Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Verizon.net Finally Moving Email To Port 587

kdawson posted more than 5 years ago | from the decade-late-and-a-megabuck-short dept.

Spam 195

The Washington Post's Security Fix blog is reporting that Verizon, long identified as the largest ISP source of spam, is moving to require use of the submission port, 587, in outbound mail — and thus to require authentication. While spammers may still be able to relay spam through zombies in Verizon's network, if the victims let their mail clients remember their authentication credentials, at least the zombies will be easily identifiable. Verizon pledges to clean up their zombie problem quickly. We'll see.

Sorry! There are no comments related to the filter you selected.

try PRQ.se (2, Informative)

Anonymous Coward | more than 5 years ago | (#26893517)

I've been routing my traffic thru their traffic for a few years now, they're not limiting anyone and keep great privacy. what i heard their tunnel service will be open for new customers in a few days again so now is a great time.

Re:try PRQ.se (1)

flycream (1381739) | more than 5 years ago | (#26893597)

I must agree here. Its isp that has same background guys as the pirate bay and they really respect your privacy and freedom to say what you want. I know its mostly to route server traffic, but it makes great use in your personal stuff aswell.

Yo Dawg, (3, Funny)

BrentH (1154987) | more than 5 years ago | (#26895495)

I herd you like emails in your emails, so I put some traffic thru yo traffic.

first (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#26893533)

didn't stop me from spamming a first post!

Re:first (3, Funny)

Anonymous Coward | more than 5 years ago | (#26893687)

No, the guy posting before you did that ;-)

Comcast (5, Funny)

TheNinjaroach (878876) | more than 5 years ago | (#26893723)

Well your spam made it through, but the response must have been throttled since you didn't get first post. You're a Comcast customer, aren't you?

Re:Comcast (1)

masshuu (1260516) | more than 5 years ago | (#26894493)

no probably AOL

l2ISP

Re:Comcast (2, Funny)

Dishevel (1105119) | more than 5 years ago | (#26895599)

no probably AOL

l2ISP

I thought AOL customers just posted ....

HOW DO I POST!!!!!!!!!!!!!!!

27 times in a row.

Opportunity (2)

soundguy (415780) | more than 5 years ago | (#26893535)

Sounds like a great opportunity to charge millions of clueless users $50 to change the setting for them. I see a Vegas vacation on my event horizon.

Finally, Verizon, Finally!! (5, Interesting)

Smidge207 (1278042) | more than 5 years ago | (#26893547)

I found out I was a spammer when I investigated a message returned to me. I ended up talking with someone from SORBS. After emailing SORBS a couple of times, I received this message from Michelle Sullivan: "SORBS lists IP addresses that send spam. Often there is real email mixed with the spam, sometimes deliberately, sometimes accidentally. In this case you are using an IP address to send your email that has previously, and is still, sending spam. The IP address is blocked. I'd contact your provider and complain bitterly about it, because it's the provider that is listed, not you specifically."

I send out a newsletter with about 250 subscribers. After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages. I rarely approach 200 messages and the newsletter is a monthly. Verizon told me I couldnâ(TM)t even send the newsletter in one blast; I had to limit it to 100 subscribers an hour! And in late Fall 2008, some providers, like MS, would reject my mail simply because it had @Verizon.net in the senderâ(TM)s address. I knew I wasn't sending out large amounts of email, let alone spam.

Within those imposed limits, Verizon still could not bring its huge entity to investigate my complaint. In late December, we switch to Constant Contact to email the newsletter. While my boss uses Cox since he works mostly from home, the office is still âoeconnectedâ with Verizon!

Boy, I hate Verizon! Now, maybe they will kill the Zombies from all those dead zones they claim not to have!

=smidge=

Re:Finally, Verizon, Finally!! (4, Funny)

Jurily (900488) | more than 5 years ago | (#26893701)

I send out a newsletter with about 250 subscribers per zombie.

Re:Finally, Verizon, Finally!! (2, Interesting)

ILikeRed (141848) | more than 5 years ago | (#26894655)

Guess what, unless you were careful to
  • Include the correct Header info (You did mark your messages "Bulk" - right?)
  • Provide an automated opt-out method
  • and... Included your valid physical postal address

than guess what, you not only are a spammer, but you probably also broke the law [ftc.gov] .

Re:Finally, Verizon, Finally!! (4, Informative)

nabsltd (1313397) | more than 5 years ago | (#26894803)

I send out a newsletter with about 250 subscribers. After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages.

Verizon Business accounts assume that you will probably be running a business, and have your own domain.

If you do things this more professional way, there are no limits with Verizon DSL or FiOS (other than the speed you pay for being a "limit").

Re:Finally, Verizon, Finally!! (1)

Obfuscant (592200) | more than 5 years ago | (#26895837)

@Verizon.net in the senderâ(TM)s address.

There's a problem with your posting. What is trademarked about whatever it is you are referring to?

In late December, we switch to Constant Contact to email the newsletter.

Oh, that's rich. Complain about being branded a spammer, and then hire a professional spammer to send your email for you.

I have never been able to get off a "constant contact" email list once some idiot gave them my address. Never. They take their responsibility (constant contact) quite literally. I now simply route all email that has a "constant contact" in the headers to the wastebasket. That includes an email newsletter that one department in the college has chosen to hire Constant Spammers to send, even though we have professionally maintained in-college mailing lists just for such purposes and pay people to maintain them.

Good luck keeping your customers once they find out you have given their email addresses to a spammer.

