Comcast Thinks About Stopping Zombies
LehiNephi writes "Comcast has finally admitted that its users are responsible for a large amount of spam, and they are thinking about how to stop it. Apparently they haven't been turning a blind eye to the problem after all. The simple, blanket approach of blocking all traffic on port 25 would have too many side effects, particularly for users running their own mail servers. However, they can block that port on individual cable modems-a sort of surgical strike. As far as I'm concerned, the sooner they implement this, the better!"
Comcast cable modem customers aren't allowed to run mail servers anyway, so I doubt the side-effects would bother them
This clearly violates the right to maintain your own SCO-attack zombie.
All I can say is "It's about damn time!"
All they need to do is to restrict SMTP outbound connections to their own mailservers. Forcing traffic through their own machines will quickly point out who the abusers are, and they can likewise filter for viruses and worms preventing propagation.
I think it's a good idea. But why stop there? Disconnect the zombies until they fix the problem on their computer.
Had a user come into our help channel last night, unable to send email through his account with us since that morning (yesterday Sun 05/23) and I confirmed the server was working fine so I had him telnet to port 25 - no luck, had him telnet to port 25 on the server I use for email - no dice, had him use port 2525 - SMTP connection opened up fine.
He was using comcast for his cable modem. Said it just started that day.
We accept incoming smtp on port 2525 also since my OWN isp at home blocks port 25 (knology) so I have to use 2525 to send email through my company email server myself.
--- www.f-theocean.com
There's a real easy way to tell the difference between a zombie and somebody running a home mail server...
The zombie will be sending an insane number of e-mails to an insane number of users constantly. No home mail server should be used to run a listserve with anything more than a hundred people or so. Therefore, bursts of port 25 are okay, camping on port 25 is a sign of trouble.
Is there an easy way to tell if your own computer is a zombie spambot?
What if they had a *simple* process for registering your mail server with them? 5 minutes, maybe $20 and that's it?
People who run their own mail servers are control freaks and had better be technically minded enough to call the Admins at Comcast in order to register their mail server.
Otherwise, who'd notice or care?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
"We're the biggest spammer on the Internet," network engineer Sean Lutner said at a meeting of an antispam working group in Washington, D.C., last week.
Seconds later, bangs, thrashes, and pleads for mercy in a very Lutner-like voice could be heard from outside the conference room.
The coolest voice ever.
who says you have to use port 25 to run a mail server? wouldn't a spammer use a less obvious port?
He makes a good point
As a mail admin stop the shit yourself.
:-)
Ban - client.comcast.net, and client2.comcast.net
Since the spammers can't forge the reverse DNS on the IP you can trust your blocking Comcast's dynamic ranges. Their business customers are not on any of the IPs that reverse to client.comcast.net or client1.comcast.net, and residential customers in the blocked dynamic ranges can relay mail to you through comcast's mail servers like they are supposed to.
There is absolutely no reason in this day and age of spam to run a legit mail server off of a dynamic IP address.
Incoming mail servers are arguable, though not allowed in Comcast's EULA, but outgoing- I can't think of a single good reason why a user needs to run their own outgoing mail server and not relay through the Comcast server.
Yes, the Comcast tech support people are complete morons, I'm a Comcast subscriber myself. I hate them too, but I can't think of a good reason to allow outbound port 25 mail. One could possibly make an argument about authenticated SMTP relays with silliness like POP before relay, but IMHO such systems are broken (and I've used them- I should know). It's better to use SASL and encrypt the whole thing.
When Comcast starts monitoring individual users though- I do get more than a little concerned.
nyuk nyuk
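The rDNS-based ban described in the post above, as an added example that is not part of the original thread. The PTR and A tables are constructed stand-ins for DNS, the hostname pattern is the one the post names (it also covers client1/client2), and one caveat a mail admin would want is built in: whoever controls the PTR zone for a netblock can publish any name there, so the name is forward-confirmed before it is trusted, and clients whose PTR does not confirm are treated the same as clients with no PTR (a policy choice, not something the post specifies).

```python
"""Reject SMTP clients that sit on residential dynamic ranges, keyed on reverse DNS.

Added example, not from the original post. The resolver tables are constructed.
"""
import re
from ipaddress import ip_address

# Constructed PTR (reverse) and A (forward) records.
PTR = {
    "203.0.113.10": "c-203-0-113-10.client.comcast.net",   # genuine dynamic customer
    "203.0.113.11": "c-203-0-113-11.client.comcast.net",   # PTR does not resolve back
    "203.0.113.20": "mail.example.com",                     # a legitimate MX
    "203.0.113.30": None,                                   # no PTR at all
}
A = {
    "c-203-0-113-10.client.comcast.net": ["203.0.113.10"],
    "c-203-0-113-11.client.comcast.net": ["198.51.100.7"],
    "mail.example.com": ["203.0.113.20"],
}

# Matches client.comcast.net, client1.comcast.net, client2.comcast.net, ...
DYNAMIC_RDNS = [re.compile(r"\.client\d*\.comcast\.net$", re.IGNORECASE)]


def lookup_ptr(ip):
    return PTR.get(ip)


def lookup_a(name):
    return A.get(name, [])


def fcrdns(ip, ptr=lookup_ptr, fwd=lookup_a):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to `ip`.

    The owner of the reverse zone can put any name in a PTR record, so the
    name is only trusted once the forward lookup points back at the client.
    """
    name = ptr(ip)
    if name and ip in fwd(name):
        return name
    return None


def smtp_client_decision(ip, ptr=lookup_ptr, fwd=lookup_a):
    """Return ("accept" | "reject", reason) for a connecting SMTP client."""
    ip_address(ip)  # raises on garbage input
    name = ptr(ip)
    if name is None:
        return "reject", "no reverse DNS"
    confirmed = fcrdns(ip, ptr, fwd)
    if confirmed is None:
        return "reject", f"reverse DNS {name} is not forward-confirmed"
    for pat in DYNAMIC_RDNS:
        if pat.search(confirmed):
            return "reject", f"{confirmed} is a dynamic range; relay through your ISP's server"
    return "accept", confirmed


if __name__ == "__main__":
    for client in PTR:
        print(client, *smtp_client_decision(client))
```

In Postfix the same policy is expressed with `reject_unknown_reverse_client_hostname` plus a `check_reverse_client_hostname_access` regexp map in `smtpd_client_restrictions`; the function above is the logic those restrictions apply.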
I say the best way to stop spammers is to post their home addresses to the public, that way we know where they live >=). Ahh, yes. Yes, excellent idea.
However, they can block that port on individual cable modems-a sort of surgical strike.
Bit like Whack-A-Mole, then?
The coolest voice ever.
Why don't they block it on ALL cable modems and let people unblock it if they wish? The majority of users who go through the trouble to unblock it are going to run secure machines. Even if they don't, it's going to reduce the number of spam bots.
And they won't have the privacy advocates all over them...
Drop the users. Stop the problem
Won't someone please think of the zombie child processes?
Yeah because spammers aren't known for finding other ways. Hell most of these cases are because people installed something. You don't think that would happen on any other OS? Get rid of users and the spam problem will stop.
DSLExtreme out here in California blocks port 25 natively across the board.
they have a registration webserver you can use to whitelist your account/address for such purposes, and monitor port 25 to make sure that you're not all about the open relay after being opened up.
why can't comcast do the same? doesn't seem that difficult to me.
better yet, why can't people patch their damn servers. if you're running an open relay, i say you're fair game. not to mention violating the draconian ToS of a massive media conglomerate. no thanks.
rawr.
There is actually an 'official' alternate port for this purpose. See:
http://www.ietf.org/rfc/rfc2476.txt
According to slashdot it breaks down something like this:
1. If your running Windows it is a spambot that is not only spamming everyone but it is also responsible for all the evil the world.
2. If your running Linux it is fairly secure and have too much time on your hands.
3. If your running Mac it is fairly secure and you like pretty colors.
4. If your running BSD your invisible and a l33t hax0r.
5. If your running Gentoo your a zealot! Hooray for the zealots!
If the block outgoing port 25, but not incoming, then it shouldn't mess up people who are running their own mail servers, provided they configure them to use the ISP's mail server as a relay. That's how the whole system was originally supposed to work in the pre-spam days, anyway.
On the other hand, there's no need to block incoming port 25 unless they're afraid of people running unsecured open relays. Fortunately, that's rarely the case, right? Or are the virus zombies really turned into raw open relays? I'm under the impression that they're controlled more directly, presumably through some different port.
...they're concerned about having adverse effects on people running mail servers???? I could have sworn we weren't allowed to run any type of server (HTTPd, IRCd, anything) through their connections. My friend runs a HTTP server through his, but I've never run one through mine for more than a day at a time, being the good customer I am.
It always seemed to me that if they didn't want people hosting servers, they'd block the ports from the beginning. Don't get me wrong though, I'm glad to see they're finally cracking down on spam, and I'm glad they're not going to just block port 25. Maybe Comcast isn't as horrible as everyone says they are.
Unfortunately Comcast won't [i]actually[/i] do anything about it. Go look at their corporate information page sometime. The Umbrella Corporation is their largest stockholder :(
We in the anti-spam community have been yelling this for a while. Since early 2004, most spam is sent through unwitting zombies (compromised Windows hosts) that are remotely controlled spam bots. This is not just an open relay issue. These hosts are hacked in an automated fashion and loaded with spamming software.
Now obviously, there's a lot an ISP can do about this and it doesn't have to be as drastic as blocking port 25 outright. Users which generate suspicious amounts of TCP port 25 traffic could be reassigned IP addresses from a probation-class pool. That is, hosts within that netblock might not be allowed to make port 25 connections, or might be advertised to the world as block-on-sight.
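The rate-based triage argued for earlier in the thread (bursts of port 25 are fine, camping on it is not) and the probation-pool idea in the post above, as one added example that is not part of the original thread. Input is a constructed list of flow records of the kind a NetFlow export or a conntrack log would give an ISP; the thresholds and the probation pool (100.64.0.0/24) are illustrative choices, not anything Comcast or the posters specified.

```python
"""Rate-based triage of outbound port-25 senders: burst vs. camping.

Added example, not from the original thread. Flow data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    ts: int     # seconds since epoch
    src: str    # customer host
    dst: str    # remote host
    dport: int  # destination TCP port


def sample_flows():
    """Constructed traffic: one home mail server, one zombie, one unrelated flow."""
    flows = []
    # Home server: 12 deliveries to 5 remote MXes within two minutes (a burst).
    for i in range(12):
        flows.append(Flow(1000 + i * 10, "10.0.0.5", f"192.0.2.{i % 5 + 1}", 25))
    # Zombie: one connection every 12 s to 200 distinct hosts for an hour (camping).
    for i in range(300):
        flows.append(Flow(1000 + i * 12, "10.0.0.9", f"198.51.100.{i % 200 + 1}", 25))
    flows.append(Flow(1000, "10.0.0.5", "192.0.2.1", 443))  # HTTPS, ignored
    return flows


def classify_sources(flows, window=600, max_conns=60, max_distinct=20, max_windows=3):
    """Return {src: (verdict, reasons)} where verdict is "ok" or "probation".

    A source is flagged if, in any `window`-second slice, it opens more than
    `max_conns` port-25 connections or talks to more than `max_distinct`
    destinations, or if it keeps sending across more than `max_windows` slices.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == 25:
            by_src[f.src].append(f)
    verdicts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        start = fl[0].ts
        slices = defaultdict(list)
        for f in fl:
            slices[(f.ts - start) // window].append(f)
        reasons = []
        for idx, sl in sorted(slices.items()):
            if len(sl) > max_conns:
                reasons.append(f"{len(sl)} port-25 connections in slice {idx}")
            distinct = len({f.dst for f in sl})
            if distinct > max_distinct:
                reasons.append(f"{distinct} distinct destinations in slice {idx}")
        if len(slices) > max_windows:
            reasons.append(f"sending across {len(slices)} slices of {window}s")
        verdicts[src] = ("probation", reasons) if reasons else ("ok", [])
    return verdicts


def probation_assignments(verdicts, pool="100.64.0.0/24"):
    """Hand each flagged source an address from the probation pool (illustrative)."""
    hosts = ip_network(pool).hosts()
    flagged = sorted(src for src, (v, _) in verdicts.items() if v == "probation")
    return {src: str(next(hosts)) for src in flagged}


if __name__ == "__main__":
    v = classify_sources(sample_flows())
    for src, (verdict, reasons) in sorted(v.items()):
        print(src, verdict, "; ".join(reasons))
    print(probation_assignments(v))
```

The distinct-destination count does most of the work: a home server delivering a mailing to a few hundred people talks to a few dozen MXes in a burst and goes quiet, whereas a zombie keeps opening new destinations slice after slice.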
Nah, we love having even the tiniest amount of usability. (I'm assuming parent was a Linux troll.)
I meta-mod all positive moderation Unfair, because it's abuse of the system.
2. If your running Linux it is fairly secure and have too much time on your hands.
:)
I'm running linux and I have no idea WHAT to secure. yay for newb linux users
Just like squid proxying, why not redirect port 25 transparently to a Comcast mail proxy. This proxy could queue mail and essentially throttle outgoing mail or reject if spam is detected.
But imagine if you administrate a beowulf cluster...then you must be able to fly/leap tall buildings in a single bound or something similar.
The area you're referring to is
For example, take a look at this quote, which makes my browser's caching of Slashdot's GNAA posts illegal:
Try reading this one: Subscriber Agreement. This section, in particular, gives Comcast permission to view any information transmitted over the network from or to you: Section 9's cool too. It says that you waive the right to sue them in a real court, but instead will have a hearing before a "neutral arbitrator". Anyhow, you should read all that stuff. Some of it's absolutely unique.
If I don't get modded up for this, I'll be amazed
My Systems
Should we also surgically break the legs of everyone who walks around passing flyers out ?
GoatPigSheep, the 3 most important food groups
I have two primary requirements for an ISP. (1) must not block any ports for any reason. (2) must provide at least one static IP.
AOL blocks game ports, so they can charge you $5 more per month for opening the ports. They were one of the first to change the role of ISP from utility to controlled collector of optimal revenue. I have for at least 5 years told everyone to get rid of AOL. Unfortunately, today, people have come to accept the idea that it's ok for an ISP to block ports.
As for the zombies, the ISPs should try:
Open Standards Portal
Just make sure to stock up on green herbs and shotgun ammo. Don't forget to burn those corpses either!
"... Comcast's network engineers would like to be more aggressive. But the marketing department shot down a ban on port 25 because of its circa $58 million price tag--so high partially because some subscribers would have to be told how to reconfigure their mail programs to point at Comcast's servers, and each phone call to the help desk costs $9."
It's interesting how such a simple technical change can wind up costing so much money. It's amazing how such small, seemingly innocent details add up to be monstrous problems!
"You shot the zombie flanders!"
"He was a zombie?"
What did the vegetarian zombie say?
"Graaiiiinnnnsssss"
http://www.brains4zombies.com
Old unix hackers don't die, they just turn into zombie processes.
I'm sure I'm missing a ton.
no
This is really a dumb idea because you can send mail on any port you want. The packets don't even need to be assembled until they reach their destination. The only solution is to certify mail servers. Any server caught sending spam is responsible on the certified network.
Is it so hard for all the "private mailserver users" to register, just click "please unlock port 25 for my IP" while all the rest is blocked?
ISP's can do something about this. We currently call every customer we get a complaint about (almost always through spamcop) and have them run windows update and anti-virus scans. It's a 5-10 minute call and, luckily enough, not only does it get rid of viruses but the customers always thank you because their computer had - inevitably - been running slow.
Comcast, and the other mega-ISP's, simply don't want to bother with something like this unfortunately.
I've seen some different approaches to block mail.
The one my ISP (a University) uses is to block any incoming tcp connection with dst port 25. This stops spammers from using any badly configured mail server as a relay. I can still use any mail server I want to send mails though, I can even run one of my own. What I can't do is handle incoming emails for my own domain. They also monitor how much mail is sent, and if your computer seems to send out "too much" mail, you'll get an email from the sysadmins asking you to explain what's up.
The other approach I've seen used by xDSL providers here is to block any outgoing connections to dst port 25. This way you could run your own mail server for your domain, but you must relay all sent email through the ISP's smtp server.
I think both solutions offer some protection against spammers, without putting too many restrictions on the users. Not sure which one is most effective though, if any.
...was quoted as saying, "Just shoot them in the head! Then burn them!"
I hope he's referring to the idiot Windows users who don't secure their machines!
By default, the ISP should block inbound ports. All of them. The user should be able to selectively disable the blocking on individual ports through their account management page. Why is this not done? It's so simple!
Research has shown that stopping zombies requires blowing their brains out. It's them or you, so don't hesitate. BTW, more recent research suggests that the FZVA is a front for the vampires, so you're on your own when you stake 'em and bake 'em. We've got a SOLASER to destroy the biters, but the shamblers still require brute force.
--
make install -not war
Doesn't every ISP known to man block port 25? Why does Comcast think that they are special? Wouldn't Cox, and others get a lot of calls too?
:(
Port 25 blocking is a common sense way to block lots of spam. Comcast is responsible for making the net a bad place for the rest of us with this policy.
A landmine system would be relatively easy to implement - you set up a few hundred landmines and block any customer IP who sends a spam to a landmine. It's similar to honeypots, although you treat the accounts like mines where even a single email will get an address temporarily blacklisted. Once blacklisted, you can shut off port 25 for that IP, disconnect their session for 30 minutes, or do whatever you want. The Streamlined Blackhole List server could be used to create a landmine database with a spread of 1 to instantly identify new hosts.
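The landmine scheme in the post above, as an added example that is not part of the original post. The trap addresses, the Postfix-style smtpd log lines and the 30-minute TTL are all constructed for illustration; the trap recipients are assumed to be configured to reject with a 550 (a recipient access map does that), which is what makes the client's IP appear on a single log line together with the landmine address.

```python
"""Spam-trap ("landmine") addresses with a temporary per-IP blacklist.

Added example, not from the original post. Log lines and addresses are constructed.
"""
import re
import time

LANDMINES = {"quota-update@example.net", "sales-archive@example.net"}

# Constructed smtpd log lines. Two of the 550 rejects are RCPTs to landmines,
# the third is an ordinary bad recipient and must not trigger anything.
SAMPLE_LOG = """\
May 24 03:12:01 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from c-203-0-113-50.client.comcast.net[203.0.113.50]: 550 5.1.1 <quota-update@example.net>: Recipient address rejected; from=<promo@spam.example> to=<quota-update@example.net> proto=ESMTP helo=<pc>
May 24 03:12:05 mx1 postfix/smtpd[1202]: 4F2A1C3: client=mail.example.com[203.0.113.20]
May 24 03:12:06 mx1 postfix/qmgr[900]: 4F2A1C3: from=<bob@example.com>, size=1200, nrcpt=1 (queue active)
May 24 03:13:40 mx1 postfix/smtpd[1203]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 550 5.1.1 <sales-archive@example.net>: Recipient address rejected; from=<a@b.example> to=<sales-archive@example.net> proto=SMTP helo=<mail>
May 24 03:14:02 mx1 postfix/smtpd[1204]: NOQUEUE: reject: RCPT from unknown[198.51.100.78]: 550 5.1.1 <nobody@example.net>: Recipient address rejected; from=<c@d.example> to=<nobody@example.net> proto=SMTP helo=<mail>
"""

RCPT_RE = re.compile(r"RCPT from (?P<host>\S+?)\[(?P<ip>[0-9.]+)\].*?to=<(?P<rcpt>[^>]+)>")


class Blacklist:
    """IP -> expiry time; `clock` is injectable so expiry is testable."""

    def __init__(self, ttl=1800, clock=time.monotonic):
        self.ttl, self.clock, self._until = ttl, clock, {}

    def add(self, ip):
        self._until[ip] = self.clock() + self.ttl

    def is_listed(self, ip):
        until = self._until.get(ip)
        if until is None:
            return False
        if until <= self.clock():
            del self._until[ip]  # lazy expiry
            return False
        return True

    def active(self):
        return sorted(ip for ip in list(self._until) if self.is_listed(ip))


def process_log(lines, blacklist, landmines=LANDMINES):
    """Blacklist every client IP that addresses a landmine; return the hits."""
    hits = []
    for line in lines:
        m = RCPT_RE.search(line)
        if m and m.group("rcpt").lower() in landmines:
            blacklist.add(m.group("ip"))
            hits.append((m.group("ip"), m.group("rcpt")))
    return hits


def port25_block_rules(blacklist):
    """Edge-firewall actions for the currently listed IPs (one way to 'shut off port 25')."""
    return [f"iptables -I FORWARD -s {ip} -p tcp --dport 25 -j REJECT"
            for ip in blacklist.active()]


if __name__ == "__main__":
    bl = Blacklist()
    print(process_log(SAMPLE_LOG.splitlines(), bl))
    print("\n".join(port25_block_rules(bl)))
```

A single hit is enough because nothing legitimate ever sends to a landmine address; the only thing to tune is the TTL, and whether the listing also feeds a DNSBL as the post suggests.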
It took me three days to figure out why I couldn't connect to my domain server (which is hosted by my ISP).
Much as I disliked the idea, if Cox did it then Comcast should, too. If anything that would take care of about 90% of all the zombies. The ones in the business customer base are probably counted in the few hundreds and can be dealt with on a case-by-case basis.
And I don't see why it sucks if you're running your own email server - inbound 25 should no be closed, and you can send through Comcast's relays anyway. Or at least that's how it works with Cox.
Unless you pay about $85 a month for a "commercial" account, Cox has been blocking port 25 to anything but their own mailservers for more than a year now.
It sucks, but nobody can match their speed in my area... certainly not DSL.
Don't forget port 80. They certainly didn't. No web serving on Cox connections. Not like you could get much data out with 19KB/s though...
Every occurance of "your" in your post should be replaced with "you're" except for one. As a fun exercise, try to figure out which one.
By the way, grammar aside, you're an idiot.
one reason I don't block port 25 for the users on my network is that so many of my customers want to use other email servers. This might be unique to my service, but just blocking port 25 doesn't seem a viable option. any other ideas slashdotters?
Up until now, ISPs have been able to hide behind their status as a common carrier for anything illegal that their customers do. They don't monitor, thus, they can't do anything about it. Comcast is admitting their ability and willingness to monitor the types of traffic their customers are producing, and block undesirable traffic. How long before this gets turned around and smacks Comcast (and their customers) with problems?
Why they just don't replace (or begin to replace) all those fucking cable modems which place whatever PC attaches to it DIRECTLY ON THE INTERNET!
....
I mean Jesus - How hard (or how much more money would it have cost) to simply fucking NAT these idiot soccer moms running Windows ME.
Just check out Internet Storm Center and you will see one of the traffic generators is NETBIOS for Christsake!
If on top of that - they'd run any kind of rudimentary basic virus screener on their mail servers they could single handedly wipe out 80% of spam!
Now ask me how I really feel about Comcast
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
I mean, couldn't we use all those cycles for something more productive?
I would be pretty po'd if they blocked port 25. I don't want my internet access handicapped.
The ISP I work for (name withheld to protect the proactive) has what I consider to be a good policy for handling bots. I think it is good because I came up with it myself. Any host that we get a complaint about is portscanned (all ports are scanned). The output from nmap is then fed into amap for application fingerprinting and mothra to grab banners. We then suspend the customer's internet access until they clean up the computer. On the whole port 25 thing, every day we find systems that are running SMTP servers on bizarre, very high ports.
"Who's going to believe a talking head?" - Herbert West
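The banner-grabbing step from the post above, as an added example that is not part of the original post: the poster's pipeline is nmap into amap and mothra, and this is a minimal stand-in that shows why the port number is irrelevant. A daemon is treated as SMTP if its greeting is a 220 with an SMTP-ish word in it, or, for daemons that stay silent until spoken to, if it answers an EHLO with 250. The fake daemon at the bottom is a constructed fixture so the scan runs offline against 127.0.0.1.

```python
"""Fingerprint SMTP daemons by banner and EHLO response, whatever port they use.

Added example, not from the original post. The fake daemon is a constructed fixture.
"""
import re
import socket
import threading

SMTP_GREETING = re.compile(rb"^220[ -].*\b(E?SMTP|Postfix|Sendmail|Exim|qmail)\b", re.IGNORECASE)


def classify_banner(banner: bytes) -> str:
    """Classify what the server said first; the port number plays no part."""
    if SMTP_GREETING.match(banner):
        return "smtp"
    if banner.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def grab(host, port, timeout=2.0):
    """Read the banner, send an EHLO, return (banner, reply); b"" where nothing came."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            banner = s.recv(512)
        except socket.timeout:
            banner = b""
        s.sendall(b"EHLO scanner.example\r\n")
        try:
            reply = s.recv(1024)
        except (socket.timeout, OSError):
            reply = b""
    return banner, reply


def is_smtp(host, port):
    banner, reply = grab(host, port)
    if classify_banner(banner) == "smtp":
        return True
    # Silent daemons still give themselves away with a 250 to EHLO.
    return reply.startswith(b"250")


def scan(host, ports):
    """Return {port: "smtp"} for every port on `host` that behaves like an SMTP server."""
    found = {}
    for port in ports:
        try:
            if is_smtp(host, port):
                found[port] = "smtp"
        except OSError:
            pass  # closed or filtered
    return found


def unused_port():
    """Bind-and-release to find a port with nothing listening (test fixture)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def fake_smtpd(greeting=b"220 pc123 ESMTP Spamtool ready\r\n"):
    """Constructed fixture: an SMTP-speaking daemon on a random high port.

    Pass greeting=b"" to model a daemon that says nothing until it gets an EHLO.
    Returns (listening socket, port); close the socket to stop it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                try:
                    if greeting:
                        conn.sendall(greeting)
                    conn.recv(256)  # the scanner's EHLO
                    conn.sendall(b"250 pc123\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    listener, port = fake_smtpd()
    print(scan("127.0.0.1", [port, 2525, unused_port()]))
    listener.close()
```

Against a real complaint host you would feed `scan` the open-port list nmap produced rather than guessing ports, and lengthen the timeout for the silent-daemon case.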
My local ASP has a good solution to this. By default, port 25 is blocked, but customers can ask for it to be allowed through. The presumption is that if you know enough to ask for port 25, then you can take proper responsibility for your machines.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
"I don't see how I should be banned from running my own mail server because some people abuse it. With that wonderful logic, it's time to shut down every P2P service, because most people are abusing them."
I think the phrase you're looking for is "A few bad apples spoil the barrel".
Even if Comcast goes forth with this, it's just a drop in the bucket. Maintaining an open database of websites known to propagate spam, then blacklisting them would do more.
Of course, that'd require *real* work and verification, as those sites move all the time. Still, it's possible.
The point is, this is lipstick on a pig. No amount of port blocking is going to stop dumbass users from being turned into zombies, short of pulling the plug or blocking their access to a database of known-to-be-harmful sites.
Here's an idea: how about disabling it like they are considering, and then putting them on a probationary term? They'd be able to continue with Comcast, but their traffic would have to be filtered through the blacklist for, say three months?
I know it's not popular to talk about censoring sites, but it's wasteful in terms of productivity and economics to have to clean up after these zombies all the time. Perhaps the "denial of service" should be applied to those infected, say after two incidents?
Just thoughts. I applaud Comcast for thinking about it, but can't help but shake my head as to the likely effectiveness.
...this will only lead to malware writers choosing other random ports for their zombie programs. I know this is expensive, but why not have an OSI Layer 4 or 5 level firewall checking for this type of activity?
$DEITY bless $NATION
being blocked by all of AOL for 48 hrs straight etc. Their
postmaster declared as much at MOG in DC last week.
Full of sh*t. Nice PR job.
What you suggest is a good idea.
SBC did this to me using the 2wire modem setup... took a little while to figure out that the modem had a builtin nat/firewall and wireless. Figured it out when I started getting 172.16 addresses popping up on my linksys router when my linksys uses 192.168
Damn those annoying creeps.
Given the gigantic expansion of broadband, I'm surprised that cable / dsl modems don't just do NAT and other firewalling techniques by default. It certainly seems like something the industry should push. Sure, today it's spam everyone's worried about, but when WindowsProcessX on port whatever is compromised next Comcast will have to start all over again blocking ports, unless the hardware each user had prevented this. As an added bonus, your "technical" users could configure things to their hearts' content too.
Now, now. Don't you know it's some kind of divine right to have your own server. If you're educated and all it's OK. You know what you're doing. It's the OTHER people that are at fault. Blame them, Joe and Jane "We have unlimited service. We can do whatever we want". I even think it's in the Constitution somewhere. If not? Well all the geeks can organize (something like a union) and get a majority of the states to make it OK to have your own server on a consumer-grade (at consumer prices) broadband connection. WE ARE GEEKS, HEAR US ROAR!
I mean Jesus - How hard (or how much more money would it have cost) to simply fucking NAT these idiot soccer moms running Windows ME.
You have any idea what kind of problems this would cause? Many servers only allow one connection per IP address...now imagine if several separate accounts on an ISP were behind a NAT. They'd all have the same IP, and their connections to so many sites would be blocked if even one person under the same NAT was downloading from them.
I support the Center for Consumer Freedom
".....you cockbiting fucktard."
And you could have made your point but instead you threw in something that made you an obvious troll who probably is jerking off in their parents bedroom as you refresh slashdot to try and post GNAA first posts.
Just because you can't think of a reason to not use the Comcast server does not mean there are not good ones. I've recently been put in the same boat by BellSouth, and I assure you there are good reasons for not wanting port 25 blocked.
First of all, if you, like me, have a notebook and actually move frequently from location to location (home, work, family and friends houses, public sites with wireless access) then you want to be able to configure your mail client so that it will reach a mail server that you can log into and not have to change settings every time you change location. If you have a mail server outside of a "me only" mentality ISP then this is simple and straight forward. But when the ISP blocks port 25 (as well as not letting you use their mail servers whenever you're not originating from their network), it's a royal pain in the ass to reconfigure all the time.
Also, if you, like me, administer or help maintain a valid mail server off of the Comcast network, you may well find it important to actually send mail through this server. Or you might even have a company policy that states that all business mail must be sent through the company mail server. No problem if port 25 isn't blocked and you log into the server you want. Big problem if some short sighted system administrator at your ISP insists that everyone should be expected to use the Internet in exactly the same way.
And I can't speak about quality of service at Comcast, but at BellSouth the mail server is frequently down. This was not a significant problem if I had to send time critical information out as long as I had port 25 open and could log into one of the other servers I use. Now it's a problem even from my desktop system.
Fighting spam is great, but fighting stupidity is even more important.
I'm an American. I love this country and the freedoms that we used to have.
actually i hear that works equally well on spam zombies as well...
To provide services (such as incoming SMTP, SSH, etc.), one can rent a co-located box (or a User Mode Linux virtual colo) offsite, drive an outbound encrypted tunnel to that, and pass packets through the outbound connected pipe for all the ports and services blocked by Comcast. Linux servers can stay completely within the TOS. Dynamic IP addresses can change with no changes to the DNS tables. The best part of this is that if Comcast ever gets feisty and NATs their users, there will be no interruption of service. Since you can choose whatever ports you want, an outbound tunnel will always work. At the user level, you can still use the web, download files, etc. without using bandwidth at the colo.
I am currently setting this up now with a local UML colo service, www.pdxcolo.net. $20/month, which is admittedly not free as in beer, but the cost is less painful than the enormous amount of Comcast zombie spam. And the colo can be shared, so real cheapskates can reduce the colo cost further.
I am glad Comcast is finally removing their heads from their posteriors about this. Maybe with some oxygen to their brains, they can make even more smart decisions. :-)
Keith Lofstrom server-sky.com
Comcast actually did something I agree with. I'm stunned.
Surgical strikes are a good idea--they stop the damn zombies without screwing over everyone else. Tho I think only blocking port 25 for zombies isn't going far enough.
IMO, Comcast should block the MAC addresses of spyware/virus infected zombies and send letters to these people, telling them that they'll only be unblocked if they can present proof that the virii/spyware are off their computers and that they've taken measures to ensure that it never happens again.
I support the Center for Consumer Freedom
Comcast could and should have gone ahead and user-runtime-reversibly blocked all of the common low service ports (1-1024) a long time ago.
By user-runtime-reversible I mean:
Put up a web page that I can connect to from my served address only, that lets me check-mark the common ports I want to allow in/out/both. And, most importantly, *NOT* change billing or pricing by check-box etc.
The default map would never be changed by users that don't care, and thus zombie-spam would be greatly reduced.
The custom map would be useful for those who do care.
Keying this on the "hostname" a paying customer sends with their DHCP requests, or by IP address and giving out nearly-static leases by default and clearing the map when a lease is lost, would be child's play. It is no harder technologically than dynamic DNS.
It could be instantiated anonymously one day and the only legitimate users who cared would even notice. As long as there was an obvious "so your ports were just locked on a service you were running at home and you don't like that? here's how to open them" link obviously placed on an "expert users" page on the corporate web site everything would be self-healing.
Of course that implies that they have rationally segmented their network so that the routers can leverage this information in reasonable time.
Evidence suggests that they have not so segmented. (You would not *believe* the amount of cyclic arping across multiple address ranges I see from their servers on my cable modem segment...)
Heck, the simple intelligence-test effect created by requiring a user to find their own hostname string from inside either their active configuration or their setup invoice would be enough to stop all sorts of shenanigans... 8-)
So anyway Comcast, get a nice firewall box, set up a permeable wall, with a nice default mask, and let users instantiate a private mask if they so desire by visiting their service settings web page.
Not that hard, unless you bought your infrastructure *really* cheap... 8-)
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
The value of not using the official alternate port is that an ISP that is going to block 25, and who isn't stupid, is going to block the official alternate port too.
Of course, how many aren't stupid... 8-)
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Before Comcast bought it out (though technically the same people and service), I had my broadband service temp. shutdown because they detected an open relay mail server on my line.
Once I shut off relaying, they had no problems turning the service back on.
"Where is my mind?"
I am a major cable company network engineer... and while the idea of allowing certain people access to having the ports open is nice in theory, it would be nearly impossible to implement on a large scale operation. With existing infrastructure all restrictions are placed in the access control list on the CMTS router. Without purchasing additional firewall equipment that can service a 1/2 million customers, which would run upwards of hundreds of thousands of dollars, the only way to selectively allow individual IP addresses to be able to use outbound would be to have individual allow statements for each customer who requested it placed on the ACL. Since nobody but the network group is allowed access to these systems we would need individual people dedicated to simply adding IP addresses to the ACL. And of course since each time a packet on port 25 is sent the entire outbound port 25 ACL is processed, the load on the routers would be so high that additional upgrades would be necessary.

The entire reason to block all outbound port 25 connections is to stop those with viruses/spam relays from causing the ISP's email server to end up on blacklists from the likes of AOL, Earthlink, and other very large ISPs. So the trade off is you inconvenience those customers who are already violating the acceptable use policy by running a prohibited email server or force them to use your outgoing SMTP server. In the end the vast majority of customers are much happier because their email works better, has less spam and garbage and the ISP has less work to do by contacting and disabling the service of those customers spreading viruses or spam via email.

If you're the type that needs a service that allows servers, static IPs, 4 hour service resolutions, higher upload then you can pay extra for those things and get a business class connection. That's really what it boils down to.
yeah cox communications in Virginia has been blocking 25 for a while. Not only that but regardless of which REMOTE pop server you check, you still have to send thru the COX SMTP server and have SMTP outbound blocked to any other server.
"It's better to be a pirate then join the Navy"
Common carriers aren't responsible for the content that their users place on their networks, BUT they are responsible to themselves and others for maintaining a level of quality and performance, and if their end-users actions are affecting the network? Then they can indeed take steps against them. For example if I put a very large load on the power grid and that affects the entire network? Then not only can they cut me off (remember no business is obligated to do business with you to its or others detriment). They can prosecute me as well. This same idea holds for any service you use, from water to gas, to cable. The only thing that will "smack" Comcast is why didn't they do this sooner, not that they did something you don't like.
"However, ComCast also lives in the real world. While on paper they could make an argument, they're trying NOT to upset the technical folks in their customer base."
Oh yeah! Technical folks. The same one's that can't even form a union to keep their jobs in the US. I'm certain the corporate world is trembling in fear. When I can vote Geek come November then we'll talk.
Apparently they haven't been turning a blind eye to the problem after all.
Yes, yes they have. They ignore complaints. If they weren't turning a blind eye to the problem, it wouldn't be necessary to totally block Comcast's IP space on mail filters.
They have the ability to take action when they receive abuse reports regarding zombie machines. They have thus far done nothing. It seems as though the volume of users bitching about being firewalled from the rest of the 'net as a result of their ISP's total inaction has finally reached a critical point.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I would dearly love it if Comcast (nee any and every ISP) offered a specific /dev/null address that I could use with icmp-redirect like clarity.
When I see a bunch of bogus packets slam into my box that have no reason to exist, I would like to be able to automagically do the IP equivalent of call blocking.
Sending an ICMP-REDIRECT-like message out in response to a bogus packet should be snuffled up by the ISP equipment and taken as a "call block" request against a particular peer address.
So if I rig up my firewall to icmp-redirect to some magic address (say 0.0.0.0, which is never legal in a redirect), the upstream router should process it as, say, a 24 hour ban of packets from that address to my address.
Were such a thing to become common, the ISP could forward that ban on to the next upstream peer and so on until the "well behaved" router closest to the miscreant would be keeping the wastage off of the backbones entirely.
Since it is a point-to-point ban it would be rather effective without letting malicious third parties do too much damage unless they could get common-segment with one of the parties.
Talk about killing a DDOS at the diverse roots.
Anyway, it would need a little refinement to keep the haxors next door from pretending to be me and cutting all of the sites they sniff me using, you know, check mac addresses or require me to use an activation squib from my firewall from time to time....
But it should be easy and safe enough once the nearest "Real" router got the do-not-call packet.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
I have been suffering through 3000ms pings for the last week or so, and I want Comcast to do just about anything they can to neutralize the problems their braindead users are causing. Block inbound, outbound, whatever, I am so pissed off, I could care less. We pay for web surfing and access to their email system if we choose to use it. STOP RUNNING SERVERS AT HOME PEOPLE. Yes, I know well-configured servers probably aren't causing the problems -- look at my UID before replying -- but your constant abuses of the TOS are contributing to the overall detriment of the system.
Intelligent Life on Earth
Speak for yourself. For years I helped run a 2,000 member strong mailing list off a sun axil 320...first off an ISDN line, then home DSL.
Given the costs of hosting, we might very well be back on a home DSL line soon. We're now at 3,000 members and 12+ lists, with well over a gigabyte of text archives spanning 12+ years. 'Course, we also traded up to a P4 3ghz...
Please help metamoderate.
Not necessarily port 25 (as mentioned elsewhere) but certainly ports used by worms like Sasser, Blaster etc. Windows Filesharing ports also.
If they notice enough traffic to be of a concern (probably not only quantity, but it being sustained) they ring you and ask. IF you reply "Uhhh, what's SMTP?" they tell you you have a virus and send you to a page to get it diagnosed and fixed. If it's legit, they drop it.
Also most of the viruses are scanning/spamming other ports (looking for hosts to infect). There is NO legitimate reason I can think of for a host to randomly and intensely scan for port 445 (the Windows fileshare port) on the Internet. You are either virused, and should be cut off, or cracking, and should be cut off and beaten. Thus if you notice 445 scanning, it's a pretty safe bet to shut down the pipe because you've caught a virused host, or a script kiddie.
It's perfectly possible to watch for abnormal traffic and react accordingly. Some of it is just clearly right out (like random, sustained vulnerability scanning of hosts on the Internet) and you need no further investigation. Some is suspect, but nothing a simple phone call can't clear up.
It isn't difficult to allow people like yourself to exist, while proactively cutting off virused users.
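The two signals this comment relies on (sustained sweeping of one port across many hosts, and "camping" on port 25 rather than bursting) are easy to compute from a per-connection firewall log. The following is an added example, not code from the thread or from any ISP; the log format, the sample lines and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# One firewall log line per connection attempt. The format is an assumption
# chosen for this example (timestamp, verdict, src, dst, dport), not any
# particular vendor's syntax.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:DROP|ACCEPT) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def _constructed_log():
    """Build a constructed sample log (not captured traffic)."""
    lines = []
    # 24.0.0.5 sweeps TCP/445 across 12 different hosts in 12 seconds.
    for i in range(12):
        lines.append(f"2004-05-24T10:00:{i:02d} DROP src=24.0.0.5 dst=10.1.0.{i + 1} dport=445")
    # 68.40.0.9 delivers to a different MX every minute for 15 minutes straight.
    for i in range(15):
        lines.append(f"2004-05-24T10:{i:02d}:30 ACCEPT src=68.40.0.9 dst=192.0.2.{i + 1} dport=25")
    # 24.3.0.7 looks like a home mail server: two short bursts of port 25, then quiet.
    for i in range(4):
        lines.append(f"2004-05-24T10:02:{i * 10:02d} ACCEPT src=24.3.0.7 dst=192.0.2.50 dport=25")
    for i in range(3):
        lines.append(f"2004-05-24T11:30:{i * 10:02d} ACCEPT src=24.3.0.7 dst=192.0.2.51 dport=25")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def find_sweepers(events, port=445, min_targets=10, window_seconds=60):
    """Sources that hit `port` on >= min_targets distinct hosts within any window."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == port:
            per_src[src].append((ts, dst))
    flagged = set()
    for src, hits in per_src.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):  # sliding window over time-ordered hits
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window_seconds:
                lo += 1
            if len({d for _, d in hits[lo:hi + 1]}) >= min_targets:
                flagged.add(src)
                break
    return flagged


def find_campers(events, port=25, min_minutes=10):
    """Sources with port-`port` activity in >= min_minutes consecutive minutes.

    A burst (a few minutes, then silence) is left alone; a host that never
    stops talking to port 25 is the pattern this comment wants caught.
    Returns {src: longest_consecutive_run_in_minutes}.
    """
    minutes = defaultdict(set)
    for ts, src, _dst, dport in events:
        if dport == port:
            minutes[src].add(ts.replace(second=0, microsecond=0))
    flagged = {}
    for src, buckets in minutes.items():
        ordered = sorted(buckets)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if (b - a).total_seconds() == 60 else 1
            best = max(best, run)
        if best >= min_minutes:
            flagged[src] = best
    return flagged


def triage(log_text):
    """Combine both detectors into one report for the log text."""
    events = parse_log(log_text)
    return {"sweepers": sorted(find_sweepers(events)), "campers": find_campers(events)}
```

Running `triage(SAMPLE_LOG)` flags 24.0.0.5 as a 445 sweeper and 68.40.0.9 as a port-25 camper (15 consecutive minutes), while the two bursts from 24.3.0.7 stay below the threshold; the thresholds are the tuning knobs an ISP would set from its own baseline before anything automatic (a phone call, let alone a cut-off) is triggered.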
Bah, I'm already doing this. Due to the amount of spam coming from Comcast zombies, my sendmail access file has the following:
client.comcast.net REJECT "Mail from dynamic Comcast hosts not allowed"
I've blocked many o-spams this way. Around 1000 a week.
It's better to burn out than to fade away
That's a clever idea, and it might even work.
Seriously, who lowered the bar this far. Since when is blocking the port such an awesome and creative idea? Maybe their automation is something to talk about but come on.. why does cnet pat itself on the back every time someone publishes something obvious.
They aren't the only ones though. (Patent office). The same thing happens all over the net. For instance remember the vulnerability that security focus screamed about a few weeks ago? The "vulnerability" is a function of any CSMA/CA system that anyone with a cursory understanding of the protocol would recognize. Why is this a "new" vulnerability?
Again, the "internet is going to crash" stuff about tcp sequence windows; All of this stuff is obvious to anyone who read the RFC. To me that seems a bit different than finding an obscure overflow, or unpublished error. Finding obvious aspects of a protocol is not.
My opinion is that it's part of the "alarm" mentality that we seem to love, and that the press jumps all over. But I'm curious what other opinions on the subject are.
My father had BellSouth DSL, and they've started blocking Port 25 for outgoing mail. This means that he couldn't send mail through the third-party mail server that he's been using for years. I don't want to have to change his settings (and he doesn't want to give people a new address) every time he has to change ISPs, so he pays a bit of money to use NetIdentity.com for his mail.
Since BellSouth wouldn't use some sort of reasonable measure of WHO was abusing the service instead of treating everyone as a spammer, we switched him to another DSL carrier. I think it's unreasonable to expect everyone to have to use ONLY the mail server of the ISP.
BTW, BellSouth said they WOULD open Port 25 if my father would pay double the money for a "business-class" DSL account, which shows me that it's more of a marketing distinction on their part than a distinction with a truly technical justification.
Is it technically possible for an ISP (ANY ISP, not just Comcast) to watch incoming email and forbid identical outgoing email? Perhaps calculate a quick checksum for the inbound and block (before it is even sent) that checksum (based on the body text, not the headers) from exiting?
That seems like it would stop a good percentage of spam from ever exiting the zombied hosts.
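The question above (hash the inbound body, refuse to relay an identical outbound body) can be prototyped in a few lines with the standard library. This is an added example, not the thread's or any ISP's code; the three messages are constructed, and the normalisation rules (strip headers, fold whitespace and case) are one reasonable choice, not a standard.

```python
import hashlib
import re
from email import message_from_string


def body_fingerprint(raw_message):
    """SHA-256 over the normalised text body only.

    Headers (To, Date, Message-ID) differ between copies of the same spam,
    so they are excluded; whitespace and case are folded so that trivial
    re-wrapping does not change the hash.
    """
    msg = message_from_string(raw_message)
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    text = re.sub(r"\s+", " ", " ".join(chunks)).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class OutboundDedupFilter:
    """Remember bodies seen inbound; refuse to relay an outbound copy.

    min_inbound: how many inbound copies must have been seen before an
    outbound copy is blocked (1 = block on first sighting; raising it
    reduces false positives on ordinary forwards).
    """

    def __init__(self, min_inbound=1):
        self.min_inbound = min_inbound
        self.inbound_counts = {}

    def record_inbound(self, raw_message):
        fp = body_fingerprint(raw_message)
        self.inbound_counts[fp] = self.inbound_counts.get(fp, 0) + 1
        return fp

    def should_block_outbound(self, raw_message):
        fp = body_fingerprint(raw_message)
        return self.inbound_counts.get(fp, 0) >= self.min_inbound


# Constructed sample messages (not real mail).
INBOUND_SPAM = (
    "From: nobody@example.net\nTo: victim@example.com\nSubject: hi\n\n"
    "Buy   cheap pills now!\nClick here.\n"
)
OUTBOUND_COPY = (  # same body, different headers, different wrapping
    "From: victim@example.com\nTo: friend@example.org\nSubject: hello\n\n"
    "buy cheap pills now!\nclick here.\n"
)
OUTBOUND_LEGIT = (
    "From: victim@example.com\nTo: bob@example.org\nSubject: lunch\n\n"
    "Hi Bob, lunch tomorrow?\n"
)


def demo():
    """Return (copy_blocked, legit_blocked) for the constructed messages."""
    flt = OutboundDedupFilter()
    flt.record_inbound(INBOUND_SPAM)
    return flt.should_block_outbound(OUTBOUND_COPY), flt.should_block_outbound(OUTBOUND_LEGIT)
```

The caveats a mail admin would raise: a reply that quotes the inbound message in full, or a plain forward, produces the same fingerprint and would be blocked too, so in practice this is one scoring input rather than a hard reject; and it only catches zombies that relay an inbound body verbatim, not spam generated locally with randomised text.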
This is a great idea - I've been checking spam headers and e-mailing Comcast (and other broadband ISPs) for a while now.
... but it would help a lot more if China and Korea were Comcast customers.
It will help to cut down spam
No biggie. Every MTA provides a feature to use a "SMART HOST." This is exactly the point of this. INBOUND port 25 does not need to be blocked, just outbound for this to have an effect. Home users running their own mail server should have nothing to fear assuming they set their servers up to use a smart host.
Honestly, what's one more hop? Play nice and let your ISP know you are doing it. If you're not a hassle to them, I bet they won't care. I've been doing it for years.
Just my 2cents.
Don't waste time... procrastinate now!
Cox blocks port 25 inbound and outbound. It used to be an outbound block only until MyDoom showed up.
This is why Indie-Mail (which is colocated with another ISP) runs the SMTP server on ports 25 and 28. I didn't care to have to run my mail through Cox.
Other people who run public mail servers would be smart to offer that feature. It allows their legitimate customers a way to avoid having to run all their mail through their ISP and doesn't do anything to help spammers.
Unless everybody used the same alternate port enough that e-mail viruses just started using the alt port and the standard.
Ben
Work Safe Porn
I've been using Earthlink (cable) for over a year and run a mailserver. Earthlink does not block port 25 as the article states.
And by application i mean the form kind. Why not block all traffic, then if power-users want it open, they can fill out a form and the ISP can open it up.
Aim for the head.
I'm trying to convince the powers that be to redirect outbound SMTP from all but our business customers and our own server farms to our local SMTP servers. That way we'd force all our normal customers into a mandatory Smarthost configuration. The only problem I've found while trying to get this going is a problem with redirection on Ciscos. It's been a few weeks since I stumbled across it. It's something about the redirected packet using the wrong source IP when dumped onto the wire facing the target of the redirection. Something like that. With a simple Linux firewall this wouldn't be a problem. I vote for redirection personally. Still this adversely affects users using SMTP authentication.
They can't block port 25 unconditionally - they have no dialup support.
What this means is that if you travel with a laptop, the only way you are going to be able to get connectivity while on the road is to have a separate dialup service.
What this effectively means is that in order to avoid having to switch your configuration around between home and not home, and to maintain a single email address, you ignore Comcast's mail service, and use your dialup ISP's mail servers all the time (via SMTP AUTH), and use the dialup ISP's mail account as your primary email address.
At which point, Comcast's value to you is nothing more than "IP dialtone" at a higher speed than you get via dialup (too bad they don't charge less for this type of usage).
Yeah, it's relatively trivial to export a couple of configurations on Windows with regedit, which would let you double-click to change the settings, but it takes someone with some knowledge to do that (for example, knowing it can be done).
OutLook has some features for doing this as well, but OutLook is one of the reasons blocking is an issue in the first place.
The bottom line is that an ISP that doesn't offer alternate access not tied to your physical location can't afford to effectively block access to the servers of ISPs who don't have that same problem, if they want to attract customers.
Of course, this problem is much reduced, if they start offering dialup access for their cable Internet service subscribers who happen to be on the road, but they show no signs of doing that.
-- Terry
port 25 has been blocked since i first got comcast installed sometime last year (i'm bad with dates).
I checked my IP just for fun, and got a 1/31 hit ratio. It looks like the entire ADSL network for Xtra (NZ's largest/virtual-monopoly DSL supplier) is listed on BLARS for semi-obscure reasons. Nothing actually SPAM related of course... "private block list, WARNING: Lists /16 and /24 netblocks instead of single IP addresses". Is this gent's dislike for the way records are presented the reason my email server can't send anything to AOL addresses? If so, people put WAY too much faith in public block lists.
Forget thrust, drag, lift and weight. Airplanes fly because of money.
an ISP that is going to block 25, and who isn't stupid, is going to block the official alternate port too
Uh, no. The traffic the ISP is trying to stop is traffic from their users directly to a receiving MX of a domain. That traffic MUST go over port 25.
Port 587 is for use in initial mail submission, e.g. users sending work email from home via their work email servers. Generally, those work email servers are going to require TLS+AUTH before random Internet users can send mail, and aren't going to be useful for spamming (unless they are open relays, but that's rare these days, and they will get blacklisted). There is no reason for Comcast to block that port, since it's not associated with abuse, and would needlessly alienate customers (including many of my users).
So, the result of blocking outbound port 25 is that, instead of being able to send mail from a Comcast cable modem to any server on the planet, you can only send it via the Comcast servers or your work servers, and you have an existing relationship with both of those parties. The admins of either of those servers will therefore have a much easier time dealing with abuse than some random third party getting stuffed with spam.
What I meant was - yes give each user a single public IP address
...
- but -
NAT each user BEHIND that IP - i.e. overload it
Or think of it as giving everyone there own super basic Linksys SOHO cable router thingy dealy
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
As far as I'm concerned, the sooner they implement this, the better
Exactly opposite for me.
I run my own mail server for my personal domain and send/receive about 10-20 emails per week. If they block the SMTP port, it would suck. One thing I learnt when I signed up for comcast was that as far as sending mail goes, my mail server was unable to deliver email until I configured my mail server to connect to comcast SMTP server using my comcast account and password....
I can forge tepples@sp_mc_p.n_t just fine through a Comcast mail server in Fort Wayne, Indiana. Where do you live again?
What about someone who's not running a prohibited email server, but is using a legal email client to send SMTP traffic to a legal SMTP server outside the Comcast domain? An SMTP server is something that receives incoming traffic on port 25. An SMTP client is something that sends outgoing traffic to port 25.
Comcast may be within their rights to block inbound port 25 __IF__ you assume that it's fair for an ISP to unilaterally impose blanket restrictions on service.
When a software company is willing to sit down and negotiate EULA terms with an individual end user, or Comcast is willing to sit down and negotiate a TOS with an individual user, then maybe it will be fair. Until then, a usage agreement involves no agreement at all.
I'm happy to see that they're planning to do something non-drastic. RCN opted to simply block all outbound 25 and inbound 80, which is asinine. Fortunately I'd already moved from them to Comcast by that point, and Comcast wasn't misbehaving. If they start blocking ports, though, I'll go elsewhere.
:-) If they see a shitload of mail flooding out of my mail server constantly, then either I'm a spammer (in which case they should kill my account) or my SMTP server has been hacked, in which case they can notify me and I can fix it, saving everyone in the world a huge hassle. If I don't fix it, then they can turn the port off until I do.
Biggest advantage of running my own mail server? I can run IMAP there as well with squirrelmail, then receive AND send mail from any terminal in the world on my own account. No screwing around with finding the local SMTP server on whatever ISP I happen to be on. That's far more useful than you realize! And no, I do not accept the idea that just because some people abuse SMTP to send spam that we should slam everyone for it. I also run my own DNS server behind my firewall to let me centrally control aliases to various hosts. That's a perfectly benign act. I also make NTP requests, although I don't serve NTP to anyone else.
Someone else suggested a good compromise, I think. Default block anything below 1024 (in the appropriate direction, depending on the port), but let anyone explicitly request any given port to be opened, no questions asked. Quick signup on a web form, no long delay. That automatically keeps 99% of the zombies in check (since zombified users, most likely, won't know what a port is) and allows people like me to make full use of an always-on connection. Anyone who has requested a port be opened, however, is monitored not for content but for volume. OK, they'd get cranky if my home web server were slashdotted. Well so would I.
Makes everyone happy, and kills most zombies in the process.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
That's because many are more concerned with the possibility of your PC taking a dive in the middle of a customer service directed windows update than if your PC has a bot.
I am a Comcast customer, and I'd hate to have all my connections proxied or blocked, but I don't see the harm in making people like myself call a phone number to supply a list of ports to unblock/unproxy.
Them: "How may we help you?"
Me: "Please unblock TCP port 25, both ways"
Them: "OK"
After all, why should millions of people have tens of thousands of unneeded ports available for abuse?
AC: Comcast IS proposing... Damn illiterate fuck.
saforrest: Maybe ey's British.
The AC IS provincial and ignorant.
As you (saforrest) point out, collective nouns in British English are usually treated as plurals.
I know you're kidding, but SCO is grasping at straws here. I seriously wouldn't be surprised to see Darl or someone spinning this comment as though it represents some "vast conspiracy funded by IBM" against them or similar nonsense... It's not like they have serious arguments to put before the jury...
:/
;)
Hell, Daniel Lyons of Forbes has already printed random comments from discussion boards in his "articles." Methinks he needs to retake Journalism 101...
(Why yes, I do bash Lyons a lot. My personal, biased opinion of him is that he's a scolecophagous scorbutical scoundrel. That expression, of course, is a horribly contrived Google-bomb which means 'a worm-eating scoundrel with scurvy' -- there are lots of fun words that start with 'SCO'
Optus (Australia) has a very good system.
Blanket block of all outgoing port 25 traffic. If you want your port 25 enabled, you go to a specific section of the Optus website, enter your login/pass and click "I Accept" on an agreement type thing, and click "Unblock my port 25".
Done. Techies who want their own mail dealies get them, and people who get infected and deployed as spambots go nowhere.
--
The last digit of pi is four.
Getting past your method:
1. have zombie load the page
2. send captcha to india, china, etc.
3. get back human-decoded captcha
4. submit web page
Alternately, post the captcha as a password for a free porn site. Then you have real web surfers helping you to bypass it.
If you're running your own mail server (or running one for your employer, for that matter), you should configure it to use SSL and authentication, via port 465. No need for ugly hacks like POP-before-SMTP or nonstandard ports, and you get encryption to boot, at least for your link to the server.
Oh, no! You have walked into the slavering fangs of a lurking grue!
Lots of MUDs (text-based online games) have people connect to their game by telnetting to their server via port 25. If they blocked port 25 to stop mail servers would this also stop people telnetting to port 25?
Off topic but what the hell. The new drive is full after 3 months. I love broadband. I love um sharing, yeah thats it.
Who the hell thinks that Comcast is going to do a surgical strike? What are the criteria? What if your port is accidentally blocked? And you call up Comcast, put on hold for 10 seconds and "Sorry, sir! Our mistake! We'll re-enable it right now!"
It is more like blanket block, 100 minute phone muzak, and "You are spamming! Company policy! Nope, can't do that! You are mistaken, it is not blocked. check your configuration. We only support Windows."
Well, I guess being optimistic is all one can do given the crap that is going around the world these days.
Cheers,
e.
The system lets the user out of isolation 30 minutes after the reason for isolation has disappeared. Though there are some users who get into isolation, out of it, back again all day long. One has to wonder what the user is doing with the computer? Just having it on, warming the house? Cause they can't surf the net, they can't send email...
This system has reduced outbound spam drastically! And the best part is, we don't have to find out who is infected (dynamic IPs) and then try to contact the end user (many times not the one who pays..).
here's the manufacturer's slide show (don't slashdot him to death..)
Blocking port 25 (surgically or otherwise) wouldn't prevent zombies DDoS attacks.
The problem is that the machine is infected. Blocking just hides the infection from the rest of the internet.
I think most people would remove the zombies if they knew it was there, and they knew how.
And it's often the case that somebody knows a machine is infected and someone probably knows how to fix it too.
The key is to get that information to the user.
Imagine if most of the web sites visited checked your IP against a central server of infected IPs,
and redirected them to a "your computer is infected, get it fixed - here's how" web page when appropriate.
-- this is not a
Comcast will come out of my local block list sometime after the heat death of the universe.
May they rot in hell, up to their necks in viagra and penis cream.
For the most part, if Comcast leaves a port 25 outbound connection open, the spammers will exploit it. You want/need port 25 open, post a bond and you will be under the microscope. You let it get taken over, we keep your money.
If you need to access a corporate mail server outside of comcast's ip space, plumb up an ssh/vpn connection. Most corporate policies don't want you using rogue mail servers.
I am too tired, saying the same thing at the beginning and end of my post
Snowden and Manning are heroes.
I certainly agree that such unilateral action as blocking all port 25 traffic is not necessary to stop zombies. Everybody knows it takes only two things to stop them:
A boom stick in one hand, and a chainsaw on the stump of the other arm.
Thank you, I'll be here all week.
N4st0r, trixx0r h0bb1tz0rz! Th3y st0l3 0ur pr3c10uzz!
Well, that would require other changes that I suspect Comcast does not want to make. Comcast assigns IP addresses with a life of about 1 week. I don't know why they use such a long period, but I assume there is a good reason.
A lot of SPAM can go out in the space of a week.
The real "Libtards" are the Libertarians!
Get an axe.
That's right. All your base.
The equivalent of an Internet Death Penalty needs to be levied on them. Too long they've been reported to about their problems and only NOW they're gonna do something about it? No, twiddling their thumbs in all of this was more than enough. Block everything by Comcast at your ports. Let their customers worry about where to get connection from.
but you're still blocking zombies on the >95% (a wild guesstimate) of hosts who don't run mail servers (and would thus not have any interest in being unblocked). Even if every single unblocked host were compromised, you would still be blocking a huge number of zombies.
HAND.
This has already been covered. Comcast allows VPNs.
With port 25 open, there is a profit motive for spammers to buy these zombie networks from virus-writers. If port 25 is closed, that hurts the spammers directly, and it makes it a lot harder to make money from writing and spreading viruses. (It's one thing to have to patch against script children, but it's quite different if there are professionals trying to take over large numbers of systems.)
I blocked most of Comcast's DUL SMTP traffic a long time ago. I don't care what they do now. It's too late. Any good mail admin at this point has a very decent list of IP blocks for DUL/Broadband that shouldn't be allowed to send port 25 traffic. Comcast can bite me.
RBLs like Sorbs have been great at shutting down the Comcast zombie army. And now a year later they finally want to do something about it? Screw 'em. If you are using Comcast for business internet, you're still going to be screwed because nobody wants to deal with the crap traffic that Comcast can't control, and I'm certainly not un-blacklisting their IP space.
This is also very effective in the /etc/access:
n nect:24.1. 4
connect:68.40 550 Comcast sucks
connect:68.41 "
connect:68.42
connect:68.43
connect:24.0
co
connect:24.2
connect:24.3
connect:24
connect:24.13
connect:24.18
(On windows,) I run WallWatcher to monitor my Linksys router log, with MyNetWatchman reporting the intrusions (all incoming traffic is firewalled here). Over the last few months, the Linksys has rejected over 1,000 incoming attempts each day, mostly the typical popular target ports 135/137/139/445/1026/1680/5000 (etc. etc.), and mostly from dynamic cable IPs. Now, in just the last day or two, I am seeing maybe 1/3 to 1/2 less incoming zombie-like traffic on these ports.
Hopefully other large residential broadband providers will become as belatedly proactive.
Why not hire the mafia family of your choice and let them take care of spammers? That way, organized crime is busy elsewhere, and spammers will suffer greatly. Everybody wins.
I'm clearly not a sysadmin, but I do have a quick question.
Couldn't I write some code called "UberFooSpammingScript.pl" [notably in Perl], and send out email on another port? I'm sending email to port 25 on the remote machine. I'm not piggie-backing an email server at this point.
What do you mean my sig is repetitive? What do you mean my sig is repetitive? What do you mean....
Comcast has been one of the leaders in writing Terms of Service policies that ban anything resembling a server, because they don't want to figure out what really is or is not an abusive traffic hog - better to ban the baby as well as the bathwater because otherwise you need tech support people better than what you get for the wages they want to pay, and you have to arbitrate disputes rather than cutting people off if they don't obey you. It's fun being a quasi-monopoly, after all (:-) Many of the DSL carriers try to follow Comcast's lead, and many of them try to compete by providing actual better service (e.g. Speakeasy and Sonic).
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The majority of "normal users" just set up their mail client the way the ISP tells them to, so they are already sending all their legitimate mail through Comcast's SMTP servers. They wouldn't notice the block.
The small number of power users, on the other hand, would know how to smarthost their MTAs. They wouldn't need help doing it but they would be justifiably p***ed off so that would involve some support time as they sound off.
Blocking port 25 may have undesirable side effects.
Sigs. We don't need no steenking sigs.
I run my own mail server on my comcast system.
It does no redirects and is as tight as any commercial site.
I have been getting tons of spam lately, and none of it is from comcast customers. It comes from overseas, AOL, Yahoo, etc. but not comcast.
Just my experience.
If your the type that needs a service that allows servers, static ips, 4 hour service resolutions, higher upload then you can pay extra for those things and get a business class connection. That's really what it boils down to.
Or (for everything but the static IP) you can just pay less and get DSL. Which is what I'm doing now, having dumped Comcast.
I know this would take a certain amount of scripting, but if ISPs already use ACLs on their CMTSs, why not have a script automagically add addresses that have been picked up by common spam-lists. All the script would need to do is pick up the list, find out what IPs on there belong to their customers (subnet mask check) and dump the list in the ACL. Seeing as these lists are usually automagically generated, this would only introduce an extra step in the pre-existent system.
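The script this comment sketches (fetch a list, keep the entries inside the ISP's own prefixes, emit ACL lines) is short enough to show in full. This is an added example, not code from the thread or from any ISP: the prefixes are placeholders rather than Comcast's real allocations, the block list is a constructed sample, and the output uses Cisco IOS extended-ACL syntax since the thread talks about ACLs on CMTS routers.

```python
import ipaddress

# Constructed placeholder prefixes standing in for the ISP's own customer
# allocations; they are NOT Comcast's real netblocks.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("24.0.0.0/16", "68.40.0.0/14")]

# Constructed sample of a fetched block list: one IP or CIDR per line,
# with the kinds of noise (comments, duplicates, junk) real lists contain.
SAMPLE_LIST = """\
# constructed sample, not a real DNSBL export
24.0.17.5
24.1.200.9
68.41.3.77
198.51.100.10
68.42.0.0/24
68.42.0.0/24
garbage-line
"""


def parse_block_list(text):
    """Yield ip_network objects, skipping comments, blanks and malformed lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # never let one bad line abort the whole ACL update


def our_customers(networks, prefixes=OUR_PREFIXES):
    """Keep only entries inside one of our prefixes (the 'subnet mask check'),
    then collapse duplicates and adjacent ranges so the ACL stays short."""
    ours = [
        n for n in networks
        if any(n.version == p.version and n.subnet_of(p) for p in prefixes)
    ]
    return list(ipaddress.collapse_addresses(ours))


def render_acl(networks, acl_number=101):
    """Render IOS extended-ACL lines denying outbound TCP/25 from each network.

    IOS wildcard masks are the inverse of the netmask, which the ipaddress
    module exposes as .hostmask. The trailing permit keeps everything else
    flowing (the list is a deny-list, not the deny-by-default model other
    posters describe).
    """
    lines = []
    for n in networks:
        if n.prefixlen == 32:
            src = f"host {n.network_address}"
        else:
            src = f"{n.network_address} {n.hostmask}"
        lines.append(f"access-list {acl_number} deny tcp {src} any eq 25")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def build_acl(list_text):
    """Full pipeline: text of a block list in, ACL lines out."""
    return render_acl(our_customers(parse_block_list(list_text)))
```

For the sample list this yields deny lines for 24.0.17.5, 68.41.3.77 and 68.42.0.0/24 and drops the entries that are not the ISP's own (24.1.200.9, 198.51.100.10). Collapsing matters for the reason the network engineer gave earlier in the thread: every outbound port-25 packet is evaluated against the whole ACL, so the list should be as compact as the data allows, and entries need an expiry path as well as an insertion path or the ACL only ever grows.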
I know my machine's not a spam-spewing zombie, since I use a Mac...
I have a list of ISPs whose Cable/DSL connections I have banned from sending to my server, because though I might get only 2 or 3 messages a day from each cable/dsl site, they are all spam. The way a lot work is to distribute the load across a high number of these so you don't see a lot of connections from one IP, but instead it all clusters around an ISP. This doesn't set off anti-spam triggers as we aren't getting flooded from one site.
.. just point the relay in your mail server settings properly.. big deal.
I think banning outbound port 25 from the ISP level is a good idea. Least they still let you unban, or use their service. Bell Sympatico has done this here in Canada, and you know what, I don't get any spam from a sympatico domain. They filter all mail thru their own servers which I'm sure cuts down a good portion of the messages, if someone does start spamming I'm sure they just delete the access or trash all messages. I thought it was a pain in the ass, since I do have my own mailserver at an ISP. All the users would connect to that natively, which was a pain having to run Auth service for this, now I don't worry.. it goes out of Bell. The mail still goes back to our server, and they pick it up fine.. no problems.
If they block port 25 it won't be entirely, it just won't let it leave the local network for the rest of the internet and you must relay your mail thru the ISP mail servers big deal
If you want to stop zombies, use your clout to get Microsoft to fix its POS operating system. Stop supporting Windows, and maybe Microsoft will fix it instead of relying on other companies to fix their own problems.
Sincerely,
A Customer Who Could Ruin you in the Harrisburg Market, not that you'd care
I'm in the hole of the broadband donut.
Why not just transparently redirect port 25 to the ISP's MTA? Just like a transparent Squid Proxy. That's what I do here at work. As long as the MTA is configured to relay for that IP range there shouldn't be any problem. Yes, the mail headers will have an extra hop; but that hop can scan for mass mailings, viruses or whatever. That way it is controllable in one central location.
Punish the guilty instead of just whacking everybody? Genius, sheer genius!
So the spam-zombie equivalent would be either:
SPAAAAAAAAAM
or
Maaaaaaaail
I wonder if I could modify the little AOL voice into zombieism. You've got maiiiiiil.
They're not going to do that. They'd have to write/buy software to track every user's port 25 usage, then have people switch those users into a lock-down pool. It's just not going to happen, not with 5 million customers or whatever. It's a whole lot easier to block all port 25 traffic. Set static IP's and open ports for those that specifically request it. Then they have a nice short list of people that are hopefully using it for good instead of evil.
I can't really blame them for going this route - the problem I do have is charging people extra for this. My Cable ISP (Starpower) charges $20 a month extra for a static IP. Great business plan to sell people the right to use a service that used to be included.
I have heard several people mention "informing the customer" as part of the solution. However, with viral/worm e-mail messages masquerading as such notices, it becomes very difficult.
I have had to look over my mother-in-law's machine several times, because she had received fake alerts in e-mails, claiming that they were from the "mail server", and that she had a virus. She didn't, but I am sure that if she had clicked on any of the links in the message she would have been infected. (I at least trained her not to click on unexpected notices, etc.)
McFly777
- - -
"What do people mean when they say the computer went down on them?" -Marilyn Pittman
Use port 587 instead. That's the message submission protocol. It's a subset of SMTP-AUTH+TLS over a different port designated for this very purpose. Outlook and other mail agents support it (if you can enable TLS and specify a port number, you can use it). Any 3rd party mail provider destined to stay in business has this available.
now we need to go OSS in diesel cars
Six score characters.
Brevity being wit's soul
I have enough space.
I automatically block anything registered as a Comcast dynamic IP because it's always spam. Without question. If it's legit, it should go through the Comcast mail server. Keep in mind that this only blocks dynamic IPs if it's registered as a dynamic IP; I assume if you're smart enough to run your own nameserver and fill out all the ICAN'T-related paperwork, you're smart enough not to click on the file somebody "send you to have your advice".
Let's face it, the people on here who use different networks, run their 5000-person listserv from home, etc. are few and far between and could be whitelisted by Comcast. The vast majority of mail senders are schmucks who expected the computer to be a new kind of TV and now pollute the Internet with hundreds of spam mails.
Complaining about not being able to use a mail server on a Comcast dynamic IP is like complaining about getting blocked by the majority of the Internet because your mail server is an open relay, or getting kicked off IRC because you use AOL. If you want mail access to the Internet and not just the ISP mail gateway, you should do three things: STFU, move to a static IP, and get yourself a hostname that doesn't look like "ip55643234-luser-65-43-231-30-hugecablegiant.com" .
There's no sig like this sig anywhere near this sig, so this must be the sig.
One should also restrict end-user submission to using authenticated SMTP. (Again, Red Hat has the hooks for this, and there are HOWTOs on the net explaining the details.)
Anything coming in from a stranger over unauthenticated SMTP should go into a "slowboat" low-priority queue for extensive spam and virus scanning.
Note that sending mail outbound to port 25 is not a violation of most TOS, because that's not running a server, that's "direct to MX" submission, and most TOS don't say anything about that.
I'm a comcast customer with a mailserver. I also have an IPtables firewall and a zoned defense with an IDS (running no IP address) in the "dirty" zone.
All these things are true on my connection:
Incoming port 25 is not blocked from the outside world.
Incoming port 25 is blocked from other Comcast IP addresses.
Outgoing port 25 is not blocked to the outside world (but is often filtered out by other networks. Widespread adoption of SPF will make this problem worse).
Outgoing port 25 is blocked to other comcast addresses - except to the comcast mailservers.
The comcast mailservers will relay anything that comes from a comcast IP; unfortunately, they do this without even the most cursory scanning, so there are several virii (including at least one variant of klez) that are constantly being relayed out into the world at large by the comcast mailservers.
Blocks and tarpits come and go on other ports; mostly on NetBIOS ports. I block all netbios, but occasionally nmapping from outside comcast will show those ports as "open" (needless to say, my logs at home show the nmap packets never reached me).
This is the empirical truth, based on actual observation, in my section of the comcast net. There may be different conditions elsewhere.
I offered to fix comcast's problems for them, using excessed equipment and OSS (I figure it'd take about a week to implement a permanent solution to all virii and most spam on comcast) but their phone support guys were incapable of understanding what I was saying.
I relay all my outgoing mail through comcast's mailservers with a sendmail "Smart Host" relay... all my return addressing uses my vanity domain name.
No problems!
Hell, comcast allows Klez, Swen and Dumaru through their mailservers, why do you think they'd block your legitimate domain name?
That's why there is more than one wire, capisce?
You are wrong.
You are using the same specious argument that's used against egress and ingress filtering every time.
Repeat after me: "The cost of delivering the bad packets is higher than the cost of controlling them."
You just need to engineer your system correctly. Yes, I know they don't teach you how in CCNE school, that's why old farts make more money.
If you don't want to pay for the hardware that will serve your customers properly, you will be driven out of business by the competent providers... oh, wait, I forgot, there aren't any, since your cheapskate millionaire employers have a monopoly.
My bad! You don't need to be competent when you have the customer by the cojones.
Um, those people are not running their own mail servers they are running somebody else's mail server.
And typically, they are running spamblowers, not mailservers, anyway. I guess you could say that a spamblower is a sort of optimized crippled mailserver, but it's a bit of a reach, like calling a motorcycle a type of car.
Yeah, Probation-class pool! That would work nicely.
All they need to do is implement some monitoring tools to watch for excessive email traffic and if they see that then automatically dump the user into a restricted ip address pool where everything is blocked in and out except for a single Comcast web page and the ability to reach Windows Update along with Symantec and McAfee anti-virus sites.
The single Comcast page, which would be the only page the user would be able to get to (except for anti-virus and Windows Update sites), would explain that their computer may have been hijacked and that they need to remove the trojans and clean their computer before they can rejoin the rest of Comcast's user base.
Universities implemented this when schools re-opened in the middle of several Worm wars. They would connect to the network and get immediately blocked until they were virus scanned and proven to be clean.
The difference being that the University just blocked everyone by only allowing known MAC addresses on the network at first. Comcast would have to flag people differently by monitoring for excessive email traffic.
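The "watch for excessive email traffic, then move the customer into a restricted pool" idea above, as an added example that is neither the poster's nor Comcast's: a small Python detector over constructed flow records that flags a source contacting too many distinct port-25 peers inside a sliding window (the 10-minute window and 20-peer threshold are assumed values, not anything the thread states).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records, "timestamp src dst dport", one per line. The
# legitimate host 10.0.0.5 only talks to its ISP's smart host; 10.0.0.9 sprays
# mail "direct to MX" at many unrelated hosts. All addresses are made up.
SAMPLE_FLOWS = ["2004-05-24T10:00:00 10.0.0.5 192.0.2.25 25",
                "2004-05-24T10:03:00 10.0.0.5 192.0.2.25 25",
                "2004-05-24T10:07:00 10.0.0.5 203.0.113.80 80"]
SAMPLE_FLOWS += ["2004-05-24T10:%02d:%02d 10.0.0.9 198.51.100.%d 25"
                 % (i // 30, 2 * (i % 30), i) for i in range(1, 41)]


def parse_flows(lines):
    """Parse one record per line into sorted (timestamp, src, dst, dport) tuples."""
    out = []
    for line in lines:
        ts, src, dst, dport = line.split()
        out.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(out)


def find_zombies(flows, window=timedelta(minutes=10), max_peers=20):
    """Return the set of sources that reached more than max_peers distinct
    hosts on port 25 within any sliding window.  Repeated bursts to a single
    smart host never trip the limit; a mailer spraying many MXs does."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    flagged = set()
    for ts, src, dst, dport in flows:
        if dport != 25:           # only outbound SMTP counts
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()           # age out records older than the window
        if len({d for _, d in q}) > max_peers:
            flagged.add(src)
    return flagged


def pool_for(src, flagged):
    """Which address pool the customer lands in: the normal one, or the
    restricted 'probation' pool the thread describes."""
    return "probation" if src in flagged else "normal"
```

Running `find_zombies(parse_flows(SAMPLE_FLOWS))` flags only 10.0.0.9; a host sending 1000 messages through one smart host stays in the normal pool.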
After all, Campbell's alter ego Ash doesn't like zombies (Deadites) either, and he's rather magnificent at dispatching them...
"Right now, somewhere in this world, Scott Baio is plowing a woman he doesn't love," - Peter Griffin, *Family Guy*
Once we start giving up certain abilities we are currently allowed, the spammers have won (this is different from running mail servers).
I couldn't agree more. I was just talking about this with a co-worker yesterday. In fact, I'd go one better - license computer users. If you can't understand and pass a test on basic security procedures, you don't get to buy a computer.
There's a good rationale for this, too, and it's about the same as that behind driver licensing. Insecure boxen don't just affect the user - they screw things up for everyone else, and they cost IT pros money and time. Imagine your work life without spam and viruses...
Interestingly, every person I've evang^H^H^H^H^H introduced to this idea has agreed with it after hearing the arguments - including clueless lusers. Maybe the time has come.
Corruptissima re publica plurimae leges.
It's incorrect, as noted in the replies.
The current whack-a-mole cycle depends on people tracing spam and sending complaints to abuse@ which never bothers answering, so the spammer can pump out 100K-1M spams before getting caught, or more if they're on dialup. This is something you can automate and keep their numbers under 1000 before getting caught, and as another poster points out, once these moles get whacked, they stay whacked.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks