Comcast Thinks About Stopping Zombies
LehiNephi writes "Comcast has finally admitted that its users are responsible for a large amount of spam, and they are thinking about how to stop it. Apparently they haven't been turning a blind eye to the problem after all. The simple, blanket approach of blocking all traffic on port 25 would have too many side effects, particularly for users running their own mail servers. However, they can block that port on individual cable modems - a sort of surgical strike. As far as I'm concerned, the sooner they implement this, the better!"
Had a user come into our help channel last night, unable to send email through his account with us since that morning (yesterday Sun 05/23) and I confirmed the server was working fine so I had him telnet to port 25 - no luck, had him telnet to port 25 on the server I use for email - no dice, had him use port 2525 - SMTP connection opened up fine.
He was using comcast for his cable modem. Said it just started that day.
We accept incoming smtp on port 2525 also since my OWN isp at home blocks port 25 (knology) so I have to use 2525 to send email through my company email server myself.
--- www.f-theocean.com
There's a real easy way to tell the difference between a zombie and somebody running a home mail server...
The zombie will be sending an insane number of e-mails to an insane number of users constantly. No home mail server should be used to run a listserve with anything more than a hundred people or so. Therefore, bursts of port 25 are okay, camping on port 25 is a sign of trouble.
As a mail admin stop the shit yourself.
:-)
Ban - client.comcast.net, and client2.comcast.net
Since the spammers can't forge the reverse DNS on the IP you can trust your blocking Comcast's dynamic ranges. Their business customers are not on any of the IPs that reverse to client.comcast.net or client1.comcast.net, and residential customers in the blocked dynamic ranges can relay mail to you through comcast's mail servers like they are supposed to.
There is absolutely no reason in this day and age of spam to run a legit mail server off of a dynamic IP address.
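An added example, not part of the comment above: a reverse-DNS policy check of the kind it describes, matching the PTR name on DNS label boundaries and confirming it with a forward lookup. The `PTR` and `A` tables are constructed stand-ins for live DNS, and the host names and verdict strings are assumptions.

```python
# Added example: reject mail from hosts whose PTR falls in a blocked dynamic range.
BLOCKED_SUFFIXES = ("client.comcast.net", "client2.comcast.net")  # names from the comment

# Constructed resolver data (documentation addresses), standing in for live DNS.
PTR = {
    "192.0.2.10": "c-192-0-2-10.client.comcast.net.",
    "192.0.2.20": "mail.example.org.",
    "192.0.2.30": "client.comcast.net.example.org.",  # suffix is not at the end
    "192.0.2.40": "mail.example.org.",                # PTR not backed by an A record
}
A = {
    "c-192-0-2-10.client.comcast.net": {"192.0.2.10"},
    "mail.example.org": {"192.0.2.20"},
    "client.comcast.net.example.org": {"192.0.2.30"},
}

def normalize(name):
    """Drop the trailing root dot and fold case, as DNS names compare."""
    return name.rstrip(".").lower()

def ptr_matches(name, suffixes=BLOCKED_SUFFIXES):
    """True only if the name is a blocked suffix or ends with '.' + suffix."""
    name = normalize(name)
    return any(name == s or name.endswith("." + s) for s in suffixes)

def decide(ip, ptr=PTR, a=A):
    """Return a verdict for a connecting IP address."""
    name = ptr.get(ip)
    if name is None:
        return "no-ptr"
    # Forward confirmation: the PTR name must resolve back to the same IP.
    if ip not in a.get(normalize(name), set()):
        return "ptr-unconfirmed"
    return "reject-dynamic" if ptr_matches(name) else "accept"

def sample_decisions():
    """Verdicts for every constructed host plus one with no PTR at all."""
    return {ip: decide(ip) for ip in list(PTR) + ["192.0.2.50"]}
```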
It doesn't even have to be that difficult. Just block port 25 by default. If someone calls up and asks for it to be enabled, do it free of charge, no questions asked. Now everyone who wants to run a mailserver can do so painlessly, but the average joe zombie wouldn't be able to spread spam because port 25 would be off for him by default. I bet this would stop 90%+ of all the nasty zombie spam.
My friend tried to run a mail server off of his comcast connection awhile back. He could receive mail fine, but anytime he tried to send mail it would fail. I always assumed 25 was off anyway.
Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
We in the anti-spam community have been yelling this for a while. Since early 2004, most spam is sent through unwitting zombies (compromised Windows hosts) that are remotely controlled spam bots. This is not just an open relay issue. These hosts are hacked in an automated fashion and loaded with spamming software.
Now obviously, there's a lot an ISP can do about this and it doesn't have to be as drastic as blocking port 25 outright. Users which generate suspicious amounts of TCP port 25 traffic could be reassigned IP addresses from a probation-class pool. That is, hosts within that netblock might not be allowed to make port 25 connections, or might be advertised to the world as block-on-sight.
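An added example, not part of any comment in this thread: one way an ISP could separate the "burst" pattern of a small home mail server from a host "camping" on port 25, as two comments above propose. The flow-record format (`epoch src dst dport`), the thresholds and all addresses are constructed assumptions.

```python
# Added example: flag hosts with sustained port-25 traffic to many destinations.
from collections import defaultdict

WINDOW = 300             # seconds per time bucket (assumed)
MIN_ACTIVE_WINDOWS = 6   # buckets with SMTP activity before a host counts as camping
MIN_DISTINCT_DSTS = 50   # distinct mail servers contacted (assumed)

def parse_flow(line):
    """Parse 'epoch src dst dport'; return None if malformed or not port 25."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts, dport = int(parts[0]), int(parts[3])
    except ValueError:
        return None
    return (ts, parts[1], parts[2]) if dport == 25 else None

def classify(lines):
    """Map each source address to 'camping' or 'ok'."""
    windows, dsts = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst = rec
        windows[src].add(ts // WINDOW)
        dsts[src].add(dst)
    return {
        src: "camping"
        if len(windows[src]) >= MIN_ACTIVE_WINDOWS and len(dsts[src]) >= MIN_DISTINCT_DSTS
        else "ok"
        for src in windows
    }

def sample_flows():
    """Constructed records: a list burst, a smarthost user, and a steady sender."""
    lines = ["garbage line", "1000 10.0.0.5 192.0.2.1 80"]
    # Home list server: 80 recipients inside two minutes, then silence.
    lines += [f"{1000 + i} 10.0.0.5 192.0.2.{i + 1} 25" for i in range(80)]
    # Customer relaying through one smarthost every ten minutes.
    lines += [f"{1000 + i * 600} 10.0.0.7 198.51.100.25 25" for i in range(12)]
    # Steady sender: one connection every ten seconds for an hour, 200 targets.
    lines += [f"{1000 + i * 10} 10.0.0.9 203.0.113.{i % 200 + 1} 25" for i in range(360)]
    return lines
```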
Yep. This is the only way to stem the traffic. People can still run their own mail servers, but all outbound connections should go through the ISP. After all, it is not like it is a privacy issue (they can sniff the packets anyway, so bypassing their SMTP server does not help you!)
I have two primary requirements for an ISP. (1) must not block any ports for any reason. (2) must provide at least one static IP.
AOL blocks game ports, so they can charge you $5 more per month for opening the ports. They were one of the first to change the role of ISP from utility to controlled collector of optimal revenue. I have for at least 5 years told everyone to get rid of AOL. Unfortunately, today, people have come to accept the idea that it's ok for an ISP to block ports.
As for the zombies, the ISPs should try:
Open Standards Portal
I've seen some different approaches to block mail.
The one my ISP (a University) uses is to block any incoming TCP connection with dst port 25. This stops spammers from using any badly configured mail server as a relay. I can still use any mail server I want to send mails though, I can even run one of my own. What I can't do is handle incoming emails for my own domain. They also monitor how much mail is sent, and if your computer seems to send out "too much" mail, you'll get an email from the sysadmins asking you to explain what's up.
The other approach I've seen used by xDSL providers here is to block any outgoing connections to dst port 25. This way you could run your own mail server for your domain, but you must relay all sent email through the ISP's SMTP server.
I think both solutions offer some protection against spammers, without putting too many restrictions on the users. Not sure which one is most effective though, if any.
Actually, their reps have said during calls that mail servers are not officially supported, but that they willingly turn a blind eye.
Given that they are the only broadband I can get and I do run a mail server for any host of reasons; the targeted approach would be the only acceptable method.
The ISP I work for (name withheld to protect the proactive) has what I consider to be a good policy for handling bots. I think it is good because I came up with it myself. Any host that we get a complaint about is portscanned (all ports are scanned). The output from nmap is then fed into amap for application fingerprinting and mothra to grab banners. We then suspend the customer's internet access until they clean up the computer. On the whole port 25 thing, every day we find systems that are running SMTP servers on bizarre, very high ports.
"Who's going to believe a talking head?" - Herbert West
I would dearly love it if Comcast (nee any and every ISP) offered a specific /dev/null address that I could use with icmp-redirect like clarity.
When I see a bunch of bogus packets slam into my box that have no reason to exist, I would like to be able to automagically do the IP equivalent of call blocking.
Sending an ICMP-REDIRECT-like message out in response to a bogus packet should be snuffled up by the ISP equipment and taken as a "call block" request against a particular peer address.
So if I rig up my firewall to icmp-redirect to some magic address (say 0.0.0.0, which is never legal in a redirect), the upstream router should process it as, say, a 24 hour ban of packets from that address to my address.
Were such a thing to become common, the ISP could forward that ban on to the next upstream peer and so on until the "well behaved" router closest to the miscreant would be keeping the wastage off of the backbones entirely.
Since it is a point-to-point ban it would be rather effective without letting malicious third parties do too much damage unless they could get common-segment with one of the parties.
Talk about killing a DDOS at the diverse roots.
Anyway, it would need a little refinement to keep the haxors next door from pretending to be me and cutting all of the sites they sniff me using, you know, check mac addresses or require me to use an activation squib from my firewall from time to time....
But it should be easy and safe enough once the nearest "Real" router got the do-not-call packet.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
What I would love to see somebody come out with is a provider-side web configurable firewall.
:)
While I am a student at utexas.edu, I must speak up about https://firewall.tamu.edu/. Apparently the resnet team in College Station filters the heck out of their residents' hosts, but allows them to open their boxes up interactively on the fly without having to call tech support. This is all based on what I have gleaned from the TAMU CIT online writeups, so of course don't quote me on it. While I do not have access, maybe some kind A&M soul will offer forth what is contained inside?
Hooray for BSD and Snort inline! Apparently TAMU is also doing some really cool IDS work and dynamically switching ACOs to non-routable VLANs and providing fixes via a web interface for compromised hosts. I heard about RIT doing something similar with their homebrewed ActiveX-based development during last July/August during the big RPC craze. I wish more universities would implement similar solutions.
My father had BellSouth DSL, and they've started blocking Port 25 for outgoing mail. This means that he couldn't send mail through the third-party mail server that he's been using for years. I don't want to have to change his settings (and he doesn't want to give people a new address) every time he has to change ISPs, so he pays a bit of money to use NetIdentity.com for his mail.
Since BellSouth wouldn't use some sort of reasonable measure of WHO was abusing the service instead of treating everyone as a spammer, we switched him to another DSL carrier. I think it's unreasonable to expect everyone to have to use ONLY the mail server of the ISP.
BTW, BellSouth said they WOULD open Port 25 if my father would pay double the money for a "business-class" DSL account, which shows me that it's more of a marketing distinction on their part than a distinction with a truly technical justification.
My Motorola Surfboard's orange "Activity" light (this model doesn't have separate LEDs for TX/RX) is almost always solid, even when I'm not doing anything at all. As if the constant flood of ARP traffic over the cable system wasn't enough, the constant hammering of any number of worms brings the traffic to a steady buzz. I still get Nimda and Code Red attempts on a daily basis, and lots of hits to 3306, which I presume are Slammer. In fact, here's the most recent attempt, about 8 minutes ago. From a worm that came out in, what, 2001?
tcpdump or Ethereal are probably the best ways to determine if you've been turned into a zombie. tcpdump | grep smtp, or leave Ethereal running for awhile and scan the output for connections to port 25. If either comes up with a shitload of outbound SMTP traffic, you've probably got a trojanned box.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
I am a Comcast customer, and I'd hate to have all my connections proxied or blocked, but I don't see the harm in making people like myself call a phone number to supply a list of ports to unblock/unproxy.
Them: "How may we help you?"
Me: "Please unblock TCP port 25, both ways"
Them: "OK"
After all, why should millions of people have tens of thousands of unneeded ports available for abuse?