Slashdot Mirror
Comcast Thinks About Stopping Zombies
LehiNephi writes "Comcast has finally admitted that its users are responsible for a large amount of spam, and they are thinking about how to stop it. Apparently they haven't been turning a blind eye to the problem after all. The simple, blanket approach of blocking all traffic on port 25 would have too many side effects, particularly for users running their own mail servers. However, they can block that port on individual cable modems-a sort of surgical strike. As far as I'm concerned, the sooner they implement this, the better!"
Comcast cable modem customers aren't allowed to run mail servers anyway, so I doubt the side-effects would bother them
This clearly violates the right to maintain your own SCO-attack zombie.
All they nned to do is to restrict SMTP outbound connections to their own mailservers. Forcing traffic through their won machines will qucik;ly point out who the abusers are, and they can likewise filter for viruses and worms preventing propogation.
I think it's a good idea. But why stop there? Disconnect the zombies until they fix the problem on their computer.
Had a user come into our help channel last night, unable to send email through his account with us since that morning (yesterday Sun 05/23) and I confirmed the server was working fine so I had him telnet to port 25 - no luck, had him telnet to port 25 on the server I use for email - no dice, had him use port 2525 - SMTP connection opened up fine.
He was using comcast for his cable modem. Said it just started that day.
We accept incoming smtp on port 2525 also since my OWN isp at home blocks port 25 (knology) so I have ot use 2525 to send email through my company email server myself.
--- www.f-theocean.com
There's a real easy way to tell the difference between a zombie and somebody running a home mail server...
The zombie will be sending an insane number of e-mails to an insane number of users constantly. No home mail server should be used to run a listserve with anything more than a hundred people or so. Therefore, bursts of port 25 are okay, camping on port 25 is a sign of trouble.
What if they had a *simple* process for registering your mail server with them? 5 minutes, maybe $20 and that's it?
People who run their own mail servers are control freaks and had better be technically minded enough to call the Admins at Comcast in order to register their mail server.
Otherwise, who'd notice or care?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
"We're the biggest spammer on the Internet," network engineer Sean Lutner said at a meeting of an antispam working group in Washington, D.C., last week.
Seconds later, bangs, thrashes, and pleads for mercy in a very Lutner-like voice could be heard from outside the conference room.
The coolest voice ever.
As a mail admin stop the shit yourself.
:-)
Ban - client.comcast.net, and client2.comcast.net
Since the spammers can't forge the reverse DNS on the IP you can trust your blocking Comcast's dynamic ranges. Their business customers are not on any of the IP's that reverse to client.comcast.net or client1.comcast.net, and residential customers in the blocked dynamic ranges can relay mail to you through comcast's mail servers like they are supposed to.
There is absolutely no reason in this day and age of spam to run a legit mail server off of a dynamic IP address.
Incoming mail servers are arguable, though not allowed in Comcast's EULA, but outgoing- I can't think of a single good reason why a user needs to run their own outgoing mail server and not relay through the Comcast server.
Yes, the Comcast tech support people are complete morons, I'm a Comcast subscriber myself. I hate them too, but I can't think of a good reason to allow outbound port 25 mail. One could possibly make an argument about authenticated SMTP relays with silliness like POP before relay, but IMHO such systems are broken (and I've used them- I should know). It's better to use SASL and encrypt the whole thing.
When Comcast starts monitoring indivudal users though- I do get more than a little concerned.
However, they can block that port on individual cable modems-a sort of surgical strike.
Bit like Whack-A-Mole, then?
The coolest voice ever.
Why don't they block it on ALL cable modems and let people unblock it if they wish? The majority of users who go through the trouble to unblock it are going to run secure machines. Even if they don't, it's going to reduce the number of spam bots.
And they won't have the privacy advocates all over them...
Won't someone please think of the zombie child processes?
DSLExtreme out here in California blocks port 25 natively across the board.
they have a registration webserver you can use to whitelist your account/address for such purposes, and monitor port 25 to make sure that you're not all about the open relay after being opened up.
why can't comcast do the same? doesn't seem that difficult to me.
better yet, why can't people patch their damn servers. if you're running an open relay, i say you're fair game. not to mention violating the draconian ToS of a massive media conglomerate. no thanks.
rawr.
There is actually an 'official' alternate port for this purpose. See:
http://www.ietf.org/rfc/rfc2476.txt
If the block outgoing port 25, but not incoming, then it shouldn't mess up people who are running their own mail servers, provided they configure them to use the ISP's mail server as a relay. That's how the whole system was originally supposed to work in the pre-spam days, anyway.
