What's my ISP up to?
April 10, 2008 11:49 AM

Starting this week, we had to "register" our non-@mybigtimeserviceprovider.com email addresses in order to be able to send out email.

Both my wife and I have our own domains that we use for web sites and our personal email addresses.
When those domains were initially set up, we were able to simply point our email clients to our remote domain email servers (mail.domainname.com) for outgoing and inbound email. We happily sent and received our email through that remote server, over our home connection.
Then our ISP put a block on that kind of activity: though we were still able to receive email from mail.domainname.com, we had to use our ISP's SMTP server (we'll call it smtp.mybigtimeserviceprovider.com) to send our mail. This was annoying. It also seemed to me that despite the ISP's assurances that this was for our protection, it actually increased the likelihood that my outbound emails would look like spam to people I sent them to, as they arrived from one SMTP server, bearing an email address from another server. (correct me if this is wrong thinking)

Last week, my wife, in whose name our household ISP account is held, received an email informing her that (paraphrased here, I don't have the email at work):
"We have noticed that you often use non-@mybigtimeserviceprovider.com email addresses for your outgoing mail** and want you to know that, due to certain new security features we've installed for your protection you will need to add these addresses to a list of verified addresses through our webmail panel. Failure to add these addresses will result in you getting a 503: unable to send error message from our servers for your outbound mail."
Is there any good reason that they would need to have a record of my personal, non-@mybigtimeserviceprovider.com email addresses "for security reasons?"

This is feeling like the straw that breaks my back where this service provider is concerned...

** WTF? they're spying on my email addresses? what else are they scanning for?
posted by I, Credulous to Computers & Internet (17 answers total) 2 users marked this as a favorite
Response by poster: oh, should add:
last year they dropped their USENET service, forcing me to pay an extra fee for access through another provider;
recently, in the Canadian media, they admitted they're "shaping" their internet traffic, scaling back the throughput of certain kinds of data (P2P, basically). Though I don't use P2P programs, I support Net Neutrality, and this makes me fear the thin-edge-of-the-wedge where control of my internet usage is concerned.
posted by I, Credulous at 11:53 AM on April 10, 2008

Best answer: They're trying to prevent their users from spamming other people; if you can send mail with arbitrary envelope or From: header addresses then you - or a zombie machine on your network - can be used to send spam, which will eventually lead to your IP or your whole ISP being blackholed so you can't send mail to some other ISPs at all - it's by preventing that result that this is done "for your protection".

A better solution would be for them to require you to list their SMTP server in an SPF text DNS record for your domain - but they'd have to do a lot of user education and hand-holding and write something to verify that you had that record set up correctly, so they are just taking the easy way and blocking all outgoing addresses that haven't been registered with them. It's a bit rude, but perfectly legitimate.

Can you set up TLS or SSH tunnel your SMTP connection back to your own mail server? That would solve your problem completely.
posted by nicwolff at 12:00 PM on April 10, 2008

My office's ISP just did this too. Very irritating. We are completely bypassing the ISP now and using an alternative port (80, which seems weird but will never be blocked by our ISP) on our domain's SMTP server.

I assume they just want a list of your email addresses so they can mark them as not-spam as they go through.
posted by Plug Dub In at 12:01 PM on April 10, 2008

I would also be alarmed by these changes. Were I in your shoes, I'd be shopping for a new hosting service.

For me, authenticated SMTP is a deal-breaker. If they used to provide this and then unilaterally decided to discontinue the service, I'd be walking.

My current host disallows "catchall" email accounts for my domains, under the argument that it dramatically reduces spam. However, I can configure as many "forwarders" as I like. I'm not sure if this is the same situation you're facing with your wife's email usage or not.

Do you feel comfortable sharing the name of the provider you're using currently?
posted by browse at 12:02 PM on April 10, 2008

You're dealing with ******, right? (Six letters, big Canuck name, may evoke fond associations in our American cousins.) That is one inept, ass-sucking excuse for an ISP. I was getting a series of 553 server errors, as were many other people, after they made the switchover, and it took several visits to their voicemail hell to get things set up correctly. They told me that this was a security measure in order to prevent spammers from emulating my email addresses (although, as nicwolff says above, that sounds like corporate bafflegab and they really suspect us of spamming) and that it would also reduce spam. I'm getting as much spam as ever, so I hope that it really is more secure.

So I'm leaving soon, once I get some new domains set up. I'd suggest you do the same. And as far as the ISP knowing what email addresses you use: once you send mail through their servers, it's theirs to look at (theoretically). I'm not concerned about that as much as their basic lack of transparency and competence.

posted by maudlin at 12:02 PM on April 10, 2008

They're not really "spying" on your e-mail addresses - your mail client tells them the From address when it sends mail - that's normal. TLS or SSH would prevent them from knowing what From addresses you're using, although of course whoever's running your mail server would still know.
posted by nicwolff at 12:06 PM on April 10, 2008

Best answer: I'm guessing you're using BT, since they've just implemented this feature.

It is actually for your protection; or more strictly speaking, the protection of everyone else. A computer that gets infected with a spambot by any of various methods will sit spewing out spam to legitimate email servers around the globe, going out to port 25 directly on the destination server, filling up spam boxes.

You sit on your legitimate, uninfected computer, sending out email directly to port 25 on a destination server, i.e. your @personaldomain.com server who then legitimately relays your email.

