there's nothing to be gained from it.

    How do you remove the money? Easy, but something no nation on earth, (well maybe some asian or middle-eastern countries might do), automatic death penalty for sending out bulk spam mails. Seems harsh I know, but when getting caught, means dying, the price necessary to get a spammer to advertise for you escalates to the point that the only companies able to afford to pay for it, are the ones that are so large and affluent, that they don't need it.

    Kill the money and you'll kill spam, anything else is a waste of time.
    • Re: Waste of time

      [quote]How do you remove the money? Easy, but something no nation on earth, (well maybe some asian or middle-eastern countries might do), automatic death penalty for sending out bulk spam mails. Seems harsh I know, but when getting caught, means dying, the price necessary to get a spammer to advertise for you escalates to the point that the only companies able to afford to pay for it, are the ones that are so large and affluent, that they don't need it.[/quote]

      I've been saying this through gritted teeth for the past two years: "Death penalty for spammers!" - nice to see I'm not alone.

      Toss in the drive-by malware/adware/spyware guys in that law, too.
    • Click on the crack down link in the blog

      Did you read the entire blog? There is a link to an article where the top spammer has been put out of business by lawsuits. SPAM requires everyone's participation. No one solution will work.
      • Yes I read the blog

        However, one spammer out of business, does not the solution make. What happens when the new top spammer isn't operating from a country with antispam legislation and roadblocks in place? This country, nor any other has the power and authority to regulate the world, and there will always be havens for scum like these spammers.

        I agree that it requires everyone's participation, but that will never happen, because everyone includes the spammers, and they won't give up voluntarily. Unless the incentives to spam are removed, it doesn't matter what you through at it, the problem isn't going away.
        • What is your point?

          You're not offering anything here.
          • Exactly

            My point is that it is a waste of time and resources to find a TECHNICAL solution to a problem that requires a social/political solution.

            If you do not understand exactly what the problem is, how can you ever have a chance of solving it? Step 1 of the scientific method (taught to elementary school children) is to actually define the problem. 90% of the people working or waxing on the "Spam" problem, must have completely missed the most important part of the process. The problem DOESN'T lie in the technical manner that spam messages are sent, the problem is that they are sent in the first place.

            Any technical solution proposed is obsolete in seconds, because it doesn't address the REAL problem. Once everyone, yourself included, wakes up and starts to do something about the REAL problem (spammers, not the actual spam email), maybe something could be done. But as long as everyone clamours about trying to find a technical fix, failing to see the point of pointing out that their attempts are folly, its going to remain the same old, same old. SMTP isn't "broken," its been misused. Simply fixing the old way of doing things, or creating a new one, won't stop it from being misused.

            If you want to cut down on the number of murders committed, which is more effective:

            (1) Making each guns barrel unique and having a registry of the barrell qualities so that any recovered bullet could be instantly matched to a gun in the registry.

            (2) Torturing and killing anyone found to have murdered someone else.

            Option 1 is designed to catch murderers (assuming the murderers play by the rules and legally worked within the government regulations for owning a gun.

            Option 2 is designed to reduce the number of people actually committing murder, via detterent threats, regardless of what weapon they used or didn't used. Option 1 is simple minded, like a technical fix, Option 2 is a solution to the bigger picture.
          • You need both

            We need all the help we can get for spam, political and technical. If the technical solution makes it easier to track down and convict a criminal spammer, then that is a good thing. The two solutions are not enemies of each other, but quite the opposite.
          • True again to some extent

            You do need both to be completely effective, but a technical solution with no political help is absolutely useless, and that is what we're heading towards. What real good comes out of being able to identify the source of a particular message, when there's nothing that can be done to the offender? If they can't send spam from one country, they'll relocate to a country that will allow them to. I can only imagine the heacaches to be coming as VOIP becomes more and more mainstream and international telemarketing calls become more and more cost effective. Then the problems already present with spam, will spread over to the phone realm. These are serious, serious problems that technical solutions alone don't come close to fixing. With the right political solution, a technical one isn't even needed. Money drives the spam business model. Cut off the money, and the problem eliminates itself completely, no technical solution needed. How exactly do we cut off the money, that's a good question, and that's where the focus should be, not on a technical solution.
  • Short-sighted and selfish

    There are two (misguided) critiques of ISPs blocking egress SMTP traffic:

    1) It will prevent roaming users from sending mail. This is incorrect. Roaming users ought to be connecting to their SMTP server using port 587 (or 465 for SMTP+SSL). Port 25 is not for initial mail submission-- it is for mail transport. Mail server admins that can't figure out how to configure the user of SMTP+AUTH+TLS on port 587 or SMTP+AUTH+SSL on port 465 should think about another career. "But we can't expect all of Comcast's users to reconfigure their e-mail clients!!" You don't have to-- only roaming users. The vast majority can continue to use the antiquated port 25 for IMS, Comcast can "trust" them since they will be coming from within their network.

