ISP port blocking practice

From Tue Sep 7 15:15:13 2010
Date: Mon, 6 Sep 2010 19:55:06 -0500
From: Brett Frankenberger <>
Subject: Re: ISP port blocking practice
Cc: NANOG list <>

> Having worked in past @ 3 large ISPs with residential customer pools
> I can tell you we saw a very direct drop in spam issues when we
> blocked port 25.

No one is disputing that. Or, at least, I'm not disputing that. I'm
questioning whether or not the *Internet* has experienced any decrease
in aggregate spam as a result of ISPs blocking port 25. Did the spam
you blocked disappear, or did it all get sent some other way?

_I_ can't say about 'some other way', but, on average, between 1/4 and 1/3
of all the incoming spam at my personal server is 'direct to MX', that
would have been, at least 'slowed a little bit' by "classical, dumb"
port 25 blocking.

Now, a *smart* port 25 enforcer -- where traffic outbound to port 25 was
selectively NATted into a 'data sink' -- something that replies "200" to
everything up to the DATA command, and _always_ gives a 5xy response to
that (with text like "you must send outgoing mail through our server"),
WOULD kill the traffic dead. Or, at least, force the spamware writers to
start paying attention to SMTP response codes, *IF* they wanted to count
deliveries. All available evidence says that -most- spammers/spamware/
botnets pay no attention to such -- as established by the effectiveness of
GreetPause, and greylisting.

It is worth noting that this kind of 'smart' port 25 blocking would also
automatically identify 'infected' machines, and by consulting the records
of who is currently on that IP address, tell _which_customer_ has the
infected machine, *AND* notify the customer of their problem. All without
any need for any (expensive) human involvement.

Aside, if spamware _had_ to 'obey the rules' of SMTP transactions, regarding
reading reply codes, that alone would probably reduce by 50%, if not
more, the aggregate sending _capacity_ of the world's spam sources. Whether
that would make much of a difference, I don't know -- depends on how far
existing 'capacity' exceeds existing usage/demand.
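
The 'data sink' described in the message above, sketched as an added example that is not part of the original post: it accepts every command up to DATA, always refuses DATA, and counts refusals per source IP so the address can be matched to a customer. The 250 and 554 reply codes, port 2525, the `leases` table and all function names are assumptions of this example.

```python
import socketserver
from collections import Counter

# Assumed refusal text; the post only asks for "a 5xy response" at DATA.
REFUSAL = b"554 5.7.1 You must send outgoing mail through our server\r\n"
attempts = Counter()  # source IP -> number of refused DATA commands

def reply_for(line: bytes) -> bytes:
    """Return the sink's reply to one SMTP command line."""
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb == b"DATA":
        return REFUSAL              # the message body is never accepted
    if verb == b"QUIT":
        return b"221 Bye\r\n"
    return b"250 OK\r\n"            # positive reply to everything else

def session(client_ip: str, lines):
    """Yield the replies for one connection, recording refused DATA attempts."""
    yield b"220 sink ESMTP\r\n"
    for line in lines:
        reply = reply_for(line)
        if reply is REFUSAL:
            attempts[client_ip] += 1
        yield reply
        if reply.startswith(b"221"):
            return

def flagged(leases: dict, threshold: int = 1) -> dict:
    """Map each IP with >= threshold refusals to (customer, count).

    `leases` stands in for the ISP's record of who holds each address.
    """
    return {ip: (leases.get(ip, "unknown"), n)
            for ip, n in attempts.items() if n >= threshold}

class SinkHandler(socketserver.StreamRequestHandler):
    """TCP front end: redirected outbound port-25 connections land here."""
    def handle(self):
        for reply in session(self.client_address[0], self.rfile):
            self.wfile.write(reply)

if __name__ == "__main__":
    # Assumed listening port; the NAT rule would redirect port 25 traffic to it.
    socketserver.TCPServer(("0.0.0.0", 2525), SinkHandler).serve_forever()
```

A client that reads reply codes sees the 554 and can be pointed at the provider's relay; one that ignores them shows up in `attempts` without delivering anything.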