Slashdot Mirror


Comcast Thinks About Stopping Zombies

LehiNephi writes "Comcast has finally admitted that its users are responsible for a large amount of spam, and they are thinking about how to stop it. Apparently they haven't been turning a blind eye to the problem after all. The simple, blanket approach of blocking all traffic on port 25 would have too many side effects, particularly for users running their own mail servers. However, they can block that port on individual cable modems-a sort of surgical strike. As far as I'm concerned, the sooner they implement this, the better!"

21 of 592 comments (clear)

  1. Hmm I think they just started... by Grimster · · Score: 4, Interesting

    Had a user come into our help channel last night, unable to send email through his account with us since that morning (yesterday Sun 05/23) and I confirmed the server was working fine so I had him telnet to port 25 - no luck, had him telnet to port 25 on the server I use for email - no dice, had him use port 2525 - SMTP connection opened up fine.

    He was using comcast for his cable modem. Said it just started that day.

    We accept incoming smtp on port 2525 also since my OWN isp at home blocks port 25 (knology) so I have ot use 2525 to send email through my company email server myself.

    --
    --- www.f-theocean.com
  2. Big difference between zombie and server... by LostCluster · · Score: 5, Interesting

    There's a real easy way to tell the difference between a zombie and somebody running a home mail server...

    The zombie will be sending an insane number of e-mails to an insane number of users constantly. No home mail server should be used to run a listserve with anything more than a hundred people or so. Therefore, bursts of port 25 are okay, camping on port 25 is a sign of trouble.

    1. Re:Big difference between zombie and server... by winkydink · · Score: 4, Interesting
      Uh-oh. I better tell the users of my 800-person list and my 500-person list that it's been a great 8-year run, but we shouldn't be using a home mail server for this.

      Time to move it to the garage, I guess.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    2. Re:Big difference between zombie and server... by YankeeInExile · · Score: 3, Interesting

      The point I was making, in addition to the parent poster was, a blanket Nobody should be running a mail server at home statment is prima facie false. There may be very good reasons -- such as "wanting to have email".

      For what it's worth, I am very happy with my broadband vendor, both on price and performance, and they sell me a pipe in which I transport bits. No application layer services, no restrictions, no bullshit.

      --
      How does the Slashdot Effect happen given that no slashdotters ever RTFA?
  3. Screw Comcast! by jchawk · · Score: 4, Interesting

    As a mail admin stop the shit yourself.

    Ban - client.comcast.net, and client2.comcast.net

    Since the spammers can't forge the reverse DNS on the IP you can trust your blocking Comcast's dynamic ranges. Their business customers are not on any of the IP's that reverse to client.comcast.net or client1.comcast.net, and residential customers in the blocked dynamic ranges can relay mail to you through comcast's mail servers like they are supposed to.

    There is absolutely no reason in this day and age of spam to run a legit mail server off of a dynamic IP address. :-)

    1. Re:Screw Comcast! by Erwos · · Score: 3, Interesting

      "There is absolutely no reason in this day and age of spam to run a legit mail server off of a dynamic IP address. :-)"

      Speak for yourself.

      For someone like myself, who does a lot of hopping between networks, using the "ISP's SMTP server" is a collossal pain in the ass, forcing me to constantly change the SMTP server settings.

      OTOH, running my own sendmail is fast, effective, and pretty much always works. I don't see how I should be banned from running my own mail server because some people abuse it. With that wonderful logic, it's time to shut down every P2P service, because most people are abusing them.

      -Erwos

      --
      Plausible conjecture should not be misrepresented as proof positive.
  4. Re:Registering mail servers? by MalleusEBHC · · Score: 5, Interesting

    It doesn't even have to be that difficult. Just block port 25 by default. If someone calls up and asks for it to be enabled, do it free of charge, no questions asked. Now everyone who wants to run a mailserver can do so painlessly, but the average joe zombie wouldn't be able to spread spam because port 25 would be off for him by default. I bet this would stop 90%+ of all the nasty zombie spam.

  5. Re:read your usage agreement by MikeXpop · · Score: 3, Interesting

    My friend tried to run a mail server off of his comcast connection awhile back. He could recieve mail fine, but anytime he tried to send mail it would fail. I always assumed 25 was off anyway.

    --
    Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
  6. People still don't understand the zombie situation by bigberk · · Score: 4, Interesting

    We in the anti-spam community have been yelling this for a while. Since early 2004, most spam is sent through unwitting zombies (compromised Windows hosts) that are remotely controlled spam bots. This is not just an open relay issue. These hosts are hacked in an automated fashion and loaded with spamming software.

    Now obviously, there's a lot an ISP can do about this and it doesn't have to be as drastic as blocking port 25 outright. Users which generate suspicious amounts of TCP port 25 traffic could be reassigned IP addresses from a probation-class pool. That is, hosts within that netblock might not be allowed to make port 25 connections, or might be advertised to the world as block-on-sight.

