Comcast Gets Tough on Spam
WeakGeek writes "The Washington Post is reporting that Comcast, the nation's largest broadband ISP, has started blocking port 25 to reduce Spam. Jeanne Russo said Comcast is not blocking port 25 for all its users because it does not want to remove the option for legitimate customers who process their own e-mail. So the company is monitoring traffic and picking out machines that look suspicious. By blocking port 25, they say they cut Spam by 20% last week." ZDnet has another article, with a nice statistic: Comcast generates 800 million email messages/day, but only about 100 million of those are sent through Comcast's SMTP servers.
How do you tell whether your machine is a zombie spammer? Is running spybot enough?
And what if they make a mistake and block someone who just happens to send a lot of mail?
Is there a place to appeal?...as good as this could be, I think it's going to inconvenience a lot of people.
I still don't understand how spam exists economically. I guess people are dumber than I thought:
"Wow! I think I'll find out more about this Viiagraa! Thanks hf387hfjsd73@hotmail.com!"
... there's a back-channel for people whose email is legitimately disproportionately high to have it reinstated. I'd be a mite annoyed (read: bloody furious) if I wasn't doing anything wrong, but my internet access was suddenly curtailed... I send email from home (though never in any quantity likely to raise suspicion) and I don't see why I should use NTL (whose news and mail servers are crap) over my linux gateway.
What I find more chilling is the number of people in the article who are recommending general blocking of the smtp port. Just because it makes life easier for large corporations is no excuse for using a blunt instrument where an elegant solution could be found - in this case, I think the dynamic monitoring and blocking is far more preferable. If NTL decide to block port 25, I guess I'll just have to tunnel outgoing port-25 traffic over a different (say: 2525 :-) port to my co-lo machine and send from there...
Aside: The phrase 'Microsoft is working with....' always seems to send shivers down my spine these days because of the context I find it in. Sigh.
Simon
Physicists get Hadrons!
Now, if comcast would sell me a static IP address, I might care, but since they don't it's clearly not meant for servers. As long as I can come up with a way to get my mail out (presumably you could set up sendmail or another MTA to use smtp.comcast.net as a relay even though you need to authenticate to use it, but I've never looked into it) it doesn't seem like an issue to me.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If they detect port 25 traffic over a certain threshold, do a quick dns blocklist check. If they're blacklisted, stop traffic on port 25 for that customer and contact them to let them know their machine may be infected.
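One way the check suggested in the comment above could look, as an added illustration that is not code from the thread or from any ISP: count outbound port-25 connections per customer, and only for hosts over a threshold query a DNS blocklist. The zone `dnsbl.example`, the threshold, the action names and the sample flows are constructed assumptions; the resolver is stubbed so the example runs offline.

```python
import ipaddress
import socket
from collections import Counter

DNSBL_ANSWERS = ipaddress.ip_network("127.0.0.0/8")  # listings answer inside this range


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the blocklist zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True only if the query name resolves to a 127.0.0.0/8 answer."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        # NXDOMAIN means "not listed"; timeouts land here too, so this fails open.
        return False
    # A parked or wildcarded zone answers with an ordinary address: not a listing.
    return ipaddress.ip_address(answer) in DNSBL_ANSWERS


def triage(connections, threshold, zones, resolve=socket.gethostbyname):
    """Map each customer IP over the port-25 threshold to (action, count, zones_hit)."""
    per_host = Counter(src for src, dport in connections if dport == 25)
    decisions = {}
    for ip, count in per_host.items():
        if count < threshold:
            continue  # low volume: no DNS lookup at all
        hits = [zone for zone in zones if is_listed(ip, zone, resolve)]
        action = "block_port_25_and_notify" if hits else "watch"
        decisions[ip] = (action, count, hits)
    return decisions


def fake_resolver(listed_names):
    """Offline stand-in for DNS: listed names get 127.0.0.2, the rest NXDOMAIN."""
    def resolve(name):
        if name in listed_names:
            return "127.0.0.2"
        raise socket.gaierror("NXDOMAIN (constructed)")
    return resolve


# Constructed flows (source IP, destination port); documentation-range addresses.
SAMPLE_CONNECTIONS = (
    [("192.0.2.10", 25)] * 500      # high volume and listed: likely zombie
    + [("192.0.2.20", 25)] * 300    # high volume, not listed: e.g. a home mail server
    + [("192.0.2.30", 25)] * 3      # ordinary user
    + [("192.0.2.30", 443)] * 40
)
SAMPLE_RESOLVER = fake_resolver({"10.2.0.192.dnsbl.example"})

if __name__ == "__main__":
    for ip, decision in sorted(triage(SAMPLE_CONNECTIONS, 100, ["dnsbl.example"],
                                      SAMPLE_RESOLVER).items()):
        print(ip, decision)
```

The unlisted high-volume host is only watched, which is the case the thread worries about: a customer who legitimately sends a lot of mail.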
I bet it would be a lot more effective to automatically open accounts with that port 25 blocked. If you want to use it, you give them a call and ask for it to be opened. I bet at least 95% of the spam being created is being created without the user knowing so closing port 25 won't affect them.
I don't know about the rest of you here, but since I use them as an ISP and run my own mail server, (exim on debian woody, and yes it's secure) I'm very, very glad that Comcast isn't blocking 25 for everyone.
Not only did they take efforts to reduce spam, but for once, they actually listened to their own customers. Thanks Comcast.
Just put these dickhead spammers in jail for 5-10 years for causing so much disruption and cost to the world. I was reading a few days ago (and feel free to correct me/link to the URL) that spam causes ~$1,900 in lost productivity per employee, per year, in the US. THAT is absurd!
On a side note, people with virus infected machines will now notice they can't send email to their external SMTP servers, and call Comcast, which they will reply that you have a mass mailing internet worm, and you've been spamming thousands of messages a day. Due to your incompetence, we have turned off your external access, forever.
http://www.fsckin.com/
This seems like the right way to do it, as long as they've got a reasonable way for you to ask for it to be unblocked.
Nice to see a large soulless corporation not just shaft its customers wholesale.
"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
Sounds like a great plan to me! I don't like the idea of outright port blocking (customers are paying for IP access, right) but it's very easy to locate the suspicious hosts, which means that once the automated systems are in place they can easily add port restrictions.
:) Easy.
We can watch to see how effective this is by seeing how many of comcast's IPs show up in real time spam blocklists. Take CBL and WPBL for instance, two of my favourite lists...
% grepcidr -c -e 68.80.0.0/13 1501
% grepcidr -c -e 68.80.0.0/13 351
Now we see if those numbers go down over time
I would have no problem with my ISP blocking port 25 unless I specifically request it to be open. And I would sleep much better at night knowing that my mother isn't unknowingly spamming me and my closest 25 million friends. The stipulation is that it not cost me extra to be able to use port 25. And that the ISP's support staff not be morons.
I never knew Comcast was the largest ISP in the UK.
Oh.. your nation.. not my nation?
Sorry, I forgot there was no other part of the world.
Hi, I received this spam from out of your network. I trust sending spam is in violation of your terms and conditions.
Please take appropriate measures.
I read recently that about 80% of spam is sent via hacked computers on broadband: http://www.sandvine.com/news/pr_detail.asp?ID=50
You might consider closing port 25 per default and only open it for customers who explicitly want to run their own mail servers.
Thanks,
Bellsouth is now blocking all port 25 traffic, whether or not they sell the customer a static IP.
I had a mail server running on static IP for over a year and they've just blocked it as of last night- Their third tier support claimed that it was because they were being threatened with being blocked by other ISPs.
"By blocking port 25, they say they cut Spam by 20% last week."
They're talking out of their asses. I have manually blacklisted their entire cablemodem space quite some time ago. Running a grep on the mail log files shows that this week I've already rejected approximately 20% more spam from Comcast than last week.
And the week ain't over yet. The log files rotate on Sundays.
I have concluded that Comcast is a lost cause. Damaged goods. The best thing to do is to blacklist their whole stinking sewer pit, and move on with your life.
SpamCop will take care of figuring out the origin and reporting spam for you.
Before, I'd receive about a dozen spams a day, at least. I had started getting them right after I signed up for a PAYPAL account. In the past 2 days, I've received not one spam. Absolutely unreal.
For those who do operate home mail servers, why can't such people just configure their outgoing SMTP server to pass all outgoing mail through the ISP's SMTP server to get around such blocks, and therefore have a more "trustworthy" and less likely to be blocked IP address in the headers?
"So the company is monitoring traffic and picking out machines that look suspicious."
Okay, isn't that what GMail is doing but to ADD a small advert, and everyone goes bonkers..
Comcast does it to 'stop spam' and they're a hero...?
Excuse me, I don't mean to impose, but I am the ocean
... This is starting to worry me a little. I have been happily running my own mail server for over a year now. The reason being is that I want the ability to host all my own solutions and at the same time use the bandwidth I'm already paying for.
With wonderful dynamic DNS services like no-ip.org I am able to do this on any dynamic IP and I have no reason to worry about needing one of those pesky static IP addresses.
Hopefully if something were to happen where I'd start getting blocked I could just use my connections at work and contact their e-mail admins directly to resolve the issue. However this slash and burn tactic is just the wrong way to go about fighting spam. Hence one of the reasons I left Earthlink/Mindspring, who block e-mail from ALL Dynamic IP addresses and also block outbound port 25 on their networks.
I send out on average about 15 emails/day. None of my email traffic goes through comcast's SMTP servers.
Assuming that this is about average, it would only take 46666.67 customers using non-comcast servers to reach this number.
The following is only anecdotal, but...
I have set up the cable modems of at least 18 friends and family members. In general I have found that parents tend to use work email addresses most, AOL accounts second most, Hotmail/other free providers, and comcast addresses least. Kids tend to use either AOL or a free email provider more often than using a comcast address.
That comes to about 8 comcast addresses that are actually used out of the 50 or so email accounts used by these friends and family.
I am surprised the number is not much higher.
I have Bellsouth DSL and they're blocking port 25 incoming and outgoing for their DSL subscribers. I had a lengthy discussion with tech support about it and they said "that's just how it is". If you have Bellsouth DSL and you can still use port 25 - enjoy it now. The block is coming.
penis enlargement is dangerous and ineffective.
tell your small dicked friends!
They can't change if they are sending. If they are receiving they can do whatever they like.
When sending to SMTP you only have 25, 587, and sometimes 2525. (and some others)
So if I want to spam your company. I would have to connect to your company's smtp service. Most likely it's running on port 25. Thus if 25 is filtered for me, I'm screwed.
Mostly, everything but 25 requires authentication and even if this cuts a few percentage points of spam that's (in real life) millions of stopped spam.
Fighting spam requires many fronts, I'm glad to see comcast join the fight. If they don't screw it up, that is.
If mail servers would start blocking all mail coming from dynamic IPs, they would block the vast majority of spam and block almost no legitimate mail. Yeah, I know that some folks running mail servers on dynamic IPs aren't going to like that, they can still send mail through their provider's mail servers. The arguments against blocking mail from dynamic IPs are pretty much the same as when people were arguing about open mail servers. This is just one more thing that spammers have ruined.
What legal use could a person possibly have for needing 3 gigs per day of bandwidth, out of curiosity? I peak when I download or significantly update my systems, but even that rarely goes over a couple of gigs, and that's certainly not an every day thing.
And even though they are not blocking port 25 for me, I've found that if I send from their network, a good portion of my email bounces because a lot of companies have all of comcast's network blacklisted.
I now relay my mail through another server and have no problems.
Need Free Juniper/NetScreen Support? JuniperForum
I generally don't like the idea of ISP's interfering with the network, but port 25 is the exception. I like the idea of them blocking 25 by default, but this plan of keeping an eye on their customers is the next best thing. Most people don't realize how much spam comes from broadband accounts. There is some legitimate mail, yes, but those people need to find a new way of life, because it's mostly spam. I use Sendmail at work, and realizing how things have changed on the spam front I updated my /etc/mail/access file so it now starts like this:
And it goes on, and on, and on, for well over a thousand lines. After implementing this I did some calculation and determined that I was blocking about 22% of our incoming mail. There have been some hiccups, but in general I'm really glad I did this. A few people have contacted me to complain that they can't send mail to my users, and I usually tell them to get a static IP address for their mail server or send through a designated relay. This inconvenience to cheap-o owners of SMTP servers with DHCP-assigned addresses has been a real shame, but my users have commented on how much less spam they've been getting recently. Blocking broadband users and using Spamcop have been a great combination. Perhaps one day if more ISPs follow Comcast we'll be able to trust those domains again.
I'm a comcast user and I thought you wouldn't let you get away with running anything that accepts inbound connections. Does this mean I can get away with opening up for inbound ssh?
1) What if I want to create a mailing list for a project that I (hypothetically) am making and host the e-mail server myself?
2) I have absolutely no idea what their virus filter du jour is. Nor do I have any influence on it. If it nukes a ZIP file that I was trying to send (or hoping to receive) then it's just bad luck I guess.
3) The performance of smtp.mail.dk has been known to be abysmal at times... I wouldn't call it smart to force all e-mail to go through your server if it couldn't even handle the load when only some percentage of what your customers sent went through it earlier...
And I have to deal with this crud because some morons don't belong on the internet, aren't using a firewall and get infected with every single fscking e-mail "virus" [*] that is sent their way.
Not to mention how frustrating it was when my e-mail suddenly one day just stopped working.
[*]: Trojan of course. But no one ever seems to use the right terminology.
________
Entranced by anime since late summer 2001 and loving it ^_^
*LOGICAL FALLACY ALERT* "i received more spam from them this week" does not translate into "they sent more spam". it is entirely possible for their spam numbers to go down and yours to go up, that just means someone else got 40% less spam from them this week.
I never said I was smart, I just said I was smarter than you
And do you think Comcast finally took this step because they decided to stop their spamming users?
Hell no!
The only reason they got off their asses is because admins started wholesale blacklisting of their IP space and their customers started complaining.
Blacklisting WORKS! It's the only way to force these ISPs to be responsible.
If you're running content-based filtering, you're part of the problem. If you refuse SMTP traffic from confirmed spam sites, you are part of the solution.
Serving their own (popular) web page? Hosting a busy mailing list for some obscure interest? Doing both at once?
I'm sure Slashdot has put more than 3gigs load on some of the websites it has linked to. Many are hosted out of somebody's basement. (Ok, so that is a one-day load.)
Do you really have to be a business to need to send stuff to other people?
'Sensible' is a curse word.
Here's how it works:
AOL user has a button in their email "this is spam" or "I don't want this" or somesuch.
When they hit the button, the message and headers are sent to some server.
The server automatically blocks the IP of the SMTP server that sent the message so it can no longer send email to AOL.
This works in theory, except many users treat this button as a way to muffle their annoying friends. So a "forwarded joke" can get flagged as spam even if it is from their cousin on a small local ISP. There is NO oversight in the process.
Utterly stupid.
I know this, because a local ISP that I help out sometimes coaxed the AOL people to forward the messages with headers so he could address the "problems" and get his mail server unblocked. The messages were personal emails, notes from friends, messages from people's own lawyers as well as normal spam.
I am not sure if they have given up caring if AOL-bound emails are blocked. But that's just about the only thing they can do.
Note the DO NOT REPLY TO THIS EMAIL ADDRESS.
The fax address could also be faked.
At 20 million addresses, that makes my eyeballs worth .005 cents.
I am insulted!
(some stuff deleted to avoid lameness filter)
EMAIL BLAST CAMPAIGNS
ARE YOU TOO BUSY TO SEND OUT YOUR EMAILS YOURSELF?
WHY NOT LET US DO IT FOR YOU?
HOW MANY WOULD YOU LIKE US TO BROADCAST FOR YOU?
PLEASE CHOOSE FORM THE FOLLOWING:
[ ] 5 Million ADDRESSES $400.00
[ ] 10 Million ADDRESSES $600.00
[ ] 20 Million ADDRESSES $1,000.00
[ ] 30 Million ADDRESSES $1,500.00
We use our own directory, so you do not need to pay one dime extra.
"69 percent of U.S. e-mail users have made purchases online, 59 percent have
Purchased in retail stores, 39 percent have purchased through catalogs,
34 percent through call centers and 20 percent through postal mail."
E-mail broadcasting is the simplest, fastest, and most effective way to
Communicate. Reach media messages, which invite recipients to respond live.
SEE HERE FOR DETAILS ON OUR CURRENT PROMOTIONS
No Software to Buy - Nothing to download
Lowest cost for broadcast - Guarantee!
E-Mail is a key component in maintaining contact with your customers!
Email Broadcasting
==DO NOT REPLY TO THIS EMAIL ADDRESS==
ONLY COMMUNICATE WITH US BY FAX
Fill out the Form below and fax it back to 1-240-371-0672
PLEASE PRINT OR TYPE CLEARLY BY CAPITAL LETTERS:
Name:
Country: City:
Telephone:
Email Address:
(REQUIRED)
{ } Information regarding the available forms of payment.
{ } If you need more information it is quicker for us and for you to Communicate through email:
To be removed from the database please follow this link, http://notinuse.biz/takeoff/takeoff.html
Headers:
Return-Path: kgbwascaeper@fri.uni-lj.si
Received: from 221.2.198.66 (221.2.198.66)
by mail01h.rapidsite.net (RS ver 1.0.94vs) with SMTP id 0-0164468140
for ; Sat, 12 Jun 2004 07:02:30 -0400 (EDT)
Received: from 248.113.104.192 by 221.2.198.66; Sat, 12 Jun 2004 17:56:23 +0600
Message-ID:
From: "Scot Swain"
Reply-To: "Scot Swain"
To: CENSORED
Subject: ARE YOU TOO BUSY TO SEND OUT YOUR EMAILS YOURSELF?
Date: Sat, 12 Jun 2004 08:02:23 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--263BC7F2E7F33859B"
X-Priority: 3
X-IP: 80.224.251.116
X-Loop-Detect:1
Status:
I, and many of my family members in other cable providers (whoever does Atlanta does the same thing) have had port 25 blocked. Took me awhile to figure out at first. Actually had to have a family member telnet to blah:25 before I believed what was happening.
The solution was to open up another port for SMTP access on our server.
This happened years ago, I never thought twice about it.
-Malakai
A Dragon Lives in my Garage
On the other hand, serving one's own web page from a residential broadband connection is usually against the user policy of the ISP, hence making it not legal to do so.
Backup not found: (A)bort (R)etry (P)anic
Has anyone noticed that email which passes through Comcast's servers is delayed for an amazing amount of time? I had a customer that I consult for miss deadlines (and consequently sales) because of mail that was sent at 0800 and got received at 2200 the next day. I'm not exaggerating.
Hearing this and playing around with it a bit, it became obvious that the mail was simply lounging around on Comcast's servers.
Now, of course, I can talk to their tech support until I'm blue in the face and ask them what's going on, but I'd like to take this chance to appeal to the Slashdot community, who usually have a much better understanding of these matters than the droids at the Comcast call center.
If you do a couple quick searches around dslreports and newsgroups and so on, you'll see that there are in fact many people who have the precise same issue, and have received no significant reply.
Are there any Comcast insiders who know why these emails float around in limbo for 24 hour periods?
I hope so. Before Cox blocked port 25, I started getting more and more bounces but Exim was still more reliable than Cox's SMTP server. Not being able to run a real mail server bothered me, but having to point my MTA at Cox's SMTP servers has been a real pain.
This inconvenience to cheap-o owners of SMTP servers with DHCP-assigned addresses has been a real shame ...
Do me a favor and tell Cox to get rid of their expensive and money losing DHCP infrastructure for their "always on" internet connection with a 1:1 IP to client ratio. I liked the static IP I got from AtHome and I paid for one from Cox when they started to charge for that "service". I dropped it when they wanted $70/month for service that was slower than DSL.
Friends don't help friends install M$ junk.
bell sympatico in .ca has been blocking outbound port 25 for ages.
it kind of bugged me at first to think "damn them for controlling my usage!"
but then I realized how much spam actually comes directly from idiot systems out there I changed my mind. My server doesn't process all that much mail; maybe 50,000 messages a week. But ever since I stopped allowing mail from unauthorized dynamic hosts (using securitysage's rules and postfix) I've been able to monitor where it comes from. (4400 or so messages/week from comcast hosts)
This type of thing shouldn't affect 'normal' users. For the clients I have that do use sympatico; I've setup an alternative method for them to still use my system as an outbound server -- with authentication, naturally.
It's a lot easier to control spam if email is channeled through an ISP's server rather than a bunch of rogue systems sending directly to destinations... let's see if my numbers on comcast mail rejections drop...
It's just Crap.
Don't forget:
Gaming server
IRC server
multiple VNC server
Internet radio
PHPnuke boards
Popular Blog
Popular Webcomic comic
Not so popular flavor of Linux you made yourself
Internet phone
Being a camgirl
Seriously, is your imagination so limited that you can't think of another way you use up a lot of uploading bandwidth legally?
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
For a company that's "getting tough on spam", they don't seem too interested in implementing one of the more common measures to reduce it...
One of the servers that I administer is on Comcast. I just set up SPF records for that domain, and I "include comcast.net" because we send most of our stuff through their SMTP server. Now if only Comcast would set up their SPF records, we could comply to this lovely standard.
Sorry to take this opportunity to rant about one of my pet peeves...
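The `include:` dependency described in the comment above has a sharp edge worth seeing in code. This is an added example, not from the thread: a small evaluator for a subset of SPF (`ip4`, `include`, `all`) showing that, under RFC 7208, including a domain that publishes no SPF record yields `permerror` rather than a pass. All domains, addresses and records are constructed placeholders, and the depth guard is a simplification of the RFC's lookup limit.

```python
import ipaddress

# Constructed TXT data standing in for DNS; names and ranges are placeholders.
SAMPLE_TXT = {
    "customer.example": "v=spf1 ip4:192.0.2.0/28 include:isp.example -all",
    "isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # The situation in the comment: the included domain has no SPF record.
    "broken.example": "v=spf1 include:norecord.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, txt=SAMPLE_TXT, depth=0):
    """Evaluate ip against domain's SPF record (ip4, include and all only)."""
    if depth > 10:
        return "permerror"  # simplified stand-in for the 10-lookup limit
    terms = (txt.get(domain) or "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            inner = check_host(ip, term[len("include:"):], txt, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                # An include target without a usable record is an error in
                # the including record, not a silent non-match.
                return "permerror"
            # fail / softfail / neutral: no match, keep evaluating
        else:
            return "permerror"  # mechanism outside this subset
    return "neutral"  # ran out of terms without a match


if __name__ == "__main__":
    for ip, domain in [
        ("192.0.2.5", "customer.example"),     # own range
        ("198.51.100.7", "customer.example"),  # ISP relay, via include
        ("203.0.113.9", "customer.example"),   # neither
        ("198.51.100.7", "broken.example"),    # include target has no record
    ]:
        print(ip, domain, check_host(ip, domain))
```

Receivers differ in how they treat `permerror`, so a record that depends on a provider's missing SPF record gives unpredictable results until the provider publishes one.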
We send a lot of email to AOL and are in AOL's feedback loop for spam reports.
You are right, pushing the button leads to a spam report being sent to AOL, who then keep statistics on file for the spam's origin. If your IP gets "too many" reports compared to the volume of email you are sending, you will be blocked. But it's not normally a 1-for-1 type of deal. And if you're in the feedback loop, you get a copy of the spam report.
We've had days where we've received as many as 20 spam reports, yet we haven't been blocked yet, presumably because our volume was high enough and our track record good enough to be left alone.
We don't send spam. All our users subscribe (yes, on purpose) to receive our email. Yet you get people pushing the "Report Spam" button for many reasons:
- In AOL 9.0, there is not even a warning or a window asking to confirm the button press. You push the button, and any email you have selected is instantly reported as spam.
- They don't tell their users that spam reports are filed and that this may have adverse effects on the person sending the email. All they know is "I don't want email like this anymore." We go out of our way to remind our users in every email where they can go to cancel their account. Doesn't matter. (Keep in mind these people actually requested our email.)
- The "Report Spam" button is DIRECTLY NEXT TO THE DELETE BUTTON. This is fucking retarded. Combined with no warning when a spam report is filed, half the people filing reports are aiming for the delete button. (We know because we've asked for info about these people.)
Here's the best part.
AOL sends these spam reports to you if you are in the feedback loop. The idea is that you will act on them since you are not supposed to send that person any more email once they report you. But they delete the person's email address so you're SOL in most cases! Luckily for us, we're using a good list server that lets us embed the member ID of the user so we can cancel their account. But lots of times we'll get reports on various automated emails from our website that have no other ID aside from the now-erased email address.
All in all, AOL has their head up their ass.
I work at a small-to-middling isp, and we get almost daily reports from spamcop et al reporting one of our dsl customers. We're going to have to start blocking outgoing port 25 unless the customer requests it be unblocked simply in self-defense. It's a tiny, minute fraction that do actually run their own mail servers, and even they could still relay through our mail server. When SPF or something like it is widely deployed, then we'll be able to open things back up because few of these machines will be authorized mail servers.