Cox? (0)

Anonymous Coward | more than 5 years ago | (#26896871)

"my boss uses Cox"

Cool. How do you like working for a female boss?

What's this "finally" shit? (4, Informative)

the unbeliever (201915) | more than 5 years ago | (#26893551)

You can set up port 25 SMTP to require authentication for relay purposes, without having to configure end user's machines for another port.

Re:What's this "finally" shit? (2, Insightful)

value_added (719364) | more than 5 years ago | (#26893695)

You can set up port 25 SMTP to require authentication for relay purposes, without having to configure end user's machines for another port.

More broadly, authentication can be configured for port 25, port 587, or not at all. Typically, the submission port requires authentication.

As for the article, this factoid is amusing:

Spamhaus currently includes 225,454 U.S. based Internet addresses on its CBL. Of those, nearly one-quarter -- almost 56,000 -- are assigned to Verizon.net. Comcast, which according to Spamhaus is home to the next-largest concentration of malicious hosts among U.S. ISPs, has fewer than half as many listings.

Re:What's this "finally" shit? (4, Interesting)

erroneus (253617) | more than 5 years ago | (#26893733)

This implies that they are blocking all outbound port 25 requests. All ISPs in Japan that I am aware of have been doing this for a long time. The problem is that if you have a 3rd party email service provider, you can no longer send email through them because port 25 will be blocked and if the other party offers the alternative port as well, it is still often blocked.

Still, for MOST people, this is a good plan. I just think that users should be informed of this change, informed why it is a good idea for MOST people and to give them an option to "opt out" of the restriction in some way if the restriction is not compatible with their current needs.

Re:What's this "finally" shit? (1)

Artraze (600366) | more than 5 years ago | (#26893909)

> This implies that they are blocking all outbound port 25 requests.

It doesn't imply that at all. Now they do that in the future, but there's absolutely no logical reason to do so now. After all, they'll have enough complaints on their hands with just this transition, let alone blocking all other (possibly unauthenticated) outgoing mail too.

No, port 587 is simply where authenticated SMTP usually goes, and so that's the port they're using. It also helps that most mail clients automagicly link 587 and authentication, so the changes are easier for the end user.

Finally, I would point out, there's not a whole lot of difference between blacklisting port 25 and blacklisting port 25 on non-Verision servers. So if they were going to block it, they could've done it even before now.

Re:What's this "finally" shit? (1)

PitaBred (632671) | more than 5 years ago | (#26895287)

What pisses me off is that Comcast did the same thing a few months back. I can no longer run a mail server on my home machine. It's not an Internet connection... it's a web and email connection now.

Re:What's this "finally" shit? (1)

tepples (727027) | more than 5 years ago | (#26895783)

Comcast did the same thing a few months back. I can no longer run a mail server on my home machine.

Per the TOS for home-tier service, you never could. As I understand it, the restriction goes away once you upgrade your high-speed Internet service to Comcast Business Class.

Re:What's this "finally" shit? (1)

Hognoxious (631665) | more than 5 years ago | (#26895903)

Wow. Not a ripoff at all!

Re:What's this "finally" shit? (1)

drolli (522659) | more than 5 years ago | (#26896565)

While i see the issue i normally hardly see it necessary or even advantageous nowadays to run my own e-mail server, neither on my home machine nor on my machine at work/university. Email servers are something which required you seeing available for 24x7 in case somebody starts (due to some misconfiguration or bug in the software) to use your machine as a relay for his spam. You can get yourself quite easily blacklisted nowadays, so if you are interested in your email arriving at the recipients, just use some big mail service.

Re:What's this "finally" shit? (0)

Anonymous Coward | more than 5 years ago | (#26894017)

My 3rd part mail provider allows use on ports 25, 465, 587, 8025, and 2525. So far, I've never had a problem using 465 anywhere I go, but I have the option of using VPN tunneling back home also if I ever need to...

Re:What's this "finally" shit? (0)

Anonymous Coward | more than 5 years ago | (#26894367)

Cox has been doing this for years in AZ. You can't send outbound unless you connect to their servers.

Re:What's this "finally" shit? (1)

wnknisely (51017) | more than 5 years ago | (#26895095)

Not in my case. Port 25 is blocked, but the alternatives (587 and 465) work fine for me.

Re:What's this "finally" shit? (3, Interesting)

DarkOx (621550) | more than 5 years ago | (#26896525)

I have never really understood why this is an issue. I do think ISPs should be upfront about it before you sign up and if they change what ports they block and how they police their network you should be allowed out of the contract. I don't think its fair for them to write terms that say we can limit what you do in any way we like.

That aside I would like to ask my fellow slashdots running their own mail servers, (I do speakeasy actaully allows this under their tos) why its a problem for you to use your ISP as a smart host?

Personaly I like it. Unlike at work I don't have to worry about keeping the mail server off the black lists, contacting post masters at other domains to get mistakes corrected etc etc. The ISP does msot of that for me. Now speakeasy will relay for my domain, but I think most ISPs will probably trust whatever is coming from their own network to their relay, I hope they pass it through some outbound filter.

On the inbound side, the MX record points directly at my ip address so I get to handle the mail coming in a filter/black list etc according to my own needs. TLS works too if things need ot stay private.

I suppose the only arugment I can think of is even if you are using TLS your ISP can still read your outboand mail, and if I was using version or comcast I might be more concerned about that....

What are other peoples reasons?

