Comcast Port 25 Blocks Result In Less Spam
Dozix007 writes "Ars Technica reports that: 'After Comcast finally owned up to the massive amounts of spam coming from
their network, they decided to identify spammers and zombie relays on their
network and block
port 25 traffic from those IP addresses. Comcast's efforts are starting to
pay off. They announced the amount of spam from their network has dropped
35 percent since they began port blocking and
traffic estimates from SenderBase seem to confirm the claims. Spam coming
from Comcast subscribers who were formerly on AT&T networks also
seems to have decreased'."
Here's the actual Ars Technica story that wasn't linked, but copied and pasted as the Slashdot story.
Something I've been wondering about though is SpamCop's yearly stats. Since April, spam reporting has been going down. Is it simply fewer people reporting/people reporting fewer spam, or is it a sign that actual spam is going down or at least being better handled? I know on my mail server I've implemented some straight blacklist checks primarily using sbl-xbl.spamhaus.org and it's been working great with no false positives. Some spam still gets through, but SpamAssassin usually catches it with other checks.
No, port 25 is used solely for sending email. It has absolutely nothing to do with BitTorrent. Not only that, but Comcast is only blocking it for spammers and open relays.
Karma: Segmentation fault (tried to dereference a null post)
It seems to work for a while, but how long before the spambot authors come up with a way around the port 25 block?
They can't, that's the beauty of it. Standard SMTP servers listen on port 25, as defined in the RFC; with port 25 blocked, it's simply not possible for spam zombies to talk to normal SMTP servers, period.
Kudos to them for doing a good job of it -- my home Internet connection is through Comcast, and I haven't experienced any trouble sending mail to my own SMTP server on another network. They could so easily have just gone the "all SMTP traffic must go to our hosts" route, but they're doing it the right way instead. Nice to see.
It's not access to your machine's port 25 that is blocked. It is access from your machine to port 25 on other systems.
The problem is those machines aren't actually the spammer, they are compromised machines that the spammer is controlling.
Although, it seems to me like it would be a nice project to send a Comcast truck around the neighborhood with a list of compromised machines, armed with a laptop running an ethernet sniffer, then use that information to track down who's controlling the machines.
Only problem is that it probably leads to machines not within the reach of US-based subpoenas.
Gentoo Sucks
You misunderstand. They block connections from their network to port 25 on any machine except their mail servers. Thus any slave computers can't send out e-mail without it hopping past their servers (and likely a quick phone-call from their abuse department).
Spam coming from Comcast subscribers who were formerly on AT&T networks also seems to have decreased.
Seems as if we are *still on* an ATTBI network. I was originally an ATTBI subscriber, and the Comcast transition occurred many months ago. Interestingly enough, my rDNS still resolves to:
[ip].[state].client2.attbi.com
Seems awfully odd that this remains... one would think, at least for the sake of the brand name, that this would be reporting comcast.net
There's a Starman, waiting in the sky / He'd like to come and meet us, but he hasn't got the time.
And since it's on a residential cable line (dynamic address), aol, rr.com, and email.com all reject my e-mails. And no, I never send spam.
Don't talk directly to their mail servers.. talk to the outgoing mailserver provided to you by your ISP. Sheesh.
I'm always amazed at how many people "run my own mailserver" yet have no idea how mail is supposed to work.
Not only can you not read the article, you can't even read the story text.
Here, I'll help you:
"spam from their network has dropped 35 percent"
The important thing is HOW MANY OF THOSE 500 ARE FROM COMCAST'S NETWORK?. Also, compare that to your 2 months ago rates of spam coming from comcast's network.
Come on, how hard is it REALLY to read THE TEXT ON SLASHDOT?
You seem to be complaining that Comcast's spam blocking techniques don't stop the spread of worms. The block is designed to prevent the worm from sending spam. If you want someone to whom to complain about the spread of worms, you might want to direct your anger at the blameworthy.
Look into "smarthost." Every MTA I know of supports it, and it's the proper way to do it.
Thank the spammers. Seriously, a very good read, if ever in doubt who deserves your anger.
Read the previous article in yro. If you let your ISP forward your mail, he can read it (at least in the First District) with impunity.
Very, _VERY_ unlikely.
One of the tactics that pretty much -all- DNSBLs (and even some ISPs wholesale - like Comcast, incidentally) use is to simply not receive email from dial-up type networks. Comcast's consumer-level cable modem service really is no better than dial-up service from a certain point of view (i.e. every j6p is able to use it - and they aren't exactly concerned about security).
The odds of a cable modem network getting out of MAPS is as likely as my winning a million bucks tomorrow - nil.
Sendmail supports client-side SSL certificates, as does Mozilla. KDE does not :-( But outlook, probably, does, and that's all that matters.
That your e-mail is protected from sniffing over the WiFi, while you send it, is just gravy.
In Soviet Washington the swamp drains you.
Compared to these measurements I made when Comcast first announced its strategy...
Looking at Comcast's IPs appearing on realtime blocklists, today:
CBL: 17132 (Comcast is 1.3% of CBL)
WPBL: 4779 (Comcast is 9.6% of WPBL)
Compared to the number of Comcast IPs that were spam sources two weeks ago (19897 and 5199) it does appear that there are fewer Comcast spam sources. However, the overall proportion of Comcast IPs in the entire lists hasn't changed much from (2% and 10%).
relays.ordb.org
bl.spamcop.net
list.dsbl.org
xbl.spamhaus.org
I've got all six of them running on my company's mail server. It's set up to respond to rejected emails with instructions for contacting me via phone in case there's a false positive. That way, I can whitelist the sender and sometimes help them if they have an open relay and didn't know it. I've had one false positive in the last year. That's for 50 users in my company, some of which post their email address everywhere and use it in Banzai Buddy forms. ~90% of spam destined for valid mailboxes is blocked. Not bad considering it's free, easy to set up, and maintenance free.
-Lucas
'After Comcast finally owned up to the massive amounts of spam coming from their network, they decided to identify spammers and zombie relays on their network and block port 25 traffic from those IP addresses.
Agile Artisans
Being a subscriber to my local cable monopoly (Cablevision), I've enjoyed the reverse situation for several years.... namely, they block traffic going INTO port 25 on my machine. I can send out all the mail I want, but to receive mail directly, I have to have a friend on another network accept it (MX records don't yet allow port specifications... sigh), and then transfer it via fetchmail/ssh.
Note to Cablevision.... I still get lots of spam, it just sits on YOUR disk instead of mine... way to go guys!
If you want unfettered internet access, it is called a T1. Look it up. You signed up for a less expensive service in exchange for a few restrictions. No consumer-level ISP is out to provide you 100% unfettered service. You should have checked your terms of service before you signed on, the ISPs I've seen have it pretty clear that subscribers are not allowed to run servers through that link.
I know you don't care about the worm activity, but it costs the ISPs a lot of money to be hauling that traffic.
No, that is a problem. As a software developer, I frequently send large attachments to customers that have no other means of receiving them. Being forced to bottleneck ALL my mail through an ISPs mail server (with all the irritating limitations that entails) is simply unacceptable. Furthermore, I personally have Comcast and they were the reason I originally set up my own mail server: theirs was so unreliable that about 20% of my mail just never got through it. Supposedly they've improved that, but I still have my system set to try a direct connection first and only route through Comcast's SMTP server if the direct attempt fails.
Furthermore, given that the court system has decided that it is entirely okay for ISPs to read their customers' mail at will, I don't necessarily want my confidential emails passing through, and being logged by, their mail server. Perhaps you don't particularly care about that but many people do. Yes, I know they can monitor my IP traffic any time they wish, but there isn't any reason to make it easy for them by just stuffing my messages onto their hard disks.
Fortunately, at this point Comcast has not chosen to simply block all SMTP transfers, just those from known abusers, so I don't really have a problem with that (for now.) But I do think that reducing or eliminating the capability of the Internet is not the way to solve problems like this, because once ISPs get in the habit of limiting what we can do with the network we will be hard pressed to get back the freedom we have now. I like the fact that any computer on the Internet can connect to any other and communicate in ways defined by the users of those machines. That fundamentally egalitarian aspect of the Internet is what makes the network so useful (and so scary to certain powerful people.) Allowing those that provide our connectivity the power to pick and choose how we communicate is a bad precedent, and one that we will regret. It won't be long, mark my words, when Port 25 access is simply GONE for anyone but a big corporation or Internet provider, unless you want to pay a monthly "SMTP access charge" or something similar. There's already been talk of charging for access to specific types of connectivity. Imagine having to pay an extra $5.00/month "Instant Messaging access charge" for ICQ users, or a "mandated RIAA maintenance fee" for P2P. Keep the damn ports open, block those systems that cause problems, and let the rest of us use the Internet in ways that benefit us.
The higher the technology, the sharper that two-edged sword.
Forgive what might seem like an ignorant question, but is it possible to forge a port number?
No. Think of a server listening on a port as a waiter waiting next to a window. Only requests coming in through that window will be served. Trying to talk to a window where the waiter is not will not be of use, since either there would be no waiter there or the waiter that is there wouldn't understand what you are asking.
Any solution to get round the problem would require hijacking a machine not in the blocked IP range, or the router.
My ISP, Sympatico.ca, blocks all outgoing port 25 requests by default, except those going to its servers. I would imagine that if you could argue a valid need to have it unblocked for you they would do it, but I am just guessing. Although it may be a bit heavy handed, for the majority of most home users this shouldn't cause any problem.
Jumpstart the tartan drive.
Cox has been doing this for years. Surprised the hell out of me when I couldn't use anything but Cox's SMTP server. Bloody brilliant.
Non impediti ratione cogitationus.
Do you know that SpamCop has a "quick reporting" option (you have to ask to get it enabled for you)? With quick reporting, you only need to submit the spam via email and the source IP gets automatically reported (but no reporting of spamvertized web sites this way). This way you do not have to go to clicking through their web site, and the bl.spamcop.net still gets all the data.
Come on... just off the top of my head I can think of 4 ways to send mail if I am on the road somewhere and port 25 is blocked.
1) web mail (either set it up on one of your own servers or use aol/yahoo)
2) SSH into one of your shell accounts and send it from there via pine or even plain old mail.
3) Open a machine for relay at work or home... whichever is not blocked and send it through there. (Be sure to close the relay when you are done or the spammers will find it)
4) ssh worksshserver -L 2525:workmailserver:25 then point your mail program to send through localhost:2525
The point of having multiple spam bots sending your crap out is to increase the amount of crap you can send. If they are going around setting up SMTP relay bots, then whole exercise is rather pointless, as the bandwidth is still all being shuffled through that relay.
Look at it like this:
With two computers, I've got twice the bandwidth as one computer, and so can send twice the spam.
But with one computer relaying through the other, the bandwidth of that computer is now irrelevant, everything has to go through the relay. Instead of having a relay, it's more efficient to just send the spam from the relay.
Relaying doesn't fix the problem for spammers. And your idea about originating ports is useless, because they're blocking based on destination port, not originating port. Nobody gives a shit about originating port, for almost any protocol. If you want to send spam to ISP's, then you have to connect to SMTP servers to send your spam to, and you have to connect on the port they use, which is port 25 by convention. You cannot work around that fact.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Second, configure SPF records for all of your domains. It may not help today, but an increasing number of mailservers are rejecting mail that fails SPF validation.
Third, learn to love your access file. Mine contains lines like:
Mail coming in to any of those accounts is rejected before it can even be transmitted. You still have to spend a TCP connection on the message, but minimal bandwidth and no storage space.
Dewey, what part of this looks like authorities should be involved?
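The post above recommends publishing SPF records, and notes that receiving mailservers are starting to reject on SPF failure. As an added example (not the poster's setup or any MTA's code), here is what the receiving side actually does with such a record: a minimal SPF evaluator in Python that takes the connecting IP and the MAIL FROM domain, walks the v=spf1 terms in order, and returns pass/fail/softfail/neutral/none/permerror. It implements the mechanisms a small mail admin would publish (ip4, ip6, a, mx, include, all, redirect=) and enforces the ten-lookup limit from RFC 7208. Macros and CIDR suffixes on a/mx are left out. All records, hosts and addresses are constructed documentation data standing in for live DNS.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

DnsTable = Dict[Tuple[str, str], Union[str, List[str]]]

# Constructed zone data standing in for live DNS (assumption: documentation
# domains and addresses, not real records).
#   (name, "TXT") -> the domain's SPF policy
#   (name, "A")   -> addresses of a host
#   (name, "MX")  -> the domain's mail exchangers
FAKE_DNS: DnsTable = {
    ("example.com", "TXT"): "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example -all",
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["198.51.100.25"],
    ("_spf.mailhost.example", "TXT"): "v=spf1 ip4:203.0.113.10 ~all",
    ("softfail.example", "TXT"): "v=spf1 a ~all",
    ("softfail.example", "A"): ["203.0.113.77"],
    # a self-including record, to show the lookup limit turning a loop into permerror
    ("loop.example", "TXT"): "v=spf1 include:loop.example -all",
}

# Qualifier prefix -> result when the mechanism matches (RFC 7208 s.4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 s.4.6.4: a, mx, include, redirect each cost one


def check_spf(ip: str, domain: str, dns: DnsTable = FAKE_DNS,
              budget: Optional[List[int]] = None) -> str:
    """SPF result for a connection from `ip` whose MAIL FROM is in `domain`."""
    if budget is None:
        budget = [0]  # mutable counter shared across include/redirect recursion
    sender = ipaddress.ip_address(ip)
    record = dns.get((domain, "TXT"))
    if not isinstance(record, str) or not record.lower().startswith("v=spf1"):
        return "none"

    def spend_lookup() -> bool:
        budget[0] += 1
        return budget[0] <= MAX_DNS_LOOKUPS

    def host_has_ip(name: str) -> bool:
        return any(sender == ipaddress.ip_address(a) for a in dns.get((name, "A"), []))

    redirect: Optional[str] = None
    for term in record.split()[1:]:
        if "=" in term:                          # modifier, not a mechanism
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value                 # evaluated only if nothing matches
            continue                             # unknown modifiers are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a v4 sender never matches a v6 network and vice versa; ipaddress handles that
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            if not spend_lookup():
                return "permerror"
            matched = host_has_ip(target)
        elif mech == "mx":
            if not spend_lookup():
                return "permerror"
            matched = any(host_has_ip(mx) for mx in dns.get((target, "MX"), []))
        elif mech == "include":
            if not spend_lookup():
                return "permerror"
            sub = check_spf(ip, target, dns, budget)
            if sub in ("none", "permerror"):     # RFC 7208 s.5.2: both are permerror
                return "permerror"
            matched = sub == "pass"              # include matches only on pass
        else:
            return "permerror"                   # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]

    if redirect:
        if not spend_lookup():
            return "permerror"
        return check_spf(ip, redirect, dns, budget)
    return "neutral"                             # fell off the end with no match


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "example.com"), ("203.0.113.99", "example.com"),
                    ("192.0.2.1", "softfail.example"), ("192.0.2.1", "loop.example")]:
        print(ip, dom, "->", check_spf(ip, dom))
```

The order of terms matters: the first mechanism that matches decides the result, so a record ending in "-all" rejects anything the earlier terms did not explicitly authorize, while "~all" only asks the receiver to treat it with suspicion. The lookup budget is what keeps a malicious or mis-published record from turning the receiving MTA into a DNS amplifier.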