Slashdot Mirror
Comcast Thinks About Stopping Zombies
LehiNephi writes "Comcast has finally admitted that its users are responsible for a large amount of spam, and they are thinking about how to stop it. Apparently they haven't been turning a blind eye to the problem after all. The simple, blanket approach of blocking all traffic on port 25 would have too many side effects, particularly for users running their own mail servers. However, they can block that port on individual cable modems-a sort of surgical strike. As far as I'm concerned, the sooner they implement this, the better!"
Comcast cable modem customers aren't allowed to run mail servers anyway, so I doubt the side-effects would bother them
This clearly violates the right to maintain your own SCO-attack zombie.
I think it's a good idea. But why stop there? Disconnect the zombies until they fix the problem on their computer.
Had a user come into our help channel last night, unable to send email through his account with us since that morning (yesterday Sun 05/23) and I confirmed the server was working fine so I had him telnet to port 25 - no luck, had him telnet to port 25 on the server I use for email - no dice, had him use port 2525 - SMTP connection opened up fine.
He was using comcast for his cable modem. Said it just started that day.
We accept incoming smtp on port 2525 also since my OWN isp at home blocks port 25 (knology) so I have ot use 2525 to send email through my company email server myself.
--- www.f-theocean.com
There's a real easy way to tell the difference between a zombie and somebody running a home mail server...
The zombie will be sending an insane number of e-mails to an insane number of users constantly. No home mail server should be used to run a listserve with anything more than a hundred people or so. Therefore, bursts of port 25 are okay, camping on port 25 is a sign of trouble.
What if they had a *simple* process for registering your mail server with them? 5 minutes, maybe $20 and that's it?
People who run their own mail servers are control freaks and had better be technically minded enough to call the Admins at Comcast in order to register their mail server.
Otherwise, who'd notice or care?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
"We're the biggest spammer on the Internet," network engineer Sean Lutner said at a meeting of an antispam working group in Washington, D.C., last week.
Seconds later, bangs, thrashes, and pleads for mercy in a very Lutner-like voice could be heard from outside the conference room.
The coolest voice ever.
As a mail admin stop the shit yourself.
:-)
Ban - client.comcast.net, and client2.comcast.net
Since the spammers can't forge the reverse DNS on the IP you can trust your blocking Comcast's dynamic ranges. Their business customers are not on any of the IP's that reverse to client.comcast.net or client1.comcast.net, and residential customers in the blocked dynamic ranges can relay mail to you through comcast's mail servers like they are supposed to.
There is absolutely no reason in this day and age of spam to run a legit mail server off of a dynamic IP address.
However, they can block that port on individual cable modems-a sort of surgical strike.
Bit like Whack-A-Mole, then?
The coolest voice ever.
Why don't they block it on ALL cable modems and let people unblock it if they wish? The majority of users who go through the trouble to unblock it are going to run secure machines. Even if they don't, it's going to reduce the number of spam bots.
And they won't have the privacy advocates all over them...
Won't someone please think of the zombie child processes?
There is actually an 'official' alternate port for this purpose. See:
http://www.ietf.org/rfc/rfc2476.txt
If the spammer wants to *send* spam out, they're going to aim at port 25 on the target box.
/^.*\.client\.comcast\.net/ 550 comcast direct-to-mx
/24 there.
If they aim at any other port, they're very likely to see nothing but "Connection denied" messages.
I've already got most of Comcast simply blocked from my mailservers, simply because I never see anything but spam coming from them:
If they REALLY want to send me e-mail, they need to send it through a non-client address (for example, through Comcast's own mailservers...)
It's nice to see that someone at Comcast is waking up, though. I'd been reporting spam coming from a triplet of IP addresses for approximately four months before I simply blackholed the entire
Now, to see if they can actually *do* anything about the problem they just noticed...
Specialization is for insects. - R.A.H.
We in the anti-spam community have been yelling this for a while. Since early 2004, most spam is sent through unwitting zombies (compromised Windows hosts) that are remotely controlled spam bots. This is not just an open relay issue. These hosts are hacked in an automated fashion and loaded with spamming software.
Now obviously, there's a lot an ISP can do about this and it doesn't have to be as drastic as blocking port 25 outright. Users which generate suspicious amounts of TCP port 25 traffic could be reassigned IP addresses from a probation-class pool. That is, hosts within that netblock might not be allowed to make port 25 connections, or might be advertised to the world as block-on-sight.
