[107414] in North American Network Operators' Group


Re: ingress SMTP

daemon@ATHENA.MIT.EDU (Stephen Sprunk)
Wed Sep 3 13:08:32 2008

Date: Wed, 03 Sep 2008 12:07:22 -0500
From: Stephen Sprunk <stephen@sprunk.org>
To: Alec Berry <alec.berry@restontech.com>
In-Reply-To: <48BEC20F.6040307@restontech.com>
Cc: north American Noise and Off-topic Gripes <nanog@merit.edu>
Errors-To: nanog-bounces@nanog.org

Alec Berry wrote:
> Michael Thomas wrote:
>   
>> But the thing that's really pernicious about this sort of policy is
>> that it's a back door policy for ISP's to clamp down on all outgoing
>> ports in the name of "security".
>>     
>
> I don't think ISPs have anything to gain by randomly blocking ports.  They may block a port that is often used for malicious behavior (135-139, 194, 445, 1433, 3306 come to mind) as a way to reduce their support calls-- but they would have to balance that with the risk of losing customers. It's not as much a slippery slope as much as it is a tightrope act (yes-- I am metaphorically challenged).
>   

I see nothing wrong with filtering commonly abused ports, provided that 
the ISP allows a user to opt out if they know enough to ask.

When port 25 block was first instituted, several providers actually 
redirected connections to their own servers (with spam filters and/or 
rate limits) rather than blocking the port entirely.  This seems like a 
good compromise for port 25 in particular, provided you have the tools 
available to implement and support it properly.

I also agree with the comments about switching customers to 587.  My 
former monopoly ISP only accepted mail on 25 and I had endless problems 
trying to send mail from airports, hotels, coffee shops, etc. while 
traveling.  The same hotspots also tended to block port 22, so I 
couldn't even forward mail via my own server.  However, my new monopoly 
ISP only accepts mail on 587, and I have yet to have a single problem 
with that from any hotspot I've used since the switch.  Ditto for 
reading my mail via IMAPS/993, whereas I used to have occasional 
problems reading it via IMAP/143.

S

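The redirect-rather-than-block approach described in the post above, written out as an nftables ruleset added here for illustration (it is not from the thread or from any provider): customer port 25 traffic is DNATed to an ISP relay, customers in an opt-out set bypass the redirect, and 587/993 are left untouched. The interface name "cust0", the relay address 203.0.113.25 and the opted-out address 192.0.2.10 are assumed placeholders.

```nftables
# Added illustration, not from the thread: ISP egress policy for port 25.
# Assumed placeholders: customer-facing interface "cust0", ISP relay
# 203.0.113.25, and one opted-out customer address 192.0.2.10.
table ip isp_smtp_policy {
    # Customers who knew enough to ask for the port 25 redirect to be lifted.
    set optout {
        type ipv4_addr
        elements = { 192.0.2.10 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Opted-out customers keep direct port 25 access; the counter shows
        # how many connections use the exemption.
        iifname "cust0" ip saddr @optout tcp dport 25 counter accept

        # Everyone else is transparently redirected to the ISP relay, where
        # spam filtering and rate limiting happen, instead of being dropped.
        iifname "cust0" tcp dport 25 counter dnat to 203.0.113.25:25
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Submission (587) and IMAPS (993) are never touched, so roaming
        # users behind hotspots keep working; counted for visibility only.
        iifname "cust0" tcp dport { 587, 993 } counter accept
    }
}
```

Load it with `nft -f` and check `nft list table ip isp_smtp_policy` to see how much traffic the redirect and the opt-out exemption actually catch.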