This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • Favorite 18 February 2019
      bobjonkman favorited something by kat: #tfw you think you know what you are doing... But type reboot on a remote server and your OWN workstation goes off.
    • New note by bobjonkman 18 February 2019
      And as a result I've spent the last two hours watching Emo Phillips on YouTube. et al.
    • Favorite 18 February 2019
      bobjonkman favorited something by indi: The second part of my interview with In-Sight Journal's Question Time about the term "Nones" is up! This part's about alternative terms. Looks like only one part left to go! !atheism
    • Favorite 15 February 2019
      bobjonkman favorited something by clacke: The themes of TOS, TNG, DS9 and VOY all rearranged into one big beautiful thing! of VOY fans in the comments. 😀I'm overall not a big VOY fan, but it had many good aspects, and the theme music is definitely one of them.
    • bobjonkman repeated a notice by sim 15 February 2019
      RT @sim The less javascript a site uses and/or requires, the better.
    • Favorite 15 February 2019
      bobjonkman favorited something by sim: The less javascript a site uses and/or requires, the better.
    • New note by bobjonkman 11 February 2019
      *sigh*... 20 years ago... #User_Friendly
    • bobjonkman repeated a notice by lnxw37a2 11 February 2019
      RT @lnxw37a2 Every so often, I run across this. I laugh and laugh. I miss #User_Friendly. #Depends
    • Favorite 11 February 2019
      bobjonkman favorited something by lnxw37a2: Every so often, I run across this. I laugh and laugh. I miss #User_Friendly. #Depends
    • Favorite 11 February 2019
      bobjonkman favorited something by hardmous: 👽 Been very busy but WILL BE BACK NEXT WEEKEND I PROMISE!#Anonradio #SDF #Trance #PsyTrance #GOA 👽

Blocking port 25 considered harmful

Posted by Bob Jonkman on December 10th, 2008

Coffee cup with a broken handle on a cluttered desk

Coffeine abuse by maciekbor

Over in the Teksavvy Forum at DSLReports Rocky Gaudrault, the owner of my ISP, Teksavvy, started a discussion on blocking port 25 entitled “Argg…. UCEPROTECT… very frustrating!“. This is my reply:

Two cents I’d like to contribute:

The UCEPROTECT service isn’t blocking e-mail, it merely provides an opinion on an IP’s reputation as a mail server. Technically, this opinion is expressed with a DNSBL.

When mail doesn’t get delivered, it’s the receiving mail server that blocks it, not UCEPROTECT. The recipient may reject the mail based on the opinion of the DNSBL, but if that DNSBL gives bogus information then the recipient will be blocking legitimate mail. The fault is with the mail recipient for choosing a poor DNSBL. It’s not Teksavvy customers who can’t send e-mail, it’s the recipients who are refusing to accept it.

Even if Teksavvy did block port 25, there’s no guarantee that poor DNSBL services would whitelist Teksavvy’s servers. DNSBLs are run at the whim of their operators, and they can blacklist anything they like. The people who use these services need to understand that they’re letting someone else decide what mail they can receive, completely out of their control.

Port blocking is ineffective as a spam fighting technique — ISPs started port blocking in 2001, but if port blocking is so good, why is there still spam? Most spam still comes from disreputable bulk mailers running large-scale operations. Remember the McColo servers from a few weeks ago? When that one operation was shut down there were reports that spam volumes dropped by 30%. To fight spam, concentrate on the large-scale spammers.

There are lots of spambots running on poorly protected home computers, but that’s a symptom of poor security. Blocking port 25 won’t fix the security problem. To fight poor security it’s far better to identify the compromised computers, and provide them with tech support to fix the problem. Teksavvy is in a better position to do that than any other service provider I know.

There is no benefit to Teksavvy customers in blocking port 25 — It doesn’t protect Teksavvy customers from spam. It might protect other ISP’s customers from Teksavvy spammers, but it also denies Teksavvy customers full access to the Internet. Full, unblocked access is one of the main differentiators that Teksavvy brings to the market. Don’t give that up, Rocky.

Blocking ports also prevents legitimate services. ESMTP extensions like DSN rely on a direct connection to transfer Delivery Status Notifications. If a relay server doesn’t implement DSN then status notifications don’t get through. If port blocking is turned on, the smart host providing the relay service had better implement every ESMTP extension that exists. And that could still block other services that rely on unfettered access to port 25 (iMIP anyone?)

Blocking one port today is the thin edge of the wedge to blocking other services. Already I’ve seen requests for blocking ports 137 and other Netbios ports. If Teksavvy starts port blocking then every time there’s a new vulnerability the Teksavvy execs will need to agonize over whether to block or not. DNS is broken? Block port 53. There’s child porn on Usenet? Block port 119. CRIA threatens to shut down encrypted filesharing? Block port 443. If Teksavvy has a policy of no port blocking, all these decisions are moot.

I left Rogers because of port blocking, and came to Teksavvy because of unfettered access. Please don’t take that away.


Coffeine Abuse by maciekbor is used under a CC-BYCreative Commons Attribution license.

Better Tag Cloud