>The "nicest" solution that I can see is for the ISPs to transparently
>proxy port 25 to their MTA. They should offer STARTTLS.

Assuming you're not pulling my leg, I couldn't disagree more strongly. This is even worse than blocking port 25 outright.

I actually encountered an ISP that does this. I can't remember their name, but they provide many of the DSL Ethernet hookups in hotel rooms. I discovered only after I had sent a few messages that they were hijacking (the only correct word) my outbound connections to port 25 and redirecting them to their own mailservers. They didn't support STARTTLS, and even if they did there is no reason I should trust them.

It did teach me the importance of protecting against the man-in-the-middle attack. This is not often done, at least not by default, in many STARTTLS implementations.

I do agree with you about the utility of IPsec and IPv6 tunneling as ways around this braindamage. TCP connection tunneling over SSH is another good approach.

Phil
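Added example, not part of the original message: a client-side check against the interception described above, written with Python's standard `smtplib` and `ssl`. The names `UntrustedRelay`, `strict_context`, `upgrade_or_abort`, `send_verified` and `FakeHijackedSession` are hypothetical; the client refuses to send unless STARTTLS is offered and the certificate verifies for the host it meant to reach.

```python
import smtplib
import ssl


class UntrustedRelay(Exception):
    """The peer on the SMTP port could not be authenticated; nothing was sent."""


def strict_context(cafile=None):
    # The default context already verifies chain and hostname; both are set
    # explicitly so a later edit cannot silently weaken them.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def upgrade_or_abort(smtp, context):
    """Upgrade an open SMTP session with STARTTLS, or raise. No cleartext fallback."""
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        # A relay that lacks (or strips) STARTTLS ends up here.
        raise UntrustedRelay("STARTTLS not offered")
    try:
        # smtplib passes the host given to SMTP() as server_hostname, so the
        # certificate must match the server the caller intended to reach.
        smtp.starttls(context=context)
    except ssl.SSLError as exc:
        raise UntrustedRelay(f"TLS verification failed: {exc}") from exc
    smtp.ehlo()  # re-read capabilities inside the tunnel
    return smtp


def send_verified(host, sender, rcpt, message, port=25, cafile=None):
    """Send one message, but only over a verified TLS session to `host`."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        upgrade_or_abort(smtp, strict_context(cafile))
        smtp.sendmail(sender, [rcpt], message)


class FakeHijackedSession:
    """Constructed stand-in for a relay that answers EHLO without STARTTLS."""
    def ehlo(self): return (250, b"relay.example")
    def has_extn(self, name): return False
    def starttls(self, context=None): raise AssertionError("must not be reached")
```

A relay that presents its own valid certificate for a different name fails the hostname check in `starttls`, so it is rejected the same way as one that offers no STARTTLS at all.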