Port 25 blocking and ISPs in Pakistan

Block everyone’s email?

A few days ago, we did the unthinkable (at least unthinkable for Pakistan). We (as in Dancom’s network operations team) blocked all the outgoing email of our customers and not just for a limited time period. This is permanent. If that sounds extreme, then it was, but this is where things are headed, judging by the current state of email and we’re probably the first to implement something like this in Pakistan.

Lately, there has been an explosive increase in spam (or unsolicited email) and this is causing problems not just for those on the receiving end of things. Gone are the days when we had to explain to customers sending out bulk marketing emails that this was a bad practice and not business as usual. Or convince those running open relays to fix their servers. These days, spammers employ hundreds or thousands of infected user systems to do their bidding, usually without the user knowing there is anything wrong apart from the hefty bandwidth bill and the subsequent blocking of all their outgoing email.

Pakistan is already notorious for being a source of spam and the long term effects of letting this continue would be devastating. Services such as Spamcop regularly list our customers’ IP addresses and the abuse reports sent to us are becoming too numerous to act upon in an effective manner. With limited IP pools, this poses a threat of rendering whole blocks of them as blacklisted and the possibility (remote as it may be) of one day having the whole country’s email traffic blocked by the rest of the world due to the overwhelming spam.

A brief description of what we have done can be found on this excellent Wikipedia resource about anti-spam techniques and the Beeb published a couple of articles some time back on the surge in the number of hijacked systems and malicious code rise driven by web. Most of the users we encounter, however, do not understand any of these and fight tooth and nail to put the blame on the vendor or service provider instead of managing their own security properly.

So if we are blocking everyone’s outgoing email, do we expect customers to stick to using Yahoo and Gmail? No, they set our state-of-the-art SMTP server, with some excellent anti-spam features, as their outgoing server. Seems simple enough, but the main problem arises when people just refuse to change their settings or are running their own mail server, yet lack the knowledge of configuring it properly. Something that I am getting tired of hearing is exempt me from this change or I’ll switch to another service provider. We can off course make the exemption, especially for corporate customers, though we also have to make it clear to them that they themselves are responsible for their own IP address or pool of addresses.

Internet Service Providers

This brings me to my rant about ISPs in Pakistan. Policies, like the one above, happen to be common in a number of European and East Asian countries where best practices generally take precedence over temporarily pleasing the customer. Unfortunately, in this country, customers are usually ignorant of anything that contains even a slight touch of technicality, yet hate to admit that they don’t know something and that it is best to trust in the judgement of the experts. Then there is a lack of real collaboration and cooperation between ISPs which causes some serious issues.

While in other places, large service providers form consortiums to have their demands met and to agree upon policies and standards, here they are divided and weak. Despite a potential customer base of at least tens of millions of users, we are forced to stick to low speed packages that charge by the Megabyte and are only within reach of a tiny percentage of the population. The customer and our upstream provider have the say in everything and there is little that the ISP can do about it.

If we could join forces and make important decisions (like the one above) together, it would eradicate the common threat that customers give about switching to another ISP as well as increasing the integrity of Pakistan’s overall Internet infrastructure. Both the commercial and technological long-term benefits of this type of collaboration could be huge.

I have already talked to one technical head from another ISP with positive results and am planning on getting in touch with the others. At the minimum, we can start off with a mailing list to discuss these things and move forward from there. Tee Em? The rest? Hope to hear from you soon.

15 thoughts on “Port 25 blocking and ISPs in Pakistan

  1. You are not the first Pakistani ISP to block port 25. Up until a few months ago I used to rely heavily on Supernet prepaid cards and I can tell you they block port 25 as well. Unlike most consumers in Pakistan who prefer webmail, I use pop3 email and so port 25 blocking was a real pain.

  2. Sajjad, go ahead. Make a google group for ISP technology people fro Pakistan. Let us discuss this and other issues and come up with collective decisions and implementations. I am all for it.

  3. I suggest using SANOG as the platform. A number of industry veterans contribute to the mailing list and starting a discussion on this platform can invite some very interesting feedback/tips from these people.

    My $0.02

  4. The need of the day is to have people from different ISPs come to a single platform so that we can discuss such issues in detail and implement policies in consortium way. This would help immensely with formation of standards and regulations.

  5. what you need is EDUCATION. Best of look at it. Everyone (practically) run pirate software in Pakistan. Virus Scanner? whats one of them. Most people are probably zombie bots and have no clue.

  6. The group (currently empty) is at here.

    Let’s invite relevant guys from across the country to the group. I suggest that we start meaningful thread only after we have at least 8 to 10 network representatives on board.

  7. First of all, excellent topic!

    Secondly, Brain ISP has been doing this for many months now at least in Lahore.

    But I have 2 questions:

    – What about those businesses who have their own domain? If my email’s FROM address has a different domain than the SMTP domain, wouldn’t it be a problem at the receiving end server when it does the SPF & Sender Verification test?

    – What about hotels and larges businesses who have lots of foreign visitors who want to use their own domain SMTP to send out their emails even when traveling?

    Isn’t it irritating from the business perspective? I can, in parallel, understand the need to combat SPAM but there needs to be more realistic and practical approach to it.

    Can an hourly # of SMTP connections limit/IP be an alternative?

    Any other suggestions?

  8. Fyi, am not a techie so plz don’t expect too much from my side…

    But on a second thought, can SMTP over SSL (port 465 or 587) be the most plausible solution for those who want to use their own domain’s out-going mail server to avoid ‘sender verification’ mis-match?

  9. We at Maxcom have already done this since a year ago. But I’ll appreciate your concern on this matter coz previously ISPs were not taking this matter serously and as a result a frustration was also developed among clients due to different policies of ISPs.

    Anyway its a nice step and we should have to find a common platform for discussing these matters.

  10. Guys!

    There is a “GOOD” reason for ISPs to block the port 25. Asking your hosting providers to open SMTP on different ports is a temp work-around but not a solution, also it kills the whole purpose of ISP’s efforts. Also what happens if you have alternative port opened and your ISP find out and block that alternative port also, would you each time keep bugging your hosting providers to open another new port? Is this a right solution?

    We have been facing this issue for the last 3-4 years or longer here in USA when first time AT&T started doing it. There is a very solid reason and goal to achieve for ISPs to do this and that is why all over the world now most of ISPs have started following this practice.

    Permanent Solution would be any one of these two (or someone can help me if there could be another):

    1. Use your ISP SMTP as your Out-going mail server in your Outlook settings (or whatever mail client software you are using) rather than using your own mail.yourdomain.com or using your hosting providers like mail.pakhost.com etc. It will not affect anything and your reply-to or from email address will not get changed to that of ISP’s email address. It is like if you want to go to Islamabad from Lahore and rather than using your own car, you are getting a free ride or using available public transport. Anyway the whole purpose is to reach Islamabad (and hopefully safely).

    2. If you really need to use your own SMTP server due to any reason, the right way would be to request your ISP to add your domain/mail server to the allowed-list for port 25. Mostly ISPs will honor the request if there is a good reason.

    Hope my 2 cents will help to put you all in a right track rather than finding a wrong or temp work-arounds which will one way or other create a new problem.

    Best regards.

  11. Hmmm…. SMTP is dead…

    The ‘simple’ in SMTP served us well, but the internet has grown such that we need a more sophisticated solution… I am up to 100-1 ratio on spam to e-mail these days.

    I think some solution based on encryption and authorization certificates & etc. (to be figured out by much smarter people then me), is needed.

    There was some talk a while back of some of the big ISPs moving off SMTP, has anything happened with that?

  12. In the US, my port 25 is not blocked, but I still don’t send myself because too many servers refuse email from my “dynamic” IP address. So, I use MailHop Outbound, which is not free, but very reasonable at $10/year.

  13. Certainly a good move, but should have told the customers about it first. Maybe the tech support guys should be in the loop also…

    🙂

    We installed a mailserver and it went live a few hours before you guys blocked the port. Took us 4 hours to figure out why our shiny new machine suddenly stopped working. The Dancom tech support guys didnt know anything about the blockage.

Comments are closed.