Slashdot Mirror
Comcast Cuts Infected PCs' Network Connections
fidget42 writes "I just noticed this article over at Infoworld. It seems that Comcast is finally doing something about the machines on their network that are being used by spammers. They are now cutting off service to those customers who have computers that have been hijacked by spammers. Now, if only other broadband ISPs would start policing their user base ..."
Now, if only other broadband ISPs would start policing their user base ..."
ATTBI (back in 2002) was disabling people's account for being infected with worms... People's modem CFG file would be set to disabled.cfg and they would have block sync but wouldn't be permitted onto the network.
If Comcast took over from ATTBI and is using parts of their existing network, I just can't understand why modems were not being disabled recently for infection by worms.
Because we all know Corporations policing is a VERY GOOD THING!tm
You'd be first in line to moan about them 'infringing' on your interweb right!
which side of the fence are we on? We don't like bandwidth limits, but we do like automatically triggered cutoffs, because we all know there is no such thing as a false positive.
also, say grandma gets infected. She is best off downloading updated definitions for her old version of symantec, and letting AV take care of it. how do you do that with no intarweb?
Doesn't this force those users to go out to CompUSA and buy a copy of McAfee or Norton antivirus?
Blocking web access also means that those users aren't able to download good, free virus scanners like Grisoft's AVG.
I have been pwned because my
For example, I administer a mail server, and occasionally have to mail a virus or spam to myself to check that the filters are operating correctly. It would be very inconvenient if I got my connection pulled each time that happened.
completely at random, just in case they might be infected!
They do the same with phone lines, in case you might be using that line to dial an infected machine up!
Ahh, Qwest... thine spirit of service doth truly amaze.
I know anecdotal evidence is pretty much worthless, but my friend got infected with all sorts of nasty ad/malwares, along with Blaster and a couple other worms. Cox deactivated his cable modem, he had to call them and go through phone hell to get his service back. So I'm not really sure it's only Comcast doing this.
I'm on top of my game like I'm standin' on Xbox.
Are these guys even allowed to do this based on the user agreement they get their subscribers to sign? I'm sure most of these computers that get hijacked are used by Joe Somebody who probably has no idea that his computer has been hijacked. If Comcast and other ISPs are so keen on cutting off access to spammers, why not provide a firewall and antivirus programs along with their subscriptions? I'm sure it'd cost them a pidly amount and wouldn't really be all that hard to work out a deal with these software vendors to bundle them into the deal. Maybe I'm way off base here but it just doesn't sound right to just cut off acess.
Although a lot of of the spammer are not spammers but people with infected computers. But they wont do anything unless they have to. Cutting net access to them will force them to fix the problem one way or an other. Most people who are hacked will go well it is not affecting me so I wont fix it. But with their connection gone then it is affecting them. Now they can fix it them self or hire someone to do it. But this is a good first step.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I applaud this decision. Even though it will possibly cost them customers or cost them additional tech support time, they will be cutting off peoples owned windows boxes.
Lets hope they hold to this once the calls start coming in from people who have everything from Bagle to Netsky (along with probably a heavy dose of spyware too)
wtf? How is this going to benefit the people who're running the machines?
Try sending out an ISP bulletin with the simple tips on how to avoid getting exploited in the first place. It's dead simple.
1. install patches regularly
2. virus scan
3. don't open attachments
4. don't install spyware.
If people used these 4 simple techniques, while it wouldn't be perfect, it would by my thoughts drop the number of infected machines down by three quarters, which will DRAMATICALLY reduce the efficiency and productivity of running a spamming business, and spammers won't have any choice but to leave you alone.
Cutting people off is just going to get them to take infected machines somewhere else.
... would be to put the network connection onto a quarantined sub-net where all the necessary virus removal tools were available. Once the machine was cleaned up, it would be allowed general network access again.
Fine, stop the infected machines from DDOs'ing. But hey, can the SERVICE be a little more SERVICE friendly ? Like this: DHCP Message comes up: "Dear Comca$t customer. Your computer seems to be infected with a computer virus. We will only allow you access to our FREE antivirus tools site until you have resolved this problem. Please contact us at blah,. blah, blah". Then let 'em into a site that they control with standard tools to detect and blow away those worms." Might make the customers happy instead of ticked off.
I had a machine on AT&T (now Comcast) that was infected by a worm. Bummer. I'll tell you, you have to keep up with those service packs even if you're going to directly connect to the network for "just a few hours".
Anyhow, my friends at AT&T Broadband (the ones that never answered their phone) sent me a nastygram telling me that I was doing a bit too much port scanning for their liking (duh...)
