Restrict Port 25

Don't allow your network to pollute the internet

Is port 25 open on your network? You may be enabling a torrent of spam without knowing it. Restricting port 25 is a simple solution. It won’t stop you from sending authenticated emails, but it will significantly reduce the spread of spam and malware, while strengthening your network integrity. Explore our FAQs, best practices, and expert blogs to understand and address this escalating issue.

Port 25: A problem resurfaced

In 2005 the industry collectively breathed a sigh of relief because an agreement was reached that leaving port 25 open on a mail server was a bad thing, and open relays were no longer a large-scale problem. By closing port 25 to unauthorized users, the largest spam problem had been solved - with an easy solution. However, today that problem has resurfaced, and is bigger than ever.

Why is this happening?

Due to the shortage of IPv4 addresses, many networks are using Network Address Translation (NAT) to get the most out of their limited IPs resources. However, many networks have not configured their NATs to block outbound traffic on port 25 to end users.

The ever-increasing use of smartphones and other internet-connected devices allows cybercriminals to exploit weaknesses in them to run proxy software, spread malware, and send spam.

The result is that every infected device can send spam, and a wide-open port 25 on dynamic and Carrier-Grade NAT (CGNAT) IP pools means there is nothing to stop the spam. Consequently, a significant amount of abusive port 25 traffic comes from devices that have been infected with proxyware or malware, which are sending spam without the user’s consent or knowledge. Allowing it to exit your network unchecked contributes to the overall problem, and pushes the costs of dealing with that abusive email onto other networks.

The solution is simple - it is the same as it was 25 years ago: networks must limit port 25 to SMTP server access only and deny access to all others.

Networks currently affected

The networks identified as having a problem with proxy malware abuse caused by leaving port 25 open are listed below:

AT&T, https://www.att.com/
Three Ireland (02ireland UK), https://www.three.ie/
Bluehost, https://www.bluehost.com/
Double Square Networks, https://www.dsnetworks.net/
Norlys, https://www.eniig.dk
Bouygues Telecom, https://www.bouyguestelecom.fr/
Giganet, https://www.giganet.uk/
HostZealot, https://www.hostzealot.com/
IBT, https://www.ibt.uk.com/
Leste Telecom, https://www.lestetelecom.com.br/
LeVPN, https://www.le-vpn.com/
SFR (Neuf.fr), https://www.sfr.fr/
Sunrise, https://www.sunrise.ch/
Telus, https://www.telus.ca
ThreeUK, https://www.three.co.uk/
Tele2, https://www.tele2.com/
Virgin Media, https://www.virginmedia.com/
Vodafone DE, https://www.vodafone.de/
WOWnet, https://wownetworkslimited.net/

This is by no means a complete list; it is based on what our removals team sees, which is a limited view. If your network is not listed here, please do not assume there is no problem.

What action do you need to take now?

Check with your networking team, and make sure port 25 is closed to end users. It takes a minute to ask the question. It takes five minutes to restrict port 25. But the reduction in the amount of unwanted email will be huge, and you will be helping to strengthen trust and safety on the internet.

Thank you.

Further information

Network owners and operators, the role you play in addressing this issue is crucial.

You can find frequently asked questions, best practices, blogs and more here to understand why restricting port 25 outbound is essential for protecting against the spread of spam and malware, and maintaining network integrity for users.

