
Verizon.net Finally Moving Email To Port 587

Posted by kdawson
from the decade-late-and-a-megabuck-short dept.
The Washington Post's Security Fix blog is reporting that Verizon, long identified as the largest ISP source of spam, is moving to require use of the submission port, 587, in outbound mail — and thus to require authentication. While spammers may still be able to relay spam through zombies in Verizon's network, if the victims let their mail clients remember their authentication credentials, at least the zombies will be easily identifiable. Verizon pledges to clean up their zombie problem quickly. We'll see.

  • try PRQ.se (Score:2, Informative)

    by Anonymous Coward

    I've been routing my traffic thru their traffic for a few years now, they're not limiting anyone and keep great privacy. What I heard their tunnel service will be open for new customers in a few days again so now is a great time.

  • Sounds like a great opportunity to charge millions of clueless users $50 to change the setting for them. I see a Vegas vacation on my event horizon.

  • by Smidge207 (1278042) on Tuesday February 17, 2009 @05:11PM (#26893547) Journal

    I found out I was a spammer when I investigated a message returned to me. I ended up talking with someone from SORBS. After emailing SORBS a couple of times, I received this message from Michelle Sullivan: "SORBS lists IP addresses that send spam. Often there is real email mixed with the spam, sometimes deliberately, sometimes accidentally. In this case you are using an IP address to send your email that has previously, and is still, sending spam. The IP address is blocked. I'd contact your provider and complain bitterly about it, because it's the provider that is listed, not you specifically."

    I send out a newsletter with about 250 subscribers. After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages. I rarely approach 200 messages and the newsletter is a monthly. Verizon told me I couldn't even send the newsletter in one blast; I had to limit it to 100 subscribers an hour! And in late Fall 2008, some providers, like MS, would reject my mail simply because it had @Verizon.net in the sender's address. I knew I wasn't sending out large amounts of email, let alone spam.

    Within those imposed limits, Verizon still could not bring its huge entity to investigate my complaint. In late December, we switch to Constant Contact to email the newsletter. While my boss uses Cox since he works mostly from home, the office is still "connected" with Verizon!

    Boy, I hate Verizon! Now, maybe they will kill the Zombies from all those dead zones they claim not to have!

    =smidge=

    • by Jurily (900488) <[jurily] [at] [gmail.com]> on Tuesday February 17, 2009 @05:20PM (#26893701)

      I send out a newsletter with about 250 subscribers per zombie.

    • Re: (Score:2, Interesting)

      by ILikeRed (141848)
      Guess what, unless you were careful to
      • Include the correct Header info (You did mark your messages "Bulk" - right?)
      • Provide an automated opt-out method
      • and... Included your valid physical postal address

      then guess what, you not only are a spammer, but you probably also broke the law [ftc.gov].

      • Re: (Score:2, Informative)

        by Anonymous Coward
        Since he is sending out a newsletter to subscribers, I imagine the following in the page you referenced applies:

        A "transactional or relationship message" — email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship — may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act.

      • by GoodNicksAreTaken (1140859) on Tuesday February 17, 2009 @10:20PM (#26897293)
        IANAL, Yet.
        Guess what, "The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email"
        Parent did not specify that it was commercial email and "newsletter" indicates that it likely is not. Even if they were of a commercial nature they would likely be exempted under the CAN-SPAM act as they would qualify as "relationship" messages [cornell.edu].
        • Re: (Score:2, Flamebait)

          by Stiletto (12066)

          From the parent's posting:

          After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages.

          Sounds like commercial mail to me. Sounds like SPAM.

    • by nabsltd (1313397) on Tuesday February 17, 2009 @06:28PM (#26894803)

      I send out a newsletter with about 250 subscribers. After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages.

      Verizon Business accounts assume that you will probably be running a business, and have your own domain.

      If you do things this more professional way, there are no limits with Verizon DSL or FiOS (other than the speed you pay for being a "limit").

    • by Obfuscant (592200)
      @Verizon.net in the senderâ(TM)s address.

      There's a problem with your posting. What is trademarked about whatever it is you are referring to?

      In late December, we switch to Constant Contact to email the newsletter.

      Oh, that's rich. Complain about being branded a spammer, and then hire a professional spammer to send your email for you.

      I have never been able to get off a "constant contact" email list once some idiot gave them my address. Never. They take their responsibility (constant contact) quite l

    • ... are intriguing and I wish to subscribe to your newsletter.

    • Re: (Score:2, Informative)

      by PuddleBoy (544111)
      In late December, we switch to Constant Contact to email the newsletter.

      A number of admins I know block all email originating from Constant Contact as UCE. That's the problem with a lot of 'email marketing firms' - they take legit users along with spammers or quasi-spammers. Unless you decide to truly take control of your email by operating your own mail server, you run the risk of getting caught using an entity that gets blocked for their other clients' activities.

    • by mi (197448)

      even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages. I rarely approach 200 messages and the newsletter is a monthly. Verizon told me I couldn't even send the newsletter in one blast; I had to limit it to 100 subscribers an hour!

      I'm in the same situation — I run a mailing list with about 60 subscribers. Normally, things are just fine, but when a discussion springs up, the 100/hour limit is easily hit. The particularly dumb bug on Veri

  • by the unbeliever (201915) <chris+slashdot@@@atlgeek...com> on Tuesday February 17, 2009 @05:11PM (#26893551) Homepage

    You can set up port 25 SMTP to require authentication for relay purposes, without having to configure end user's machines for another port.

    • Re: (Score:3, Insightful)

      by value_added (719364)

      You can set up port 25 SMTP to require authentication for relay purposes, without having to configure end user's machines for another port.

      More broadly, authentication can be configured for port 25, port 587, or not at all. Typically, the submission port requires authentication.

      As for the article, this factoid is amusing:

      Spamhaus currently includes 225,454 U.S. based Internet addresses on its CBL. Of those, nearly one-quarter -- almost 56,000 -- are assigned to Verizon.net. Comcast, which according to Spam

    • by erroneus (253617) on Tuesday February 17, 2009 @05:22PM (#26893733) Homepage

      This implies that they are blocking all outbound port 25 requests. All ISPs in Japan that I am aware of have been doing this for a long time. The problem is that if you have a 3rd party email service provider, you can no longer send email through them because port 25 will be blocked and if the other party offers the alternative port as well, it is still often blocked.

      Still, for MOST people, this is a good plan. I just think that users should be informed of this change, informed why it is a good idea for MOST people and to give them an option to "opt out" of the restriction in some way if the restriction is not compatible with their current needs.

      • by Artraze (600366)

        > This implies that they are blocking all outbound port 25 requests.

        It doesn't imply that at all. Now they do that in the future, but there's absolutely no logical reason to do so now. After all, they'll have enough complaints on their hands with just this transition, let alone blocking all other (possibly unauthenticated) outgoing mail too.

        No, port 587 is simply where authenticated SMTP usually goes, and so that's the port they're using. It also helps that most mail clients automagically link 587 and a

        • by PitaBred (632671)
          What pisses me off is that Comcast did the same thing a few months back. I can no longer run a mail server on my home machine. It's not an Internet connection... it's a web and email connection now.
          • by tepples (727027)

            Comcast did the same thing a few months back. I can no longer run a mail server on my home machine.

            Per the TOS for home-tier service, you never could. As I understand it, the restriction goes away once you upgrade your high-speed Internet service to Comcast Business Class.

            • Wow. Not a ripoff at all!
              • Wow. Not a ripoff at all!

                No, not really. You pay more for business class, and they do things like ignore the stupid 250 GB home-user cap, or unblock port 25 since they expect businesses to have IT people.

                • Re: (Score:3, Insightful)

                  by characterZer0 (138196)

                  Will they even let you get business class? My ISP (Time Warner) simply refuses to sell business class to a building zoned residential.

                  • Re: (Score:2, Interesting)

                    by SaDan (81097)

                    I have Comcast Business internet, and it is exactly as others have described: no blocked ports, no upload/download limits, and (so far) very decent customer service.

                    I also have five static IPs, run an email server and web server out of my house for commercial and non-commercial purposes. I've had zero issues in the year I have had this configuration.

          • by drolli (522659)

            While I see the issue I normally hardly see it necessary or even advantageous nowadays to run my own e-mail server, neither on my home machine nor on my machine at work/university. Email servers are something which required you seeing available for 24x7 in case somebody starts (due to some misconfiguration or bug in the software) to use your machine as a relay for his spam. You can get yourself quite easily blacklisted nowadays, so if you are interested in your email arriving at the recipients, just use som

      • by gurps_npc (621217)
        Correct for most people this is a good plan. For spammers it is not. They will of course opt out of the restriction.
        • Re: (Score:3, Interesting)

          by dkf (304284)

          Correct for most people this is a good plan. For spammers it is not. They will of course opt out of the restriction.

          So long as there is no way for the zombie itself to opt out, there's no (big) problem: the owner probably won't opt out, and the spammer won't go to the (fairly substantial) effort to social engineer his way past the restriction. What this does mean is that it pretty much requires that people who want to opt out call their Customer Services line rather than using a self-service webpage. It's horrible, but necessary.

          And for the love of God, don't encourage J Random Grandma to opt out unless she's actually bu

      • Re: (Score:3, Interesting)

        I recently went through this problem with my work email and Comcast. Someone had reported something, they never explained what, that caused them to put a stop on my port 25 at home. Figuring this out took me many days of bitching at my IT guys at work why they're system was not letting me send emails. Eventually they figured out that it was my ISP and had me call Comcast Customer Service Assurance at 856-317-7272. It turns out that regular Comcast customer services just parrot that the port cannot be unbloc
        • Before comments jump in irrelevant to the email. Yes I spelled 'they're' instead of 'their' and when I say 'someone had reported something they didn't tell me what', I mean that they couldn't tell me what exactly was the offending piece of email that caused them to shut-down the port 25, thus no way to back track and figure out if it was me or someone was piggy-backing my IP.
        • by Vellmont (569020)


          However, he did also say that there was no guarantee that it wouldn't be blocked again, all that had to happen was for someone to make a complaint against me for spam.

          So why not take the hint, and send your mail through a 3rd party (maybe the free comcast SMTP server)?

          • Work requires me to send work emails through their server for accountability reasons. While my port 25 was blocked I used my smtp.gmail.com. I don't use my comcast email.
            • by drinkypoo (153816)

              Just use an ssh tunnel to work, this is one of the times when it seems like it's actually a valid and even reasonable use.

        • by Buelldozer (713671) <cliff.gindulis@net> on Tuesday February 17, 2009 @07:29PM (#26895663)

          So, you spent "many days bitching at my IT guys at work" and in the end the problem was with your Internet Service at home?! You posted this on Slashdot?

          Ummm, yeah, we're going to need your address. I've already handed out the torches and pitchforks.

      • by mibus (26291) on Tuesday February 17, 2009 @06:50PM (#26895163) Homepage

        My home ISP (oblig. disclaimer: I now work for them too) has blocked port 25 outbound by default on 'Home' ADSL connections for a while now.

        It's all configurable from the online webtools, so you can turn it back on if you want it.

        And there's even an in-depth FAQ [on.net] about it on the site.

        IMHO it's a great idea, and I wish more ISPs did it.

    • Yeah, it's possible to do authentication on Port 25, but it's generally hokey and often broke things when people did it, and left passwords in the clear for eavesdroppers - 587 is a cleaner and more standardized solution. I remember having to configure Eudora for receive-before-send when my email provider was trying that approach...

      • Re: (Score:3, Interesting)

        by MSG (12810)

        You do realize that SMTP on port 25 and MSA on port 587 are the same protocol, right? There's no way that one can be hokey and the other not. In both cases, STARTTLS can be used, and should be required before authentication is allowed.

        Providers should universally provide service on 587 in order to allow other ISPs to block outbound port 25, but arguing that authentication on 25 is hokey is just silly. The only reason not to bother is that sooner or later, port 25 is going to be blocked by the ISPs of rem

    • by slamb (119285) *

      You can set up port 25 SMTP to require authentication for relay purposes, without having to configure end user's machines for another port.

      You can set up a MSA (mail submission agent) on port 25, but Verizon users will not be able connect to it after this change. If you run a mail service, the practical effects of this change are (1) you will need to set up port 587 if you have any customers who get transit through Verizon and (2) you will receive less spam.

      Verizon wants to stop customers from directly co

      • Or you can set up your MSA's on any random port, it doesn't really matter. My personal mail server accepts connections on SMTP, SMTPS, submission, and two other random ports just in case the above are blocked.

        • by slamb (119285) *

          Or you can set up your MSA's on any random port, it doesn't really matter. My personal mail server accepts connections on SMTP, SMTPS, submission, and two other random ports just in case the above are blocked.

          That works, of course, but there are benefits to standardization, among them reduced user confusion.

          What ISPs have you encountered that block port 587 but allow any of your others?

          • Mostly it's hotel internet access that filters anything listed as a "common" tcp port until you pay an exorbitant fee. I could have gotten around that by putting SSH on a non-standard port and making a tunnel, but what's the fun in that.

  • by benjfowler (239527) on Tuesday February 17, 2009 @05:13PM (#26893577)

    I feel a great disturbance in the Force, as if millions of voices cried out in terror and were suddenly silenced...

  • Comcast has required email to be on port 587 for a while now.

    • by whoever57 (658626)

      Comcast has required email to be on port 587 for a while now.

      Not where I am:
      $ telnet a.mx.mail.yahoo.com. 25
      Trying 67.195.168.31...
      Connected to a.mx.mail.yahoo.com.
      Escape character is '^]'.
      220 mta112.mail.ac4.yahoo.com ESMTP YSmtp service ready
      quit
      221 mta112.mail.ac4.yahoo.com
      Connection closed by foreign host.

  • by billstewart (78916) on Tuesday February 17, 2009 @05:30PM (#26893877) Journal

    As far as I can tell from this article and a few others that are derived from the same press releases, what VZ is doing here is setting up their own mail servers to use Port 587 submission instead of Port 25. That won't stop zombies or legitimate Linux mail systems from sending mail directly to their recipients' systems, though I'm guessing that they'll get around to blocking Port 25 (sigh) once they've got most of their users migrated to 587.

    What this will do is give them authentication, which makes it easier for them to block customers who use VZ's mail servers from spamming, but I'd be surprised if there's much of that happening (though botnets keep evolving their techniques.) It's already possible to reduce that simply by using passwords, or using various hokey port 25 authentication methods like receive-before-send; this cleans up the process a bit.

    • by nabsltd (1313397)

      It's already possible to reduce that simply by using passwords, or using various hokey port 25 authentication methods like receive-before-send; this cleans up the process a bit.

      There is no requirement for any "hokey" authentication...port 25 for connections from inside an ISP could be routed (netcat, iptables, etc.) straight to where an MTA that allows relaying would be listening. For bonus points, any connection from inside the ISP to port 25 on any machine would end up at the same ISP "internal" MTA.

      Meanwhile, connections to port 25 from outside the ISP would be routed to a "normal" MTA that doesn't require authentication and will not relay...it would only accept e-mail for dom

      • by icydog (923695)
        If you want the ISP's MTAs to relay mail sent from internal computers, then this will break TLS over port 25 as the certificates will (by design) be invalid for the ISP's servers.
    • by kindbud (90044)

      What hokey port 25 authentication methods? Any authentication methods offered on port 587 can also be offered on port 25. There is nothing magical about "25" that makes strong authentication unpossible. There is nothing magical about "587" that makes it any more secure than "25." You can run an open relay just as easily on port 587 as you can run one on port 25. You can run SMTP-AUTH and TLS on port 25, and permit relaying to authenticated clients that use TLS, while non-authenticated and/or plain-text

  • by Indy1 (99447) <spamtrap@fuckedregime.com> on Tuesday February 17, 2009 @05:44PM (#26894099) Homepage

    Verizon has been an epic sewer network for years, and has ignored their spam problem for years. If they want to clean up now (or make a lame attempt to clean up, as most telco's do), fine. It just means less work for iptables at my end.

    For those who are sick of Verizon's bullshit, here's my list (no promises this is complete, but it should have most of em) of Verizon's ip blocks.


  • by dlevitan (132062) on Tuesday February 17, 2009 @05:48PM (#26894147)

    I wish that more software would default to 587 instead of 25. For example, Thunderbird doesn't even mention the possibility of 587 as a "default" port, which really needs to be changed.

    In any case, it's good to see the change to 587 become more widespread and hopefully it will eventually become the default port for sending messages (along with encryption + authentication), while 25 will be reserved exclusively for server-to-server communication.

  • by coljac (154587) on Tuesday February 17, 2009 @06:00PM (#26894353) Homepage

    I like the suggestion that people are somehow lax in security because their mail client remembers their password. Who are these guys who type the password in every 3 minutes when they check their mail?

    • I like the suggestion that people are somehow lax in security because their mail client remembers their password. Who are these guys who type the password in every 3 minutes when they check their mail?

      Every three minutes? In my day we were checking our mail every 20 seconds, both ways uphill, and tapping out the password in binary!

  • As more and more consumer ISP's block outbound connections on port 25, this will only accelerate the development of newer, smarter zombie bots that know how to read the configuration settings of popular email programs (perhaps even the passwords for popular webmail sites stored in your browser's saved password list) and use those settings to send mail.

    This will be even more wonderful because all of that spam will now have your name and email address on it.
  • I often see anecdotal numbers in the "millions" when people talk about zombie infected boxen. Yet the article quotes Spamhaus.org claiming "225,454" machines on all networks are sending spam. Even if one were to assume that only a quarter of all zombie machines are sending spam at any one given time, that's still only a million boxes that are compromised and sending spam.

    What's the deal? Are there really millions and millions of compromised Windows boxes out there in zombie networks? Or are the number

    • by LingNoi (1066278)

      There's probably millions, just not used for sending spam.

      Most botnet owners charge for their usage for denial of service attacks. A popular example being halo tards DOSing others in the games at $500 a pop so they lag and can be killed easier.

    • by irtza (893217)
      well, that depends on how the 225,454 number is derived. I doubt they can detect all machines behind a firewall - including simple home routers. Figure that if one machine on a home network is infected - the others are likely to be as well (same people managing them).
  • by MikeBabcock (65886) <mtb-slashdot@mikebabcock.ca> on Tuesday February 17, 2009 @07:52PM (#26895913) Homepage Journal

    In my opinion, the transition to port 587 is nearly pointless. I already use authentication on port 25 to identify customers.

    And according to one of the only people I'd trust on SMTP issues, "the SUBMIT specification has several fundamental flaws that make compliance practically impossible. I advise against all use of port 587" -- djb [cr.yp.to].

    • It is useful because it allows ISPs to block port 25 for customers who do not run their own mail server (the vast majority of them). This makes it impossible for zombied machines to send mail directly, instead having to go through a relay. Open relays are much easier to filter against / get shut down for abuse, than a whole swath of zombie computers. Mail going through authenticated relays is also easier to monitor for abuse, plus once the mailhosts relaying the authenticated mail are affected by zombie gen

    • hehe (Score:4, Informative)

      by pavon (30274) on Tuesday February 17, 2009 @09:35PM (#26896843)

      I just reread your link. In it DJB explicitly advises against running authentication on port 25. In fact, for security reasons, he wrote two separate programs, qmail-smtpd and ofmipd, to keep the tasks of relaying authenticated email and accepting mail for local delivery as removed from one another as possible.

      He defends the idea of separating these two tasks, not only to separate ports but separate programs, on this thread [imc.org] on the IETF-SUBMIT mailing list.

      So, yeah, his complaint against port 587 was simply that if you can't implement the SUBMIT standard correctly (which according to him no one can), you should use a different port than the one specified in that standard. The rest of the world doesn't care, because it sees all the various authentication methods (including SUBMIT) as extensions to SMTP, and not as a different protocol (OFMIP as DJB calls them collectively), and have no qualms running a standard (non-SUBMIT compliant) SMTP server on port 587.

  • YAY port 587 is a great thing !

    but are they going to sign their mail ?

    now that would be a good thing so people can not FAKE a @Verizon.net address
    google paypal yahoo etc do this

    if Verizon did it people would start to respect @Verizon.net

    simple if I get a Verizon.net address and it passes the DKIM then I know it came from their domain

    but a big WELL DONE ! someone with a clue got this done !

    regards

    John Jones

  • verizon obviously has some equipment or customers behind their mailservers that do not support starttls. to avoid total breakage i would imagine they will include port forwarding on a few nets as well. moving the ports is...a bandage at best.
  • Verizon pledges to clean up their zombie problem quickly.

    That's what they said about Ravenholm, and see what happened!
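
Several comments in this thread make the same point: what matters is not the port number but whether the listener requires STARTTLS before offering AUTH and relays only for authenticated clients. The following is an added example, not code from any poster or from Verizon, that audits a captured SMTP session for those three conditions. The transcripts, host names, `LOCAL_DOMAINS` and the finding names are all constructed for illustration.

```python
import re

# Assumption: the domains this server is the final destination for.
LOCAL_DOMAINS = {"example.net"}


def audit_smtp_transcript(transcript, local_domains=LOCAL_DOMAINS):
    """Return sorted policy findings for one captured SMTP session.

    Each line is "C: ..." (client command) or "S: ..." (server reply).
    """
    tls = authed = in_auth = False
    last_cmd, caps, findings = "", set(), set()
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C":
            last_cmd = text
            in_auth = in_auth or text.upper().startswith("AUTH ")
            continue
        m = re.match(r"(\d{3})([ -])(.*)", text)
        if side != "S" or not m:
            continue
        code, sep, rest = m.groups()
        verb = last_cmd.split(" ", 1)[0].upper()
        if in_auth and code[0] != "3":        # 3xx = SASL continuation
            authed, in_auth = code == "235", False
        elif verb == "EHLO" and code == "250":
            # Collect extension keywords ("AUTH PLAIN", legacy "AUTH=PLAIN").
            caps.add(re.split(r"[ =]", rest, maxsplit=1)[0].upper())
            if sep == " ":                    # last line of multi-line reply
                if not tls and "AUTH" in caps:
                    findings.add("AUTH_OFFERED_WITHOUT_TLS")
                if not tls and "STARTTLS" not in caps:
                    findings.add("STARTTLS_NOT_OFFERED")
                caps = set()
        elif verb == "STARTTLS" and code == "220":
            tls, authed = True, False         # session state resets after TLS
        elif verb == "RCPT" and code[0] == "2":
            dom = re.search(r"@([^>\s]+)>", last_cmd)
            if dom and dom.group(1).lower() not in local_domains and not authed:
                findings.add("UNAUTHENTICATED_RELAY")
    return sorted(findings)


# Constructed session: submission listener that enforces TLS, then AUTH.
HARDENED_587 = """
S: 220 mail.example.net ESMTP
C: EHLO client.example.org
S: 250-mail.example.net
S: 250-SIZE 10240000
S: 250 STARTTLS
C: MAIL FROM:<alice@example.net>
S: 530 5.7.0 Must issue a STARTTLS command first
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: EHLO client.example.org
S: 250-mail.example.net
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN <constructed-base64>
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<alice@example.net>
S: 250 2.1.0 Ok
C: RCPT TO:<bob@example.org>
S: 250 2.1.5 Ok
"""

# Constructed session: inbound-only MX on port 25, no AUTH, no relaying.
MX_25 = """
S: 220 mx.example.net ESMTP
C: EHLO sender.example.org
S: 250-mx.example.net
S: 250 STARTTLS
C: MAIL FROM:<carol@example.org>
S: 250 2.1.0 Ok
C: RCPT TO:<alice@example.net>
S: 250 2.1.5 Ok
C: RCPT TO:<dave@example.com>
S: 554 5.7.1 Relay access denied
"""

# Constructed session: cleartext AUTH offer plus relaying for anyone.
LEGACY_25 = """
S: 220 old.example.net ESMTP
C: EHLO client.example.org
S: 250-old.example.net
S: 250 AUTH PLAIN LOGIN
C: MAIL FROM:<x@example.org>
S: 250 Ok
C: RCPT TO:<someone@example.com>
S: 250 Ok
"""
```

The same function gives a clean result for a hardened listener on either port, which is the argument made above that 25 and 587 speak the same protocol and differ only in policy.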
