Aug 1, 2012

Updated Management of SMTP Port 25

Email is a fundamental part of the way we communicate today, carrying everything from personal day-to-day communications to important financial communications. Over the past few years, more and more users have accessed comcast.net email through our Xfinity Connect site using their web browser. Many customers also use email clients such as Mozilla Thunderbird or Apple Mail.app. Unfortunately, and despite the fact that ISPs like Comcast offer tools to better secure email, many customers using email clients are still sending email over port 25.

Over the past few years, Comcast has managed port 25 by selectively blocking its use in response to spam complaints. This made sense when spam was often sent by an end user clicking a "send" button. But in this age of bot networks, malware is now responsible for sending most spam, and users are unaware that spam is being sent from their computer.

As a result, we are updating our management of port 25. In order to ensure a more secure network and email domain, Comcast will no longer by default allow access to port 25 for our residential Internet users. In addition, we are asking comcast.net email users to migrate to port 465, which offers SSL encryption. We will continue to support the industry standard port 587. Upon request to our Customer Security Assurance team this block can be removed, enabling access to use port 25 for other email domains, though the comcast.net email servers will no longer accept submission via port 25. These changes will occur gradually across our network beginning today.
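The rationale above (bot-infected residential hosts send spam directly to many mail servers on port 25, while a real mail client submits to one provider on 465 or 587) can be turned into a simple detection over outbound connection records. The following is an added example and not Comcast's tooling; the flow records, hosts and the destination-count threshold are constructed for illustration.

```python
"""Flag residential hosts whose outbound traffic looks like bot-driven spam:
many distinct destinations on TCP/25, rather than authenticated submission
to a single provider on TCP/465 (SMTPS) or TCP/587 (STARTTLS submission)."""
from collections import defaultdict

SUBMISSION_PORTS = {465, 587}   # what a mail client should use (see text above)
SMTP_RELAY_PORT = 25            # MTA-to-MTA relay; residential hosts rarely need it

# Constructed flow records (src_ip, dst_ip, dst_port). Not real traffic.
SAMPLE_FLOWS = (
    # 10.0.0.5: a normal mail client submitting to its provider on 587
    [("10.0.0.5", "192.0.2.10", 587), ("10.0.0.5", "192.0.2.10", 587)]
    # 10.0.0.7: bot-like, opens port 25 to eight different mail servers
    + [("10.0.0.7", f"198.51.100.{i}", 25) for i in range(1, 9)]
    # 10.0.0.9: talks to two servers on port 25 (e.g. a small self-hosted MTA)
    + [("10.0.0.9", "203.0.113.4", 25), ("10.0.0.9", "203.0.113.5", 25)]
)


def classify(flows):
    """Per source host: count of submission-port connections and the set of
    distinct destinations contacted on port 25."""
    per_host = defaultdict(lambda: {"submission": 0, "port25_dsts": set()})
    for src, dst, port in flows:
        if port in SUBMISSION_PORTS:
            per_host[src]["submission"] += 1
        elif port == SMTP_RELAY_PORT:
            per_host[src]["port25_dsts"].add(dst)
    return per_host


def suspicious_hosts(flows, max_port25_destinations=5):
    """Hosts that contacted more distinct servers on port 25 than the
    threshold (a constructed value); these are candidates for a targeted
    port 25 block and a customer notification, not for an automatic verdict."""
    stats = classify(flows)
    return sorted(
        host for host, s in stats.items()
        if len(s["port25_dsts"]) > max_port25_destinations
    )


if __name__ == "__main__":
    for host in suspicious_hosts(SAMPLE_FLOWS):
        dsts = classify(SAMPLE_FLOWS)[host]["port25_dsts"]
        print(f"{host}: {len(dsts)} distinct port-25 destinations")
```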

This change in approach for managing port 25 is consistent with industry best practices. Most of the ISPs in the U.S. block port 25 and for the vast majority of our users there will be no impact. In addition, there is a vast body of industry recommendations and advice that is in favor of blocking port 25 and is supportive of this step.

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is a large industry organization that works to minimize abuse on the Internet. Amongst its members are such companies as Microsoft, Google, Yahoo, AOL, Comcast, AT&T, and Verizon, as well as many other communications companies such as Vodafone, Telefonica and France Telecom. M3AAWG published a paper back in 2005 recommending active management of port 25. Comcast complied with these recommendations by introducing targeted port 25 blocks that reduced the spam output per subscriber to amongst the lowest in the country. This paper can be found on the M3AAWG website here.

The Internet Engineering Task Force (IETF) has also issued advice in the form of a number of Requests for Comments (RFCs) that recommend the use of ports other than port 25 for the sending of email. The two most relevant are RFC 5068 (see Sections 3.1 and 3.2) and RFC 4409 (see Section 3.1).

There are a number of other influential bodies that recommend against the use of port 25. The Federal Trade Commission (FTC), an organization that has taken legal action against many spammers, also recommends that port 25 be blocked by ISPs. The recommendation is as follows: "block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers."

Finally, the ITU also recommends blocking port 25 in its document named "ITU Botnet Mitigation Toolkit." This can be found here. Whilst this document is focused on the remediation of botted computers, blocking port 25 is seen as an important step in mitigating the spam that is sent from botted machines.

We do not plan to introduce the block all at once, but phase it in over a period of a couple of months so as to minimize any potential for disruption. In the end, our email domain and our network will be better and more valuable to our customers.

Tags : email, Internet Engineering Task Force, Messaging Malware and Mobile Anti-Abuse Working Group, Security, SMTP
