Port 25, The Nuclear
Option"> But the technique that generates the most controversy is when an ISP blocks port 25, as SBC recently began to do. As one prominent researcher put it, blocking port 25 begins the process of shifting the cost burden for spam from the end user to the ISP and others whose sloppiness in administration is responsible for the unchecked proliferation of spam, and these same people are in a position, through responsible system administration, to choke off most of the abuse. He also argued that the cost benefits of fixing their systems are enough incentive to do it.The depressing counterargument is that many of these systems have excess capacity enough to handle the abuse and that laziness is its own reward. When this is the case, theres no choice but for other ISPs to start blocking the offending ISP, as AOL has done many a time. This is another point on which a consensus is emerging: that ISPs dont take action to stop spammers on their networks until there is a gun to their heads, generally in the sense that their customers are prevented from sending mail. This is where the major RBLs like Spamhaus and MAPS can play a big role. They have a bad reputation among some, and Ive personally been among the collateral damage from an RBL block. But it was my hosting services fault that my server got on the block because they didnt do anything about the spammer on the same address that I had. Enough of us called and screamed, and something was done about it. Not every little domain has the clout to block a major ISP. The little guy ends up hurting and angering his customers, but the big ISP wont even notice. But when one major ISP, or a service like MAPS, blocks a major ISP, it gets their attention. The corollary to this is that when you block someone, you need to be responsive when they fix the problem. The fact that ISPs have no reason to not let users opt out of the system is what cinches it for me. One researcher suggested to me that it was much easier for ISPs just to block a whole range of addresses than to have to put up a system for tracking who was to be blocked and who shouldnt, but this is basically just arguing laziness as an excuse. Besides, the SBC system supports letting users request an opt-out. Why can SBC do it and others cant? The same researcher was concerned that the opt-out system would be taken over by spammers who would opt-out their zombie systems. But its not hard to imagine well-designed authentication systems that mail back a message to the customer and require them to connect back. And as for the added cost to the ISP for this, Id suggest that they might just save a lot of money by eliminating spammers and mail worms from their networks, but even if you think this is a costly solution, let them charge for the opt-out. Doesnt bother me. Next page: Port 25, The Counterarguments
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.