So I ripped the machine of the network and poked around. Yep, it turned out that my machine was infected a few hours after I installed the OS, and it was doing it's bad thing for WEEKS.
At the time, AT&T just "informed me" that I should stop doing bad things. I think it would have been prudent for them to kill my service until I took corrective action.
Of course, this was 3 years ago or so... a more innocent time...
That explains why I haven't been spammed by a Comcast box for ... 36 minutes :(
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
I for one welcome our new connection blocking ISP overlords?
First time for me...
I agree that this should be done in extreme cases where the customer is CONTACTED before so that information and education can be PROVIDED. Simply clipping the wire does not fix the issue for anyone but the ISP.
Second, Backroads.net implemented the policy above with much success. I was happy as a customer of theirs.
It is unfortunate that this has to be done, but wouldn't a more effective solution be to block all ports but 80 or maybe even force all their traffic to a URL with an explaination of the virus and let them know that they can not do anything on the web until it is fixed?
SP
Why disable the account when they could just block certain ports?
Code Red showed up in August of 2001. Anti-virus vendors, and even Microsoft, released detection and cleaning tools. To this day, two and a half years later, I am still getting Code Red hits from infected machines.
It is about bloody time that a large provider has become willing to proactively cut off infected machines. Now if only UUNet would do the same, as most of the Code Red hits I receive come from within my own NSP's network.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
How is an infected user supposed to resolve the issues that they have if they can't get to an update or patch?
This reminds me of the idea of putting people in jail for debt. Bankruptcy amounts to a life sentence, since there was no possible way a person could make up the sum of money while in jail, away from the work force.
How can these people fix the problem without access to up-to-date patches and virus scans?
Mail Admins do yourself a favor.
Just nuke the following -
client.comcast.net
and
client2.comcast.net
And for good measure - client.attbi.com
That should take care of most of the zombie / virus / idiot mail. None of their residential customers should be sending email directly from a dymamic IP address. This will seriously cut a good bite of the spam / viruses you are receiving, and you don't have to worry about missing email because they should be relaying through central mail servers.
To me, this sounds like an OK idea, because I bet this will be the ONLY way that many users FIND OUT that their computers have become zombie spambots.
There is a certain responsibility that comes with being a part of the internet, one that has become greatly understated since the commoditization and commercialization of the 'net as a whole: do not become a danger or a malfeasance to the rest of the machines that are also connected.
Unfortunately, this is something that seems to be lost on the clients of broadband always-on connections, especially those that are used by folks with little or no proficiency. While they have no intention of becoming spam-hosts, or DDOS platforms, by not keeping their machines protected against the various evils that lie in waiting out there, they unwittingly become part of the problem.
This does not reduce the hassles and costs to other sysadmins and users of the 'net as a whole. That said, it seems only fair for an ISP to mitigate the problem by pulling the connection of a user whose systems(s) are spewing out malware.
There are reasonable precautions one should take, that is, having a good firewall, keeping the machine patched and having good virus protection. No, this does not come without some effort and not always without cost. But, to be connected to the internet full-time, it is a cost of doing business, not unlike having insurance for your car in case you cause an accident. Liability insurance is to protect the public, and you from losing everything should you do harm to others. Keeping worms, trojans and viruses off of your machine also protect not only you but others as well.
So, it is really a matter of responsibility.
Require the installation of a "personal firewall" when the users sign up for an account. Hell, everything else and the kitchen sink was on that CD when I signed up for Comcast... This would probably cut 99% of the problems out. If not a software based solution, how about a hardware based one? How hard would it be to put a firewall in the router they charge 4.95/m to use? Hell, tech support could configure it for grandma, grandpa, mom, dad, ...
But I guess it is easier to just shut them off, and then charge a reconnection fee... eh?
--ryan
Lets put it another way: the ISP states in their terms & conditions something like: "Subscribers are not allowed to distribute spam or worms over their connection, nor are they allowed to carry out DDOS attacks.". Doesn't sound too unreasonable, does it? Not even if the user breaks this rule unwittingly, because his computer is infected with something nasty.
A rule like this puts the responsibility for the cleanliness of the subscriber's computer firmly with that subscriber. Rightly so, since that user is in an excellent position to do something about it. It sucks being disconnected because of a worm on your machine, but the alternative is to allow the worm to continue to spread.
The only things I worry about is the accuracy of the detection mechanism used on the ISP's side, and the promptness with which they reconnect you after you fix the problem on your machine.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Here is Comcast's Terms Of Service.
From the AUP:
Note: Comcast reserves the right to immediately terminate the Service and the Subscriber Agreement if you engage in any of the prohibited activities listed in this AUP or if you use the Comcast Equipment or Service in a way which is contrary to any Comcast policies or any of Comcast's suppliers' policies. You must strictly adhere to any policy set forth by another service provider accessed through the Service.