  7. Re:Port 25 by gnuman99 · · Score: 4, Interesting

    Yeap. This is the only way to stem the traffic. People can still run their own mail servers, but all outbound connections should go though the ISP. Afterall, it is not like it is a privacy issue (they can sniff the packets anyway, so bypassing their SMTP server does not help you!)

  8. Port blocking by Openstandards.net · · Score: 5, Interesting
    I don't believe any ISP should block ports. It's a slippery slope. The ISPs should be utilities, like electric companies, providing you an unhindered connection to the Internet.

    I have two primary requirements for an ISP. (1) must not block any ports for any reason. (2) must provide at least one static IP.

    AOL blocks game ports, so they can charge you $5 more per month for opening the ports. They were one of the first to change the role of ISP from utility to controlled collector of optimal revenue. I have for at least 5 years told everyone to get rid of AOL. Unfortunately, today, people have come to accept the idea that it's ok for an ISP to block ports.

    As for the zombies, the ISPs should try:

    • Informing their customers that their machines are infected. Seems obvious, but it's obviously rarely done, as most users don't know they are infected.
    • Provide links to free virus detection and spyware removal software. There is a lot of it out there. If the users don't want to by Norton, they could at least try a free one. I bet most don't know that there are free options available.
    • Offer free Linux CDs.
    1. Re:Port blocking by MBCook · · Score: 5, Interesting
      If I set some large device to store energy and then send it back into the grid wrong (lets say it comes into my house at 220v, 60hz so send it at 1500v 300hz) therby screwing everything up for everyone else on my section of the grid, don't you think the power company would come and cut me off?

      In fact, thanks to safties in the power system, if you tried that you'd probably blow up the transformer outside your house. This would cut off you from the rest of the grid and protect everyone else.

      It's the power company's job to give me good service. Steady power, clean, no problems. My ISP (who actually IS Comcast) should be the same way. Fast, reliable, no problems. Instead ISPs often follow your "we're just the middle man" theory. This leads to my 'net connection getting wasted by downloading tons of spam for every real message that should get through.

      The power company won't let you scew up THEIR network. The phone company doesn't look kindly to people hijacking phone lines and using them for free, and ISPs should be no different. They should FIGHT these zombies.

      After all, zombies cut into the bottom line in traffic that has to be passed (both outgoing spam and incomming spam), storage (storing spam on their e-mail servers), and other such things.

      Knock the zombies off the network. This is no slippery slope, this is climbing back UP the "you can do whatever you want even when it makes the internet worse for 99% of people" hill that a blind eye has slid us down.

      I won't lose sleep, and neither should you.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    2. Re:Port blocking by Hays · · Score: 4, Interesting

      You should not make an analogy between ISPs and traditional utilities like the electric company. Electricity is one way. Internet is two way. No matter what you do with your electricity, it won't destroy the rest of the grid. (barring extreme things for which you WILL receive a visit from the electric company). On the other hand, it's easy for one internet costumer to ruin the experience for many others (by sending thousands of spam a day, for instance).

      A better analogy might be a phone company. They sure as heck don't give you freedom to use your phone however you want.

      But anyway, I agree that ISPs should be unhindered connections to the internet, but only in one direction- to the client.

  9. How to block? by Granis · · Score: 3, Interesting

    I've seen some different approaches to block mail.

    The one my ISP (a University) use it to black any incoming tcp connection with dst port 25. This stops spammers to use any badly configure mail server from beeing used as a relay. I can still use any mail server i want to send mails though, i can even run one of my own. What i can't do is handle incoming emails for my own domain. They also monitors how much mail is sent, and if your computer seems to send out "too much" mails, you'll get an email from the sysadmins asking you to explain what's up.

    The other approach I've seen used by xDSL providers here is to block any outgoing connections to dst port 25. This way you could run you own mail server for you domain, but you must relay all sent email through the ISP's smtp server.

    I think both solutions offers some protection against spammers, without putting to mych restrions on the users. Not sure which one is most effectiv e though, if any.

  10. Re:read your usage agreement by steve+buttgereit · · Score: 3, Interesting

    Actually, their reps have said during calls that mail servers are not officially supported, but that they willingly turn a blind eye.

    Given that they are the only broadband I can get and I do run a mail server for any host of reasons; the targeted approach would be the only acceptable method.

  11. Bot hunting by Enoch+Zembecowicz · · Score: 4, Interesting

    The ISP I work for (name withheld to protect the proactive) has what I consider to be a good policy for handling bots. I think it is good because I came up with it myself. Any host that we get a complaint about is portscanned (all ports are scanned). The output from nmap is then fed into amap for application fingerprinting and mothra to grab banners. We then suspend the customer's internet access until they clean up the computer. On the whole port 25 thing, ever day we find systems that are running SMTP servers on bizarre, very high ports.