Re:What's this "finally" shit? (1)

gurps_npc (621217) | more than 5 years ago | (#26894663)

Correct for most people this is a good plan. For spammers it is not. They will of course opt out of the restriction.

Re:What's this "finally" shit? (2, Interesting)

dkf (304284) | more than 5 years ago | (#26894955)

Correct for most people this is a good plan. For spammers it is not. They will of course opt out of the restriction.

So long as there is no way for the zombie itself to opt out, there's no (big) problem: the owner probably won't opt out, and the spammer won't go to the (fairly substantial) effort to social engineer his way past the restriction. What this does mean is that it pretty much requires that people who want to opt out call their Customer Services line rather than using a self-service webpage. It's horrible, but necessary.

And for the love of God, don't encourage J Random Grandma to opt out unless she's actually busy overthrowing the government.

Re:What's this "finally" shit? (2, Interesting)

The Great Pretender (975978) | more than 5 years ago | (#26894691)

I recently went through this problem with my work email and Comcast. Someone had reported something, they never explained what, that caused them to put a stop on my port 25 at home. Figuring this out took me many days of bitching at my IT guys at work why they're system was not letting me send emails. Eventually they figured out that it was my ISP and had me call Comcast Customer Service Assurance at 856-317-7272. It turns out that regular Comcast customer services just parrot that the port cannot be unblocked. I talked to the CSA agent and in less than 2 mins he had unblocked up my Port 25. However, he did also say that there was no guarantee that it wouldn't be blocked again, all that had to happen was for someone to make a complaint against me for spam. This includes anyone on an outgoing email who tags any email as spam. His advice was to make sure that everyone wanted the emails when they went out. I can only assume that someone in a CC'd email had tagged me as junk not realizing the consequences.

Re:What's this "finally" shit? (1)

The Great Pretender (975978) | more than 5 years ago | (#26895409)

Before comments jump in irrelevant to the email. Yes I spelled 'they're' instead of 'their' and when I say 'someone had reported something they didn't tell me what', I mean that they couldn't tell me what exactly was the offending piece of email that caused them to shut-down the port 25, thus no way to back track and figure out if it was me or someone was piggy-backing my IP.

Re:What's this "finally" shit? (1)

Vellmont (569020) | more than 5 years ago | (#26895589)


However, he did also say that there was no guarantee that it wouldn't be blocked again, all that had to happen was for someone to make a complaint against me for spam.

So why not take the hint, and send your mail through a 3rd party (maybe the free comcast SMTP server)?

Re:What's this "finally" shit? (1)

The Great Pretender (975978) | more than 5 years ago | (#26896315)

Work require me to send work emails through their server for accountability reasons. While my port 25 was blocked I used my smtp.gmail.com. I don't use my comcast email.

Re:What's this "finally" shit? (4, Funny)

Buelldozer (713671) | more than 5 years ago | (#26895663)

So, you spent "many days bitching at my IT guys at work" and in the end the problem was with your Internet Service at home?! You posted this on Slashdot?

Ummm, yeah, we're going to need your address. I've already handed out the torches and pitchforks.

Re:What's this "finally" shit? (3, Funny)

The Great Pretender (975978) | more than 5 years ago | (#26896289)

I live at 1835 73rd Ave NE, Medina, WA 98039

Re:What's this "finally" shit? (4, Interesting)

mibus (26291) | more than 5 years ago | (#26895163)

My home ISP (oblig. disclaimer: I now work for them too) has blocked port 25 outbound by default on 'Home' ADSL connections for a while now.

It's all configurable from the online webtools, so you can turn it back on if you want it.

And there's even an in-depth FAQ [on.net] about it on the site.

IMHO it's a great idea, and I wish more ISPs did it.

You can, but it's hokey (2, Informative)

billstewart (78916) | more than 5 years ago | (#26894015)

Yeah, it's possible to do authentication on Port 25, but it's generally hokey and often broke things when people did it, and left passwords in the clear for eavesdroppers - 587 is a cleaner and more standardized solution. I remember having to configure Eudora for receive-before-send when my email provider was trying that approach...

Re:You can, but it's hokey (2, Interesting)

MSG (12810) | more than 5 years ago | (#26896475)

You do realize that SMTP on port 25 and MSA on port 587 are the same protocol, right? There's no way that one can be hokey and the other not. In both cases, STARTTLS can be used, and should be required before authentication is allowed.

Providers should universally provide service on 587 in order to allow other ISPs to block outbound port 25, but arguing that authentication on 25 is hokey is just silly. The only reason not to bother is that sooner or later, port 25 is going to be blocked by the ISPs of remote users, and you really ought to be providing service on 587.

What ever happened to SSL and port 465? (1, Insightful)

Khopesh (112447) | more than 5 years ago | (#26894915)

What the fuck are they doing on 587? That's a secondary half-ass port used as a compromise and a low-end workaround for ISPs and network admins who blanket-block port 25. If you're to move away from port 25 (which can easily accept TLS for encrypted authentication or even just encrypted data without authentication), you might as well move to the one that requires both authentication and encryption.

NO responsible network or ISP should use plain-text authorization as the default method. I was astounded when I heard that RCN (et al!) fail to offer HTTPS webmail and POP3S email (if not the vastly superior IMAPS), and that TLS commands get dropped on the floor. This is completely unacceptable.

Verizon and co should not be commended for this trivial step, they should be scolded for not going full-on SSL.