So they can terminate service, based on violation of the subarticles:
(vii) restrict, inhibit, or otherwise interfere with the ability of any other person, regardless of intent, purpose or knowledge, to use or enjoy the Service, including, without limitation, posting or transmitting any information or software which contains a worm, virus, or other harmful feature, or generating levels of traffic sufficient to impede others' ability to send or retrieve information;
And transmitting a virus is definitely a violation. Still, it would be nice if there was more information on what will cause them to pull the plug.
It's about the easiest thing ion the world for the ISP to and it's _very_ effective. Another option would be for ISP's to force all SMTP traffic through their own mailserver and virus scan it. They could easily spot a home user sending a couple of thousand messages in an hour or one spreading infected email everywhere.
If you want unfettered access you can pay for a co-lo box and take the responsibility too. People can't keep hiding behind their ISP and dynamic IPs. I'm all for personal freedoms on the net, but with freedom comes responsibility. Deal with it.
Oh come on now...
As much as I love OS X (sitting on it right now), it is not "infection-proof".
BSD/OS X is just as vulnerable to hacking as any other Unix system if left unpatched and unmaintained.
Just because there hasn't been a working worm written for BSD/OS X doesn't mean there won't be one.
PLUS, -just- having an updated AntiVirus doesn't solve the problem! It's the patch level too, it's the non-configured software or hardware firewalls, it's the complete dearth of knowledge of the basics of computer security! Everyone has to learn to drive, so everyone has to learn to keep things at a baseline level of security.
Why don't you do your part and instead of calling people stupid, educate those you know, and tell them to educate others?
Now that would be a ' Good Thing !
Because the "Little Old Granny" wouldn't have a clue that she was being throttled. Blocking is a good idea. However, the blocked message should be something like "We have detected your machine has a virus. Please CALL Comcast at..." Then, the customer support person could help out. cb
Remember, licking doorknobs is illegal on other planets.
You can't send a message with DHCP- thats a network assignment protocol. As in, you get your IP from them with that.
It would be even better to send them a "Net Send " but thats been disabled due to viruses and spam.
Frankly those users have ignored all the obvious aspects of being infected (100% cable light flashing) and have probably consumed more bandwidth than an army of teenagers downloading MP3s. That cable *should* be cut and I stand by my comments about desiring cable access being denied to them UNTIL they remove their virus.
Frankly, they AREN't running a virus scanner because... obviously... the logs go on for days. Weeks. A few for months. So how exactly do you want to make them call in for more information? Why, you cut out their access. Very quickly they call in. If they don't, well, they weren't using the service and they will call in when they want to... at which point a qualified technician can 'walk them thru' downloading a virus scanner and installing it.
Because lets face it- if they are spamming the net with a virus thats been on their machine for months, a little DHCP message (hah) ain't gonna do nothing to stop them.
Nice to see some companies caring about their customers by notifying them there's a problem. I wish Sprint/Earthlink was as good as Comcast in the customer service, hell the one tech guy who came out to work on our line even recomended Comcast over his company. oO
Here's a little story about Sprint/Earthlink you may all enjoy. Last year at around Febuary. They got a hold of my home and said that DSL was available. We signed up and they called a month later saying the 1.5 DSL was available so we signed up for that.
Well for 7 months we had no problems. Everything worked perfectly. Then they decided that individual computers at a home must now go through a router and switched the system over to that. This caused regular disconnects at my house because they neglected to send us any notification of the service change.
After the router was installed and we went through it, we still got regular disconnects from the service. After about 3 month, 3 Sprint technicians, and 1 Earthlink tecnician.
Finally the conclusion was reached that the 1.5 DSL was the problem cause we were about 24,000 feet from the office or just outside the bubble. And we could only get the lower speed. Which doesn't explain why it worked for 7 months w/out a hitch before their connection policy change.
We asked if it was possible to be switched to a closer office, they said there was one closer but it wasn't ready to handle connections. We asked if they could notify us of when it will be ready so we can switch and have better service. The technician said they wouldn't and no reason was given.
At this point your probebly wondering why we didn't switch to Comcast. Well they neglected to send us a bill for about 3 months and repeated calls were getting nowhere so switching was on hold. A carrier pigeon would have been more of an option.
Finally in Febuary another Sprint tecnician came out. This guy knew exactly what he was doing and said that the office closer to use was ready to take connections after he heard our story. He hooked us right up to the closer office thats only 10,000ft away and we've been picture perfect since. I'd like to thank that fellow, but I didn't get his name cause I was at work when he stopped out.