On the other hand, there's no need to block incoming port 25 unless they're afraid of people running unsecured open relays. Fortunately, that's rarely the case, right? Or are the virus zombies really turned into raw open relays? I'm under the impression that they're controlled more directly, presumably through some different port.
They meant destination port - from X port on comcast to port 25 elsewhere..
...they're concerned about having adverse effects on people running mail servers???? I could have sworn we weren't allowed to run any type of server (HTTPd, IRCd, anything) through their connections. My friend runs a HTTP server through his, but I've never run one through mine for more than a day at a time, being the good customer I am.
It always seemed to me that if they didn't want people hosting servers, they'd block the ports from the beginning. Don't get me wrong though, I'm glad to see they're finally cracking down on spam, and I'm glad they're not going to just block port 25. Maybe Comcast isn't as horrible as everyone says they are.
If the spammer wants to *send* spam out, they're going to aim at port 25 on the target box.
/^.*\.client\.comcast\.net/ 550 comcast direct-to-mx
/24 there.
If they aim at any other port, they're very likely to see nothing but "Connection denied" messages.
I've already got most of Comcast simply blocked from my mailservers, simply because I never see anything but spam coming from them:
If they REALLY want to send me e-mail, they need to send it through a non-client address (for example, through Comcast's own mailservers...)
It's nice to see that someone at Comcast is waking up, though. I'd been reporting spam coming from a triplet of IP addresses for approximately four months before I simply blackholed the entire
Now, to see if they can actually *do* anything about the problem they just noticed...
Specialization is for insects. - R.A.H.
We in the anti-spam community have been yelling this for a while. Since early 2004, most spam is sent through unwitting zombies (compromised Windows hosts) that are remotely controlled spam bots. This is not just an open relay issue. These hosts are hacked in an automated fashion and loaded with spamming software.
Now obviously, there's a lot an ISP can do about this and it doesn't have to be as drastic as blocking port 25 outright. Users which generate suspicious amounts of TCP port 25 traffic could be reassigned IP addresses from a probation-class pool. That is, hosts within that netblock might not be allowed to make port 25 connections, or might be advertised to the world as block-on-sight.
Just like squid proxying, why not redirect port 25 transparently to a Comcast mail proxy. This proxy could queue mail and essentially throttle outgoing mail or reject if spam is detected.
The area you're referring to is
For example, take a look at this quote, which makes my browser's caching of Slashdot's GNAA posts illegal:
Try reading this one: Subscriber Agreement. This section, in particular, gives Comcast permission to view any information transmitted over the network from or to you: Section 9's cool too. It says that you waive the right to sue them in a real court, but instead will have a hearing before a "neutral arbitrator". Anyhow, you should read all that stuff. Some of it's absolutely unique.
If I don't get modded up for this, I'll be amazed
My Systems
I have two primary requirements for an ISP. (1) must not block any ports for any reason. (2) must provide at least one static IP.
AOL blocks game ports, so they can charge you $5 more per month for opening the ports. They were one of the first to change the role of ISP from utility to controlled collector of optimal revenue. I have for at least 5 years told everyone to get rid of AOL. Unfortunately, today, people have come to accept the idea that it's ok for an ISP to block ports.
As for the zombies, the ISPs should try:
Open Standards Portal
If your modem activity light is on all the time.
If your network activity box (on your gnome pop up tool bar) is showing traffic even when you are not deliberately doing any network activity.
If your other network traffic monitors are showing activity when you are not doing any traffic.
Your modem activity light is, I suppose, the most foolproof method.
You can always wire up a bell which rings when the modem activity light goes on, so you will have an idea of what is going on.
Salivation optional.
;)
"... Comcast's network engineers would like to be more aggressive. But the marketing department shot down a ban on port 25 because of its circa $58 million price tag--so high partially because some subscribers would have to be told how to reconfigure their mail programs to point at Comcast's servers, and each phone call to the help desk costs $9."
It's interesting how such a simple technical change can wind up costing so much money. It's amazing how such small, seemingly innocent details add up to be monstrous problems!
"You shot the zombie flanders!"
"He was a zombie?"
What did the vegetarian zombie say?
"Graaiiiinnnnsssss"
http://www.brains4zombies.com
Old unix hackers don't die, they just turn into zombie processes.
