Comcast Cuts Infected PCs' Network Connections
fidget42 writes "I just noticed this article over at Infoworld. It seems that Comcast is finally doing something about the machines on their network that are being used by spammers. They are now cutting off service to those customers who have computers that have been hijacked by spammers. Now, if only other broadband ISPs would start policing their user base ..."
Now, if only other broadband ISPs would start policing their user base ..."
ATTBI (back in 2002) was disabling people's accounts for being infected with worms... People's modem CFG file would be set to disabled.cfg and they would have block sync but wouldn't be permitted onto the network.
If Comcast took over from ATTBI and is using parts of their existing network, I just can't understand why modems were not being disabled recently for infection by worms.
Because we all know Corporations policing is a VERY GOOD THING!(tm)
You'd be first in line to moan about them 'infringing' on your interweb right!
Which side of the fence are we on? We don't like bandwidth limits, but we do like automatically triggered cutoffs, because we all know there is no such thing as a false positive.
Also, say grandma gets infected. She is best off downloading updated definitions for her old version of Symantec, and letting AV take care of it. How do you do that with no intarweb?
One down, one to go. Just think of all those logs your firewall generates that show time 300,000 connections from the SAME IP with the SAME VIRUS SIGNATURE... and Time Warner won't do anything about it (say, for instance, shutting off their cable).
Comcast has taken the right steps here. So again, thank you... maybe that'll be enough to get other providers to start 'assisting' in preventing the continued harassment of my router.
Doesn't this force those users to go out to CompUSA and buy a copy of McAfee or Norton antivirus?
Blocking web access also means that those users aren't able to download good, free virus scanners like Grisoft's AVG.
I have been pwned because my
For example, I administer a mail server, and occasionally have to mail a virus or spam to myself to check that the filters are operating correctly. It would be very inconvenient if I got my connection pulled each time that happened.
completely at random, just in case they might be infected!
They do the same with phone lines, in case you might be using that line to dial an infected machine up!
Ahh, Qwest... thine spirit of service doth truly amaze.
I know anecdotal evidence is pretty much worthless, but my friend got infected with all sorts of nasty ad/malwares, along with Blaster and a couple other worms. Cox deactivated his cable modem, he had to call them and go through phone hell to get his service back. So I'm not really sure it's only Comcast doing this.
I'm on top of my game like I'm standin' on Xbox.
Are these guys even allowed to do this based on the user agreement they get their subscribers to sign? I'm sure most of these computers that get hijacked are used by Joe Somebody who probably has no idea that his computer has been hijacked. If Comcast and other ISPs are so keen on cutting off access to spammers, why not provide a firewall and antivirus programs along with their subscriptions? I'm sure it'd cost them a piddly amount and wouldn't really be all that hard to work out a deal with these software vendors to bundle them into the deal. Maybe I'm way off base here but it just doesn't sound right to just cut off access.
Although a lot of the spammers are not spammers but people with infected computers. But they won't do anything unless they have to. Cutting net access to them will force them to fix the problem one way or another. Most people who are hacked will go "well, it is not affecting me so I won't fix it." But with their connection gone then it is affecting them. Now they can fix it themselves or hire someone to do it. But this is a good first step.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I applaud this decision. Even though it will possibly cost them customers or cost them additional tech support time, they will be cutting off people's owned Windows boxes.
Let's hope they hold to this once the calls start coming in from people who have everything from Bagle to Netsky (along with probably a heavy dose of spyware too).
wtf? How is this going to benefit the people who're running the machines?
Try sending out an ISP bulletin with the simple tips on how to avoid getting exploited in the first place. It's dead simple.
1. install patches regularly
2. virus scan
3. don't open attachments
4. don't install spyware.
If people used these 4 simple techniques, while it wouldn't be perfect, it would by my thoughts drop the number of infected machines down by three quarters, which will DRAMATICALLY reduce the efficiency and productivity of running a spamming business, and spammers won't have any choice but to leave you alone.
Cutting people off is just going to get them to take infected machines somewhere else.
... would be to put the network connection onto a quarantined sub-net where all the necessary virus removal tools were available. Once the machine was cleaned up, it would be allowed general network access again.
Fine, stop the infected machines from DDoS'ing. But hey, can the SERVICE be a little more SERVICE friendly? Like this: DHCP Message comes up: "Dear Comca$t customer. Your computer seems to be infected with a computer virus. We will only allow you access to our FREE antivirus tools site until you have resolved this problem. Please contact us at blah, blah, blah". Then let 'em into a site that they control with standard tools to detect and blow away those worms. Might make the customers happy instead of ticked off.
I had a machine on AT&T (now Comcast) that was infected by a worm. Bummer. I'll tell you, you have to keep up with those service packs even if you're going to directly connect to the network for "just a few hours".
Anyhow, my friends at AT&T Broadband (the ones that never answered their phone) sent me a nastygram telling me that I was doing a bit too much port scanning for their liking (duh...)
So I ripped the machine off the network and poked around. Yep, it turned out that my machine was infected a few hours after I installed the OS, and it was doing its bad thing for WEEKS.
At the time, AT&T just "informed me" that I should stop doing bad things. I think it would have been prudent for them to kill my service until I took corrective action.
Of course, this was 3 years ago or so... a more innocent time...
That explains why I haven't been spammed by a Comcast box for ... 36 minutes :(
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Now, if only other broadband ISPs would start policing their user base ..."
I'm not sure ISPs should be 'policing' their users. This could lead to them 'policing' for many things, i.e. P2P, content, blogs....
It sounds like a slippery slope.
I for one welcome our new connection blocking ISP overlords?
First time for me...
I agree that this should be done in extreme cases where the customer is CONTACTED before so that information and education can be PROVIDED. Simply clipping the wire does not fix the issue for anyone but the ISP.
Second, Backroads.net implemented the policy above with much success. I was happy as a customer of theirs.
It is unfortunate that this has to be done, but wouldn't a more effective solution be to block all ports but 80 or maybe even force all their traffic to a URL with an explanation of the virus and let them know that they cannot do anything on the web until it is fixed?
SP
Why disable the account when they could just block certain ports?
Code Red showed up in August of 2001. Anti-virus vendors, and even Microsoft, released detection and cleaning tools. To this day, two and a half years later, I am still getting Code Red hits from infected machines.
It is about bloody time that a large provider has become willing to proactively cut off infected machines. Now if only UUNet would do the same, as most of the Code Red hits I receive come from within my own NSP's network.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
How is an infected user supposed to resolve the issues that they have if they can't get to an update or patch?
This reminds me of the idea of putting people in jail for debt. Bankruptcy amounts to a life sentence, since there was no possible way a person could make up the sum of money while in jail, away from the work force.
How can these people fix the problem without access to up-to-date patches and virus scans?
I would hope that Comcast would start providing anti-virus software. If for no other reason than that its DSL competitors are doing so, and advertising that fact!
Mail Admins do yourself a favor.
Just nuke the following -
client.comcast.net
and
client2.comcast.net
And for good measure - client.attbi.com
That should take care of most of the zombie / virus / idiot mail. None of their residential customers should be sending email directly from a dynamic IP address. This will seriously cut a good bite of the spam / viruses you are receiving, and you don't have to worry about missing email because they should be relaying through central mail servers.
how are they supposed to update their virus definitions ? I find this a very narrow sighted policy.
When will I end this grieving ? When will my future begin ?
Or have an automated computer call the customer, and inform them they need to clean their computer.
If they are mainly targeting "hijacked" computers that are spam engines, this sort of problem may be more difficult for the average user to fix than say a virus. If a spamhaus is remoting maybe 200 computers, is that enough to catch Symantec's attention and make a definition for? Possibly not. Removal of this sort of "low incidence" non-viral back door would then require the user to nuke and pave their system unless they were/knew someone familiar with registry editing etc.
I work for the Department of Redundancy Department.
don't cut them off
send them an email saying something like "type ftp://blah.blah.blah in your internet explorer (would they be using any other browser?) and run the virus remover exe you see there"
then dump them into a quarantine subnet with access to nothing else except that ftp address
that email would be the last email in their inbox
just cutting them off leaves them no recourse
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
They should fine them as well. The great unwashed who think all there is to operating a computer is pressing the start button and firing up their email program should be scared into GETTING A CLUE. I have to say, the number of PCs I see full to the brim with viri, trojans, spyware, adware etc is frightening. These machines are almost grinding to a halt because of all the malware on them. It's pathetic.
To me, this sounds like an OK idea, because I bet this will be the ONLY way that many users FIND OUT that their computers have become zombie spambots.
There is a certain responsibility that comes with being a part of the internet, one that has become greatly understated since the commoditization and commercialization of the 'net as a whole: do not become a danger or a malfeasance to the rest of the machines that are also connected.
Unfortunately, this is something that seems to be lost on the clients of broadband always-on connections, especially those that are used by folks with little or no proficiency. While they have no intention of becoming spam-hosts, or DDOS platforms, by not keeping their machines protected against the various evils that lie in waiting out there, they unwittingly become part of the problem.
This does not reduce the hassles and costs to other sysadmins and users of the 'net as a whole. That said, it seems only fair for an ISP to mitigate the problem by pulling the connection of a user whose system(s) are spewing out malware.
There are reasonable precautions one should take, that is, having a good firewall, keeping the machine patched and having good virus protection. No, this does not come without some effort and not always without cost. But, to be connected to the internet full-time, it is a cost of doing business, not unlike having insurance for your car in case you cause an accident. Liability insurance is to protect the public, and you from losing everything should you do harm to others. Keeping worms, trojans and viruses off of your machine also protects not only you but others as well.
So, it is really a matter of responsibility.
Require the installation of a "personal firewall" when the users sign up for an account. Hell, everything else and the kitchen sink was on that CD when I signed up for Comcast... This would probably cut 99% of the problems out. If not a software based solution, how about a hardware based one? How hard would it be to put a firewall in the router they charge 4.95/m to use? Hell, tech support could configure it for grandma, grandpa, mom, dad, ...
But I guess it is easier to just shut them off, and then charge a reconnection fee... eh?
--ryan
Lets put it another way: the ISP states in their terms & conditions something like: "Subscribers are not allowed to distribute spam or worms over their connection, nor are they allowed to carry out DDOS attacks.". Doesn't sound too unreasonable, does it? Not even if the user breaks this rule unwittingly, because his computer is infected with something nasty.
A rule like this puts the responsibility for the cleanliness of the subscriber's computer firmly with that subscriber. Rightly so, since that user is in an excellent position to do something about it. It sucks being disconnected because of a worm on your machine, but the alternative is to allow the worm to continue to spread.
The only things I worry about are the accuracy of the detection mechanism used on the ISP's side, and the promptness with which they reconnect you after you fix the problem on your machine.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
The fundamental conflict here is freedom.
Freedom of access no matter what the activity.
The problem with that, is some activities infringe on the freedoms of others. In my humble opinion (and I really mean that), once you start infringing on the freedoms of others on the Internet by your activity (or inactivity to solve your virus problem), you lose your access.
The biggest problem with all these worms is that they don't just infect a single computer, they spread, threatening thousands of people per computer infected (if not more). That's not fair to the others on the Internet.
Bottom Line: If you can't keep your computer from pounding mine, AND reducing the total amount of bandwidth available to me on the network and on our node, then you don't deserve access until you've rectified the situation.
If it's poor grandma who gets cut off... she wouldn't be able to solve the problem herself even if she did have Internet access. Do you really expect her to update her virus definitions, grab the necessary Windows Updates, boot into safe mode, disable System Restore, run the VirusScan, remove everything, then run the Windows Updates, THEN reboot into regular mode?
That's a lot to expect of -anyone- unfortunately. It's not a hard process to follow, but computers intimidate the most intelligent people out there... (sigh)
As some have pointed out, cutting off someone's connection can be too drastic (no more antivirus updates, for example). Instead, why not reduce it to "barely usable", maybe even gradually tightening? Here are some ideas:
1) Throttle traffic, especially outbound.
2) Increase latency.
3) Disable ports.
4) Restrict IP addresses.
Any suggestions? Problems?
Now we only need SCO to start suing spammers, 'cause spam is their patented source code. But honestly, good job from ComCast, but yes there might be a problem fixing the whole damn thing when you need the tools from the net. But again "Format C:" usually takes care of that.
So much for only supporting Windows. They just added some more non-depreciable costs to their bottom line.
Until they fix their computer, just block their ability to send email except to their ISP and bounce all spam back to the email address registered with the ISP. Of course, this would simply end up being a DDOS against MSN and Yahoo.
I make my face look like this and concerned words come out.
Do your ISPs use bogus antivirus counter-measures?
Mine:
-disallows attachments with
-disallows connections not-through-proxy and does some filtering there
-disallows mail with From: other than their own mailserver
-requires written permission for starting your own mailserver
-allows connections matching your IP against your MAC address (despite lack of DHCP) - you need to "register" your new network card
-limits ICMP to 2/s so if 3 people (out of hundreds) launch ping at the same time, packets start vanishing.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
Here is Comcast's Terms Of Service.
From the AUP:
Note: Comcast reserves the right to immediately terminate the Service and the Subscriber Agreement if you engage in any of the prohibited activities listed in this AUP or if you use the Comcast Equipment or Service in a way which is contrary to any Comcast policies or any of Comcast's suppliers' policies. You must strictly adhere to any policy set forth by another service provider accessed through the Service.
So they can terminate service, based on violation of the subarticles:
(vii) restrict, inhibit, or otherwise interfere with the ability of any other person, regardless of intent, purpose or knowledge, to use or enjoy the Service, including, without limitation, posting or transmitting any information or software which contains a worm, virus, or other harmful feature, or generating levels of traffic sufficient to impede others' ability to send or retrieve information;
And transmitting a virus is definitely a violation. Still, it would be nice if there was more information on what will cause them to pull the plug.
It's about the easiest thing in the world for the ISP to do and it's _very_ effective. Another option would be for ISPs to force all SMTP traffic through their own mailserver and virus scan it. They could easily spot a home user sending a couple of thousand messages in an hour or one spreading infected email everywhere.
If you want unfettered access you can pay for a co-lo box and take the responsibility too. People can't keep hiding behind their ISP and dynamic IPs. I'm all for personal freedoms on the net, but with freedom comes responsibility. Deal with it.
Oh come on now...
As much as I love OS X (sitting on it right now), it is not "infection-proof".
BSD/OS X is just as vulnerable to hacking as any other Unix system if left unpatched and unmaintained.
Just because there hasn't been a working worm written for BSD/OS X doesn't mean there won't be one.
PLUS, -just- having an updated AntiVirus doesn't solve the problem! It's the patch level too, it's the non-configured software or hardware firewalls, it's the complete dearth of knowledge of the basics of computer security! Everyone has to learn to drive, so everyone has to learn to keep things at a baseline level of security.
Why don't you do your part and instead of calling people stupid, educate those you know, and tell them to educate others?
Some ISPs periodically scan their users' computers to see if they are exhibiting open relay behaviour, then inform the user that they will be disconnected unless they fix the problem. Now I'm sure it can't be difficult for them to test for a whole load of possible infections/configuration problems on their networks and take an appropriate action. If they all did this, then the spam problem would be dramatically reduced.
43 - For those who require slightly more than the answer to life, the universe and everything.
Now that would be a 'Good Thing'!
As a whole, this is a very good move by Comcast, and, should other ISPs pick up the slack, could make the internet a much more civil place for me and my inbox. However, I certainly hope that they are giving forewarning to the people who are having their accounts disabled. There are many tech inepts out there that have no idea that their computer is laden with viruses and such. So when Comcast disables their account, you get the "Oh no! The Internet is broke!" Hopefully, Comcast gives these people warning and has a good help service for those who don't know how to purge their computers of the viruses.
Skill is successfully walking a tightrope over Niagara Falls. Intelligence is not trying. -- Anonymous
Put these users on their own vlan. Give them access to their web email servers and send them a message with a download link to fprot or whatever virusscan package is out there. Let them download it. Once the spamming stops, put them back on the regular internet.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
I remember, I was too poor to pay $300 for business cable, and when Code Red rolled around they blocked my webserver and mailserver. I tried explaining to the technical support that GNU/Linux is not vulnerable to Code Red, but to no avail. This made my customers (our family business) really happy.
The worst part is they had said I was allowed to run a server.
Wouldn't this be better served by simply blocking egress port 25 (eg, users can't send email out on port 25 to anything other than the ISP's own email server) and also enable SMTP auth on the ISP's server?
That way, any SMTP engine isn't going to be able to connect at random to various mail servers, and if they try to connect to the user's ISP mail server, it will have to know the username/password. And if it happens to get that info (or uses the user's own mail client) the ISP should be able to log large scale email traffic based on username.
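Both the "spot a home user sending a couple of thousand messages in an hour" idea above and this post's "log large scale email traffic based on username" suggestion come down to the same check on the ISP relay. The sketch below is an added example written for this page, not Comcast's or any MTA's code; the log line format, account names and threshold are constructed assumptions, and it flags accounts by recipients per sliding hour rather than by raw message count, since one message to 500 recipients is as much spam as 500 messages.

```python
"""Per-account outbound volume check for an authenticated ISP SMTP relay.

Assumes residential SMTP is forced through the ISP relay with SMTP auth,
so every accepted message is tied to a username. The log format here is
constructed for this example and is not any real MTA's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> client=<ip> user=<name> rcpts=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) user=(?P<user>\S+) rcpts=(?P<rcpts>\d+)$"
)


def parse_line(line):
    """Return (timestamp, client_ip, user, recipient_count) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (
        datetime.fromisoformat(m.group("ts")),
        m.group("ip"),
        m.group("user"),
        int(m.group("rcpts")),
    )


def peak_hourly_volume(events, window=timedelta(hours=1)):
    """Return {user: peak recipients accepted in any sliding window}.

    A deque holds the events inside the current window; as each new event
    arrives, older ones that fall outside the window are dropped from the
    running total. The maximum total seen is that account's peak.
    """
    per_user = defaultdict(list)
    for ts, _ip, user, rcpts in events:
        per_user[user].append((ts, rcpts))

    peaks = {}
    for user, items in per_user.items():
        items.sort()
        recent = deque()
        total = 0
        best = 0
        for ts, rcpts in items:
            recent.append((ts, rcpts))
            total += rcpts
            while recent and ts - recent[0][0] >= window:
                total -= recent.popleft()[1]
            best = max(best, total)
        peaks[user] = best
    return peaks


def flag_accounts(lines, threshold=2000):
    """Accounts whose peak hourly recipient volume reaches the threshold.

    Malformed lines are skipped rather than treated as evidence, so log
    noise cannot by itself push an account over the line.
    """
    events = [e for e in (parse_line(ln) for ln in lines) if e is not None]
    peaks = peak_hourly_volume(events)
    return sorted(user for user, peak in peaks.items() if peak >= threshold)


def sample_log():
    """Constructed sample: one ordinary account and one hijacked spam engine."""
    base = datetime(2004, 1, 15, 9, 0, 0)
    lines = []
    for i in range(3):  # grandma: three single-recipient mails over 40 minutes
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} client=10.0.0.5 user=grandma rcpts=1")
    for i in range(250):  # zombie42: 250 mails x 10 recipients in ~29 minutes
        t = base + timedelta(seconds=7 * i)
        lines.append(f"{t.isoformat()} client=10.0.0.77 user=zombie42 rcpts=10")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for user in flag_accounts(sample_log()):
        print(f"quarantine candidate: {user}")
```

The flagged list is a candidate for the quarantine subnet other posters describe, not an automatic disconnect; the threshold and window are the knobs that trade detection speed against the false positives raised elsewhere in this thread.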
I was concentrating on your last statement and forgot your comment about downloading the definitions....
Carpe Canem - Seize the Dog
You can't send a message with DHCP- that's a network assignment protocol. As in, you get your IP from them with that.
It would be even better to send them a "Net Send" but that's been disabled due to viruses and spam.
Frankly those users have ignored all the obvious aspects of being infected (100% cable light flashing) and have probably consumed more bandwidth than an army of teenagers downloading MP3s. That cable *should* be cut and I stand by my comments about desiring cable access being denied to them UNTIL they remove their virus.
Frankly, they AREN'T running a virus scanner because... obviously... the logs go on for days. Weeks. A few for months. So how exactly do you want to make them call in for more information? Why, you cut out their access. Very quickly they call in. If they don't, well, they weren't using the service and they will call in when they want to... at which point a qualified technician can 'walk them thru' downloading a virus scanner and installing it.
Because let's face it- if they are spamming the net with a virus that's been on their machine for months, a little DHCP message (hah) ain't gonna do nothing to stop them.
Now, if only other broadband ISPs would start policing their user base
TDC (Danish telco) started doing this and it really pisses me off! I mean my Linux machines will never get infected (I'm way too paranoid) yet they've blindly cut port 25 for all ADSLs! I have to use now their stupid mail relay with 10MB limit, tinfoil hat required etc.
I'm a little hazy on the details as it was a while ago, and I don't boot into windows that often these days, but they sent an email to my NTL email account asking me to install virus software, as they thought I may be infected. Which was nice of them!
I used to kick users off of the dial-up ISP I managed when I'd catch them running the Back Orifice client. I made a few kids cry. One of them said his mom was going to beat the crap out of him when she found out why their Internet service didn't work anymore.
If you're running Windows without a firewall or antivirus software on Comcast's network, getting the plug pulled on your access should be the least of your concerns. What you really deserve is a serious flogging.
So all of the sudden a music label can enter my home and search the place because I might have an illegal mp3 or I might have burned a CD for a friend. Wow! Is it me or does it seem like the government is a big fan of the book 1984? I don't understand why you have to use commandos armed to the teeth with army choppers to get a 12 year old to stop downloading Hilary Duff. I think that my rights on-line shouldn't be sold out for profit, and I shouldn't have to spend life in jail all because I sampled a CD.
let's not flame but instead celebrate our love of technology
from harming others, yes it is a good thing.
I hope you weren't trying to compare this to the RIAA version of policing; that would be ridiculous.
I want to drag this out as long as possible. Bring me my protractor.
Tell me about it. During the NIMDA virus hysteria, my ISP cut off my internet connection because it said I had the NIMDA virus. Since I was running Linux, that was impossible but it took weeks to settle the issue.
The real irony was that one of the support agents suggested that this whole mixup wouldn't have happened if I was just using a "normal" operating system like Windows or the Mac!
A problem is that spammers are nasty and if you're a geek you would do anything to stop them and so on. But what about people who trade copyrighted material? If you're an IP lawyer for the MPAA your position would be to ask Comcast to block internet access to those PCs (because morals aside, it's illegal in the US).
A major issue in spam is the credit card processing facilities. Actually Visa and MC have an immense power to stop spammers. They could simply block the processing of credit cards of companies engaging in spam. Amex did it for porn and no-one complained.
Ironclad Security only exists when you have Chuck Norris on the shift. Do we really have to discuss this? (Plutonite)
Those lousy, no good, ignorant users deserve to have their service cut off! How stupid do you have to be to get yourself infected with a spamming virus **AND** **THEN** not do anything about it?!?! Sending online greeting cards would be SOOOO much easier if I didn't have all these stupid popup ads and 350 pieces of spam in my inbox every day! Why I think they oughta take all these people and tie them up by their eX###vcrs and bludg))f*&893####89fjvnv0q3 )*((@)#@)RFF)
))(A*U+_FCI_)WGFU {@WFJ'w3Vs
*** NO CARRIER ***
[/feh, it's prolly already been done today, but I'm too lazy to cheX0r!]
"Lawyers are for sucks."
- Doug McKenzie
Other ISPs do this already under the guise of bandwidth abuse and acceptable use policy. If the traffic sent by spammers is high or there are complaints pointing back to a specific user they drop the connection until they call in to fix their connection.
The problem is explained and fixed or if it's virus-related they are pointed at a few good antivirus software titles. If the problem returns they get warned that it's happened before and the next time they will be turned off completely.
3 steps until they go entirely offline and it makes them aware that they are responsible for what goes on with their Internet connection. Even without their knowledge they could be exploited to hurt/bother others.
The internet has a lot of potentially damaging aspects to it for users who don't know anything about it. It's best if the companies try in some small way to educate the users on their system so that the problems are reduced not just punished. It would be difficult, for example, to explain to my mother that she's responsible for some bulk emailer who routes through Singapore, abusing her connection by spamming through it after she picked up a virus that turns her system into an open relay. It's the user's responsibility to control access to their systems, and the only way it can be controlled at the ISP level is if that's the way it remains.
"Quando Omni Flunkus Moritati" -- Red Green
Blocking the whole internet access won't help anyone.
Much better would be to block all besides HTTP and redirect all HTTP accesses to an ISP information page that informs about viruses and offers downloadable virus scanners and OS updates.
Don't punish - Help!
Nice to see some companies caring about their customers by notifying them there's a problem. I wish Sprint/Earthlink was as good as Comcast in the customer service, hell the one tech guy who came out to work on our line even recommended Comcast over his company. oO
Here's a little story about Sprint/Earthlink you may all enjoy. Last year at around February. They got a hold of my home and said that DSL was available. We signed up and they called a month later saying the 1.5 DSL was available so we signed up for that.
Well for 7 months we had no problems. Everything worked perfectly. Then they decided that individual computers at a home must now go through a router and switched the system over to that. This caused regular disconnects at my house because they neglected to send us any notification of the service change.
After the router was installed and we went through it, we still got regular disconnects from the service. After about 3 months, 3 Sprint technicians, and 1 Earthlink technician.
Finally the conclusion was reached that the 1.5 DSL was the problem cause we were about 24,000 feet from the office or just outside the bubble. And we could only get the lower speed. Which doesn't explain why it worked for 7 months w/out a hitch before their connection policy change.
We asked if it was possible to be switched to a closer office, they said there was one closer but it wasn't ready to handle connections. We asked if they could notify us of when it will be ready so we can switch and have better service. The technician said they wouldn't and no reason was given.
At this point you're probably wondering why we didn't switch to Comcast. Well they neglected to send us a bill for about 3 months and repeated calls were getting nowhere so switching was on hold. A carrier pigeon would have been more of an option.
Finally in February another Sprint technician came out. This guy knew exactly what he was doing and said that the office closer to us was ready to take connections after he heard our story. He hooked us right up to the closer office that's only 10,000ft away and we've been picture perfect since. I'd like to thank that fellow, but I didn't get his name cause I was at work when he stopped out.
Anyway, it's fellows like that and the ones that take the time to call people about problems that should get the good pay checks. Not the idiots who couldn't care less and leave you hanging.
Sorry for the long winded story. But seeing this article made me think of what happened to me and especially of that one tech guy recommending Comcast over their company.
~~ Behold the flying cow with a rail gun! ~~
The University of Texas has been filtering infected systems at the border routers for over a year now. It helps immeasurably.
The best filter is to eliminate Windows. Install Linux. Better yet, swap that silly Dell for a Mac!
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
The one I used to work for did this sort of thing all the time. It's nice to see the rest of the world is trying to catch up to the little guys.
In our case though we'd contact the customer first (if possible) and try to get it resolved before shutting them down. For a BIG company I guess this is at least a start.
Like I'd trust tools from Cox. When those idiots took over from Excite@home, they sent everyone a crappy win32 CD that rooted your machine with remote access tools and other spyware, ostensibly to help their customers fix their broken PCs. It did not work, of course, because it simply introduced a new hole to exploit. The customer is better off at the local computer store where there's someone who has experience using the tools and is not interested in your surfing and TV watching habits.
Anti-virus tools for Windoze only go so far anyway. When a machine is rooted, the only answer is wipe and reload. It's impossible for anti-virus people to keep up with the worm writers and all the places they hide crap in the registry. A real solution is to simply move people to free software.
Friends don't help friends install M$ junk.
Unlike the insane suggestion that would say it was ok for an ISP to come in and make changes in my equipment.
But to cut off an offending user, that is ok to do....
---- Booth was a patriot ----
2 days ago a friend sent me a link to some SCO page (for comic value, nothing is actually useful in there); the moment I hit go on my browser, my connection dies and the red LED on the modem goes on (indicates a disconnection). I never thought that my ISP would actually drop the connection of anyone who requests anything from SCO.com.
;)
if you are a sympatico.ca subscriber, try it
ciao
Won't somebody please think of the Karma!
An ISP could set up a captive portal (like on WLANs) with information and pointers to AV software updates. Either all traffic is relayed through a proxy, or only packets to AV sites are allowed.
But false positives are the problem, of course. Once you get confirmed spam, virus or worm traffic, though, you can be quite sure.
It's your responsibility to take care of your own computer. You think the cops should pull you over when your car is billowing smoke and offer to fix it for FREE for you?
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
This may sound like flamebait, but I don't allow Windows boxen on my network, period. While I'm not an ISP, I do do some limited hosting, provide e-mail services etc. Quite simply, if you have a Windows box, you're not coming in. No-one's been spamming through my network, and nor are there any "0wnz0red" boxen connected to it.
Bob
Listen to my latest album here
The ISP I work for (Adelphia, thus Anon :) ) is working on a way to handle customers like these.
-First, the customer is identified, then placed into a 'walled zone'.
-This walled zone will route/allow the cable modem to go only to one specific location, a certain web page in this case.
-Said web page will include downloads for virus fixes and such. Customer goes there, downloads, and cleans up his computer.
-When it has been verified that the customer has gone there and cleaned up, they check his system, then reactivate his account.
To me it seems like a pretty nifty way of stopping virus spreading while keeping the customer informed of what's going on.
If you have a Comcast account, sign into comcast.net and you can download McAfee free (only for 1 year, but it is there).
That's all well and good, but . . .
I work for one of the largest meta-ISPs. To put things simply, my employer operates the back end of a few hundred internet services. Said employer shall remain nameless, and no, my email address does not reflect said employer.
Anyway. I'm a graveyard shift network operator. There isn't a whole lot to do on the graveyard shift except make sure nothing bursts into flames. So I'm pretty bored until about 5am when our authentication logs get rolled into the database.
And this is when I can go through all the complaints about spam, viruses, port scans, and whatever else our teeming masses of end users have perpetrated, and figure out exactly whose computer is doing what. And then shut 'em off.
I agree completely that it would be great if there were some way i could efficiently get the end user to disinfect or secure their systems without having to resort to strong-arm tactics, but the truth is that, for 99.99999% of home users, disabling their supply of email and porn is the only way we can get them to sit up and pay attention.
Think about it. If you got some popup on your screen that said you have a virus and your internet connection is at risk, you'd just close it and go about your business. Unless your connection didn't work, and then you'd call customer service and try and get it 'fixed'.
Heck, most people get popups that tell them that sort of thing all the time.
Would a smart person trust that the 'free' antivirus tools are indeed what they claim to be without some way of independently verifying that? I sure wouldn't.
Would an *average* end user be able to use them effectively? That joke isn't even funny. I did my time in tech support - the sheer number of people who have asked me what a comma is while I'm trying to help them disable call waiting on their phone line are shadowed only by the monumental stupidity of the woman who was overheard - on several calls - shouting at her husband - over and over - "IT'S THE A IN THE CIRCLE! THE *A* IN THE *CIRCLE*!!!". It would be funnier if it didn't make one lose all faith in the future of humanity.
Furthermore, have you considered the liability issues here? You want a corporation to tell a user to run a program that purports to remove a virus from their system? A FREE program? What happens when it runs across some new variant of some virus, thinks it's the old variant, does the wrong thing to remove it, and ends up rendering the whole system inoperable? I'll tell you what, some arm-chair attorney is going to threaten legal action. You have no idea how frequently this really happens. Even if you so much as recommend third party software.
So we cut 'em off. Just to force them to call us. And then we tell them, essentially, "Look, buddy. Your computer has this problem. And your computer's problem is our problem. And that makes it your problem. We don't care what you do to solve this problem, but you better do it. We suggest antivirus software as a first step. We hear that you can get a free version of something called AVG."
And then, if they seem to understand, we turn their connection back on, so that they can update their norton or download avg or whatever.
And every week, there's two or three end users who get their accounts totally closed because we've been over this with them three times already and they haven't managed to get the picture.
I wish there were a kinder, gentler way to do it. So far, I don't think there is.
This is just like television, only you can see much further.
Instead of cutting off net access entirely, why not provide a means to actually fix the problem instead of alienating their customers?
Why not (say) decrease the DHCP lease time from whatever to an hour or so. When whatever mechanism they're using to detect spam/whatever infection (hope to God they're not just listening for SMTP traffic; that'd be evil, but sadly likely) goes off, it would tell the cable modem to use a different config, which would then allow the user to get a different DHCP lease. This lease would set their router to something different, which would then pipe a single page to the user, similar to what many universities install for when users try and access pr0n or something like that from a school computer.
Some mechanism (I'm not familiar with routing protocols, unfortunately) would then be provided to drop all traffic at the router except for HTTP traffic through a specific gateway, possibly to specific hosts such as McAfee, Symantec, windowsupdate.microsoft.com, and the various other free virus and malware scanning packages.
This is a bit more complex, but surely it's possible - I've seen and/or read about all the various mechanisms I mentioned above.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Am I the only one who thinks a particular port should be blocked off from inter-ISP and inter-client access and used exclusively for ISP -> client and client -> ISP communications? Add support to new operating systems and provide a patch to all old OSes. It would have to be intrusive enough that a user would not ignore it, and somewhat persistent in case a message was received right before a system crash on the client side. It would allow ISPs to securely communicate with clients/customers and allow people to not be "in the dark" about scheduled network downtime even if they never check their ISP email address, somewhat like a MOTD for the ISP. If killing access to a port is unacceptable, then perhaps set up a newly installed protocol for this exclusive purpose.
Snowden and Manning are heroes.
I administer a large DSL/dialup userbase and I monitor upstream bandwidth as much as I can. If I notice a DSL customer that has 100% of their upstream bandwidth used, I usually check the traffic to see if it's email. I will notify the customer and give them a day or two to rectify the problem. If the problem is not fixed within 48 hours I will disable that PVC, which will effectively drop sync from the user's modem. When the customer comes home, they are now forced to fix the problem. I try to explain to them as politely as possible that they are contributing to the junk mail problem that they are always complaining about and that we had to disable their connection to prevent this. Most people understand, and the lack of internet connection gives them the initiative to get up and go purchase some AV software and to run Spybot or some similar program. They phone back once their computer is clean and I turn the circuit back on.
You create your own reality - Leave mine to me.
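The procedure in the post above (watch upstream utilization, check whether the saturating traffic is mail, notify, wait 48 hours, then drop the PVC) as an added example in Python. This is not the poster's tooling; the flow records, plan rates, polling window and thresholds are all constructed for the demo.

```python
"""Upstream-saturation triage for a DSL/dialup pool (added example).

Given per-customer upstream byte totals for one polling window, flag
subscribers who are pinning their provisioned upstream rate and separate
"most of it is port 25" (spam zombie) from a legitimate bulk upload.
GracePeriod models "notify, wait 48h, disable only if it is still going on".
All figures below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    customer: str
    dst_port: int
    bytes_out: int          # bytes sent upstream during the window


@dataclass(frozen=True)
class Verdict:
    utilization: float      # fraction of provisioned upstream used
    smtp_share: float       # fraction of upstream bytes aimed at port 25
    verdict: str            # "ok", "saturated_not_mail" or "spam_suspect"


def triage(flows, plans_bps, window_seconds, util_threshold=0.95, smtp_threshold=0.5):
    """plans_bps: customer -> provisioned upstream rate in bits per second."""
    total = defaultdict(int)
    smtp = defaultdict(int)
    for f in flows:
        total[f.customer] += f.bytes_out
        if f.dst_port == 25:
            smtp[f.customer] += f.bytes_out
    report = {}
    for customer, rate in plans_bps.items():
        capacity_bytes = rate * window_seconds / 8
        util = total[customer] / capacity_bytes
        share = smtp[customer] / total[customer] if total[customer] else 0.0
        if util < util_threshold:
            verdict = "ok"
        elif share >= smtp_threshold:
            verdict = "spam_suspect"
        else:
            verdict = "saturated_not_mail"   # a big upload, not an abuse case
        report[customer] = Verdict(util, share, verdict)
    return report


class GracePeriod:
    """Notify first; disable only if the abuse persists past the grace window."""

    def __init__(self, hours=48):
        self.window = timedelta(hours=hours)
        self.notified = {}      # customer -> time of first notice

    def notify(self, customer, now):
        self.notified.setdefault(customer, now)

    def should_disable(self, customer, now, still_abusing):
        if not still_abusing or customer not in self.notified:
            return False
        return now - self.notified[customer] >= self.window

    def restore(self, customer):
        """Customer called back with a clean machine: clear the record."""
        self.notified.pop(customer, None)


# Constructed 5-minute polling window and three imaginary subscribers.
WINDOW_SECONDS = 300
PLANS_BPS = {"dsl-0001": 256_000, "dsl-0002": 128_000, "dsl-0003": 256_000}
SAMPLE_FLOWS = [
    Flow("dsl-0001", 25, 9_000_000),     # near line rate, almost all SMTP
    Flow("dsl-0001", 80, 500_000),
    Flow("dsl-0002", 443, 400_000),      # normal browsing
    Flow("dsl-0003", 6881, 9_400_000),   # saturated, but it is a bulk upload
]

if __name__ == "__main__":
    for c, v in triage(SAMPLE_FLOWS, PLANS_BPS, WINDOW_SECONDS).items():
        print(f"{c}: util={v.utilization:.2f} smtp={v.smtp_share:.2f} -> {v.verdict}")
```

The SMTP-share check is what keeps a saturated-but-legitimate upload (dsl-0003) from being treated as a zombie; the grace tracker is deliberately separate from detection so the disable decision can be re-evaluated against fresh flow data rather than the original alert.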
The parallel I see here is when my credit card company cuts off my card because they suspect it may be being used by others. I like this even if I have to call them when at a computer show racking up component purchases. A little inconvenience is acceptable, especially when shutting down infected PCs helps everyone else on the network.
Sooner or later, mail admins, the target will be you. Today, it's the "clueless" home user. Tomorrow, it will be the clueless admin at a small company. In the end it will be everyone but AOL/M$N/McDisneyNet.
All praise for Comcast. Comcast's actions will make blocking their clients redundant. This makes it so you won't, in the future, need a license to send email. As a cable subscriber, I want the ability to send my own mail, encrypted, by direct connection, just like IM can, thank you.
Doing things the other way fragments the net and sets up 99% of the world's "mail admins" for being fired because their company lost its license to email.
Friends don't help friends install M$ junk.
When an employee's home machine was infected with one of the recent viruses, Time Warner (roadrunner) eventually shut down his service - to the tune of 'blinking connect light'. Made it terribly difficult to download new virus definitions. At least they're still willing to turn it back on if you tell them why.
Linux: Free if your time is worthless.
STFU about free software you GNU/fag!
You ask why we don't like bandwidth limits and like automatically triggered cut-offs, as if the two were equal. I don't mind bandwidth limits as long as they are clear, since you pay for your usage; if you use more, you pay. You're generally not pestering other people when you use more, and the burden falls on you as well.
With cut offs it is different. An infected machine is a pain to the entire internet community except (often) the person whose machine got infected. If such a machine gets blocked from the internet, the community benefits and the burden is returned to the owner of the machine. It is all about who carries the burden of the unprotected machine.
Now I do have some experience in working with cut-offs, since I helped run a campus network when I was a student. Abusers of the network, be they bandwidth hoggers or unprotected systems, could get kicked off the network if they didn't update their behaviour. It had in general a good effect on the behaviour of people.
When you do a cut-off I would love to see a proper implementation of it. That would mean that a person's connection is not cut off outright, but that only certain services will be available, for instance on a private, non-routable subnet. In this way the luser can get the updates necessary, will be automagically guided through the right steps, and then once a scan is done of the system released onto the wild internet again. This doesn't require much human assistance.
As a side note I would also like to mention that I wouldn't mind filtering of users connections for instance on port 25 as long as the user him/herself can disable that feature too... It would be like the speedlimiter on cars which limit them to 250km/h. You can remove it and go faster, but for most people 250 is good enough.
Use Adsense for Charity
I'm one of the sysadmins for a company with a large number of remote employees. Recently, one called me saying Comcast told them they had a trojan. Well, I couldn't fly out to look at the laptop and the employee couldn't exactly just send the computer and work from nothing. I had this person seek local help, and after several attempts Comcast still shut down internet service.
I understand that techies across the world think this is super-fantabulous, but this is horrendous for the average end-user. Comcast doesn't (I will refrain from saying can't or won't) say what a user's system is infected with, or what exactly it's doing...just that there's some "illicit traffic" coming from that IP. That's great, now how am I supposed to diagnose the problem? It wouldn't be that difficult if the machine were in front of me, but how do I walk Mary End User through complicated tasks over the phone while she's already frustrated? If Comcast were doing more - i.e. they told you what the problem was and the steps you can take to remedy it - I would be more supportive of this. As it stands, it's just going to make a lot of end-users get cheated by shady local PC repair places while they get the run-around from fifteen different vendors. Make jokes about virus scans all you want, but nothing is fool-proof...and since any fool is equipped with a computer these days, infections will happen and malicious attacks will succeed. So +1 to Comcast for taking some initiative, and -2 for crappy execution and not giving half as much of a flying foo as they'd leave their customers to believe.
This is a very bad idea! The best source for antivirus and spyware-removal software is on the internet. To me, it looks like they're burying the problem instead of fixing it.
Now, here's my humble suggestion for a better solution. If a PC is identified as a compromised machine, it's added to a pool of machines that all get a special IP and special DNS servers (I assume they run DHCP - if they don't they should). Now, the new DNS servers resolve all addresses to a special page dedicated to downloading anti-spyware and virus checkers. Maybe even an online scanner like HouseCall. So, when Joe Luser fires up his web browser, he reaches this page no matter what he types. Once his machine is cleaned, he will be removed from the compromised pool.
Underholdning.info
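Several posts in this thread describe the same mechanism from different angles: the captive-portal post, the Adelphia "walled zone", the short-DHCP-lease redirect idea, the "private, non-routable subnet" suggestion, and the special-DNS-pool suggestion just above. Here is that mechanism as one added example in Python; it is not any poster's or ISP's code. The portal and resolver addresses, the stand-in upstream DNS table, and the allowlist (windowsupdate.microsoft.com from the DHCP post, plus www.grisoft.com assumed from the AVG mentions earlier) are all constructed assumptions.

```python
"""Walled-garden quarantine for an infected-subscriber pool (added example).

Two controls are applied to every quarantined address:
  1. DNS: every name resolves to the remediation portal, except an allowlist
     of update/AV sites that resolve normally.
  2. Packet filter: only DNS to the ISP resolver and HTTP/HTTPS to the portal
     or allowlisted hosts pass; everything else, SMTP included, is dropped, so
     the zombie stops spamming while the customer is being walked through it.
Addresses and the upstream DNS table are constructed (RFC 5737 ranges).
"""
from dataclasses import dataclass, field

ALLOW, DROP = "ALLOW", "DROP"


@dataclass
class WalledGarden:
    portal_ip: str                 # the one page a quarantined modem may reach
    resolver_ip: str               # DNS server handed to the pool via DHCP
    upstream_dns: dict             # name -> IP; stands in for real recursion
    allowed_names: set             # remediation sites reachable from quarantine
    quarantined: set = field(default_factory=set)

    def quarantine(self, client_ip: str) -> None:
        self.quarantined.add(client_ip)

    def resolve(self, client_ip: str, name: str):
        """Answer a DNS query from client_ip (None means NXDOMAIN)."""
        name = name.rstrip(".").lower()
        real = self.upstream_dns.get(name)
        if client_ip not in self.quarantined or name in self.allowed_names:
            return real
        return self.portal_ip      # every other name lands on the portal

    def _allowed_ips(self) -> set:
        ips = {self.upstream_dns[n] for n in self.allowed_names if n in self.upstream_dns}
        return ips | {self.portal_ip}

    def filter(self, src_ip: str, dst_ip: str, dst_port: int, proto: str) -> str:
        """Per-packet decision for traffic leaving the access network."""
        if src_ip not in self.quarantined:
            return ALLOW
        if proto == "udp" and dst_port == 53 and dst_ip == self.resolver_ip:
            return ALLOW           # must still be able to look names up
        if proto == "tcp" and dst_port in (80, 443) and dst_ip in self._allowed_ips():
            return ALLOW           # portal and vendor update sites only
        return DROP                # SMTP, IRC, P2P, scans: blocked

    def release(self, client_ip: str, scan_clean: bool) -> bool:
        """Return the modem to the open pool once a clean scan is confirmed."""
        if not scan_clean:
            return False
        self.quarantined.discard(client_ip)
        return True


def build_demo_garden() -> WalledGarden:
    """Constructed demo topology; every address here is made up."""
    return WalledGarden(
        portal_ip="203.0.113.1",
        resolver_ip="203.0.113.2",
        upstream_dns={
            "windowsupdate.microsoft.com": "203.0.113.10",
            "www.grisoft.com": "203.0.113.11",
            "www.example-bank.test": "198.51.100.20",
        },
        allowed_names={"windowsupdate.microsoft.com", "www.grisoft.com"},
    )


if __name__ == "__main__":
    g = build_demo_garden()
    g.quarantine("10.0.0.5")
    print(g.resolve("10.0.0.5", "www.example-bank.test"))   # portal IP
    print(g.filter("10.0.0.5", "198.51.100.99", 25, "tcp"))  # DROP
```

Note the order of the two controls: the DNS override alone is not enough, because a zombie that already knows its target addresses never asks the resolver; the packet filter is what actually stops the spam run, and the DNS trick only exists so that whatever the user types in a browser lands on the portal.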
Finally they're doing something about a problem which has been causing the rest of the 'net serious grief for months upon months as the great Spewcast botnet vomited forth v1agra spam upon the world.
Let's not forget these are *not* innocent users. They're morons who don't update their PCs or click unsolicited attachments with abandon.
I have a suggestion.
Write up a small business plan based around these knocked-off-the-network infected PCs.
You can charge "$50 + travel fees. Usually under $100" to clean their computer, and get them back online. Yeah. It's a fee, and many people won't be happy about paying it. But, at the same time, it'll teach them a lesson about security on their PC. If they don't want to pay it again, they'll have to do their own security stuff.
You see politics, I see opportunity.
The only real trick to this would be streamlining with comcast, which is next to impossible.
no
Seriously!
Several ISPs are blocking e-mail from Qwest, because Qwest leaves their mail servers wide-open for spammers.
Same here brother!!!
(Excessively long and sappy hug goes here)
And if you're unlucky the cable provider will shut him down because he's using a VPN to connect to your company..
Learn about pinball machines on www.flippers.be
I sent one here.
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
As an aside to my previous comment - you have to understand that most internet services don't own the whole path between you and the internet. They own a bunch of important pieces of it, but there's a lot of cooperation involved. There usually isn't a really effective way to proactively detect if a user's computer is pulling some crap or other online.
So we depend on complaints.
A lot of those - largely, the most effective of those - come through SpamCop and through a company called MyNetWatchman.
SpamCop isn't perfect, but it's effective when it works properly, and relatively innocuous when their header parsing is wrong. And yes, I've seen it be demonstrably wrong.
I am in no way affiliated with MyNetWatchman. I've never seen their product. I dunno how much it costs, if anything. All I know is, apparently, their product/service collects incident reports from end user systems running their software, traces them to the originating network, and notifies whoever is responsible for them. When they tell us that one of our dialup users has a computer spreading MyDoom, we pretty much believe them. It always lines up nicely with what we know about when our users were online and with what address. It's effective.
The MyNetWatchman concept is a good one - someone should come up with something free-as-in-freedom that does the same thing. Having a centralized clearinghouse for incident reports helps a lot.
Wouldn't that be great? Just let it parse through your firewall logs, run the data by you just in case you want to edit out some auditing you did for your own security, and then funnel it off to something like SpamCop to be aggregated.
Anyway, I'm done.
This is just like television, only you can see much further.
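The pipeline the post above wishes for (parse your firewall logs, drop the events from your own audits, aggregate the rest, trace each source to the responsible network, and on the receiving side line the report up with who was dialled in on that address at the time) as an added example in Python. This is not MyNetWatchman's or SpamCop's code, and the log lines, prefixes, abuse contacts and session records are all constructed.

```python
"""Firewall-log incident aggregation, the clearinghouse idea (added example).

Parses iptables-style kernel log lines, excludes sources you audited yourself,
aggregates per (source, destination port), and routes each source to the abuse
contact of the longest matching prefix. who_had_ip() is the receiving ISP's
side: correlate the reported address and time with the auth/RADIUS session log.
Every line, address, prefix, contact and session below is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2004):
    """Syslog lines carry no year; the caller supplies it (assumption)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def responsible_contact(ip, contacts):
    """Longest-prefix match of ip against {prefix: abuse address}."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, contact in contacts.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None


def build_reports(lines, contacts, own_audit_hosts):
    """contact -> [(src, dport, count, first_seen, last_seen), ...]."""
    buckets = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] in own_audit_hosts:
            continue                      # your own scans are not an incident
        key = (ev["src"], ev["dpt"])
        first, last, n = buckets.get(key, (ev["ts"], ev["ts"], 0))
        buckets[key] = (min(first, ev["ts"]), max(last, ev["ts"]), n + 1)
    reports = defaultdict(list)
    for (src, dpt), (first, last, n) in sorted(buckets.items()):
        contact = responsible_contact(src, contacts) or "unknown"
        reports[contact].append((src, dpt, n, first, last))
    return dict(reports)


def who_had_ip(sessions, ip, when):
    """sessions: (user, ip, start, end) from the auth logs; end=None if still on."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for user, sip, start, end in sessions:
        if sip == ip and start <= when and (end is None or when < end):
            return user
    return None


# Constructed sample data.
SAMPLE_LOG = """\
Mar  4 02:13:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3124 DPT=135 SYN
Mar  4 02:13:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3125 DPT=135 SYN
Mar  4 02:14:41 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3140 DPT=445 SYN
Mar  4 02:20:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.33 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4001 DPT=135 SYN
Mar  4 02:21:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.250 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=5000 DPT=22 SYN
Mar  4 02:22:00 fw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=1026 DPT=1434
""".splitlines()
ABUSE_CONTACTS = {
    "203.0.113.0/24": "abuse@bigcable.test",
    "203.0.113.0/28": "abuse@bigcable-business.test",   # more specific wins
    "198.51.100.0/24": "abuse@dialup-isp.test",
}
OWN_AUDIT_HOSTS = {"192.0.2.250"}            # our own scanner, filtered out
SESSIONS = [
    ("jsmith", "198.51.100.33", datetime(2004, 3, 4, 1, 30), datetime(2004, 3, 4, 3, 0)),
    ("mjones", "198.51.100.33", datetime(2004, 3, 4, 3, 0), None),
]

if __name__ == "__main__":
    for contact, items in build_reports(SAMPLE_LOG, ABUSE_CONTACTS, OWN_AUDIT_HOSTS).items():
        print(contact, items)
    print(who_had_ip(SESSIONS, "198.51.100.33", "2004-03-04T02:20:00"))
```

Two details matter in practice and are the reason the timestamps are carried through: a dialup address is reassigned constantly, so a report without first/last-seen times cannot be matched to a session, and the session boundary check uses a half-open interval so the user logging in at the exact second another logs out is attributed correctly.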
this last round of worms came in an email that pretty much said exactly that.
"Hi, I'm the admin from [YourISP]. We think you have a virus. Please run the attached program, and blah blah blah."
The next round will have something like "Please type in [EvilURL].com and run the 'virus remover' you see there."
How is Joe Averages' Grandma supposed to tell the difference?
Apparently someone trusts their ISP a great deal if they're going to let them govern your internet connection!
Personally I find the concept quite troublesome - as someone above pointed out, where are they going to stop? Turn off all ports below 1024 because they're "not needed"? Just give me a connection, and let me do with it what I please! Even if this means being a spam-bot, I don't care - it's not the ISP's place to say how I use my bandwidth.
and kill you if your connection is used more than 30% more than your neighbors..
Or
Immediately break your connection when you view porn, right wing web pages (or left wing, as case may be) or anything related to Martha Stewart
Or
Notify the FBI whenever you check out The Catcher in the Rye... (wait, they already do that)
Point: do you really want your ISP to "police" your connection?
Just look at some ISP's EULA and service agreements and whatnot.
A large number of them have started putting in a (rather brief and fuzzy) comment about things that can get you cut off (short of not paying your bills).
Many of them are starting to include references to 'unauthorized use of account' in such a way that would most easily be pointed at trojans and backdoors and other such nasties.
Now comes the funny part:
These are the same ISPs who no longer bundle browsers with their products on a CD. How many times have I run across people who have become infected by these nasties due to IE and Outlook? I've lost count!
Never mind the fact none of them have any virus protection whatsoever. (And the mail servers for their provider don't even filter the bugs out, either.)
Truth of the matter is, users who end up getting cut off because they are too lazy, stupid, or completely without clue would benefit from having a CD filled with safer software.
I personally can't hand out copies of Mozilla or Thunderbird fast enough. Every time I get calls from a user about viruses, it's the same routine. VNC in, fix and upgrade, install Moz, remove IE/Outlook shortcuts (all with the user's permission).
Most of them are more than happy once they see that 'those other browsers' are no harder to use than the one they already know.
Cutting access, granted, is half the fix, not all of it. ISPs need to make a little more effort in protecting their users. And why not? Plenty of NICE and FREE alternatives out there they could hand out!
Now, I would go and edit this post a few more times, but I'm going to go watch ClamAV eat virus mails for breakfast. (Yummy!)
My new top secret key -> C>N|KB
DSLnet has done this to us in the past. We've got a bunch of static IPs with our dsl account. They informed us of the problematic IP and told us they would disable just that IP (not the entire modem) until we informed them that the PC on that IP was cleaned. Considering we have a bunch of non-firewalled boxes on the net through this modem, I was grateful they didn't shut the whole modem off. They even told me what port they detected a problem on and what virus was associated with that port.
"I forgot my mantra."
I've been begging for Charter to do this too. We get thousands of attacks a week because too many nimrods are infected with everything from Code Red to MyDoom. It is not the ISP's responsibility to inform you that your machine is fubar; it's called personal responsibility!
The analogy I use to explain this to EUs is: Would you drive a car without knowing what type of fuel it takes? Where the pedals are? If it's an automatic or a manual? Then why would you use a computer without at least the most basic knowledge like antivirus software, or knowing NOT to open unknown attachments, or doing something so simple as running Windoze Update a couple of times a month?!
You don't leave your front door wide open when you go on vacation, so don't leave your computer bent over and grabbing it's ankles in the prison shower!
You know that looks exactly like a spam mail I get every now and again. It usually leads to a site bristling with trojans. Jos
'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'
"I couldn't fly out to look at the laptop and the employee couldn't exactly just send the computer and work from nothing. I had this person seek local help, and after several attempts Comcast still shut down internet service....this is horrendous for the average end-user." What's horrendous for the end user you speak of is not that Comcast acted responsibly by cutting off a spam zombie's access, but that your IT department has not provided adequate support for remote users.
My other machine is a lever.
Nothing like having all the ISPs think it's OK to monitor every packet you send. It's like TIA in the name of virus prevention.
Comcast is, hands down, the largest spam source of the Internet with approximately 640 million messages every day. Personally, 25% of the spam I receive comes from the Comcast network. Of course, users are unaware that the latest virus has turned their computer into an open proxy sending millions of messages every day. I hope other major ISPs such as Road Runner (180 million), AT&T (150 million), and AOL (140 million) follow suit, and disconnect open proxies and zombies when they are found.
> Recently, one called me saying Comcast told them they had a trojan. ... and a bit further on ...
> Comcast doesn't (I will refrain from saying can't or won't) say what a user's system is infected with, or what exactly it's doing...just that there's some "illicit traffic" coming from that IP.
It might be me, but it seems you are contradicting yourself here.
Maybe they are not saying what trojan it is infected with; could be.
The fact of the matter is, however, that if Comcast's cutting of the connection affected your business in this specific case, you have a huge problem. Why? Because you were obviously intending to let this user work with a trojaned PC. Have you any clue whatsoever what that means?
No, if you had a business user there on the other end, Comcast may actually have saved you from a breach of the security and integrity of your company, and possible liability for damage done by this infected PC.
That said, of course it is possible to do this a lot better than Comcast does.
Now, if only other broadband ISPs would start policing their user base ...
Score: -1, Troll
SpamNet - a spam blocker that really works
It's the screams of 10,000 Banzai Buddy fans wondering why their downloads of Southpark Divx's were suddenly cut off.
Don't park drunk, accidents cause people.
It would be very simple for [insert ISP here] to simply block outbound SMTP in their DSL pool from their core routers, except to their designated mail server IP(s). Then, if a user required outbound SMTP (like a business), they would simply need to ask for it, having met certain requirements set by the ISP, including that the port will be terminated upon location of an open relay.
I work in the Network Operations Center for an ISP in the Midwest. Trying to police these types of things isn't nearly as easy as you would think. We are considered a "mid-sized" ISP with around 15,000 customers. Unless we happen to notice an increase in traffic from one of the customers, it's not easy to catch when a user's PC is infected with one of these worms. With the increasing amount of spam out there, and the fact that the average internet user can't figure out how to dig through the headers to find out for sure where an email originated, we just don't hear about our users "spamming". When a case is brought to our attention, either through a complaint or by us noticing the increased mail traffic from a user, we immediately take action to get the problem resolved. However, even with a properly documented abuse address, we just don't get feedback. There have been at least three different occasions when the first feedback we had that one of our users was "spamming" was when another ISP blocked mail coming from our IPs. We can't track the infected users down if we don't know about them...
To err is human, but to really foul things up requires a computer
I get scanned from hosts within Cox's IP block all the time, and it's often the same IP doing it.
I sent cox an Email about it (I have their business service) and never received a reply.
So no, it's not just you... incidentally, their phone support folks have been pretty reasonable when I've talked with them. They even knew what Linux was... and they ceased to ask me the entry-level support tree questions when I began reading them the logs from Snort and tcpdump.
They're not all clueless... dunno, maybe I got the only good one.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
same situation with a neighbor... I cleaned Mydoom, Netsky, and Beagle (the J variant) out of his computer... his computer was slower and more unstable than usual, so he asked me to look at it for him (it's a win98 box... 'nuff said).
I've already set them up with a good firewall... controlling what they do with their Email attachments is a bit more problematic.
I support cutting off accounts for abuse, whether intentional or simply clueless/negligent. Hell, I'd be delighted if somebody warned me that something was up with my connection, for a couple of reasons. One: I have more than a passing interest in net security, so if my box just got pwned, I want to know about it, including how they did it. Two: I try to be a good netizen, and just like I'd expect one of my neighbors to call me if he noticed my house was on fire, I'd hope somebody would tell me if I was polluting the 'net.
This is comcast doing the user and their fellows a favor.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
I definitely disagree with spam, but if an ISP can cut an account for that, then couldn't they cut an account for a virus that creates spam? Then, couldn't they also cut an account for piracy? Then, couldn't they cut an account for anything else they want?
Just a thought.
JJ
But the 55 megs of web space they give you is broken -- it doesn't interpret PHP, and execution of CGI scripts is disabled. Yes, even if you try using a .htaccess file to turn it back on -- they have put AllowOverride none in their httpd.conf. Oh, and their DHCP server goes T.U. at inconvenient times. And the modem is combined in with my CATV receiver {they put the ADSL over the TV cable} so unplugging it to get my channel guide back messes up the internet.
That being said, I have kept the same IP address long enough to dare to register a domain name to point at it {though not the MX, which is set to a different ISP's POP3 server; I don't mind losing inbound web/ftp for 48 hours while the changes propagate through DNS, but not my e-mail}. And I suppose I should be grateful that they follow vaguely-RFC-compliant standards, unlike some ISPs who only provide software for Windows. Still, if they annoy me one more time, I'm going to go with Andrews and Arnold and get a /29 to myself.
Hear, hear. When we have users with serious laptop problems they just FedEx it in same or next day. The problem gets fixed and it's sent back to them, again same or next day. Time without laptop is usually 3 days, basically a long weekend.
Anyone that has allowed their PC to get infected will just have to live without it for a couple days or walk through all the steps over the phone.
I submitted a story on this last week, but it was rejected (as an aside, it would be really nice to know WHY articles are rejected by the staff, so if it's something as stupid as poor spelling, it could be corrected). RoadRunner is offering free firewall/AV software to all its customers. Not a perfect solution, but a nice start.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
My computer has never *once* been infected or set up to relay mail, but they suspended my account yesterday because I simply had a few ports open that they considered a violation of their acceptable use policy. I think they were particularly focused on port 81 being open. I've run a web server on port 81 for almost 3 years as a Cox subscriber and it's never been a problem.
They refused to re-activate my service until they were able to do a full port scan on my computer while I was on the phone with them and saw that all of my ports were closed. I checked my firewall logs and sure enough, they've been hitting my system multiple times a day scanning ports like crazy.
I think it's pretty retarded if you ask me. If they seriously don't want "servers" on their @home network, then they could simply block all incoming port requests - such as they've been doing on port 80 for 2 years now.
But nooooo, apparently they're requiring that I...the customer, block the ports myself, and if I don't, BAM - no more service for you. All I know is I'm paying $140 a month to those bastards, they should give me a little more respect.
Comcast is actually playing catch-up right now. Charter Communications has been doing this since last November.
-- 4 8 15 16 23 42
The government/ISP provides the roads/pipe; they don't provide car/PC maintenance. On the other hand, the government (through the police) / ISP (through detection software) tells me to fix my car/PC. They can and will suspend my ability to use my vehicle/PC, even though I pay my taxes/fees.
Without ANY sarcasm - this IS a GOOD THING.
Clear enough?
This has been company policy for Cablevision's Optimum Online for quite some time. Back when I was working tech support for them we'd get calls from users who lost their internet access for one reason or another. Upon opening their case files we'd find out the reason, and every once in a while the reason was 'virus'. This meant automatic elevation to second level support. We'd get off with the user, send email to second level, and they would then call them back, reactivate their service and then work with them to get rid of the anti-virus. Note: They only did this for worm-based viruses that had easy removal tools from Symantec.
I have often regretted my speech, never my silence.
-Xenocrates
No, this can't be done. DHCP doesn't issue messages like that, and it's impossible to guess in advance what tools or sites the customer will need access to to fix their machine. And rebuilding the router/filter tables to provide such restricted access is an administrative nightmare, prone to failure.
They're already blocking the popular virus ports, and they do email and call the customer before cutting them off, giving them plenty of time (days!) to get their system fixed.
The customers are *thrilled* with this, over all.
It seems to me that a substantial solution to the zombie problem on "home" machines would be for ISPs to limit the number of e-mails a user can send per day (counting all addressed recipients). For upwards of 95% of customers a limit of, say, 25 or 50 would never be noticed unless they were infected. If they were infected, they would almost always be unable to mail, and would quickly address the problem. Customers who hit their limit could easily be identified by the ISP for special help in dealing with their problems. (Even better, provide a "fuzzy" limit, where customers can go over it somewhat, on occasion, but not regularly.) For people who need more, they would just call the helldesk and get their limit raised - at least up to a certain value, there should be no charge for more (although that would be the ISP's business decision). The limit isn't intended to restrict usage, it is just meant to serve as a simple check that the machines are behaving normally. It would also make the zombie concept nearly useless - the number of spams an infected machine could send, and the amount of time it would remain infected, would both be so low as to not be worth the effort. This would also stop a lot of other spammers' abuses of ISP accounts. This can be implemented locally by ISPs without affecting mail protocols, and with almost no impact on their customers or anyone else.
A few weeks ago, I got a warning from RR saying "you are doing a DDOS attack and are probably infected with a trojan"
Considering a) I'm running Linux and b) I do forensics on trojans at work, I'm not going to be infected.
I checked my wife's box which was Windows at the time, and it was clean. I checked mine and it was clean.
A little more digging and the "attack" comes down to SpamAssassin. Anyone who was running SpamAssassin or MailWasher got these warnings because RR couldn't manage their freaking DNS servers correctly.
I for one do not want to get cut off because of the incompetence of the ISP.
Screw stupid users. There is a perfectly excellent free antivirus solution on the net, it's Trend Micro's Housecall.
And of course, there are the favorites, McAfee and Symantec, but although it appears that these stupid people would be too stupid to update their definitions, and wouldn't benefit from McAfee and Symantec without those updates (in fact, these stupid stupid people would probably feel a false sense of security). Therefore, a once a month check at Trend Micro would be better than these solutions because they don't have to check the virus definition dates, update it themselves, etc.
And of course, these stupid stupid people should stop opening up mail from unknown senders, should stop trusting Microsoft and should buy a goddamn router!
Trend Micro Housecall: $Free, Linksys Router: $50, not pissing off every technically competent person they bring their stupid problems to: $Priceless
How are they notifying their customers that they are infected? I hope it's not by email since a lot of the newer worms masquerade as legitimate admin messages.
(S(SKK)(SKK))(S(SKK)(SKK))
Speakeasy has been doing this for years. Now, if only other broadband users would get a real ISP and a real OS.
Now, if only other broadband ISPs would start policing their user base
Catch me where I err, But is it really a good thing when ISPs go around watching what you do? Don't make me put on my tin-foil hat. I'd rather use a spam-filter or an anti-virus program than know that my packets are being monitored for anything short of an FBI subpoena.
Honestly, you're an ISP and some of your customers are filling your pipe with spam from some script kiddie and you're getting complaints. What do you do? Kill the hostages? They'll just find more helplessly stupid broadband users. All you're doing is kicking off legal customers and outright telling the rest of your customers that you are monitoring them.
The problem here is that Comcast is shutting down people's connections with no recourse to find out why or to re-enable it.
I received an email and an automated phone call from Comcast stating that I had an infected computer and I must clean it up. I was immediately pleased that they noticed, but frustrated that I could be infected. 5 PCs with varying OSs, all with firewalls and/or antivirus software, so I thought it was unlikely but possible. After doing a full scan I found no viruses.
So I called Comcast's 800 number. They said I need to call a different long-distance number. That number is an automated system with nothing but dead ends. If I select the option about "Viruses and spam emails" then it tells me to email abuse at comcast.net if I get a bad email. But I don't want to report a spam, I received a report. All the options did approximately the same thing: Told me something I already know then hung up. Several calls later, I used the "leave a message" option. A week goes by and I received no call back. I replied to the email but received no response. Nobody on the service number would talk to me about it.
So I receive another email telling me that my service may be disabled if I don't fix the problem. So what do I do now?
To top it off, this isn't the first time. About 8 months ago, Comcast called and told me I was reported for sending spam. When they read me part of the SpamCop report (which they refused to do many times) it turned out to be a SpamCop report that my roommate made! We _reported_ the spam, we didn't _send_ it! After much arguing, the guy finally got it and left us alone. Mistakes happen, but what irks me the most is that they wanted to tell me I sent a spam, and make sure I corrected my behavior, but refused to tell me the source of the report, or what the email was, or when it was sent, or anything!
Below is the email Comcast sent me. It looks like a form email, with no specific statement about what went wrong.
no, my email address does not reflect said employer.
True, but a WHOIS on your domain identifies an ISP. Of course, there is no way of knowing if this is who you work for.
Would a smart person trust that the 'free' antivirus tools are indeed what they claim to be without some way of independently verifying that? I sure wouldn't.
Good question. Here's one for you: Would a smart person trust a corporation whose raison d'etre is profit, and whose profits depend on a steady stream of new viruses making it into the public domain? How exactly do you know that Symantec doesn't have a department, or secret links to one, that does what is necessary to ensure continued profit?
Your approach sounds good though. If you just popup a message, it will be ignored. A previous poster suggested redirecting people to a sandbox where they could only download virus killers, and otherwise do no harm - is that approach feasible?
I want to start by saying what Comcast has done is great. However, I think in doing something like this, they also have a responsibility to their users. Their service should include access to free spyware, spamware and antivirus software. Technicians should install the software when they install the modem/service. The software should auto-update and also be available for download to existing users.
You can't assume everyone understands computers. Offer a way to help everyone.
If they FAIL to block a user? And said user infects, oh, I dunno, the Homeland Security Dept. or so?
Just wondering...
"/Dread"
So what you are saying is that you have a lot of remote employees you can't support effectively. This goes largely unnoticed because the lack of support hasn't resulted in complete work stoppage before.
If "several attempts" at local help failed, it sounds like enough time passed before the connection was cut that the user could have downloaded VNC. Or you could use remote assistance unless your users are really behind on their OS (assuming an infected PC is a windows PC). No need to walk the user through anything.
But, users are dumb, and I'll agree with that. Last summer when the Blaster worm came out, we emailed our customers ahead of time telling them they need to download the Microsoft patch.
On top of that, the Microsoft Windows Update popup that comes up by default, once a week, users still continue to ignore it because they don't know what it does.
Personally, I'd like to see more of this type of internet policing by ISPs. They should also be blocking people who have open SMB shares on their Windows networks. I can't count the number of times I've purposely gone into someone's SMB share and dropped a text file telling them how to fix it.
I, however, disagree with government policing of the internet. I believe the internet should be policed by the people who pay for it to be there. That would be us and the ISPs.
I think I'm in love. With your employer.
Clever signature text goes here.
If the average Joe's computer is cut off, how will they then get the "stuff" needed to fix the computer? Go to a neighbor and ask "Sorry but I was cut off the Internet cuz my PC has some virus, can I use your connection to get the needed update?" that is if they even know how to do it.
Sure there needs to be some control on everyone's part, how about making a system that if an infection is detected then an email service will notify the person on how to correct the problem and if after 15 days no action is taken, then cut them off.
This SIG pulled due to lack of funding. (This damn war is costing too much!)
On the other hand, I have a friend who was cut off when somebody complained to Cox claiming he was infected. The "infected" box in question was a Linux machine. (This was on a business - not residential class line.)
So, it's a nice idea until you get your own systems cut off because the cable company can't tell an infected box from an uninfected one.
After the cut off, you could have used a dial up ISP to do the same.
If you really are the sys admin for a large number of remote employees, then you need to re-evaluate your policies.
You need to be able to offer some form of remote assistance, either via remote desktop, ssh or whatever.
You need to have decent virus and spyware tools installed on all laptops to make sure your network isn't exposed to trojans when remote users attach.
If you have large numbers of remote employees, then having a dial up number in emergencies seems prudent.
You need some kind of fed-ex overnight policy for last resort return to base fixes, either to repair hardware or to reinstall a hosed system.
I don't think you can blame Comcast for your problems, your company needs a long hard look at the remote user policy.
However your point about lack of support is well made. If comcast are going to cut people off they need to offer people a CD with the fixes on it. Informing someone they have a virus and then cutting them off from the means of downloading a new signature file is irresponsible.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
It isn't the function of the ISP to support every workstation's unpatched buggy operating system(s), diagnose your virus infections, or determine why you keep getting whacked in CounterStrike. Running an ISP is a support-intensive affair, and the admins and engineers at Comcast have more than enough work to do keeping their own infrastructure running to be expected to also admin your eMachines box running Windows ME. A more appropriate (and effective) course of action would be to train their techs in the operation and config of two or three basic internet firewalls and package them with the cable modems they deploy to their customers.
This would be responsible on Comcast's part and, combined with the fact that most consumer PCs come bundled with some sort of virus protection would start to stem the nightmare tide of crapola that flows out of the cable modem subnets...
If you're expecting Comcast to do your work for you, you'll get no sympathy from me. If your story of your customer/user having a warning before service was cut-off was true, why didn't you use PC Anywhere, RAdmin, VNC, or Remote Desktop to update her virus defs and scan the machine? Or run AdAware personal on the workstation using VNC to look for known spamware/crapware that might be generating nefarious traffic?
Your points ring hollow with this Network Admin who deals with dozens of remote users on a daily basis. It isn't always as easy as having it on my desk, but the business reality is that some functions only require one person, and require very little or no face to face interaction with co-workers. Economically, it doesn't make sense to move these people back to the office just because you can't or won't google for "Windows VNC Server."
I'm not trying to insult you, troll, or start a flame-war here, but the things you're complaining about are a standard part of my business day that I have little difficulty with.
Who did what now?
Personally I'd be more concerned about the hoops that one would have to jump through to get my access restored. I'd bet it's not a simple, quick call to customer service to get the shit cut back on after resolving the problem.
I have enough problems with my ISP if I have a new MAC address to be added.
They block spam separately with a port 25 filter if it detects you're sending a large amount of emails. I think it's > 500/day.
They also cut the entire connection if it detects a virus/worm trying to use the network to spread. They haven't got the system set up to automatically inform the user WHY their connection is down though.
When I was doing support there I had this one customer call in who expected us to pay for her down time (which we would if it had been something like a network outage) AND what she paid to have some "technicians" (probably the neighbors' kids) look at her machine and try and figure out what the problem was for 2 weeks. I was like "Why did you wait 2 weeks before calling if your connection was down?"
I know that the internet is the primary place to get virus updates, but most people who run into this problem are running NO antivirus at all, so they need to go out and buy it anyway. In the rare case someone has AV that just wasn't updated, they need to bring the machine to someone else or go download the update somewhere else and bring it to the machine. I think the inconvenience goes a long way to giving them incentive to keep up to date in the future.
Introducing the new Occam Fusion! Now with sqrt(-1) fewer blades!
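The per-recipient daily limit proposed earlier in the thread and the "> 500/day" port 25 filter described in this post are the same control: count addressed recipients per customer per day, tolerate the occasional overage, and refuse or flag the rest. Below is an added example of such a policy; it is not Comcast's, Cablevision's or any other ISP's code, and the limit values, the seven-day window and the three customers' traffic are assumptions made for illustration.

```python
"""Per-customer outbound mail accounting with a soft ("fuzzy") and a hard limit.

Added example, not code from Comcast or any ISP named in the thread. The limit
values, the window and the sample traffic below are assumptions."""
from collections import defaultdict

SOFT_LIMIT = 50      # recipients/day: occasional overage is tolerated
HARD_LIMIT = 500     # recipients/day: further mail is refused for that day
WINDOW_DAYS = 7      # days examined when deciding whether overage is "regular"
MAX_SOFT_DAYS = 2    # days over the soft limit per window before a review flag


class OutboundMailPolicy:
    """Counts addressed recipients per customer per day and returns a verdict.

    'accept' - under the limits, or only occasionally over the soft limit
    'flag'   - accepted, but regularly over the soft limit: queue for the help desk
    'reject' - this message would push the day's total past the hard limit
    """

    def __init__(self, soft=SOFT_LIMIT, hard=HARD_LIMIT):
        self.default_limits = (soft, hard)
        self.limits = {}                                     # customer -> (soft, hard)
        self.counts = defaultdict(lambda: defaultdict(int))  # customer -> day -> recipients
        self.verdicts = defaultdict(list)                    # customer -> [(day, verdict)]

    def raise_limit(self, customer, soft, hard):
        """Help-desk override for a customer with a legitimate need (a list server)."""
        self.limits[customer] = (soft, hard)

    def submit(self, customer, day, recipients):
        """Account for one submitted message addressed to `recipients` people."""
        soft, hard = self.limits.get(customer, self.default_limits)
        daily = self.counts[customer]
        if daily[day] + recipients > hard:
            verdict = "reject"          # not counted: the message is refused outright
        else:
            daily[day] += recipients
            # "Fuzzy" part: how many days inside the window went over the soft limit?
            over = sum(1 for d, n in daily.items()
                       if day - WINDOW_DAYS < d <= day and n > soft)
            verdict = "flag" if over > MAX_SOFT_DAYS else "accept"
        self.verdicts[customer].append((day, verdict))
        return verdict

    def needs_attention(self, day):
        """Customers rejected or flagged on `day`, i.e. the ones the ISP should contact."""
        return sorted(c for c, v in self.verdicts.items()
                      if any(d == day and verdict != "accept" for d, verdict in v))


def simulate():
    """Constructed traffic for three customers; returns each one's verdict history."""
    policy = OutboundMailPolicy()
    history = {}
    # Ordinary user: a few mails a day, never near the soft limit.
    history["alice"] = [policy.submit("alice", d, 3) for d in range(1, 8)]
    # Newsletter sender: 60 recipients on alternate days. The third overage
    # inside one week counts as "regular" and gets a review flag, not a rejection.
    history["bob"] = [policy.submit("bob", d, 60) for d in (1, 3, 5)]
    # Zombie: 10-recipient spam runs all through day 2. Counting stops at the
    # hard limit, so 50 messages get through and the remaining 10 are refused.
    history["mallory"] = [policy.submit("mallory", 2, 10) for _ in range(60)]
    history["attention_day2"] = policy.needs_attention(2)
    history["attention_day5"] = policy.needs_attention(5)
    return history


if __name__ == "__main__":
    for customer, verdicts in simulate().items():
        print(customer, verdicts)
```

The hard limit stops the zombie the same day without any signature for the worm involved; the soft limit plus window is what keeps the occasional party invitation from tripping anything, while a list server gets its limit raised once and never shows up in `needs_attention` again.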
Remember, this "responsibility" can take form in paying someone to secure their pc. That person could be you.
If anything, this action is great for out-of-work tech people. There's money to be made.
no
I'm one of the sysadmins for a company with a large number of remote employees. Recently, one called me saying Comcast told them they had a trojan.
So you work for a company that has a large base of remote users and you don't provide any anti-virus or firewall solutions? And you feel that it is Comcast's responsibility to provide this support for you? Shame on your user for getting infected. Double shame on your department for not taking any action to prevent or correct the infection.
I saw McAfee Antivirus for $9.99 after rebate last weekend. If that is too expensive or complicated for your client, "Mary End User" probably shouldn't be on the internet. If it is too expensive or complicated for your IT support staff, you might consider asking for a refund on your MCSE.
Viv
Gmail invites for ip
I'm on the same side as comcast.
If someone was sending spam and you reported it you would hope that they would lose their connection. This is no different except comcast is detecting who's sending the virus out and taking care of it without forcing the person to be reported.
Three cheers for comcast, I wish every ISP did this.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
"Look, I'm sorry, but we don't let mentally retarded people do a lot of dangerous things in "real" life, why should we let the Internet equivalent do the equivalent things on the net? It's not exactly a matter of freedom, it's a matter of truly incompetent people repeatedly failing to live up to even the most basic obligations of owning a broadband connection."
Maybe they're doing it under the "It's a tool. I don't have to understand my computer, you insensitive clod" excuse.
They do this same thing at the college where my son is, they shut down the entire dorm building and go from room to room with a clipboard and a walkie-talkie to manually certify each machine clean. (When they came in and found my son is running Linux they said "Oh, never mind" and moved on :)
Once the building is certified "clean" they turn it back on. They had to do this because the entire building (as all the others on campus too) had become massive petri dishes and choked the entire university offline.
Now, Road Runner is virus scanning my incoming email, which for joe average is fine but it pisses me off. I have people all the time trying to forward email to me for "autopsy" but RR deletes it before it gets to me. I NEED to have those viruses sent to me so I can examine them for the people that I support. I've had to find a third party email provider that does not filter email and it costs me extra each month.
I've asked RR to cease and desist on filtering my email.
One last thing that RR does that pisses me off is that they blacklist email. I have people that send from certain locations that are 100% legit but because that service may host someone that is a spammer, RR blocks ALL email coming from that domain(s) and RR does not even have the freaking courtesy to notify me they are blocking my email. I had to find out when people call me on the phone and complain that RR is bouncing all their mail back as "rejected due to policy violations"...
I want an OPT OUT of the BIG BROTHER / NANNY policy. I don't need them to protect me from the big scary internet..
I know for a fact that other broadband companies do this. Viruses create all kinds of problems with the routers since they create a lot more traffic.
Hello user of Comcast.com e-mail server,
Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software.
For more information see the attached file.
For security purposes the attached file is password protected. Password is "37546".
Sincerely,
The Comcast.com team
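The mail above has the shape a worm uses when it masquerades as an ISP notice: a generic greeting, an attachment, and the attachment's password handed out in the body so that a mail scanner cannot look inside it. The following is an added example, not code from the thread, from Comcast or from any vendor, of a scoring check over such a message. The weights, the sender-domain list and both sample messages are constructed for illustration; the lure sample copies the wording quoted above.

```python
"""Score a mail that claims to be an ISP infection notice for worm-lure traits.

Added example; not code from the thread, Comcast or any vendor. The weights,
the domain list and the two sample messages are constructed. The lure sample
mirrors the mail quoted in the thread: generic greeting, an attachment, and
the attachment's password given away in the body."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ISP_DOMAINS = {"comcast.net", "comcast.com"}      # sender domains a lure would claim
RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".com", ".bat")
GREETING_RE = re.compile(r"^(dear|hello)\s+(valued\s+)?(user|customer|member)\b", re.I | re.M)
PASSWORD_RE = re.compile(r"\bpassword\s*(is|:)\s*[\"']?\w+", re.I)
OPEN_RE = re.compile(r"\b(see|open|run)\b.{0,20}\battach", re.I)


def lure_score(raw_message, threshold=4):
    """Return {'score', 'reasons', 'is_lure'} for one RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    score, reasons = 0, []

    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() in ISP_DOMAINS:
        score += 1
        reasons.append("claims an ISP sender address")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if GREETING_RE.search(body):
        score += 1
        reasons.append("generic greeting instead of an account name")

    names = [a.get_filename() or "" for a in msg.iter_attachments()]
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
    if risky:
        score += 2
        reasons.append("risky attachment: " + ", ".join(risky))
        if OPEN_RE.search(body):
            score += 1
            reasons.append("tells the reader to open the attachment")
        if PASSWORD_RE.search(body):
            # The give-away: a password in the body exists only to defeat AV scanning.
            score += 3
            reasons.append("attachment password given in the body")

    return {"score": score, "reasons": reasons, "is_lure": score >= threshold}


def sample_message(lure):
    """Constructed samples. The lure copies the wording quoted in the thread."""
    m = EmailMessage()
    m["To"] = "customer@example.net"
    if lure:
        m["From"] = "support@comcast.com"
        m["Subject"] = "Virus detected"
        m.set_content(
            "Hello user of Comcast.com e-mail server,\n\n"
            "Our antivirus software has detected a large amount of viruses outgoing "
            "from your email account. For more information see the attached file.\n"
            "For security purposes the attached file is password protected. "
            "Password is \"37546\".\n")
        m.add_attachment(b"PK\x03\x04" + b"\x00" * 26,   # fake zip header, constructed
                         maintype="application", subtype="zip", filename="report.zip")
    else:
        m["From"] = "abuse@comcast.net"
        m["Subject"] = "Action required on your account"
        m.set_content(
            "Dear Customer,\n\n"
            "Traffic from your connection matches a known worm. Please run your "
            "antivirus software and reply to this message or call the number on "
            "your bill. We never send attachments.\n")
    return m.as_string()


if __name__ == "__main__":
    for kind in (True, False):
        print("lure" if kind else "genuine", lure_score(sample_message(kind)))
```

The check is deliberately content-only; an ISP's real notice would additionally be verifiable out of band (the phone call mentioned elsewhere in the thread), which is exactly what a lure cannot offer.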
Why is it that this story (http://slashdot.org/article.pl?sid=04/01/29/2257259&mode=thread) regarding internet 'abusers' seems to me to tie into this.
Comcast: Oh, well the usage of this person is incredibly high. They must have an infected computer. Disconnect them.
User: Uhm...no. My computer isn't infected, I'm 'streaming video' instead of watching cable tv.
Comcast: Account...DELETED.
Cox Cable (used to be @home) recently cut off one of their users that had a worm. It was one of the nice ones that sends out spam. They gave her a few days to fix the problem, or be disconnected. Funny thing is she did have NAV installed, someone just clicked 'leave alone' to the dialog when it came up. Ah, the joys of spending 2 hours cleaning up spyware, viruses, and gigs of pr0n of 'questionable' tastes that the wife did not know about.
"Wow, you make it sound like a conspiracy theory as if your rights are being taken away. What they're doing is right. It's THEIR network, they can do whatever they want. It's not like you have a right to use the internet."
And yet such an attitude is propagated every time we have a story on Slashdot about people who abuse P2P.
"They sold me an unlimited pipe. By God I'm going to run it 24/7 at maximum. Fuck the rest of you."
Or my favourite when the ISPs turn over the info on copyright violators. Yeah! It's their network.
Now, if only other broadband ISPs would start policing their user base ...
Did I really just read that on Slashdot? The sky is falling and I want my mommy!
While you get no argument from me that cutting off infected machines is a good thing, I'm afraid that ISPs will start cutting off your service for all sorts of reasons they don't like.
Although it is their network, it's not like you're hijacking it, or they're letting you use it. You're paying for it. That does give you the right to use the internet and there's definitely a line they can cross.
In the ideal world, people wouldn't be morons and they'd take basic precautions to prevent their machines from getting infected. In an ideal world, corporations wouldn't abuse their power and screw their customers...I want a ticket to that world, I really do.
Warning: Opinions known to be heavily biased.
I spoke with a customer who got emailed the message "Is it true?" and the attachment nakedpicsofyou.zip and they immediately opened because they thought someone took their picture through the monitor. I swear to god this is why turning off peoples internet for having a virus needs to be done. 98% of the PC users only know something is wrong when either A.) the mouse pointer won't go or B.) They can't check their email.
I own a small ISP in the bay area with national dialup access and bay area DSL. I've been doing this for YEARS. And I mean YEARS. Ever since the first MM virus came out.
Users get informed twice when I detect viruses coming from their machines, They even get pointed to Norton's removal tools if I happen to know which virus they have. If they fail to take care of it by either self removal or bringing it in to me to remove it, then I will disable their account until they fix the problem. I've only had to do that twice now.
There's this little thing called customer care. Most ISPs don't have it, I specialize in it. It's one of the biggest reasons why once we get a customer, they don't leave. Not only do we help keep their machines in good running order, we also try to educate them about things such as spam, spam reporting, viruses, and phishing.
The problem is determining who is infected. I've run nmap from my home machine to test some servers at work; this might be classified as "infected". Or a mailing list manager running on a home machine might be judged to be a spammer just because it makes a lot of outgoing port 25 connections. Even if you base things on human complaints, people might still try to cause you trouble by claiming incorrectly that your machine spams. I'm not convinced that turning off spammers and other network abusers can be done correctly.
But necessary, provided they give users reasonable warning and help. Let a person know there's a problem, if they ignore it, cut the connection. It's all you CAN do in some cases. We have to do that where I work (university department). Some people just insist on ignoring what we tell them. Not for viruses actually, those we just go and fix (we are computer support after all) and then lecture them about opening attachments. It's for things like open servers and IP misconfigurations.
For example one group is ALWAYS assigning static IPs from the DHCP range. This causes the DHCP server to trip over them and a professor to have an IP conflict. The initial resolution was to talk to them about it. The response was, predictably, "ok, we'll fix it", followed by them NOT fixing it. So we pulled the net access to their lab. Amazing how fast shit gets fixed when that happens. They did it again, we pulled access again. They've finally stopped doing it.
The problem is that people are often just apathetic and/or uncaring about viruses, trojans, hacks, etc. They don't want to have to spend the time to fix it, or be bothered to learn how. Well it is NOT fair to ISPs or the Internet community at large to have to put up with this shit. ISPs shouldn't have to shell out for extra bandwidth because your computer is spewing Blaster traffic all over. Likewise, people shouldn't have to put up with SPAM because you can't be bothered to keep your system up to date and are running an open mail relay.
If the user won't respond, the only option is to terminate service.
It takes ISPs long enough to wake up. Users in general *are* clueless - now that the ISPs are finally wielding the cluebat, perhaps some of these users will finally get a clue!
Yeah, one can dream...
A few years ago my MS SQL server was cracked into by a worm going around then. (I don't remember which...it was my fault for using really stupidly lax security.)
Speakeasy quite quickly cut my connection and pleasantly provided me information on how to fix it. I applaud providers who do this sort of thing.
I have comcast for my home network. The speed was clocked at 4.1 Mbps 2 days ago in the speed test from bandwidthplace.com. If one of the 6 machines I have on my personal network got infected, all of that beautiful bandwidth would be at the disposal of spammers.
I take the necessary (and some unnecessary) steps to keep it clean, but my neighbors may not be so vigilant. If someone on my node of the comcast network gets infected it pulls down the usable range for all of us.
Think of how many viruses, worms, trojans and spam messages can be sent in a day with that much available bandwidth. Now imagine they are all aimed at your parents' inbox with your email address as the reply-to.
When you are repeatedly reckless with a car, they take it away from you. The same should be true of community technologies like an Internet connection. I know the analogy is a stretch but there is a very real community impact to taking a lax stance on security for broadband-connected machines.
--KS
1) They could call the ISP and ask the line be reactivated, so they can download it. Worked in my case. Roommate got Blaster, Cox shut off our line (they couldn't get a hold of me since my cellphone was broken and that was their point-of-contact). I called them, they told me the problem. Guy turned on the line, with the understanding I'd fix the system. Told me if I didn't, it'd get turned off again.
2) They could ask a friend/co-worker/IT group/kid for help. There are things called "floppies" and "CD-ROMS" and "USB drives" all of which can have the fix loaded on them, and then installed on their computer. If any of the users where I worked asked for a fix on CD-ROM, for home we'd happily provide it to them, we'd even offer advice on how to prevent this in the future.
3) They could pay for tech support. Yes, GASP!, spend MONEY! Plenty of tech places willing to clean up their system. Of course you probably see this as evil as paying for something like, say, car repair since god forbid someone should have to spend money to get service they lack the skills to perform themselves.
4) Along the horrible money-spending lines, they could go buy a commercial virus scanner. There are only tons of them on the shelves of every major software store.
There are PLENTY of solutions, many of them no-cost ones. However even if they have to pay, how is this so problematic? If I need my car or heater or plumbing fixed, I get charged for the service. I lack the skills to do it myself, which is why I have someone else come and do it. Are they ripping me off just because they want money for their time?
I'm not sure why there is the expectation that computer service should be free for clueless users. It's not for anything else you're clueless in. They can either learn how to do it themselves, find a friend willing to do it for free, or pay someone to do it. Just like you do with anything else.
You take it to a service centre like any of the hundreds of local mom and pop shops or a big chain like CompUSA and pay them to fix it. Most mom and pop shops even do house calls. Just like with any other service that you lack the skills, tools, time, or will to do, you can elect to pay someone else to do it.
Also you could always get a CD-R or USB key, drive to your local university or library, and use their net access to get the patch.
I've been getting just under a dozen or so abuse@ messages a day thanks to our infected customers. I REALLY want to redirect all outbound tcp/25 to our own mail server where we can disinfect and log all outbound mail. That's my grand goal. I wouldn't mind just cutting the customers off though. I wish we'd had the foresight to require customers to purchase an AV utility as part of their signing the AUP. That would have been nice.
It's a reference to the Blues Brothers, one of the greatest movies ever made. If you haven't seen it then you just don't understand the blues.
Jake: "Hey what's goin' on?"
Cop: "Oh those bums won their court case so they're marching today"
Jake: "What bums?"
Cop: "The fucking Nazi party!"
Jake: "Illinois Nazis"
Elwood: "I hate Illinois Nazis!"
Maybe we DID take the blue pill. You wouldn't remember anyway.
So I can't check my mail to find out why my connection has been cut off, I can't download a virus scanner or remover, and I HAVE to call them to get anything done.
Wouldn't it be a lot easier and efficient for them to put you on a redirect list so that every page you visit takes you to the same comcast page that explains what is happening? It could restrict the IPs you can visit to only some limited ones and block all other traffic. It would drastically reduce calls, make patching far easier, and solve the spamming problem.
$5 / month hosted VPS on linux = awesome!
Knowingly infected internet users are like the kids that keep coming to school sick. They're not getting better, and at some point you have to send them home because they keep coughing on the other kids.
These people are blocked for a reason: think of it more like a quarantine for the safety/comfort of other net users. They pay too, and nobody wants your bugs.
Here's one for you: Would a smart person trust a corporation whose raison d'etre is profit, and whose profits depend on a steady stream of new viruses making it into the public domain? How exactly do you know that Symantec doesn't have a department, or secret links to one, that does what is necessary to ensure continued profit?
Does that tinfoil hat mess up your hair?
It's "no one," not "noone." Who the hell is noone anyway?
A few minutes before I found this thread today I received an automated message from lafn.org. In that message it stated very clearly that it was an automated process that was blacklisting a /24 around a machine on one of our dialup netblocks that was caught sending mail to one of their spamtraps. That user is of course infected as are probably 50% IF NOT MORE of our customers. Our customers, no matter how big they are, no matter how big a customer they *think* they are, no matter what service they pay for have the right to cause 252 other customers at any given moment to be blacklisted. If they think they are that important then we sure as hell don't need them as a customer.
Cut off the users from outgoing port 25 connections... and perhaps other virus-ridden ports. Allow general web traffic... or restrict it but allow it to major antivirus sites.
There are lots of ways to partially block out the users while still allowing core functionality.
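The redirect idea raised earlier in the thread (every page the cut-off customer visits lands on one explanatory Comcast page, with only a few addresses reachable) and this post's suggestion to drop port 25 while leaving antivirus sites open describe the same thing, a walled garden, which on a Linux edge box is a pair of iptables chains plus one jump per customer. Below is an added example of generating those rules; it is not any ISP's code and not from the thread. The portal, resolver and vendor addresses are RFC 5737 documentation placeholders, and which vendor ranges to allow is an assumption.

```python
"""Walled-garden rules for cut-off customers, in iptables-restore syntax.

Added example, not any ISP's code. PORTAL, RESOLVER and the vendor ranges are
RFC 5737 documentation addresses standing in for real ones."""
from ipaddress import ip_address, ip_network

PORTAL = ip_address("192.0.2.10")       # page that explains why the line is cut off
RESOLVER = ip_address("192.0.2.53")     # ISP resolver still usable from quarantine
ALLOWED_NETS = {                        # assumed vendor ranges reachable from quarantine
    "antivirus vendor downloads": ip_network("198.51.100.0/24"),
    "OS patch mirror": ip_network("203.0.113.0/24"),
}


def walled_garden_chains():
    """Shared chains, loaded once with `iptables-restore --noflush`.

    Order is the point: allow-listed destinations are exempted before the HTTP
    redirect, and whatever is left is rejected rather than dropped, so the user
    sees the portal or an immediate error instead of silent timeouts."""
    lines = ["*nat", ":QUARANTINE_NAT - [0:0]"]
    for name, net in ALLOWED_NETS.items():
        lines += [f"# {name}: do not redirect", f"-A QUARANTINE_NAT -d {net} -j RETURN"]
    lines += [f"-A QUARANTINE_NAT -p tcp --dport 80 -j DNAT --to-destination {PORTAL}:80",
              "COMMIT",
              "*filter", ":QUARANTINE - [0:0]",
              f"-A QUARANTINE -d {PORTAL} -p tcp --dport 80 -j ACCEPT",
              f"-A QUARANTINE -d {RESOLVER} -p udp --dport 53 -j ACCEPT",
              f"-A QUARANTINE -d {RESOLVER} -p tcp --dport 53 -j ACCEPT"]
    for name, net in ALLOWED_NETS.items():
        lines += [f"# {name}",
                  f"-A QUARANTINE -d {net} -p tcp -m multiport --dports 80,443 -j ACCEPT"]
    lines += ["# no outbound mail at all from a quarantined host",
              "-A QUARANTINE -p tcp --dport 25 -j REJECT --reject-with tcp-reset",
              "-A QUARANTINE -j REJECT --reject-with icmp-admin-prohibited",
              "COMMIT"]
    return lines


def _customer(addr):
    """Validate an address before it is spliced into a command line."""
    ip = ip_address(addr)       # ValueError on "1.2.3.4 -j ACCEPT" and similar junk
    if ip.version != 4 or ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        raise ValueError(f"refusing to quarantine {ip}")
    return ip


def _jumps(ip, op):
    # -I rather than -A so the jump lands ahead of whatever else is in the chain
    return [f"-t nat {op} PREROUTING -s {ip} -j QUARANTINE_NAT",
            f"{op} FORWARD -s {ip} -j QUARANTINE"]


def quarantine_customer(addr):
    """iptables arguments that steer one customer address into the shared chains."""
    return _jumps(_customer(addr), "-I")


def release_customer(addr):
    """The matching deletions, for when the customer has cleaned up and called in."""
    return _jumps(_customer(addr), "-D")


if __name__ == "__main__":
    print("\n".join(walled_garden_chains()))
    for args in quarantine_customer("192.0.2.77"):
        print("iptables", args)
```

Two caveats the rules make visible: HTTPS cannot be redirected to the portal, it can only be allowed to the listed ranges or rejected, and the shared chains are loaded once; per-customer state is only the two jumps, so lifting a quarantine never touches anyone else's rules.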
Adelphia forces people to call the abuse department if users' cable modem service was disabled.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
When Comcast cuts people off for using too much bandwidth, trading child porn or stealing music, movies and software everyone screams 'BIG BROTHER! THIS IS EVIL!'
Comcast cuts off a worm and everyone says 'Good show Mr Comcast Corporate Citizen! I wish everyone would do this.'
Worm or warez, it's the same thing in my opinion. You either support Comcast's right to mess with your connection without warning or you do not.
Maybe I WANTED to run the worm, maybe I am a scientist experimenting, maybe it's my hobby to watch worm traffic. You don't know, just like you don't know if I am REALLY stealing music and movies and if that girl in the picture is REALLY under 18...
If Comcast are going to cut people off they need to offer people a CD with the fixes on it. Informing someone they have a virus and then cutting them off from the means of downloading a new signature file is irresponsible.
It's not comcast's responsibility to provide patches. Are they going to support OSX, Debian, RH, Win98, win2K, winxP, os/2, Xbox, etc.? How often do they need to release this CD, every day? No. That's insane. You are not thinking this through.
If you get your machine compromised because you are too lazy to keep it updated, run AV or a firewall, it's YOUR problem. Not Comcast's. If they cut you off, you are going to have to get off your ass and visit a computer store, friend, or get dialup somewhere to get patches. After all, how long should they wait for you to get your machine fixed before cutting you off? 24 hours? 48? a week? Your system can inflict massive damage on others in just a few minutes. They need to cut you off ASAP.
Comcast is selling INTERNET CONNECTIVITY, not OS support. If you need OS support, you need to go elsewhere. I don't want MY rates to go up to pay for support personnel troubleshooting clueless people's virus problems.
Just use a dialup account for that. It can even be within your own IP space, or if you are not an ISP, one from that same ISP (explain to them what you are doing and why you need a wide open access). Then just don't include that IP address in the list of those that the mail server accepts mail from for relaying (to test incoming).
Suppose there was a virus or worm which looked up the IP address to see which major ISP's netblocks the machine was part of, and launched a DDoS on the appropriate ISP's main customer web site.
I think we'd see the rest of the major ISPs start to take an interest in cleaning up their dozer customers' computers.
On my boxen, it would be (and I'm sure that there are non-Linux equivalents):
Assign a special DHCP address to known infected machines, then rewrite their web and mail traffic in the nat table (the rules need -t nat to land in the right table):
iptables -t nat -A PREROUTING -s $INFECTED_IP_BLOCK -p tcp --dport 80 -j DNAT --to-destination $REDIRECT_MACHINE
iptables -t nat -A PREROUTING -s $INFECTED_IP_BLOCK -p tcp --dport 25 -j DNAT --to-destination $REDIRECT_MACHINE
Then, at $REDIRECT_MACHINE, have a www page that basically says: You are infected with a virus. Please go here for cleaning/removal instructions, and information on protecting your PC.
And of course, the SMTP server would just be a dead address that will cause their email client to visibly bork on any sending operation.
Comcast already sent out clear instructions, both as an e-mail bulletin, and as a booklet included with the bill for people who weren't reading their e-mail.
If you want to drive your car on the roads, it has to pass a roadworthiness test. If the brakes are defective, or the steering is not straight, or the clutch is slipping, or a light bulb is out, or any one of a long list of things are wrong with it, then it might cause a danger to others, so it is not allowed on the Queen's highway until you get it fixed. Nobody has a problem with that. If you want to drive a death trap, you have to do it on your own property where you aren't causing a hazard for other people.
I don't think it's inherently unreasonable to impose a "networthiness" test on PCs. OTOH, this should be done by a properly accountable body; otherwise it's not policing, just vigilantism. Insisting on specific items of closed-source commercial software, for instance, is unacceptable. Nobody should ever be forced to be tied to a particular software product: I should always remain free to write my own software as long as I am able to prove that it meets the regulations, just as I am free to build my own road-going vehicle as long as I can prove that it meets the regulations. I am also free to challenge the regulations through the democratic process. I'm saying regulate the ends, not the means, and have the regulators know for sure that we, the public, pay their wages.
The real, long-term solution will begin when all forms of unsolicited commercial advertising on the Internet are forbidden {no more spam, no more popups; not even banner ads unless the user chooses to see them}; and when software vendors are legally obliged to offer either a guarantee that their software will perform as stated and only as stated or the complete source code.
I've been forwarding a LOT of spam coming from Comcast.net, Adelphia.net and a couple of other cable operators. It seems to take these crackers DAYS to do something about it. At least they're nice enough to tell me the problem with a specific user has been dealt with.
Makes you wonder if it's really possible to get even the dumbest of PC users to patch their machines. I mean, how difficult is it to do? It's like 3 mouse clicks. Yet, even the lowest common denominator sits there and says, "Uhhhhhhhhhhhhh..."
I'm sure the cable companies loathe having more customers calling support, and that this is why they've been reluctant to do this until now. But the fact remains that 95% of people won't do anything at all about the problem for various reasons:
- Their computer still works fine (if it ain't broke, don't fix it)
- They simply don't understand (they know that they aren't spamming)
- Friends have told them to never install unknown software
Of course it would help if the provider gives them some support, and I think they should. But the provider is not obligated to do so. This is all probably already in the terms of service. It is the customer's responsibility to do whatever it takes to ensure that they are not enabling abuse on the internet. Just because they are ignorant about how this happens only means someone has to help them out; but it is not the provider's obligation to compensate for ignorance.
So, if you switch to Comcast, would you be doing anything stupid like letting your machine be used for abuse by others? Would you run an unsecured OS? The very fact that you are posting to /. suggests the probability of that is a lot lower for you than for the general population. So maybe you don't have to worry about it. As to those you live with ... if any of them fit the category described above, then maybe it is you who need to provide that support.
Start an ISP which offers reduced prices to people who can pass a basic competency test on Internet security and computer usage. Give them an extra bonus discount if they're not running Windows.
... Or you maintain a pool of loaners and send one out same / next day. Downtime even less. Then you pop out the HD, stick it in as a second drive in your analysis machine, scan it or whatever. Or just image the thing back to a known state.
Laptops are very prone to problems by nature, and your users need to know that they need to back up their documents to a CD, zip, network, etc. on a very regular basis. Any IT department that isn't totally clueless knows this, and maintains stock images that they can just blast out with ease.
You can also provide users with a "rescue" cd that can boot the machine into a known state where you can remotely troubleshoot.
All things that Good IT people know about and can do.
Let's see about
.... done.
How about the retail boxes ship secure and go through a very simple startup, something between OSX and Eddie in demeanor and attention to detail...
1. Do you want to surf the web on this computer? Great. I'll enable that for you.
2. Do you want to send and receive mail on this computer? Great. I'll do that - I'm going to ask you for some info from your online service. You can click "later" if you don't have that right now.
3. Lots of viruses get sent by email. You have a trial version of (something) you can use for 30 days. Do you want to start that now (it's a very good idea...)? Great. This could take a minute...
4. I can make sure you have all the security and virus updates that may have changed since they packed this computer back at the factory. Do you want me to do that now?
Etc...
This links to the 'mom's computer' article a little ways back - My mom headed over to Staples and bought a journeyman Compaq with XP on it. She wants to surf, email her 6 kids and their families, balance her checkbook, listen to CDs and write her life story. She does not want to be a sysadmin, she wants it to work.
It needed a fair amount of work just to make sure it was current out of the box. Dialup & Windows updates - Mmmmm! After spending an afternoon doing my impersonation of Side Show Bob stepping on a near-infinite number of rakes, I tied it to a cable modem and
I run a small campus with an assortment of Macs and PCs - I'm no uber-anything, but I can keep the place running and occasionally can make stuff sing and dance and stand on its head. I try and keep up.
So just like with my staff and kids, there are the calls for the win-skinned popups & emails that claim there's something wrong with her computer - and the lovely answer is that the things that tell you there's something wrong are wrong - and when there IS something wrong, well, you won't know it until someone releases a patch for it waaaay after the fact ( where 0sec waaaay 30day ) and you're already screwed.
If mom had cable service, and barring the availability of decent wizards, she'd be more at risk of infections, trojans, with no real way to know how much trouble she was getting into (BTW roll the clock back 20 years and try to explain THAT sentence). And should she?
We (by which I mean the professional OS, coding, support, Very Clever Problem Solvers community) should be able to make this more mal-proof.
Here I have to side with the Volvo survey that said 'weld the hood shut' - and to invoke an old analogy, my mother needs no more to know why she has to even think about what's under the hood than she does the car. Make sure it works, and stay ahead of things. For instance - how about the cable companies or major ISPs or OS vendors to put a x-number of machines completely unprotected (inbound) which would look like user systems to honeypot the next new malware? Is this how the virus vendors already operate (you know, if you want to catch a mouse, make a noise like cheese...)
Anyhoo...
No responsible hobbyist or scientist would do something as idiotic as testing a worm on a net-connected machine.
As for cutting off the connections of those who download warez 24/7, I say fucking go for it. More bandwidth for my legitimate uses.
Fed-ex priority overnight.
One night to get it to you, one day for you to fix it, one night back to the user. Total end-user downtime = 1 day.
If even one day of downtime is too much then you need a hotswap system in place. Send them a replacement system.
Exactly. Every machine I own or work on (except where workplace policy prohibits) has UltraVNC server installed. On some of them, I've never used it, but as a minimum it's always there. It's been a really rare situation where one of these machines can't be accessed.
For machines where it might be a security problem to have it accessible, I also install OpenSSH (yes, even on Windows) and only allow VNC connections from localhost via port forwarding.
Basically, if a machine is company-owned, it should already be locked down as far as firewall and virus protection goes and if that machine is roaming the world, it should also have some way to remotely administer it.
" ...what does P2P have to do with spreading worms/viruses? Using the bandwidth you pay for vs. needlessly bringing down a network because you knowingly or not help spread of worms/viruses are two completely different things."
From a "consumption of resources" standpoint they are not. P2P 'abuse' can affect others on a shared network (which the Internet is), just as a virus can.
Magnitude 6 = 1 million emails/day
You know it is!
No, Earthlink will not unblock your port 25 if you call and threaten to drop -- and this is a Good thing. Allowing open port 25 on consumer (and most other classes of users too) is a BAD thing. I believe that if all dialup and broadband consumer users had port 25 blocked that it would stop almost all viruses that are spread via email. Tough titties if somebody doesn't want to use their ISP's mail server -- I don't want to drive 55 either.
I absolutely love how the Slashdot community (And the tech community as a whole) seems to suffer from MPD about topics such as this.
When it's convenient to us, we *love* for Big Brother to step in and clean things up. That's the case here. No one likes viruses or spammers, so we're happy to let the big ISPs lock things down.
But, as soon as people start enforcing policies that we don't like, you see these forums all ablaze with how unethical and **evil** commercial internet providers are. This is the case where the ISPs do port blocking or connection speed throttling and the like.
Make up your damned minds, people! You can't have it both ways.
Well, there is more to the story that hasn't been said, namely problems we've had with this particular end-user. I don't have any remote access tools installed because the user is adamant about not sending back the pc, and had this position long before it was infected with anything, let alone before I had even started with this company. It has NAV Corporate installed and LiveUpdate configured properly...thus my frustration with the Comcast diagnosis of "trojan". For all I know, she has a FunFunBackstreetBoys.exe game that hits a port they don't like. Again, something I do not and cannot know without access to the machine.
My point is simply that this user's pc was reasonably well protected, perhaps not against anything self-inflicted (I will certainly own that the tools I normally have available are not available on this laptop, but it's a machine that pre-dates my employment), but how is the average home user going to stand a chance against a policy like this? You (and several replies under my parent) somewhat skirted the issue...my dissent lies in the fact that saying "you might be doing something bad, so I have to make sure you can't do it" is on par with impounding a driver's car because they run a curb when pulling a turn. If a home user is told "you have a trojan" and told to fix it or get the boot, what do they do? This user went to four different repair vendors (several mega-conglomerate shops as well) and came back clean. I can't trust work I don't do myself, but I'm pretty sure at least one of them should have fixed whatever the problem was, assuming there was one at all. How is the average home user going to be able to check this/deal with this/ensure their safety?
Have the end user call into a modem at your office. That way your coworker gets to pollute your intranet rather than the internet, and not only will you be able to VNC into the box to fix it without cooperation from Comcast, you will have an excellent incentive to do so!
If subscribers paid for the bandwidth that they use instead of paying flat monthly fees, they would receive a message that even the most technically unsophisticated user would understand: a higher cable/DSL bill. Not doing something about it is like not fixing a leaky faucet and paying exorbitant water bills. Imagine what sending 100,000 or even a million e-mails would cost.
wow! It only took Comcast two years to deal with this problem, when they were made aware of it within seconds.
Congrats Comcast! I look forward to hearing about your customers getting decent DVRs with Tivo some time in 2137.
This company has been doing it since blaster. They probably weren't the first, but this is hardly a new idea.
Nothing to see here at all, this isn't even news. Every ISP, whether dial up or one leasing OC-3's has an abuse desk. When a customer generates enough abuse complaints and does not respond, you get cut off. They ALL do that.
I think this is a role that the ISP is necessarily forced to do to prevent their entire netblock from getting blackholed eventually.
But I would do it like phone service. In the US, if your phone service is cut off for whatever reason, you can still dial 911. This was mandated by the FCC some time ago. Same with cell phones.
I would have all ports closed to them and whenever they tried to go out on port 80, return an html page that tells them what is going on. Let them get to web-mail to correspond with tech support, and tech support pages, FAQs, cleaning instructions, etc.... but block everything else.
You're right. It would be nice if there was a kinder, gentler way to do it, but at some point, people have to accept responsibility. With the purchase of a computer and a broadband connection that's always on, you have to stay on top of things like virus software and security patches.
Being the network administrator for a school district, we got hit hard and are still getting hit by computers on the local cable company's subnets (Cablevision's OptimumOnline). Luckily, they've been working with us. We supply the IP of the offending machine and they make contact for us. Believe it or not, but most of the machines in question have been from district employees! We've been logging offending IPs and if we call again on a repeat offender, CV (like other cable companies) is turning off their modems, until the customer calls and reports that they've corrected their problem.
True, but a WHOIS on your domain identifies an ISP. Of course, there is no way of knowing if this is who you work for.
Sure ain't. But thanks for playing.
How exactly do you know that Symantec doesn't have a department, or secret links to one, that does what is necessary to ensure continued profit?
I wouldn't put that past Peter Norton, actually. I'm old enough to remember when he downloaded a bunch of public domain programs from BBSes and called it "Norton Utilities". This was not illegal at the time.
I certainly wouldn't put it past John McAfee either, there's even allegations that he did just that in the early days, which i have no way of substantiating.
But these two shysters still also depend on their antivirus apps Actually Working, and if they wrote the virus, we can be pretty sure they know how to remove it.
Your approach sounds good though. If you just popup a message, it will be ignored. A previous poster suggested redirecting people to a sandbox where they could only download virus killers, and otherwise do no harm - is that approach feasible?
It's trickier than it sounds. For Comcast, it's probably possible, since like the old days of independent ISPs, they control the pipe until it reaches their router.
In the world of aggregate dialup - and if you use a national dialup ISP that isn't also a telco, you're using aggregate dialup - it's pretty much impossible.
By 'aggregate' I mean, the modem that answers when you dial up probably doesn't belong to the company that bills you each month. And someone the next town over probably dials into one owned by a different company still. There are dozens of these companies. And most telcos fit into this category as well.
Not only that, the route it takes usually doesn't belong to them either. SOME - but not all - dialup equipment supports some sort of filtering, but it's generally port based. My employer's radius server requests of the NAS (the equipment you dial into) that it block port 25 inbound on your connection, for example. But support for this sort of feature is spotty at best, and you can't get very fancy with it.
In some cases the IP you get assigned is owned by the company you pay to be your ISP, but the ISP generally doesn't control the routing.
AT&T Worldnet is probably the only national dialup ISP that owns an actual world-wide dialup network, because they bought one from IBM some years back. I dunno if they still own all of it, though.
National DSL services are in much the same boat, but I'm not sure to what extent. There are issues like the legality of inter-LATA ATM fabric going over state lines that I don't comprehend at all. This is something my employer does, that's a few too many echelons of engineering above me for me to osmote - at least during the graveyard shift.
But how do people with infected machines then download software to become uninfected? Comcast better be sending them free software in the mail.
If Comcast is selling INTERNET CONNECTIVITY then they shouldn't interfere when users start sending out RPC blaster packets, or tons of data on port 25. Once you decide that mail server = OK, trojaned spambot = blocked, then you aren't just selling connectivity, you have crossed the line and are diagnosing individual machines on your network, and by monitoring them are offering a limited form of support.
All ISPs offer some OS support anyway, how do most people figure out how to connect to the pop3 or news servers for example if they don't?
If you decide to start blocking people who appear to have a virus, then it takes far less time and money to send out a CD with basic free tools and a FAQ sheet, or lock them into a walled off subnet with only a free AV tools ftp server for company than it does to field the thousands of irate calls which you will get and which will have people demanding your help to clean the PC.
You may as well be proactive and help, because it is going to cost you money and time even if you don't.
Rates will only go up if you annoy enough virus infected users that they leave, economies of scale will slowly reduce and prices will rise. If paying for support bothers you so much, you shouldn't be with a generic ISP like comcast/AOL and so on anyway. Find a more tech friendly provider that presumably has reduced rates due to the limited number of "lusers" subscribing.
... to get the new virus definitions from where exactly? What are they expecting people to do, call Symantec and have them snail mail them a floppy? Why don't they do the responsible thing, and partner with someone like Sophos, and have free virus software as part of their install/update procedure.
That's like in Britain when they used to put paupers in jail for not paying their taxes. Not a lot of people got a lot of high paying jobs in prison, so they never paid the taxes.
The problems with all of this comes into play how I run things at home. Fortunately I refused to go w/ Comcast (or more to the point wait for them -- this month they are now available in my area). My ISP knows what I run (Linux, BSD, and OS X) and doesn't take much issue w/ me on a fixed IP -- I send my own mail directly and don't use their relay as my 'smarthost' (yet?). I may be forced to do this -- but will of course do whatever becomes the "norm" out there and apply those changes to my own domain (@ home as well).
:)
... about the time I figured out what was really happening out there (Windows boxes being infected and used as their relays). The mechanism now in place is rather simple and effective -- sure, bayesian filtering @ the clients (fed into the system for blocking) as well as many harvesting addresses peppered about. When the spam does hit, the entire subnet that IP is on is blocked. Typical dialup/dsl type infected boxes may re-connect, but usually at a very close IP (already blocked) :).
Advanced type end users with fixed IPs are usually on other subnets and not a problem either. Once in a blue moon there is a conflict (about 1 in every 10,000 spams processed) ... and I have to manually "OK" an IP in the access file which otherwise dynamically takes care of itself and moves subnets into larger block groups as identified and looked up. My 'squelch' is set to 15 /24 subnets being blocked before a potential /16 block is done.
I use my home connection/domain as my first place test bed before rolling anything out to the networks @ the offices. Thankfully I don't sit in the normal seat an end/home user does -- as my job _is_ IT admin.
Just FYI -- due to the simple volume of spam I personally gave up on reporting a long time ago
The normal end user's email (even on an infected box) would go through their ISP email server (probably not blocked
Real problem children were easy to identify as well -- 210., 211., and 212. ring a bell?
But without notification you just got blocked. Sorry...
Those that KNOW ME and are blocked can usually just pick up the phone and say WASSSUUUPPPP??? 1 per 10,000 spam comes to two calls a year for my networks. Ok...
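The /24-then-/16 escalation the poster describes above (block the /24 a spam source sits in, and once 15 distinct /24s inside one /16 have been blocked, block the whole /16) is a small enough algorithm to spell out. The script below is an added example and not the poster's access-file tooling: it reads spam source IPs on stdin (the sample addresses are constructed from the RFC 5737 documentation ranges), takes the squelch threshold as an argument, and prints the resulting block list. The manual "OK" allowlist step the poster mentions is left out.

```shell
#!/bin/sh
# Added example, not the poster's code: derive a subnet block list from spam
# source IPs with the /24 -> /16 escalation described in the post.
#
# Usage: spam_blocklist [SQUELCH] < ip-list
#   SQUELCH: number of distinct /24s within one /16 that escalates to a /16
#            block (the poster runs 15; default here is 15 as well).
# Output: one CIDR per line, sorted; /24s that were folded into a /16 are
#         not printed separately.
spam_blocklist() {
  squelch="${1:-15}"
  awk -F. -v squelch="$squelch" '
    NF != 4 { next }                         # skip anything that is not a dotted quad
    {
      net24 = $1 "." $2 "." $3
      net16 = $1 "." $2
      # count each /24 once, no matter how many spams came from it
      if (!(net24 in seen24)) { seen24[net24] = 1; count16[net16]++ }
    }
    END {
      for (n in seen24) {
        split(n, p, ".")
        if (count16[p[1] "." p[2]] < squelch) print n ".0/24"
      }
      for (n in count16) if (count16[n] >= squelch) print n ".0.0/16"
    }' | sort
}

# Constructed sample input (RFC 5737 documentation addresses): two /24s in
# 203.0.x.x plus one in 198.51.100.x. With a squelch of 2 the 203.0 /16 folds.
sample_spam_sources() {
  printf '203.0.113.5\n203.0.113.9\n203.0.114.7\n198.51.100.3\nnot-an-ip\n'
}

# Run stand-alone: print the block list for the sample with squelch 2.
sample_spam_sources | spam_blocklist 2
```

In production the input would be the source addresses extracted from the spamtrap hits, and the output would be written into the MTA's access table. Lowering the squelch makes the filter more aggressive and widens the collateral blocking of innocent neighbours on the same /16, which is exactly the 1-in-10,000 conflict the poster handles by hand.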
Take a look at Speakeasy. They offer a number of different packages for residential DSL, and they cater to the sysadmin and gamer crowd. (multiple static IPs, allow NAT, allow servers, etc)
Build it, and they will come^Hplain.
no you tool, it forces users to get a fucking clue and not open 12_YR_OLD_NUDE.JPG.EXE
Yes, I'm all for getting people who are infected by viruses and spammers and thus make the Internet suck for the rest of us, but this is setting a bad PRECEDENT.
Comcast has already gotten lambasted here for cutting off "abusive" downloaders who have "unlimited" access. If Comcast not only is allowed to but also is *encouraged* to handle this problem simply by dropping the users' access, then there's no reason they won't feel like they can address the other problem by continuing to cut off those using a large amount of bandwidth under unlimited plans.
Back when I was a clueless newbie, years ago, I set up a server, innocently leaving it as an open relay (this was the base configuration for Sendmail at that time). Within a few weeks, I got irate messages from people being spammed, some of whom, fortunately, included an informative snippet from one of the blackhole servers that told me what the problem was. I secured my servers, and I have learned to periodically check the open relay testers when I do reconfiguration (to make sure I didn't miss anything).
What most cable modem people don't realize when they connect to a broadband line is that every one of them is potentially a server, capable of spewing all kinds of crap. They see a machine on their desk, not really grokking its connectedness to the rest of the world, and that that connectedness is a two-way street.
As for rights, it's no different from using the public highways, except that the possible consequence to the public of ignorance is only monetary, not fatal. If they won't take the responsibility to educate themselves, then somebody else has to do it for them, or "take them off the road."
While cleaning up my spam traps this morning, about 1/3 of it was from attbi.com and comcast.com. They need to climb down the ladder a ways, and start looking seriously at those who are only sending out maybe 10,000 emails a day. It should be easy to identify and whitelist those who are legitimately running very busy mailing lists, and detect which are unwitting spam fountains.
Maybe not, but many many users would request the port be unblocked and then run an insecure mail server (ie, open relay).
If you want to run a mail server, spring for a static IP address. Mail servers shouldn't be run on temporary connections anyway. If you're just sending mail out and not receiving it, smarthost through your ISP's SMTP servers. If you want to use some other off-site SMTP server for whatever reason, either use a VPN or SMTP AUTH on a different port. Problem solved.
FYI, I am posting AC for a reason. The company I work for does roll-outs and tech support for small cable companies. Scripts are in place to automatically deactivate accounts with high upload/download bandwidth (meaning trojan p2p programs) and techs monitor e-mail usage. Problem with an account? Notify account holder and de-activate account. If the account holder can't be notified, the account is de-activated anyways.
It's time people start taking responsibility for their actions when using a computer. Computers need to be patched frequently with Windows Update. AntiVirus programs such as Norton Antivirus, McAfee VirusScan, or Trend Micro PC-Cillin (my personal favorite) are needed with updates and scans run, at the very least, weekly. Computers also need anti-trojan programs such as The Cleaner and anti-spyware programs such as Spybot Search & Destroy and Ad-Aware. Even go as far as not to use the default Internet programs, Internet Explorer and Outlook Express. Instead, use free, open source programs such as Mozilla Firefox (browser) and Thunderbird (e-mail).
Naturally, the majority of people on /. know this, but we need to spread the word.
I think the difference between responsible gun owners and slack-jawed, wild-eyed goobers like you is the fact that the responsible owners can tell the difference between a car and a gun, whereas you whackjobs keep drawing irrelevant parallels between the two.
Unless, of course, Honda has been building consumer vehicles specifically meant to kill things or crash into targets and I haven't heard about it...
why not conference in with the customer and Comcast's abuse team? Surely there are better ways to go about supporting the customer...
Seems everyone is attacking this sysadmin for his remote IT management tactics or lack there of, but his post in my opinion was focused more on the END USER at home... These are people who ordered broadband internet connections from their provider and just want to use the internet... They are not techies, and I totally sympathise with them...
Maybe the INTERNET as a whole needs to be policed and the people creating the trojans or viruses and spammers should be held responsible... Of course since being an Anonymouse Coward on the internet is so easy, that's hard to do... You can only go after the suckers (basic end users)...
Maybe the internet should be shut down as a public service since no good method for keeping it safe has been developed...
This whole situation bugs me it's as if someone planted a self detonating bomb on my car, and when that bomb explodes and kills a few people I am to be responsible... ? Because I didn't check under my car, under my seat, in the trunk etc... NO... I think that's wrong... Just my opinion...
Now I know some of you are saying; Well the End-User is installing the virus voluntarily by clicking on the *.pif attachment... I wonder if you'd be equally as hard on those people that opened letters filled with anthrax...
The same people who couldn't fix, delete, or recreate my mailbox which they screwed up because (and I quote), "Nobody in tech support has a superuser account or authorization to do that."?
Yep, they won't get no false positives alright - after our sun turns itself into diamond, that is...
So how's this:
Instead of cutting off ALL internet access, why don't they do this?
Block all incoming service ports & all outgoing mail ports.
When they try to visit the web, use the "walled garden" concept posted by another user to direct them to a page explaining things, including links to free anti-virus scanners for Windows.
Doing this should also let them download anti-virus updates, right?
I'm a Comcast subscriber and a supporter of DShield, so I have a pretty good idea of the problems at Comcast and I'm glad to see Comcast getting more aggressive about stomping infected machines.
However, SenderBase says Yahoo's 6 MTAs are all in the top 10 senders of e-mail. Only XO Communications and thehdhd.com out-send them. thehdhd.com (at #6) seems to be openly dedicated to producing spam.
So, when will Yahoo clean up its act? Is it even possible for them to take the same kind of stance that Comcast is?
You omitted an option. 2.5: peer policing. Other networks deciding they're not going to put up with your sh*t and drop your packets. Viz: SPEWS, SpamCop, Spamhaus, etc.
SPEWS listed over 9 million Comcast IP addresses a few weeks ago due to ongoing mishandling of network abuse (the entry reads "Poster child of how not to run a broadband network company"). This may have had some impact.
I've been going rounds myself with an individual manning a /16 for which no postmaster or abuse record exists, and IP WHOIS contacts fail. He still doesn't seem to understand just why this is a problem. However several of the issues were cleared up after customer mail started being blocked by sites referencing RFC-Ignorant.
What part of "gestalt" don't you understand?
speakeasy.net has done this for years.
I'm a bit surprised by the criticism you received on this point, and I can totally understand your point of view, being on the receiving end of crap like this.
I wonder in honesty how many laptops are really Fedexed all over the place for something which, given correct information (for example, by the ISP) could be solved in under twenty minutes, depending on the end-user.
How some people expect "IT" to solve problems when blindfolded with one arm behind their backs, and given dodgy descriptions of what is wrong, fascinates me.
We were also informed once by our ISP that one of our 100 or so PCs was infected with "something" by a remote network admin, although our firewall logs and a subsequent remote virus scan (machines already all equipped with AV) never brought anything up.
They're wasting our time sending us looking for alleged needles in supposed haystacks.
Comcast certainly isn't the only ISP doing this and newer viruses/spam trojans are starting to show a trend that spammers are aware that they will be disconnected if they are obvious in their spamming behaviour. So instead of a lot of messages from a lot of machines all at once, it's a lot of machines sending a bit of mail at a constant steady rate but low enough to stay under the radar.
Brian Seppanen
Minister of Information and Propaganda
Area 54 The Secret Government Disco Labs Provo
So long as Comcast is quick to inform the customer as to why they have been cut off, and helpful about getting them back on, I think this is an excellent first step.
(If at first you don't succeed, do it different next time!)
cheated by shady local PC repair places
If you call charging money to fix the problem cheating, and if you mean not part of a franchise to be shady, then this is probably what will happen.
Why the hell would any PC shop give someone the run around for a simple virus/spyware clean? $100 bucks, or $50 if you buy the virus scanner.
Seems fair enough to me, so long as they actually fix the problem.
I'm posting this so that you (the moderator) have some context to consider twitter and not mod him up whenever he posts his filler preformatted rants about installing Knoppix or whatever that unfortunately get him karma every single time and allow him to continue posting his trademark toxic crap (read on) day in and day out. You may consider this a troll - I consider it community service. And I ain't kidding.
If you're a /. subscriber, I invite you to look through some of his posting history. I guarantee that you'll be hard pressed to find someone that is more "out there" than twitter. You'll also probably notice he's got quite an AC following. Don't just read his posts, make sure you go through the replies.
For example, in this recent post twitter not only calls the OP a troll but attempts to "tell it like it is" while making some vague argument about "GNU". Yes, if you're confused, you're not alone. The reply (modded +4) proceeds to simply destroy his bogus argument. You will notice he did not reply. This is what some people call "drive-by advocacy". A sort of I'll just leave you with my thoughts here and move on to the next flamebait kind of deal. In fact, he almost never replies because he knows that his fanatical arguments simply do not hold up to any sort of discussion. It's not that he's chosen the wrong cause - he's just going at it in a completely wrong way.
More? Just read through this post and the subsequent replies. I guess this stands on its own.
More? Bad spelling in astounding conspiracy theories, more offtopic FUD and uninformed "I'm right, look at me" rants, promptly proven wrong. Worse even, twitter wants to be RMS, apparently (that first one is a winner). I mean, really. You think?
FUD, FUD, FUD, FUD, offtopic FUD, and more FUD. This guy is like the Monty Python SPAM skit, but with FUD and more FUD instead of canned meat. Amazed
Replace: they pay for have the right
With: they pay for DO NOT have the right
Whoops! Now that's better. Read what I meant to say and not what I actually wrote. :)
I work tech support for a major cable ISP and my employer, at least, DOES police its customers (albeit with a light hand). There are four basic ways an account gets disabled or throttled (aside from the obvious non-payment):
1. An e-mail account attempts to send more than a certain, but undisclosed, number of e-mails within a 12 hour period. Result: SMTP server rejects all further e-mails from source for 24 hours.
2. Infected e-mails are traced back to a customer's computer. Result: customer given a warning e-mail from the security dept and a very short deadline. Failure to get cleaned results in ALL internet access being disabled.
3. If a customer keeps maxing out bandwidth, the local office has the choice of either dialing down the access or disabling the modem completely.
4. If a technician spots the fact that a customer's modem is not using a bin file appropriate to the account (a fact which can be scanned for automatically with DOCSIS 2.0 compliant modems).
When the ISP decides to disable an account, the most common way is indeed to send an updated disabled.bin file to the modem; however, it is possible to "de-provision" a modem. Essentially, the CMTS at the headend gets told that the MAC ID does not have permission to get on the network. One final note: most DOCSIS 2.0 compliant modems will NOT accept an updated .bin file from the ethernet side....
I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
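As an added example (not the poster's code nor any ISP's), here is rule 1 above as a sliding-window SMTP submission limiter with a 24 hour lockout, plus a long-window check for the "steady rate, under the radar" senders described earlier in the thread. The 500-per-12h limit, the 200-per-day threshold and the sample accounts are assumed values; the real limit is undisclosed.

```python
"""Sliding-window SMTP submission limiter with a 24 h lockout, plus a
long-window check for steady low-rate senders.  Thresholds are assumed."""
from collections import defaultdict, deque

WINDOW = 12 * 3600      # count submissions over a 12 h sliding window
LOCKOUT = 24 * 3600     # reject everything for 24 h once the limit is exceeded
LIMIT = 500             # hypothetical per-account limit (real value undisclosed)


class SubmissionLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW, lockout=LOCKOUT):
        self.limit, self.window, self.lockout = limit, window, lockout
        self.sent = defaultdict(deque)   # account -> timestamps inside window
        self.locked_until = {}           # account -> epoch when lockout ends

    def check(self, account, ts):
        """Return 'ACCEPT' or 'REJECT' for one submission at epoch time ts."""
        if self.locked_until.get(account, 0) > ts:
            return "REJECT"
        q = self.sent[account]
        while q and ts - q[0] >= self.window:   # expire events outside window
            q.popleft()
        if len(q) >= self.limit:                # this attempt exceeds the limit
            self.locked_until[account] = ts + self.lockout
            q.clear()
            return "REJECT"
        q.append(ts)
        return "ACCEPT"


def run(events, limiter=None):
    """Apply the limiter to (ts, account) events; return one decision each."""
    lim = limiter or SubmissionLimiter()
    return [lim.check(acct, ts) for ts, acct in events]


def steady_senders(events, per_day=200, days=7):
    """Flag accounts whose total over `days` days is high even if no 12 h
    window ever tripped the limit (the low-and-slow pattern)."""
    totals = defaultdict(int)
    for _, acct in events:
        totals[acct] += 1
    return sorted(a for a, n in totals.items() if n >= per_day * days)


# Constructed sample: a burst sender (600 mails in 100 minutes) and a
# low-and-slow sender (one mail every 400 s for a week, ~216 per day).
BURST = [(t, "burst@example.net") for t in range(0, 6000, 10)]
SLOW = [(t, "slow@example.net") for t in range(0, 7 * 86400, 400)]
```

Running `run(BURST)` accepts the first 500 and rejects the rest, while `run(SLOW)` accepts every message; only `steady_senders(BURST + SLOW)` catches the slow account.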
i am a comcast customer in DFW area and i was shut off for having a trojan setup a spam server. (i have wiped my drive and reloaded everything and loaded antivirus and firewall software since and do recognize myself as an idiot) i must say that comcast was exceptionally understanding and went out of their way to help me BEFORE shutting off my service. (which i agreed to while i went and picked up some antivirus software)
any fears about this being some Machiavellian form of corporate control are unfounded....
Except that the viruses and trojans violate the AUP and are damaging others. It's not legit usage.
Second, telling people how to set up their software to use the internet is a far cry from offering patches and troubleshooting worm infestations.
Finally, the excess bandwidth used and problems caused by infected machines far outweighs the money received. It's a no brainer. You actually may get MORE users if the service isn't as worm and spam infested.
Your logic just doesn't make sense.
I can't believe the slashdot crowd thinks this is a good idea. If they can knock you off the net at all they can knock you off for any reason they choose. Running BitTorrent to download the latest distro ISOs? "Your connection has been terminated as we have decided you are a pirate!"
gees!
You can have a Windows box. Just don't connect it directly to the Internet. Use a consumer router with NAT (what I call an Internet condom) to effectively hide the Windows box's open ports and vulnerable services from outsiders.
This won't protect you from Trojans you get via email, but it at least protects your box long enough to download necessary patches and a copy of Mozilla or Opera.
If you're smart enough to run SpamAssassin, shouldn't you also be running your own copy of BIND with root hints and skipping your ISP altogether? At most, forward only queries for your ISP's domain to its internal nameservers, just to get any special addresses that are only available to customers.
When ATTBI first acquired part of @Home's network, I was one of the fortunate few not plagued by ATTBI's misconfigured backup name servers, because I had BIND running with root hints on my LAN. (Win2k has a habit of failing over when a reply packet is missed and locking on to a backup server.)
My girlfriend's net connection has been cut off multiple times, without *any* notification, due to her brother's computer having Kazaa running on it. Another time it was disconnected, also without any notification to them, because one of the computers had a single worm on it. They finally called the cable company after three days of non-connection to figure out wtf was going on with the network, to see if maybe the ISP was having issues, etc. only to find out their account had been suspended due to one of the computers supposedly being used by hackers.
This wouldn't have been such a big deal if the company had actually contacted them to tell them about their account suspension.
If major ISPs in other areas ever implement this kind of retardedness, the least they can do is ensure they properly notify customers when they are disconnected, including all information relating to the case...
When I used to work for Tech Support for BellSouth FastAccess DSL, we would get calls of people losing sync. After further investigation, it turns out BellSouth suspected them of spamming via email and they would cancel people's accounts if they thought they were spamming. The only way to get your connection back would be to speak with a rep in the abuse dept. It happened to a friend of mine when a glitch in a Beta version of Trillian hit the BellSouth mail servers 1,000,000 times in an hour to check his mail. They still practice this to my knowledge. It's been going on with them for 3 years I think.
They had a big push on Code Red and Nimda, and disconnected a colleague for being infected.
Unfortunately, he was running Linux, and they'd simply screwed up. Which kind of highlights the problem. What's an acceptable rate of friendly fire, and at what point does the cost of pissing off your own customers (infected or otherwise) outweigh the benefits of doing so?
If you were blocking sigs, you wouldn't have to read this.
Comcast is doing something about their Windows infected users who have been infected with virus', worms, and trojans (oh my!) and used to relay spam spam spam? Really? I have to wonder...
I was curious -- as I just got a email, no problem, from a Mac (regardless) subscriber who has DSL. Their email, of course, went through Comcast's mailhost on a different subnet with no problem.
I just happened to look a day after this article -- and TODAY here's the infected Comcast machines trying to contact me:
Super-genius.