How does blocking port 25 prevent spam (but not 587)?

It is common practice for ISPs and cloud providers to block outgoing traffic on port 25.

I understand this is to prevent spam; e.g. a person could launch an Amazon EC2 instance, and send a million emails.

But for example, port 587 can be used to send email as well, and it is not commonly blocked. So why can't a person send a million emails through port 587?

Basically, I'm asking, what is special about port 25 that makes it more prone to abuse than 587?


Solution 1:

You are right, it does not completely prevent spam, but from a business perspective what matters for the cloud provider is something slightly different than trying to prevent all spam.

Cloud hosters do not have strong incentives not to take money from spammers. The thing that hurts them is being the owner of the IP space the spam is delivered from. They do not want to be that cloud hoster everyone blocklists. That would be a less useful & thus less profitable cloud hoster!

For spammers, these are just two paths to the same goal:

  1. abusing some random company's cloud servers to send spam via port 25, potentially directly to the victim
  2. abusing some random company's mail (service provider) credentials to send spam via an authenticated SMTP session on port 587, relayed by some other party

But for the cloud hoster, there is a huge difference:

  1. in option 1, the complaints and mitigations are directed at the company providing the server, the cloud hoster
  2. while in option 2 people will blame & take action against the person having their SMTP credentials compromised and/or the last relay that accepted the compromised credentials. The cloud hoster does not lose (as much) credibility & reputation in that case.

Someone spamming port 25 is someone I can put on a blocklist. If the cloud hoster recycles network addresses quickly, my mitigation will cause collateral damage for his next customer, and thus for him.

If someone is spamming me via abused SMTP logins on port 587, his spam will enter my systems mixed with other, clean mail. I can less effectively use network-level blocking there - and if I do, I will more likely target a later relaying party.

Solution 2:

TCP port 587 is used for authenticated SMTP access (with TLS) for client applications or devices; this is useless for spammers, whose need to send spoofed messages really doesn't go hand-in-hand with enforced authentication.
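
The policy difference described in Solution 2, as an added Python example that is not part of any answer on this page: a simplified command handler in which port 587 refuses `MAIL` until `AUTH` has succeeded over TLS, while port 25 accepts unauthenticated mail for its own domains only. `Session`, `handle`, `LOCAL_DOMAINS` and `USERS` are hypothetical names, and the domains and credentials are constructed.

```python
import base64
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.org"}      # constructed: domains this server hosts
USERS = {"alice": "correct horse"}   # constructed credential store

@dataclass
class Session:
    port: int              # 25 = server-to-server, 587 = client submission
    tls: bool = False
    user: str = ""         # stays empty until AUTH succeeds
    mail_ok: bool = False

def handle(s: Session, line: str) -> str:
    """Return the SMTP reply for one command under the port's policy."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "STARTTLS":
        s.tls = True
        return "220 2.0.0 Ready to start TLS"
    if verb == "AUTH":
        if not s.tls:      # never accept credentials in cleartext
            return "538 5.7.11 Encryption required for requested authentication mechanism"
        mech, _, blob = arg.partition(" ")
        try:               # AUTH PLAIN payload: authzid NUL authcid NUL password
            _, user, pw = base64.b64decode(blob, validate=True).decode().split("\0")
        except ValueError:
            return "501 5.5.2 Cannot decode AUTH PLAIN response"
        if mech.upper() == "PLAIN" and USERS.get(user) == pw:
            s.user = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"
    if verb == "MAIL":
        if s.port == 587 and not s.user:   # submission port: identity first
            return "530 5.7.0 Authentication required"
        s.mail_ok = True
        return "250 2.1.0 Sender OK"
    if verb == "RCPT":
        if not s.mail_ok:
            return "503 5.5.1 MAIL first"
        domain = arg.rstrip(">").rpartition("@")[2].lower()
        if not s.user and domain not in LOCAL_DOMAINS:  # not an open relay
            return "550 5.7.1 Relaying denied"
        return "250 2.1.5 Recipient OK"
    return "502 5.5.1 Command not implemented"
```

On port 587 every accepted message is tied to an account that the relay operator can rate-limit or disable, which is the accountability the port 25 path lacks.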

Solution 3:

This question is off-topic for this forum: Business environments don’t suffer from this issue.

But in short: the block isn’t there to prevent you from sending email at all, but to prevent people from setting up potentially misconfigured mail servers: If server-to-server traffic is blocked, the adverse effect of an open relay is negligible.