
The EFF and Hanlon’s Razor

The EFF has just posted a shallower than usual deeplink alleging an “email encryption downgrade attack” by ISPs intent on eavesdropping on their customers.

They, along with VPN provider Golden Frog, have additionally filed a complaint with the FCC about this.

Here, they’ve just noticed something that’s common across several hotel / airport wifi networks—routing outbound port 25 (SMTP) traffic through a spam / malware filtering proxy such as the “inspect” aka “fixup” feature in a Cisco ASA device.

Outbound port 25 blocking is a best practice, which is enforced by several large providers around the world and is recommended, for example, by M3AAWG. Port 587, the SMTP submission port, has been recommended for outbound SMTP since it was first defined in 1998, in RFC 2476 (now obsoleted by RFC 6409). An older but still relevant Best Practice document from 2007 is RFC 5068. These RFCs are explicit that port 587 is to be used for mail submission, and that it MUST NOT (capitals as used in the RFCs) be subject to port blocking.

However, airport and hotel wifi networks, and other networks with a large number of transient users, tend to filter outbound port 25 rather than follow the commonly accepted best practice of blocking outbound port 25 traffic, a large part of which is malicious and originates from virus infected hosts on the network. This might be a well intentioned measure (possibly to decrease tech support costs), but it is certainly not a best practice; it falls well on the “ignorance” rather than the “malice” side when you slice it with Hanlon’s razor.

It is certainly not appropriate to conflate this, as the EFF has done with their FCC filing, with other practices allegedly adopted by ISPs to track their users or slow down sites they see as competitors. And it is certainly not new (in fact it is about a decade old) for the EFF to equate spam filtering of any sort with censorship or worse.

That said, it does appear to be high time to update the existing best practices on port 25 management to state explicitly that proxy filtering port 25 by turning off TLS to allow content inspection is not a privacy friendly alternative to blocking port 25 outright. That blocking port 25 rather than filtering it will also spare an ISP frivolous FCC filings is perhaps additional icing on the cake.
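As an added illustration (not code from the post, the EFF report, or any ISP), the following Python models the client-side failure the post describes: a parser for the EHLO reply plus the two client policies, opportunistic TLS and required TLS, run over constructed EHLO replies. The server name, the SIZE value and the masked keyword line are constructed sample data, not captured traffic.

```python
from typing import Set

# Constructed EHLO replies. The first is what a submission server normally
# returns; the second is the same reply as it might appear after an
# inspection proxy has hidden the STARTTLS keyword (here the line is
# overwritten with filler so the client no longer sees the capability).
EHLO_NORMAL = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
EHLO_FILTERED = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-XXXXXXXX\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)


def parse_ehlo(reply: str) -> Set[str]:
    """Return the extension keywords advertised in a multi-line 250 reply."""
    keywords = set()
    # The first line carries the server greeting, not an extension (RFC 5321).
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected reply line: {line!r}")
        parts = line[4:].split()  # skip "250-" or "250 "
        if parts:
            keywords.add(parts[0].upper())
    return keywords


class StartTlsUnavailable(Exception):
    """Raised when TLS is required but the server does not advertise STARTTLS."""


def negotiate(reply: str, require_tls: bool) -> str:
    """Decide how the session proceeds.

    require_tls=False is the "use TLS only if possible" setting: the client
    quietly continues in cleartext (and would send AUTH credentials that way)
    when STARTTLS disappears from the reply. require_tls=True fails closed,
    turning silent downgrade into a visible error a user or monitor can act on.
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "tls"
    if require_tls:
        raise StartTlsUnavailable("STARTTLS not advertised; refusing to send")
    return "cleartext"
```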

By Suresh Ramasubramanian, Antispam Operations


Comments

So where does STARTTLS filtering belong? Alessandro Vesely  –  Nov 19, 2014 7:57 PM

When I first heard about this subject, I thought filtering was being applied between the MSA and the MX.  How would we rate it in that case?  Of course, it is not granted that TLS is available at each intermediate hop.  It is a best effort attempt.  However, the ease with which it is possible to circumvent it brings out a weakness in RFC 6409.  What if backbone routers on national borders do the same? Perhaps, standardizing port 465 was not such a bad idea after all.  I welcome the EFF complaint, in this respect.

Later on, reading the details, I learned filtering happens between the MUA and the MSA.  For it to work, a client must be configured to use TLS only if possible.  I don’t think such configurations make sense, and I’d blame them at least as much as the filtering operators.  IOW, one good thing of STARTTLS filtering is to educate users to get aware of what they do.  For an even better effect, they could swap MAIL and RCPT addresses.