Re:What ever happened to SSL and port 465? (0)

sgt scrub (869860) | more than 5 years ago | (#26896339)

Agreed. Port 465 traffic is the standard port for smtps and should be the ONLY port an email client should be sending email. If anyone believes a cable modem's traffic can't be sniffed for plain text smtp authentication they need to share that good dope with a hippy.

Re:What ever happened to SSL and port 465? (4, Informative)

jeaton (44965) | more than 5 years ago | (#26896481)

Port 587 was allocated by IANA and is documented by the IETF in RFC 2476, and the STARTTLS capability is documented in RFC 2487. It is not clear from the article whether Verizon is going to require STARTTLS or not. They may require STARTTLS for all mail on port 587 if they so choose.

I assume that the "full-on SSL" that you would prefer refers to the non-standard port 465 ("SMTPs"). That port was chosen arbitrarily by Microsoft, has not been standardized by any common standards body, and was previously already allocated to "URL Rendesvous Directory for SSM".

Why perpetuate non-standards when there are established standards which have the same functionality?

Re:What ever happened to SSL and port 465? (2, Insightful)

MSG (12810) | more than 5 years ago | (#26896501)

Don't be stupid. Verizon is planning to block outbound port 25 like a lot of other ISPs do in order to prevent trojans from sending out email. It's not their business to impose a requirement that other mail providers use their choice of STARTTLS on 587 or SSL on 465.

If anyone is failing to do SSL, it has nothing to do with Verizon blocking outbound port 25, and Verizon should in no way be scolded for taking this step.

Re:What's this "finally" shit? (1)

slamb (119285) | more than 5 years ago | (#26896629)

You can set up port 25 SMTP to require authentication for relay purposes, without having to configure end user's machines for another port.

You can set up a MSA (mail submission agent) on port 25, but Verizon users will not be able connect to it after this change. If you run a mail service, the practical effects of this change are (1) you will need to set up port 587 if you have any customers who get transit through Verizon and (2) you will receive less spam.

Verizon wants to stop customers from directly connecting to outside MTAs (mail transfer agents, which run on port 25). This will stop customers from sending spam from Verizon's network.

However, they need to allow customers to send mail to MSAs outside their network or customers will (rightfully) sue them for anticompetitive practices. The solution is to encourage use of a separate port for MSAs, port 587. This is outlined in RFC 2476 [ietf.org] .

Verizon's making a good move here. It will be a temporary inconvenience to some of their customers who will have to get their outside MSAs to set up the submission port, but that's a pretty small cost for stopping the spam.

Do zombies even use ISP mail servers? (0)

Anonymous Coward | more than 5 years ago | (#26893565)

Don't most zombies implement their own SMTP clients? In other words, they wouldn't even use the ISP's mail servers...

Re:Do zombies even use ISP mail servers? (5, Insightful)

stevey (64018) | more than 5 years ago | (#26893773)

Indeed.

But if you're the ISP you can just say "Hey customers outgoing port 25 is blocked - use authentication and port 587 to send mail".

In general I'm against ISP blocking services, but in the case of spam prevention its a good choice to make.

(The ideal would be to allow outgoing, but cut people off if they spam. That would punish only the guilty, but I guess they're not so keen on that).

Re:Do zombies even use ISP mail servers? (1, Troll)

bluefoxlucid (723572) | more than 5 years ago | (#26893921)

those who would give up blahblah ben franklin

In general I'm against monitoring people secretly and continuously; but in the case of cities where children are legally or physically possibly present, it's a good choice to make to stop pedophiles.

Re:Do zombies even use ISP mail servers? (4, Insightful)

Chabo (880571) | more than 5 years ago | (#26894113)

In general I'm against monitoring people secretly and continuously; but in the case of cities where children are legally or physically possibly present, it's a good choice to make to stop pedophiles.

... what?

Re:Do zombies even use ISP mail servers? (4, Insightful)

robot_love (1089921) | more than 5 years ago | (#26894929)

He's saying that a losing a little bit of liberty to gain some safety isn't worth it. He did this by cleverly rewording the original poster's statement about email to make it about pedophiles to highlight the fact it's essentially the same issue, simply in a different context.

Re:Do zombies even use ISP mail servers? (0, Troll)

bluefoxlucid (723572) | more than 5 years ago | (#26895151)

The best part is it's ridiculously close to a strawman fallacy, and just barely escapes by actually being analogous to the original argument.

Re:Do zombies even use ISP mail servers? (3, Interesting)

erroneus (253617) | more than 5 years ago | (#26894199)

Yes and it is only a matter of time before that changes and evolves.

The reason these alternative ports and blocking works is because most everyone else isn't doing this. When it comes to the point where most people are doing this, new methods will arise.

The first scenario that comes to mind is that the next generation of bot-ware will listen to your outgoing email traffic and learn your password then configure itself to send email based on that information. Then once again, the problem returns. And if *I* can conceive of this, then I *know* spammers have already thought of this. (I am comfortable in the assumption that I have never come up with an original idea.) You can expect this to occur within the next year or so. The drive to these measures are largely based on the size of the target audience after all. (This is the reason Mac OS X is mostly immune to attacks and infection... it isn't yet a big enough target!)

Things will get crazier before they get better.

Re:Do zombies even use ISP mail servers? (2, Informative)

GigaplexNZ (1233886) | more than 5 years ago | (#26895201)

The first scenario that comes to mind is that the next generation of bot-ware will listen to your outgoing email traffic and learn your password then configure itself to send email based on that information. Then once again, the problem returns.