Anyway, it's fellows like that and the ones that take the time to call people about problems that should get the good pay checks. Not the idiots who could careless and leave you hanging.
Sorry for the long winded story. But seeing this article made me think of what happened to me and especially of that one tech guy recomending Comcast over their company.
~~ Behold the flying cow with a rail gun! ~~
ISP could set up captive portal (like on WLANs) with information and pointers to AV software updates. Either all traffic is relayed through proxy or then packets are allowed to AV sites.
But false positives are the problem, of course. But once you get confirmed spam, virus or worm traffic, then you can be quite sure.
The ISP I work for (Adelphia, thus Anon :) ) is working on a way to handle customers like these.
-First, the customer is identified, then placed into a 'walled zone'.
-This walled zone will route/allow the cable modem to go only to one specific location, a certain web page in this case.
-Said web page will include downloads for virus fixes and such. Customer goes there, downloads, and cleans up his computer.
-When it has been verified that the customer has gone there and cleaned up, they check his system, then reactivate his account.
To me it seems like a pretty nifty way of stopping virus spreading while keeping the customer informed of what's going on.
That's all well and good, but . . .
I work for one of the largest meta-ISPs. To put things simply, my employer operates the back-end of of a few hundred interest services. Said employer shall remain nameless, and no, my email address does not reflect said employer.
Anyway. I'm a graveyard shift network operator. There isn't a whole lot to do on the graveyard shift except make sure nothing bursts into flames. So I'm pretty bored until about 5am when our authentication logs gets rolled into the database.
And this is when i can go through all the complaints about spam, viruses, port scans, and whatever else our teeming masses of end users have perpetrated, and figure out exactly who's computer is doing what. And then shut 'em off.
I agree completely that it would be great if there were some way i could efficiently get the end user to disinfect or secure their systems without having to resort to strong-arm tactics, but the truth is that, for 99.99999% of home users, disabling their supply of email and porn is the only way we can get them to sit up and pay attention.
Think about it. If you got some popup on your screen that said you have a virus and your internet connection is at risk, you'd just close it and go about your business. Unless your connection didn't work, and then you'd call customer service and try and get it 'fixed'.
Heck, most people get popups that tell them that sort of thing all the time.
Would a smart person trust that the 'free' antivirus tools are indeed what they claim to be without some way of independently verifying that? I sure wouldn't.
Would an *average end user be able to use them effectively? That joke isn't even funny. I did my time in tech support - the sheer number of people who have asked me what a comma is while I'm trying to help them disable call waiting on their phone line are shadowed only by the monumental stupidity of the woman who was overheard - on several calls - shouting at her husband - over and over - "IT'S THE A IN THE CIRCLE! THE *A* IN THE *CIRCLE*!!!". It would be funnier if it didn't make one lose all faith in the future of humanity.
Furthermore, have you considered the liability issues here? You want a corporation to tell a user to run a program that proports to remove a virus from their system? a FREE program? What happens when it runs across some new variant of some virus, thinks it's the old variant, does the wrong thing to remove it, and ends up rendering the whole system inoperable? I'll tell you what, some arm-chair attorney is going to threaten legal action. You have no idea how frequently this really happens. Even if you so much as recommend third party software.
So we cut 'em off. Just to force them to call us. And then we tell them, essentially, "Look, buddy. Your computer has this problem. And your computer's problem is our problem. And that makes it your problem. We don't care what you do to solve this problem, but you better do it. We suggest antivirus software as a first step. We hear that you can get a free version of something called AVG."
And then, if they seem to understand, we turn their connection back on, so that they can update their norton or download avg or whatever.
And every week, there's two or three end users who get their accounts totally closed because we've been over this with them three times already and they haven't managed to get the picture.
I wish there were a kinder, gentler way to do it. So far, I don't think there is.
This is just like television, only you can see much further.
instead of cutting off net access entirely, why not provide a means to actually fix the problem instead of alienating their customers?
why not (say) decrease the dhcp lease time from whatever to an hour or so. when whatever mechanism they're using to detect spam/whatever infection (hope to god they're not just listening for smtp traffic, that'd be evil but sadly likely) goes off, it would tell the cable modem ot use a different config which would then allow the user to get a different dhcp lease. this lease would set their router to something different, which would then pipe a single page to the user - similar to what many universities install for when users try and access pr0n or something like that from a school computer.
some mechanism ('m not familiar with routing protocols unfortunately) would then be provided to drop all traffic at the router except for http traffic through a specific gateway, possibly to specific hosts such as mcaffee, symantec, windowsupdate.microsoft.com, and the vairous other free virus and malware scanning packages.
