Comcast Thinks About Stopping Zombies
LehiNephi writes "Comcast has finally admitted that its users are responsible for a large amount of spam, and they are thinking about how to stop it. Apparently they haven't been turning a blind eye to the problem after all. The simple, blanket approach of blocking all traffic on port 25 would have too many side effects, particularly for users running their own mail servers. However, they can block that port on individual cable modems, a sort of surgical strike. As far as I'm concerned, the sooner they implement this, the better!"
Comcast cable modem customers aren't allowed to run mail servers anyway, so I doubt the side-effects would bother them
All they need to do is to restrict SMTP outbound connections to their own mail servers. Forcing traffic through their own machines will quickly point out who the abusers are, and they can likewise filter for viruses and worms, preventing propagation.
I think it's a good idea. But why stop there? Disconnect the zombies until they fix the problem on their computer.
What if they had a *simple* process for registering your mail server with them? 5 minutes, maybe $20 and that's it?
People who run their own mail servers are control freaks and had better be technically minded enough to call the Admins at Comcast in order to register their mail server.
Otherwise, who'd notice or care?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Why don't they block it on ALL cable modems and let people unblock it if they wish? The majority of users who go through the trouble to unblock it are going to run secure machines. Even if they don't, it's going to reduce the number of spam bots.
And they won't have the privacy advocates all over them...
But how long will that hold true? If comcast users really are a large percentage of the zombie boxes out there, and if Comcast just looks for bursts of activity on port 25, then it won't be long before spammers/scammers/virus writers start writing viruses that send mail in a way that looks like a real person.
find / -name "*.sig" | xargs rm
They now have a choice - how much is it going to cost them if they do NOT implement some policy that prevents their users from spamming the entire world, and they end up getting all of their e-mail blocked?
And how much money could have been saved if they'd implemented such a policy when people started telling them it was a problem (it's been several years since people started telling Comcast that their users were a load of USDA Prime Clue-Free Spam Zombies...)
It's interesting how much money can be saved by paying attention to the small, seemingly innocent details before they add up to be monstrous problems.
Specialization is for insects. - R.A.H.
From the comments so far I've seen "I don't have the money to pay for a static IP address." I know that it sucks that not everyone can have static IP addresses, but that's something you should take up with your provider. Why should the rest of the Internet Service Providers out there pay for your ability to send email from a dynamic IP address? You can't begin to imagine how much spam we are able to drop because of those two simple blocks (client.comcast.net and client2.comcast.net)... It's to the point where we would need to add at least another mail server to accept the email coming from those ranges. That's simply not something we are willing to do when 99.9999% of all email from those dynamic ranges is spam.
:-)
You can blame me and the other ISP's out there that refuse to accept mail from dynamic ranges, but you should be blaming the spammers for ruining email as we know it, and you should blame your provider for not allowing you to have a static IP address.
The ISP I work for only does static IP addresses (except for dialup customers); all of our DSL customers are allocated a static IP address. This is common if you shop around. From what I understand there are many bigger providers that will allow you to have a static IP address for a few more dollars a month if you can show that you are not using it for commercial purposes; furthermore, ISPs like SpeakEasy offer static IP addresses as a part of their typical DSL offerings (no, I don't work for them).
Also, if you're running a server on those dynamic ranges with Comcast you are clearly violating their TOS. Again, vote with your wallet and find a provider that is more reasonable with their TOS and IP space. Or get a few friends together and pitch in for a virtual server somewhere. You can find a decent virtual server that will suit all of your needs for less than $50 a month; hell, get 5 friends together and it's only $10 a month, surely you can afford that. Plus you can say you have your own server somewhere.
Up until now, ISPs have been able to hide behind their status as a common carrier for anything illegal that their customers do. They don't monitor, thus, they can't do anything about it. Comcast is admitting their ability and willingness to monitor the types of traffic their customers are producing, and block undesirable traffic. How long before this gets turned around and smacks Comcast (and their customers) with problems?
Speakeasy lets us run whatever the heck we want. Then again, every month or so I see their relay testing in my Postfix logs. It's a strange concept: innocent until found guilty.
My local ASP has a good solution to this. By default, port 25 is blocked, but customers can ask for it to be allowed through. The presumption is that if you know enough to ask for port 25, then you can take proper responsibility for your machines.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
Just because you can't think of a reason to not use the Comcast server does not mean there are not good ones. I've recently been put in the same boat by BellSouth, and I assure you there are good reasons for not wanting port 25 blocked.
First of all, if you, like me, have a notebook and actually move frequently from location to location (home, work, family and friends' houses, public sites with wireless access) then you want to be able to configure your mail client so that it will reach a mail server that you can log into and not have to change settings every time you change location. If you have a mail server outside of a "me only" mentality ISP then this is simple and straightforward. But when the ISP blocks port 25 (as well as not letting you use their mail servers whenever you're not originating from their network), it's a royal pain in the ass to reconfigure all the time.
Also, if you, like me, administer or help maintain a valid mail server off of the Comcast network, you may well find it important to actually send mail through this server. Or you might even have a company policy that states that all business mail must be sent through the company mail server. No problem if port 25 isn't blocked and you log into the server you want. Big problem if some short-sighted system administrator at your ISP insists that everyone should be expected to use the Internet in exactly the same way.
And I can't speak about quality of service at Comcast, but at BellSouth the mail server is frequently down. This was not a significant problem if I had to send time critical information out as long as I had port 25 open and could log into one of the other servers I use. Now it's a problem even from my desktop system.
Fighting spam is great, but fighting stupidity is even more important.
I'm an American. I love this country and the freedoms that we used to have.
Sorry, sparky, but you're in the vast minority of people.
It is extraordinarily rare for a residential user to desire outbound traffic destined for TCP port 25 except to that ISP's SMTP servers. Personally, I would welcome ISPs making it standard policy to implement these blocks for all their residential customers.
Most ISPs' SMTP servers work regardless of what you put in the From: line, meaning you gain nothing by running your own server. Some do restrict all From: lines to their own domain name; however, this can typically be avoided either by using a Reply-To: address or simply getting an account on one of many public sendmail servers that function on ports other than 25 and require username/password authentication to operate properly.
If every residential ISP blocked outbound port 25, you'd see a *vast* decrease in the amount of spam overnight. That's a *fact*.
What's more important to you?
The vast amount of mail coming from dynamic IP addresses is spam. Users like you are few and far between. As for the P2P services... they SHOULD be shut down as well. 99% of P2P users are stealing software, music, and movies. For everybody that legitimately downloads Linux ISO images off of a P2P network there are 10,000 who steal music, videos and software.
Also, on many networks you will also find that IRC is banned as well because of all the kiddies launching DDoS attacks against IRC servers and clients. Is it a bad protocol? No.. it's quite nifty, but the assholes of society infected it and turned it into an evil protocol, just like P2P networks and SMTP unfortunately.
Comcast could and should have gone ahead and user-runtime-reversibly blocked all of the common low service ports (1-1024) a long time ago.
By user-runtime-reversible I mean:
Put up a web page that I can connect to from my served address only, that lets me check-mark the common ports I want to allow in/out/both. And, most importantly, *NOT* change billing or pricing by check-box etc.
The default map would never be changed by users that don't care, and thus zombie-spam would be greatly reduced.
The custom map would be useful for those who do care.
Keying this on the "hostname" a paying customer sends with their DHCP requests, or by IP address and giving out nearly-static leases by default and clearing the map when a lease is lost, would be child's play. It is no harder technologically than dynamic DNS.
It could be instantiated anonymously one day and only the legitimate users who cared would even notice. As long as there was an obvious "so your ports were just locked on a service you were running at home and you don't like that? here's how to open them" link obviously placed on an "expert users" page on the corporate web site, everything would be self-healing.
Of course that implies that they have rationally segmented their network so that the routers can leverage this information in reasonable time.
Evidence suggests that they have not so segmented. (You would not *believe* the amount of cyclic ARPing across multiple address ranges I see from their servers on my cable modem segment...)
Heck, the simple intelligence-test effect created by requiring a user to find their own hostname string from inside either their active configuration or their setup invoice would be enough to stop all sorts of shenanigans... 8-)
So anyway Comcast, get a nice firewall box, set up a permeable wall with a nice default mask, and let users instantiate a private mask if they so desire by visiting their service settings web page.
Not that hard, unless you bought your infrastructure *really* cheap... 8-)
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Apparently they haven't been turning a blind eye to the problem after all.
Yes, yes they have. They ignore complaints. If they weren't turning a blind eye to the problem, it wouldn't be necessary to totally block Comcast's IP space on mail filters.
They have the ability to take action when they receive abuse reports regarding zombie machines. They have thus far done nothing. It seems as though the volume of users bitching about being firewalled from the rest of the 'net as a result of their ISP's total inaction has finally reached a critical point.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Or just sign up with Speakeasy, that gives you all of the above except an SLA, and doesn't meddle with what you do with your connection and justify it with the misdeeds of hojillions of clueless newbies on their network.
Another proud carrier of the $rtbl flag
If they notice enough traffic to be of a concern (probably not only quantity, but it being sustained) they ring you and ask. If you reply "Uhhh, what's SMTP?" they tell you you have a virus and send you to a page to get it diagnosed and fixed. If it's legit, they drop it.
Also most of the viruses are scanning/spamming other ports (looking for hosts to infect). There is NO legitimate reason I can think of for a host to randomly and intensely scan for port 445 (the Windows fileshare port) on the Internet. You are either virused, and should be cut off, or cracking, and should be cut off and beaten. Thus if you notice 445 scanning, it's a pretty safe bet to shut down the pipe because you've caught a virused host, or a script kiddie.
It's perfectly possible to watch for abnormal traffic and react accordingly. Some of it is just clearly right out (like random, sustained vulnerability scanning of hosts on the Internet) and you need no further investigation. Some is suspect, but nothing a simple phone call can't clear up.
It isn't difficult to allow people like yourself to exist, while proactively cutting off virused users.
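The "watch for abnormal traffic and react" idea in the post above, written out as detection logic over constructed flow records. This is an added example, not code from the thread or from any ISP: the relay address, the thresholds and the ten-minute window are assumptions chosen for the example. It distinguishes the two cases the post names (a burst of direct port-25 deliveries to many hosts, and a sweep of port 445) from a home mail server that relays through the ISP or delivers slowly, so that only the first two earn a flag.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Addresses of the ISP's own SMTP relays (constructed; a real deployment fills
# these in from its inventory). Mail sent to them is the expected path.
ISP_SMTP_RELAYS = {"192.0.2.25"}

# Thresholds and window are assumptions for this example, not numbers from the
# thread: they separate a burst from one user's ordinary traffic.
WINDOW = timedelta(minutes=10)
SMTP_DISTINCT_DST = 20    # distinct port-25 destinations inside one window
SCAN_DISTINCT_DST = 30    # distinct port-445 destinations inside one window


def parse_flow(line):
    """Parse one constructed flow record: 'ISO-TIMESTAMP src=A dst=B dport=N'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])


def classify(lines):
    """Return {source_ip: set_of_flags}; an empty set means nothing suspicious was seen."""
    events = defaultdict(list)          # (src, dport) -> [(timestamp, dst)]
    flags = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = parse_flow(line)
        flags.setdefault(src, set())
        if dport == 25 and dst in ISP_SMTP_RELAYS:
            continue                    # relaying through the ISP is what a smart host does
        if dport in (25, 445):
            events[(src, dport)].append((ts, dst))
    for (src, dport), evs in events.items():
        evs.sort()
        limit = SMTP_DISTINCT_DST if dport == 25 else SCAN_DISTINCT_DST
        start = 0
        for end in range(len(evs)):
            # slide the window so that it spans at most WINDOW of wall-clock time
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            if len({d for _, d in evs[start:end + 1]}) >= limit:
                flags[src].add("smtp-burst" if dport == 25 else "port445-scan")
                break
    return flags


def constructed_flows():
    """Constructed sample records covering the four cases discussed in the thread."""
    base = datetime(2004, 6, 10, 12, 0, 0)
    lines = []
    # zombie: 25 different mail servers contacted directly within two minutes
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} "
                     f"src=10.0.0.5 dst=203.0.113.{i + 1} dport=25")
    # home mail server: relays through the ISP, plus two direct deliveries
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} "
                     f"src=10.0.0.9 dst=192.0.2.25 dport=25")
    for i in range(2):
        lines.append(f"{(base + timedelta(minutes=5 + i)).isoformat()} "
                     f"src=10.0.0.9 dst=198.51.100.{i + 1} dport=25")
    # worm: 40 addresses probed on port 445 inside one minute
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"src=10.0.0.12 dst=198.51.100.{i + 10} dport=445")
    # slow sender: 25 direct deliveries spread over five hours, never a burst
    for i in range(25):
        lines.append(f"{(base + timedelta(minutes=12 * i)).isoformat()} "
                     f"src=10.0.0.7 dst=203.0.113.{i + 100} dport=25")
    return lines


if __name__ == "__main__":
    for src, found in sorted(classify(constructed_flows()).items()):
        print(src, sorted(found) or "normal")
```

The window is keyed on distinct destinations rather than raw message count, which is what separates the two legitimate hosts from the zombie: 10.0.0.7 sends just as many messages as 10.0.0.5 but never to twenty hosts within ten minutes, and 10.0.0.9's relay traffic is not counted at all. The post's "ring you and ask" step would sit on top of the flags this returns.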
No biggie. Every MTA provides a feature to use a "SMART HOST." This is exactly the point of this. INBOUND port 25 does not need to be blocked, just outbound, for this to have an effect. Home users running their own mail server should have nothing to fear assuming they set their servers up to use a smart host.
Honestly, what's one more hop? Play nice and let your ISP know you are doing it. If you're not a hassle to them, I bet they won't care. I've been doing it for years.
Just my 2 cents.
Don't waste time... procrastinate now!
I'm happy to see that they're planning to do something non-drastic. RCN opted to simply block all outbound 25 and inbound 80, which is asinine. Fortunately I'd already moved from them to Comcast by that point, and Comcast wasn't misbehaving. If they start blocking ports, though, I'll go elsewhere.
:-) If they see a shitload of mail flooding out of my mail server constantly, then either I'm a spammer (in which case they should kill my account) or my SMTP server has been hacked, in which case they can notify me and I can fix it, saving everyone in the world a huge hassle. If I don't fix it, then they can turn the port off until I do.
Biggest advantage of running my own mail server? I can run IMAP there as well with squirrelmail, then receive AND send mail from any terminal in the world on my own account. No screwing around with finding the local SMTP server on whatever ISP I happen to be on. That's far more useful than you realize! And no, I do not accept the idea that just because some people abuse SMTP to send spam that we should slam everyone for it. I also run my own DNS server behind my firewall to let me centrally control aliases to various hosts. That's a perfectly benign act. I also make NTP requests, although I don't serve NTP to anyone else.
Someone else suggested a good compromise, I think. Default block anything below 1024 (in the appropriate direction, depending on the port), but let anyone explicitly request any given port to be opened, no questions asked. Quick signup on a web form, no long delay. That automatically keeps 99% of the zombies in check (since zombified users, most likely, won't know what a port is) and allows people like me to make full use of an always-on connection. Anyone who has requested a port be opened, however, is monitored not for content but for volume. OK, they'd get cranky if my home web server were slashdotted. Well so would I.
Makes everyone happy, and kills most zombies in the process.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
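The default-closed, customer-reversible port map proposed twice in this thread (the "user-runtime-reversible" block of ports 1-1024 with a self-service web page, and the "default block anything below 1024, request any port, no questions asked" compromise above), modelled as a small policy object. This is an added example, not code from either poster or from Comcast: the choice of 1-1024, the requirement that the request come from the served address itself, the clearing of the map when a lease is lost, and the nftables-style rule text it renders are all assumptions of the example.

```python
from dataclasses import dataclass, field

# Constructed policy constants (assumptions for this example, not any ISP's values).
LOW_PORTS = range(1, 1025)     # the "common low service ports" closed by default
DIRECTIONS = ("in", "out")


@dataclass
class CustomerMap:
    """Exceptions one customer has checked on the self-service page, keyed on the leased address."""
    ip: str
    opened: dict = field(default_factory=lambda: {"in": set(), "out": set()})


class PortPolicy:
    def __init__(self):
        self.maps = {}             # ip -> CustomerMap, present only while the lease is active

    def lease_granted(self, ip):
        """A new lease starts from the default map: nothing below 1025 is open."""
        self.maps.setdefault(ip, CustomerMap(ip))

    def lease_lost(self, ip):
        """Clearing the map on lease loss stops the next holder of the address inheriting openings."""
        self.maps.pop(ip, None)

    def set_port(self, requester_ip, ip, port, direction, open_it=True):
        """Self-service toggle. Honoured only from the served address and only under an active lease."""
        if direction not in DIRECTIONS:
            raise ValueError(f"direction must be one of {DIRECTIONS}")
        if requester_ip != ip:
            return False           # the page is reachable from the customer's own address only
        cm = self.maps.get(ip)
        if cm is None:
            return False           # no lease, nothing to attach the exception to
        if port not in LOW_PORTS:
            return True            # high ports were never part of the default map
        if open_it:
            cm.opened[direction].add(port)
        else:
            cm.opened[direction].discard(port)
        return True

    def allowed(self, ip, port, direction):
        """Decide one flow: default map for low ports, customer exceptions on top."""
        if port not in LOW_PORTS:
            return True
        cm = self.maps.get(ip)
        return cm is not None and port in cm.opened[direction]

    def nft_rules(self):
        """Render the maps as nftables-style rules (assumed target syntax): exceptions, then the default drop."""
        rules = {d: [] for d in DIRECTIONS}
        for cm in self.maps.values():
            for p in sorted(cm.opened["out"]):
                rules["out"].append(f"ip saddr {cm.ip} tcp dport {p} accept")
            for p in sorted(cm.opened["in"]):
                rules["in"].append(f"ip daddr {cm.ip} tcp dport {p} accept")
        for d in DIRECTIONS:
            rules[d].append(f"tcp dport {LOW_PORTS.start}-{LOW_PORTS.stop - 1} drop")
        return rules


if __name__ == "__main__":
    policy = PortPolicy()
    policy.lease_granted("10.0.0.5")                       # constructed customer address
    policy.set_port("10.0.0.5", "10.0.0.5", 25, "out")     # customer opens outbound SMTP
    policy.set_port("10.0.0.5", "10.0.0.5", 80, "in")      # and an inbound web server
    for direction, lines in policy.nft_rules().items():
        print(direction, lines)
```

Two details carry the security weight. The request is accepted only when it arrives from the address it concerns, which is the "from my served address only" condition from the first post and is what keeps one customer from opening ports for another. And the exceptions live with the lease: when the lease is lost the map is dropped, so a zombie that later receives the same address comes up under the default map rather than inheriting an open port 25.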
So you fire off 1300 mails a day/week? That shouldn't trigger an alarm. When you start sending out 100 mails/min constantly, then they should take notice. 1300 mails is nothing compared to what spam zombies send out.
Who the hell thinks that Comcast is going to do a surgical strike? What is the criteria? What if your port is accidentally blocked? And you call up Comcast, put on hold for 10 seconds and "Sorry, sir! Our mistake! We'll re-enable it right now!"
It is more like blanket block, 100 minutes of phone muzak, and "You are spamming! Company policy! Nope, can't do that! You are mistaken, it is not blocked. Check your configuration. We only support Windows."
Well, I guess being optimistic is all one can do given the crap that is going around the world these days.
Cheers,
e.
The system lets the user out of isolation 30 minutes after the reason for isolation has disappeared. Though there are some users who get into isolation, out of it, back again all day long. One has to wonder what the user is doing with the computer? Just having it on, warming the house? 'Cause they can't surf the net, they can't send email...
This system has reduced outbound spam drastically! And the best part is, we don't have to find out who is infected (dynamic IPs) and then try to contact the end user (many times not the one who pays..).
here's the manufacturer's slide show (don't slashdot him to death..)
I blocked most of Comcast's DUL SMTP traffic a long time ago. I don't care what they do now. It's too late. Any good mail admin at this point, has a very decent list of IP blocks for DUL/Broadband that shouldn't be allowed to send port 25 traffic. Comcast can bite me.
RBLs like SORBS have been great at shutting down the Comcast zombie army. And now a year later they finally want to do something about it? Screw 'em. If you are using Comcast for business internet, you're still going to be screwed because nobody wants to deal with the crap traffic that Comcast can't control, and I'm certainly not unblacklisting their IP space.
Them: "How may we help you?"
Me: "Please unblock TCP port 25, both ways"
Them: "OK, we could do it for $5 a month"
After all, why should millions of people not have to pay for tens of thousands of needed ports?