A touchy issue, this. Should we consider it Best Current Practice to filter
outgoing port 25 on "residential" (or similarly classified) access points?
Should we consider it BCP to filter outgoing port 25 on pretty much all
access points unless other arrangements are explicitly made?
Our contributor named "Mark" has been harping on the "presumption of
innocence" principle, but it's precisely the viability of that principle
that's in question here. There is a certain quantity of spam which exists by
abusing the "presumption of innocence", so called. It's a badly
emotionally-laden term, since to advocate the converse is to advocate
"presumption of guilt", and you may as well advocate the strangulation of
small furry animals and children while you're about it. Rather than
"presumption of guilt", we should have "explicitly negotiated access". We
could recommend that port 25 be available (in some cases) only when
explicitly arranged, not on the basis of prior "guilt" or "innocence", but
purely to make accountability explicit.
Personally, I reject outright the idea that filtering access points on port 25
has a troublesome impact on mail connectivity for the do-it-yourself crowd,
myself included. If you don't trust your ISP to get it right with regards to
their mail server, it is now ridiculously cheap to get your own virtual
server hosted somewhere and continue to do it yourself without your mail
server hanging off your ISP's access point. Such virtual hosts require
expertise to configure, but have unfettered access. In my view, people who
are still harping on this point need to readjust to the new environment --
keep up with the times. I have seen virtual servers available for US$15 per
month, which is a fraction of what I pay for my broadband access (in
Australia).
On the other hand, malware ("viruses", "worms", "trojans", etc.) which abuses
the openness of port 25 is rife. This is an attack vector that bears serious
consideration. Similarly, "presumption of innocence" falls down for any
dynamically allocated IP address, since there is no permanent identity
associated with the IP. If we work on the "presumption of innocence"
principle here, then the abusers get free rein for a short while, then
tarnish the reputation of all users equally. It simply doesn't work. One
possible suggestion for a BCP is to filter outgoing port 25 for all
dynamically allocated IPs.
Taking the converse view, one could question the effectiveness of port 25
filtering as a whole, relative to its intrusive nature. There is no escaping
the fact that port blocking is intrusive, and it causes problems of its own.
Does it provide a net improvement, or does it merely change the balance of
problems?
Intrusive filtering is NOT the only option. We also have the option to place
information about the IP out of band, as per one of the various DNS options.
This does not change the argument about "presumption of innocence" versus
"explicitly negotiated access" -- it only changes the mechanism by which
filtering is taking place, and the party that elects to do the filtering.
Where information about the trustworthiness of an IP is placed in the DNS,
the mail recipient becomes the one to make decisions: a non-intrusive form of
filtering which can, even so, produce similar results.
With careful semantics, we may even be able to produce a DNS-based solution
which allows do-it-yourselfers to continue to operate their own mail servers,
with limited scope for nuisance to others. An ISP could use in-addr.arpa PTR
records to indicate "residential" or "dynamic" status for IP addresses (with
the connotation that they are not well placed to prevent mail abuse from
those sources). A person operating their own domain could override this
rating by explicitly marking their own mail domain as operating from a given
IP through their own domain records. A recipient can then decide whether to
trust that sender's domain or not, based on his own assessment of risk.
So, having rambled about it for a bit, I conclude that port filtering is a
tool worth considering in certain cases, and I dismiss the "presumption of
innocence" argument as being both emotionally overcharged and no longer
viable. Even so, it seems to me that the non-intrusive DNS-based options can
more closely achieve the goal of recipient-oriented decision-making, and are
less likely to cause unintended problems with connectivity generally. Let the
recipients make up their own minds about whether they trust a sender or not:
just give them information on which to base their decision.
Regards,
TFBW
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
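The recipient-side decision the post sketches (an ISP marks dynamic or residential addresses via in-addr.arpa PTR naming, a domain owner overrides that rating by listing the IP in their own domain's records, and the recipient decides) can be written out as a small classifier. The code below is an added illustration, not something from the post or from any ASRG proposal. It stands in for live DNS with constructed tables: the PTR naming convention (labels beginning "dyn" or "res"), the `mailhosts ip4:` record format, and all host names and addresses are assumptions made up for the example, and a real deployment would replace the two lookup tables with reverse and forward DNS queries.

```python
import ipaddress
from typing import Dict, Optional

# Constructed stand-in for reverse DNS answers (in-addr.arpa PTR records).
# The "dyn-"/"res" labels are a hypothetical ISP convention for flagging
# dynamically allocated or residential addresses, as the post suggests.
CONSTRUCTED_PTR: Dict[str, str] = {
    "203.0.113.25": "dyn-203-0-113-25.res.example-isp.net.",
    "203.0.113.80": "mail.example-isp.net.",
    "198.51.100.7": "dyn-198-51-100-7.res.example-isp.net.",
}

# Constructed stand-in for a TXT-style record published by the domain owner,
# listing the hosts from which that domain's mail legitimately originates.
# The "mailhosts ip4:" syntax is invented for this example.
CONSTRUCTED_DOMAIN_RECORDS: Dict[str, str] = {
    "selfhosted.example.org": "mailhosts ip4:198.51.100.7",
    "example-isp.net": "mailhosts ip4:203.0.113.64/27",
}

# PTR labels (or label prefixes before a hyphen) taken to mean "residential/dynamic".
RESIDENTIAL_MARKERS = ("dyn", "res")


def ptr_name(ip: str, ptr_table: Dict[str, str]) -> Optional[str]:
    """Return the PTR name for an address, or None when no reverse record exists."""
    return ptr_table.get(ip)


def is_residential(ptr: str) -> bool:
    """True when any label of the PTR name carries a residential/dynamic marker."""
    labels = ptr.rstrip(".").lower().split(".")
    return any(
        label == marker or label.startswith(marker + "-")
        for label in labels
        for marker in RESIDENTIAL_MARKERS
    )


def domain_authorises(domain: str, ip: str, records: Dict[str, str]) -> bool:
    """True when the sender domain's own record explicitly lists the IP (or a
    CIDR block containing it). This is the domain owner's override of the
    ISP's residential rating."""
    record = records.get(domain.lower())
    if not record or not record.startswith("mailhosts"):
        return False
    addr = ipaddress.ip_address(ip)
    for token in record.split()[1:]:
        if token.startswith("ip4:"):
            try:
                net = ipaddress.ip_network(token[4:], strict=False)
            except ValueError:
                continue  # malformed entry: ignore rather than trust
            if addr in net:
                return True
    return False


def classify_sender(ip: str, domain: str,
                    ptr_table: Dict[str, str] = CONSTRUCTED_PTR,
                    records: Dict[str, str] = CONSTRUCTED_DOMAIN_RECORDS) -> str:
    """Recipient-side rating of a connecting IP claiming to send for `domain`.

    explicitly-authorised : the domain owner has listed this IP (override wins)
    residential           : ISP PTR naming marks the IP dynamic/residential
    no-ptr                : no reverse record at all
    unrated               : PTR exists but carries no residential marker
    """
    if domain_authorises(domain, ip, records):
        return "explicitly-authorised"
    ptr = ptr_name(ip, ptr_table)
    if ptr is None:
        return "no-ptr"
    if is_residential(ptr):
        return "residential"
    return "unrated"


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "selfhosted.example.org"),
                    ("203.0.113.25", "selfhosted.example.org"),
                    ("203.0.113.80", "example-isp.net"),
                    ("192.0.2.1", "nowhere.example")]:
        print(f"{ip:15} {dom:25} -> {classify_sender(ip, dom)}")
```

The override is checked first on purpose: a do-it-yourselfer on a dynamically allocated address who has published their own record is rated "explicitly-authorised" even though the ISP's PTR name marks the address residential, which is the accountability-by-explicit-arrangement outcome the post argues for. What the recipient does with each rating (accept, defer, reject) remains its own policy decision.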