From your ISP's point of view, these two cases are very hard to tell apart, so to cut down on the spam problem, they stop users sending out from their network to port 25, the SMTP port.
Thus you end up having to use your ISP relay. This doesn't make your email look like spam btw, as other people have no idea what server your personal domain should actually be sending via anyway, unless you use DomainKeys or SPF to say so - and in that case, you'd just specify your ISP SMTP server as a legitimate relay (SPF prevents a different kind of problem, called a joe-job, which is a whole 'nother ball of wax).

Now, using your ISP relay sucks if it's rubbish, and as you've discovered, they can also force you to only send email via them with an @bigISP address. The reason for making you register your @personaldomain.com address with them is a middle ground; they don't ban nonISP From: addresses entirely, but they require them to be registered.

The reason for this is, again, fighting users' infected PCs sending spam. The trojan on the user PC is smarter, and looks in the usual email clients for the SMTP server of bigISP, and sends via that, thus circumventing the first outbound port 25 block. Now bigISP is spewing spam via its legitimate email servers, they get blacklisted, and all the email from bigISP gets blocked by hotmail for a week, making a lot of very unhappy customers.

So they make you use an actual login account with password to login to the bigISP SMTP server. This goes down like a lead balloon as most customers aren't logging in, and now they can't send email and don't know why. Much pain for bigISP. They back off, and only require a bigISP email address in the From: tag, or one they know is not coming from a spam bot sending out lots of fake spam with fake From: addresses. Eventually, they'll block all non-registered From: addresses from relaying via the email server.

Thus the need for you to register your personal domain as a real one, and prove you're not a spam-spewing zombie!

The simplest solution, by far, is to see if your personaldomain SMTP server supports SSL encryption + SMTP on a port other than 25, usually 465 or sometimes 587. Then your email can be sent directly to your personal domain server as before, and all encrypted so your password isn't being broadcast in the clear to every server and network between you and your personal domain mailserver. Your ISP should still allow that without difficulty.

Option B is to suck it up, register your domain and carry on jumping through hoops to use your own domain with your ISP's mailservers.

Option C is to find a less restrictive ISP. Most ISPs are starting to block outbound port 25 traffic though, because of the vast number of spam-spewing home PCs - the days of open port 25 may well be nearly at an end.
posted by ArkhanJG at 12:11 PM on April 10, 2008 [1 favorite]

PlugDub's suggestion of running your own remote mail server on port 80 (of another interface if you're already running a Web server at that IP, or at 443 if you're not listening for HTTPS) is also good if setting up TLS or the SSH tunnel is difficult.
posted by nicwolff at 12:12 PM on April 10, 2008

Best answer: A lot of SMTP servers are opening port 527 as a (semi-)standard SMTP port alternative. Try it on your hosting company's SMTP server; it may work.
posted by CommonSense at 12:13 PM on April 10, 2008

As a spam-blocking measure, a lot of ISPs simply block outbound traffic on the usual SMTP port (whatever that is) bound for mailservers other than their own. That's probably what they're threatening to do to you. See if your domain host lets you use a different port. That's probably the easiest solution.
posted by adamrice at 12:16 PM on April 10, 2008

TLS encryption on port 25 of your personal mail server probably won't work, BTW, as port 25 is likely blocked for outbound regardless of what the traffic actually is.
posted by ArkhanJG at 12:21 PM on April 10, 2008

Er, correction: It's port 587, not 527.
posted by CommonSense at 12:22 PM on April 10, 2008 [1 favorite]

I'm also assuming you don't actually mailadmin your personaldomain mail server, you just host your domains with a company and they provide an SMTP server as part of the deal. Popping the tech support of your hosting company or checking the FAQs should tell you if you can send email via their mailserver on a non-standard port, encrypted or otherwise. Most email clients support SSL SMTP these days, it's just a tickbox and specifying a different port to send to.
posted by ArkhanJG at 12:24 PM on April 10, 2008

Response by poster: thanks all for the kind support.

for those curious, our ISP is Rogers. Yes, they suck, but not as much as Bell (Canada's reigning example of monolithic corporate suckitude).

All these TLAs getting batted around got my head spinning, but I was intrigued by talk of using other ports to actually access my own mail.personaldomain.com mail server.

A quick trip over to my domain hosting company's** wiki filled me in on the joys of port 587.
I'll implement that course on our home computers tonight, and skip around Rogers' "rude but legitimate" steps to curb mail zombies.

**(Dreamhost, for the curious. Been using them since forever now, and quite happy with the service and value)

Since I use Thunderbird at work to read & respond to my personal email (to keep it separate from my work email, to keep my personal email from travelling through my company's Exchange server, etc.) it was already configured to send to port 465 (secured by SSL) to mail.personaldomain.com.

thanks, again, now to put the fix into action.


I, Credulous.
posted by I, Credulous at 12:54 PM on April 10, 2008

How about a tunnel?

On Windows, set up a tunnel between your system and the SMTP server using PuTTY. Other OSes will have other solutions.

With a tunnel they have no way of knowing what traffic is passing through their network.
posted by w.fugawe at 1:58 PM on April 10, 2008

They're trying to prevent their users from spamming other people;

I think they are both trying to prevent spammers AND trying to encourage people to use their *@bigisp.com email addresses. It is very good marketing to have the public see a lot of *@bigisp.com, and it is very good business to hold dissatisfied customers' emails hostage. Of course big ISPs think about the business case when they make this kind of decision.
posted by Chuckles at 12:01 AM on April 11, 2008

I'm also with Rogers and have quite a few non-@rogers email addresses. My outgoing SMTP for these addresses is still working fine on port 587 after adding them to the Rogers webmail interface. I'm still switching to TekSavvy next week though.
posted by Umhlangan at 7:28 AM on April 11, 2008
