[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Nmh-workers] Verizon DSL block

From: Sean Kamath
Subject: Re: [Nmh-workers] Verizon DSL block
Date: Fri, 22 Jan 2010 16:22:55 -0800
User-agent: Thunderbird (X11/20081216)

Earl Hood wrote:
> On January 22, 2010 at 16:26, Ken Hornstein wrote:
>> The port 25 block is pretty much standard for large ISPs today; it's
>> to prevent spammers from using massive networks of compromised PCs to
>> deliver spam.
> Changing ports is useless unless authentication is required.
> If deterring spammers is the primary goal, then ISPs can just require
> authentication for customers over the standard SMTP port.
> Changing to the submission port provides no benefit unless
> authentication is required since spammers just tweek things to use
> the submission port to send spam.
> However, even with authentication, if a system is zombied, probably
> would not take much for authentication credentials to be stolen by
> the malware and used for sending out spam.

Most people (such as myself) who run personal mail servers have it set
up so port smtp port accepts mail for the domain, but will not forward,
and submission port that will forward, but must be authenticated.  If
you're just listening on port 25 and 587 but do the same thing
regardless, well, you're wrong. :-)

Also, even if user X is compromised, and their account is being use to
spam the crap out of machines, then at least there's a chokepoint.
Either the admin is going to notice something unusual is up, and stop
it, or they won't and they'll one day find out they're on a RBL
somewhere, and *NO* mail is going out.

Requiring authentication on port 25 is pointless.  I say pointless
because most do anyway, allowing you to authenticate on port 25 and
relay through them.  No authentication, no relay.  Port 587 just sort of
makes it easier to separate incoming (to your systems) from outgoing
(from your systems; oddly thought of, since it's really "incoming
intended to go out").  Further, you don't want the spambot army of death
attacking port 25 trying to authenticate, and thus also blocking regular
incoming mail.  Granted, it would block incoming-intended-to-go-out
mail. :-)


Sent from the 1st Circle

reply via email to

[Prev in Thread] Current Thread [Next in Thread]