Verizon.net Finally Moving Email To Port 587

The Washington Post's Security Fix blog is reporting that Verizon, long identified as the largest ISP source of spam, is moving to require use of the submission port, 587, in outbound mail — and thus to require authentication. While spammers may still be able to relay spam through zombies in Verizon's network, if the victims let their mail clients remember their authentication credentials, at least the zombies will be easily identifiable. Verizon pledges to clean up their zombie problem quickly. We'll see.

Finally, Verizon, Finally!!

[Smidge207]

I found out I was a spammer when I investigated a message returned to me. I ended up talking with someone from SORBS. After emailing SORBS a couple of times, I received this message from Michelle Sullivan: "SORBS lists IP addresses that send spam. Often there is real email mixed with the spam, sometimes deliberately, sometimes accidentally. In this case you are using an IP address to send your email that has previously, and is still, sending spam. The IP address is blocked. I'd contact your provider and complain bitterly about it, because it's the provider that is listed, not you specifically."

I send out a newsletter with about 250 subscribers. After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages. I rarely approach 200 messages and the newsletter is a monthly. Verizon told me I couldnâ(TM)t even send the newsletter in one blast; I had to limit it to 100 subscribers an hour! And in late Fall 2008, some providers, like MS, would reject my mail simply because it had @Verizon.net in the senderâ(TM)s address. I knew I wasn't sending out large amounts of email, let alone spam.

Within those imposed limits, Verizon still could not bring its huge entity to investigate my complaint. In late December, we switch to Constant Contact to email the newsletter. While my boss uses Cox since he works mostly from home, the office is still âoeconnectedâ with Verizon!

Boy, I hate Verizon! Now, maybe they will kill the Zombies from all those dead zones they claim not to have!

=smidge=

Re:What's this "finally" shit?

[erroneus]

This implies that they are blocking all outbound port 25 requests. All ISPs in Japan that I am aware of have been doing this for a long time. The problem is that if you have a 3rd party email service provider, you can no longer send email through them because port 25 will be blocked and if the other party offers the alternative port as well, it is still often blocked.

Still, for MOST people, this is a good plan. I just think that users should be informed of this change, informed why it is a good idea for MOST people and to give them an option to "opt out" of the restriction in some way if the restriction is not compatible with their current needs.

E-mail Clients and Ports

[dlevitan]

I wish that more software would default to 587 instead of 25. For example, Thunderbird doesn't even mention the possibility of 587 as a "default" port, which really needs to be changed.

In any case, it's good to see the change to 587 become more widespread and hopefully it will eventually become the default port for sending messages (along with encryption + authentication), while 25 will be reserved exclusively for server-to-server communication.

Re:Do zombies even use ISP mail servers?

[erroneus]

Yes and it is only a matter of time before that changes and evolves.

The reason these alternative ports and blocking works is because most everyone else isn't doing this. When it comes to the point where most people are doing this, new methods will arise.

The first scenario that comes to mind is that the next generation of bot-ware will listen to your outgoing email traffic and learn your password then configure itself to send email based on that information. Then once again, the problem returns. And if *I* can conceive of this, then I *know* spammers have already thought of this. (I am comfortable in the assumption that I have never come up with an original idea.) You can expect this to occur within the next year or so. The drive to these measures are largely based on the size of the target audience after all. (This is the reason Mac OS X is mostly immune to attacks and infection... it isn't yet a big enough target!)

Things will get crazier before they get better.

Re:Finally, Verizon, Finally!!

[ILikeRed]

Guess what, unless you were careful to

• Include the correct Header info (You did mark your messages "Bulk" - right?)
• Provide an automated opt-out method
• and... Included your valid physical postal address

than guess what, you not only are a spammer, but you probably also broke the law [ftc.gov].

Re:What's this "finally" shit?

[The Great Pretender]

I recently went through this problem with my work email and Comcast. Someone had reported something, they never explained what, that caused them to put a stop on my port 25 at home. Figuring this out took me many days of bitching at my IT guys at work why they're system was not letting me send emails. Eventually they figured out that it was my ISP and had me call Comcast Customer Service Assurance at 856-317-7272. It turns out that regular Comcast customer services just parrot that the port cannot be unblocked. I talked to the CSA agent and in less than 2 mins he had unblocked up my Port 25. However, he did also say that there was no guarantee that it wouldn't be blocked again, all that had to happen was for someone to make a complaint against me for spam. This includes anyone on an outgoing email who tags any email as spam. His advice was to make sure that everyone wanted the emails when they went out. I can only assume that someone in a CC'd email had tagged me as junk not realizing the consequences.

Re:What's this "finally" shit?

[dkf]

Correct for most people this is a good plan. For spammers it is not. They will of course opt out of the restriction.

So long as there is no way for the zombie itself to opt out, there's no (big) problem: the owner probably won't opt out, and the spammer won't go to the (fairly substantial) effort to social engineer his way past the restriction. What this does mean is that it pretty much requires that people who want to opt out call their Customer Services line rather than using a self-service webpage. It's horrible, but necessary.

And for the love of God, don't encourage J Random Grandma to opt out unless she's actually busy overthrowing the government.

Re:What's this "finally" shit?

[mibus]

My home ISP (oblig. disclaimer: I now work for them too) has blocked port 25 outbound by default on 'Home' ADSL connections for a while now.

It's all configurable from the online webtools, so you can turn it back on if you want it.

And there's even an in-depth FAQ [on.net] about it on the site.

IMHO it's a great idea, and I wish more ISPs did it.

Re:You can, but it's hokey

[MSG]

You do realize that SMTP on port 25 and MSA on port 587 are the same protocol, right? There's no way that one can be hokey and the other not. In both cases, STARTTLS can be used, and should be required before authentication is allowed.

Providers should universally provide service on 587 in order to allow other ISPs to block outbound port 25, but arguing that authentication on 25 is hokey is just silly. The only reason not to bother is that sooner or later, port 25 is going to be blocked by the ISPs of remote users, and you really ought to be providing service on 587.

Re:What's this "finally" shit?

[DarkOx]

I have never really understood why this is an issue. I do think ISPs should be upfront about it before you sign up and if they change what ports they block and how they police their network you should be allowed out of the contract. I don't think its fair for them to write terms that say we can limit what you do in any way we like.

That aside I would like to ask my fellow slashdots running their own mail servers, (I do speakeasy actaully allows this under their tos) why its a problem for you to use your ISP as a smart host?

Personaly I like it. Unlike at work I don't have to worry about keeping the mail server off the black lists, contacting post masters at other domains to get mistakes corrected etc etc. The ISP does msot of that for me. Now speakeasy will relay for my domain, but I think most ISPs will probably trust whatever is coming from their own network to their relay, I hope they pass it through some outbound filter.

On the inbound side, the MX record points directly at my ip address so I get to handle the mail coming in a filter/black list etc according to my own needs. TLS works too if things need ot stay private.

I suppose the only arugment I can think of is even if you are using TLS your ISP can still read your outboand mail, and if I was using version or comcast I might be more concerned about that....

What are other peoples reasons?

Re:PORT 587 THE GATE TO HELL

[lgw]

Port 666 is reserved for Doom (video game)

Wow, I thought AC was joking, but it's right there in RFC1700!

doom 666/tcp doom Id Software
doom 666/tcp doom Id Software

Re:Do zombies even use ISP mail servers?

[nine-times]

(The ideal would be to allow outgoing, but cut people off if they spam. That would punish only the guilty, but I guess they're not so keen on that).

I'd be more content if they said, "You're blocked by default, but contact our support line and we'll open port 25 for you."

But I find it really frustrating when they block port 25. I use two different email services, and both of them require authentication and SSL, but do it via port 25, so I can't use them for outgoing SMTP if that port is blocked. I've had an ISP block port 25 on me, requiring me to use their SMTP server, but then they wouldn't let me use their SMTP server when I wasn't connecting through them. That's a pretty annoying problem, considering I have a laptop and have to manually change SMTP servers whenever I change locations. And even if ISPs let you use their SMTP server from other locations, if they're using port 25 and other ISPs are blocking that port, then you'll still have to manually change your SMTP server whenever you change locations. It's stupid.

I vaguely suspect that there's some kind of attempt here to get you to use your ISP's email address by making everything else not-work, thereby making it more difficult to change ISPs. Or maybe it's just a means to milk extra money by charging a fee for opening port 25. My old ISP charge $15 a month to open ports 25 & 80.

Re:What's this "finally" shit?

[SaDan]

I have Comcast Business internet, and it is exactly as others have described: no blocked ports, no upload/download limits, and (so far) very decent customer service.

I also have five static IPs, run an email server and web server out of my house for commercial and non-commercial purposes. I've had zero issues in the year I have had this configuration.

Re:What's this "finally" shit?

[SaDan]

If you use your Comcast SMTP servers for outbound email the same way you use Google's, you will be able to send work email from home. This will get around the port 25 block they (Comcast) have in place, because you are authenticating with Comcast in order to send email.

If your IT guys at work didn't have a problem getting your email when you were sending it through Google, they shouldn't care if you send it through Comcast. There's no more or less accountibility, and you actually aren't sending through the work email server if you go through Google anyways.

I'd give the Comcast SMTP server(s) a shot.