Oh those evil SMTP connections



  • So I posted a support ticket to my campus' tech support site. I don't remember the exact wording and don't feel like looking it up, but basically, I wasn't able to send any e-mail, and Gmail's troubleshooting guide came to the conclusion that it was a network problem. I'm not generally knowledgeable about how networks and Internets and stuff like that work, but from what little I know it seemed like a good conclusion.

    Got this reply today:

    "I believe this is blocked by packet shaper.  We had problems with email viruses and got put on many blacklists so we blocked smtp outbound from our network.  We will have to ask this student to use web access for gmail."

    Not sure where to begin here, but I don't think I have to, because my college blocked e-mail (specifically outbound e-mail, but whatever). And you can't beat that.



  •  I don't know many university network admins who would appreciate running botnets on their campus. It's pretty standard practice to block outgoing SMTP for all machines but the corporate email servers, especially on a college campus, where you don't have any control over most of the machines on the network.



  •  That's common and normal. Remember, you don't own the network, and there are plenty of people out there (maybe you?) who would let their machines become spam sending zombies. If they did NOT block port 25 I'd say they were being irresponsible. 

     



  • This is the normal practice of organizations that don't want to have their networks hijacked for sending spam.  You need to route through the university's SMTP server or use web mail.  There is no WTF here.



  •  Where's the WTF? In the Netherlands all major providers block outgoing SMTP traffic from their clients, except when it's to their servers. That's not a problem since they are open relays if you are one of their customers (either verified by your IP or by authentication with one of their email addresses).

    It would be a WTF if the university doesn't provide a SMTP server/relay for within their network though, because that would effectively block emailing from within the network.



  • I wish I had a ceramic vessel to give you.  Perhaps one that comments on the (lack of) quality of this thread.



  • @bstorer said:

    I wish I had a ceramic vessel to give you.  Perhaps one that comments on the (lack of) quality of this thread.

    Go-go gadget Ceramic WTF-meter?



  • @curtmack said:

    Got this reply today:

    "I believe this is blocked by packet shaper.  We had problems with email viruses and got put on many blacklists so we blocked smtp outbound from our network.  We will have to ask this student to use web access for gmail."

    I'm pretty sure Gmail is not using standard SMTP port 25.


  • @curtmack said:

    Not sure where to begin here, but I don't think I have to, because my college blocked e-mail (specifically outbound e-mail, but whatever). And you can't beat that.

    And so has virtually[1] every university I've gotten to know well enough to say one way or the other.

    Commonly, IT staff can send email directly, and everyone can send outbound email through their webmail programs.  Other than that, SMTP outbound is blocked (both 25 and 587, and sometimes even 24).

    Connecting to gmail via port 443 (https) and using their webmail should work just fine.  If that doesn't work, you have something to complain about.

    [1] I can't think of any exceptions.  Just leaving some wiggle room in case there is one.



  • @alegr said:

    @curtmack said:

    Got this reply today:

    "I believe this is blocked by packet shaper.  We had problems with email viruses and got put on many blacklists so we blocked smtp outbound from our network.  We will have to ask this student to use web access for gmail."

    I'm pretty sure Gmail is not using standard SMTP port 25.

    They use port 587 for mail submission, which is standard. 



  • @morbiuswilters said:

    @alegr said:

    I'm pretty sure Gmail is not using standard SMTP port 25.

    They use port 587 for mail submission, which is standard. 

    They use port 465 with SSL. That's what I have in my gmail SMTP settings. Their POP3 uses 995.



  • @alegr said:

    @morbiuswilters said:

    @alegr said:

    I'm pretty sure Gmail is not using standard SMTP port 25.

    They use port 587 for mail submission, which is standard. 

    They use port 465 with SSL. That's what I have in my gmail SMTP settings. Their POP3 uses 995.

    They use both: port 465 for POP users and port 587 for IMAP.  Ports 465 and 587 are both for use with SSL. 



  •  TRWTF is using GMail



  • @Helix said:

     TRWTF is using GMail

     

    Thank you for sharing that insightful comment with us in a week-old thread.



  • @dtech said:

    It would be a WTF if the university doesn't provide a SMTP server/relay for within their network though, because that would effectively block emailing from within the network.
    Most that block that traffic don't provide a relay. Staff get Exchange, students get webmail, and people trying to use Outlook with their own domain and MX get f***ed.


  • Garbage Person

    @TwelveBaud said:

    @dtech said:
    It would be a WTF if the university doesn't provide a SMTP server/relay for within their network though, because that would effectively block emailing from within the network.
    Most that block that traffic don't provide a relay. Staff get Exchange, students get webmail, and people trying to use Outlook with their own domain and MX get to learn about SMTP over SSL (if they have their own server) or SSL tunnels (if they don't)
    FTFY.



  • @dtech said:

     Where's the WTF? In the Netherlands all major providers block outgoing SMTP traffic from their clients, except when it's to their servers.

    Hah! In Finland, incoming and outgoing SMTP traffic that doesn't go through the ISP mail server is blocked by the order of the Finnish Communications Regulatory Authority, unless the ISP gives the customer a sermon on the risks involved, monitors the volume of the outbound traffic and mercilessly crushes the spammage. I was pretty freaked when I found out about this - not the block itself, but that the order came from the government. Spam and botnetting is really serious business.



  • @WWWWolf said:

    In Finland, incoming and outgoing SMTP traffic that doesn't go through the ISP mail server is blocked by the order of the Finnish Communications Regulatory Authority
     

    What's the point of blocking incoming traffic, other than provide inconvenience for customers?



  • @dtech said:

    What's the point of blocking incoming traffic, other than provide inconvenience for customers?
     

    So that no-one can set up an open mail relay.



  • @Zemm said:

    @dtech said:

    What's the point of blocking incoming traffic, other than provide inconvenience for customers?
     

    So that no-one can set up an open mail relay.

    Presumably if outgoing SMTP were blocked, open relays and botnets would not be an issue.  Though, running an MTA on a consumer Internet connection is pretty silly anyway.



  • @morbiuswilters said:

    @Zemm said:

    @dtech said:

    What's the point of blocking incoming traffic, other than provide inconvenience for customers?
     

    So that no-one can set up an open mail relay.

    Presumably if outgoing SMTP were blocked, open relays and botnets would not be an issue.  Though, running an MTA on a consumer Internet connection is pretty silly anyway.

     

    IIRC some old servers are open relays out of the box, and were abused by spammers/scammers without the owner of the server even knowing they were running a mail server. Or these machines had security issues in the MTA which caused other problems.

    Another reason to block incoming port 25 on a residential connection  is to "upsell" them to a business plan which would cost an order of magnitude more...



  • @Zemm said:

    IIRC some old servers are open relays out of the box, and were abused by spammers/scammers without the owner of the server even knowing they were running a mail server. Or these machines had security issues in the MTA which caused other problems.
     

    They can only be abused if they can send spam out, which they can't since outgoing traffic is blocked.
    Although on second thought, it could be used as a relay to the provider's mailserver.

    @Zemm said:

    Another reason to block incoming port 25 on a residential connection  is to "upsell" them to a business plan which would cost an order of magnitude more...

    I think that is more likely to be the reason.

     



  • @dtech said:

    Although on second thought, it could be used as a relay to the provider's mailserver.

    Most zombies do not receive commands over port 25, so blocking inbound SMTP will not do anything to stop this.  The provider needs to handle the possibility of spam being relayed through them if inbound 25 is blocked or not, so this does nothing to reduce the possibility of spam.



  • @morbiuswilters said:

    Most zombies do not receive commands over port 25, so blocking inbound SMTP will not do anything to stop this.  The provider needs to handle the possibility of spam being relayed through them if inbound 25 is blocked or not, so this does nothing to reduce the possibility of spam.
     

    Some just set up an open smtp relay and then report their IP by going to a specific site/reporting to a specific server, the lists are then sold to spammers, so they do exist. But this would be an easy circumvention. Or you just use another port and let the zombie report its port too...



  • @dtech said:

    @morbiuswilters said:

    Most zombies do not receive commands over port 25, so blocking inbound SMTP will not do anything to stop this.  The provider needs to handle the possibility of spam being relayed through them if inbound 25 is blocked or not, so this does nothing to reduce the possibility of spam.
     

    Some just set up an open smtp relay and then report their IP by going to a specific site/reporting to a specific server, the lists are then sold to spammers, so they do exist. But this would be an easy circumvention. Or you just use another port and let the zombie report its port too...

    I question the accuracy of your information.  Setting up zombies to run as normal open relays would be foolish because they would quickly be "stolen" by other spammers who just use any open relay they can find.  What's more, open relays tend to be caught by spam blacklists fairly easily, making them really useless for spamming.  It's like running a crackden with a sign out front that says "Crack For Sale".  Regardless, blocking outbound SMTP is still a necessity if an ISP is trying to limit spam from their network and if they permit relaying through their SMTP servers they should have some mechanism for catching spam relays and cutting them off.  Limiting inbound SMTP may just be part of a larger "least-privileged access" policy towards limiting spam, but it would have negligible impact on actual amount of spam if outbound SMTP is not blocked or inadequate spam-prevention measures are implemented on the ISP's SMTP relay.
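
An added example, not part of any post in this thread: the egress rule the replies describe (outbound port 25 only from the mail servers or towards the relay) combined with the "mechanism for catching spam relays" on the relay itself, run over constructed flow records. All addresses, thresholds and names are assumptions chosen for illustration.

```python
from collections import defaultdict

MAIL_SERVERS = {"192.0.2.10"}   # assumed: the only hosts allowed outbound port 25
RELAY = "192.0.2.10"            # assumed: campus relay that clients submit through
FANOUT_LIMIT = 3                # assumed: distinct denied SMTP targets before flagging
RELAY_LIMIT = 100               # assumed: relayed messages per window before flagging

# Constructed flow records for one time window: (src, dst, dst_port, messages)
FLOWS = [
    ("10.0.5.21", "198.51.100.7", 25, 0),
    ("10.0.5.21", "198.51.100.8", 25, 0),
    ("10.0.5.21", "203.0.113.40", 25, 0),
    ("10.0.5.21", "203.0.113.41", 25, 0),
    ("10.0.7.3", "198.51.100.7", 25, 0),      # single misconfigured mail client
    ("10.0.7.3", "203.0.113.99", 443, 0),     # webmail over HTTPS, unaffected
    ("10.0.9.9", RELAY, 25, 450),             # heavy sender through the relay
    ("10.0.2.2", RELAY, 25, 12),              # normal relay user
    ("192.0.2.10", "198.51.100.7", 25, 462),  # the relay delivering to the outside
]

def egress_allowed(src, dst, port):
    """Outbound port 25 is allowed only from mail servers or towards the relay."""
    if port != 25:
        return True
    return src in MAIL_SERVERS or dst == RELAY

def review(flows):
    """Return {client: reason} for hosts that look like spam sources."""
    blocked = defaultdict(set)   # client -> distinct destinations it was denied
    relayed = defaultdict(int)   # client -> messages handed to the relay
    for src, dst, port, messages in flows:
        if not egress_allowed(src, dst, port):
            blocked[src].add(dst)
        elif port == 25 and dst == RELAY and src not in MAIL_SERVERS:
            relayed[src] += messages
    findings = {}
    for src, dsts in blocked.items():
        if len(dsts) >= FANOUT_LIMIT:
            findings[src] = "direct-SMTP fan-out (%d hosts)" % len(dsts)
    for src, count in relayed.items():
        if count > RELAY_LIMIT:
            findings[src] = "relay volume %d over limit" % count
    return findings

if __name__ == "__main__":
    for host, reason in sorted(review(FLOWS).items()):
        print(host, reason)
```

The denied attempts are as useful as the block itself: a client that keeps trying many external hosts on port 25 is a candidate for cleanup, while a single denied destination usually means a mail client configured for direct delivery.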



  • @Zemm said:

    @dtech said:

    What's the point of blocking incoming traffic, other than provide inconvenience for customers?
     

    So that no-one can set up an open mail relay.

    Except for the morons at the ISPs.
