Verizon to Implement Spam Blocking Measures

Verizon.net is home to more than twice as many spam-spewing zombies as any other major Internet service provider in the United States, according to an analysis of the most recent data from anti-spam outfit Spamhaus.org. Verizon, however, says it plans to put measures in place to prevent it from being used as a home to so many spammers.

Security Fix examined the latest stats from Spamhaus's "composite block list" (CBL), which relies on intelligence relayed by large spamtraps and e-mail infrastructures around the world. The list comprises only Internet addresses that have been observed sending spam, worms and viruses, or participating in other malicious activity.

Spamhaus currently includes 225,454 U.S.-based Internet addresses on its CBL. Of those, nearly one-quarter -- almost 56,000 -- are assigned to Verizon.net. Comcast, which according to Spamhaus is home to the next-largest concentration of malicious hosts among U.S. ISPs, has fewer than half as many listings.

If spammers are attracted to the company's network, it may be because Verizon still allows customers to send e-mail on Port 25, the communications channel that is traditionally used by large organizations to send e-mail.

Most other large ISPs long ago stopped allowing customers to send mail on Port 25 because spammers typically set up junk e-mail relays on this port after infecting a computer with malware designed to convert the host system into a spam zombie.

Many ISPs have migrated customers away from Port 25 to sending and receiving e-mail on port 587, which - unlike Port 25 - requires the sender to authenticate him or herself with a username and password before it will permit the sending or relaying of e-mail.

Verizon spokesman Clifford Lee said within the next few months, the company plans to shift to using Port 587 for e-mail originating on the Verizon network.

"The majority of our network customers will not be impacted by the change," Lee said. "For those Verizon.net customers who use a Web browser to access their email, the Port 25 blocking should be transparent and their email usage should not be impacted. By switching to port 587, which uses authentication and is the industry accepted alternative to Port 25, Verizon will be able to quickly identify spammers, including those using so-called zombie systems, and shut them down."

"Those customers who may be impacted by the shift to port 587 will be notified in advance of the change and we will provide them with the technical assistance needed to accommodate the switch to port 587."

By Brian Krebs  |  February 17, 2009; 8:00 AM ET
 

Comments

Finally, Verizon, Finally!!

I found out I was a spammer when I investigated a message returned to me. I ended up talking with someone from SORBS.

After emailing SORBS a couple of times, I received this message from Michelle Sullivan:


“SORBS lists IP addresses that send spam. Often there is real email mixed with the spam, sometimes deliberately, sometimes accidentally.

In this case you are using an IP address to send your email that has previously, and is still, sending spam. The IP address is blocked.

I'd contact your provider and complain bitterly about it, because it's
the provider that is listed, not you specifically.”


I send out a newsletter with about 250 subscribers. After talking with SORBS, I contacted Verizon and found out that, even though we signed up for Verizon Business, they limit the amount of email I can send a week to 500 messages. I rarely approach 200 messages and the newsletter is a monthly. Verizon told me I couldn’t even send the newsletter in one blast; I had to limit it to 100 subscribers an hour! And in late Fall 2008, some providers, like MS, would reject my mail simply because it had @Verizon.net in the sender’s address. I knew I wasn't sending out large amounts of email, let alone spam.

Within those imposed limits, Verizon still could not bring its huge entity to investigate my complaint. In late December, we switched to Constant Contact to email the newsletter. While my boss uses Cox since he works mostly from home, the office is still “connected” with Verizon!

Boy, I hate Verizon! Now, maybe they will kill the Zombies from all those “dead zones” they claim not to have!

Posted by: ummhuh1 | February 17, 2009 12:39 PM | Report abuse

This is great news!
I fix home PCs for a living, and I know that my customers will ignore any notifications from Verizon about their SMTP port (and we all know they won't send any notifications: this IS Verizon, after all).
I'll make a cool ninety bucks each time I type "587" ...just like I did when Comcast rolled out this change over the last two years.

Posted by: williehorton | February 17, 2009 6:52 PM | Report abuse

Bravo Verizon! We need to put spammers in their place and prevent them from sending out their useless crud.

Posted by: alexinalexandria | February 17, 2009 8:49 PM | Report abuse

This is good news! Many Verizon IP's have a bad reputation. So, they get blocked by the big corporate spam filter configured to use IP reputation for blocking connections.

Posted by: josephdurnal | February 17, 2009 8:52 PM | Report abuse

As most mail administrators, I have administered multiple mail systems in multiple environments for several years. I've seen everything from an early Sendmail to the monstrosities that offer complete environments. What I can say is this...

Not knowing the configuration of these giants' roaming/outgoing/outbound/whatever-they-call-it servers and commenting on port 25 without knowing these configurations coupled with not referencing the very material you're touting with your "port 587", diminishes your credibility with those that actually do have experience in the field as well as paints you as a babbling buffoon. Sure, we all hate spam and spammers and some of us even wish 1000 deaths upon those that bombard us daily, but let's face it... spammers are growing and they are relentless. While this port change you're advocating does slow down spammers, it's only a temporary diversion until they find whatever port you are running on and pick up where they left off. The only interesting thing you have posted is the stats on spam. The ratios are quite astounding; but whatever these guys' problems are, the port is not the issue. You could configure a mail server to run on any port. Granted, you wouldn't be exchanging mail with the rest of the community if you didn't use one that's recognized, but you could do it.

Anyone that has ever operated a mail server and read any of the RFCs can quickly tell you that there is no difference in using port 587 and port 25 if the same measures that RFC 4409 (the RFC speaking to port 587) are implemented on port 25 (including smtp-auth). Authentication, verification, filtering, and rejection are not exclusive to port 587 as this article would like you to believe. Most ISP's and webhosting companies do this very thing on port 25 for specific mail servers. Try reading RFC 4409 (the RFC that speaks to port 589). All it does is create a scenario where an SMTP server is to be run on port 589 instead of 25 for no other reason than to behave like what most servers in a responsible environment are already doing. Yes, they are acting like submission servers... so what? If that is their purpose, they're doing what they are supposed to - regardless of what port they are running on.

This appears to be nothing more than an uninformed/misinformed slam article directed at the big guys.

Quick! Get the Magic Server Pixie Dust! These readers are buying anything now! (And, apparently, so is the Post.)

Posted by: smtpguy | February 17, 2009 9:42 PM | Report abuse

Don't mix up a change in the protocol Verizon customers use to reach VZ's mail servers with a change in what protocols VZ allows their customers to use to deliver mail directly. VZ customers who wanted to use VZ's mail servers are changing from Port 25 to the better-authenticated Port 587, and this will make it harder to steal their passwords and easier to keep them from spamming, but most ISPs do that pretty effectively anyway, so it won't block much spam.

What it won't change is that people who run their own mail servers at home can still use Port 25 SMTP mail transfer to deliver their mail, whether they're real humans running Linux or virus-infected zombie corpses running spamware. Some ISPs like to block port 25 to interfere with both types of mail servers, which in my opinion is a bad idea. Real users can also use SSL-encrypted secure ports like 465 to deliver mail; it's a bit slower, so the zombies don't usually use it, but it's not like they care about wasting CPU time.

This move by Verizon is a good thing, but it's not going to change overall spam much. On the other hand, spammers-vs-ISPs is an arms race, and this will give us a few more tools to use.

Posted by: hype1 | February 18, 2009 12:13 AM | Report abuse

I have been shocked by Verizon's spam statistics for some time, and as a FiOS customer, have had several messages blocked because they originate from a Verizon IP that is on various block lists.

It would be useful, however, to know how much spam an ISP generates on a per subscriber basis, since naturally larger ISPs will generate more spam overall, even if they are actually regulating the problem more effectively than some smaller ISPs. I doubt that's the case with Verizon, but simply by comparing total spam associated with Verizon, it is impossible to tell for sure.

Also, those of you using Thunderbird and subscribing to Verizon can make the change to Port 587 outbound now, while you're thinking of it (and avoid paying williehorton, above, $90 eventually). Simply go to Tools ==> Account Settings ==> Outgoing Server (SMTP) ==> Edit (after highlighting your Verizon server, if necessary), then plug in "587" instead of the "25" that may be in the Port box already.

You may need to specify a TLS secure connection as well; I'm not sure. But it's easy to experiment by sending yourself an email message. When I changed it a moment ago, it worked right away. Good luck.

Posted by: rboltuck | February 18, 2009 7:12 AM | Report abuse

...and, as a Mac fan, people wonder why I don't have an iPhone! Hello! Verizon has the best customer service in the business.

Posted by: mibrooks27 | February 18, 2009 1:32 PM | Report abuse

There's a difference between not going into all the gory details, and being a "babbling buffoon". It's inaccurate to say "While this port change you're advocating does slow down spammers, it's only a temporary diversion until they find whatever port you are running on and pick up where they left off." That would be true if the only difference between port 25 and port 587 is the port number. But such a change would be worse than pointless, it would merely add large customer support costs while providing no benefit.

It's true that "You could configure a mail server to run on any port. Granted, you wouldn't be exchanging mail with the rest of the community if you didn't use one that's recognized, but you could do it." but it's also totally beside the point.

It's misleading to say that "Anyone that has ever operated a mail server and read any of the RFCs can quickly tell you that there is no difference in using port 587 and port 25 if the same measures that RFC 4409 (the RFC speaking to port 587) are implemented on port 25 (including smtp-auth). Authentication, verification, filtering, and rejection are not exclusive to port 587 as this article would like you to believe."

The reason for having two ports (25 and 587) is to separate mail submission from mail relay. Mail submission is to be done only by authorized entities, such as customers, and needs to be authenticated so the server knows which specific account is submitting the message. Such messages are then accepted for delivery to anyone anywhere.

By contrast, mail relay is done by arbitrary entities who can't be authenticated because there is no prior relationship. Hence, mail relay should only be accepted for delivery to local entities.

Because of this key difference, it's just not true that there is "no difference in using port 587 and port 25", neither can "the same measures that RFC 4409 (the RFC speaking to port 587) are implemented on port 25 (including smtp-auth)". Of course, it's possible to separate the servers, and run a submission-only server on port 25 that is distinct from a different relay-only server that is also on port 25, but that is generally more complex and harder to manage.

Posted by: emailguy | February 18, 2009 3:22 PM | Report abuse
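
The submission/relay split described in the comment above, as an added example (not part of the original thread and not any ISP's actual configuration): a minimal model of the two accept policies, run against constructed client sessions. The domains, the account and the reply texts are assumptions made for illustration, and TLS, which a real submission service would use to protect AUTH PLAIN, is left out.

```python
import base64
import hmac

LOCAL_DOMAINS = {"example.net"}         # constructed: domains this server hosts
ACCOUNTS = {"alice": b"correct-horse"}  # constructed customer credentials


class Session:
    """One SMTP session; the port selects the policy (587 submission, 25 relay)."""

    def __init__(self, port):
        self.port = port
        self.user = None  # set only after a successful AUTH

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":  # only the submission service advertises AUTH here
            return "250 AUTH PLAIN" if self.port == 587 else "250 OK"
        if verb == "AUTH" and self.port == 587:
            return self._auth(arg)
        if verb == "MAIL":
            need_auth = self.port == 587 and self.user is None
            return "530 5.7.0 Authentication required" if need_auth else "250 OK"
        if verb == "RCPT":
            return self._rcpt(arg)
        return "502 5.5.1 Command not implemented"

    def _auth(self, arg):
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 5.5.4 Unrecognized authentication type"
        try:  # AUTH PLAIN payload is base64("authzid\0user\0password")
            raw = base64.b64decode(blob, validate=True).decode()
            _, user, password = raw.split("\0")
        except ValueError:
            return "501 5.5.2 Cannot decode AUTH response"
        expected = ACCOUNTS.get(user, b"")
        if not expected or not hmac.compare_digest(expected, password.encode()):
            return "535 5.7.8 Authentication credentials invalid"
        self.user = user
        return "235 2.7.0 Authentication successful"

    def _rcpt(self, arg):
        domain = arg.partition(":")[2].strip().strip("<>").rpartition("@")[2].lower()
        if self.port == 587:  # submission: known account, any destination
            return "250 OK" if self.user else "530 5.7.0 Authentication required"
        if domain in LOCAL_DOMAINS:  # relay: no auth, local recipients only
            return "250 OK"
        return "550 5.7.1 Relaying denied"


def run(port, lines):  # feed client lines to a fresh session, return reply codes
    session = Session(port)
    return [session.handle(line).split()[0] for line in lines]


def auth_plain(user, password):  # build the client's AUTH PLAIN command line
    return "AUTH PLAIN " + base64.b64encode(f"\0{user}\0{password}".encode()).decode()
```

With these policies an unauthenticated client gets 530 on port 587 and 550 on port 25 for any recipient outside the local domains, while an authenticated customer on 587 can send anywhere and is identified by account.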

Oh, Snap!

Posted by: JkR- | February 18, 2009 4:21 PM | Report abuse

Easy on poor Brian K - he got the essentials right: Verizon will be requiring the sender to authenticate him or herself with a username and password before it will permit the sending or relaying of e-mail. No matter what port is used, authentication is the key. The spammers will adjust, I am sure, but this is a vitally needed change.

RCN made this switch (without notice!) a month or so ago and I had to reconfigure a number of machines to be able to send mail again. It was clear what RCN had done after mail started to stack in the outbox and examining the pop3 logs showed entries like: "Server requires authentication." The average user will probably have to call Verizon to get it straightened out since they probably won't be able to email anyone about the problem once Verizon makes the change!

A larger issue is that the Feds are close to clueless about securing the internet infrastructure. Instead of going after the waves of people and foreign gov'ts invading the US's computers, they're busy chasing a bunch of bearded fanatics around the mountains halfway across the world. How can we hope to solve their problems when we can't even solve our own?

We're always fighting yesterday's wars, it seems. The idea that there are millions of zombie PCs on US net should be anathema to Homeland Security, but they're too busy inspecting shoes, belt buckles and suspicious looking water bottles to care about real threats.

As an aside, can anyone tell me why the WaPo site is so heavily infested with javascript? When I'm forced to use dial-up access (Oh, the horror!) the WaPo site is the slowest and most unusable of any newspaper site in the country. A typical page load seems to resend some parts of the page over and over again. Surf with javascript turned off and you'll end up in one of the inner rings of hell, forced to sign in between every page jump.

In an era of folding newspapers, you would expect website designers for newspapers to opt for attracting as many readers as possible. Instead, the Post designers have the worst case of featuritis I've seen in a long time. Don't they know why Google got rich? KISS!

Peggy

Posted by: Peggy_M | February 18, 2009 4:28 PM | Report abuse

Well, count me as unhappy. I am a Verizon DSL subscriber, and I don't see anything about this in my inbox or on their web site. They seem to have implemented it already, and my wife is even less happy about it.

Posted by: Pogo3 | February 18, 2009 5:52 PM | Report abuse

Verizon has outgoing.verizon.net mail server listening on port 587, but it doesn't seem to require password authentication, only a user name consistent with the FROM header. I'm using Thunderbird, and I can send mail on port 587, as described above, with no entry in the saved password list, and I'm not prompted for a password.

Is Verizon planning to also require a password? All they're doing now is requiring a spammer to know the name of a Verizon e-mail account, and be willing to spoof the e-mail as coming from that address, the very thing they'd like to do anyway.

Posted by: mark51 | February 19, 2009 12:28 AM | Report abuse

@smtpguy

You lose credibility right away with those of us who read Brian's column regularly when you say he's a "babbling buffoon". If Brian got something wrong, by all means correct him; but that's quite a leap you're making there. Maybe you should switch your handle to nomiddlegroundguy.

And it seems that Brian got it right in his article anyway; so if there's a babbling buffoon in this thread it's not Brian.

Posted by: mark51 | February 19, 2009 12:35 AM | Report abuse

@Peggy

Ditto on the heavy WaPo pages. I think my house lights get dimmer every time the WaPo main page refreshes. I wrote an HTML proxy a couple years ago, which parses every HTML page and inserts a proxy string at the beginning of each url reference. I used the WaPo site as my test bed, since if I could process those pages correctly I could handle anything. And I never did get it working properly with WaPo pages.

Posted by: mark51 | February 19, 2009 12:43 AM | Report abuse

mark51,

Perhaps you misunderstood me when I made the statement. What came immediately before the remark is "with those that actually do have experience in the field". And that was, I admit, a knee-jerk response to a published statement that was inaccurate and avoidable with minimal homework.

Re-reading it, I honestly didn't mean it as harshly as it sounded - though it couldn't sound any other way. It wasn't meant as a personal attack on him, but was merely to add emphasis to a scenario that included anyone that would make inaccurate claims without research. Same as if you were a certified mechanic and you overheard some shade-tree giving one of their customers an explanation that was, while achieving the same ends as you would take, somewhat bogus. No, I'm not calling him a shade-tree mechanic. I'm sure he has vast knowledge in areas that would put me at a two-year old level. I'm locked into small areas of special interest.

All this being said, I'm sure that after re-reading what he wrote, Brian will even admit that part of his article was mistaken.

I apologize, Brian, if I came off as sandblasting you.

Posted by: smtpguy | February 19, 2009 1:06 AM | Report abuse

At the ICANN meetings in London (UK) last week I finally came to understand why the issues of spam are so intractable. The Domain Name System is run by the registrars for the registrars. Those wishing to cleanse the system are not aware how cheap it is to join, for example, ICANN, and help change the balance of power.

I have included the necessary links in my latest blog for the UK's Computer Weekly

http://www.computerweekly.com/blogs/when-it-meets-politics/2009/02/is-the-internet-really-only-48.html

Posted by: PhilipVirgo | February 19, 2009 9:00 AM | Report abuse

@PV

Thanks for the link!

Posted by: featheredge9 | February 19, 2009 8:01 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company