I'm sure I'm missing a ton.
no
Comment removed based on user account deletion
I've seen some different approaches to block mail.
The one my ISP (a University) use it to black any incoming tcp connection with dst port 25. This stops spammers to use any badly configure mail server from beeing used as a relay. I can still use any mail server i want to send mails though, i can even run one of my own. What i can't do is handle incoming emails for my own domain. They also monitors how much mail is sent, and if your computer seems to send out "too much" mails, you'll get an email from the sysadmins asking you to explain what's up.
The other approach I've seen used by xDSL providers here is to block any outgoing connections to dst port 25. This way you could run you own mail server for you domain, but you must relay all sent email through the ISP's smtp server.
I think both solutions offers some protection against spammers, without putting to mych restrions on the users. Not sure which one is most effectiv e though, if any.
Note that you can also appear on blocklists for various other reasons. So look into why you're blocked. If you're listed on AHBL, CBL, SpamCop, WPBL for example then your host is probably infected.
Research has shown that stopping zombies requires blowing their brains out. It's them or you, so don't hesitate. BTW, more recent research suggests that the FZVA is a front for the vampires, so you're on your own when you stake 'em and bake 'em. We've got a SOLASER to destroy the biters, but the shamblers still require brute force.
--
make install -not war
A landmine system would be relatively easy to implement - you set up a few hundred landmines and block any customer IP who sends a spam to a landmine. It's similar to honeypots, although you treat the accounts like mines where even a single email will get an address temporarily blacklisted. Once blacklisted, you can shut off port 25 for that IP, disconnect their session for 30 minutes, or do whatever you want. The Streamlined Blackhole List server could be used to create a landmine database with a spread of 1 to instantly identify new hosts.
It took me three days to figure out why I couldn't connect to my domain server (which is hosted by my ISP).
Much as I disliked the idea, if Cox did it then Comcast should, too. If anything that would take care of about 90% of all the zombies. The ones in the business customer base are probably counted in the few hundreds and can be dealt with on a case-by-case basis.
And I don't see why it sucks if you're running your own email server - inbound 25 should no be closed, and you can send through Comcast's relays anyway. Or at least that's how it works with Cox.
Fabulous. Try delivering e-mail to any "real" mailserver on any port other than port 25. Go ahead. I dare you.
You can SEND FROM any port you like, but you're going to have to connect to a destination port 25 on the target box before anything gets delivered, in the vast majority of circumstances. (i.e., barring any misconfiguration, deliberate or otherwise, that results in the SMTPD listening on ports other than 25.)
Please go do some reading on the subject before embarrassing yourself again.
Specialization is for insects. - R.A.H.
Unless you pay about $85 a month for a "commercial" account, Cox has been blocking port 25 to anything but their own mailservers for more than a year now.
It sucks, but nobody can match their speed in my area... certainly not DSL.
Up until now, ISPs have been able to hide behind their status as a common carrier for anything illegal that their customers do. They don't monitor, thus, they can't do anything about it. Comcast is admitting their ability and willingness to monitor the types of traffic their customers are producing, and block undesirable traffic. How long before this gets turned around and smacks Comcast (and their customers) with problems?
The ISP I work for (name withheld to protect the proactive) has what I consider to be a good policy for handling bots. I think it is good because I came up with it myself. Any host that we get a complaint about is portscanned (all ports are scanned). The output from nmap is then fed into amap for application fingerprinting and mothra to grab banners. We then suspend the customer's internet access until they clean up the computer. On the whole port 25 thing, ever day we find systems that are running SMTP servers on bizarre, very high ports.
"Who's going to believe a talking head?" - Herbert West
My local ASP has a good solution to this. By default, port 25 is blocked, but customers can ask for it to be allowed through. The presumption is that if you know enough to ask for port 25, then you can take proper responsibility for your machines.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
Even if Comcast goes forth with this, it's just a drop in the bucket. Maintaining an open database of websites known to propogate spam, then blacklisting them would do more.
Of course, that'd require *real* work and verification, as those sites move all the time. Still, it's possible.
The point is, this is lipstick on a pig. No amount of port blocking is going to stop dumbass users from being turned into zombies, short of pulling the plug or blocking their access to a database of known-to-be-harmful sites.
Here's an idea: how about disabling it like they are considering, and then putting them on a probationary term? They'd be able to continue with Comcast, but their traffic would have to be filtered through the blacklist for, say three months?
