Slashdot Mirror

← Back to Stories (view on slashdot.org)

Comcast Thinks About Stopping Zombies

Posted by timothy on from the get-to-it-fellas dept.

LehiNephi writes "Comcast has finally admitted that its users are responsible for a large amount of spam, and they are thinking about how to stop it. Apparently they haven't been turning a blind eye to the problem after all. The simple, blanket approach of blocking all traffic on port 25 would have too many side effects, particularly for users running their own mail servers. However, they can block that port on individual cable modems-a sort of surgical strike. As far as I'm concerned, the sooner they implement this, the better!"

16 of 592 comments (clear)

  1. Nope. by Anonymous Coward · · Score: 5, Informative

    There is actually an 'official' alternate port for this purpose. See:

    http://www.ietf.org/rfc/rfc2476.txt

  2. Re:why port 25 by Caradoc · · Score: 4, Informative

    If the spammer wants to *send* spam out, they're going to aim at port 25 on the target box.

    If they aim at any other port, they're very likely to see nothing but "Connection denied" messages.

    I've already got most of Comcast simply blocked from my mailservers, simply because I never see anything but spam coming from them: /^.*\.client\.comcast\.net/ 550 comcast direct-to-mx

    If they REALLY want to send me e-mail, they need to send it through a non-client address (for example, through Comcast's own mailservers...)

    It's nice to see that someone at Comcast is waking up, though. I'd been reporting spam coming from a triplet of IP addresses for approximately four months before I simply blackholed the entire /24 there.

    Now, to see if they can actually *do* anything about the problem they just noticed...

    --
    Specialization is for insects. - R.A.H.
  3. Comcast's Agreements by Roguelazer · · Score: 5, Informative
    Anybody here ever read a Comcast Usage & Subscriber Agreement? I have. They're quite... chilling to read. Lots of people have posted about the forbidding of running a server of any kind, so here it is: Acceptable Use Policy

    The area you're referring to is
    (xiv) run programs, equipment, or servers from the Premises that provide network content or any other services to anyone outside of your Premises LAN (Local Area Network), also commonly referred to as public services or servers. Examples of prohibited services and servers include, but are not limited to, e-mail, Web hosting, file sharing, and proxy services and servers;

    For example, take a look at this quote, which makes my browser's caching of Slashdot's GNAA posts illegal:
    (ii) post, store, send, transmit, or disseminate any information or material which a reasonable person could deem to be objectionable, offensive, indecent, pornographic, harassing, threatening, embarrassing, distressing, vulgar, hateful, racially or ethnically offensive, or otherwise inappropriate, regardless of whether this material or its dissemination is unlawful;


    Try reading this one: Subscriber Agreement. This section, in particular, gives Comcast permission to view any information transmitted over the network from or to you:
    Comcast shall have no obligation to monitor postings or transmissions made in connection with the Service. However, you acknowledge and agree that Comcast and its agents shall have the right to monitor any such postings and transmissions, including without limitation e-mail, newsgroups, chat, IP audio and video, and web space content
    Section 9's cool too. It says that you waive the right to sue them in a real court, but instead will have a hearing before a "neutral arbitrator". Anyhow, you should read all that stuff. Some of it's absolutely unique.

    If I don't get modded up for this, I'll be amazed
    --
    My Systems
  4. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  5. Re:How to tell? by bigberk · · Score: 5, Informative
    Is there an easy way to tell if your own computer is a zombie spambot?
    Yes, there is! If your IP is sending spam, believe me, we will have noticed via our extensive spam traps. Just query your IP at OpenRBL or at dnsstuff to see if you're blocked due to spam received from your IP.

    Note that you can also appear on blocklists for various other reasons. So look into why you're blocked. If you're listed on AHBL, CBL, SpamCop, WPBL for example then your host is probably infected.
  6. Block outgoing port 25 - Yes! by The+Bungi · · Score: 3, Informative
    Why would blocking outbound 25 be a problem?? Cox did it a couple of months ago. Blanket block to all its residential customers, with no advance warning. Just like that.

    It took me three days to figure out why I couldn't connect to my domain server (which is hosted by my ISP).

    Much as I disliked the idea, if Cox did it then Comcast should, too. If anything that would take care of about 90% of all the zombies. The ones in the business customer base are probably counted in the few hundreds and can be dealt with on a case-by-case basis.

    And I don't see why it sucks if you're running your own email server - inbound 25 should no be closed, and you can send through Comcast's relays anyway. Or at least that's how it works with Cox.

  7. Re:Big difference between zombie and server... by LostCluster · · Score: 3, Informative

    That'll at least dent the problem. Because right now, the zombies are blasting at full speed. If they had to throttle themselves to only using 1% of the potential outbound bandwidth, that'd solve 99% of spam being sent this way...

  8. Re:read your usage agreement by gad_zuki! · · Score: 3, Informative

    No, outbound or inbound port 25 are not blocked. What's probably happening is that the recpient's mail server saw that the IP was from Comcast's IP block and either deleted it outright or labeled it as spam.

