M³AAWG Reminds all Service Providers Carrying Email: Block Access to Port 25

Connectivity providers continually battle against spammers and abusers who exploit their networks by anonymously hijacking customer computers and connecting to the network through unblocked ports. Despite improved network management practices, port 25 is still misused by bad actors. 

Manage Port 25 to Prevent Customers from Accidentally or Deliberately Sending Spam  

It’s been almost two decades since the Messaging Malware Mobile Anti-Abuse Working Group (M³AAWG) first published guidance on managing port 25. A team inside M³AAWG’s Expert Advisor Program recently reviewed that guidance. Blocking port 25 for all but a few restricted purposes is still considered an industry best practice.

In an updated Best Common Practices for Managing Port 25 for Internet Protocol (IP) Networks, M³AAWG recommends continued vigilance over port 25 in the battle to prevent compromise of provider networks.   

“As new networks come online, and existing networks expand and change their equipment, it might seem obvious that they need to be sure they’re configured securely, but surprisingly often they aren’t, and a reminder helps,” said John Levine, an expert advisor with M³AAWG.

M³AAWG Expert Advisors conducted the document review and analysis of recommended practices. The team found port 25 continues to be exploited by spammers and abusers.

Barry Leiba, M³AAWG Expert Advisor, added that minor updates were made to the document but, “The key point is that it says substantially what it did 18 years ago: blocking port 25 in most cases is the single most important operational practice for preventing your network from being used to send spam.”

How Zombies Invade, Drive up Costs and Blocklist Your Network

A customer’s computer can be anonymously reconfigured to operate as a sending email server.

These undetected “zombies” or “botnets” are used to connect directly to SMTP hosts.

The customer often experiences sluggish performance, particularly when doing network-intensive tasks such as gaming or video streaming.

The spammer may be saturating upstream bandwidth and limiting downstream bandwidth.

Complaints to customer support, abuse, and network operations departments can drive costs to painful heights if even a small number of “zombie” devices are present.

The provider may also soon find that its entire network is “blocklisted,” prohibited from sending email to popular destinations based on the pattern of abuse originating from its network.

7 Steps to Prevent Email Transmission Abuse

M³AAWG continues to recommend the following set of Email Transmission Best Practices for internet and Email service providers:

1. Provide email submission services on ports 465 and 587 as described in Request For Comments (RFC) 6409 and the updates in RFC 8314.
2. Require authentication for email submission as described in RFC 4954.
3. Allow customer hosts to connect to port 465 and 587 submission servers on your network and on other networks.
4. Configure email client software to use port 465 or 587 and authentication for email submission.
5. Block access to port 25 from all hosts on your network other than those that you explicitly permit to operate as SMTP relays. Such hosts will certainly include your own email submission servers and may also include the legitimate email submission servers of responsible customers.
6. Block incoming traffic to your network from port 25 other than to authorized SMTP relay hosts. This prevents potential abuse from spammers using asymmetric routing and spoofing of IP addresses on your network.
7. Ensure that all hosts send traffic only with their own source IP address to prevent abusive asymmetric routing as advocated by the Mutually Agreed Norms for Routing Security (MANRS) project.

The Benefits of Secure Email Transmission

A provider requiring authentication and aggregating email transmission traffic through SMTP relays will realize these benefits:

• They can identify the party responsible for submitted messages.
• They can filter out spam, viruses, and other abusive message payloads.
• They can monitor and limit, per customer and/or in aggregate, transmission rates.
• They can enforce acceptable use policies and terms of service for email submission.

Customer Education is Key

• Implementing the steps outlined above will help ensure infected computers can no longer be vehicles of anonymity.
• Victimized computers can be rapidly identified and quarantined until the owner becomes aware of the problem and corrects it.
• In the process, customers are educated about security threats and are encouraged to better protect themselves.

Block Access to Port 25 and Keep Your Network Safe

M³AAWG continues to recommend diligence over the security of port 25 and all ports used in email transmission.  Implementing these best practices increases security for the provider and all end users.  

More details can be found in the updated document Best Common Practices for Managing Port 25 for IP Networks.

M³AAWG continually publishes best practices and white papers to provide the industry with recommendations and background information to help fight online abuse. Visit the Best Practices library on our webpage.