The advantage in this instance is that the ISP can easily identify (because the zombie used the user/pass) who has been zombified and inform the customer to get their machine disinfected.

Re:Do zombies even use ISP mail servers? (0)

Anonymous Coward | more than 5 years ago | (#26894291)

Doing that would not cut out the ISP's mail server. Maybe yours was a simple slip up, but "SMTP client" is something like Outlook Express or Eudora... each still needs a mail server. I can attest that writing an SMTP client is fairly simple.

Now as to servers, I'm not as well informed. I don't know what difficulties there are in writing a program to spoof a mail server just passing along a message. I figure that's much harder to do or viruses would probably start there instead.

I do know that ISPs do normally restrict customers from using port 25 (and possibly other common mail ports) except for communication with their own mail server. So a simple SMTP client program sending spam out is restricted to communicating only with the "right" server, the ISP's server.

Re:Do zombies even use ISP mail servers? (1)

Drgnkght (449916) | more than 5 years ago | (#26895191)

Writing a program to act like a mail server for the purpose of sending spam would not be difficult. You wouldn't need to implement any kind of backend just the simple mail transfer protocol. Take a look at the RFCs 821 [ietf.org] and 2821 [ietf.org] . The original RFC is 821. It contains most everything you would need to write a mailer. The actual communication is very simple by design.

And for the record some virus and trojans do implement this.

Verizon spam zombies (5, Funny)

benjfowler (239527) | more than 5 years ago | (#26893577)

I feel a great disturbance in the Force, as if millions of voices cried out in terror and were suddenly silenced...

Re:Verizon spam zombies (4, Funny)

SpiffyMarc (590301) | more than 5 years ago | (#26893867)

They're spam zombies. It's a million voices groaning out URrGgGHghHHhh followed by a couple late chants of "brains."

Re:Verizon spam zombies (1)

bluefoxlucid (723572) | more than 5 years ago | (#26895113)

Zombies don't feel terror, they only feel hunger... for brains...

Re:Verizon spam zombies (0)

Anonymous Coward | more than 5 years ago | (#26895905)

Zombies don't feel terror, they only feel hunger... for brains...

ehlo console
MAIL FROM: LUVBRAINS2000@VERIZONZOMBIE.NET
RCPT TO: XHAVEBRAINSX@VERIZON.NET
data
TO: XHAVEBRAINSX@VERIZON.NET
FROM: LUVBRAINS2000@VERIZONZOMBIE.NET
sUBJECT: YOU HAVE BRAINS???
BRAAAAAIINS
.
quit

Can't see that as longterm solution (0)

Anonymous Coward | more than 5 years ago | (#26893607)

Can't see how this will prevent sending spam.
Maybe in future zombies have their own built-in sendmail.

Enabler, not longterm solution (2, Insightful)

billstewart (78916) | more than 5 years ago | (#26893959)

Most ISPs already do a fair bit of policing on the users of their mail servers, so this probably won't make a big dent (though botnets keep evolving, and if the scalability works to use ISP mail servers, they'll go back to it.) This basically provides a cleaner, more standardized solution for mail submission and authentication. VZ might block Port 25 later, and getting their users onto 587 makes it easier.

Zombies already do deliver their mail directly using Port 25. They're not generally running Real Sendmail (which is way too big and heavy for what they need) - in general they're running stripped-down mail senders that don't bother checking error messages correctly, which is why greylisting's "Go away and come back in 5 minutes" is enough to discourage lots of them. But lots of ISPs have been jumping on the "Block Port 25" bandwagon (with no apologies to Linux users who run their own sendmail), so maybe the zombies will go back to using ISP mail servers more often.

Re:Enabler, not longterm solution (1)

nabsltd (1313397) | more than 5 years ago | (#26894871)

But lots of ISPs have been jumping on the "Block Port 25" bandwagon (with no apologies to Linux users who run their own sendmail), so maybe the zombies will go back to using ISP mail servers more often.

Many ISPs will let you use outbound port 25 if you request it. This usually means only responsible users will have the ability.

Also, you can configure sendmail to use port 587 on another server as the relay, so you could still use your own sendmail and relay through the ISP server.

Re:Enabler, not longterm solution (0)

Anonymous Coward | more than 5 years ago | (#26896177)

with no apologies to Linux users who run their own sendmail

None deserved, because probably 80% of them have some line in their sendmail.cf file like
>&;:$=M m QQ!2z ~dnl
that not only turns their server into an open relay, but sends every email 5 times, and on every third tuesday sends the entire contents of your harddrive as an attachment too.

For the love of God, if you don't have a clue as to what you're doing, don't do sendmail. Use exim, the installation script configures 80% of the sites out there in 1-4 questions, and for the remainder, the configuration is in a human-readable syntax that doesn't require learning a whole macro language just to configure the program that creates the configuration file for you.

(PROTIP: if you even think about asking a question about sendmail.cf, you are demonstrating that have no fucking clue what you're doing, and by continuing to use sendmail you deserve to have your computing license revoked until you have memorized the entire m4 documentation.)

PORT 587 THE GATE TO HELL (1, Funny)

Anonymous Coward | more than 5 years ago | (#26893627)

Last week I routed an email through PORT 587 and this came out of it:

Hai Adonai Abmozedel, Adonai Garntaturagah, Adonai Hai Prezelbuuub, Adonai Hai Koadze....and so on.

Is their choice really smart ?

Re:PORT 587 THE GATE TO HELL (2, Funny)

Samschnooks (1415697) | more than 5 years ago | (#26894093)

Somebody fucked with you. They mapped port 587 on that machine to port 666.

