Friday 3 April 2009

Blocking port 25

I had a call from a friend complaining that they had just purchased a wireless broadband stick (from Telstra, using their Next-G network, which is an HSDPA network using UMTS 850 MHz) and they could not send mail via their normal mail accounts.

A few minutes of checking found that Telstra and Bigpond block outgoing access to port 25 to anything other than their own mail servers.

The reasons are listed here [bigpond.custhelp.com] as well as at other pages. This post will list why their reasons are flawed, and how to get around them.

Flawed Reasoning

Bigpond claims they manage the use of port 25 "to prevent spammers sending unsolicited email using [their] network." OK, that sounds fair enough at first glance, but when you realise how easy this is to get around (use a different port, for example), this reason becomes redundant.

Bigpond claims that other ISPs are taking similar steps and that their changes have been "proven to prevent some types of spam activity". However, spammers, like advertisers, attempt to stay ahead of the latest trends, and as soon as one method of spamming is blocked, they will use another. Also, Internode (as an example) blocks port 25 by default, but lets you turn this feature off.

Furthermore, spammers are setting up real mail servers around the world. In conjunction with a tailored trojan that uses a different port to send mail, Bigpond's efforts are useless. In fact, spam levels are back to 95% of all email traffic!

Finally, you could pay the extra money for a fixed IP address from Telstra, and they won't block the port. In my opinion, this is shameless money grabbing. Please explain why a user on a fixed IP address is not susceptible to a spam-sending trojan or virus?

Perhaps the spam is purposefully malicious, and Telstra would like to know whose account to suspend? Telstra (along with most ISPs) keeps detailed logs of traffic and authentications, so they can easily tell which user from a dynamic IP address was accessing which sites at any point in recent history. Static IP addresses are therefore no easier to crack down on.

More Problems than Solutions

Bigpond says that you can use their Bigpond mail server to send mail, and thus get around the port block. You can in fact do this, and still have your email appear to come from you@yourhost.com (and not you@bigpond.com).

This solution is not ideal for two reasons:

1. Travelling
The frequent traveller, like my friend, is often on different networks. He must be able to use whichever network he is on and send / receive his normal email. To set up a different outgoing mail server, and perhaps a different profile (from whichever mail client he is using) for each network is both time consuming and pointless.

2. Your email looks like spam
When you send email where the FROM address is you@yourhost.com, but it goes through a different mail server (bigpond.com), the recipient's (him@friendsmail.com) mail server may block or mark your email as spam.

This is because exactly that technique (using a FROM address and mail server that do not match) is used by spammers to send spam. The recipient mail server checks the DNS records of the sender (yourhost.com), and if they don't match the originating server (bigpond.com), then your email may be deleted, rejected, or set aside.
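SPF (RFC 7208) is one mechanism recipient servers use for the check described above; it evaluates the domain of the envelope sender against a TXT record published by that domain. The Python below is an added example, not part of the original post. Its TXT records are constructed (documentation address ranges, with `bigpond.example` standing in for the ISP relay), and it assumes only the `ip4`, `ip6`, `include` and `all` mechanisms are in use.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (not real DNS data).
SAMPLE_DNS = {
    "yourhost.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "bigpond.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # A domain that also authorises the ISP relay, e.g. for roaming users.
    "roaming.example": "v=spf1 ip4:192.0.2.0/24 include:bigpond.example ~all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=SAMPLE_DNS, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        elif name == "include":
            # include matches only when the included policy yields "pass"
            if check_spf(value, sender_ip, dns, depth + 1) == "pass":
                return RESULTS[qualifier]
        # Other mechanisms (a, mx, exists, ...) need live DNS; skipped here.
    return "neutral"


if __name__ == "__main__":
    # Mail for yourhost.com arriving from the ISP relay's address range.
    print(check_spf("yourhost.com", "198.51.100.7"))
```

With the first record, mail claiming to be from yourhost.com but delivered by the ISP relay evaluates to `fail`; the third record shows how a domain owner can authorise that relay with `include`.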

Getting around it

OK, so what do you do to get around it? By far the best way is to authenticate with your mail server, and use a secure port. By using a secure port (usually not port 25) Bigpond won't block your outgoing mail. In fact this should work for many networks that block port 25.

You have the added advantage that your mail is probably encrypted, or at least your password will be (don't rely on this to encrypt sensitive emails though, as you can bet it will be transmitted in plain text at some stage of the process).

Is my mail server compatible?
The best thing to do is try! Different mail clients do this in different ways:

Evolution 2.24.5
Edit > Preferences > Mail Accounts > Edit > Sending Email > Use Secure Connection

Thunderbird 3.0b3
Edit > Account Settings > Outgoing Server > Edit > Connection Security

Outlook [including Express]
You have to edit your account settings from one of the main menus. You may have to then choose View or Change existing email accounts. Then select the account and choose Change; then more settings (I think) and then you should see a secure option. Note the SPA option is not what you're looking for here, although you can use it if supported.

If you get timeouts or errors sending mail, then try slightly different options (if you have a choice).
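What the mail clients above do when a secure connection and authentication are enabled, as an added Python example that is not part of the original post: connect to the submission port, upgrade to TLS, and only then send the password. Port 587 (the standard submission port), the host name `mail.yourhost.example` and the credentials are assumptions; use your provider's values.

```python
import smtplib
import ssl
from email.message import EmailMessage


def build_message(sender, recipient, subject, body):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def authenticated_send(smtp, username, password, message):
    """Upgrade to TLS, then authenticate and send; never log in over cleartext."""
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        raise RuntimeError("server offers no STARTTLS; refusing to send password")
    # The default context verifies the server certificate and hostname.
    smtp.starttls(context=ssl.create_default_context())
    smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
    smtp.login(username, password)
    return smtp.send_message(message)  # dict of refused recipients, {} if none


def submit(host, username, password, message, port=587, timeout=15):
    """Connect to the submission port instead of port 25."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return authenticated_send(smtp, username, password, message)


if __name__ == "__main__":
    # Hypothetical host and credentials; replace with your provider's values.
    mail = build_message("you@yourhost.com", "him@friendsmail.com",
                         "Test via port 587", "Sent over authenticated submission.")
    print(submit("mail.yourhost.example", "you@yourhost.com", "app-password", mail))
```

TLS here protects the password and the message only between the client and the submission server, which matches the caveat above about later hops.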

2 comments:

Nicholas Meredith said...

Re: your "Flawed Reasoning - Bigpond claims they manage the use of port 25 to "to prevent spammers sending unsolicited email using [their] network." ... but when you realise how easy this is to get around then this reason becomes redundant."

I appreciate the thought-process you've worked through, but you have some very flawed logic at this point.

First of all, you cannot send to any recipient MX servers to relay/deliver mail except on port 25. If you want to send over a different port to a custom server, then that is the effective spam source, as it will be the one having to then relay to the real recipient MX server on port 25. So it DOES stop you from spamming out to the world. Using a VPN, or a GRE tunnel or SSH socks tunnel or an SMTP relay server on a different port is just moving the 'source' of the spam to an external host, but does the job of keeping Telstra's IP block on good standing with spamming blacklists etc.

Secondly, and also far more likely to be the real issue here, is that a significant portion of the customer base at any time will have malware, worms, viruses or other infections, constantly attempting to spam out emails for any number of botnet masters out there.

These thousands, if not tens of thousands of computers are periodically attempting outbound connections to thousands of remote mail servers to their TCP destination port of 25, to send unsolicited mail. The more times this occurs, the more black marks the individual IP addresses will get. As more and more IP addresses within an allocated subnet block are noticed by blacklists, eventually the entire subnet of tens of thousands of IP addresses will be entirely blacklisted as a whole, due to having such a terrible reputation among a significant number of IP addresses within that given subnet range.

I see this post is a few years old now, but if you haven't changed your opinion on this since that time, I hope you can still publish this comment to give a second view on these issues. I'm not affiliated with Telstra in any way I might add.

Iain said...

Thanks for your response Nicholas, yes I realise I'm not entirely correct, however the non-existence of an option to change this setting (at the time, don't know about now), even on a pre-defined mail host basis, was what really got me annoyed!

 