    2) It will prevent amateur mail admins from running a mail server on their consumer DSL or cablemodem line. Correct! Running a mail server is a serious responsibility. Admins need to be held accountable for the operation of their server(s). Not only is running a mail server on a DHCP consumer line usualy against the AUP of the ISP, the resulting outgoing mail looks like spam (it certainly won't pass SPF muster). Sorry, but if you want to run a mail server, either get a business account (no blocking port 25), or convince your ISP to give you a static IP address and unblock port 25. Now they can easily find you if there is abuse.

    Sorry to be harsh about this, but many, many mail admins (myself included) are going to block any and all mail that does not appear to come from a legitamate SMTP server. If it looks like spam (like from a DHCP block), I'm blocking it. So is AOL. So is Earthlink. There is nothing to distinguish it from a spam zombie.

    Blocking egress SMTP traffic is the single best way to reduce spam, and ISPs are learning it is one of the most effective techniques to cut down on complaints about their network spweing spam. I'm sorry if it makes it a little more difficult to set up a mail server, but that's just life sometimes. Most of the people that complain about this technique either don't want to get the proper type of account from their ISP, or are not skilled enough to propery configure their server for roaming users.

    Having said that, I certainly agree that SPF adoption is one of the best anti-spam and anti-spoofing ideas to be introduced in years. I highly urge responsible mail server admins to start publishing SPF records, and checking all incoming mail. Once again, if you can't figure out how to implement it, you probably should not be calling yourself a mail admin. Wake up and smell the new millenium-- spam is a big problem. Be part of the solution!
    • So we agree on SPF

      If we agree on SPF, why bother messing port 25? SPF enforcement makes port 25 blocking moot.

      Also keep in mind that port 25 blocking is a network function, and requires you to get the router guys to participate. As far as they're concerned, this isn't their job. SPF enforcement is a server based function, DNS and SMTP servers. I can assure you that DNS and SMTP is easier to maintain than router ACLs.
      • Yes, SPF has promise

        I have posted many, many times, on ZDnet and Slashdot, about blocking egress SMTP traffic. My original post to your article was in reference to the responses I usually get.

        If I could wave my magic wand, everyone would publish and check SPF records. I support and advocate SPF whenever I can, I think it has tremendous promise. Unfortunately, I don't think SPF adoption will come as quickly as you do (yet I hope I am wrong!). Blocking port 25 traffic is quite simple, in fact for consumer router/gateways it is just a few clicks. ISPs could give their customers such devices pre-configured, and let users turn off the block if they "needed" it. As far as the router guys, their job is to do what their employer tells them to. A few border router configurations will be easier than mass SMTP and DNS reconfigs. Some DNS systems do not (yet) support TXT records, and many SMTP servers cannot check SFP records. While my vote is to ditch the servers and/or admins that can't handle SPF, I don't think too many people are counting my vote!

        I operate several e-mail servers, for hundreds of users. We receive over a million messages a week. SPF checking does block a noticeable number of incoming messages, so I see it working (of course, I have no idea how many spoofed messages are being blocked by other ISPs). We have many other filters as well (RBLs, virus and spam checkers, etc), that block almost 90% of incoming SMTP traffic. The spam that gets through is mostly from infected ISP customers.

        I also operate a free wireless network for my local community, and I don't want other, angry mail admins hounding me for abuse originating from my network. My worse fear is a trojan/virus infected laptop spewing spam. Or even a spammer purposely using the free access to send a few million messages while they sip their latte. We block outgoing port 25 traffic, and I won't budge on this. It is the #1 item on our FAQ:

        All things considered, perhaps the best and most reasonable approach right now is a healthy debate. In that, I am happy you have brought it up in such a prominent forum.
  • Potential spin-off problem

    If messages arriving from "unauthorized" (in the SPF sense) hosts are blocked, spammers will begin to use zombies to send spam from the victim's own From: address. What this means is that the "spam" will appear completely valid from the perspective of SPF -- and so will the domain.

    I predict that this kind of attack will result in a reduction in the total volume of spam, but an increase in the damage caused, since domains will no longer be useful in a reputation sense.
    • That would be GOODness!

      "spammers will begin to use zombies to send spam from the victim's own From: address"

      That would be GREAT! We can track down the zombies and get them fixed then.
    • SPF doesn't rely on "from"

      Did you every do any research on what SPF was? SPF has nothing to do with "from: address". SPF locks down SMTP servers to only those that have been published on their authoritative DNS servers.