This is a bit more complex, but surely it's possible - I've seen and/or read about all the various mechanisms I mentioned above.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I administer a large DSL/dialup userbase and I monitor upstream bandwidth as much as I can. If I notice a DSL customer that has 100% of their upstream bandwidth used I usually check the traffic to see if its email. I will notify the customer and give them a day or two to rectify the problem. If the problem is not fixed within 48 hours I will disable that PVC which will effectively drop sync from the users modem. When the customer comes home, they are now forced to fix the problem. I try to explain to them as politely as possible that they are contributing to the junk mail problem that they are always complaining about and that we had to disable their connection to prevent this. Most people understand and the lack of internet connection gives them the initiative to get up and go purchase some AV software and to run Spybot or some similar program. They phone back once their computer is clean and I turn the circuit back on.
You create your own reality - Leave mine to me.
Sooner or later, mail admins, the target will be you. Today, it's the "clueless" home user. Tomorrow, it will be the clueless admin at a small company. In the end it will be everyone but AOL/M$N/McDisneyNet.
All praise for Comcast. Comcast's actions will make blocking their clients redundant. This makes it so you won't, in the future, need a license to send email. As a cable subscriber, I want the ability to send my own mail, encrypted, by direct connection, just like IM can, thank you.
Doing things the other way fragments the net and sets up 99% of the world's "mail admins" for being fired because their company lost it's license to email.
Friends don't help friends install M$ junk.
You ask why we don't like bandwidth limits and like automatically triggered cut offs, like the two are equal. I don't mind bandwidth limits as long as they are clear, since you pay for your usage, if you use more, you pay. You're generally not pestering other people when you use more and the burden falls on you as well.
With cut offs it is different. An infected machine is a pain to the entire internet community except (often) the person whose machine got infected. If such a machine gets blocked from the internet, the community benefits and the burden is returned to the owner of the machine. It is all about who carries the burden of the unprotected machine.
Now I do have some experience in working with cut offs, since helped run a campus network when I was a student. Abusers of the network, be they bandwidth hoggers or unprotected systems could get kicked of the network if they didn't update their behaviour. It had in general a good effect on the behaviour of people.
When you do a cut off I would love to see a proper implementation of it. That would mean that a persons connection is not cut off outright, but that only certain services will be available for instance on a private, non-routable subnet. In this way the luser can get the updates nescessary, will be automagically guided through the right steps and then once a scan is done of the system released onto the wild internet again. This doesn't require much human assistance.
As a side note I would also like to mention that I wouldn't mind filtering of users connections for instance on port 25 as long as the user him/herself can disable that feature too... It would be like the speedlimiter on cars which limit them to 250km/h. You can remove it and go faster, but for most people 250 is good enough.
Use Adsense for Charity
I'm one of the sysadmins for a company with a large number of remote employees. Recently, one called me saying Comcast told them they had a trojan. Well, I couldn't fly out to look at the laptop and the employee couldn't exactly just send the computer and work from nothing. I had this person seek local help, and after several attempts Comcast still shut down internet service.
I understand that techies across the world think this is super-fantabulous, but this is horrendous for the average end-user. Comcast doesn't (I will refrain from saying can't or won't) say what a user's system is infected with, or what exactly it's doing...just that there's some "illicit traffic" coming from that IP. That's great, now how am I supposed to diagnose the problem? It wouldn't be that difficult if the machine were in front of me, but how to I walk Mary End User through complicated tasks over the phone while she's already frustrated? If Comcast were doing more - i.e. they told you what the problem was and the steps you can take to remedy it - I would be more supportive of this. As it stands, it's just going to make a lot of end-users get cheated by shady local PC repair places while they get the run-around from fifteen different vendors. Make jokes about virus scans all you want, but nothing is fool-proof...and since any fool is equipped with a computer these days, infections will happen and malicious attacks will succeed. So +1 to Comcast for taking some initiative, and -2 for crappy execution and not giving half as much of a flying foo as they'd leave their customers to believe.
This is a very bad idea! The best source for antivirus and spyware-removal software is on the internet. To me, it looks like they're burring the problem instead of fixing it.
Now, here's my humble suggestion for a better solution. If a PC is identified as a compromised machine, it's added to a pool of machines that all gets a special IP and special DNS servers (I assume they run DHCP - if they don't they should). Now, the new DNS servers resolve all addresses to a special page dedicated to downloading anti-spyware and virus checkers. Maybe even an online scanner like housecall. So, when Joe Luser fires up his web browser, he reaches this page no matter what he types. Once he's machine is cleaned, he will be removed from the compromised pool.
Underholdning.info
I have a suggestion.