    --
    "Who's going to believe a talking head?" - Herbert West
  12. Offer a /dev/null machine address too by IBitOBear · · Score: 4, Interesting

    I would dearly love it if Comcast (nee any and every ISP) offered a spesific /dev/null address that I could use with icmp-redirect like clarity.

    When I see a bunch of bogus packets slam into my box that have no reason to exist, I would like to be able to automagically do the IP equivalent of call blocking.

    Sending an ICMP-REDIRECT-like message out in response to a bogus packet should be snuffled up by the ISP equipment and taken as a "call block" request against a particular peer address.

    So if I rig up my firewall to icmp-redirect to some magic address (say 0.0.0.0, which is never legal in a redirect), the upstream router should process it as, say, a 24 hour ban of packets from that address to my address.

    Were such a thing to become common, the ISP could forward that ban on to the next upstream peer and so on until the "well behaved" router closest to the miscreant would be keeping the wastage off of the backbones entirely.

    Since it is a poit-to-point ban it would be rather effective without letting malicious third parties do too much damage unless they could get common-segment with one of the parties.

    Talk about killing a DDOS at the diverse roots.

    Anyway, it would need a little refinement to keep the haxors next door from pretending to be me and cutting all of the sites they sniff me using, you know, check mac addresses or require me to use an activation squib from my firewall from time to time....

    But it should be easy and safe enough once the nearest "Real" router got the do-not-call packet.

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
  13. Re:Wrong approach? by nfsilkey · · Score: 3, Interesting

    What I would love to see somebody come out with is a provider-side web configurable firewall.

    While I am a student at utexas.edu, I must speak up about https://firewall.tamu.edu/. Apparently the resnet team in College Station filters the heck out of their residents' hosts, but allows them to open their boxes up interactively on the fly without having to call tech support. This is all based on what I have gleaned from the TAMU CIT online writeups, so of course dont quote me on it. While I do not have access, maybe some kind A&M soul will offer forth what is contained inside? :)

    Hooray for BSD and Snort inline! Apparently TAMU also doing some really cool IDS work and dynamically switching ACOs to non-routable VLANs and providing fixes via a web interface for compromised hosts. I heard about RIT doing something similar with their homebrewed ActiveX-based development during last July/August during the big RPC craze. I wish more universitys would implement similar solutions.

  14. BellSouth blocks Port 25, so we ditched them by DavidinAla · · Score: 3, Interesting

    My father had BellSouth DSL, and they've started blocking Port 25 for outgoing mail. This means that he couldn't send mail through the third-party mail server that he's been using for years. I don't want to have to change his settings (and he doesn't want to give people a new address) every time he has to change ISPs, so he pays a bit of money to use NetIdentity.com for his mail.

    Since BellSouth wouldn't use some sort of reasonable measure of WHO was abusing the service instead of treating everyone as a spammer, we switched him to another DSL carrier. I think it's unreasonable to expect everyone to have to use ONLY the mail server of the ISP.

    BTW, BellSouth said they WOULD open Port 25 if my father would pay double the money for a "business-class" DSL account, which shows me that it's more of a marketing distinction on their part than a distinction with a truly technical justification.

  15. Re:How to tell? by ShaunC · · Score: 4, Interesting
    Your modem activity light is, I suppose, the most foolproof method.
    Back when I had my old Motorola CybrSurfr cable modem, this was a decent way of judging network activity. That modem had a "Send" LED and a "Receive" LED, and while the "Receive" light was typically flashing most of the time, the "Send" light was only blinking if someone on the network was doing something. Unfortunately, when Nimda struck, this method became totally unreliable and has stayed so ever since. The "Send" light was on solid, as my machine dealt with the flood of incoming traffic in one manner or another.

    My Motorola Surfboard's orange "Activity" light (this model doesn't have separate LEDs for TX/RX) is almost always solid, even when I'm not doing anything at all. As if the constant flood of ARP traffic over the cable system wasn't enough, the constant hammering of any number of worms brings the traffic to a steady buzz. I still get Nimda and Code Red attempts on a daily basis, and lots of hits to 3306, which I presume are Slammer. In fact, here's the most recent attempt,
    24.[..].224.119 - - [24/May/2004:23:07:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 65 "-" "-"
    About 8 minutes ago. From a worm that came out in, what, 2001?

    tcpdump or Ethereal are probably the best ways to determine if you've been turned into a zombie. tcpdump | grep smtp, or leave Ethereal running for awhile and scan the output for connections to port 25. If either comes up with a shitload of outbound SMTP traffic, you've probably got a trojanned box.
    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  16. proxy everything until asked by r00t · · Score: 3, Interesting

    I am a Comcast customer, and I'd hate to have all
    my connections proxied or blocked, but I don't see
    the harm in making people like myself call a phone
    number to supply a list of ports to unblock/unproxy.

    Them: "How may we help you?"
    Me: "Please unblock TCP port 25, both ways"
    Them: "OK"

    After all, why should millions of people have tens
    of thousands of unneeded ports available for abuse?