Re:PORT 587 THE GATE TO HELL (0)

Anonymous Coward | more than 5 years ago | (#26895511)

Port 666 is reserved for Doom (video game)

Won't make a difference in the long run (1)

Coram (4712) | more than 5 years ago | (#26893665)

This is a good thing, but it's unlikely to improve things in anything other than the short term. They are quite capable of identifying which customers are zombie spam relays already by looking at IP addresses and authentication logs. I did this back in the days of dialup when i did a lot of work on mail systems for another large isp/telco. They are still left with the matter of contacting the customer and explaining the problem and guiding through to a solution. This is expensive to do, and requires hand holding as the customer isn't going to understand what do. It's still cheaper for the ISP to ignore the problem. Zombies will still operate, just now they have to steal authentication details. Big deal.

Re:Won't make a difference in the long run (1)

stevey (64018) | more than 5 years ago | (#26893863)

They should just re-route outgoing connections on port 80 to :

  • you're.a.spammer.verizon.net

Or similar. That way the customer knows what to do.

Of course that level of control would be easy for the ISP to avoid, but theres a tradeoff - do you block all outgoing :25 access, or only that belonging to known-bad/known-compromised users?

Me I'd block the spammers. But I guess it'd be easier to block all users.

Re:Won't make a difference in the long run (1)

Coram (4712) | more than 5 years ago | (#26894161)

Those are the same options my former employer wrestled with. Many users don't care if they are a zombie spam bot, or at least it falls into the "too hard" basket. The choice (for the ISP) is "do i turn off service to my paying customers, or do i let spam go out to people who aren't my paying customers?". If the financial consequences of accepting that you can be a spam hub are less than the consequences of pissing off customers you've disabled email for, then you choose to let the spam run wild. Until the economies of this change (either it becomes expensive to send spam or it becomes expensive for ISPs to allow it), spam remains a problem.

Re:Won't make a difference in the long run (0)

Anonymous Coward | more than 5 years ago | (#26895709)

The right answer is obviously to send an automated email informing them that according to your data their computer is compromised and if the spam doesn't stop the offending ports will be locked.

Re:Won't make a difference in the long run (2, Insightful)

vux984 (928602) | more than 5 years ago | (#26895897)

The right answer is obviously to send an automated email informing them that according to your data their computer is compromised and if the spam doesn't stop the offending ports will be locked.

That's not an obviously right answer.

First they'll ignore your email. (Assuming they even get it, because the people with zombie PCs don't check their ISP mail they mostly use hotmail/gmail/yahoo etc so they'll never see the message from their ISP.)

Then you follow through on your threat and block their access.

At which point they phone your Customer Support to complain that their 'internets is broken', bitch that you never warned them, and when your CSR tells them they need to have someone clean out their PC they go ballistic because that's hard or expensive. And the whole time they're on the phone with your CSR its costing you money, and creating an unhappy customer.

It might actually cost you less to just let the zombie spam away, and keep the customer is happy.

Arrest, Try, Convict, and Sentence +1, Incendiary (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26893677)

The world's largest crime syndicate AND Congress [whitehouse.org] .

Thank you for helping to spread freedom and democracy.

Yours In Socialism,
Kilgore Trout

Re:Arrest, Try, Convict, and Sentence +1, Incendia (0)

Anonymous Coward | more than 5 years ago | (#26894827)

LOL + (-1) stupidity

Comcast did it already (1)

Dwedit (232252) | more than 5 years ago | (#26893717)

Comcast has required email to be on port 587 for a while now.

Re:Comcast did it already (0)

Anonymous Coward | more than 5 years ago | (#26893745)

Yep, they turned me off at home the other day for port 25 with no warning whatsoever. When I called, I was told they're slowing rolling it out to everyone (port 25 blocking that is).

Re:Comcast did it already (1)

PitaBred (632671) | more than 5 years ago | (#26895333)

Yup. They hit me a few months ago. Fuckers. There's not even a way to opt out of it that I can find.

Re:Comcast did it already (1)

whoever57 (658626) | more than 5 years ago | (#26895137)

Comcast has required email to be on port 587 for a while now.

Not where I am:
$ telnet a.mx.mail.yahoo.com. 25
Trying 67.195.168.31...
Connected to a.mx.mail.yahoo.com.
Escape character is '^]'.
220 mta112.mail.ac4.yahoo.com ESMTP YSmtp service ready
quit
221 mta112.mail.ac4.yahoo.com
Connection closed by foreign host.

Article Confuses Mail Servers vs. Network Filters (2, Insightful)

billstewart (78916) | more than 5 years ago | (#26893877)

As far as I can tell from this article and a few others that are derived from the same press releases, what VZ is doing here is setting up their own mail servers to use Port 587 submission instead of Port 25. That won't stop zombies or legitimate Linux mail systems from sending mail directly to their recipients' systems, though I'm guessing that they'll get around to blocking Port 25 (sigh) once they've got most of their users migrated to 587.

What this will do is give them authentication, which makes it easier for them to block customers who use VZ's mail servers from spamming, but I'd be surprised if there's much of that happening (though botnets keep evolving their techniques.) It's already possible to reduce that simply by using passwords, or using various hokey port 25 authentication methods like receive-before-send; this cleans up the process a bit.

Re:Article Confuses Mail Servers vs. Network Filte (1)

nabsltd (1313397) | more than 5 years ago | (#26895041)

It's already possible to reduce that simply by using passwords, or using various hokey port 25 authentication methods like receive-before-send; this cleans up the process a bit.