Write up a small business plan based around these knocked-off-the-network infected PCs.
You can charge "$50 + travel fees. Usually under $100" to clean their computer, and get them back online. Yeah. It's a fee, and many people wont be happy about paying it. But, at the same time, it'll teach them a lesson about security on their pc. If they dont want to pay it again, theyll have to do their own security stuff.
You see politics, I see opportunity.
The only real trick to this would be streamlining with comcast, which is next to impossible.
no
Don't you mean swap about 3 dells for 1 mac? :-P
I sent one here.
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
this last round of worms came in an email that pretty much said exactly that.
"Hi, I'm the admin from [YourISP]. We think you have a virus. Please run the attached program, and blah blah blah."
The next round will have something like "Please type in [EvilURL].com and run the 'virus remover' you see there."
How is Joe Averages' Grandma supposed to tell the difference?
"I couldn't fly out to look at the laptop and the employee couldn't exactly just send the computer and work from nothing. I had this person seek local help, and after several attempts Comcast still shut down internet service....this is horrendous for the average end-user." What's horrendous for the end user you speak of is not that Comcast acted responsibly by cutting off a spam zombie's access, but that your IT department has not provided adequate support for remote users.
My other machine is a lever.
Comcast is, hands down, the largest spam source of the Internet with approximately 640 million messages every day. Personally, 25% of the spam I receive comes from the Comcast network. Of course, users are unaware that the latest virus has turned their computer into an open proxy sending millions of messages every day. I hope other major ISPs such as Road Runner (180 million), AT&T (150 million), and AOL (140 million) follow suit, and disconnect open proxies and zombies when they are found.
> Recently, one called me saying Comcast told them they had a trojan. ... and a bit further on ...
> Comcast doesn't (I will refrain from saying can't or won't) say what a user's system is infected with, or what exactly it's doing...just that there's some "illicit traffic" coming from that IP.
It might be me but it seems you are contradicting yourself here.
Maybe they are not sayign what trojan it is infected with, could be.
Matter of fact is however that if Comcasts cuttign of the connection affected your business in this specific case, you have a huge problem. Why? Because you were obviously intending to let this user work with a trojaned PC. Have you any clue whatsoever what that means?
No, if you had a business user there on the other end, Comcast may actually have saved you from breach of security and intergity of your company, and possible liability for damage done by this infected PC.
That said, of course it is possible to do this a lot better then Comcast do.
I work in the Network Operations Center for an ISP in the midwest. Trying to police these types of things isn't near as easy as you would think. We are considered a "mid-sized" ISP with around 15,000 customers. Unless we happen to notice an increase in traffic from one of the customers, it's not easy to catch when a user's PC is infected with one of these worms. With the increasing amount of Spam out there, and the fact that the average internet user can't figure out how to dig through the headers to find out for sure where an email originated, we just don't get hear about our users "spamming". When a case is brought to our attention, either through a complaint or by us noticing the increased mail traffic from a user, we immediately take action to get the problem resolved. However even with a properly documented abuse address, we just don't get feedback. There have been at least three different occasions when the first feedback we had that one of our users was "spamming" was when another ISP blocked mail coming from our IP's. We can't track the infected users down if we don't know about them...
To err is human, but to really foul things up requires a computer
same situation with a neighbor... I cleaned Mydoom, Netsky, and Beagle (the J variant) out of his computer... his computer was slower and more unstable than usual, so he asked me to look at it for him (it's a win98 box... 'nuff said).
I've already set them up with a good firewall... controlling what they do with their Email attachments is a bit more problematic.
I support cutting off accounts for abuse, whether intentional or simply clueless/negligent. Hell, I'd be delighted if somebody warned me that something was up with my connection, for a couple of reasons. One: I have more than a passing interest in net security, so if my box just got pwned, I want to know about it, including how they did it. Two: I try to be a good netizen, and just like I'd expect one of my neighbors to call me if he noticed my house was on fire, I'd hope somebody would tell me if I was polluting the 'net.
This is comcast doing the user and their fellows a favor.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
A few weeks ago, I got a warning from RR saying "you are doing a DDOS attack and are probably infected with a trojan"
Considering a) I'm running Linux and b) I do forensics on trojans at work, I'm not going to be infected.
I checked my wife's box which was Windows at the time, and it was clean. I checked mine and it was clean.
A little more digging and the "attack" comes down to SpamAssassin. Anyone who was running SpamAssassin or MailWasher got these warnings because RR couldn't manage their freaking DNS servers correctly.
I for one do not want to get cut off because of the incompetence of the ISP.
The problem here is that Comcast is doing shutting down people's connections with no recourse to find out why or to re-enable it.
