Many of the ISPs that offer security do so by blocking traffic on Port 25, the server port used for Simple Mail Transfer Protocol (SMTP) transmissions. This practice prevents e-mail from in-network computers from going to any other mail servers on the Internet unless the mail first goes through central ISP mail servers or a mail server that has been added to an exception list.
Dave Jevans, chairman of the Anti-Phishing Working Group (www.antiphishing.org), says the method is widely considered to be a best practice for detecting and preventing spam and phishing senders on ISP networks. Many of these senders are zombies (also known as bots), which are often also used for DDoS attacks. Yet this method of blocking is not common practice in the ISP industry today.
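The outbound policy described above can be sketched as a small flow evaluator. This is an added example, not code from any ISP named in the article. The addresses are constructed documentation ranges, the exception list is modelled as approved in-network mail servers, and the alert threshold is an assumption.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed sample values (RFC 5737 documentation ranges), not real hosts.
ISP_RELAYS = {ip_address("192.0.2.25")}          # central ISP mail servers
EXCEPTION_LIST = {ip_address("198.51.100.10")}   # approved in-network mail server
ALERT_THRESHOLD = 3   # assumption: blocked attempts before a host is flagged


def decide(src, dst, dport):
    """Return 'allow' or 'block' for one outbound flow from a subscriber host."""
    if dport != 25:
        return "allow"      # the policy only covers SMTP on Port 25
    if ip_address(dst) in ISP_RELAYS:
        return "allow"      # mail handed to the ISP's own servers
    if ip_address(src) in EXCEPTION_LIST:
        return "allow"      # server that was added to the exception list
    return "block"          # direct-to-Internet SMTP from a subscriber


def suspected_zombies(flows):
    """Subscribers whose blocked Port 25 attempts reach the alert threshold."""
    blocked = Counter(src for src, dst, dport in flows
                      if decide(src, dst, dport) == "block")
    return sorted(src for src, n in blocked.items() if n >= ALERT_THRESHOLD)


# Constructed flow records: (subscriber source, destination, destination port)
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.25", 25),     # normal client using the ISP relay
    ("198.51.100.10", "203.0.113.5", 25),   # exception-listed mail server
    ("198.51.100.7", "203.0.113.5", 443),   # not SMTP, out of scope
    ("198.51.100.8", "203.0.113.9", 25),    # one stray attempt, below threshold
    ("198.51.100.66", "203.0.113.5", 25),   # repeated direct SMTP attempts
    ("198.51.100.66", "203.0.113.6", 25),
    ("198.51.100.66", "203.0.113.7", 25),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, decide(*flow))
    print("flag for follow-up:", suspected_zombies(SAMPLE_FLOWS))
```

The blocked-attempt counts are what make the block useful for detection as well as prevention: a subscriber host that keeps trying to reach outside mail servers directly is a candidate for cleanup.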
Some ISPs, including SBC, EarthLink and midsize ISP Jumpline.com, also block inbound traffic through Port 25. Tripp Cox, CTO at EarthLink, claims this less-common tactic is done to prevent infected computers from becoming part of a botnet, which is used to send spam and infect other computers to spread destruction.
To make sure all mail servers are legitimate, EarthLink and others force users to upgrade to a more substantive business account for the privilege of running SMTP servers from inside the network. ISPs say this helps them keep inadvertent open mail relays to a minimum, further reducing the risk of a spam zombie attack.
“Blocking Port 25 is the first step toward stopping DDoS attacks as a whole,” says Cox. “It’s the very least an ISP can do behind the scenes to make the connection more secure.”