Yeap. This is the only way to stem the traffic. People can still run their own mail servers, but all outbound connections should go though the ISP. Afterall, it is not like it is a privacy issue (they can sniff the packets anyway, so bypassing their SMTP server does not help you!)
The area you're referring to is
For example, take a look at this quote, which makes my browser's caching of Slashdot's GNAA posts illegal:
Try reading this one: Subscriber Agreement. This section, in particular, gives Comcast permission to view any information transmitted over the network from or to you: Section 9's cool too. It says that you waive the right to sue them in a real court, but instead will have a hearing before a "neutral arbitrator". Anyhow, you should read all that stuff. Some of it's absolutely unique.
If I don't get modded up for this, I'll be amazed
My Systems
I have two primary requirements for an ISP. (1) must not block any ports for any reason. (2) must provide at least one static IP.
AOL blocks game ports, so they can charge you $5 more per month for opening the ports. They were one of the first to change the role of ISP from utility to controlled collector of optimal revenue. I have for at least 5 years told everyone to get rid of AOL. Unfortunately, today, people have come to accept the idea that it's ok for an ISP to block ports.
As for the zombies, the ISPs should try:
Open Standards Portal
For example, ISPs that send me plenty of spam and viruses relayed through their main mail servers are: arnet.com.ar, bigpond.com, btinternet.com, libero.it, singnet.com.sg, videotron.ca, wanadoo.fr
Case in point. Blocking port 25 doesn't stop spam. Booting your spamming customers does.
"You shot the zombie flanders!"
"He was a zombie?"
What did the vegetarian zombie say?
"Graaiiiinnnnsssss"
http://www.brains4zombies.com
Old unix hackers don't die, they just turn into zombie processes.
I'm sure I'm missing a ton.
no
Comment removed based on user account deletion
Note that you can also appear on blocklists for various other reasons. So look into why you're blocked. If you're listed on AHBL, CBL, SpamCop, WPBL for example then your host is probably infected.
They now have a choice - how much is it going to cost them if they do NOT implement some policy that prevents their users from spamming the entire world, and they end up getting all of their e-mail blocked?
And how much money could have been saved if they'd implemented such a policy when people started telling them it was a problem (it's been several years since people started telling Comcast that their users were a load of USDA Prime Clue-Free Spam Zombies...)
It's interesting how much money can be saved by paying attention to the small, seemingly innocent details before they add up to be monstrous problems.
Specialization is for insects. - R.A.H.
This story is about compensating for users who are unaware that their computer has been trojaned and is emitting spam. Is getting kicked off your ISP a suitable punishment for that? Comcast is doing the minimum necessary to keep the most people possible happy (except the spammers, and apparently you).
The ISP I work for (name withheld to protect the proactive) has what I consider to be a good policy for handling bots. I think it is good because I came up with it myself. Any host that we get a complaint about is portscanned (all ports are scanned). The output from nmap is then fed into amap for application fingerprinting and mothra to grab banners. We then suspend the customer's internet access until they clean up the computer. On the whole port 25 thing, ever day we find systems that are running SMTP servers on bizarre, very high ports.
"Who's going to believe a talking head?" - Herbert West
Speakeasy lets us run whatever the heck we want. Then again, every month or so I see their relay testing in my Postfix logs. It's a strange concept: innocent until found guilty.
Just because you can't think of a reason to not use the Comcast server does not mean there are not good ones. I've recently been put in the same boat by BellSouth, and I assure you there are good reasons for not wanting port 25 blocked.
First of all, if you, like me, have a notebook and actually move frequently from location to location (home, work, family and friends houses, public sites with wireless access) then you want to be able to configure your mail client so that it will reach a mail server that you can log into and not have to change settings every time you change location. If you have a mail server outside of a "me only" mentality ISP then this is simple and straight forward. But when the ISP blocks port 25 (as well as not letting you use their meil servers whenever you're not originating from their network), it's a royal pain in the ass to reconfigure all the time.
Also, if you, like me, administer or help maintain a valid mail server off of the Comcast network, you may well find it important to actually send mail through this server. Or you might even have a company policy that states that all business mail must be sent through the compnay mail server. No problem if port 25 isn't blocked and you log into the server you want. Big problem if some short sighted system administrator at your ISP insists that everyone should be expected to use the Internet in exactly the same way.