There is no requirement for any "hokey" authentication...port 25 for connections from inside an ISP could be routed (netcat, iptables, etc.) straight to where an MTA that allows relaying would be listening. For bonus points, any connection from inside the ISP to port 25 on any machine would end up at the same ISP "internal" MTA.

Meanwhile, connections to port 25 from outside the ISP would be routed to a "normal" MTA that doesn't require authentication and will not relay...it would only accept e-mail for domains local to "isp.com".

You don't even need authentication to make this work...authentication just gives you one more piece of proof where a connection came from.

Re:Article Confuses Mail Servers vs. Network Filte (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26895469)

Don't suggest that.

Transparent proxies are the work of the devil and a long step towards full-blown internet censorship.

Or do you work for a company that sells Great Firewalls to China?

Re:Article Confuses Mail Servers vs. Network Filte (1)

icydog (923695) | more than 5 years ago | (#26896563)

If you want the ISP's MTAs to relay mail sent from internal computers, then this will break TLS over port 25 as the certificates will (by design) be invalid for the ISP's servers.

Re:Article Confuses Mail Servers vs. Network Filte (1)

kindbud (90044) | more than 5 years ago | (#26895883)

What hokey port 25 authentication methods? Any authentication methods offered on port 587 can also be offered on port 25. There is nothing magical about "25" that makes strong authentication unpossible. There is nothing magical about "587" that makes it any more secure than "25." You can run a open relay just as easily on port 587 as you can run one on port 25. You can run SMTP-AUTH and TLS on port 25, and permit relaying to authenticated clients that use TLS, while non-authenticated and/or plain-text clients can only send mail destined for your own domains.

Setting aside port 587 for smtp-submit simply makes the firewall rules at the border easier to manage.

This makes sense but exceptions exist (1)

davidwr (791652) | more than 5 years ago | (#26893981)

This makes sense for 99.9+% of customers including probably 99.99% of non-business customers. Customers who claim to have a legitimate need for port 25 and who can demonstrate they have the technical and management infrastructure in place to prevent abuse and the liability insurance or proof of financial responsibility should they fail should be allowed to continue using it subject to termination at any time if it is abused. Heck, I might even just settle for proof of financial responsibility, if they had enough insurance to cover damages from the time spamming was discovered until the plug was pulled.

great, only 7 years late (5, Informative)

Indy1 (99447) | more than 5 years ago | (#26894099)

Verizon has been an epic sewer network for years, and has ignored their spam problem for years. If they want to clean up now (or make a lame attempt to clean up, as most telco's do), fine. It just means less work for iptables at my end.

For those who are sick of Verizon's bullshit, here's my list (no promises this is complete, but it should have most of em) of Verizon's ip blocks.

  206.46.0.0/16
  66.12.0.0/14
  207.68.0.0/17
  71.96.0.0/11
  72.64.0.0/11
  72.42.0.0/18
  71.160.0.0/15
  71.162.0.0/16
  96.224.0.0/11
  98.108.0.0/14
  98.112.0.0/13
  68.160.0.0/14
  162.84.0.0/16
  162.83.0.0/16
  151.204.0.0/15
  138.88.0.0/21
  66.171.0.0/16
  66.14.128.0/17
  151.201.0.0/16
  138.89.0.0/16
  141.149.0.0/16
  141.150.0.0/15
  141.152.0.0/14
  141.156.0.0/15
  141.158.0.0/16
  68.160.192.0/18
  68.161.192.0/18
  66.14.0.0/17
  151.196.0.0/14
  151.200.0.0/14
  151.204.0.0/15
  129.44.0.0/16
  138.88.0.0/16
  64.222.0.0/15
  68.236.0.0/14
  70.104.0.0/13
  70.16.0.0/13
  71.96.0.0/11
  209.158.0.0/16
  209.159.0.0/19
  71.160.0.0/11
  173.64.0.0/12
  70.192.0.0/11
  66.174.0.0/16
  75.224.0.0/12
  75.240.0.0/13
  75.192.0.0/10
  97.0.0.0/10

Re:great, only 7 years late (0, Offtopic)

phantomcircuit (938963) | more than 5 years ago | (#26894699)

CIDR [wikipedia.org]

E-mail Clients and Ports (2, Interesting)

dlevitan (132062) | more than 5 years ago | (#26894147)

I wish that more software would default to 587 instead of 25. For example, Thunderbird doesn't even mention the possibility of 587 as a "default" port, which really needs to be changed.

In any case, it's good to see the change to 587 become more widespread and hopefully it will eventually become the default port for sending messages (along with encryption + authentication), while 25 will be reserved exclusively for server-to-server communication.

Re:E-mail Clients and Ports (1)

ZerdZerd (1250080) | more than 5 years ago | (#26895265)

Darn, why can't all the spammers stop using port 25, so we can use it again!

Remembering credentials?! (4, Insightful)

coljac (154587) | more than 5 years ago | (#26894353)

I like the suggestion that people are somehow lax in security because their mail client remembers their password. Who are these guys who type the password in every 3 minutes when they check their mail?

Re:Remembering credentials?! (1, Funny)

Anonymous Coward | more than 5 years ago | (#26894779)

I am and I've never had a probsnoopy417$lem with it.

Re:Remembering credentials?! (1)

Scotch42 (1120577) | more than 5 years ago | (#26895027)

I like the suggestion that people are somehow lax in security because their mail client remembers their password. Who are these guys who type the password in every 3 minutes when they check their mail?

once per session is enough... the client may keep the password in RAM never writing it to a file.

New generation of bots (1)

IGnatius T Foobar (4328) | more than 5 years ago | (#26894573)

As more and more consumer ISP's block outbound connections on port 25, this will only accelerate the development of newer, smarter zombie bots that know how to read the configuration settings of popular email programs (perhaps even the passwords for popular webmail sites stored in your browser's saved password list) and use those settings to send mail.

This will be even more wonderful because all of that spam will now have your name and email address on it.

The numbers don't match up (1)

dave562 (969951) | more than 5 years ago | (#26894627)

I often seen antecdotal numbers in the "millions" when people talk about zombie infected boxen. Yet the article quotes Spamhaus.org claiming "225,454" machines on all networks are sending spam. Even if one were to assume that only a quarter of all zombie machines are sending spam at any one given time, that's still only a million boxes that are compromised and sending spam.

What's the deal? Are there really millions and millions of compromised Windows boxes out there in zombie networks? Or are the numbers over blown when matched up against activity logs that monitor traffic from compromised boxes?

Re:The numbers don't match up (1)

LingNoi (1066278) | more than 5 years ago | (#26895823)

There's probably millions, just not used for sending spam.

Most botnet owners charge for their usage for denial of service attacks. A popular example being halo tards DOSing others in the games at $500 a pop so they lag and can be killed easier.

Re:The numbers don't match up (1)

irtza (893217) | more than 5 years ago | (#26895827)

well, that depends on how the 225,454 number is derived. I doubt they can detect all machines behind a firewall - including simple home routers. Figure that if one machine on a home network is infected - the others are likely to be as well (same people managing them).

cant identify by ip? (0)

Anonymous Coward | more than 5 years ago | (#26895177)

..."if the victims let their mail clients remember their authentication credentials, at least the zombies will be easily identifiable."...

are they saying they don't keep track of who uses which IP? you gotta be kidding me.

what they're doing is the easy thing, block port 25 and with it the majority of the spambots. they just dont want the hassle of getting the trojans removed from those thousands of machines. too expensive.

Good Changes (1)

Snker (1480357) | more than 5 years ago | (#26895487)

Is a very good idea for reduce spam

Completely pointless? (3, Insightful)

MikeBabcock (65886) | more than 5 years ago | (#26895913)

In my opinion, the transition to port 587 is nearly pointless. I already use authentication on port 25 to identify customers.

And according to one of the only people I'd trust on SMTP issues, "the SUBMIT specification has several fundamental flaws that make compliance practically impossible. I advise against all use of port 587" -- djb [cr.yp.to] .

It's not pointless (1)

pavon (30274) | more than 5 years ago | (#26896479)

It is useful because it allows ISPs to block port 25 for customers who do not run their own mail server (the vast majority of them). This makes it impossible for zombied machines to send mail directly , instead having to go through a relay. Open relays are much easier to filter against / get shutdown for abuse, than a whole swath of zombie computers. Mail going through authenticated relays is also easier to monitor for abuse, plus once the mailhosts relaying the authenticated mail are affected by zombie generated SPAM, they then have an incentive to do something about it.

In short it forces zombie SPAM to be channeled through choke points where it can be more easily identified and shutdown.

As for DJB, IIRC, his complaints against SUBMIT were entirely restricted to the fact that it will be yet another case where everyone implements defacto behavior, rather than following the standard to the letter, because the standard has some flaws in the way it is written. I agree that this is annoying for new implementers, as they have to look beyond the standard to "conventional wisdom" to figure out how to be interoperable. But this is true of every single network protocol in existence to varying degrees. I don't think he had any complaints about the idea of authenticated relays happening on a different port than mailhost-to-mailhost delivery. But, I can't find anything more detailed than what you posted so I can't say for sure.

hehe (3, Informative)

pavon (30274) | more than 5 years ago | (#26896843)

I just reread your link. In it DJB explicitly advises against running authentication on port 25. In fact, for security reasons, he wrote two separate programs, qmail-smptd and ofmipd, to keep the tasks of relaying authenticated email and accepting mail for local delivery as removed from one another as possible.

He defends the idea of separating these two tasks, not only to separate ports but separate programs, on this thread [imc.org] on the IETF-SUBMIT mailing list.

So, yeah, his complaint against port 587 was simply that if you can't implement the SUBMIT standard correctly (which according to him noone can), you should use a different port then the one specified in that standard. The rest of the world doesn't care, because it sees all the various authentication methods (including SUBMIT) as extensions to SMTP, and not as a different protocol (OFMIP as DJB calls them collectively), and have no qualms running a standard (non-SUBMIT compliant) SMTP server on port 587.

but are they still using that spamhaus crap? (1)

Uzik2 (679490) | more than 5 years ago | (#26896641)

grr! Spamhaus is a sock puppet for industry forcing little guys running mail servers off the internet.

wishing for Domain Keys Identified Mail (DKIM) ? (1)

johnjones (14274) | more than 5 years ago | (#26896913)

YAY port 587 is a great thing !

but are they going to sign their mail ?

now that would be a good thing so people can not FAKE a @Verizon.net address
google paypal yahoo etc do this

if Verizon did it people would start to respect @Verizon.net

simple if I get a Verizon.net address and it pass's the DKIM then I know it came from their domain

but a big WELL DONE ! someone with a clue got this done !

regards

John Jones

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?