
RE: [Asrg] article: port 25 blocking

2005-04-14 20:04:43
At 9:52 PM -0400 4/14/05, Larry Seltzer wrote:
 2. A non-standard port that is 100% open just like regular SMTP is bound
    to soon be known and start to be abused. It has to be some type of
    restricted profile smtp with authentication (which is what submit is,
    so why reinvent it...).

Right--there's no point in blocking port 25 if you just open up another
port to plain unauthenticated SMTP....

Don't get me wrong, this was just a crazy off-the-top-of-my-head idea and I
can certainly believe I'm wrong, but this reasoning doesn't persuade me.
There's no reason to believe that there would be a few common ports.

Let's say I want to let my team of users access the mail server from their
ISP accounts. I set up SMTP on (pull number out of ass) TCP 48207. I have to
set this up on all their clients (and open it up on any firewalls between
us), so for practical purposes it can't be too many of them.

Assuming the ISP hasn't blocked that port as well (ISPs don't generally
block arbitrary ports) it should solve the problem of getting through the
port 25 block. *Conventional* worms on the system will still fail because
they will be trying to use port 25. A new worm could be written to monitor
all communications looking for SMTP on non-standard ports, but this is a lot
of work when there is still low-hanging fruit out there.

So how is this not going to solve anything? I agree I'd much rather have
users run port 587 and authenticate, but if it's just your sense of
networking aesthetics that's offended by this scheme then that's worth
saying.

That certainly is a workable approach, but it may well not be as usable as the port 587 approach, since there are probably marginally fewer mail clients capable of arbitrary port usage than are capable of using port 587 (or the non-standard but unfortunately still widely deployed port 465). If you can put a non-authenticated SMTP on an arbitrary high port, you can probably put it on port 587 just as easily.

However, there's really no excuse for anyone putting an unauthenticated SMTP for mail submission on any port. Requiring authentication makes a higher bar for malware to get over, and it really is the malware at this point that is the driving motivator for port 25 blocking by connection providers. Requiring authentication does not necessarily make it impossible for some trojan to sniff out how to send mail on a misdesigned system, but it is generally easier to dig up basic config information than to find passwords.

Bottom line: putting unauthenticated SMTP for initial mail submission on some port other than 25 gets around port 25 blocking and presents no significant danger *today* but it has its own deployment problems for client systems and is likely to fall to the next generation of malware well before they figure out how to get around existing systems for password security and so crack authenticated SMTP.


--
Bill Cole
bill(_at_)scconsult(_dot_)com


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
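A check for the point made above about unauthenticated submission, added here as an example and not part of the thread: a small Python probe you run against a mail server you administer to see whether a given port relays for outside domains before AUTH (the "plain unauthenticated SMTP" case) or refuses until the client authenticates (what a submission port should do). The host, port and the example.com/example.net addresses are constructed placeholders.

```python
import smtplib


def classify(auth_offered: bool, starttls_offered: bool, rcpt_code: int) -> str:
    """Turn the raw observations into a verdict.

    rcpt_code is the server's reply to an unauthenticated RCPT TO for a
    domain the server is not responsible for.  A 2xx means the port relays
    with no credentials at all; a 4xx/5xx means relaying was refused before
    AUTH, which is the behaviour a submission port should have.
    """
    if 200 <= rcpt_code < 300:
        return "OPEN: relays for outside domains without authentication"
    if not auth_offered:
        return "CLOSED but no AUTH advertised: clients cannot submit here at all"
    if not starttls_offered:
        return "AUTH required, but no STARTTLS: passwords would cross the wire in clear"
    return "OK: relaying refused before AUTH; STARTTLS and AUTH are advertised"


def probe_submission_port(host: str, port: int, timeout: float = 10.0) -> str:
    """Connect to a mail server you administer and report how the port behaves.

    The session is aborted with RSET/QUIT before DATA, so no message is ever
    queued even if the server would have accepted the recipient.
    """
    sender = "relay-probe@example.com"           # constructed placeholder
    outside_recipient = "relay-probe@example.net"  # constructed placeholder
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        starttls_offered = conn.has_extn("starttls")
        if starttls_offered:
            conn.starttls()
            conn.ehlo()  # capabilities can differ after TLS, so re-read them
        auth_offered = conn.has_extn("auth")
        conn.mail(sender)
        # If MAIL FROM was already refused (e.g. 530), RCPT comes back 503/530,
        # which still classifies as "refused before AUTH".
        rcpt_code, _ = conn.rcpt(outside_recipient)
        conn.rset()
    return classify(auth_offered, starttls_offered, rcpt_code)


if __name__ == "__main__":
    # Replace with a server and port you are responsible for.
    print(probe_submission_port("mail.example.com", 587))
```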