petzl Posted May 8, 2004

Bigpond block port 25

BigPond’s New Anti-spam Measures

pwellens Posted: Apr 28 2004, 10:21 PM
> Australia's Largest ISP (I am in Australia) has had most of its email servers blocked by Spamcop (bigpond.com),

The fact is Bigpond have had port 25 blocked since 17th of April 2004 for all its users. Email now has to be posted through mail.bigpond.com

So keep up the good work spamcop (again innocent)

Farelf Posted May 8, 2004

Thanks for that Petzl. Yet the spew continues (still heaps of BigPond servers listed). The change doesn't affect all users actually - looks like they've just taken action to reduce blocking complaints from the majority of their users, the everyday individual customers. Maybe they can concentrate their efforts on the actual offenders now, as they imply in the FAQ you referenced, but I wouldn't hold my breath. Or am I missing something in all of this?

I am still to receive a single spam from BigPond by the way (don't know why, it is obviously out there).

[Must have been wishing too hard - while typing the above, one finally arrived. Not from their main 144.135.24.nnn, 144.135.25.nnn, 144.140.70.nnn or 144.140.71.nnn blocks but from 138-217-186-87.qld.bigpond.net.au which is nicely listed at this time.]

deckerjt Posted May 8, 2004

Blocking port 25 is not a real answer. It is not too difficult to set up a proxy and send the mail on a different port.

This is what Earthlink does to me ... they block port 25 ... yet in order for some of my customers to receive my email the originating mailserver domain name must match the domain name I use as my email address

Here is an example as sent from earthlink

myAddr[at]mydomain.com
Outgoing server name = smtp.earthlink.net

Customer's server sees that mydomain.com MX records do not match to earthlink and thus rejects my email.

... and there is the case of some ISPs not allowing you to use your own domain name when sending email which is another problem altogether.

Anyway ... what I have resorted to is setting up another port on my remotely hosted server to accept connections for SMTP.

This problem gets more complicated if you don't have the ability to control reverse DNS. Fortunately my hosting provider provides a control panel that allows me to manage reverse DNS for my domain and the IPs assigned to me.

There really needs to be a better and well thought out system rather than clamping unreasonable restrictions on legitimate users.

WB8TYW Posted May 8, 2004

> Blocking port 25 is not a real answer. It is not too difficult to set up a proxy and send the mail on a different port.

That is what the spammers are doing now, and coming out through port 25 on compromised machines. Either an ISP must make sure all their users are not compromised, shut down discovered machines in minutes of an abuse report, or block port 25 for unregistered mail servers.

And most mail servers that I know of will not accept e-mail from an address that they know to be DHCP allocated. So if someone needs to make sure that their mail is accepted, it needs to be sent from a mail server at a fixed address. So that either needs to be the mail server provided by the ISP, or one at a different address. This is recognized by the mail server software and standards, and alternate ports have been provided. Port 587 is one of the ports allocated for this.

> This is what Earthlink does to me ... they block port 25 ... yet in order for some of my customers to receive my email the originating mailserver domain name must match the domain name I use as my email address

Then those customers have a very bad spam filtering system and will be rejecting a lot of real mail, while letting through a lot of spam. What they should be checking is to see if the rDNS of the mail server matches the name that the mail server claims it has, or at least that the domain matches, if they are going to do any checks on the sending domain name. It should not matter if the sending e-mail address matches the sending domain. That will give them a much more reliable check, and it is not vulnerable to spoofing as their current set up is. And then if you sent your mail through the Earthlink server, it would get through and it would pass the rDNS check.

> Customer's server sees that mydomain.com MX records do not match to earthlink and thus rejects my email.

One of my public e-mail addresses only has a receiving MX as a mail relay. There are no mail servers for that domain that I can use to send e-mail. I routinely send e-mail through several mail servers who identify themselves as belonging to whatever ISP I am on, and use my public e-mail address. And I have never had any rejection notices for doing so. So while it is possible that one of your customers has such a broken spam filtering method, it is not likely that many are. It is too easily fooled by spammers and will reject too much real e-mail.

> ... and there is the case of some ISPs not allowing you to use your own domain name when sending email which is another problem altogether.

Yes, some mail servers will not allow custom domains for their residential users. And here again, what is having port 25 blocked is residential connections on DHCP addresses, not commercial setups on fixed connections.

> Anyway ... what I have resorted to is setting up another port on my remotely hosted server to accept connections for SMTP.

There are several ports designated for this purpose. Port 587 is one that is commonly used. And this can not be abused by spammers as long as the mail server is properly secured.

> This problem gets more complicated if you don't have the ability to control reverse DNS. Fortunately my hosting provider provides a control panel that allows me to manage reverse DNS for my domain and the IPs assigned to me. There really needs to be a better and well thought out system rather than clamping unreasonable restrictions on legitimate users.

One zombied computer on a broadband connection can saturate a local circuit so bad that it can knock out a large number of users' internet connections. According to media reports, the bandwidth that is stolen through a compromised computer can be worth over $1,200 U.S. per week. When one of these viruses hits, an ISP can have thousands of home computers that are now either blasting viruses or spam within the first hour of the virus's life.

By having port 25 universally blocked, it makes these networks virtually useless for spammers. And it prevents a lot of abuse to other networks. And it greatly reduces the cash operating costs of the ISP, both for bandwidth charges, and for dealing with the abuse reports.

Too many home users are not qualified to operate a mail server, and ISPs can not take the time to determine which of their customers are competent, even if they could find a way. Economically this is the only way that a large ISP can control the costs that spammers are inflicting on them through zombied computers. Just like the most cost effective way to keep spam out of the inboxes is not to accept e-mail from known compromised computers.

-John
Personal Opinion Only

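The check described in the post above (the connecting server's rDNS compared with the name it claims in HELO, ignoring the sender's e-mail address) is sketched here as an added example that is not part of the original thread. The DNS records are constructed, and `check_client`, `org_domain` and the two-label domain heuristic are assumptions made for illustration.

```python
"""HELO vs. forward-confirmed rDNS check, run on a constructed DNS table."""
from dataclasses import dataclass

# Constructed sample records (documentation IP ranges, .example names).
PTR = {
    "192.0.2.10": "smtp.isp.example.",            # ISP relay, set up correctly
    "198.51.100.77": "dsl-77.pool.isp.example.",  # residential DHCP address
    "203.0.113.5": "mail.bank.example.",          # PTR naming a host run elsewhere
}
A = {
    "smtp.isp.example.": {"192.0.2.10"},
    "dsl-77.pool.isp.example.": {"198.51.100.77"},
    "mail.bank.example.": {"192.0.2.200"},        # forward record disagrees with PTR
}


def norm(name: str) -> str:
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def org_domain(name: str, labels: int = 2) -> str:
    """Assumption: the last two labels stand in for the registered domain.
    A real filter would consult the Public Suffix List instead."""
    return ".".join(norm(name).split(".")[-labels:])


@dataclass
class Verdict:
    fcrdns: bool      # PTR name resolves back to the connecting IP
    helo_match: str   # "exact", "domain" or "none"
    accept: bool


def check_client(ip, helo, ptr_lookup=PTR.get, a_lookup=lambda n: A.get(n, set())):
    """Judge the connecting server only. The envelope sender's domain is
    deliberately not an input, so mail for any address passes if the relay
    itself is consistent."""
    ptr = ptr_lookup(ip)
    # A PTR alone proves nothing: the owner of the IP block writes it.
    # Require the forward lookup of that name to return the same IP.
    fcrdns = ptr is not None and ip in a_lookup(ptr)
    if not fcrdns:
        match = "none"
    elif norm(ptr) == norm(helo):
        match = "exact"
    elif org_domain(ptr) == org_domain(helo):
        match = "domain"
    else:
        match = "none"
    return Verdict(fcrdns, match, fcrdns and match != "none")


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "smtp.isp.example"),
                     ("198.51.100.77", "mail.bank.example"),
                     ("203.0.113.5", "mail.bank.example")]:
        print(ip, helo, check_client(ip, helo))
```
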
petzl Posted May 8, 2004

> According to media reports, the bandwidth that is stolen through a compromised computer can be worth over $1,200 U.S. per week.

Amazing how comcast survive?

Bigpond are noted as incompetent

blocking port 25 is a smart move

Miss Betsy Posted May 8, 2004

> Too many home users are not qualified to operate a mail server, and ISPs can not take the time to determine which of their customers are competent, even if they could find a way.

There is a simple way to determine whether someone is competent or not: have them take a test. 'Licensing' has come up a number of times in discussion of how to control spam (and incompetent practices). Of course, individual ISPs don't have the time and expertise to come up with a test, but ISP associations could do that for their members.

It wouldn't solve all the problems (since look at all the incompetent drivers on the highways), but it does cut down on people who know absolutely nothing.

Miss Betsy

justbrilliant Posted May 8, 2004

Just had a bounce message from email I sent to a mate. Good thing it wasn't important. Well done spamcop, looks like you've got all of Bigpond on your list. Oh well, it's only the biggest ISP In Oz.....

Spambo Posted May 8, 2004

So you think that spam victims should be forced to accept spewage coming from big ISPs?

justbrilliant Posted May 8, 2004

Spambo, nope. Be nice if ISPs that decided to run something like spamcop would let their customers know though. I'm a big boy now and would rather make the choice of what is spam or not myself, which is why I use mailwasher (an unpaid ad)

Merlyn Posted May 8, 2004

> Just had a bounce message from email I sent to a mate. Good thing it wasn't important. Well done spamcop, looks like you've got all of Bigpond on your list. Oh well, it's only the biggest ISP In Oz.....

Not enough of bigpond is listed. Bigpond is nothing but a cesspool of criminal 419 scammers and they still refuse to do anything about them. As long as you hang around with services that will not deal with spam then expect more blocks.......

Spambo Posted May 8, 2004

> Be nice if ISPs that decided to run something like spamcop would let their customers know though. I'm a big boy now and would rather make the choice of what is spam or not myself, which is why I use mailwasher (an unpaid ad)

I don't disagree with you, but it isn't SpamCop that is at fault. SpamCop is not forcing anyone to use the data it collects. In fact quite the opposite is true. SpamCop's email customers are paying it to collect data about where reported spam is coming from and to use that data to keep potential spam out of their inboxes. The data is available to the public and some admins do use it to bounce email (SpamCop doesn't, it diverts potential spam to a "held mail" folder).

If a provider is using the data to bounce email that is something that is between the provider and its users. SpamCop cannot control the policy decisions made by admins in independent networks. If the customers don't like their provider's policies and cannot convince the provider to change then they should find an email service that is willing to meet their needs.

If your email is bouncing because of other customers on your provider's network then you need to discuss the problem with your provider, or find another way to get your email delivered (there are plenty of free and low cost email services available on the Internet). No one but your provider can control what kind of traffic is coming out of their network, the rest of the world can only decide whether or not to accept that traffic.

WB8TYW Posted May 9, 2004

> According to media reports, the bandwidth that is stolen through a compromised computer can be worth over $1,200 U.S. per week.

> blocking port 25 is a smart move

Petzl,

That is the retail commercial cost if the spammer had to pay for the bandwidth that they were stealing, not the wholesale cost to an ISP. Except for low volume connections, like small businesses or residential users, bandwidth is sold by metered amounts, just like electricity, water or any other utility.

A large ISP may not be keeping track separately of the cost of spam coming into or out of their network, and the technicians may not understand that the profits or lack thereof directly affect their pay increases, or their chance of a layoff. And they may have peering arrangements that mean that they only pay if the traffic is significantly more in one direction. They still need to have enough bandwidth to handle the average load, and it does not take many zombies to overload a router segment. In many cases it only takes one.

My guess (with little data to back it up) is that if an ISP allows a zombied computer to send spam for a week, it will cost that ISP more in excess bandwidth charges than they would make in profit from that customer in a month. The broadband ISPs are right now claiming that they are barely making a profit if at all, so it would not take very many compromised computers relaying spam directly through 25 to wipe out their earnings.

A small operation may be on a fixed rate low bandwidth pipe, and not have enough of a total mail volume to hit a limit, so they can use content filtering. That is until they hit their bandwidth cap. Then they get a choice to pay more, or wait for the start of the next metering period with no access.

It is the operations that are too small to be an ISP, but too large to buy a fixed rate plan that see the direct cost of either letting a compromised computer send spam, or letting spam from identified spam sources into their machine.

If someone wants an "unfiltered" e-mail account, then they need to get a commercial metered tap so that they are not forcing others to pay the unneeded extra costs for letting the spam through, such as bandwidth, mail server disk space, and CPU capacity to run a content filter.

See the topic "The cost of spam" currently pinned in the lounge, and it should be linked to one of the pinned topics here.

-John
Personal Opinion Only

WB8TYW Posted May 9, 2004

> There is a simple way to determine whether someone is competent or not: have them take a test. 'Licensing' has come up a number of times in discussion of how to control spam (and incompetent practices). Of course, individual ISPs don't have the time and expertise to come up with a test, but ISP associations could do that for their members.

Miss Betsy,

I have been a customer of several different broadband ISPs if you count buyouts and the different outsourcing of technical staff. And over 1/2 of the upper-level technical support people that I have had to deal with could not pass an elementary internet driving license test.

When a technician takes the old mail server off line for replacement and puts the new mail server on line before loading in the user accounts, it rejects all incoming e-mail with a no such user code until the accounts get loaded. The first time it happens can be considered an accident. When they repeat the same performance a couple of months later, after receiving reports detailing what they did wrong, it appears that the organization has a severe learning disability.

These people are having enough problems with their own technical staff, there is no way that they can try to verify the qualifications of even a fraction of their customers.

The ISPs are blocking port 25 for at least one of two reasons.

1. It saves them operational cash.
2. Some major ISPs may have told them that if they do not, no e-mail from anywhere in their address blocks will be accepted by them.

Usually if it was case #2, the ISP will not publicly talk about it if it has not already made the papers.

-John
Personal Opinion Only

petzl Posted May 9, 2004

justbrilliant
> looks like you've got all of Bigpond on your list.

Your windows computer is secure right?

My signature points to free resources for you to make it so

Ad-Aware is also good for checking on spyware suggest one use both (get latest definitions)

IF bigpond have had port 25 blocked, then they have had no effect?

Bigpond have a notoriety of being stupid and expensive

Farelf Posted May 9, 2004

> Not enough of bigpond is listed. Bigpond is nothing but a cesspool of criminal 419 scammers and they still refuse to do anything about them.

Groucho Marx might say, "I resemble that remark," but I don't. I would be more concerned about IPs actually in the top 200 to start with (or their domains).

Alternative view: Telstra BigPond is mostly 2-3 million ordinary users who have (unfortunately) never heard of SpamCop and have no clue as to their vulnerabilities. But between them, they own 49% of the shares (stock) in Telstra. The Telstra CEO is paid an inordinate salary to maintain the enterprise in an eminently saleable state in case the Commonwealth (Federal) Government is ever able to proceed with its plans to complete the process of selling the remaining 51% to the people who already own it (the Australian public). The CEO can be relied upon to react with vigour to anything which will affect share prices and dividends. Closing port 25 on BigPond servers is presumably such an issue.

If 419 Nigerian scams apparently originate from Australia, they should be reported to the Australian Federal Police, er-waoc <at> afp.gov.au, who are under the quaint impression these mostly come from "elsewhere" and they should be disabused of such a notion whenever proof to the contrary is available. The Australian Feds are also under the impression that sending the things from within Australia is not contrary to Australian law (http://www.afp.gov.au/page.asp?ref=/Crime/Fraud/DealScam.xml). This is an arguable point, to put it mildly, the (Commonwealth) Criminal Code Act of 1995 says "A person who attempts to commit an offence is guilty of the offence of attempting to commit that offence and is punishable as if the offence attempted had been committed." and (hopefully) fraud is an offence.

However, like real cops everywhere, they do not enjoy being told by "civilians" what their job is and they operate to higher standards of evidence than most of us would require - until such time *we* might be the subject of criminal investigation. In my opinion, if they had a real interest in 419 scams they would seek an arrangement with SpamCop themselves but they are presumably a bit pre-occupied with "the war on terror" and their recent deployments and commitments to Cyprus, Namibia, Angola, Thailand, Cambodia, South Africa, Mozambique, Haiti, Somalia, Bougainville, East Timor, Solomon Islands and Papua New Guinea - a number of which are continuing. Welcome to the real world.

For general spam originating from Australia and therefore coming under the spam Act, the reporting address is reportingspam <at> aca.gov.au (the Consumer Authority) but this is for "unsolicited commercial email" (not necessarily bulk email) where "commercial" roughly means: actually or purportedly advertising or selling goods and services - in other words, just about everything else (http://www.aca.gov.au/consumer_info/spam/reportingcomplaintsenquiries.htm). Again, if they were really "dinkum" they could do far worse than talk to SpamCop, but that's just my uninformed opinion.

[As mentioned elsewhere, the Australian spam Act, holds the "sender" accountable, the precise detail which is invariably forged in the great majority of what we would regard as problem spam. "Carriers" are regarded as innocent in most circumstances.]

petzl (your last) - excellent points which cannot be emphasised (or explained) too many times.