I know it's not popular to talk about censoring sites, but it's wasteful in terms of productivity and economics to have to clean up after these zombies all the time. Perhaps the "denial of service" should be applied to those infected, say after two incidents?
Just thoughts. I applaud Comcast for thinking about it, but can't help but shake my head as to the likely effectiveness.
Given the gigantic expansion of broadband, I'm surprised that cable / dsl modems don't just do NAT and other firewalling techniques by default. It certainly seems like something the industry should push. Sure, today it's spam everyone's worried about, but when WindowsProcessX on port whatever is compromised next Comcast will have to start all over again blocking ports, unless the hardware each user had prevented this. As an added bonus, your "technical" users could configure things to their hearts' content too.
Just because you can't think of a reason to not use the Comcast server does not mean there are not good ones. I've recently been put in the same boat by BellSouth, and I assure you there are good reasons for not wanting port 25 blocked.
First of all, if you, like me, have a notebook and actually move frequently from location to location (home, work, family and friends houses, public sites with wireless access) then you want to be able to configure your mail client so that it will reach a mail server that you can log into and not have to change settings every time you change location. If you have a mail server outside of a "me only" mentality ISP then this is simple and straight forward. But when the ISP blocks port 25 (as well as not letting you use their meil servers whenever you're not originating from their network), it's a royal pain in the ass to reconfigure all the time.
Also, if you, like me, administer or help maintain a valid mail server off of the Comcast network, you may well find it important to actually send mail through this server. Or you might even have a company policy that states that all business mail must be sent through the compnay mail server. No problem if port 25 isn't blocked and you log into the server you want. Big problem if some short sighted system administrator at your ISP insists that everyone should be expected to use the Internet in exactly the same way.
And I can't speak about quality of service at Comcast, but at BellSouth the mail server is frequently down. This was not a significant problem if I had to send time critical information out as long as I had port 25 open and could log into one of the other servers I use. Now it's a problem even from my desktop system.
Fighting spam is great, but fighting stupidity is even more important.
I'm an American. I love this country and the freedoms that we used to have.
To provide services (such as incoming SMTP, SSH, etc.), one can rent a co-located box (or a User Mode Linux virtual colo) offsite, drive an outbound encrypted tunnel to that, and pass packets through the outbound connected pipe for all the ports and services blocked by Comcast. Linux servers can stay completely within the TOS. Dynamic IP addresses can change with no changes to the DNS tables. The best part of this is that if Comcast ever gets fiesty and NATs their users, there will be no interruption of service. Since you can choose whatever ports you want, an outbound tunnel will always work. At the user level, you can still use the web, download files, etc. without using bandwidth at the colo.
I am currently setting this up now with a local UML colo service, www.pdxcolo.net. $20/month, which is admittedly not free as in beer, but the cost is less painful than the enormous amount of Comcast zombie spam. And the colo can be shared, so real cheapskates can reduce the colo cost further.
I am glad Comcast is finally removing their heads from their posteriors about this. Maybe with some oxygen to their brains, they can make even more smart decisions. :-)
Keith Lofstrom server-sky.com
Comcast actually did something I agree with. I'm stunned.
Surgical strikes are a good idea--they stop the damn zombies without screwing over everyone else. Tho I think only blocking port 25 for zombies isn't going far enough.
IMO, Comcast should block the MAC addresses of spyware/virus infected zombies and send letters to these people, telling them that they'll only be unblocked if they can present proof that the virii/spyware are off their computers and that they've taken measures to ensure that it never happens again.
I support the Center for Consumer Freedom
Comcast could and should have gone ahead user-runtime-reversably blocked all of the common low service ports (1-1024) a long time ago.
By user-runtime-reversable I mean:
Put up a web page that I can connect to from my served address only, that lets me check-mark the common ports I want to allow in/out/both. And, most importantly, *NOT* change billing or pricing by check-box etc.
The default map would never be changed by users that don't care, and thus zombie-spam would be greatly reduced.
The custom map would be useful for those who do care.
Keying this on the "hostname" a paying customer sends with their DHCP requests, or by IP address and giving out nearly-static leases by default and clearing the map when a lease is lost, would be child's play. It is no harder technologically than dynamic DNS.
It could be instanciated anonymously one day and the only legitamate users who cared would even notice. As long as there was an obvious "so your ports were just locked on a service you were running at home and you don't like that? here's how to open them" link obviously placed on an "expert users" page on the corporate web site everythign would be self-healing.
