This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • New note by bobjonkman 13 December 2018
      That was fun! I'm actually working on a for-reals Emergency Broadcast System at @RadioWaterloo -- I'll pass on your video so we can use it as our fallback audio track :)
    • Favorite 12 December 2018
      bobjonkman favorited something by scarlett: always remember "punishable with a fine" means "legal for rich people"
    • New note by bobjonkman 12 December 2018
      I was out. Back to the archives for me.
    • bobjonkman repeated a notice by fdroidorg 11 December 2018
      RT @fdroidorg Do you have experience with #Flatpak? Then we need your help!We want to package #Repomaker as #Flatpak to make it easier for people to install. We already have a running flatpak and are only missing the final bits. Any help is highly appreciated!See "Packaging Repomaker as Flatpak" for more information: https://forum.f-droid.org/t/f-droid-roles/4202
    • bobjonkman repeated a notice by tindall 11 December 2018
      RT @tindall Understanding these things, I feel that it is my duty, to myself and to my community, to reject and replace the products and services of as many spying companies with those of non-spying companies and nonprofit groups as rapidly and thoroughly possible.That can only be done with free software. So, I am a […]
    • Favorite 11 December 2018
      bobjonkman favorited something by tindall: Understanding these things, I feel that it is my duty, to myself and to my community, to reject and replace the products and services of as many spying companies with those of non-spying companies and nonprofit groups as rapidly and thoroughly possible.That can only be done with free software. So, […]
    • bobjonkman repeated a notice by indi 11 December 2018
      RT @indi The 2018 iteration of Indi's alternative holiday playlist has started going up today! Over the next two weeks, 100 holiday songs that are non-religious and don't sound like the standard holiday fare will be featured. https://www.canadianatheist.com/2018/12/indis-alternative-holiday-playlist-2018-100-to-91/ !atheism !secular !SecularHumanism
    • Favorite 11 December 2018
      bobjonkman favorited something by indi: The 2018 iteration of Indi's alternative holiday playlist has started going up today! Over the next two weeks, 100 holiday songs that are non-religious and don't sound like the standard holiday fare will be featured. https://www.canadianatheist.com/2018/12/indis-alternative-holiday-playlist-2018-100-to-91/ !atheism !secular !SecularHumanism
    • bobjonkman repeated a notice by ronhouk 4 December 2018
      RT @ronhouk Just got a grant for my #library to get 15 laptops. they'll be using #Linux and we will be teaching classes on open source software.
    • Favorite 4 December 2018
      bobjonkman favorited something by ronhouk: Just got a grant for my #library to get 15 laptops. they'll be using #Linux and we will be teaching classes on open source software.

Blocking port 25 considered harmful

Posted by Bob Jonkman on December 10th, 2008

Coffee cup with a broken handle on a cluttered desk

Coffeine abuse by maciekbor

Over in the Teksavvy Forum at DSLReports Rocky Gaudrault, the owner of my ISP, Teksavvy, started a discussion on blocking port 25 entitled “Argg…. UCEPROTECT… very frustrating!“. This is my reply:

Two cents I’d like to contribute:

The UCEPROTECT service isn’t blocking e-mail, it merely provides an opinion on an IP’s reputation as a mail server. Technically, this opinion is expressed with a DNSBL.

When mail doesn’t get delivered, it’s the receiving mail server that blocks it, not UCEPROTECT. The recipient may reject the mail based on the opinion of the DNSBL, but if that DNSBL gives bogus information then the recipient will be blocking legitimate mail. The fault is with the mail recipient for choosing a poor DNSBL. It’s not Teksavvy customers who can’t send e-mail, it’s the recipients who are refusing to accept it.

Even if Teksavvy did block port 25, there’s no guarantee that poor DNSBL services would whitelist Teksavvy’s servers. DNSBLs are run at the whim of their operators, and they can blacklist anything they like. The people who use these services need to understand that they’re letting someone else decide what mail they can receive, completely out of their control.

Port blocking is ineffective as a spam fighting technique — ISPs started port blocking in 2001, but if port blocking is so good, why is there still spam? Most spam still comes from disreputable bulk mailers running large-scale operations. Remember the McColo servers from a few weeks ago? When that one operation was shut down there were reports that spam volumes dropped by 30%. To fight spam, concentrate on the large-scale spammers.

There are lots of spambots running on poorly protected home computers, but that’s a symptom of poor security. Blocking port 25 won’t fix the security problem. To fight poor security it’s far better to identify the compromised computers, and provide them with tech support to fix the problem. Teksavvy is in a better position to do that than any other service provider I know.

There is no benefit to Teksavvy customers in blocking port 25 — It doesn’t protect Teksavvy customers from spam. It might protect other ISP’s customers from Teksavvy spammers, but it also denies Teksavvy customers full access to the Internet. Full, unblocked access is one of the main differentiators that Teksavvy brings to the market. Don’t give that up, Rocky.

Blocking ports also prevents legitimate services. ESMTP extensions like DSN rely on a direct connection to transfer Delivery Status Notifications. If a relay server doesn’t implement DSN then status notifications don’t get through. If port blocking is turned on, the smart host providing the relay service had better implement every ESMTP extension that exists. And that could still block other services that rely on unfettered access to port 25 (iMIP anyone?)

Blocking one port today is the thin edge of the wedge to blocking other services. Already I’ve seen requests for blocking ports 137 and other Netbios ports. If Teksavvy starts port blocking then every time there’s a new vulnerability the Teksavvy execs will need to agonize over whether to block or not. DNS is broken? Block port 53. There’s child porn on Usenet? Block port 119. CRIA threatens to shut down encrypted filesharing? Block port 443. If Teksavvy has a policy of no port blocking, all these decisions are moot.

I left Rogers because of port blocking, and came to Teksavvy because of unfettered access. Please don’t take that away.

–Bob.


Coffeine Abuse by maciekbor is used under a CC-BYCreative Commons Attribution license.

 
Better Tag Cloud