Spammers need IP addresses in order to originate mail. Without a  machine on the internet, a spammer can not inject spam into the system.

Spammers in the old days used to purchase large address spaces and bandwidth to send mail, but antispammers got very good at blocking the subnets. So spammers turned to masking their actual connectivity by "creating" millions of IP addresses that could be used to send spam. These machines are referred to as zombies or bot nets but are 
basically a windows PC infected with a virus that allows the machine to act as a proxy which is in the control of the spammer. Spammers now send the spam through one of these compromised machines 
(typically a Windoze PC on a always on broadband connection) which masks their true network identity.

Most (>99%) of these infected PCs have no legitimate requirement to transmit unauthenticated email data on port 25. In an improved world,  Port 25 should only be used for sending unauthenticated email data from mail server to mail server (Mail Transmission Agents - MTAs).   
Mail Clients (MSAs) should always authenticate before being allowed to submit (originate) mail. Even if the client is on the server's "trusted internal network", it should be a requirement for the client  to always authenticate before sending mail. Period. Clients always authenticate to read mail, why do we allow anonymous submission of mail?

http://mipassoc.org/spamops/draft-hutzler-spamops-05.txt

I know blocking port 25 from end-user machines works well and without major side-effects. did it for a large ISP and saw the sustainable results. We then did it on behalf of most of the other ISPs in the world...we did it on our side even if the other ISPs were unable or  not competent enough to do it themselves. And the result was nothing less than spectacular and sustainable.

What are the downsides to blocking Port25?
1. People on consumer broadband networks trying to run mail servers on their DHCP addresses
2. People who have web hosting (or similar) accounts that need to submit mail "off network" and their hosting company does not provide an alternative port (e.g. 587)
3. People who are using POP3 before SMTP as their authentication method (John, who created that anyway ;-)

All of the downsides are solvable:
1. ISPs can whitelist their members who run mail servers to allow port25 outbound from those hosts. Remember, this is <<1% of the population.
2. Web hosting companies can start listening for authenticated email traffic on alternative ports, like 587
3. Anyone using POP3 before SMTP should be migrating to SMTP AUTH standards. Period.

******

I am an engineer. And while system designs always strive for the perfect, we never let the good enough get in the way of fielding a workable solution. So if I could reduce spam by 80% and not have any impact on 99%++ of the population of internet users, I would do it. 
And for the <<1% of the people who do run mail servers on their broadband connection, lets whitelist them and let them have port25 
access. Have a sign-up page for the user and let them say "I need 
port 25 access, please open it for me". Done.

I think everyone would be a lot happier.

Carl Hutzler

 

RESOURCES

• Approved Scanning Vendors - Companies with the authority to evaluate your system.
• Clone Systems® is your PCI Authorized Scanning Vendor (ASV) for all DSS Requirements. Our in-house Certified Information Systems Security Professionals (CISSP) launch your official PCI Scan, and then collaborate to generate the most comprehensive and accurate PCI report, including an Executive Summary.
  Complete your own pre-PCI Scan with our FREE Online Vulnerability Scanning. Our smart VSCAN tool gives you the ability to scan, detect, and resolve any vulnerabilities before your official PCI Scan.
• InterMapper 5.0.1 is available