Of course that implies that they have rationally segmented their network so that the routers can leverage this information in reasonable time.
Eveidence suggests that they have-not so segmented. (You would not *beleive* the amount of cyclic arping across multiple address ranges I see from their servers on my cable modem segment...)
Heck, the simple intelegence-test-effect created by requiring a user to find their own hostname string from inside either their active configuration or their setup invoice would be enough to stop all sorts of shenanagans... 8-)
So anyway Comcast, get a nice firewall box, set up a permiable wall, with a nice default mask, and let users instanciate a private mask if they so desire by visiting their service settings web page.
Not that hard, unless you bought your infrastructure *really* cheap... 8-)
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Before Comcast bought it out (though technically the same people and service, I had my broadband service temp. shutdown because they detected an open relay mail server on my line.
Once I shut off relaying, they had no problems turning the service back on.
"Where is my mind?"
I am a major cable company network engineer... and while the idea of allowing certain people access to having the ports open is nice in theory, it would be nearly impossible to implement on a large scale operation. With existing infrastructure all restrictions are placed in the access control list on the CMTS router. Without purchasing additional firewall equipment that can service a 1/2 million customers, which would run upwards of hundreds of thousands of dollars. The only way to selectively allow individual ip addresses to be able to use outbond would be to have individual allow statements for each customer who requested it placed on the ACL. Since nobody but the network group is allowed access to these systems we would need individual people dedicated to simply adding ip addresses to the ACL. And of course since each time a packet on port 25 is sent the entire outbound port 25 ACL is processed the load on the routers would be so high that additonal upgrades would be necessary. The entire reason to block all outbound port 25 connections is to stop those with viruses/spam relays from causing the isp's email server from ending up on blacklists from the likes of AOL, earthlink, and other very large isps. So the trade off is you inconvince those customer's who are already violating the acceptable use policy by running a prohibited email server or force them to use your outgoing smtp server. In the end the vast majority of customers are much happier because their email works better, has less spam and garbage and the isp has less work to do by contacting and disabling the service of those customer's spreading viruses or spam via email. If your the type that needs a service that allows servers, static ips, 4 hour service resolutions, higher upload then you can pay extra for those things and get a business class connection. That's really what it boils down to.
Apparently they haven't been turning a blind eye to the problem after all.
Yes, yes they have. They ignore complaints. If they weren't turning a blind eye to the problem, it wouldn't be necessary to totally block Comcast's IP space on mail filters.
They have the ability to take action when they receive abuse reports regarding zombie machines. They have thus far done nothing. It seems as though the volume of users bitching about being firewalled from the rest of the 'net as a result of their ISP's total inaction has finally reached a critical point.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I would dearly love it if Comcast (nee any and every ISP) offered a spesific /dev/null address that I could use with icmp-redirect like clarity.
When I see a bunch of bogus packets slam into my box that have no reason to exist, I would like to be able to automagically do the IP equivalent of call blocking.
Sending an ICMP-REDIRECT-like message out in response to a bogus packet should be snuffled up by the ISP equipment and taken as a "call block" request against a particular peer address.
So if I rig up my firewall to icmp-redirect to some magic address (say 0.0.0.0, which is never legal in a redirect), the upstream router should process it as, say, a 24 hour ban of packets from that address to my address.
Were such a thing to become common, the ISP could forward that ban on to the next upstream peer and so on until the "well behaved" router closest to the miscreant would be keeping the wastage off of the backbones entirely.
Since it is a poit-to-point ban it would be rather effective without letting malicious third parties do too much damage unless they could get common-segment with one of the parties.
Talk about killing a DDOS at the diverse roots.
Anyway, it would need a little refinement to keep the haxors next door from pretending to be me and cutting all of the sites they sniff me using, you know, check mac addresses or require me to use an activation squib from my firewall from time to time....
But it should be easy and safe enough once the nearest "Real" router got the do-not-call packet.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
If they notice enough traffic to be of a concern (probably not only quantity, but it being sustained) they ring you and ask. IF you reply "Uhhh, what's SMTP?" they tell you you have a virus and send you to a page to get it diagnosed and fixed. If it's legit, they drop it.
Also most of the viruses are scanning/spamming other ports (looking for hsots to infect). There is NO legitimate reason I can think for a host to randomly and intensly scan for port 445 (the Windows fileshare port) on the Internet. You are either virused, and should be cut off, or cracking, and should be cut off and beaten. Thus if you notice 445 scanning, it's a pretty safe bet to shut down the pipe because you've caught a virused host, or a script kiddie.
