Sunday, September 13, 2009

2009-09-12 – LIME St. Lucia – Blocks SMTP Communication – Outbound Traffic on Port 25 – Disrupts a Business from Sending E-mail for at Least 1 Week!

What Has LIME St. Lucia Done?

LIME St. Lucia has blocked e-mail communication in a manner that stops Asymmetric Digital Subscriber Line (ADSL) Internet service subscribers from being able to send e-mail from desktop (or end-user) e-mail clients such as Microsoft Outlook, Microsoft Outlook Express, Mozilla Thunderbird, Eudora etc.



An Introduction to ESMTP

Extended Simple Mail Transfer Protocol (ESMTP) is a protocol used to transport Internet mail. It is used both as:

  1. An inter-server transport protocol (transfer of messages between mail servers on the Internet) and,

  2. As a mail submission protocol (transfer of messages from end-user e-mail clients to their subscribing mail server - often with restricted behaviour enforced).

The protocol operates on Transmission Control Protocol (TCP) port 25 [http://en.wikipedia.org/w/index.php?title=Extended_SMTP&oldid=312435768].



Message Submission and Secure SMTP

For years, port 25 has been the well known port for Simple Mail Transfer Protocol (SMTP) communication. However, under the weight of Internet spam, concerted efforts were made to separate inter-server transport from mail submission via the development of a message submission protocol (see RFC 4409 - Message Submission for Mail (April 2006) at http://tools.ietf.org/html/rfc4409) and the use of a separate well known port for this function. In essence, very similar software, and essentially the same SMTP protocol, is used for both functions. The separation of the two (2) functions lends itself to better e-mail management and security policies.

The adoption of a Message Submission specific port, notably port 587, as well as other secure SMTP communication ports such as those for SMTP over SSL or TLS, has seen a rather slow roll-out amongst both E-mail Service Providers (ESP) and end-users. Some system / network / e-mail / security administrators are blissfully unaware of their existence. Clear evidence of this is:

  1. The absence of these services on some nationally and internationally popular mail servers and,

  2. Firewall policies at some sites that specifically prohibit communication on the ports that these services use.

Thus, port 25 is usually the port used by E-mail Service Providers (ESP) and by local mail server implementations to communicate both with end-user e-mail software and with other mail servers when sending e-mail.


Concerns with the Blocking of TCP Port 25

It is in this context we address the action by LIME St. Lucia. The major concerns with its action are:

  1. The business communication disruption to persons using end-user e-mail client software to communicate with an external, Internet-based mail server to which they are subscribers. Typically, that external mail server performs an e-mail relaying service on behalf of the e-mail subscriber. Most small and medium-size businesses (SMB) with simple local network architectures would have such a set-up, some relying on LIME St. Lucia to perform this service, others relying on some third party provider.

  2. The difficulty in troubleshooting this type of issue without explicit knowledge of LIME St. Lucia's change in policy. Otherwise, it could take significant time to stumble on this issue or to conclusively rule out other possibilities.

  3. The absence of information pertaining to this policy in the Service Alerts or other informational sections of LIME St. Lucia's web-site (http://www.time4lime.com).

Specific to two (2) known cases of service disruptions emanating from this action by LIME:

  1. A business endured a disruption in service for at least 1 week without knowing that the fault lay with its Internet Service Provider (ISP).

  2. In another, site Information Technology (IT) personnel initially attributed the fault to a configuration or failure condition in the network-level firewall and, at the very least, wasted time trying to swap devices.
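The troubleshooting difficulty described above comes down to telling an upstream block from a local fault. The following is an added diagnostic example, not part of the original post: it connects from the subscriber's machine to its mail relay on ports 25, 587 and 465 and reports whether each connection is accepted, refused by the server, or silently dropped (the usual signature of an ISP filter). The host name `mail.example.com` is a placeholder for the subscriber's own relay.

```python
"""Probe outbound SMTP ports from a client to distinguish an ISP-level
port 25 block (connection silently dropped: "filtered") from a server
that is not listening ("refused") or is reachable ("open")."""
import errno
import socket
import sys

# Ports a mail client might be configured to use (RFC references only;
# port 465 is the de-facto SMTP-over-SSL port).
SMTP_PORTS = {25: "SMTP relay", 587: "message submission (RFC 4409)", 465: "SMTP over SSL/TLS"}


def probe(host, port, timeout=5.0):
    """Return 'open', 'refused' or 'filtered' for a TCP connect to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        # No SYN/ACK and no RST within the timeout: something in the path is dropping packets.
        return "filtered"
    except ConnectionRefusedError:
        # The host answered with RST: reachable, but nothing listens on that port.
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise


def diagnose(results):
    """Interpret a {port: state} map produced by probe()."""
    if results.get(25) == "filtered" and results.get(587) == "open":
        return "port 25 blocked upstream; use submission port 587 with SMTP-AUTH"
    if results.get(25) == "filtered" and results.get(465) == "open":
        return "port 25 blocked upstream; use SMTP over SSL/TLS on port 465"
    if results.get(25) == "open":
        return "port 25 reachable; look for the fault elsewhere (credentials, DNS, local firewall)"
    if all(state != "open" for state in results.values()):
        return "no SMTP port reachable; check the relay address or the site firewall"
    return "inconclusive: " + ", ".join(f"{p}={s}" for p, s in sorted(results.items()))


def probe_all(host, ports=SMTP_PORTS, timeout=5.0):
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    relay = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder relay name
    outcome = probe_all(relay)
    for port, state in sorted(outcome.items()):
        print(f"{port:>4} {SMTP_PORTS[port]:<30} {state}")
    print(diagnose(outcome))
```

Run it from the affected desktop with the relay's host name as the argument; a "filtered" result on port 25 beside an "open" result on 587 is the pattern the two cases above would have shown.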

An important question is how much money those outages translate into, and how many more cases of this exist.

Presumably, Internet subscribers of business-class services, as well as those paying for static IP addresses, were immune to this network configuration issue. Or alternatively, such persons were suitably and comprehensively informed, inclusive of mitigation measures such as:

  1. The provision of a smart host to use to circumvent this SMTP blockage and,

  2. Informing on the use of the message submission protocol.

As the author is not based in St. Lucia, further assessment on this is not possible without persons sharing their experience. However, information reaching me suggests this issue also occurred with Internet leased circuit subscribers.



Conclusions

There are several problems with the application of the solution of blocking TCP port 25 in response to whatever network performance or security issues LIME St. Lucia had encountered:

  1. There are better solutions for blocking communication from illegitimate mail servers.

  • At the destination mail server level employing:

  1. DNS Blackhole Lists (DNSBLs) that list dynamically assigned IP addresses can stop unauthenticated SMTP communication attempts from zombie computer systems before they are able to transfer bulky or malicious data to the destination mail server.

  2. Grey-listing can slow down or prevent spam sources from successfully transferring messages to a destination mail server, depending on the configuration of the grey-listing and the behaviour of the spam source.

  3. Certain e-mail validation / authentication schemes such as Sender Policy Framework (SPF) can be used to reject mail from unauthorized originating mail servers.

  • Perhaps LIME's network engineers can identify the users / spam sources that led to this SMTP blocking decision and inform them of their non-compliance with the Acceptable Use Policy (AUP) associated with their service:

  1. The captive portal solutions used by LIME Barbados to notify of ADSL modem upgrades may be employed to notify offending users of their situation, or alternatively a simple telephone call or letter.

  2. This may be an opportunity to partner with an Information Technology (IT) support organization to offer “for fee” corrective service to subscribers afflicted with malware.

  3. Resolution of the issue, or mitigation of it, may involve the use of some host-based or network-level firewall that restricts outbound SMTP traffic, on a per computer or per site basis, to the finite list of valid mail relay servers.

  4. Additionally, it would be useful to identify the source computer(s) and application(s) / process(es) performing the malicious SMTP activity and to disinfect the machine(s) whilst enacting measures to avoid a repeat of similar infections.

  5. The level of corrective service could be based on client desire and budget.

  6. However, a zombie computer may be under-performing for the end-user and making the end-user(s) think that LIME St. Lucia's Internet service is slow. Therefore, identifying and correcting the real issue could yield reputation benefits.

  • Although I am not specifically sure of the operation or availability of the SMTP proxy setting described here, such an operation seems likely and could allow a network operator to restrict its user base to SMTP-AUTH communication from its network, or otherwise to communication from mail servers with legitimate host names. The network operator would thus funnel SMTP traffic through the proxy, and it would reject SMTP traffic once:

  1. SMTP-AUTH fails or alternatively,

  2. The HELO / EHLO greeting host name does not match the originating IP address when a DNS A record lookup is performed on the host name.
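The proxy policy just described, together with the dynamic-IP DNSBL check from the first point above, can be expressed as a small decision routine. This is an added example, not code from the original post or from any ISP: it assumes an injectable resolver (`dns_a`) so it runs offline, and uses `dnsbl.example.net` as a placeholder for a real dynamic-IP blackhole list zone; the IP addresses and host names in the sample DNS data are constructed.

```python
"""Session policy for an ISP-side SMTP proxy: accept authenticated
sessions; otherwise reject sources listed in a dynamic-IP DNSBL and
sources whose EHLO/HELO name does not resolve to the connecting IP."""
import ipaddress

DNSBL_ZONE = "dnsbl.example.net"  # placeholder for the operator's chosen dynamic-IP DNSBL zone


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the reversed-octet DNSBL query name, e.g. 4.3.2.1.<zone> for 1.2.3.4."""
    addr = ipaddress.IPv4Address(ip)  # raises on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def listed_in_dnsbl(ip, dns_a, zone=DNSBL_ZONE):
    """DNSBLs answer a listed address with a record in 127.0.0.0/8; NXDOMAIN means not listed."""
    return any(answer.startswith("127.") for answer in dns_a(dnsbl_query_name(ip, zone)))


def helo_matches_ip(helo_name, ip, dns_a):
    """Forward-confirm the greeting: an A record of helo_name must equal the source IP."""
    return ip in dns_a(helo_name)


def smtp_session_policy(src_ip, helo_name, auth_ok, dns_a):
    """Return (accept, reason) for a session the proxy has intercepted."""
    if auth_ok:
        return True, "SMTP-AUTH succeeded; relayed as a message submission"
    if listed_in_dnsbl(src_ip, dns_a):
        return False, "unauthenticated session from a DNSBL-listed dynamic address"
    if not helo_matches_ip(helo_name, src_ip, dns_a):
        return False, f"EHLO/HELO name {helo_name!r} does not resolve to {src_ip}"
    return True, "unauthenticated but from a forward-confirmed mail server"


# Constructed sample DNS data: 198.51.100.20 is a dynamic subscriber address
# listed in the DNSBL; 203.0.113.10 is a legitimate MTA with a matching A record.
SAMPLE_DNS = {
    "20.100.51.198." + DNSBL_ZONE: ["127.0.0.11"],
    "mx.example.net": ["203.0.113.10"],
    "laptop.example.org": ["192.0.2.77"],
}


def sample_dns_a(name):
    """Stand-in resolver: returns the A records for name, or [] for NXDOMAIN."""
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    for ip, helo, auth in [("198.51.100.20", "laptop.example.org", False),
                           ("198.51.100.20", "laptop.example.org", True),
                           ("203.0.113.10", "mx.example.net", False)]:
        print(ip, helo, auth, smtp_session_policy(ip, helo, auth, sample_dns_a))
```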

  2. It is possible this action of blocking SMTP communication may be considered monopolistic and malicious against third party E-mail Service Providers (ESP), specifically if the Internet Service Provider has blocked SMTP communication to all Message Transfer Agents (MTA) other than its own.



RECOMMENDATIONS

LIME St. Lucia should seriously consider reversing this policy and utilizing other means to handle whatever problem they had. Really, this network policy decision must be informed by the human and the business perspective, especially in terms of productivity loss, cost of outage and cost of remedial IT services.

The use of the message submission TCP port 587 for SMTP-AUTH communication needs to be introduced to the user base and a smart host feature may be provided. However, further concerns may exist with blocking communication to all other mail server providers other than the ISP's own.

A more offender-specific, that is targeted, form of blocking, together with further corrective action, needs to be employed rather than the use of broad-spectrum and disruptive network policy settings.

If this SMTP blocking is later deemed the only viable long-term solution, there needs to be a notification and education campaign to reduce possible harsh effects on end-user and business productivity and any attribution of uncompetitive practices to the company. This is especially the case if the consumer does not actually have real power of choice with respect to any affected business-level Internet service.

LIME St. Lucia should ensure the dynamic IP ranges issued to dial-up and DSL clients are registered with the appropriate DNS-based Blackhole List (DNSBL), e.g. the Spamhaus Policy Block List (PBL) at http://www.spamhaus.org/pbl/. Such IP addresses should theoretically never be used to operate Mail Transfer Agents (MTA), and most e-mail administrators expect this to be the case.

Any destination mail servers afflicted with a spam problem originating from a LIME St. Lucia IP range should seriously consider improving their e-mail administration and security practices, especially by employing a DNSBL containing the dynamically assigned public IP addresses issued by ISPs.

If LIME St. Lucia has an issue with bandwidth utilization for spam activities originating from their subscribers, there is likely another, more suitable, service provider network solution to this problem other than full TCP port 25 blocking.

3 comments:

  1. Why would anyone in their right mind block port 25? I have to discuss this with other techs and see if they have any clients or colleagues in St. Lucia who are experiencing the same issue.

  2. Good idea!
    I think to block port 25 without proper disclosure to your clients is horrible to put it mildly.
    However, ISPs have been known to adopt this method to control spam emanating from their network (i.e. subscribers).
    In case LIME is staunch on this policy, I hope persons can use the Message Submission port (TCP 587) instead.

    Thanks for following the blog!

  3. This port blocking still occurs with Lime Barbados. It occurred with all my e-mail clients including those on Android and Windows Mobile devices. Unfortunately I only came across this article after I had left the country, so did not experiment using ports other than 25.
