Tuesday, September 15, 2009

LIME St. Lucia Communicates to Customers on SMTP Blocking Issue - with Tight Deadline?

This is an update to the precursor articles:
  • LIME St. Lucia SMTP Blocking - End User Edition
  • 2009-09-12 - LIME St. Lucia - Blocks SMTP Communication - Outbound Traffic on Port 25 - Disrupts a Business from Sending E-mail for at Least 1 Week!


On September 15th, 2009, at 10:35 hours AST (Atlantic Standard Time) LIME St. Lucia sent an e-mail to customers titled "FW: Email Experience/Spamming":
  1. Requesting information on the mail servers used by their business.
  2. Encouraging those hosting mail servers on-site and using dynamic IP addresses to move to using a static IP address.
  3. Requesting the information be sent by close of business today (September 15th, 2009).

Clearly they have not accounted for the situation where clients do not host an on-site mail server (and therefore have no need for a static IP address, which carries a monthly recurring cost) and simply wish to maintain communication with their third-party e-mail service provider!


Consider the scenario where an employee expects to access his e-mail from Microsoft Outlook on his residential LIME-provisioned ADSL connection at his home. This e-mail could be hosted either on his business place's on-site mail server or on that of a 3rd party provider. Let's hope that employee and his technical support / e-mail service providers are aware of the alternative means of regaining productivity!


Where are the Caribbean's Telecommunication Regulatory Authorities and Consumer Commissions on this matter? I know I e-mailed NTRC (http://www.ntrc.org.lc) at ntrc_slu@candw.lc - e-mail from their web page!


As of September 15th, 2009, 13:20 hrs AST no update had been made to the Service Alerts (http://www.time4lime.com/whats_new.jsp?whats_menu=Service_Alerts) or Press Releases (http://www.time4lime.com/whats_new.jsp?whats_menu=Press_Releases) section of the LIME St. Lucia web-site.


By the way, those direct hyper-links above are likely to fail because the web server would NOT know the country context unless it was chosen on the LIME Home Page (http://www.time4lime.com). Any further discussion on this is for another blog though. :-)

Monday, September 14, 2009

LIME St. Lucia SMTP Blocking - End User Edition

By: Jason Hynds
Site: http://jsun4it.blogspot.com
Date: 2009-09-14


LIME St. Lucia was discovered to be one of the sites for a hush-hush change in network policy that blocks persons from sending e-mail through third-party E-mail Service Providers (ESP) using SMTP (Simple Mail Transfer Protocol) on TCP (Transmission Control Protocol) port 25.

LIME St. Lucia (http://www.time4lime.com) has not issued any on-line alerts on this change in policy. Checks were made up to September 12th, 2009 on their Service Alerts web page - which was empty, and also with other informational pages such as Press Releases and Promotions.

This network policy change apparently intends to combat spam originating on the LIME network, especially from subscribers with infected computers commonly called zombies. These zombie computers can act as spam sources by mimicking the functionality of mail servers. Such spamming computers can consume significant network bandwidth and cause the spammed destinations to complain to the customers' Internet Service Provider (ISP).

Unfortunately the same SMTP on port 25 is popularly used for legitimate business communication. In particular, end users and businesses utilizing third-party ESPs are expected to be affected by this policy change. It is suspected that those using LIME St. Lucia as their ESP remain unaffected, but this has not been confirmed. This possibility, however, raises the question of whether this action can be considered an anti-competitive business practice, especially since the choice of Internet Service Providers (ISP) is limited, and most local and regional ESPs are likely to be considerably smaller and less technically resourced than LIME.

This network policy change may have resulted in multi-day and multi-week outages for some customers and shaken their confidence in their otherwise innocent ESPs. Some affected LIME clients have been notably peeved at what has been seen as the lack of proper notice from LIME.

The network policy change is known to affect ADSL (Asymmetric Digital Subscriber Line) subscribers. It is however possible that, at least on initial roll-out, leased line customers were also affected. This change in policy appears to be 2 to 3 weeks old at the time of publication.

For ADSL subscribers looking to resolve this issue, LIME states they must first migrate to a premium business package, at additional cost - if not already on one. Perhaps at no additional cost the customer can use LIME St. Lucia as a smart host - as this is the standard practice by ISPs who implement this policy.

The SMTP protocol on port 25 has traditionally been used for both:
  1. sending e-mail messages between end-user e-mail client software (such as Microsoft Outlook, Mozilla Thunderbird and Eudora) and mail servers - a process known as message submission and,
  2. for sending e-mail between source and destination e-mail servers - a process called message relaying.
The actual correct solution to resolve a problem in message submission is for the customer and their ESP to utilize message submission on port 587, instead of port 25, as described in RFC 4409 (http://tools.ietf.org/html/rfc4409). LIME St. Lucia does not block this port. By applying this solution, the customer is neither coerced into paying LIME St. Lucia more money in order to work around its silent change in network policy, nor does he/she have to introduce LIME's mail servers into the process of message delivery (thus keeping technical support responsibility for mail issues cleanly separated according to whether messages are being sent or received).
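The troubleshooting difficulty described in this series comes from port 25 silently timing out while port 587 still works. The following is an added diagnostic, not part of the original post: it probes both ports at an ESP and reads the pattern of results. The host name is a constructed placeholder; substitute your own ESP's server.

```python
import socket
from typing import Dict

# Constructed placeholder; replace with your own ESP's submission server.
ESP_HOST = "mail.example.net"
PORTS = {"smtp": 25, "submission": 587}


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Attempt a TCP connect and classify the outcome.

    "open"     - three-way handshake completed
    "refused"  - host answered with RST (no listener, not a block)
    "filtered" - no answer before the timeout: the usual signature of an
                 upstream block such as the ISP port 25 filter discussed here
    "error"    - anything else (e.g. DNS resolution failure)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def diagnose(results: Dict[int, str]) -> str:
    """Turn per-port probe results into a troubleshooting verdict."""
    smtp, submission = results.get(25), results.get(587)
    if smtp == "filtered" and submission == "open":
        return ("port 25 appears blocked in transit while 587 is reachable: "
                "reconfigure the mail client for submission on 587 (RFC 4409)")
    if smtp == "filtered":
        return "both ports unreachable: check local firewall and DNS before blaming the ISP"
    if smtp == "open":
        return "port 25 reachable: the outage is not a port 25 block"
    return "inconclusive: rerun with a longer timeout or from another network"


if __name__ == "__main__":
    found = {p: probe(ESP_HOST, p) for p in PORTS.values()}
    for port, state in found.items():
        print(f"{ESP_HOST}:{port} -> {state}")
    print(diagnose(found))
```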

To resolve an issue with message relaying - where a publicly accessible mail server is operated on-site - it may be necessary to request a site exception to this policy from LIME St. Lucia.

If further silence comes from LIME on this issue, other jurisdictions should probably brace for similar policy changes.

Sunday, September 13, 2009

2009-09-12 – LIME St. Lucia – Blocks SMTP Communication – Outbound Traffic on Port 25 – Disrupts a Business from Sending E-mail for at Least 1 Week!

What Has LIME St. Lucia Done?

LIME St. Lucia has blocked e-mail communication in a manner that stops Asymmetric Digital Subscriber Line (ADSL) Internet service subscribers from being able to send e-mail from desktop (or end-user) e-mail clients such as Microsoft Outlook, Microsoft Outlook Express, Mozilla Thunderbird, Eudora etc.



An Introduction to ESMTP

Extended Simple Mail Transfer Protocol (ESMTP) is a protocol used to transport Internet mail. It is used both as:

  1. An inter-server transport protocol (transfer of messages between mail servers on the Internet) and,

  2. As a mail submission protocol (transfer of messages from end-user e-mail clients to their subscribing mail server - often with restricted behaviour enforced).

The protocol operates on Transmission Control Protocol (TCP) port 25 [http://en.wikipedia.org/w/index.php?title=Extended_SMTP&oldid=312435768].



Message Submission and Secure SMTP

For years, port 25 has been the well known port for Simple Mail Transfer Protocol (SMTP) communication. However, under the weight of Internet spam, concerted efforts were made to separate inter-server transport from mail submission via the development of a message submission protocol (see RFC 4409 - Message Submission for Mail (April 2006) at http://tools.ietf.org/html/rfc4409) and the use of a separate well known port for this function. In essence, very similar software, and essentially the same SMTP protocol, is used for both functions. The separation of the two (2) functions lends itself to better e-mail management and security policies.

The adoption of a Message Submission specific port, notably port 587, as well as other secure SMTP communication ports such as those for SMTP over SSL or TLS, has had a quite slow roll-out amongst both E-mail Service Providers (ESP) and end-users. Some system / network / e-mail / security administrators are blissfully unaware of their existence. Clear evidence of this is:

  1. The absence of these services on some nationally and internationally popular mail servers and,

  2. Firewall policies at some sites that specifically prohibit communication on the ports that these services use.

Thus, port 25 is usually the most popular port used by E-mail Service Providers (ESP) and by local mail server implementations to communicate both with end-user e-mail software and with other mail servers when sending e-mail.


Concerns with the Blocking of TCP Port 25

It is in this context we address the action by LIME St. Lucia. The major concerns with its action are:

  1. The business communication disruption to persons using end-user e-mail client software to communicate with an external, Internet-based mail server to which they are subscribers. Typically, that external mail server performs an e-mail relaying service on behalf of the e-mail subscriber. Most small and medium-size businesses (SMB) with simple local network architectures would have such a set-up, some relying on LIME St. Lucia to perform this service, others relying on some third party provider.

  2. The difficulty in troubleshooting this type of issue without explicit knowledge of LIME St. Lucia's change in policy. Otherwise, it could take significant time to stumble on this issue or to conclusively rule out other possibilities.

  3. The absence of information pertaining to this policy in the Service Alerts or other informational sections of LIME St. Lucia's web-site (http://www.time4lime.com).

Specific to two (2) known cases of service disruptions emanating from this action by LIME:

  1. A business endured a disruption in service for at least 1 week without knowing that the fault lay with its Internet Service Provider (ISP).

  2. In another, the site's Information Technology (IT) personnel initially attributed the fault to a configuration or failure condition in the network-level firewall and, at the very least, wasted time trying to swap devices.

An important question is, how much money do those outages translate into? How many more cases of this exist?

Presumably, Internet subscribers of business-class services, as well as those paying for static IP addresses, were immune to this network configuration issue. Or alternatively, such persons were suitably and comprehensively informed, inclusive of mitigation measures such as:

  1. The provision of a smart host to use to circumvent this SMTP blockage and,

  2. Informing on the use of the message submission protocol.

As the author is not based in St. Lucia, further assessment on this is not possible without persons sharing their experience. However, information reaching me suggests this issue also occurred with Internet leased circuit subscribers.



Conclusions

There are several problems with the application of the solution of blocking TCP port 25 in response to whatever network performance or security issues LIME St. Lucia had encountered:

  1. There are better solutions for blocking communication from illegitimate mail servers.

  • At the destination mail server level employing:

  1. DNS Blackhole Lists (DNSBLs) that list dynamically assigned IP addresses can stop unauthenticated SMTP communication attempts from zombie computer systems before they are able to transfer bulky or malicious data to the destination mail server.

  2. Grey-listing can slow down or avoid spam sources from being able to successfully transfer messages to a destination mail server, depending on the configuration of the grey-listing and the spam source.

  3. Certain e-mail validation / authentication schemes such as Sender Policy Framework (SPF) can be used to reject mail from unauthorized originating mail servers.

  • Perhaps LIME's network engineers can identify the users / spam sources that led to this SMTP blocking decision and inform them of their non-compliance with the Acceptable Use Policy (AUP) associated with their service:

  1. The captive portal solutions used by LIME Barbados to notify of ADSL modem upgrades may be employed to notify offending users of their situation, or alternatively a simple telephone call or letter.

  2. This may be an opportunity to partner with an Information Technology (IT) support organization to offer “for fee” corrective service to subscribers afflicted with malware.

  3. Resolution of the issue, or mitigation of it, may involve the use of some host-based or network-level firewall that restricts outbound SMTP traffic, on a per computer or per site basis, to the finite list of valid mail relay servers.

  4. Additionally, it would be useful to identify the source computer(s) and application(s) / process(es) performing the malicious SMTP activity and to disinfect the machine(s) whilst enacting measures to avoid a repeat of similar infections.

  5. The level of corrective service could be based on client desire and budget.

  6. However, a zombie computer may be under-performing for the end-user and making the end-user(s) think that LIME St. Lucia's Internet service is slow. Therefore, identifying and correcting the real issue could yield reputation benefits.

  • Although I am not specifically sure of the operation or availability of the SMTP proxy setting described here, it seems such an operation is likely and could allow a network operator to restrict its user base to using SMTP-AUTH communication from its network or otherwise to communicating from mail servers with legitimate host names. The network operator would thus funnel SMTP traffic through the proxy and it would reject SMTP traffic once:

  1. SMTP-AUTH fails or alternatively,

  2. The HELO / EHLO greeting host name does not match the originating IP address when a DNS A record lookup is performed on the host name.

  2. It is possible this action of blocking SMTP communication may be considered monopolistic and malicious against third party E-mail Service Providers (ESP), specifically if the Internet Service Provider has blocked SMTP communication to all Message Transfer Agents (MTA) other than its own.
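The SMTP proxy policy sketched in the bullet above (accept authenticated sessions, otherwise require the HELO/EHLO name to resolve to the connecting address) can be written down as a small decision function. This is an added example, not code from the post or from any ISP; it uses a constructed DNS table in place of real A record lookups so that it runs offline, and it also accepts RFC 5321 address literals such as "[192.0.2.10]" in the greeting, which the post does not mention.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Constructed stand-in for DNS A records (hostname -> IPv4 addresses).
FAKE_DNS: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "mx.partner.example": ["198.51.100.7", "198.51.100.8"],
}

Resolver = Callable[[str], List[str]]

# RFC 5321 address literal form of a HELO/EHLO argument, e.g. "[192.0.2.10]".
_LITERAL = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]$")


def lookup_a(name: str, dns: Dict[str, List[str]] = FAKE_DNS) -> List[str]:
    """A record lookup over the constructed table (swap in a real resolver)."""
    return dns.get(name.lower().rstrip("."), [])


def helo_matches_source(helo: str, src_ip: str, resolve: Resolver = lookup_a) -> bool:
    """True when the greeting names the connecting host: either an address
    literal equal to the source IP, or a hostname whose A records contain it."""
    try:
        src = ipaddress.IPv4Address(src_ip)
    except ValueError:
        return False
    m = _LITERAL.match(helo.strip())
    if m:
        try:
            return ipaddress.IPv4Address(m.group(1)) == src
        except ValueError:
            return False
    return any(addr == str(src) for addr in resolve(helo))


def proxy_decision(auth_ok: Optional[bool], helo: str, src_ip: str,
                   resolve: Resolver = lookup_a) -> str:
    """Policy from the post: pass sessions that completed SMTP-AUTH, reject
    failed AUTH, and for unauthenticated sessions require the HELO/EHLO name
    to resolve back to the originating address. auth_ok is None when the
    client never attempted AUTH."""
    if auth_ok is True:
        return "accept: authenticated submission"
    if auth_ok is False:
        return "reject: SMTP-AUTH failed"
    if helo_matches_source(helo, src_ip, resolve):
        return "accept: greeting matches originating address"
    return "reject: HELO/EHLO does not resolve to originating address"
```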



RECOMMENDATIONS

LIME St. Lucia should seriously consider reversing this policy and utilizing other means to handle whatever problem they had. Really, this network policy decision must be informed by the human and the business perspective, especially in terms of productivity loss, cost of outage and cost of remedial IT services.

The use of the message submission TCP port 587 for SMTP-AUTH communication needs to be introduced to the user base and a smart host feature may be provided. However, further concerns may exist with blocking communication to all other mail server providers other than the ISP's own.

A more offender-specific - that is, targeted - blocking, together with further corrective action, needs to be employed rather than the use of broad-spectrum and disruptive network policy settings.

If this SMTP blocking is later deemed the only viable long-term solution, there needs to be a notification and education campaign to reduce possible harsh effects to end-user and business place productivity and any attribution of uncompetitive practices to the company. This is especially the case if the consumer does not actually have the real power of choice with respect to any affected business-level Internet service.

LIME St. Lucia should ensure the dynamic IP ranges issued to dial-up and DSL clients are registered with the appropriate DNS-based Blackhole List (DNSBL), e.g. the Spamhaus Policy Block List (PBL) http://www.spamhaus.org/pbl/. Such IP addresses should theoretically never be used to operate Mail Transfer Agents (MTA), and most e-mail administrators would expect this to be the case.

Any destination mail servers afflicted with a spam problem originating from a LIME St. Lucia IP range should seriously consider improving their e-mail administration and security practices, especially by employing the DNSBL containing a list of dynamically assigned public IP addresses issued by ISPs.

If LIME St. Lucia has an issue with bandwidth utilization for spam activities originating from their subscribers, there is likely another, more suitable, service provider network solution to this problem other than full TCP port 25 blocking.