I received an email and an automated phone call from Comcast stating that I had an infected computer and I must clean it up. I was immediately pleased that they noticed, but frustrated that I could be infected. 5 PCs with varying OSs, all with firewalls and/or antivirus software, so I thought it was unlikely but possible. After doing a full scan I found no viruses.
So I called Comcast's 800 number. They said I need to call a different long-distance number. That number is an automated system with nothing but dead ends. If I select the option about "Viruses and spam emails" then it tells me to email abuse at comcast.net if I get a bad email. But I don't want to report a spam, I received a report. All the options did approximately the same thing: Told me something I already know then hung up. Several calls later, I used the "leave a message" option. A week goes by and I received no call back. I replied to the email but received no response. Nobody on the service number would talk to me about it.
So I receive another email telling me that my service may be disabled if I don't fix the problem. So what do I do now?
To top it off, this isn't the first time. About 8 months ago, Comcast calle and told me I was reported for sending spam. When the read me part of the SpamCop report (which they refused to do many times) it turned out to be a SpamCop report that my roommate made! We _reported_ the spam, we didn't _send_ it! After much arguing, the guy finally got it and left us alone. Mistakes happen, but what irks me the most is that they wanted to tell me I sent a spam, and make sure I corrected my behavior, but refused to tell me the source of the report, or what the email was, or when it was sent, or anything!
Below is the email Comcast sent me. It looks like a form email, with no specific statement about what went wrong.
But, users are dumb, and I'll agree with that. Last summer when the blaster worm came out, we emailed out customers ahead of time telling them they need to download the microsoft patch.
On top of that, the Microsoft Windows Update popup that comes up by default, once a week, users still continue to ignore it because they don't know what it does.
Personally, I'd like to see more type of this internet policing by ISP's. They should also be blocking people who have open SMB shares on their Windows Networks. I cant count the number of times I've purposely went in Someones SMB share and dropped a text file telling them how to fix it.
I, however, disagree with the Government policing of the internet. I believe the internet should be policed by the people who pay for it to be there. That would be us and the ISP's
It's a reference to the Blues Brothers, one of the greatest movies ever made. If you haven't seen it then you just don't understand the blues.
Jake: "Hey what's goin' on?"
Cop: "Oh those bums won their court case so they're marching today"
Jake: "What bums?"
Cop: "The fucking Nazi party!"
Jake: "Illinois Nazis"
Elwood: "I hate Illinois Nazis!"
Maybe we DID take the blue pill. You wouldn't remember anyway.
A few minutes before I found this thread today I received an automated message from lafn.org. In that message it stated very clearly that it was an automated process that was blacklisting a /24 around a machine on one of our dialup netblocks that was caught sending mail to one of their spamtraps. That user is of course infected as are probably 50% IF NOT MORE of our customers. Our customers, no matter how big they are, no matter how big a customer they *think* they are, no matter what service they pay for have the right to cause 252 other customers at any given moment to be blacklisted. If they think they are that important then we sure as hell don't need them as a customer.
If comcast are going to cut people off they need to offer people a CD with the fixes on it. Informing someone they have a virus and then cutting them off from the means of downloading a new signature file is irresponsible.
It's not comcast's responsibility to provide patches. Are they going to support OSX, Debian, RH, Win98, win2K, winxP, os/2, Xbox, etc.? How often do they need to release this CD, every day? No. That's insane. You are not thinking this through.
If you get your machine compromised because you are too lazy to keep it updated, run AV or a firewall, it's YOUR problem. Not Comcast's. If they cut you off, you are going to have to get off your ass and visit a computer store, friend, or get dialup somewhere to get patches. After all, how long should they wait for you to get your machine fixed before cutting you off? 24 hours? 48? a week? Your system can inflict massive damage on others in just a few minutes. They need to cut you off ASAP.
Comcast is selling INTERNET CONNECTIVITY, not OS support. If you need OS support, you need to go elsewhere. I don't want MY rates to go up to pay for support personel troubleshooting clueless people's virus problems.
Exactly. Every machine I own or work (except where workplace policy prohibits) on has UltraVNC server installed. On some of them, I've never used it, but as a minimum it's always there. It's been a really rare situation where one of these machines can't be accessible.
For machines where it might be a security problem to have it accessible, I also install OpenSSH (yes, even on Windows) and only allow VNC connections from localhost via port forwarding.
Basically, if a machine is company-owned, it should already be locked down as far as firewall and virus protection goes and if that machine is roaming the world, it should also have some way to remotely administer it.
