Slashdot Mirror


Comcast Thinks About Stopping Zombies

LehiNephi writes "Comcast has finally admitted that its users are responsible for a large amount of spam, and they are thinking about how to stop it. Apparently they haven't been turning a blind eye to the problem after all. The simple, blanket approach of blocking all traffic on port 25 would have too many side effects, particularly for users running their own mail servers. However, they can block that port on individual cable modems, a sort of surgical strike. As far as I'm concerned, the sooner they implement this, the better!"

26 of 592 comments

  1. read your usage agreement by lseltzer · · Score: 4, Insightful

    Comcast cable modem customers aren't allowed to run mail servers anyway, so I doubt the side-effects would bother them

    1. Re:read your usage agreement by thedillybar · · Score: 3, Insightful

      Comcast cable modem customers aren't allowed to run mail servers anyway, so I doubt the side-effects would bother them

      Who are you kidding? Just because they aren't allowed to doesn't mean they're not.

      No one is allowed to download copyrighted material without the necessary license either. So I doubt anyone would be bothered by the RIAA implementing a plan to go after music downloaders...

    2. Re:read your usage agreement by wo1verin3 · · Score: 4, Insightful

      technically speaking as per the terms of service (usage agreement) you can't even choose to be the host in a two player online game because that is a service.

      However, ComCast also lives in the real world. While on paper they could make an argument, they're trying NOT to upset the technical folks in their customer base.

    3. Re:read your usage agreement by Anonymous Coward · · Score: 3, Insightful

      The point being that Comcast is well within their rights to block inbound 25.

    4. Re:read your usage agreement by Aaden42 · · Score: 5, Insightful

      There's an awful lot of people missing the point here. To cause trouble for people running their own mail server, they'd need to block INBOUND traffic coming to port 25. That wouldn't stop any of the zombied machines since they're all trying to make OUTBOUND connections going to port 25.

      If you block outgoing 25 (thus stopping zombies) what you also accomplish is preventing any of your customers from using anyone else's SMTP server as their outgoing SMTP server. My web host supports TLS encryption which I prefer to use so at least my neighbors aren't reading my mail.

      Requiring everyone to use the ISP SMTP server is the wrong solution, and it's a complete pain for laptops. I can take my laptop anywhere, plug it in, and know that I can send mail (using authenticated SMTP) through mail.myhost.com. If everybody starts blocking OUTBOUND 25, then wherever I plug in my laptop, I need to ask, "Hey, what's your SMTP server???" A very poor solution to the problem.

      Block 25 for known zombies or just disconnect them completely. When they call ("My Internet's broken!") let 'em know they've gotta patch their box and get some antivirus software (and stop clicking on those damn attachments!!!) before they get their pr0n0 feed turned back on.

    5. Re:read your usage agreement by ajs · · Score: 3, Insightful

      So, indiscriminate blocking of outbound port 25 will have side-effects.

      Both inbound and outbound blocking will cause problems for users like myself. In particular, it will cause those members of Comcast's user-base (like myself) who are looked at by our friends and family as an expert in such matters to not only choose a different ISP for ourselves, but to recommend that those we care about not use the service either. After all, an ISP that tries to choose which parts of the Internet you have a right to talk to is no better than a fancy BBS, and software that my mother might want to run tomorrow could be hampered by that kind of short-sightedness (e.g. if she wanted to host a mail server that I set up for her home business, which I'll be doing next month).

      No, Comcast knows their customers because the people who set all of this up for them are a fair bit like me...

      Besides, customers like me are gold to Comcast. We do all the right things to protect our systems from compromise, we evangelize new users, we test out new services and build future markets for them. Early adopters are exactly what Comcast wants.

    6. Re:read your usage agreement by PygmySurfer · · Score: 4, Insightful

      Yeah, and pop is 110. My point is still valid, I just have an IMAP server in my situation.

      Uhh, no you don't. POP/IMAP only transfer email between your client and your email provider's mail server. SMTP is used to transfer email between hosts on the internet.

      Parent was talking about configuring his/her own SMTP server on their cable connection, and having issues sending mail to specific domains. In this case it was probably because his cable IP was part of some blacklist which says any dynamic IP must belong to a spammer, as there's obviously no use for someone to be running his/her own SMTP server on a lowly dialup or cable connection.

    7. Re:read your usage agreement by SillyNickName4me · · Score: 3, Insightful

      Comcast may not allow it but they are not the only player in town (and the ISP I am using explicitly allows it, for example), so I really doubt you will see a 'blanket solution' anytime soon.

      Besides, what's next? Blocking all traffic to known p2p related ports? And then filter USENET?

      People should start thinking a lot more about the consequences of 'solutions' they propose, esp. those involved in spam prevention have a strong tendency to go for measures that are way worse than the problem they try to solve while missing the obvious (the SMTP protocol being broken).

  2. Port 25 by thrillseeker · · Score: 3, Insightful

    All they need to do is to restrict SMTP outbound connections to their own mailservers. Forcing traffic through their own machines will quickly point out who the abusers are, and they can likewise filter for viruses and worms, preventing propagation.

    1. Re:Port 25 by bigberk · · Score: 4, Insightful
      All they need to do is to restrict SMTP outbound connections to their own mailservers.
      Ummm.... no, that alone won't do it. They also have to have vigorous spam and virus controls on their mail server. Otherwise the ISP's mail servers will just relay the spam and viruses. SWEN for instance sends itself via the ISP's "proper" relay.

      For example, ISPs that send me plenty of spam and viruses relayed through their main mail servers are: arnet.com.ar, bigpond.com, btinternet.com, libero.it, singnet.com.sg, videotron.ca, wanadoo.fr

      Case in point. Blocking port 25 doesn't stop spam. Booting your spamming customers does.

    2. Re:Port 25 by Have+Blue · · Score: 4, Insightful

      This story is about compensating for users who are unaware that their computer has been trojaned and is emitting spam. Is getting kicked off your ISP a suitable punishment for that? Comcast is doing the minimum necessary to keep the most people possible happy (except the spammers, and apparently you).

  3. First! by Anonymous Coward · · Score: 5, Insightful

    I think it's a good idea. But why stop there? Disconnect the zombies until they fix the problem on their computer.

  4. Registering mail servers? by mcrbids · · Score: 5, Insightful

    What if they had a *simple* process for registering your mail server with them? 5 minutes, maybe $20 and that's it?

    People who run their own mail servers are control freaks and had better be technically minded enough to call the Admins at Comcast in order to register their mail server.

    Otherwise, who'd notice or care?

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.

  5. Wrong approach? by thedillybar · · Score: 4, Insightful

    However, they can block that port on individual cable modems, a sort of surgical strike.

    Why don't they block it on ALL cable modems and let people unblock it if they wish? The majority of users who go through the trouble to unblock it are going to run secure machines. Even if they don't, it's going to reduce the number of spam bots.

    And they won't have the privacy advocates all over them...

    1. Re:Wrong approach? by LostCluster · · Score: 5, Insightful

      What I would love to see somebody come out with is a provider-side web configurable firewall. Basically, a way to tell my ISP "If you're getting incoming port 80 requests coming my way, don't bother me with it."

      In the default configuration, all ports below 1024 should be blocked, and there should be some explanation to the user that if they want to offer a home-based webserver, they have to visit the designated area on the provider's site to indicate that they want port 80 incoming traffic. That way, IIS-worm-of-the-week traffic will not bother your last mile bandwidth if there's no web server home.

      Outgoing ports can be restricted the same way. Outgoing port 25 should only be allowed to official mail servers, unless the user specifically requests otherwise. That way, if a Spam-bot gets in, most users will already be set to not let it out...

  6. Re:An expensive problem. by Caradoc · · Score: 5, Insightful

    They now have a choice - how much is it going to cost them if they do NOT implement some policy that prevents their users from spamming the entire world, and they end up getting all of their e-mail blocked?

    And how much money could have been saved if they'd implemented such a policy when people started telling them it was a problem (it's been several years since people started telling Comcast that their users were a load of USDA Prime Clue-Free Spam Zombies...)

    It's interesting how much money can be saved by paying attention to the small, seemingly innocent details before they add up to be monstrous problems.

    --
    Specialization is for insects. - R.A.H.

  7. Re:Screw Comcast! by jchawk · · Score: 4, Insightful

    From the comments so far I've seen "I don't have the money to pay for a static IP address." I know that it sucks that not everyone can have static IP addresses, but that's something you should take up with your provider. Why should the rest of the Internet Service Providers out there pay for your ability to send email from a dynamic IP address? You can't begin to imagine how much spam we are able to drop because of those two simple blocks (client.comcast.net and client2.comcast.net)... It's to the point where we would need to add at least another mail server to accept the email coming from those ranges. That's simply not something we are willing to do when 99.9999% of all email from those dynamic ranges is spam.

    You can blame me and the other ISP's out there that refuse to accept mail from dynamic ranges, but you should be blaming the spammers for ruining email as we know it, and you should blame your provider for not allowing you to have a static IP address.

    The ISP I work for only does static IP addresses (except for dialup customers); all of our DSL customers are allocated a static IP address. This is common if you shop around. From what I understand there are many bigger providers that will allow you to have a static IP address for a few more dollars a month if you can show that you are not using it for commercial purposes; furthermore, ISPs like SpeakEasy offer static IP addresses as a part of their typical DSL offerings (no, I don't work for them).

    Also, if you're running a server on those dynamic ranges with Comcast you are clearly violating their TOS. Again, vote with your wallet and find a provider that is more reasonable with their TOS and IP space. Or get a few friends together and pitch in for a virtual server somewhere. You can find a decent virtual server that will suit all of your needs for less than $50 a month; hell, get 5 friends together and it's only $10 a month, surely you can afford that. Plus you can say you have your own server somewhere. :-)

  8. Good for customers - Bad for Comcast? by LaForce · · Score: 3, Insightful

    Up until now, ISPs have been able to hide behind their status as a common carrier for anything illegal that their customers do. They don't monitor, thus, they can't do anything about it. Comcast is admitting their ability and willingness to monitor the types of traffic their customers are producing, and block undesirable traffic. How long before this gets turned around and smacks Comcast (and their customers) with problems?

  9. Re:some ISP's already do this by Rick+Zeman · · Score: 4, Insightful

    Speakeasy lets us run whatever the heck we want. Then again, every month or so I see their relay testing in my Postfix logs. It's a strange concept: innocent until found guilty.

  10. Port 25 for those who request it by Charles+Dodgeson · · Score: 3, Insightful

    My local ASP has a good solution to this. By default, port 25 is blocked, but customers can ask for it to be allowed through. The presumption is that if you know enough to ask for port 25, then you can take proper responsibility for your machines.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky

  11. What you can't think of is not the issue by frovingslosh · · Score: 4, Insightful

    I can't think of a single good reason why a user needs to run their own outgoing mail server and not relay through the Comcast server.

    Just because you can't think of a reason to not use the Comcast server does not mean there are not good ones. I've recently been put in the same boat by BellSouth, and I assure you there are good reasons for not wanting port 25 blocked.

    First of all, if you, like me, have a notebook and actually move frequently from location to location (home, work, family and friends' houses, public sites with wireless access) then you want to be able to configure your mail client so that it will reach a mail server that you can log into and not have to change settings every time you change location. If you have a mail server outside of a "me only" mentality ISP then this is simple and straightforward. But when the ISP blocks port 25 (as well as not letting you use their mail servers whenever you're not originating from their network), it's a royal pain in the ass to reconfigure all the time.

    Also, if you, like me, administer or help maintain a valid mail server off of the Comcast network, you may well find it important to actually send mail through this server. Or you might even have a company policy that states that all business mail must be sent through the company mail server. No problem if port 25 isn't blocked and you log into the server you want. Big problem if some short-sighted system administrator at your ISP insists that everyone should be expected to use the Internet in exactly the same way.

    And I can't speak about quality of service at Comcast, but at BellSouth the mail server is frequently down. This was not a significant problem if I had to send time critical information out as long as I had port 25 open and could log into one of the other servers I use. Now it's a problem even from my desktop system.

    Fighting spam is great, but fighting stupidity is even more important.

    --
    I'm an American. I love this country and the freedoms that we used to have.

  12. Re:Screw Comcast! by AKnightCowboy · · Score: 3, Insightful

    OTOH, running my own sendmail is fast, effective, and pretty much always works. I don't see how I should be banned from running my own mail server because some people abuse it. With that wonderful logic, it's time to shut down every P2P service, because most people are abusing them

    The vast amount of mail coming from dynamic IP addresses is spam. Users like you are few and far between. As for the P2P services... they SHOULD be shut down as well. 99% of P2P users are stealing software, music, and movies. For everybody that legitimately downloads Linux ISO images off of a P2P network there are 10,000 who steal music, videos and software.

    Also, on many networks you will also find that IRC is banned as well because of all the kiddies launching DDoS attacks against IRC servers and clients. Is it a bad protocol? No.. it's quite nifty, but the assholes of society infected it and turned it into an evil protocol, just like P2P networks and SMTP unfortunately.

  13. Should have done vvv this vvv years ago by IBitOBear · · Score: 3, Insightful

    Comcast could and should have gone ahead and user-runtime-reversibly blocked all of the common low service ports (1-1024) a long time ago.

    By user-runtime-reversible I mean:

    Put up a web page that I can connect to from my served address only, that lets me check-mark the common ports I want to allow in/out/both. And, most importantly, *NOT* change billing or pricing by check-box etc.

    The default map would never be changed by users that don't care, and thus zombie-spam would be greatly reduced.

    The custom map would be useful for those who do care.

    Keying this on the "hostname" a paying customer sends with their DHCP requests, or by IP address and giving out nearly-static leases by default and clearing the map when a lease is lost, would be child's play. It is no harder technologically than dynamic DNS.

    It could be instantiated anonymously one day and only the legitimate users who cared would even notice. As long as there was an obvious "so your ports were just locked on a service you were running at home and you don't like that? here's how to open them" link obviously placed on an "expert users" page on the corporate web site everything would be self-healing.

    Of course that implies that they have rationally segmented their network so that the routers can leverage this information in reasonable time.

    Evidence suggests that they have not so segmented. (You would not *believe* the amount of cyclic arping across multiple address ranges I see from their servers on my cable modem segment...)

    Heck, the simple intelligence-test effect created by requiring a user to find their own hostname string from inside either their active configuration or their setup invoice would be enough to stop all sorts of shenanigans... 8-)

    So anyway Comcast, get a nice firewall box, set up a permeable wall, with a nice default mask, and let users instantiate a private mask if they so desire by visiting their service settings web page.

    Not that hard, unless you bought your infrastructure *really* cheap... 8-)

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
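
    The provider-side, subscriber-reversible port map that LostCluster and IBitOBear describe above, together with Aaden42's point that only an OUTBOUND port 25 block touches zombie traffic while an INBOUND block touches home mail servers, as an added Python example that is not part of the thread and not Comcast's or any ISP's code. Everything in it is constructed: the addresses come from the RFC 5737 documentation ranges, the "ISP relay" list, the default blocked port sets and the `Subscriber` opt-out map are assumptions chosen to mirror the comments.

```python
# Added example (not from the thread): a direction-aware, per-subscriber port
# policy. Default map: inbound ports < 1024 closed, outbound 25 only to the
# ISP's own relays; a subscriber can re-open ports via a self-service map.
# All addresses are constructed from RFC 5737 documentation ranges.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SUBSCRIBER_NET = ip_network("198.51.100.0/24")                      # constructed cable-modem range
ISP_RELAYS = {ip_address("192.0.2.25"), ip_address("192.0.2.26")}  # constructed ISP SMTP relays
DEFAULT_BLOCKED_INBOUND = frozenset(range(1, 1024))                 # "all ports below 1024"
DEFAULT_BLOCKED_OUTBOUND = frozenset({25})                          # outbound SMTP, relays excepted


@dataclass
class Subscriber:
    """Self-service map: ports this subscriber has explicitly re-opened (assumed schema)."""
    allow_inbound: set = field(default_factory=set)
    allow_outbound: set = field(default_factory=set)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def decide(flow: Flow, subscribers: dict) -> tuple:
    """Return (verdict, reason) for one TCP flow under the default map plus the
    subscriber's own opt-outs. Subscribers absent from the map get the defaults."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in SUBSCRIBER_NET:                       # OUTBOUND: the direction zombies use
        sub = subscribers.get(flow.src, Subscriber())
        if flow.dport in DEFAULT_BLOCKED_OUTBOUND:
            if dst in ISP_RELAYS:
                return "allow", "outbound SMTP to ISP relay"
            if flow.dport in sub.allow_outbound:
                return "allow", "outbound port re-opened by subscriber"
            return "block", "outbound SMTP to non-ISP host"
        return "allow", "outbound, not a restricted port"
    if dst in SUBSCRIBER_NET:                       # INBOUND: the direction home servers need
        sub = subscribers.get(flow.dst, Subscriber())
        if flow.dport in DEFAULT_BLOCKED_INBOUND and flow.dport not in sub.allow_inbound:
            return "block", "inbound low port, no server registered"
        return "allow", "inbound to registered or high port"
    return "allow", "transit traffic, not a subscriber flow"


def evaluate(flows, subscribers):
    """Verdicts only, in input order."""
    return [decide(f, subscribers)[0] for f in flows]


# Constructed scenario: one opted-out laptop user with a registered home mail
# server, and one infected PC whose owner never touched the map.
SUBSCRIBERS = {
    "198.51.100.20": Subscriber(allow_inbound={25}, allow_outbound={25}),
}
FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", 25),   # zombie spamming a remote MX      -> block
    Flow("198.51.100.7", "192.0.2.25", 25),     # same PC via the ISP relay         -> allow (relay can filter)
    Flow("198.51.100.20", "203.0.113.10", 25),  # opted-out user to their own host  -> allow
    Flow("203.0.113.5", "198.51.100.20", 25),   # inbound mail to registered server -> allow
    Flow("203.0.113.5", "198.51.100.7", 80),    # worm probing 80, no web server    -> block
    Flow("203.0.113.5", "198.51.100.7", 25),    # inbound 25 to the zombie          -> block, but does not stop its spam
    Flow("198.51.100.7", "203.0.113.10", 443),  # ordinary browsing                 -> allow
]

if __name__ == "__main__":
    for f in FLOWS:
        verdict, why = decide(f, SUBSCRIBERS)
        print(f"{f.src} -> {f.dst}:{f.dport}: {verdict} ({why})")
```

    Note that the sixth flow is blocked by the inbound default yet changes nothing about the zombie's first flow: the infected PC is stopped only by the outbound rule, which is Aaden42's point, while the laptop user who registered in the map keeps both directions working.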

  14. Re:Big difference between zombie and server... by Unregistered · · Score: 3, Insightful

    So you fire off 1300 mails a day/week? That shouldn't trigger an alarm. When you start sending out 100 mails/min constantly, then they should take notice. 1300 mails is nothing compared to what spam zombies send out.

  15. One solution by japa · · Score: 4, Insightful

    I work at a Finnish ISP and we have an automated system that monitors user traffic. Not the content, but the amount. There are lots of rulesets which may trigger the action. For example scanning X amount of ports in a second (like some viruses do). When a user's computer is determined to be infected/owned by the system, all outbound http connections are directed to a page telling them their system is infected and general information on what to do next. All outbound smtp connections are replied to by a similar kind of error message (and 500 series reply). Besides getting those replies, the customer is basically disconnected from the net. (S)he can't connect anywhere and can't be connected to.

    The system lets the user out of isolation 30 minutes after the reason for isolation has disappeared. Though there are some users who get into isolation, out of it, back again all day long. One has to wonder what the user is doing with the computer? Just having it on, warming the house? 'Cause they can't surf the net, they can't send email...

    This system has reduced outbound spam drastically! And the best part is, we don't have to find out who is infected (dynamic IPs) and then try to contact the end user (many times not the one who pays..).

    here's the manufacturer's slide show (don't slashdot him to death..)
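
    The isolation scheme japa describes (rate-based rules on traffic volume rather than content, HTTP redirected to a notice page, SMTP answered with a 500-series reply, release 30 minutes after the reason disappears), combined with Unregistered's "100 mails/min" figure from the previous comment, as an added Python example that is not the Finnish ISP's product or anyone's code from the thread. The thresholds, the one-minute history window, the action names and all addresses are assumptions and constructed values.

```python
# Added example (not japa's ISP system): a rate-based isolation monitor.
# Rules look only at volume (distinct targets per second, SMTP attempts per
# minute), never at content. Thresholds and timings are assumptions.
from collections import defaultdict, deque

SCAN_DISTINCT_PER_SEC = 50   # distinct host:port targets within 1 s -> "port scan"
SMTP_CONN_PER_MIN = 100      # outbound SMTP attempts within 60 s (Unregistered's figure)
RELEASE_AFTER = 30 * 60      # seconds of quiet after the last trigger before release
WINDOW = 60                  # seconds of per-subscriber history kept


class IsolationMonitor:
    def __init__(self):
        self.history = defaultdict(deque)   # src -> deque of (t, dst, dport)
        self.last_trigger = {}              # src -> time a rule last fired

    def _trip(self, t, src):
        """Apply the rulesets to the last WINDOW seconds of one subscriber's traffic."""
        h = self.history[src]
        while h and t - h[0][0] > WINDOW:   # drop history older than the window
            h.popleft()
        smtp = sum(1 for (_, _, p) in h if p == 25)
        scan = len({(d, p) for (ts, d, p) in h if t - ts <= 1.0})
        if smtp >= SMTP_CONN_PER_MIN:
            return "smtp rate"
        if scan >= SCAN_DISTINCT_PER_SEC:
            return "port scan"
        return None

    def observe(self, t, src, dst, dport):
        """Record one outbound connection attempt at time t and return the action."""
        self.history[src].append((t, dst, dport))
        if self._trip(t, src):
            self.last_trigger[src] = t      # a still-firing rule keeps the clock running
        if src in self.last_trigger:
            if t - self.last_trigger[src] < RELEASE_AFTER:
                if dport == 80:
                    return "redirect-to-notice"   # walled-garden page: "your system is infected"
                if dport == 25:
                    return "smtp-5xx"             # 500-series reply instead of relaying
                return "drop"                     # everything else: effectively offline
            del self.last_trigger[src]            # quiet for 30 minutes: release
        return "allow"

    def is_isolated(self, t, src):
        return src in self.last_trigger and t - self.last_trigger[src] < RELEASE_AFTER


def simulate():
    """Constructed traffic: one zombie, one ordinary user. Returns the observed actions."""
    m = IsolationMonitor()
    zombie, laptop, mx, web = "198.51.100.7", "198.51.100.20", "203.0.113.10", "203.0.113.80"
    # zombie: 120 SMTP attempts in one minute, one every half second
    actions = [m.observe(i * 0.5, zombie, mx, 25) for i in range(120)]
    first_block = actions.index("smtp-5xx")                       # the 100th attempt (index 99)
    page = m.observe(100.0, zombie, web, 80)                       # browsing -> notice page
    other = m.observe(101.0, zombie, web, 443)                     # anything else -> dropped
    still = m.is_isolated(1000.0, zombie)                          # 15 min later: still isolated
    released = m.observe(59.5 + RELEASE_AFTER + 1, zombie, web, 80)  # 30 min quiet -> allowed
    # ordinary user: 1300 mails spread over a day (one every 66 s) never trips the rule
    normal = {m.observe(k * 66.0, laptop, mx, 25) for k in range(1300)}
    return {"first_block": first_block, "page": page, "other": other,
            "still": still, "released": released, "normal": normal}


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

    Because `_trip` runs on every attempt even while the subscriber is isolated, a machine that keeps spamming keeps pushing `last_trigger` forward, so the 30-minute release clock only starts once the behaviour has actually stopped, which is the "after the reason for isolation has disappeared" rule. The ordinary user stays under the threshold at any plausible spacing, which is Unregistered's point about 1300 mails a day.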

  16. Re:proxy everything until asked by Chatterton · · Score: 4, Insightful

    Them: "How may we help you?"
    Me: "Please unblock TCP port 25, both ways"
    Them: "OK, we could do it for 5$ a month"

    After all, why should millions of people not have to pay for tens of thousands of needed ports?