According to the BBC, South Korea's Internet and Security Agency is asking all ISPs to block all e-mail sent from anything but “official” e-mail servers. The idea is to block spam, but will it really accomplish this goal?
It's not like this is a new idea. The Anti-Spam Technical Alliance proposed it as a best practice for ISPs back in 2004. It's a simple idea: if an ISP blocks outbound connections on the default Simple Mail Transfer Protocol (SMTP) port, port 25, to anything but its own mail servers, customers are forced to send through the ISP's servers. This, the theory goes, will magically stop spam.
ISPs loved this idea. Today, most ISPs already block port 25; AT&T, Comcast and Verizon, to name only three, do so. In practice, this means that unless you have a static Internet Protocol (IP) address, chances are you must use your ISP's official e-mail server to send mail.
Yep, it's already a popular, frequently implemented idea. Too bad it doesn't work. As you may have noticed, your inbox is still full of spam. True, spam isn't as bad today as it was in 2010, but according to Cisco's IronPort SenderBase Security Network, 84 to 85% of all e-mail is still spam.
The reason for this decline wasn't port 25 blocking. Most of the credit goes to the takedown of the Windows-based Rustock botnet earlier this year.
Why isn't port 25 blocking working? Because simply blocking port 25 is like putting a My Little Pony band-aid on a severed leg. There are numerous ways for botnet-infected Windows PCs, the source of most spam, to send spam without ever touching port 25 on the ISP's network. These include relaying through SOCKS proxy servers on other networks, which then speak SMTP on the bot's behalf, and using the other SMTP port, SMTP over SSL (SMTPS) on port 465. In addition, spammers are moving from Windows PC botnets to compromised Web-mail accounts, whose sending traffic is ordinary HTTPS as far as the ISP can see.
Richi Jennings, an independent e-mail analyst and writer, adds, “ISPs should do so much more, for example:
- Co-operating with reputation services that list IP ranges that have no business sending unauthenticated direct-to-MX, such as Spamhaus’ Policy Block List (PBL).
- Recording the volumes of outbound port 25 traffic from particular users — a sharp increase from the historical trend can indicate infection.
- Monitoring blocked attempts to use port 25 to outside MTAs [message transfer agents] — another indication of infection.
- Moving infected PCs into a "walled garden," which prevents them from sending email, surfing the Web, or using other Internet applications until the problem has been cleaned up.”
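To make the volume-trending, blocked-attempt and walled-garden items concrete, here is an added example that is not from the article or from Richi Jennings: a small Python monitor run over constructed firewall log lines, under the port 25 policy described earlier (customers may reach only the ISP's own mail server on port 25; everything else on 25 is dropped). It trends each customer's accepted port-25 volume against that customer's own history, counts dropped attempts to outside MTAs, and lists customers tripping either check as walled-garden candidates. The log format, the addresses (RFC 5737 test ranges) and the thresholds are assumptions made for the example.

```python
"""Toy ISP-side outbound port-25 monitor (added example, not the article's
or Richi Jennings' code). Log format, addresses and thresholds are
constructed for illustration."""
from collections import defaultdict
from statistics import median
import re

# Assumption: the ISP's own submission server sits at this TEST-NET-2 address.
ISP_MTA = "198.51.100.25"

# Constructed, simplified netfilter-style log line:
#   <date> <ACCEPT|DROP> SRC=<customer ip> DST=<ip> DPT=<port>
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<verdict>ACCEPT|DROP) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$"
)


def _lines(day, src, dst, n, verdict="ACCEPT", dpt=25):
    """Fabricate n identical log lines for the constructed sample below."""
    return [f"{day} {verdict} SRC={src} DST={dst} DPT={dpt}" for _ in range(n)]


DAYS = ["2011-06-01", "2011-06-02", "2011-06-03", "2011-06-04"]
CLEAN, INFECTED, MISCONFIGURED, OUTSIDE_MTA = (
    "192.0.2.10", "192.0.2.77", "192.0.2.33", "203.0.113.5")

# Constructed sample: a clean customer sends two messages a day; an infected
# one matches that history, then explodes on the last day and also trips the
# block by trying outside MTAs directly; a third customer shows only a few
# dropped attempts, which is what a misconfigured mail client looks like.
SAMPLE_LOG = []
for day in DAYS:
    SAMPLE_LOG += _lines(day, CLEAN, ISP_MTA, 2)
for day in DAYS[:-1]:
    SAMPLE_LOG += _lines(day, INFECTED, ISP_MTA, 2)
SAMPLE_LOG += _lines(DAYS[-1], INFECTED, ISP_MTA, 40)
SAMPLE_LOG += _lines(DAYS[-1], INFECTED, OUTSIDE_MTA, 12, verdict="DROP")
SAMPLE_LOG += _lines(DAYS[-1], MISCONFIGURED, OUTSIDE_MTA, 3, verdict="DROP")
SAMPLE_LOG += _lines(DAYS[-1], CLEAN, OUTSIDE_MTA, 5, dpt=443)  # web, ignored


def parse_port25(lines):
    """Yield (day, verdict, src, dst) for well-formed port-25 events only."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["dpt"] == "25":
            yield m["day"], m["verdict"], m["src"], m["dst"]


def aggregate(lines):
    """Return ({src: {day: accepted count}}, {src: drops toward non-ISP MTAs})."""
    accepted = defaultdict(lambda: defaultdict(int))
    blocked = defaultdict(int)
    for day, verdict, src, dst in parse_port25(lines):
        if verdict == "ACCEPT":
            accepted[src][day] += 1
        elif dst != ISP_MTA:          # a DROP toward an outside MTA
            blocked[src] += 1
    return accepted, blocked


def volume_spikes(accepted, factor=5, min_events=20):
    """Flag customers whose latest day exceeds `factor` x the median of their
    earlier days. `min_events` stops a jump from 1 to 6 messages from firing;
    a zero baseline (brand-new sender) still flags on large absolute volume."""
    flagged = {}
    for src, per_day in accepted.items():
        days = sorted(per_day)
        if len(days) < 2:
            continue                  # no history to compare against
        history, latest = days[:-1], days[-1]
        baseline = median(per_day[d] for d in history)
        today = per_day[latest]
        if today >= min_events and today > factor * baseline:
            flagged[src] = (baseline, today)
    return flagged


def blocked_offenders(blocked, threshold=10):
    """A handful of drops is usually a misconfigured client; dozens is a bot."""
    return {src: n for src, n in blocked.items() if n >= threshold}


def walled_garden_candidates(lines):
    """Customers tripping either check: candidates for the walled garden."""
    accepted, blocked = aggregate(lines)
    return sorted(set(volume_spikes(accepted)) | set(blocked_offenders(blocked)))


if __name__ == "__main__":
    print(walled_garden_candidates(SAMPLE_LOG))   # ['192.0.2.77']
```

The two checks are deliberately kept separate: the per-customer trend catches a bot that politely relays through the ISP's own server and therefore never trips the block, while the drop counter catches one that tries direct-to-MX, and the threshold on drops is what keeps a customer with a mistyped SMTP server setting out of the walled garden.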
These are all good ideas, and far too few ISPs implement any of them. In short, South Korea's move may sound dramatic, but the Internet and Security Agency is just proposing a step that most ISPs took years ago... and that has proven woefully inadequate. We need far more.
Last year, I suggested that ISPs start using Network Access Control (NAC) to keep users off the Internet if they were running insecure devices, such as Windows PCs without current security patches. If we're to ever really put a serious dent in spam traffic, not to mention the spread of malware, we still need to do this.
Blocking port 25? Please. It's a nice start, but nothing like enough.