FAQs

SMTP stands for Simple Mail Transfer Protocol – the protocol by which emails are sent. Message data are sent out via SMTP and the traffic is directed into ports for ease of handling.
Think of a port like an old fashioned telephone switchboard, with a operator plugging the incoming call into a jack, to connect it to a specific phone: an SMTP port is designed to direct email through a network, to the recipient.
The original port that was created to deal with SMTP traffic was port 25, and it continues to be used primarily for SMTP relaying: the transmission of email from email server to email server.
It is only needed for use by mail servers.
Limit outbound port 25 to SMPT servers only
Networks should close outbound port 25 for end users, and limit port 25 access to SMTP servers only. This is transparent to end users, who are using port 587 or 465 for authentication.
No end user needs port 25 open for their mobile phone. Only SMTP servers need port 25 open. Routers and firewalls should be shipped with port 25 disabled.
Why should networks do that?
Port 25 is heavily abused and is the spammer's choice port of call.
In the 90s, spammers discovered that port 25 allows people to connect to a mail server and send mail through it, no matter where they were physically located, or whether or not they had any right to access that machine. This "open relay" feature of port 25 was cheerfully abused by criminals until network administrators had had enough, and made some changes.
Port 25 is only needed for use by SMTP servers. If it is left open and accessible, it WILL be abused: spamming is a very lucrative business, and all the more so if the spammers can use other people's infrastructure to send their spam, instead of paying for their own - free "postage"!
In 1998, port 587 was created. Using 587 allows an end user to supply a username and password to the mail server for authentication. If they pass authentication, they can send mail - there is no open relay. By 2005, the open relay issue was essentially solved, and the criminals moved on to other vectors for their spam.
A new version of open relays
Fast forward 20 years, and that new vector is mobile phones.
Despite the recommendations by industry leaders and despite the work that was done to close port 25 on mail servers, many of today's mobile networks have declined to limit port 25 on their IP pools.
On the mobile phone side, a proxy is embedded in (many) apps, the app is installed by an unknowing user, access to the proxy is sold by one or more residential proxy resellers, and the spam is once again flowing freely over open port 25. Of course, the costs of transporting and dealing with all the spam are absorbed by the recievers.
We strongly advise that networks limit port 25 and help clean up the spam.
An SMTP port is the port designated for use by SMTP - this can be ports 25, 465 or 587.
The replacement for ends users to port 25 is 465 or 587.
Port 587 is the default port for SMTP submission on the modern web. It requires that a user authenticate with a username/password combination, and also supports TLS.
Port 465 was originally registered for SMTPS (SMTP over SSL). It was quickly reassigned for a different use and deprecated, but in spite of that many ISPs and cloud hosting providers still support port 465 for SMTP submission.
End users should be using 587 or 465 with SMTP AUTH.
Leaving port 25 open on IP pools that are shared causes your customers to suffer disruptions that are every annoying and can be expensive, especially when 90% of the time the individual affected by the listing is not the person with the infected device.
This policy also pushes the support costs on to the recievers, who must transport and filter the resulting spam.
In some cases it is even worse, since some networks filter against CSS and XBL on their outbound mail servers. The result is that if someone's shared IP is listed because of a proxy, they cannot send email even if they are using port 465/587. This breaks email and is extremely disruptive to conducting business, and makes people really angry.

Help and recommended content

See below for industry best practices and recommended content

M3AAWG | Best Common Practices for Managing Port 25 for IP Networks

Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) document outlining best practices for managing port 25, the default port for email transmission via Simple Mail Transfer Protocol (SMTP), in IP networks.

External

Best Practice • August 2023 • M3AAWG

Spammers Love Mobile Phone IP Space. Here’s How to Fix That.

Mobile phone companies are leaving the door wide open for spammers. They’re hurting their own customers (and the rest of the Internet) - but there’s still time to fix this.

Compromised

Service providers

Blog • April 19, 2024 • The Spamhaus Team

Amazon Web Services - thwarting spam with a decade-old best practice

When things move to the "cloud", sadly, good things don’t always follow. Miscreants of various sorts have long recognized that they too can benefit from the same advantages as regular users: scalability, abstraction and pay-per-use. It was thus no surprise that spamming operations set-up shop on the biggest of all...

Network security

Email security

News • February 28, 2020 • The Spamhaus Team

The conundrum that is the modern use of NAT at a carrier grade level

Modern NAT, including Carrier Grade NAT (CGNAT), complicates tracking by hiding multiple devices behind one IP, akin to a circus full of clowns. This anonymity facilitates spamming and malware distribution. ISPs can mitigate this by clarifying CGNAT usage and filtering outbound port 25, reducing support costs and spam.

Network security

Service providers

Blog • January 08, 2024 • The Spamhaus Team

When doorbells go rogue!

Here's a story of doorbells, specific software development kits (SDKs), proxies, and miscreants using your home network to send spam.

Compromised

Abused

Blog • October 19, 2021 • The Spamhaus Team

Let's talk about the danger of residential proxy networks

In our experience, residential proxies are an often overlooked security threat; one that can be very difficult to remediate for the end user who -in our experience- is entirely unaware of its existence.

Compromised

Abused

Blog • May 25, 2022 • Carel Bitter

Home

Resources

Restrict Port 25

Home

...

Restrict Port 25