Slashdot Mirror


Comcast Thinks About Stopping Zombies

LehiNephi writes "Comcast has finally admitted that its users are responsible for a large amount of spam, and they are thinking about how to stop it. Apparently they haven't been turning a blind eye to the problem after all. The simple, blanket approach of blocking all traffic on port 25 would have too many side effects, particularly for users running their own mail servers. However, they can block that port on individual cable modems, a sort of surgical strike. As far as I'm concerned, the sooner they implement this, the better!"


  1. Nope. by Anonymous Coward · · Score: 5, Informative

    There is actually an 'official' alternate port for this purpose. See:

    http://www.ietf.org/rfc/rfc2476.txt

    1. Re:Nope. by hpa · · Score: 2, Informative

      Correct (the port is 587.) It's a really nice thing to have on the road - set it up on your home server to *only* accept TLS+SMTP AUTH, and you don't have to deal with blocking.

    2. Re:Nope. by Anonymous Coward · · Score: 2, Informative

      3.1. Submission Identification

      Port 587 is reserved for email message submission as specified in this document. Messages received on this port are defined to be submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with additional restrictions as specified here.

      While most email clients and servers can be configured to use port 587 instead of 25, there are cases where this is not possible or convenient. A site MAY choose to use port 25 for message submission, by designating some hosts to be MSAs and others to be MTAs.
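The policy hpa describes above (a submission port that accepts mail only over TLS and only after SMTP AUTH) is easy to state but the ordering matters: AUTH must be refused on a cleartext session, and MAIL FROM must be refused on an unauthenticated one. The following is an added example, not code from the original thread or from any real MSA: a toy server-side state machine for a port 587 session with the credential store, hostname and client commands all constructed for the example. It shows the replies a blasting zombie gets versus those a properly configured road-warrior client gets.

```python
import base64
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed credential store for the example; not from the original post.
USERS = {"hpa": "correct horse battery staple"}


@dataclass
class Session:
    tls: bool = False            # set once STARTTLS has completed
    user: Optional[str] = None   # set once AUTH succeeded
    transcript: List[str] = field(default_factory=list)


def handle(s: Session, line: str) -> str:
    """Return the MSA's reply to one client command, enforcing the policy
    STARTTLS before AUTH and AUTH before MAIL FROM."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "EHLO":
        # Advertise AUTH only once the channel is encrypted; on cleartext the
        # only interesting extension offered is STARTTLS.
        exts = ["250-AUTH PLAIN"] if s.tls else ["250-STARTTLS"]
        return "\r\n".join(["250-msa.example.net"] + exts + ["250 8BITMIME"])
    if verb == "STARTTLS":
        if s.tls:
            return "503 5.5.1 TLS already active"
        s.tls = True  # a real server performs the TLS handshake here
        return "220 2.0.0 Ready to start TLS"
    if verb == "AUTH":
        if not s.tls:
            return "538 5.7.11 Encryption required for requested authentication mechanism"
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 5.5.4 Unrecognized authentication type"
        try:
            # SASL PLAIN: base64("\0" + authcid + "\0" + password)
            _, user, pw = base64.b64decode(blob).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 5.5.2 Cannot decode response"
        if USERS.get(user) != pw:
            return "535 5.7.8 Authentication credentials invalid"
        s.user = user
        return "235 2.7.0 Authentication successful"
    if verb == "MAIL":
        if not s.user:
            return "530 5.7.0 Authentication required"
        return "250 2.1.0 Ok"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "502 5.5.2 Command not implemented"


def run(commands: List[str]) -> List[str]:
    """Drive one session through the commands; return the reply codes in order."""
    s = Session()
    return [handle(s, c)[:3] for c in commands]


def plain_blob(user: str, pw: str) -> str:
    """Encode credentials the way a client sends them for AUTH PLAIN."""
    return base64.b64encode(f"\0{user}\0{pw}".encode()).decode()


if __name__ == "__main__":
    good = plain_blob("hpa", "correct horse battery staple")
    # A spam zombie that just starts sending is refused at MAIL FROM.
    print(run(["EHLO zombie", "MAIL FROM:<spam@example.com>"]))
    # AUTH on a cleartext session is refused outright.
    print(run(["EHLO laptop", "AUTH PLAIN " + good]))
    # The intended path: STARTTLS, re-EHLO, AUTH, then MAIL FROM is accepted.
    print(run(["EHLO laptop", "STARTTLS", "EHLO laptop", "AUTH PLAIN " + good,
               "MAIL FROM:<hpa@example.net>"]))
```

Because nothing on 587 is accepted without credentials, an ISP blocking outbound 25 does not affect this server's users at all, and a compromised neighbour on the same cable segment gets nothing but 530s from it.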

  2. Block outgoing, not incoming by crow · · Score: 2, Informative

    If they block outgoing port 25, but not incoming, then it shouldn't mess up people who are running their own mail servers, provided they configure them to use the ISP's mail server as a relay. That's how the whole system was originally supposed to work in the pre-spam days, anyway.

    On the other hand, there's no need to block incoming port 25 unless they're afraid of people running unsecured open relays. Fortunately, that's rarely the case, right? Or are the virus zombies really turned into raw open relays? I'm under the impression that they're controlled more directly, presumably through some different port.

  3. Re:why port 25 by gnuman99 · · Score: 2, Informative

    They meant destination port - from X port on comcast to port 25 elsewhere..

  4. Re:why port 25 by Caradoc · · Score: 4, Informative

    If the spammer wants to *send* spam out, they're going to aim at port 25 on the target box.

    If they aim at any other port, they're very likely to see nothing but "Connection denied" messages.

    I've already got most of Comcast simply blocked from my mailservers, simply because I never see anything but spam coming from them: /^.*\.client\.comcast\.net/ 550 comcast direct-to-mx

    If they REALLY want to send me e-mail, they need to send it through a non-client address (for example, through Comcast's own mailservers...)

    It's nice to see that someone at Comcast is waking up, though. I'd been reporting spam coming from a triplet of IP addresses for approximately four months before I simply blackholed the entire /24 there.

    Now, to see if they can actually *do* anything about the problem they just noticed...

    --
    Specialization is for insects. - R.A.H.
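Caradoc's one-liner above is in the format of a Postfix PCRE access table: a regular expression matched against the connecting client's reverse-DNS name, followed by the action to take. The block below is an added example, not code from the post or from Postfix: a small Python evaluator for that table format, with Caradoc's rule plus two constructed rules (an allow for the ISP's own relays placed ahead of the catch-all, and a generic dynamic-hostname reject), run against constructed PTR data. It shows why rule order matters and what happens when a client has no reverse name at all.

```python
import re
from typing import List, Tuple

# Constructed access table in Postfix pcre-table syntax ("/regex/flags action"
# per line). Only the direct-to-mx rule comes from Caradoc's post; the others
# are made up for this example.
ACCESS_TABLE = r"""
# The ISP's own relays must be allowed *before* any broader reject below.
/^(smtp|mail)\d*\.comcast\.net$/      OK
# Caradoc's rule: refuse mail delivered straight from Comcast client hosts.
/^.*\.client\.comcast\.net$/          550 comcast direct-to-mx
# Generic dynamic-looking reverse names from any provider (case-insensitive).
/^(dsl|dhcp|dyn|pool|ppp)[\w.-]*\./i  550 dynamic address, use your ISP's relay
"""

# Constructed PTR data standing in for a reverse-DNS lookup.
PTR = {
    "192.0.2.17": "c-192-0-2-17.client.comcast.net",
    "192.0.2.18": "smtp3.comcast.net",
    "198.51.100.9": "DSL-198-51-100-9.isp.example",
    "203.0.113.4": "mx.example.org",
}


def parse_table(text: str) -> List[Tuple["re.Pattern", str]]:
    """Parse '/regex/[i] action' lines into (compiled regex, action) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/(i?)\s+(\S.*)$", line)
        if not m:
            raise ValueError(f"bad rule: {line}")
        pattern, flags, action = m.groups()
        rules.append((re.compile(pattern, re.I if flags else 0), action))
    return rules


def client_hostname(ip: str) -> str:
    """Postfix substitutes 'unknown' when the PTR lookup fails or does not
    verify; the constructed PTR map above plays the resolver here."""
    return PTR.get(ip, "unknown")


def check_client(ip: str, rules: List[Tuple["re.Pattern", str]]) -> str:
    """First matching rule wins; no match yields DUNNO (defer to later checks)."""
    name = client_hostname(ip)
    for rx, action in rules:
        if rx.search(name):
            return action
    return "DUNNO"


if __name__ == "__main__":
    rules = parse_table(ACCESS_TABLE)
    for ip in PTR:
        print(f"{ip:15} {client_hostname(ip):35} -> {check_client(ip, rules)}")
    print(f"{'10.0.0.1':15} {client_hostname('10.0.0.1'):35} -> "
          f"{check_client('10.0.0.1', rules)}")
```

Two practical caveats a reader should keep in mind: a regex table is evaluated top to bottom on every connection, so the allow for the ISP's relays has to sit above the reject, and a blanket reject of a whole ISP's client space also rejects the legitimate home servers the thread is arguing about.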
  5. Re:Screw Comcast! by lessthanjakejohn · · Score: 2, Informative

    I am running plenty of servers off of a dynamic IP from the SBC DSL residential package at $29.99 :) Although it sucks, and my upload is maxed at 20kB/s, it is free and I have learned a lot.

    Let's see...
    I'm running Apache, sshd, sendmail, proftpd, mysql... It's perfectly fine for personal use and a few friends

  6. Re:Big difference between zombie and server... by gnuman99 · · Score: 2, Informative
    I better tell the users of my 800-person list and my 500-person list that it's been a great 8-year run, but we shouldn't be using a home mail server for this.

    Just set up the mail server to forward all traffic though your ISP's mail server. Not a big deal.

  7. Comcast's Agreements by Roguelazer · · Score: 5, Informative
    Anybody here ever read a Comcast Usage & Subscriber Agreement? I have. They're quite... chilling to read. Lots of people have posted about the forbidding of running a server of any kind, so here it is: Acceptable Use Policy

    The area you're referring to is
    (xiv) run programs, equipment, or servers from the Premises that provide network content or any other services to anyone outside of your Premises LAN (Local Area Network), also commonly referred to as public services or servers. Examples of prohibited services and servers include, but are not limited to, e-mail, Web hosting, file sharing, and proxy services and servers;

    For example, take a look at this quote, which makes my browser's caching of Slashdot's GNAA posts illegal:
    (ii) post, store, send, transmit, or disseminate any information or material which a reasonable person could deem to be objectionable, offensive, indecent, pornographic, harassing, threatening, embarrassing, distressing, vulgar, hateful, racially or ethnically offensive, or otherwise inappropriate, regardless of whether this material or its dissemination is unlawful;


    Try reading this one: Subscriber Agreement. This section, in particular, gives Comcast permission to view any information transmitted over the network from or to you:
    Comcast shall have no obligation to monitor postings or transmissions made in connection with the Service. However, you acknowledge and agree that Comcast and its agents shall have the right to monitor any such postings and transmissions, including without limitation e-mail, newsgroups, chat, IP audio and video, and web space content
    Section 9's cool too. It says that you waive the right to sue them in a real court, but instead will have a hearing before a "neutral arbitrator". Anyhow, you should read all that stuff. Some of it's absolutely unique.

    If I don't get modded up for this, I'll be amazed
    1. Re:Comcast's Agreements by canon006 · · Score: 2, Informative

      Not so much as a defense of Comcast, just part of my experience with their service. My friend wanted to fool around on a unix command line, learn about permissions, basic commands, stuff like that but he didn't want to do a full Linux install and we didn't know about Knoppix, so our solution was an ssh server on my end and PuTTy on his.

      I read through Comcast's agreements trying to find something that explicitly forbade or allowed this. I couldn't find anything explicit, so rather than risk it, I emailed Comcast customer service. About a day later I received a very nice email explaining that as long as I was aware of possible security issues and capable of setting this up without any support it was perfectly fine.

      I think when it really comes down to it, as long as you're not hurting/affecting anyone else, Comcast doesn't really seem to care what you do. Their agreement(s) just gives them the option to shut you down should you start causing trouble.

  8. Re:How to tell? by deacon · · Score: 2, Informative
    Probably.

    If your modem activity light is on all the time.

    If your network activity box (on your gnome pop up tool bar) is showing traffic even when you are not deliberately doing any network activity.

    If your other network traffic monitors are showing activity when you are not doing any traffic.

    Your modem activity light is, I suppose, the most foolproof method.

    You can always wire up a bell which rings when the modem activity light goes on, so you will have an idea of what is going on.

    Salivation optional.

    ;)


  10. Re:How to tell? by bigberk · · Score: 5, Informative
    Is there an easy way to tell if your own computer is a zombie spambot?
    Yes, there is! If your IP is sending spam, believe me, we will have noticed via our extensive spam traps. Just query your IP at OpenRBL or at dnsstuff to see if you're blocked due to spam received from your IP.

    Note that you can also appear on blocklists for various other reasons. So look into why you're blocked. If you're listed on AHBL, CBL, SpamCop, WPBL for example then your host is probably infected.
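bigberk's advice above (query your own IP against the blocklists) works because a DNSBL is just a DNS zone: you reverse the four octets of the address, append the list's zone, and ask for an A record. The block below is an added example, not code from the post or from any real blocklist: it builds the query name, interprets the answer, and applies the two checks a practitioner actually needs before trusting a result. The zones, return codes and resolver answers are all constructed for the example; real lists document their own 127.0.0.x code meanings.

```python
import ipaddress
from typing import Callable, Dict, List

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the list zone: 192.0.2.17 in
    bl.example.org becomes 17.2.0.192.bl.example.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects IPv6 and garbage
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


# Constructed answers standing in for real A-record lookups.
FAKE_ANSWERS: Dict[str, List[str]] = {
    "17.2.0.192.bl.example.org":  ["127.0.0.2"],   # listed on a spam-trap list
    "17.2.0.192.dyn.example.org": ["127.0.0.10"],  # listed as dynamic space
    "2.0.0.127.bl.example.org":   ["127.0.0.2"],   # conventional test entry
    "2.0.0.127.dyn.example.org":  ["127.0.0.10"],
}


def fake_resolve(name: str) -> List[str]:
    """Stand-in resolver. A dead or parked list that answers every query with
    a non-loopback address is simulated for dead.example.org."""
    if name.endswith(".dead.example.org"):
        return ["198.51.100.1"]
    return FAKE_ANSWERS.get(name, [])  # [] plays the role of NXDOMAIN


def check_dnsbl(ip: str, zones: List[str],
                resolve: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Return {zone: [codes]} for every zone listing `ip`. Only answers inside
    127.0.0.0/8 count as listing codes; anything else means the list is dead,
    hijacked or wildcarded and must not be treated as a hit."""
    hits: Dict[str, List[str]] = {}
    for zone in zones:
        codes = [a for a in resolve(dnsbl_query_name(ip, zone))
                 if ipaddress.ip_address(a) in LOOPBACK]
        if codes:
            hits[zone] = codes
    return hits


def zone_alive(zone: str, resolve: Callable[[str], List[str]]) -> bool:
    """Sanity check before trusting a list: by convention 127.0.0.2 must be
    listed and 127.0.0.1 must not be."""
    return (bool(check_dnsbl("127.0.0.2", [zone], resolve))
            and not check_dnsbl("127.0.0.1", [zone], resolve))


def probably_infected(hits: Dict[str, List[str]], spam_zones: List[str]) -> bool:
    """bigberk's heuristic: a listing on a spam-trap driven list (rather than
    a policy list of dynamic address space) suggests the host itself is
    emitting spam."""
    return any(z in hits for z in spam_zones)


if __name__ == "__main__":
    zones = ["bl.example.org", "dyn.example.org", "dead.example.org"]
    for z in zones:
        print(f"{z}: {'alive' if zone_alive(z, fake_resolve) else 'NOT trustworthy'}")
    hits = check_dnsbl("192.0.2.17", zones, fake_resolve)
    print(hits, "-> infected?" , probably_infected(hits, ["bl.example.org"]))
```

The non-loopback filter is the check people most often skip: when a blocklist shuts down, its domain sometimes ends up wildcarded by a registrar or squatter, and a naive "any A record means listed" check then rejects all mail.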
  11. Re:Registering mail servers? by Sarojin · · Score: 0, Informative

    AT&T Worldnet (dialup) did exactly that, and since they shared mail servers with ATTBI, I would assume that the feature was there too. Unfortunately Comcast did not get that technology when they purchased ATTBI.

    --
    HOW'S MY POSTING? CALL 1-800-POSTING
  12. Re:Port 25 by 93+Escort+Wagon · · Score: 2, Informative

    The problem with this is Comcast's SMTP servers will cough up a "relaying denied" at times when they shouldn't - and I've given up trying to get hold of someone competent at their end to point out this problem.

    I used to use the Comcast SMTP servers with my three e-mail accounts (two of them non-Comcast) if I was connected through their cable. But at times when I'd send from my university e-mail account, mail would get blocked with "relaying denied".

    So now I use the university's SMTP server for everything - as long as I authenticate they'll pass it through.

    I love my cable modem - it's been very reliable. So obviously there are SOME competent folks at Comcast. But they seem to be saving money by hiring their tech support folks from the shallow end of the gene pool.

    --
    #DeleteChrome
  13. Block outgoing port 25 - Yes! by The+Bungi · · Score: 3, Informative
    Why would blocking outbound 25 be a problem?? Cox did it a couple of months ago. Blanket block to all its residential customers, with no advance warning. Just like that.

    It took me three days to figure out why I couldn't connect to my domain server (which is hosted by my ISP).

    Much as I disliked the idea, if Cox did it then Comcast should, too. If anything that would take care of about 90% of all the zombies. The ones in the business customer base are probably counted in the few hundreds and can be dealt with on a case-by-case basis.

    And I don't see why it sucks if you're running your own email server - inbound 25 should not be closed, and you can send through Comcast's relays anyway. Or at least that's how it works with Cox.

  14. Cox Communications already does this... big whoop by Radi-0-head · · Score: 2, Informative

    Unless you pay about $85 a month for a "commercial" account, Cox has been blocking port 25 to anything but their own mailservers for more than a year now.

    It sucks, but nobody can match their speed in my area... certainly not DSL.

  15. Re:Registering mail servers? by swordfishBob · · Score: 2, Informative

    In Australia, Telstra have restricted outgoing port 25 for ADSL customers. Anyone with a static IP isn't blocked. Given you have to ask for static IP and pay a little extra, people who bother are probably more aware of the implications.

    --
    -- All your bass are below two Hz
  16. Re:Big difference between zombie and server... by LostCluster · · Score: 3, Informative

    That'll at least dent the problem. Because right now, the zombies are blasting at full speed. If they had to throttle themselves to only using 1% of the potential outbound bandwidth, that'd solve 99% of spam being sent this way...

  17. Re:Not only not allowed- shouldn't by Phexro · · Score: 2, Informative

    If it's outgoing mail, it's a mail client.

    I doubt that their TOS disallows one to use a mail client.

  18. Re:read your usage agreement by gad_zuki! · · Score: 3, Informative

    No, outbound or inbound port 25 are not blocked. What's probably happening is that the recipient's mail server saw that the IP was from Comcast's IP block and either deleted it outright or labeled it as spam.

    For instance, I can send messages from my mail server on Comcast and they'll get to most places just fine, but both Yahoo and Hotmail will just delete them. Or Comcast already has a system to block these messages to popular domains like Yahoo or Hotmail. So perhaps there is limited filtering.

  19. Re:read your usage agreement by steve+buttgereit · · Score: 2, Informative

    I just realized. The solution isn't for carriers (which is all I view comcast as) to block any services. A better email infrastructure is what is required.

    We've now heard tales of domain keys, SPF what have you. These types of measures are the only ones that will really solve for the problem.

    There is no reason for mail servers to be anonymous or blindly relay. Mail admins should also decide whether to accept email from anonymous sources or not. By bringing to bear some sort of digital signature solution for servers and even users, you would be able to put a serious speedbump in front of spammers.

    Punishing independent minded people such as myself is not correct.

  20. Re:Not only not allowed- shouldn't by Corbets · · Score: 3, Informative

    Simple. I want to send mail with a return address of @lancemcgrath.com, which is my domain.

    Comcast's mail servers won't let me "forge" the headers like that.

    Reason found.

  21. Re:read your usage agreement by v01d · · Score: 2, Informative

    Time Warner doesn't officially allow mail servers either, but they actively probe you for being an open relay and warn you to fix it before they cancel your account. Pretty good policy I think. After I moved I had to switch to Wide Open West, which also doesn't allow mail servers but also doesn't enforce the rule.

    The only problems I have with my mail server is that I can't send to AOL, and really why would I want to do that?

  22. MediaOne and AT&T used to filter by PDG · · Score: 2, Informative

    Before Comcast bought it out (though technically the same people and service), I had my broadband service temporarily shut down because they detected an open relay mail server on my line.

    Once I shut off relaying, they had no problems turning the service back on.

    --
    "Where is my mind?"
  23. IAAMCCNE by papasui · · Score: 4, Informative

    I am a major cable company network engineer... and while the idea of allowing certain people access to having the ports open is nice in theory, it would be nearly impossible to implement on a large scale operation. With existing infrastructure all restrictions are placed in the access control list on the CMTS router, short of purchasing additional firewall equipment that can service half a million customers, which would run upwards of hundreds of thousands of dollars. The only way to selectively allow individual IP addresses to be able to use outbound would be to have individual allow statements for each customer who requested it placed on the ACL. Since nobody but the network group is allowed access to these systems, we would need individual people dedicated to simply adding IP addresses to the ACL. And of course, since each time a packet on port 25 is sent the entire outbound port 25 ACL is processed, the load on the routers would be so high that additional upgrades would be necessary.

    The entire reason to block all outbound port 25 connections is to stop those with viruses/spam relays from causing the ISP's email server to end up on blacklists from the likes of AOL, Earthlink, and other very large ISPs. So the trade-off is you inconvenience those customers who are already violating the acceptable use policy by running a prohibited email server, or force them to use your outgoing SMTP server. In the end the vast majority of customers are much happier because their email works better, has less spam and garbage, and the ISP has less work to do contacting and disabling the service of those customers spreading viruses or spam via email.

    If you're the type that needs a service that allows servers, static IPs, 4 hour service resolutions, higher upload, then you can pay extra for those things and get a business class connection. That's really what it boils down to.

  24. Re:Port 25 by Maserati · · Score: 3, Informative

    According to the article, "Comcast users send out about 800 million messages a day, but a mere 100 million flow through the company's official servers." so until the zombies get updated this'll stop 700 million spam a day.

    About fucking time a provider started doing something about their users.

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  25. Re:Registering mail servers? by c0bw3b · · Score: 2, Informative

    Well, as nice as that would be, it's most certainly going to be an all or nothing type thing. The way Comcast support is structured, the customer has absolutely no way to get contact with someone that can just "switch on" a particular port.

    Comcast has no intention of empowering their Phone techs, either. We lowly phone monkeys can't even CREATE a fricking email address anymore, THAT has to be escalated to our 2.5 support.

    --
    ||:|::
  26. Alternate ports by KalvinB · · Score: 3, Informative

    Cox blocks port 25 inbound and outbound. It used to be an outbound block only until MyDoom showed up.

    This is why Indie-Mail (which is colocated with another ISP) runs the SMTP server on ports 25 and 28. I didn't care to have to run my mail through Cox.

    Other people who run public mail servers would be smart to offer that feature. It allows their legitimate customers a way to avoid having to run all their mail through their ISP and doesn't do anything to help spammers.

    Unless everybody used the same alternate port enough that e-mail viruses just started using the alt port and the standard.

    Ben

    1. Re:Alternate ports by JofCoRe · · Score: 2, Informative

      Comcast blocks port 25 outbound. Simple fact

      Not quite that simple. In fact, when I emailed comcast last November regarding some other issues I was having w/port 80, they told me:

      The only ports that may be actively blocked on the Comcast network are
      67, 68, 137, 138, 139, 512, 520, and 1080 at this time. Any ports that
      are blocked will not be unblocked. Please also be advised that Comcast
      reserves the entitlement to block any ports on the network without prior
      notice. We thank you for understanding this security policy.


      Could've changed since then, but I don't think so... otherwise I wouldn't be getting any email :) They may have different rules and policies for different markets/sections of the country though, so just because that's how it is for me doesn't necessarily mean it's company-wide.

      --

      Place sig here.
  27. Re:read your usage agreement by dchamp · · Score: 3, Informative

    143 is imap, 993 is imaps. That's not "outbound" email. IMAP (like POP) is a client protocol for accessing email (or news) servers. See the imap web site for info.

    These people are talking about SMTP - port 25 - which is how email servers send / receive email messages between servers.

  28. Re:read your usage agreement by muckdog · · Score: 3, Informative

    Correct. The group that this would affect most directly is telecommuters, the ones that use authentication with their company's SMTP server. Broadband is almost a requirement if you are telecommuting.

  29. Re:read your usage agreement by Red+Alastor · · Score: 2, Informative

    My ISP doesn't allow servers by default, but it is said in the Terms of Service that they will judge on a case by case basis and you can contact them to get permission. My ISP is Globetrotter, in Quebec / Canada

    --
    Slashdot anagrams to "Sad Sloth"
  30. Collective Nouns by APDent · · Score: 2, Informative

    AC: Comcast IS proposing... Damn illiterate fuck.
    saforrest: Maybe ey's British.

    The AC IS provincial and ignorant.

    As you (saforrest) point out, collective nouns in British English are usually treated as plurals.

  31. Re:Offer a /dev/null machine address too by eswierk · · Score: 3, Informative

    A student at Stanford is working on a technique called Active Internet Traffic Filtering that works in a similar way to what you describe, blocking malicious traffic as close to its source as possible.

  32. Re:Port 25 by TarpaKungs · · Score: 2, Informative
    As to the privacy issue, simply by the way SMTP works your data is going to be forwarded through someone's SMTP server (unless you happen to be really close network-wise to the person you're mailing)

    This is misleading. In practical terms, SMTP store and forward is very rarely invoked these days. Your outbound mail server will do an MX lookup on the domain of the recipient address and contact the recipient's SMTP server directly.

    Likely scenarios where store and forward may be used:

    a) Big corporation/military. The mail *may* be gated into an internal network by their public facing SMTP server then routed halfway round the world on the internal network.

    b) Backup SMTP server - if it's impossible to contact the main MX entries, someone may have a backup SMTP service provided by an ISP or something which will store the mail until it can (eventually) contact your main SMTP servers.

    Technically I use store and forward at work, where one machine does all the processing (virus, spam, mailing lists etc) and forwards it to the machine that has the user's home directory on local disk, just to avoid using NFS. But that is a local setup so it doesn't really count here.

    --
    Why can't women be like Hedy Lamarr - beautiful, talented and inventors of frequency-hopping spread-spectrum techn
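TarpaKungs' point above is that a sending MTA resolves the recipient domain's MX records and connects to the lowest-preference host directly; only when every primary is unreachable does mail land on a backup MX and get stored and forwarded. The block below is an added example, not code from the post or from any MTA: the MX selection procedure in Python, run against constructed DNS data, including the two edge cases a practitioner has to get right: a domain with no MX at all (implicit MX on the A record, RFC 5321 section 5.1) and a "null MX" (RFC 7505), which means "never deliver here" and must not fall back to the A record.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS data using documentation names and addresses; not real hosts.
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "example.org": [
        (20, "mx-backup.isp.example.net"),  # TarpaKungs' scenario (b): ISP-hosted backup
        (10, "mx1.example.org"),
        (10, "mx2.example.org"),
    ],
    "nullmx.example": [(0, ".")],  # RFC 7505 null MX: the domain accepts no mail
}
A_RECORDS: Dict[str, str] = {"nomx.example": "192.0.2.99"}


def mx_targets(domain: str,
               mx: Dict[str, List[Tuple[int, str]]] = MX_RECORDS,
               a: Dict[str, str] = A_RECORDS) -> List[str]:
    """Return the hosts to try, in order. Lowest preference first; real MTAs
    shuffle hosts of equal preference, this example sorts by name so the
    result is deterministic."""
    recs = mx.get(domain)
    if recs is None:
        # No MX: RFC 5321 says treat the domain itself as an implicit MX if it
        # has an address record.
        return [domain] if domain in a else []
    if recs == [(0, ".")]:
        return []  # null MX: bounce immediately, never fall back to the A record
    return [host for _, host in sorted(recs)]


def deliver(domain: str, connect: Callable[[str], bool]) -> Optional[str]:
    """Attempt delivery to each MX in turn. Returns the host that accepted the
    connection, or None meaning 'queue it and retry later' (or bounce, for a
    null-MX domain). `connect` stands in for the TCP/SMTP handshake."""
    for host in mx_targets(domain):
        if connect(host):
            return host
    return None


if __name__ == "__main__":
    print(mx_targets("example.org"))
    # Both primaries down: mail goes to the backup, which stores and forwards.
    down = {"mx1.example.org", "mx2.example.org"}
    print(deliver("example.org", lambda h: h not in down))
    # Everything reachable: mail goes straight to mx1, no intermediate hop.
    print(deliver("example.org", lambda h: True))
    print(deliver("nomx.example", lambda h: True))
    print(deliver("nullmx.example", lambda h: True))
```

This is also why the thread's "just relay through the ISP" advice works transparently for recipients: whether a message arrived via Comcast's relay or direct-to-MX, the final hop is still the recipient's own lowest-preference MX.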
  33. Re:proxy everything until asked by Bob+Uhl · · Score: 2, Informative
    I do hope that you're being facetious. TCP ports are not physical entities which must be paid for; they aren't even really logical entities. A packet (actually, IP is packets; I think TCP is frames or datagrams or something) simply has a header field which notes the port it's for: it could be 25, or 80 (HTTP) or 14,062.

    If you are being facetious, you're quite right. The companies will always make one pay, on a recurring basis, for things which should at most be covered by a setup fee (it takes a tech all of 30 seconds to remove the block, and thereafter takes no maintenance at all).

  34. I read the usage agreement - then I experimented. by Medievalist · · Score: 3, Informative

    I'm a Comcast customer with a mailserver. I also have an iptables firewall and a zoned defense with an IDS (running no IP address) in the "dirty" zone.

    All these things are true on my connection:

    Incoming port 25 is not blocked from the outside world.

    Incoming port 25 is blocked from other Comcast IP addresses.

    Outgoing port 25 is not blocked to the outside world (but is often filtered out by other networks. Widespread adoption of SPF will make this problem worse).

    Outgoing port 25 is blocked to other comcast addresses - except to the comcast mailservers.

    The comcast mailservers will relay anything that comes from a comcast IP, unfortunately they do this without even the most cursory scanning, so there are several virii (including at least one variant of klez) that are constantly being relayed out into the world at large by the comcast mailservers.

    Blocks and tarpits come and go on other ports; mostly on NetBIOS ports. I block all netbios, but occasionally nmapping from outside comcast will show those ports as "open" (needless to say, my logs at home show the nmap packets never reached me).

    This is the empirical truth, based on actual observation, in my section of the comcast net. There may be different conditions elsewhere.

    I offered to fix comcast's problems for them, using excessed equipment and OSS (I figure it'd take about a week to implement a permanent solution to all virii and most spam on comcast) but their phone support guys were incapable of understanding what I was saying.
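Medievalist's remark above that "widespread adoption of SPF will make this problem worse" for direct-to-MX home servers follows from how SPF is evaluated: the receiving MX looks up the sender domain's SPF TXT record and checks whether the connecting IP is authorised by it. A home server on a dynamic cable address that is not listed in its own domain's record, and whose ISP's relays it bypasses, fails. The block below is an added example, not code from the post or from any SPF library: a deliberately small evaluator for the `ip4`, `ip6`, `include` and `all` mechanisms over constructed TXT records (the domain names and address ranges are documentation values, not any real ISP's). It does not handle `a`, `mx`, `ptr`, `exists` or `redirect=`, and says so by returning permerror.

```python
import ipaddress
from typing import Dict

# Constructed SPF records. example.org authorises its colo /24 and, via
# include, whatever its ISP publishes for the ISP's outbound relays.
TXT: Dict[str, str] = {
    "example.org": "v=spf1 ip4:198.51.100.0/24 include:_spf.isp.example.net -all",
    "_spf.isp.example.net": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip: str, domain: str, txt: Dict[str, str] = TXT, depth: int = 0) -> str:
    """Evaluate `domain`'s SPF record for a connection from `ip`.
    Supported mechanisms: all, ip4, ip6, include. Returns one of
    pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-causing terms at 10; bound recursion
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == sender.version and sender in net
        elif mech == "include":
            inner = spf_check(ip, arg, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # an include of a domain without SPF is an error
            matched = inner == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists, redirect= not implemented here
        if matched:
            return RESULT[qualifier]
    return "neutral"  # ran off the end of the record without a match


if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "example.org"),   # the colo server itself
        ("203.0.113.5", "example.org"),    # relayed through the ISP's outbound MTA
        ("192.0.2.44", "example.org"),     # home box on a dynamic IP, direct-to-MX
        ("192.0.2.44", "nospf.example"),   # domain publishes no SPF at all
    ]
    for ip, dom in cases:
        print(f"{ip:14} from {dom:22} -> {spf_check(ip, dom)}")
```

The third case is Medievalist's scenario: the same message sent from the same home server passes if it is relayed through the ISP's MTA (whose addresses the `include` pulls in) and fails if it goes direct-to-MX from the cable IP. The only way to keep direct delivery working under SPF is to list the home address in the record, which a dynamic address makes impractical.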