It's perfectly possible to watch for abnormal traffic and react accordingly. Some of it is just clearly right out (like random, sustained venerability scanning of hosts on the Internet) and you need no further investigation. Some is suspect, but nothing a simple phone call can't clear up.
It isn't difficult to allow people like yourself to exist, while proactively cutting off virused users.
My father had BellSouth DSL, and they've started blocking Port 25 for outgoing mail. This means that he couldn't send mail through the third-party mail server that he's been using for years. I don't want to have to change his settings (and he doesn't want to give people a new address) every time he has to change ISPs, so he pays a bit of money to use NetIdentity.com for his mail.
Since BellSouth wouldn't use some sort of reasonable measure of WHO was abusing the service instead of treating everyone as a spammer, we switched him to another DSL carrier. I think it's unreasonable to expect everyone to have to use ONLY the mail server of the ISP.
BTW, BellSouth said they WOULD open Port 25 if my father would pay double the money for a "business-class" DSL account, which shows me that it's more of a marketing distinction on their part than a distinction with a truly technical justification.
No biggie. Every MTA provides a feature to use a "SMART HOST." This is exactly the point of this. INBOUND port 25 does not need to be blocked, just outbound for this to have an effect. Home user's running their own mail server should have nothing to fear assuming they set their servers up to use a smart host.
Honestly, whats one more hop? Play nice and let your ISP know you are doing it. If your not a hastle to them, I bet they won't care. I've been doing it for years.
Just my 2cents.
Don't waste time... procrastinate now!
Cox blocks port 25 inbound and outbound. It used to be an outbound block only until MyDoom showed up.
This is why Indie-Mail (which is colocated with another ISP) runs the SMTP server on ports 25 and 28. I didn't care to have to run my mail through Cox.
Other people who run public mail servers would be smart to offer that feature. It allows their legitmate customers a way to avoid having to run all their mail through their ISP and doesn't do anything to help spammers.
Unless everybody used the same alternate port enough that e-mail viruses just started using the alt port and the standard.
Ben
Work Safe Porn
I'm trying to convince the powers that be to redirect outbound SMTP from all but our business customers and our own server farms to our local SMTP servers. That way we'd force all our normal customers into a mandatory Smarthost configuration. The only problem I've found while trying to get this going is a problem with redirection on Ciscos. It's been a few weeks since I stumbled across it. It's something about the redirected packet using the wrong source IP when dumped onto the wire facing the target of the redirection. Something like that. With a simple Linux firewall this wouldn't be a problem. I vote for redirection personally. Still this adversely affects users using SMTP authentication.
I'm happy to see that they're planning to do something non-drastic. RCN opted to simply block all outbound 25 and inbound 80, which is asinine. Fortunately I'd already moved from them to Comcast by that point, and Comcast wasn't misbehaving. If they start blocking ports, though, I'll go elsewhere.
:-) If they see a shitload of mail flooding out of my mail server constantly, then either I'm a spammer (in which case they should kill my account) or my SMTP server has been hacked, in which case they can notify me and I can fix it, saving everyone in the world a huge hassle. If I don't fix it, then they can turn the port off until I do.
Biggest advantage of running my own mail server? I can run IMAP there as well with squirrelmail, then receive AND send mail from any terminal in the world on my own account. No screwing around with finding the local SMTP server on whatever ISP I happen to be on. That's far more useful than you realize! And no, I do not accept the idea that just because some people abuse SMTP to send spam that we should slam everyone for it. I also run my own DNS server behind my firewall to let me centrally control aliases to various hosts. That's a perfectly benign act. I also make NTP requests, although I don't serve NTP to anyone else.
Someone else suggested a good compromise, I think. Default block anything below 1024 (in the appropriate direction, depending on the port), but let anyone explicitly request any given port to be opened, no questions asked. Quick signup on a web form, no long delay. That automatically keeps 99% of the zombies in check (since zombified users, most likely, won't know what a port is) and allows people like me to make full use of an always-on connection. Anyone who has requested a port be opened, however, is monitored not for content but for volume. OK, they'd get cranky if my home web server were slashdotted. Well so would I.
