Slashdot Mirror


Comcast Gets Tough on Spam

WeakGeek writes "The Washington Post is reporting that Comcast, the nation's largest broadband ISP, has started blocking port 25 to reduce Spam. Jeanne Russo said Comcast is not blocking port 25 for all its users because it does not want to remove the option for legitimate customers who process their own e-mail. So the company is monitoring traffic and picking out machines that look suspicious. By blocking port 25, they say they cut Spam by 20% last week." ZDnet has another article, with a nice statistic: Comcast generates 800 million email messages/day, but only about 100 million of those are sent through Comcast's SMTP servers.

30 of 405 comments

  1. what about mistakes? by mp3LM · · Score: 5, Interesting

    And what if they make a mistake and block someone who just happens to send a lot of mail?

    Is there a place to appeal?...as good as this could be, I think it's going to inconvenience a lot of people.

    1. Re:what about mistakes? by drinkypoo · · Score: 4, Informative
      I don't know how they are about this email blocking thing but when they send you an abuse letter for bandwidth overusage :) you can just call support and they'll talk to you. If you want to find out how much bandwidth it's ok for you to use you basically have to call all over the country (hooray for cellular with no long distance fees) to find some guy in Florida (or such was my path, anyhow) who will tell you not to download more than 90GB/mo.

      Anyway I installed MRTG and did the math after I got the abuse letter and now I just watch to make sure I haven't downloaded more than about 250kbps averaged over the month (I'm at 181kbps right now) and bingo, problem is solved and I haven't got another abuse letter. Personally I find that to be a pretty pathetic amount of transfer per month but they have a monopoly on broadband here unless you are willing to count satellite as an option, which given the latency, I am not.

      Regardless, I'm sure calling technical support will actually be useful in the case where you're not sending spam. However, I have a feeling that they're actually scanning your outgoing messages for particular content. This is not particularly hard to do, and since it's done by an automated system it's not a breach of privacy unless they're holding logging information which contain parts of your emails longer than necessary.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:what about mistakes? by JWSmythe · · Score: 4, Insightful


      That's a good one to ask AOL..

      They've been blocking virtually anyone sending lots of mail towards them. You have to sign up for their feedback loop, then for their whitelist. In our case, we send a lot of mail to users, because they write to us asking questions. There's plenty of mail going back and forth, but none of it is spam. Most are written by humans, some are automated (You just completed this function, your tracking number is....). They've been doing hit and miss blocking just because they can. It's really annoying. They blocked my workstation because I sent out 4 messages to AOL users in the same day. {sigh}. For my workstation, it's not a big thing, I just changed the IP. But, it's more of a pain for servers.

      It doesn't make a lot of sense. I've known spammers. They'll get multiple lines from multiple providers, and keep switching IP's and networks to keep from being blocked. It's all a big act just to make it look like they're being all progressive, even though they're really just annoying legitimate people. Kinda like the TSA.

      One of our clients, with his own server and a completely opt in mailing list (like, you specifically have to ask to be on the list) was blocked. He spent hours on the phone with AOL, and got me in on a conference call with them. The support people I spoke with were completely dense. We gave up on any political approach, and just moved his mail server off to another network. He only has about 2000 people who receive his newsletter, and the people not getting it on AOL were actually complaining that they weren't getting them.

      Hopefully Comcast will be more professional about it. I know Roadrunner (now Bright House Networks) were absolute dicks about it. They once disconnected my service because I had a DNS server running. I tried to explain to them that their DNS servers sucked (about 5 to 10 seconds to resolve any name). Instead of fixing their problem, they were busy blocking users. {sigh}

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:what about mistakes? by bairy · · Score: 4, Informative
      I use bandwidth meter to keep track of how much I've down/uploaded during a week/month. And the log files for past months are just geeky genius.

      90gig/month is gonna be around 3gig/day.

      --


      Get paid to search..It's genuine and
  2. E-mail Advertising? by Laivincolmo · · Score: 5, Funny

    I still don't understand how spam exists economically. I guess people are dumber than I thought:
    "Wow! I think I'll find out more about this Viiagraa! Thanks hf387hfjsd73@hotmail.com!"

    1. Re:E-mail Advertising? by vena · · Score: 4, Informative

      that's just it, economics. for a spammer to send out 1mil emails, the cost is trivial (for the spammer). if they get a response of just 1%, that's 10,000 customers, .1% gives 1,000 customers. that's not a bad haul for a fly-by-night pharmacy with likely very little overhead. they likely have no warehouse, no real store or property outside of the home of the person running it and postage is paid by the consumer.

  3. Seems reasonable, as long as... by Space+cowboy · · Score: 4, Informative

    ... there's a back-channel for people whose email is legitimately disproportionately high to have it reinstated. I'd be a mite annoyed (read: bloody furious) if I wasn't doing anything wrong, but my internet access was suddenly curtailed... I send email from home (though never in any quantity likely to raise suspicion) and I don't see why I should use NTL (whose news and mail servers are crap) over my linux gateway.

    What I find more chilling is the number of people in the article who are recommending general blocking of the smtp port. Just because it makes life easier for large corporations is no excuse for using a blunt instrument where an elegant solution could be found - in this case, I think the dynamic monitoring and blocking is far more preferable. If NTL decide to block port 25, I guess I'll just have to tunnel outgoing port-25 traffic over a different (say: 2525 :-) port to my co-lo machine and send from there...

    Aside: The phrase 'Microsoft is working with ....' always seems to send shivers down my spine these days because of the context I find it in. Sigh.

    Simon

    --
    Physicists get Hadrons!
    1. Re:Seems reasonable, as long as... by techno-vampire · · Score: 5, Interesting

      I used to work for an ISP. We blocked all outgoing Port 25 to keep our customers from relaying. We also blocked inbound at first, to keep out spammers. This ran into trouble quickly. Not only are there services that don't offer SMTP, there are some that insist you use an address at their domain on all outgoing. We had customers that either couldn't send at all, or not with our address because their broadband carrier wasn't accepting their messages. The way we fixed this, we put up an authenticating server. This way, if you couldn't connect directly through us you still had one of our servers you could use. Worked just fine, and made a lot of people very happy. I doubt we had as many as 0.01% of our customers complain about this, mostly because they needed to send work mail from home and their company insisted that all mail with the company address went through their own servers.

      --
      Good, inexpensive web hosting
  4. Fine by me by drinkypoo · · Score: 4, Interesting
    In fact it's A-Ok in my book if they block port 25 outgoing for all users. If you want to send mail to outside mailservers directly you are free to use a VPN connection or other types of tunnels.

    Now, if comcast would sell me a static IP address, I might care, but since they don't it's clearly not meant for servers. As long as I can come up with a way to get my mail out (presumably you could set up sendmail or another MTA to use smtp.comcast.net as a relay even though you need to authenticate to use it, but I've never looked into it) it doesn't seem like an issue to me.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Why not work with the blacklists? by Anonymous Coward · · Score: 5, Insightful

    If they detect port 25 traffic over a certain threshold, do a quick dns blocklist check. If they're blacklisted, stop traffic on port 25 for that customer and contact them to let them know their machine may be infected.
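The check proposed in the comment above, as an added example (not code from the thread or from any ISP): count outbound port-25 connections per customer, and only for those over a threshold query a DNS blocklist by reversing the IP's octets under the list's zone. The threshold, the zone `dnsbl.example.org`, the flow-record layout and the stub resolver are assumptions, and all sample data is constructed.

```python
import socket
from collections import Counter

SMTP_PORT = 25
THRESHOLD = 100                    # assumed: port-25 connections per window
DNSBL_ZONE = "dnsbl.example.org"   # placeholder zone, not a real blocklist

# Constructed flow records: (customer_ip, destination_ip, destination_port).
SAMPLE_FLOWS = (
    [("192.0.2.10", "198.51.100.1", 25)] * 500    # zombie-like volume, listed
    + [("192.0.2.20", "198.51.100.2", 25)] * 300  # busy list server, not listed
    + [("192.0.2.30", "198.51.100.3", 25)] * 5    # ordinary home mail server
    + [("192.0.2.30", "198.51.100.4", 80)] * 900  # web traffic, ignored
)

# Constructed stand-in for DNS: the one name the fake blocklist publishes.
FAKE_ZONE = {"10.2.0.192.dnsbl.example.org": "127.0.0.2"}


def fake_resolve(name):
    """Offline resolver stub with the same contract as socket.gethostbyname."""
    if name not in FAKE_ZONE:
        raise socket.gaierror("NXDOMAIN")
    return FAKE_ZONE[name]


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """192.0.2.10 is looked up as 10.2.0.192.<zone> (IPv4 only)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, resolve=socket.gethostbyname, zone=DNSBL_ZONE):
    """Listed means the name resolves into 127.0.0.0/8; NXDOMAIN means clean."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        # NXDOMAIN or resolver failure: fail open rather than cut a customer
        # off because the blocklist was unreachable.
        return False
    return answer.startswith("127.")


def triage(flows, resolve=socket.gethostbyname, threshold=THRESHOLD):
    """Return {customer_ip: verdict} for every customer seen on port 25."""
    counts = Counter(src for src, _dst, port in flows if port == SMTP_PORT)
    verdicts = {}
    for ip, n in counts.items():
        if n <= threshold:
            verdicts[ip] = "allow"
        elif is_listed(ip, resolve):
            verdicts[ip] = "block-and-notify"   # high volume and blacklisted
        else:
            verdicts[ip] = "review"             # high volume alone is not proof
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_FLOWS, resolve=fake_resolve).items()):
        print(ip, verdict)
```

The "review" verdict is where the mistaken-block concern raised elsewhere in the thread lands: a legitimate high-volume sender crosses the threshold but is not blocked automatically.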

  6. Reverse That by Elecore · · Score: 5, Interesting

    I bet it would be a lot more effective to automatically open accounts with that port 25 blocked. If you want to use it, you give them a call and ask for it to be opened. I bet at least 95% of the spam being created is being created without the user knowing so closing port 25 won't affect them.

  7. All in the name of stopping spammers... by anakin357 · · Score: 5, Interesting

    Just put these dickhead spammers in jail for 5-10 years for causing so much disruption and cost to the world. I was reading a few days ago (and feel free to correct me/link to the URL) that spam causes ~$1,900 in lost productivity per employee, per year, in the US. THAT is absurd!

    On a side note, people with virus infected machines will now notice they can't send email to their external SMTP servers, and call Comcast, which they will reply that you have a mass mailing internet worm, and you've been spamming thousands of messages a day. Due to your incompetence, we have turned off your external access, forever.

    --
    http://www.fsckin.com/
    1. Re:All in the name of stopping spammers... by JWSmythe · · Score: 4, Insightful
      Just put these dickhead spammers in jail for 5-10 years for causing so much disruption and cost to the world.


      You know that'll never happen.

      All things considered, spam isn't the only problem out there. The ratio of junk to legitimate mail is about the same in my postal mailbox. I may get one letter or bill in, and the rest is junk.. Why aren't people screaming "We need to make laws.." "they need to be in jail.." etc, etc.. That won't happen because the post office turns a profit on it.

      Most US bandwidth providers do a pretty decent job of trying to stop spam. Most have pretty strict standards, and will shut off a line for spam. I've been in on several of those actions, although not against me or my networks. It would be nice if all providers did that, but again, it probably won't happen. Many overseas companies make good money selling overpriced bandwidth to spammers. Think of it in business terms. If you're a [insert country here] provider, you can charge double or more for hosting and bandwidth to a spammer. You don't really have to answer to anyone but yourself, why not take the sale? Big spammers can use up some pretty substantial bandwidth, so it's worth it for them to sell to this customer. If I have the choice of barely paying my bills, or buying a new house and cars this year, I think the choice is obvious.

      One of the magic questions is, who do you go after? Just a couple days ago, a site hosted on a network belonging to a friend of mine was the "source" of spam. I know they didn't do it, it had absolutely no relationship to them or what they did. So I got on the machines, and found the source. They had a feedback program that was fairly well written, but someone exploited a bug in it, to send out to a few thousand people before I stopped it. Should they throw this perfectly legitimate businessman in jail because someone managed to exploit something. I had to look at it a few times to figure out how they exploited it, the script was fairly well written.

      Since plenty of the spam relates back to overseas sources, you'll never see them spending time in a US jail. Simply enough, you'd never see every government in the world agreeing on enforcement of any law, even an anti-spam law. In a lot of countries, it's rather difficult to even report the spam. What happens when you're trying to report it, and the support people don't speak English. And don't be so egotistical to say "they should all speak English", the universe or even the Internet doesn't revolve around America.

      --
      Serious? Seriousness is well above my pay grade.
  8. Re:Question... by TWX · · Score: 4, Informative

    "How do you tell whether your machine is zombie spammer? Is running spybot enough?"

    Just monitor traffic coming into and out of your computer. There are utilities that will let you do that. If you see stuff coming and going that you aren't generating then something is definitely wrong.

    --
    Do not look into laser with remaining eye.
  9. We'll see how effective this is by bigberk · · Score: 4, Insightful

    Sounds like a great plan to me! I don't like the idea of outright port blocking (customers are paying for IP access, right) but it's very easy to locate the suspicious hosts, which means that once the automated systems are in place they can easily add port restrictions.

    We can watch to see how effective this is by seeing how many of comcast's IPs show up in real time spam blocklists. Take CBL and WPBL for instance, two of my favourite lists...

    % grepcidr -c -e 68.80.0.0/13 1501

    % grepcidr -c -e 68.80.0.0/13 351

    Now we see if those numbers go down over time :) Easy.

  10. Getting close to the solution... by Caseylite · · Score: 4, Insightful

    I would have no problem with my ISP blocking port 25 unless I specifically request it to be open. And I would sleep much better at night knowing that my mother isn't unknowingly spamming me and my closest 25 million friends. The stipulation is that it not cost me extra to be able to use port 25. And that the ISP's support staff not be morons.

  11. Largest in the nation? by azzy · · Score: 4, Funny

    I never knew Comcast was the largest ISP in the UK.

    Oh.. your nation.. not my nation?

    Sorry, I forgot there was no other part of the world.

  12. Here is what I paste into spam complaints. by Serious+Simon · · Score: 4, Interesting
    I check out the Received: headers for the IP address that the spam is coming from, then use whois to find out who it belongs to. I then forward the spam, including full headers, and the following text:

    Hi, I received this spam from out of your network. I trust sending spam is in violation of your terms and conditions.
    Please take appropriate measures.
    I read recently that about 80% of spam is sent via hacked computers on broadband: http://www.sandvine.com/news/pr_detail.asp?ID=50
    You might consider closing port 25 per default and only open it for customers who explicitly want to run their own mail servers.

    Thanks,

    ...my name here...
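The header check described in the comment above, as an added example (not the poster's own tooling): walk the Received: headers from the top and take the peer IP recorded by the last server you control, because every header below that point was supplied by the sender and can be forged. The trusted hostnames, the internal address ranges and the sample message are constructed assumptions.

```python
import email
import ipaddress
import re

# Assumed: the hostnames of our own receiving servers.
TRUSTED_RECEIVERS = {"mx.example.net", "mailstore.example.net"}
# Assumed: address ranges used for hand-offs inside our own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed message. The bottom Received: line was written by the sender
# and names a bank's mail server to misdirect the complaint.
SAMPLE_SPAM = """\
Received: from mx.example.net (mx.example.net [10.0.0.5])
    by mailstore.example.net with ESMTP id A1; Mon, 14 Jun 2004 10:00:02 -0400
Received: from dialup-host (unknown [198.51.100.23])
    by mx.example.net with SMTP id B2; Mon, 14 Jun 2004 10:00:01 -0400
Received: from mail.bigbank.example ([203.0.113.9])
    by dialup-host with SMTP; Mon, 14 Jun 2004 09:59:00 -0400
From: hf387hfjsd73@hotmail.com
Subject: constructed sample

body
"""

BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)
PEER_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def origin_ip(raw_message, trusted=TRUSTED_RECEIVERS):
    """Return the first external peer IP recorded by a trusted server, or None."""
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        line = " ".join(header.split())          # unfold continuation lines
        by = BY_HOST.search(line)
        if not by or by.group(1).lower() not in trusted:
            break        # written by a host we do not control: stop trusting
        peer = PEER_IP.search(line)
        if not peer:
            continue
        try:
            ip = ipaddress.ip_address(peer.group(1))
        except ValueError:
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue     # internal hand-off between our own servers
        return str(ip)
    return None


if __name__ == "__main__":
    print(origin_ip(SAMPLE_SPAM))
```

The address this returns is the one to feed to whois; the forged 203.0.113.9 hop never gets considered.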

  13. Bellsouth, on the other hand blocks all 25 by firewort · · Score: 4, Informative

    Bellsouth is now blocking all port 25 traffic, whether or not they sell the customer a static IP.

    I had a mail server running on static IP for over a year and they've just blocked it as of last night- Their third tier support claimed that it was because they were being threatened with being blocked by other ISPs.


  14. Just use SpamCop by Anonymous Coward · · Score: 5, Informative

    SpamCop will take care of figuring out the origin and reporting spam for you.

  15. Why not pass through their mail servers? by LostCluster · · Score: 4, Interesting

    For those who do operate home mail servers, why can't such people just configure their outgoing SMTP server to pass all outgoing mail through the ISP's SMTP server to get around such blocks, and therefore have a more "trustworthy" and less likely to be blocked IP address in the headers?

    1. Re:Why not pass through their mail servers? by Telent · · Score: 5, Informative
      Um... because most of us who run "home" mail servers do it because our ISP's mail servers are slow, unreliable, and down half of the time? Because the rewriting rules often keep us from using our personal domains? Because if we wanted to use our ISP's mail servers, we wouldn't be running our own?

      Now, in my case, none of this applies, because I have a clueful ISP (Hi, Speakeasy!), but back in the Dark Ages of DSL through $TELCO, believe me, I had to. Or I didn't get mail. And believe me, I live for my mail.

  16. As a Comcast User... by rbabb · · Score: 5, Insightful

    ... This is starting to worry me a little. I have been happily running my own mail server for over a year now. The reason being is that I want the ability to host all my own solutions and at the same time use the bandwidth I'm already paying for.

    With wonderful dynamic DNS services like no-ip.org I am able to do this on any dynamic IP and I have no reason to worry about needing one of those pesky static IP addresses.

    Hopefully if something were to happen where I'd start getting blocked I could just use my connections at work and contact their e-mail admins directly to resolve the issue. However this slash and burn tactic is just the wrong way to go about fighting spam. Hence one of the reasons I left Earthlink/Mindspring, who block e-mail from ALL Dynamic IP addresses and also block outbound port 25 on their networks.

  17. education is the solution by Anonymous Coward · · Score: 4, Funny

    penis enlargement is dangerous and ineffective.

    tell your small dicked friends!

  18. There is no need to receive mail from dynamic IPs by Secrity · · Score: 4, Insightful

    If mail servers would start blocking all mail coming from dynamic IPs, they would block the vast majority of spam and block almost no legitimate mail. Yeah, I know that some folks running mail servers on dynamic IPs aren't going to like that, they can still send mail through their provider's mail servers. The arguments against blocking mail from dynamic IPs are pretty much the same as when people were arguing about open mail servers. This is just one more thing that spammers have ruined.

  19. What does your average user need with 3 gigs/day? by Sancho · · Score: 4, Insightful

    What legal use could a person possibly have for needing 3 gigs per day of bandwidth, out of curiosity? I peak when I download or significantly update my systems, but even that rarely goes over a couple of gigs, and that's certainly not an every day thing.

  20. Finally ... now for all the other ISPs by Random+BedHead+Ed · · Score: 4, Interesting

    I generally don't like the idea of ISP's interfering with the network, but port 25 is the exception. I like the idea of them blocking 25 by default, but this plan of keeping an eye on their customers is the next best thing. Most people don't realize how much spam comes from broadband accounts. There is some legitimate mail, yes, but those people need to find a new way of life, because it's mostly spam. I use Sendmail at work, and realizing how things have changed on the spam front I updated my /etc/mail/access file so it now starts like this:

    # Reject cable and DSL users who are now Damned Zombie Spam Bastards - keep adding to this
    cable.mindspring.com ERROR:"550 Blocked"
    cq.shawcable.net ERROR:"550 Blocked"
    cg.shawcable.net ERROR:"550 Blocked"
    ed.shawcable.net ERROR:"550 Blocked"
    vc.shawcable.net ERROR:"550 Blocked"
    vf.shawcable.net ERROR:"550 Blocked"
    vs.shawcable.net ERROR:"550 Blocked"
    wp.shawcable.net ERROR:"550 Blocked"
    ss.shawcable.net ERROR:"550 Blocked"
    gv.shawcable.net ERROR:"550 Blocked"
    ls.shawcable.net ERROR:"550 Blocked"
    tb.shawcable.net ERROR:"550 Blocked"
    mj.shawcable.net ERROR:"550 Blocked"
    fm.shawcable.net ERROR:"550 Blocked"
    du.shawcable.net ERROR:"550 Blocked"
    ok.shawcable.net ERROR:"550 Blocked"
    rd.shawcable.net ERROR:"550 Blocked"
    va.shawcable.net ERROR:"550 Blocked"
    dsl.att.net ERROR:"550 Blocked"
    client.attbi.com ERROR:"550 Blocked"
    client2.attbi.com ERROR:"550 Blocked"
    client.comcast.net ERROR:"550 Blocked"
    client2.comcast.net ERROR:"550 Blocked"
    ks.comcast.net ERROR:"550 Blocked"
    fl.comcast.net ERROR:"550 Blocked"
    ny.comcast.net ERROR:"550 Blocked"
    ma.comcast.net ERROR:"550 Blocked"
    pa.comcast.net ERROR:"550 Blocked"
    mia.bellsouth.net ERROR:"550 Blocked"

    And it goes on, and on, and on, for well over a thousand lines. After implementing this I did some calculation and determined that I was blocking about 22% of our incoming mail. There have been some hiccups, but in general I'm really glad I did this. A few people have contacted me to complain that they can't send mail to my users, and I usually tell them to get a static IP address for their mail server or send through a designated relay. This inconvenience to cheap-o owners of SMTP servers with DHCP-assigned addresses has been a real shame, but my users have commented on how much less spam they've been getting recently. Blocking broadband users and using Spamcop have been a great combination. Perhaps one day if more ISPs follow Comcast we'll be able to trust those domains again.

  21. Curses, curses and more curses by Inf0phreak · · Score: 4, Interesting
    The Danish telco TDC has blocked both in- and outgoing connections on port 25 to all other servers than their own smtp.mail.dk for all PPPoE using ADSL customers. I have several issues with this:

    1) What if I want to create a mailing list for a project that I (hypothetically) am making and host the e-mail server myself?
    2) I have absolutely no idea what their virus filter du jour is. Nor do I have any influence on it. If it nukes a ZIP file that I was trying to send (or hoping to receive) then it's just bad luck I guess.
    3) The performance of smtp.mail.dk has been known to be abysmal at times... I wouldn't call it smart to force all e-mail to go through your server if it couldn't even handle the load when only some percentage of what your customers sent went through it earlier...

    And I have to deal with this crud because some morons don't belong on the internet, aren't using a firewall and get infected with every single fscking e-mail "virus" [*] that is sent their way.

    Not to mention how frustrating it was when my e-mail suddenly one day just stopped working.

    [*]: Trojan of course. But no one ever seems to use the right terminology.

    --
    ________
    Entranced by anime since late summer 2001 and loving it ^_^
  22. Thanks to Spamhaus, Spamcop, Njabl RBLs by mabu · · Score: 5, Insightful

    And do you think Comcast finally took this step because they decided to stop their spamming users?

    Hell no!

    The only reason they got off their asses is because admins started wholesale blacklisting of their IP space and their customers started complaining.

    Blacklisting WORKS! It's the only way to force these ISPs to be responsible.

    If you're running content-based filtering, you're part of the problem. If you refuse SMTP traffic from confirmed spam sites, you are part of the solution.

  23. And while we're on the subject of Comcast email... by cshuttle · · Score: 4, Interesting
    Here's a question that I have contacted Comcast support for previously, and of course, I haven't been able to replicate the problem for them.

    Has anyone noticed that email which passes through Comcast's servers is delayed for an amazing amount of time? I had a customer that I consult for miss deadlines (and consequently sales) because of mail that was sent at 0800 and got received at 2200 the next day. I'm not exaggerating.

    Hearing this and playing around with it a bit, it became obvious that the mail was simply lounging around on Comcast's servers.

    Now, of course, I can talk to their tech support until I'm blue in the face and ask them what's going on, but I'd like to take this chance to appeal to the Slashdot community, who usually have a much better understanding of these matters than the droids at the Comcast call center.

    If you do a couple quick searches around dslreports and newsgroups and so on, you'll see that there are in fact many people who have the precise same issue, and have received no significant reply.

    Are there any Comcast insiders who know why these emails float around in limbo for 24 hour periods?