Its amazing how slow some things can be in the fast-moving Internet age, and how conservative some companies can be in it. But in order to make the Internet more secure, were going to have to force some changes in place, because they arent happening fast enough.
Regular readers might have guessed Im talking about one of my favorite obsessions, port 25 blocking. Ive been writing about it for a long time, arguing that normal consumer ISP accounts should, by default, be blocked from transmitting out port 25 to the Internet. This is the SMTP port, the one used for sending e-mail, and the port used by spam and malware bots.
Normal users might need access to port 25 to their ISPs mail servers, but I would argue even that isnt usually necessary, since there is a better port, port 587, which serves the same purpose and which is more difficult to abuse since it requires authentication.
But if an ISP still uses port 25 for user submission of mail, they need to require SMTP AUTH anyway.
The goal of this is to stop the main activities of spamming and mail-based malware bots. (This includes phishing, since phishing attacks are, almost as a rule, spammed out with the same techniques.)
All these are arguments that have been made for many, many years, and yet there are many large ISPs that have not implemented them as policy.
Its not like they dont want to. Talk to them (if you get them to answer the phone) and youll hear that theyre working on it, or that its hard to do.
Read some of Larry Seltzers prior columns on port 25 blocking
- Calling All ISPs: What Are You Doing to Stop Mailer Worms?
- Free and Open Port 25 Use Is Doomed
- Shutting Down the Highway to Internet Hell
- In Fight Against Spam, No More Excuses for ISPs
On the outside, its easy to look at a large ISP like Comcast and assume that its straightforward to implement such security features.
But in fact their networks are often much more complex than it appears, especially with the large cable modem companies.
They were all built by acquisition, basically in the 90s. Their network consists of multiple separate networks tied together with boxes from Cisco and similar companies.
To get a sense of Comcasts network, look at their ASN list.
Comcast owns 13 different IP network allocations. SBC and AT&T, now one company, have many times that, although its not clear how many of them are used for consumer services.
When you tie many different networks together like that, it is necessarily difficult to apply common policies to them. Difficult, but not impossible.
Im happy to assert that all it takes is money. Most of the money isnt in the form of equipment or software, but in the form of support for users in dealing with the inevitable problems they experience when the rules are implemented.
I know some of you are saying something along the lines of "nobodys going to tell me I cant run a mail server," and the answer is that—assuming your ISP agreement permits running servers, which it may not—there is no reason why they need to make you shut off your server.
All they need to do is to have users request to have port 25 opened. Users infected by bots wont do this. It will result in some increase in support calls, once again a problem of money.
So whos going to pay for all this? I dont really care, but if prices go up, then its well worth it.
But when I see ISPs like Verizon using cutthroat pricing like $19.95 per month for (slow) DSL service, I know things arent going to get any better the way they are.
Im actually ready to contemplate mandates by the FTC or whoever else might claim responsibility for safe and fair ISP networking practices.
Perhaps its time that ISPs be required to implement some of these rules. This would give them an out for when customers complain about having to reconfigure their software, and it would mean customers have nothing to gain by switching ISPs just for this reason.
Mandates like this impose cost, and its only fair that Internet users bear that cost, sort of like highway tolls going to improve highway safety.
Perhaps ISPs should be given a fixed amount of time to implement the changes, and be allowed a surcharge for that period.
The last year or so has seen a general leveling off of spam and very few outbreaks of mail-based malware. Many factors are responsible for this, including hard work in other techniques by ISPs.
We might go on forever keeping spam and malware at these levels, but I think we can do a lot better, and all efforts to make big dents in these problems begin with authentication of e-mail. Wouldnt you pay something more to have a safer Internet?
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at firstname.lastname@example.org.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.