How do you stop outgoing spam?

> 2. The issue with email is authentication, not privacy. Authentication can
> be achieved easily over port 25, without encryption.

Well, no, not securely it can't. You cannot have a secure authenticated
service running over a raw TCP circuit across public networks.

1. You are adding to the requirement. No matter how reasonable or advisable, encryption (privacy) is a separate function from authentication. And the rationale for doing port 25 port blocking has to do with accountability, not privacy.

2. Just so there is no confusion, I meant encryption as in privacy (content encryption) rather than as part of an authentication mechanism.

3. SMTPAUTH does not require an alternate port, yet it is sufficient for ensuring accountability. Hence it is sufficient for dealing with the reason that port 25 is blocked, without requiring that it be blocked.

> Hence, blocking port 25 blocks legitimately validated email,
> as well as possible spam.

Well, yes, but obviously that doesn't matter. This is the real world, Dave.

Thanks for noticing that. That is why I keep citing the impact on real, mobile users and the implication for such minor opportunities such as wireless hotspots.


I don't understand this reasoning. The ISP's justification for blocking
25 except to its own servers is to avoid having its facilities used
for abuse. How would the local ISP enforce use of SMTPAUTH to connect
to some remote ISP?

The claim is that outbound 25 is blocked to prevent spam. However, accessing a remote 25 with SMTPAUTH ensures full accountability and, therefore, prevents spam. Blocking 25 disables use of this mechanism.


I guess the last 20 years of Internet use have been entirely invalid then. Too bad the 100 million current Internet users do not know that.


> I guess the last 20 years of Internet use have been entirely invalid
> then.
Not necessarily -- it's a matter of what level of risk is acceptable in
a given scenario.

Thank you. That was my point.

It therefore is essential to pay attention to fixing only real-world problems that have an operational basis -- or an extraordinarily unacceptable downside -- before imposing significant change on a large installed base of users.

However we've now reached a point where spammers resort daily to theft
of service against remote mail servers and to direct attacks against
target remote mail servers.

As bad as that is, it is a long way from stealing connections. Entirely different technical basis.

The current situation is technically trivial. Stealing connections is not. Perhaps that is why the former happens all the time and the latter does not.

You're pointing out that some users don't want to live with that more restrictive framework.

I am pointing out that there is a balancing act to perform, and that 100 million users is more than "some".

And lest you note that all 100 million are not mobile, and that some mobile users are not inconvenienced, I'll respond that whatever the number is, the impact on mobile hotspot users should finish the question about scale of the impact.

I.e. you can do what you want to do if you use the right tools, but you
can't do it over TCP port 25.

If you think a bit harder about your assertion, you will realize that the port number neither creates nor restricts the protection.

All that changing the port number does is to impose guaranteed inconvenience on the entire population of mobile users.

> Too bad the 100 million current Internet users do not know that.
Indeed it is. Your kind of F.U.D. doesn't help any either.

Noting the impact on the installed base of Internet users is FUD?

And by the way...

For all the supposed benefit of port blocking -- e.g., we don't see as much dial-in spam sourcing -- do we have less spam in the world? Is spam less of a problem?

So the inconvenience to mobile users has not solved or even reduced the global problem.

Mechanisms for controlling globe-scaled misbehaviors need to be surgical in the care with which they are chosen and applied. Outbound port blocking is a blunt instrument and it is swung blindly.


Part of the disagreement here is basically one of calibration, how
serious and desperate the spam problem is perceived to be.

One attraction of blocking port 25 is that you can now say to any
spam complaints about your users demanding an answer WE DON'T ALLOW
PORT 25 ACCESS SO IT MUST BE SOMETHING ELSE and get on with your day
rather than sitting and staring at the headers like tea-leaves trying
to formulate a reasoned reply. Over and over and over and over and
over and over and over and over and over and over and over and over
(get my point?)

And maybe that quick answer would even be true.

Also, with blackhole lists, many running on automatic and
hair-trigger, it lessens the chance that some excess mouth doesn't
manage to get your entire ISP blackholed or at least makes it easier
to make your case.

Think about it: Some little dork with a pc can manage to get your ISP
onto some widely used blackhole list and then your phones and email
complaint lines really light up. Nothing like a few hundred extra
customer complaints an hour to get your attention.

It sucks, Dave, it doesn't suck just a little bit, it sucks kinda like
anthrax in the mail sucks, spam is a wrecking ball which is
successfully taking down the internet we once knew.

If you find that hard to believe I invite you to sit here in my

I guarantee you your words at the end of the day will be "oh my
f***ing god, I just didn't understand how bad it really is."

And it gets worse daily.

If something doesn't come along and stop it I predict in 5 years
e-mail will only work in "gated" communities (corporate LANs) etc and
the net will basically become this passive electronic billboard

Blocking port 25 is kinda like the post office requiring packages over
1lb not be put in mailboxes or banning pocket knives on planes, it's
become so trivial relative to the actual problem it's hardly
worthwhile discussing.