The Glass is Too Big: My Take on Things
Magnitude 6 = 1 million emails/day
No, Earthlink will not unblock your port 25 if you call and threaten to drop -- and this is a Good thing. Allowing open port 25 on consumer (and most other classes of users too) is a BAD thing. I believe that if all dialup and broadband consumer users had port 25 blocked that it would stop almost all viruses that are spread via email. Tough titties if somebody doesn't want to use their ISP's mail server -- I don't want to drive 55 either.
... to get the new virus definitions from where exactly? What are they expecting people to do call symantic and have them snail mail them a floppy. Why don't they do the responsible thing, and partner with someone like sophos, and have free virus software as part of their install/update procedure.
That's like in Britten when they used to put paupers in jail for not paying their taxes. Not a lot of people got a lot of high paying jobs in prison, so they never paid the taxes.
RandomAndInteresting.comdefending the world from stupidity since 1979
Back when I was a clueless newbie, years ago, I set up a server, innocently leaving it as an open relay (this was the base configuration for Sendmail at that time). Within a few weeks, I got irate messages from people being spammed, some of whom, fortunately, included an informative snippet from one of the blackhole servers that told me what the problem was. I secured my servers, and I have learned to periodically check the open relay testers when I do reconfiguration (to make sure I didn't miss anything).
What most cable modem people don't realize when they connect to a broadband line is that every one of them is potentially a server, capable of spewing all kinds of crap. They see a machine on their desk, not really grokking its connectedness to the rest of the world, and that that connectedness is a two-way street.
As for rights, it's no different from using the public highways, except that the possible consequence to the public of ignorance is only monetary, not fatal. If they won't take the responsibility to educate themselves, then somebody else has to do it for them, or "take them off the road."
While cleaning up my spam traps this morning, about 1/3 of it was from attbi.com and comcast.com. They need to climb down the ladder a ways, and start looking seriously at those who are only sending out maybe 10,000 emails a day. It should be easy to identify and whitelist those who are legitimately running very busy mailing lists, and detect which are unwitting spam fountains.
I'm a Comcast subscriber and a supporter of DShield, so I have a pretty good idea of the problems at Comcast and I'm glad to see Comcast getting more aggressive about stomping infected machines.
However, SenderBase says Yahoo's 6 MTA's are all in the top 10 senders of e-mail. Only XO Communications and thehdhd.com out-send them. thehdhd.com (at #6) seems to be openly dedicated to producing spam.
So, when will Yahoo clean up its act? Is it even possible for them to take the same kind of stance that Comcast is?
You omitted an option. 2.5: peer policing. Other networks deciding they're not going to put up with your sh*t and drop your packets. Viz: SPEWS, SpamCop, Spamhaus, etc.
SPEWS listed over 9 million Comcast IP addresses a few weeks ago due to ongoing mishandling of network abuse (the entry reads "Poster child of how not to run a broadband network company". This may have had some impact.
I've been going rounds myself with an indivdual manning a /16 for which no postmaster or abuse record exists, and IP WHOIS contacts fail. He still doesn't seem to understand just why this is a problem. However several of the issues were cleared up after customer mail started being blocked by sites referencing RFC-Ignorant.
What part of "gestalt" don't you understand?
Comcast certainly isn't the only ISP doing this and newer viruses/spam trojans are starting to show a trend that spammers are aware that they will be disconnected if they are obvious in their spamming behaviour. So instead of a lot of messages from a lot of machines all at once, it's a lot of machines sending a bit of mail at a constant steady rate but low enough to stay under the radar.
Brian Seppanen
Minister of Information and Propaganda
Area 54 The Secret Government Disco Labs Provo
I work tech support for a major cable ISP and my employer, at least DOES police it's customers (albeit with a light hand). There are four basic ways an account gets disabled or throttled. (aside from the obvious non-payment) 1. an e-mail account attempts to send more than a certain, but undisclosed, number of e-mails within a 12 hour period. result : smtp server rejects all further e-mails from source for 24 hours. 2. infected e-mails are traced back to a customers computer. result: customer given a warning e-mail from the security dept and a very short deadline. failure to get cleaned results in ALL internet access being disabled 3. if a customer keeps maxing out bandwidth, the local office has the choice of either dialing down the access or disabling the modem completely 4. if a technician spots the fact that a customers modem is not using a bin file appropriate to the account. ( a fact which can be scanned for automatically with DOCSIS 2.0 compliant modems) When the ISP decides to disable an account, the most common way is indeed to send an updated disabled.bin file to the modem, however, it is possible to "de-provision" a modem. Essentially, the CMTS at the headend gets told that the MAC ID does not have permission to get on the network. One final note, most DOCSIS 2.0 compliant modems, will NOT accept a updated .bin file from the ethernet side....
I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj