Open Port 25 from Your ISP? Cash or Charge? Port for Unsecured SMTP a Malware Magnet Michael Hall
Just last week, my hometown of Portland, OR, cut the ribbon on its new, free, municipal Wi-Fi network. It's still a work in progress, with just the downtown and a few select neighborhoods covered, but by 2008, the city says we'll have 95 percent coverage.
Portland already has a project designed to provide free wireless in the form of Personal Telco, but I suspect the city-supported network will grow more quickly and prove more comprehensive.
Because one of my hobbies involves wringing my hands and worrying about the security implications of anything that is as easy to connect to as a free, nonsecure wireless network blanketing an entire metropolitan area, I immediately went to the sponsoring company's site and checked out the technical FAQ to see what sort of traffic is and isn't allowed over the city network.
For starters, the FAQ says VPN traffic is allowed, and that's great. Businesses should hold themselves responsible for the security of their mobile users on open networks. I'd love to be a fly on the wall as local business IT organizations come to grips with a mobile workforce that's suddenly really mobile, not to mention currently unconnected employees who might find themselves accessing company resources over an insecure network simply because they can, or as a backup if their own ISP connection fails.
Another entry in the FAQ points out something I welcome with open arms:
Does MetroFi block Port 25?
Yes, MetroFi does block port 25 to avoid spam and network abuse of the Free wireless network. Web based e-mail can be accessed using the MetroFi free service.
MetroFiUs Premium Service, does not block port 25, and is ad free.
If you need to use Port 25 to send and receive e-mail, sign up for the MetroFi fee based service for $19.95 a month.
Port 25 is the traditional port for unsecured SMTP, the protocol that pushes mail around the Internet. When a computer gets owned by malware and turned into a zombie spam relay, it's spewing its payload over port 25.
A lot of ISPs are already blocking port 25 in an attempt to curb spam. Others are slower to do so, often because they want to provide power users with a full-service connection and the capability to run an SMTP server for their own domain. Some that allow access to port 25 do so with an additional penalty if a user mistakenly allows a computer connected to the ISP to act as a spam relay. I once got a panicked call at 7 a.m. from a friend whose Linux server had been hijacked thanks to an insecure Web feedback form. His ISP was preparing to charge him $200 for a spam incident, with threats to levy more charges if he didn't lock his system down.
Plenty of ISPs just block the connection, though, and it's not uncommon to spot folks on forums and mailing lists complaining about their "stupid ISP" blocking port 25. "It's my connection, I paid for it, I should get full service," goes their reasoning.
As someone who has run his own mail server out of his home, I feel their pain. But I also think the Internet is a commons ... not a gated community with houses built so close together grass can't grow in the two foot strips between McMansions. A privilege a few people have need for has to be weighed against the massive liability presented by broadband-connected users with little experience or motivation when it comes to protecting their computers from malware.
And while a $200 fee to clean up a spam incident appeals to my punitive side, it's a threat that has to be about something that means something to the person reading it. Or backed up when the person who didn't understand it goes to court to get out of paying for the many times he allowed his computer to roll over and play zombie for the Russian spam mafia.
Rather than arbitrarily introducing a blanket block on port 25 and calling it a day, more ISPs should consider providing themselves with a new revenue stream in the form of selling access to a completely open connection. Some do a variation on this in the form of charging more for static IPs, which discourage a lot of users from running potentially dangerous services unless they also know about services like DynDNS. That's not enough, though, when the real problem is the people who don't even realize they're running a spam relay that doesn't care if it's operating from a dynamic IP.
A small fee would force people to consider whether they wanted to pay it at all (most wouldn't since they wouldn't need the service it provided), and it would remunerate ISPs for maintaining an added layer of complexity on their networks (however slight) for users who insist on running services on consumer-grade connections. And, let's face it, it'd provide some remuneration for the smart-but-not-smart-enough home networkers who accidentally leave their SMTP servers open despite the great advice they get from sites like Practically Networked.
Yes, it's their connection and they're paying for it, but it's our Internet and we need to maintain it better.
Just last week, my hometown of Portland, OR, cut the ribbon on its new, free, municipal Wi-Fi network. It's still a work in progress, with just the downtown and a few select neighborhoods covered, but by 2008, the city says we'll have 95 percent coverage.