The Spam Superhighway

What’s “Port 25,” and what does it have to do with Internet junk mail?

Illustration by Robert Neubecker.

A set of guidelines, published last week, for how to crack down on spam e-mail recommends that Internet service providers block outgoing traffic from customers on “Port 25,” a major conduit for unwanted e-mail. (Read the guidelines here.) What is Port 25, anyway?

The virtual pathway that most e-mail traffic follows when it travels from your computer to a server. Because there are so many different kinds of information being transferred on the Internet—Web pages, e-mail, and database requests, to name a few—data are divided into separate streams, called ports. A given packet of information will have a number attached to it that tells the receiving computer what kind of information it’s receiving. This allows the receiver to deal with it accordingly. For example, normal Web traffic will arrive at your desktop tagged for Port 80, while secure Web data often uses Port 443. (These “ports” are purely virtual, not to be confused with the physical ports on the side or back of your computer that connect it to other devices.) Most e-mail is sent on Port 25.

When you send an e-mail to a friend, your computer will typically use Port 25 to route the outgoing message to a local server that the network operator has specially designated for handling e-mail. That pre-approved e-mail server then finds the server that handles your friend’s incoming e-mail and sends along your message.

Port 25 can get clogged with thousands of spam e-mails when computers on a network become infected with a virus or other malicious software. Security experts believe armies of these infected computers are responsible for sending the vast majority of spam. (See the Explainer’s take on these “botnets.”) Instead of using Port 25 to route their messages internally to an approved mail server the way they’re supposed to, these “zombie” computers use it to send spam directly to the recipients’ servers. This enables them to send large quantities of e-mail without being easily detected by the network operator.

The anti-spam guidelines propose shutting down Port 25 for only this particular type of traffic—which goes straight from an individual computer to the destination server and skips over the middleman of the local mail server. In other words, only those local mail servers would be allowed to use Port 25 to send e-mail to external locations.

In fact, most major Internet service providers in North America are already doing this, and they generally report a decrease in spam originating from their users. Blocking traffic out of Port 25 from computers not recognized as designated mail servers does, however, have the potential to block legitimate traffic as well. Small businesses that don’t have the resources to maintain a designated mail server may send out e-mail in the same way an infected computer does. There are also some tech-savvy users who don’t want to route their messages through their service provider’s mail server, sometimes out of security concerns. Nonetheless, the recent guidelines outline some alternatives (PDF) for ISPs that don’t want to cut off such customers.
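As an added illustration (not part of the original article), the following Python models the egress policy described above and the traffic pattern it is meant to catch: designated mail servers may open Port 25 connections anywhere, ordinary customers may reach only the local mail server on Port 25, and customer hosts fanning out direct Port 25 connections to many remote servers are flagged. The addresses, flow records and threshold are constructed; Port 587 (authenticated message submission) stands in for the alternatives the article leaves unnamed, which is an assumption on my part.

```python
from collections import Counter, defaultdict

# Hypothetical ISP network (constructed, RFC 5737 documentation addresses):
# the provider's designated outbound mail servers, the only hosts permitted
# to open Port 25 connections to the outside world.
DESIGNATED_MAIL_SERVERS = {"203.0.113.25"}
SMTP_PORT = 25  # server-to-server SMTP, the port the article discusses

def egress_decision(src_ip, dst_ip, dst_port):
    """Decide whether the ISP edge lets an outbound connection through.

    Only Port 25 is policed: a customer may still reach the ISP's own mail
    server on Port 25 (the normal route), and the designated servers may
    reach any remote server. Every other port is unaffected by the policy.
    """
    if dst_port != SMTP_PORT:
        return "allow"   # not SMTP; e.g. web traffic or Port 587 submission
    if src_ip in DESIGNATED_MAIL_SERVERS:
        return "allow"   # the ISP's own relay delivering mail onward
    if dst_ip in DESIGNATED_MAIL_SERVERS:
        return "allow"   # customer handing mail to the local relay
    return "block"       # customer speaking SMTP straight to a remote server

def summarize(flows):
    """Count allow/block decisions over a batch of (src, dst, port) records."""
    return dict(Counter(egress_decision(*flow) for flow in flows))

def suspected_zombies(flows, threshold=3):
    """Flag customer hosts that fan out direct Port 25 connections to many
    distinct remote mail servers, the pattern the article attributes to
    infected machines. The threshold is an assumed tuning value."""
    remote_targets = defaultdict(set)
    for src_ip, dst_ip, dst_port in flows:
        if egress_decision(src_ip, dst_ip, dst_port) == "block":
            remote_targets[src_ip].add(dst_ip)
    return {src for src, targets in remote_targets.items() if len(targets) >= threshold}

# Constructed flow records: (customer source IP, destination IP, destination port)
FLOWS = [
    ("203.0.113.25", "198.51.100.10", 25),   # ISP relay -> remote server: allowed
    ("203.0.113.40", "203.0.113.25", 25),    # customer -> local relay: allowed
    ("203.0.113.41", "198.51.100.10", 25),   # customer -> remote server directly: blocked
    ("203.0.113.41", "198.51.100.11", 25),   # same host, second remote server: blocked
    ("203.0.113.41", "198.51.100.12", 25),   # same host, third remote server: blocked
    ("203.0.113.42", "198.51.100.10", 587),  # authenticated submission port: not policed
]

if __name__ == "__main__":
    print(summarize(FLOWS))                  # {'allow': 3, 'block': 3}
    print(sorted(suspected_zombies(FLOWS)))  # ['203.0.113.41']
```

The small-business case from the paragraph above shows up here as a false positive: a legitimate host sending its own mail directly would be blocked and, with enough recipients, flagged exactly like an infected machine.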

Most anti-spam researchers acknowledge that blocking Port 25 wouldn’t snuff out spam altogether and may provide only a temporary fix. In the last year, spammers have succeeded in breaking CAPTCHA systems—those tests with distorted numbers and letters meant to determine whether you’re human—and registered for thousands of Web mail accounts. That lets them send out their spam without using infected machines.


Explainer thanks Matt Bishop of the University of California, Davis; John Levine of the Messaging Anti-Abuse Working Group; and Joe Stewart of SecureWorks.