And I can't speak about quality of service at Comcast, but at BellSouth the mail server is frequently down. This was not a significant problem if I had to send time critical information out as long as I had port 25 open and could log into one of the other servers I use. Now it's a problem even from my desktop system.
Fighting spam is great, but fighting stupidity is even more important.
I'm an American. I love this country and the freedoms that we used to have.
I am a major cable company network engineer... and while the idea of allowing certain people access to having the ports open is nice in theory, it would be nearly impossible to implement on a large scale operation. With existing infrastructure all restrictions are placed in the access control list on the CMTS router. Without purchasing additional firewall equipment that can service a 1/2 million customers, which would run upwards of hundreds of thousands of dollars. The only way to selectively allow individual ip addresses to be able to use outbond would be to have individual allow statements for each customer who requested it placed on the ACL. Since nobody but the network group is allowed access to these systems we would need individual people dedicated to simply adding ip addresses to the ACL. And of course since each time a packet on port 25 is sent the entire outbound port 25 ACL is processed the load on the routers would be so high that additonal upgrades would be necessary. The entire reason to block all outbound port 25 connections is to stop those with viruses/spam relays from causing the isp's email server from ending up on blacklists from the likes of AOL, earthlink, and other very large isps. So the trade off is you inconvince those customer's who are already violating the acceptable use policy by running a prohibited email server or force them to use your outgoing smtp server. In the end the vast majority of customers are much happier because their email works better, has less spam and garbage and the isp has less work to do by contacting and disabling the service of those customer's spreading viruses or spam via email. If your the type that needs a service that allows servers, static ips, 4 hour service resolutions, higher upload then you can pay extra for those things and get a business class connection. That's really what it boils down to.
I would dearly love it if Comcast (nee any and every ISP) offered a spesific /dev/null address that I could use with icmp-redirect like clarity.
When I see a bunch of bogus packets slam into my box that have no reason to exist, I would like to be able to automagically do the IP equivalent of call blocking.
Sending an ICMP-REDIRECT-like message out in response to a bogus packet should be snuffled up by the ISP equipment and taken as a "call block" request against a particular peer address.
So if I rig up my firewall to icmp-redirect to some magic address (say 0.0.0.0, which is never legal in a redirect), the upstream router should process it as, say, a 24 hour ban of packets from that address to my address.
Were such a thing to become common, the ISP could forward that ban on to the next upstream peer and so on until the "well behaved" router closest to the miscreant would be keeping the wastage off of the backbones entirely.
Since it is a poit-to-point ban it would be rather effective without letting malicious third parties do too much damage unless they could get common-segment with one of the parties.
Talk about killing a DDOS at the diverse roots.
Anyway, it would need a little refinement to keep the haxors next door from pretending to be me and cutting all of the sites they sniff me using, you know, check mac addresses or require me to use an activation squib from my firewall from time to time....
But it should be easy and safe enough once the nearest "Real" router got the do-not-call packet.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
My Motorola Surfboard's orange "Activity" light (this model doesn't have separate LEDs for TX/RX) is almost always solid, even when I'm not doing anything at all. As if the constant flood of ARP traffic over the cable system wasn't enough, the constant hammering of any number of worms brings the traffic to a steady buzz. I still get Nimda and Code Red attempts on a daily basis, and lots of hits to 3306, which I presume are Slammer. In fact, here's the most recent attempt, About 8 minutes ago. From a worm that came out in, what, 2001?
tcpdump or Ethereal are probably the best ways to determine if you've been turned into a zombie. tcpdump | grep smtp, or leave Ethereal running for awhile and scan the output for connections to port 25. If either comes up with a shitload of outbound SMTP traffic, you've probably got a trojanned box.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
The system lets the user out of isolation 30 minutes after the reason for isolation has disappeared. Though there are some users who get into isolation, out of it, back again all day long. One has to wonder what the users is doing with the computer? Just having it on, warming the house? Cause they can't surf the net, they can't send email...
This system has reduced outbound spam drastically! And the best part is, we don't have to find out who is infected (dynamic IPs) and then try to contact the end user (many times not the one who pays..).
here's the manufacturer's slide show (don't slashdot him to death..)
Them: "How may we help you?"
Me: "Please unblock TCP port 25, both ways"
Them: "OK" , we could do it for 5$ a month
After all, why should millions of people have not to pay for ten of thousands of needed ports ?