Makes everyone happy, and kills most zombies in the process.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
My Motorola Surfboard's orange "Activity" light (this model doesn't have separate LEDs for TX/RX) is almost always solid, even when I'm not doing anything at all. As if the constant flood of ARP traffic over the cable system wasn't enough, the constant hammering of any number of worms brings the traffic to a steady buzz. I still get Nimda and Code Red attempts on a daily basis, and lots of hits to 3306, which I presume are Slammer. In fact, here's the most recent attempt, About 8 minutes ago. From a worm that came out in, what, 2001?
tcpdump or Ethereal are probably the best ways to determine if you've been turned into a zombie. tcpdump | grep smtp, or leave Ethereal running for awhile and scan the output for connections to port 25. If either comes up with a shitload of outbound SMTP traffic, you've probably got a trojanned box.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
I am a Comcast customer, and I'd hate to have all
my connections proxied or blocked, but I don't see
the harm in making people like myself call a phone
number to supply a list of ports to unblock/unproxy.
Them: "How may we help you?"
Me: "Please unblock TCP port 25, both ways"
Them: "OK"
After all, why should millions of people have tens
of thousands of unneeded ports available for abuse?
AC: Comcast IS proposing... Damn illiterate fuck.
saforrest: Maybe ey's British.
The AC IS provincial and ignorant.
As you (saforrest) point out, collective nouns in British English are usually treated as plurals.
Optus (Australia) has a very good system.
Blanket block of all outgoing port 25 traffic. If you want your port 25 enabled, you go to a specific section of the Optus website, enter your login/pass and click "I Accept" on an agreement type thing, and click "Unblock my port 25".
Done. Techies who want their own mail dealies get them, and people who get infected and deployed as spambots go nowhere.
--
The last digit of pi is four.
Who the hell thinks that Comcast is going to do a surgical strike? What is the criteria? What if your port is accidentally blocked? And you call up Comcast, put on hold for 10 seconds and "Sorry, sir! Our mistake! We'll re-enable it right now!"
It is more like blanket block, 100 minute phone muzak, and "You are spamming! Company policy! Nope, can't do that! You are mistaken, it is not blocked. check your configuration. We only support Windows."
Well, I guess being optimistic is all one can do given the crap that is going around the world these days.
CHeers,
e.
The system lets the user out of isolation 30 minutes after the reason for isolation has disappeared. Though there are some users who get into isolation, out of it, back again all day long. One has to wonder what the users is doing with the computer? Just having it on, warming the house? Cause they can't surf the net, they can't send email...
This system has reduced outbound spam drastically! And the best part is, we don't have to find out who is infected (dynamic IPs) and then try to contact the end user (many times not the one who pays..).
here's the manufacturer's slide show (don't slashdot him to death..)
Comcast itself could transparently proxy all web access to a server that outputs that information.
I think it is a good idea.
Furtermore, I think that Internet providers should implement a standard method for reporting infected PC's by IP address and timestamp. They can forward this message to their customer.
Why not just transparently redirect port 25 the ISPs MTA? Just like a transparent Squid Proxy. That's what I do here at work. As long as the MTA is configured to relay for that IP range there shouldn't be any problem. Yes, the mail headers will have an extra hop; but that hop can scan for mass mailings, viruses or whatever. That way it is controllable in one central location.
I'm a comcast customer with a mailserver. I also have an IPtables firewall and a zoned defense with an IDS (running no IP address) in the "dirty" zone.
All these things are true on my connection:
Incoming port 25 is not blocked from the outside world.
Incoming port 25 is blocked from other Comcast IP addresses.
Outgoing port 25 is not blocked to the outside world (but is often filtered out by other networks. Widespread adoption of SPF will make this problem worse).
Outgoing port 25 is blocked to other comcast addresses - except to the comcast mailservers.
The comcast mailservers will relay anything that comes from a comcast IP, unfortunately they do this without even the most cursory scanning, so there are several virii (including at least one variant of klez) that are constantly being relayed out into the world at large by the comcast mailservers.
Blocks and tarpits come and go on other ports; mostly on NetBIOS ports. I block all netbios, but occasionally nmapping from outside comcast will show those ports as "open" (needless to say, my logs at home show the nmap packets never reached me).
This is the empirical truth, based on actual observation, in my section of the comcast net. There may be different conditions elsewhere.
I offered to fix comcast's problems for them, using excessed equipment and OSS (I figure it'd take about a week to implement a permanent solution to all virii and most spam on comcast) but their phone support guys were incapable of understanding what I was saying.