Sunday, September 13, 2009

2009-09-12 – LIME St. Lucia – Blocks SMTP Communication – Outbound Traffic on Port 25 – Disrupts a Business from Sending E-mail for at Least 1 Week!

What Has LIME St. Lucia Done?

LIME St. Lucia has blocked e-mail communication in a manner that stops Asymmetric Digital Subscriber Line (ADSL) Internet service subscribers from being able to send e-mail from desktop (or end-user) e-mail clients such as Microsoft Outlook, Microsoft Outlook Express, Mozilla Thunderbird, Eudora, etc.



An Introduction to ESMTP

Extended Simple Mail Transfer Protocol (ESMTP) is a protocol used to transport Internet mail. It is used both as:

  1. An inter-server transport protocol (transfer of messages between mail servers on the Internet) and,

  2. As a mail submission protocol (transfer of messages from end-user e-mail clients to their subscribing mail server - often with restricted behaviour enforced).

The protocol operates on Transmission Control Protocol (TCP) port 25 [http://en.wikipedia.org/w/index.php?title=Extended_SMTP&oldid=312435768].



Message Submission and Secure SMTP

For years, port 25 has been the well-known port for Simple Mail Transfer Protocol (SMTP) communication. However, under the weight of Internet spam, concerted efforts were made to separate inter-server transport from mail submission via the development of a message submission protocol (see RFC 4409 - Message Submission for Mail (April 2006) at http://tools.ietf.org/html/rfc4409) and the use of a separate well-known port for this function. In essence, very similar software, and essentially the same SMTP protocol, is used for both functions. The separation of the two (2) functions lends itself to better e-mail management and security policies.

The adoption of a port specific to Message Submission, notably port 587, as well as other secure SMTP communication ports, such as for SMTP over SSL or TLS, has experienced quite a slow roll-out amongst both E-mail Service Providers (ESP) and end-users. Some system / network / e-mail / security administrators are blissfully unaware of their existence. Clear evidence of this is:

  1. The absence of these services on some nationally and internationally popular mail servers and,

  2. Firewall policies at some sites that specifically prohibit communication on the ports that these services use.

Thus, port 25 is usually the most popular port used by E-mail Service Providers (ESP) and by local mail server implementations to communicate both with end-user e-mail software and with other mail servers when sending e-mail.


Concerns with the Blocking of TCP Port 25

It is in this context we address the action by LIME St. Lucia. The major concerns with its action are:

  1. The business communication disruption to persons using end-user e-mail client software to communicate with an external, Internet-based mail server to which they are subscribers. Typically, that external mail server performs an e-mail relaying service on behalf of the e-mail subscriber. Most small and medium-size businesses (SMB) with simple local network architectures would have such a set-up, some relying on LIME St. Lucia to perform this service, others relying on some third party provider.

  2. The difficulty in troubleshooting this type of issue without explicit knowledge of LIME St. Lucia's change in policy. Otherwise, it could take significant time to stumble on this issue or to conclusively rule out other possibilities.

  3. The absence of information pertaining to this policy in the Service Alerts or other informational sections of LIME St. Lucia's web-site (http://www.time4lime.com).
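To shorten the troubleshooting described in concern 2, the following added example (not part of the original post) probes ports 25, 587 and 465 against more than one mail server and classifies the pattern. The host names and result labels are assumptions made for illustration; a single vantage point cannot tell a local firewall from the ISP, so the probe should be repeated from inside and outside the site firewall.

```python
import socket
import sys

# 25 = inter-server transport, 587 = message submission (RFC 4409),
# 465 = SMTP over SSL.
PORTS = (25, 587, 465)

def probe(host, port, timeout=5.0):
    """Classify one outbound TCP attempt: banner, open, refused, timeout, error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            if port == 465:
                return "open"  # TLS starts first, so no plaintext greeting
            try:
                greeting = conn.recv(512)
            except socket.timeout:
                return "open"  # connected, but something swallowed the greeting
            return "banner" if greeting.startswith(b"220") else "open"
    except socket.timeout:
        return "timeout"       # packets silently dropped on the path
    except ConnectionRefusedError:
        return "refused"       # reset sent by the server or a filtering device
    except OSError:
        return "error"         # DNS failure, unreachable network, etc.

def reachable(outcome):
    return outcome in ("banner", "open")

def classify(results):
    """results maps host -> {port: outcome}, all probed from one vantage point."""
    p25 = [reachable(r.get(25)) for r in results.values()]
    alt = [reachable(r.get(587)) or reachable(r.get(465)) for r in results.values()]
    if all(p25):
        return "port-25-reachable"
    if any(p25):
        return "server-specific-fault"     # only some servers fail on 25
    if any(alt):
        return "port-25-filtered-on-path"  # 25 fails everywhere, submission works
    return "no-mail-connectivity"          # look at routing, DNS, local firewall

# Constructed sample: two unrelated mail hosts as seen from a filtered line.
SAMPLE = {
    "mail.isp.example":   {25: "timeout", 587: "banner", 465: "open"},
    "smtp.third.example": {25: "timeout", 587: "banner", 465: "timeout"},
}

if __name__ == "__main__":
    hosts = sys.argv[1:]
    if hosts:
        results = {h: {p: probe(h, p) for p in PORTS} for h in hosts}
    else:
        results = SAMPLE
    for host, row in results.items():
        print(host, row)
    print(classify(results))
```

Run it with two or more mail server host names as arguments; with no arguments it classifies the constructed sample.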

Specific to two (2) known cases of service disruptions emanating from this action by LIME:

  1. A business endured a disruption in service for at least 1 week without knowing that the fault lay with its Internet Service Provider (ISP).

  2. In another, site Information Technology (IT) personnel initially attributed the fault to a configuration or failure condition in the network-level firewall and, at the very least, wasted time trying to swap devices.

An important question is: how much money do those outages translate into? How many more cases of this exist?

Presumably, Internet subscribers of business-class services, as well as those paying for static IP addresses, were immune to this network configuration issue. Or alternatively, such persons were suitably and comprehensively informed, inclusive of mitigation measures such as:

  1. The provision of a smart host to use to circumvent this SMTP blockage and,

  2. Informing on the use of the message submission protocol.

As the author is not based in St. Lucia, further assessment on this is not possible without persons sharing their experience. However, information reaching me suggests this issue also occurred with Internet leased circuit subscribers.



Conclusions

There are several problems with the application of the solution of blocking TCP port 25 in response to whatever network performance or security issues LIME St. Lucia had encountered:

  1. There are better solutions for blocking communication from illegitimate mail servers.

     • At the destination mail server level employing:

       1. DNS Blackhole Lists (DNSBLs) that list dynamically assigned IP addresses can stop unauthenticated SMTP communication attempts from zombie computer systems before they are able to transfer bulky or malicious data to the destination mail server.

       2. Grey-listing can slow down spam sources or prevent them from successfully transferring messages to a destination mail server, depending on the configuration of the grey-listing and the spam source.

       3. Certain e-mail validation / authentication schemes such as Sender Policy Framework (SPF) can be used to reject mail from unauthorized originating mail servers.

     • Perhaps LIME's network engineers can identify the users / spam sources that led to this SMTP blocking decision and inform them of their non-compliance with the Acceptable Use Policy (AUP) associated with their service:

       1. The captive portal solutions used by LIME Barbados to notify of ADSL modem upgrades may be employed to notify offending users of their situation, or alternatively a simple telephone call or letter.

       2. This may be an opportunity to partner with an Information Technology (IT) support organization to offer “for fee” corrective service to subscribers afflicted with malware.

       3. Resolution of the issue, or mitigation of it, may involve the use of some host-based or network-level firewall that restricts outbound SMTP traffic, on a per computer or per site basis, to the finite list of valid mail relay servers.

       4. Additionally, it would be useful to identify the source computer(s) and application(s) / process(es) performing the malicious SMTP activity and to disinfect the machine(s) whilst enacting measures to avoid a repeat of similar infections.

       5. The level of corrective service could be based on client desire and budget.

       6. However, a zombie computer may be under-performing for the end-user and making the end-user(s) think that LIME St. Lucia's Internet service is slow. Therefore, identifying and correcting the real issue could yield reputation benefits.

     • Although I am not specifically sure of the operation or availability of the SMTP proxy setting described here, it seems such an operation is likely and could allow a network operator to restrict its user base to using SMTP-AUTH communication from its network, or otherwise to communicate from mail servers with legitimate host names. The network operator would thus funnel SMTP traffic through the proxy and it would reject SMTP traffic once:

       1. SMTP-AUTH fails or alternatively,

       2. The HELO / EHLO greeting host name does not match the originating IP address when a DNS A record lookup is performed on the host name.

  2. It is possible this action of blocking SMTP communication may be considered monopolistic and malicious against third party E-mail Service Providers (ESP), specifically if the Internet Service Provider has blocked SMTP communication to all Message Transfer Agents (MTA) other than its own.
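The DNSBL lookup at the destination server and the HELO / EHLO check at the proxy, both described in the list above, are sketched here as an added example that is not part of the original post. The zone `dnsbl.example`, the host names and the DNS answers are constructed placeholders, and the proxy rule (accept authenticated sessions, otherwise require a matching HELO name) is one reading of the text.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def resolve_a(name):
    """Live A-record lookup; returns a set of IPv4 strings (empty if none)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def dnsbl_query_name(ip, zone):
    """DNSBL convention for IPv4: reversed octets, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def listed(ip, zone, resolver=resolve_a):
    """Listed when the query name resolves to a 127.0.0.0/8 return code."""
    answers = resolver(dnsbl_query_name(ip, zone))
    return any(ipaddress.IPv4Address(a) in LOOPBACK for a in answers)

def helo_matches(helo_name, peer_ip, resolver=resolve_a):
    """True when an A lookup of the HELO / EHLO name yields the peer address."""
    return peer_ip in resolver(helo_name.rstrip(".").lower())

def proxy_verdict(peer_ip, helo_name, auth_ok, resolver=resolve_a):
    """Outbound proxy: pass SMTP-AUTH sessions, else require a matching HELO."""
    if auth_ok:
        return "accept"
    return "accept" if helo_matches(helo_name, peer_ip, resolver) else "reject"

def destination_verdict(peer_ip, zone, resolver=resolve_a):
    """Destination server: refuse listed dynamic addresses before DATA."""
    return "reject" if listed(peer_ip, zone, resolver) else "continue"

# Constructed DNS data (documentation address ranges, placeholder zone).
ZONE = "dnsbl.example"
SAMPLE_DNS = {
    "25.2.0.192.dnsbl.example": {"127.0.0.10"},  # 192.0.2.25: dynamic pool
    "mail.example.net": {"198.51.100.7"},        # a real mail server's name
}

def sample_resolver(name):
    return SAMPLE_DNS.get(name, set())

if __name__ == "__main__":
    # Zombie on a dynamic address borrowing a legitimate server's HELO name.
    print(proxy_verdict("192.0.2.25", "mail.example.net", False, sample_resolver))
    print(destination_verdict("192.0.2.25", ZONE, sample_resolver))
    print(proxy_verdict("198.51.100.7", "mail.example.net", False, sample_resolver))
```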



RECOMMENDATIONS

LIME St. Lucia should seriously consider reversing this policy and utilizing other means to handle whatever problem they had. Really, this network policy decision must be informed by the human and the business perspective, especially in terms of productivity loss, cost of outage and cost of remedial IT services.

The use of the message submission TCP port 587 for SMTP-AUTH communication needs to be introduced to the user base and a smart host feature may be provided. However, further concerns may exist with blocking communication to all mail server providers other than the ISP's own.

A more offender-specific approach - that is, targeted blocking and further corrective action - needs to be employed rather than the use of broad-spectrum and disruptive network policy settings.

If this SMTP blocking is later deemed the only viable long-term solution, there needs to be a notification and education campaign to reduce possible harsh effects to end-user and business place productivity and any attribution of uncompetitive practices to the company. This is especially the case if the consumer does not actually have the real power of choice with respect to any affected business-level Internet service.

LIME St. Lucia should ensure their dynamic IP ranges issued to dial-up and DSL clients are registered with the appropriate DNS-based Blackhole List (DNSBL) e.g. Spamhaus Policy Block List (PBL) http://www.spamhaus.org/pbl/. Such IP addresses should theoretically never be used to operate Mail Transfer Agents (MTA). Most e-mail administrators should expect the previous to be the case.

Any destination mail servers afflicted with a spam problem originating from a LIME St. Lucia IP range should seriously consider improving their e-mail administration and security practices, especially by employing the DNSBL containing a list of dynamically assigned public IP addresses issued by ISPs.

If LIME St. Lucia has an issue with bandwidth utilization for spam activities originating from their subscribers, there is likely another, more suitable, service provider network solution to this problem other than full TCP port 25 blocking.

Saturday, July 4, 2009

LIAT Can’t Do Simple Arithmetic? Plays Musical Chairs with Confirmed Reservations. 3-Year Old Child Suffers!

UPDATE

On Sunday, July 5th, 2009 our daughter's aunt - after several calls to LIAT in Barbados, Antigua and St. Vincent from Friday to Sunday - found a non-managerial LIAT employee who was most helpful.


This customer service champion within LIAT asked us to come to the airport that morning. By afternoon, after a few minor moments of uncertainty, our daughter was trotting through Immigration in the company of this wonderful LIAT employee. Our daughter was actually accompanied on the plane by a lady her aunt knew. However, the LIAT employee also had a travelling mother available as a possible in-flight companion.

On Monday, July 6th, 2009 we were grateful to have our correspondence acknowledged by phone calls, clarifications and apologies from LIAT's management.


ORIGINAL POST

On the evening of Friday, July 3rd, 2009 I had the displeasure of dealing with LIAT and observing suspect business ethics, suspect arithmetic and an unprofessional game of musical chairs with confirmed and paid carriage reservations.

Our 3-year old daughter was confirmed to travel to St. Vincent & the Grenadines on the scheduled 9:10 pm departure of flight LIA369 out of Barbados. Her aunt had booked the ticket from St. Vincent and managed to squeeze her on the same flight as one of our Vincy Mas bound friends about 9 days prior. Our friend’s ticket was booked about a month prior. Being under 5 years of age she must be accompanied by a caretaker, and cannot be the flight attendant’s responsibility. By this, we mean her ticket had to be associated with our friend’s ticket (an explicit reference on our daughter’s ticket).

Our daughter and the accompanying adult arrived at check-in at approximately 8:08 pm - over 1 hour before flight departure. On check-in we were informed that there are two persons to be checked in but only one seat available. Additionally, the check-in agent said she would confer with her supervisor on the issue. Our suggestions that were shot down included asking about 1) accommodating someone in the jump seat in order to make a fit and 2) some type of double seating of our friend and daughter. The final statement was that they could not be both accommodated on the flight.

Mainly because we did not want to disadvantage our young friend’s carnival schedule we indicated to her that she should take the seat before the check-in window expired. After all the discussions with the counter agents, our friend was checked-in. Our daughter’s ticket was thus cancelled by the counter agents (there being no other alternative) but we were unable to reschedule her flight on account of not knowing any other accompanying adult on a later flight.

As far as we know, check-in closes 45 minutes prior to the flight’s departure time. Thus, we made it to the check-in counter within the stipulated time. When presented with comments on how the situation is unfair and questions on why this situation would occur, a LIAT counter agent indicated that overbooking was industry practice. She further explained that this was carnival season and a time of high traffic to that particular destination and with the overbooking it behooves passengers to check in as early as possible to avoid such situations. She indicated that we had a 2 hour check-in window and we arrived last to check in. She stated she does not know the overbooking ratio.

This flight was the last of the day between Barbados and St. Vincent. At the counter we were informed it was delayed and would be departing around 11 pm. While we were still at the counter, we overheard a counter agent tell a baggage handler the flight was closed. Just after that most of the staff started to disperse. There was however a single adult lady intending to go to St. Vincent still lingering at the counter. That lady was not on the flight for which our friend was supposedly the final person to check in for the last available seat. We left her at the counter, but it would be interesting to know what happened next for her.

We consider the LIAT representative’s explanation unsatisfactory. Clearly LIAT’s procedures or flight reservation system would have to be faulty to permit this particular situation. Overbooking cannot be an appropriate explanation because whilst one may conceivably allow more bookings than there are seats, one should not allow more confirmed reservations on a flight than there are seats.

LIAT is a plane and the ability to carry each passenger should be determined by seating capacity and informed by the passenger type (child or adult, which probably informs on estimated weights and seating arrangements). Simply put, the most reasonable conclusion is that our 3-year old daughter - a Vincentian national, returning home - got bumped from the flight to accommodate someone else who was allowed to check-in prior or after.

Saturday, June 27, 2009

Does SurePay Barbados’ Web Page Really Have A Defunct Outlet Listed?


Location: Barbados
Afflicted Site: www.surepaybills.com/bb_main.php
Affliction: Outlet location information is out of date.
Type of Business: Electronic bill payment services via multiple small outlets located in malls and supermarkets.

Company Tagline: The convenient way to pay.

On the afternoon of Saturday, June 27th, 2009, it was discovered that SurePay Barbados did not have an up-to-date listing of its outlet locations on its corporate website. SurePay is a division of the Information and Communications Technology (ICT) company ILLUMINAT (http://www.illuminatnm.com/) and a member of the Neal & Massy Group.

Any customers checking the trusty World Wide Web (WWW) to find a suitable outlet location should cross-check that information in order to avoid any extra searching, extra commuting or wastage of time and other resources.

The Merchandise King, Spooners Hill location listed on the page http://www.surepaybills.com/bb_main.php was reportedly closed for several months, to approximately one year.

The accuracy of other listed locations was not checked. This is clearly an exercise for Illuminat's employees. Following that exercise, they can try accessing the user interface (UI) to their website’s content management system (CMS) to update the identified web page, or otherwise find a webmaster.

Corporate reality and corporate web presence should not become unsynchronized by a period of months. The Web is a dynamic medium. The corporate web presence should always contain relevant and accurate contact information – covering electronic, telephony, mailing and geographic contact - at the very least. It may not be difficult to imagine a listing of outlet locations and contact information in the annually published telephone directory being a few months out of date, however excusing a similar occurrence on the Web is more difficult.

DISCLAIMER
All information provided in this document is "as is", with no specific warranties, expressed or implied as to applicability or accuracy.
All trademarks, trade names and registered trademarks are the property of their respective holders.


AUTHOR'S COMMENT: On Mon, Jun 29, 2009 at 12:24 PM SurePay responded to state that the site was updated.

Certainly, a cursory examination shows a few other things changing under the St. Michael outlet information other than the defunct outlet I mentioned.

The One Accord Plaza location has changed from Push Shoes to Insurance Sales & Services and the contact numbers and opening hours are different. It appears another outlet in Rock Dundo was added.

Good work Illuminat / SurePay! Thanks for being responsive. Try not to let the site age so much next time.