[Cryptography] IAB Statement on Internet Confidentiality
cryptography at dukhovni.org
Tue Nov 18 23:05:51 EST 2014
On Tue, Nov 18, 2014 at 04:53:59PM -0800, Abe Singer wrote:
> > These were mobile networks with consumer users, not backbones with
> > fixed MTAs. The only mail software you find on mobile consumer
> > networks is MUAs, which are doing submission, not SMTP. These days,
> Um, not SMTP? Then what protocol does the MUA use for submission?
SMTP used for submission is called submission, when one wants to
be more specific. This is appropriate here.
> So what am I missing here? If a device is botted, it doesn't matter
> whether the submission port is 25 or 587; the attacker can use the
> credentials stored on the device, and send spam via either port. So why
> is it okay for the ISP to break TLS on port 25 and not on port 587?
With submission they're attacking a single system that often quickly
shuts down the compromised account, and many such systems impose
prior rate ceilings to limit future damage.
Port 25 blocking and filtering from consumer devices is simply
sound network management; it would be nice if we also had near
universal egress filtering of spoofed network addresses. That would
sure help avoid many a DDoS attack.
> And if the user has valid credentials to send mail via the remote MSA,
> what business is it of the ISP to decide whether or not it's spam?
> It's between the user and the MSA.
The ISP has a network to operate for the benefit of all users on
the Internet, theirs and remote. Abuse prevention is part of that
duty. Given the spam problem, restricting port 25 access from MUA
users is best practice. MUAs have long used port 587 to reach
their favourite non-ISP submission service.
> While the ISP's intentions may have been noble (and I'm not convinced)
> there are all kinds of ways that ISPs *could* combat nefarious
> activity that are neither appropriate nor legal.
I'm afraid the real world crushed that dream long ago. Over and out.
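A defensive counterpart to the TLS-breaking the thread argues over, added here as an example that is not part of the original message: a submission (port 587) client that parses the EHLO reply and refuses to authenticate unless STARTTLS is advertised and the server certificate verifies, so a stripped STARTTLS offer fails closed instead of exposing credentials. The host name and the two EHLO replies are constructed.

```python
import smtplib
import ssl

# Constructed EHLO reply bodies in the shape smtplib.SMTP.ehlo() returns
# (first line is the server's domain, one extension per following line).
# The second one models an intermediary that blanked out STARTTLS.
EHLO_INTACT = (b"mail.example.invalid\nPIPELINING\nSIZE 10240000\n"
               b"STARTTLS\nAUTH PLAIN LOGIN\n8BITMIME")
EHLO_STRIPPED = (b"mail.example.invalid\nPIPELINING\nSIZE 10240000\n"
                 b"XXXXXXXA\nAUTH PLAIN LOGIN\n8BITMIME")


def ehlo_extensions(ehlo_message: bytes) -> set:
    """Return the set of extension keywords (upper-cased) from an EHLO
    reply body, skipping the greeting line and any blank lines."""
    lines = ehlo_message.decode("ascii", "replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def starttls_advertised(ehlo_message: bytes) -> bool:
    """True only if the server explicitly offered STARTTLS."""
    return "STARTTLS" in ehlo_extensions(ehlo_message)


def open_submission(host: str, port: int = 587, timeout: float = 30.0) -> smtplib.SMTP:
    """Connect to a submission server and upgrade to TLS, failing closed.

    Credentials are never sent on this connection unless STARTTLS was
    advertised and the certificate chain and host name verified.
    """
    conn = smtplib.SMTP(host, port, timeout=timeout)
    try:
        code, message = conn.ehlo()
        if code != 250 or not starttls_advertised(message):
            raise RuntimeError(
                f"{host}:{port} did not advertise STARTTLS; refusing to authenticate")
        # Default context verifies the certificate and checks the host name.
        conn.starttls(context=ssl.create_default_context())
        conn.ehlo()  # capabilities must be re-read after the TLS upgrade (RFC 3207)
        return conn
    except Exception:
        conn.close()
        raise
```

Call `open_submission("mail.example.invalid")` and then `login()` on the returned connection; the RuntimeError is the signal that something between the MUA and the MSA removed the STARTTLS offer.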