    For instance, I can send messages my mail server on comcast and it'll get to most places just fine but both Yahoo and Hotmail will just delete it. Or Comcast already has a system to block these messages to popular domains like yahoo or hotmail. So perhaps there is limited filtering.

  9. Re:Not only not allowed- shouldn't by Corbets · · Score: 3, Informative

    Simple. I want to send mail with a return address of @lancemcgrath.com, which is my domain.

    Comcast's mail servers won't let me "forge" the headers like that.

    Reason found.

  10. IAAMCCNE by papasui · · Score: 4, Informative

    I am a major cable company network engineer... and while the idea of allowing certain people access to having the ports open is nice in theory, it would be nearly impossible to implement on a large scale operation. With existing infrastructure all restrictions are placed in the access control list on the CMTS router. Without purchasing additional firewall equipment that can service a 1/2 million customers, which would run upwards of hundreds of thousands of dollars. The only way to selectively allow individual ip addresses to be able to use outbond would be to have individual allow statements for each customer who requested it placed on the ACL. Since nobody but the network group is allowed access to these systems we would need individual people dedicated to simply adding ip addresses to the ACL. And of course since each time a packet on port 25 is sent the entire outbound port 25 ACL is processed the load on the routers would be so high that additonal upgrades would be necessary. The entire reason to block all outbound port 25 connections is to stop those with viruses/spam relays from causing the isp's email server from ending up on blacklists from the likes of AOL, earthlink, and other very large isps. So the trade off is you inconvince those customer's who are already violating the acceptable use policy by running a prohibited email server or force them to use your outgoing smtp server. In the end the vast majority of customers are much happier because their email works better, has less spam and garbage and the isp has less work to do by contacting and disabling the service of those customer's spreading viruses or spam via email. If your the type that needs a service that allows servers, static ips, 4 hour service resolutions, higher upload then you can pay extra for those things and get a business class connection. That's really what it boils down to.

  11. Re:Port 25 by Maserati · · Score: 3, Informative

    According to the article, "Comcast users send out about 800 million messages a day, but a mere 100 million flow through the company's official servers." so until the zombies get updated this'll stop 700 million spam a day.

    About fucking time a provider started doing something about their users.

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  12. Alternate ports by KalvinB · · Score: 3, Informative

    Cox blocks port 25 inbound and outbound. It used to be an outbound block only until MyDoom showed up.

    This is why Indie-Mail (which is colocated with another ISP) runs the SMTP server on ports 25 and 28. I didn't care to have to run my mail through Cox.

    Other people who run public mail servers would be smart to offer that feature. It allows their legitmate customers a way to avoid having to run all their mail through their ISP and doesn't do anything to help spammers.

    Unless everybody used the same alternate port enough that e-mail viruses just started using the alt port and the standard.

    Ben

    --
    Work Safe Porn
  13. Re:read your usage agreement by dchamp · · Score: 3, Informative

    143 is imap, 993 is imaps. That's not "outbound" email. IMAP (like POP) is a client protocol for accessing email (or news) servers. See the imap web site for info.

    These people are talking about SMTP - port 25 - which is how email servers send / receive email messages between servers.

  14. Re:read your usage agreement by muckdog · · Score: 3, Informative

    Correct, The group that this would effect most directly is telecommuters. The ones that use authenticaion with their company's smtp server. Broadband is almost a requirement if you are telecommuting.

  15. Re:Offer a /dev/null machine address too by eswierk · · Score: 3, Informative

    A student at Stanford is working on a technique called Active Internet Traffic Filtering that works in a similar way to what you describe, blocking malicious traffic as close to its source as possible.

  16. I read the usage agreement - then I experimented. by Medievalist · · Score: 3, Informative

    I'm a comcast customer with a mailserver. I also have an IPtables firewall and a zoned defense with an IDS (running no IP address) in the "dirty" zone.

    All these things are true on my connection:

    Incoming port 25 is not blocked from the outside world.

    Incoming port 25 is blocked from other Comcast IP addresses.

    Outgoing port 25 is not blocked to the outside world (but is often filtered out by other networks. Widespread adoption of SPF will make this problem worse).

    Outgoing port 25 is blocked to other comcast addresses - except to the comcast mailservers.

    The comcast mailservers will relay anything that comes from a comcast IP, unfortunately they do this without even the most cursory scanning, so there are several virii (including at least one variant of klez) that are constantly being relayed out into the world at large by the comcast mailservers.

    Blocks and tarpits come and go on other ports; mostly on NetBIOS ports. I block all netbios, but occasionally nmapping from outside comcast will show those ports as "open" (needless to say, my logs at home show the nmap packets never reached me).

    This is the empirical truth, based on actual observation, in my section of the comcast net. There may be different conditions elsewhere.

    I offered to fix comcast's problems for them, using excessed equipment and OSS (I figure it'd take about a week to implement a permanent solution to all virii and most spam on comcast) but their phone support guys were incapable of understanding what I was saying.