
The EFF and Hanlon's Razor

Suresh Ramasubramanian

The EFF has just posted a shallower than usual deeplink alleging an "email encryption downgrade attack" by ISPs intent on eavesdropping on their customers.

They, along with VPN provider Golden Frog, have additionally complained to the FCC reporting this.

Here, they've just noticed something that's common across several hotel / airport wifi networks — routing outbound port 25 (SMTP) traffic through a spam / malware filtering proxy such as the "inspect" aka "fixup" feature in a Cisco ASA device.

Outbound port 25 blocking is a best practice, enforced by several large providers around the world and recommended, for example, by M3AAWG. Port 587, the SMTP submission port, has been recommended for outbound SMTP since it was first defined in 1998 in RFC 2476 (now obsoleted by RFC 6409). An older but still relevant Best Practice document from 2007 is RFC 5068. These RFCs are explicit that port 587 is to be used for mail submission, and that it MUST NOT (capitals as used in the RFCs) be subject to port blocking.

However, airport and hotel wifi networks, and other networks with a large number of transient users, tend to filter outbound port 25 rather than follow the commonly accepted best practice of blocking outbound port 25 traffic altogether (a large part of which is malicious, originating from virus-infected hosts on the network). This may be a well-intentioned measure (possibly to reduce tech support costs), but it is certainly not a best practice; sliced with Hanlon's razor, it falls well on the "ignorance" rather than the "malice" side.

It is certainly not appropriate to conflate this, as the EFF has done in its FCC filing, with other practices allegedly adopted by ISPs to track their users or slow down sites they see as competitors. Nor is it new (in fact it is about a decade old) for the EFF to equate spam filtering of any sort with censorship or worse.

That said, it does appear to be high time to update the existing best practices on port 25 management so that they state explicitly that proxying port 25 through a filter that turns off TLS to allow content inspection is not a privacy-friendly alternative to blocking port 25 outright. That blocking rather than filtering port 25 will also spare an ISP frivolous FCC filings is perhaps additional icing on the cake.
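To make the downgrade concrete, here is an added example (my own code, not the article's, the EFF's or any vendor's): it parses an SMTP EHLO reply, models a filtering proxy that removes the STARTTLS capability before the reply reaches the client, and shows why the client-side configuration matters: a client that uses TLS only "if offered" continues in cleartext, while one that requires TLS fails closed. The host names and the EHLO reply are constructed; `probe_starttls` uses the standard `smtplib` to run the same check against a real submission server from the network you are on.

```python
import smtplib
from typing import Optional

# Constructed EHLO reply from a submission server that offers STARTTLS
# (not captured from any real host).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)

def parse_ehlo(ehlo_reply: str) -> set:
    """Return the upper-cased extension keywords a server advertises.
    The first 250 line is the greeting, not an extension, so it is skipped."""
    lines = [ln for ln in ehlo_reply.split("\r\n") if ln]
    return {ln[4:].split()[0].upper() for ln in lines[1:]
            if ln.startswith("250") and ln[4:].strip()}

def strip_starttls(ehlo_reply: str) -> str:
    """Model the filtering proxy the article describes: the EHLO reply
    arrives at the client with the STARTTLS capability removed."""
    lines = [ln for ln in ehlo_reply.split("\r\n") if ln]
    kept = [ln for ln in lines if not ln[4:].upper().startswith("STARTTLS")]
    # Keep the reply well-formed: every line but the last is a "250-" continuation.
    body = ["250-" + ln[4:] for ln in kept[:-1]] + ["250 " + kept[-1][4:]]
    return "\r\n".join(body) + "\r\n"

def next_step(capabilities: set, require_tls: bool) -> str:
    """Client policy. require_tls=False is the "TLS only if possible" setting
    the comment below criticises: it silently falls back to cleartext when
    STARTTLS is missing. A client that requires TLS aborts instead."""
    if "STARTTLS" in capabilities:
        return "starttls"
    return "abort" if require_tls else "plaintext"

def probe_starttls(host: str, port: int = 587, timeout: float = 10.0) -> Optional[bool]:
    """Live check from the client side: does the submission server, as seen
    through the current network, still advertise STARTTLS? None on failure."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            return smtp.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return None

if __name__ == "__main__":
    stripped = strip_starttls(EHLO_WITH_STARTTLS)
    print("opportunistic client on filtered network:", next_step(parse_ehlo(stripped), False))
    print("TLS-requiring client on filtered network:", next_step(parse_ehlo(stripped), True))
```

Comparing `probe_starttls("your.submission.server", 587)` from a hotel network against the result from a known-good network shows whether the capability is being stripped in transit.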

By Suresh Ramasubramanian, Antispam Operations
Related topics: Censorship, Email, Net Neutrality, Spam

Comments

So where does STARTTLS filtering belong? Alessandro Vesely  –  Nov 19, 2014 12:57 PM PDT

When I first heard about this subject, I thought filtering was being applied between the MSA and the MX.  How would we rate it in that case?  Of course, it is not granted that TLS is available at each intermediate hop.  It is a best effort attempt.  However, the ease with which it is possible to circumvent it brings out a weakness in RFC 6409.  What if backbone routers on national borders do the same? Perhaps, standardizing port 465 was not such a bad idea after all.  I welcome the EFF complaint, in this respect.

Later on, reading the details, I learned filtering happens between the MUA and the MSA.  For it to work, a client must be configured to use TLS only if possible.  I don't think such configurations make sense, and I'd blame them at least as much as the filtering operators.  IOW, one good thing of STARTTLS filtering is to educate users to get aware of what they do.  For an even better effect, they could swap MAIL and RCPT addresses.
