short Botnet list and Cashing in on DoS

i was recently chastised for posting non-operational content to nanog, and
so, while i am willing to beat the drum for source address validation, i'm
very concerned about commenting further in what has to be the 40th or 50th
version of this thread in the last ten years. with trepidation, then:

>> there are many ways of sending spam that don't use port 25..
>
> True, but reducing spam from millions to thousands seems like something
> good, no?

no. (thanks for asking.) that's not good. network abuse is a very strong
economic force -- whether it's spam, ddos-for-hire, or whatever. blocking
port 25 will make legitimate smtp permanently hard to use, while making non-
legitimate smtp temporarily hard to use. if i learned anything at MAPS, it
was that taking actions which merely harden, toughen, and educate spammers
is counter-productive. good counteractivity must be recombinant, not just
reactive. short term effectiveness is completely irrelevant, and not "good."

>> individual rules are costly to implement and users won't use a service
>> where you have to pay more for basic services
>
> Several big ISPs are blocking port 25 now. I believe this will catch.

had this been done in 1998 when the anti-spam community first warned about
it, then a lot of good could have been done. but network abuse takes many
more forms than smtp delivery now. stopping outbound tcp/25 won't make any
notable difference to a network's support costs, by the end of the year. on
the other hand, source address validation would make a notable difference in
support costs, by the end of the first quarter after it was deployed.

> It limits the amount of junk coming out from their users, and the usage of
> their tubes.

no. blocking outbound tcp/25 would not have that effect. doing BCP38 would.

> I doubt even 0.001% of dynamic range Cable/DSL users will ever call to ask
> for port 25 to be opened.
>
> This is something ISPs can implement, and it works.

if you define "works" very narrowly, perhaps as "causes the next wave of
abuse coming from your network to not be in the form of outbound tcp/25",
then i'd have to agree. but i don't define "works" that way since it will
just shift costs toward the following months, after the attackers retune
for their reduced capability (perhaps by inventing some new capabilities).