Comcast Port 25 Blocks Result In Less Spam
Dozix007 writes "Ars Technica reports that: 'After Comcast finally owned up to the massive amounts of spam coming from their network, they decided to identify spammers and zombie relays on their network and block port 25 traffic from those IP addresses. Comcast's efforts are starting to pay off. They announced the amount of spam from their network has dropped 35 percent since they began port blocking and traffic estimates from SenderBase seem to confirm the claims. Spam coming from Comcast subscribers who were formerly on AT&T networks also seems to have decreased'."
Here's the actual Ars Technica story that wasn't linked, but copied and pasted as the Slashdot story.
Something I've been wondering about though is SpamCop's yearly stats. Since April, spam reporting has been going down. Is it simply fewer people reporting/people reporting fewer spam, or is it a sign that actual spam is going down or at least being better handled? I know on my mail server I've implemented some straight blacklist checks primarily using sbl-xbl.spamhaus.org and it's been working great with no false positives. Some spam still gets through, but SpamAssassin usually catches it with other checks.
No, port 25 is used solely for sending email. It has absolutely nothing to do with BitTorrent. Not only that, but Comcast is only blocking it for spammers and open relays.
Karma: Segmentation fault (tried to dereference a null post)
It seems to work for a while, but how long before the spambot authors come up with a way around the port 25 block?
They can't, that's the beauty of it. Standard SMTP servers listen on port 25, as defined in the RFC; with port 25 blocked, it's simply not possible for spam zombies to talk to normal SMTP servers, period.
Kudos to them for doing a good job of it -- my home Internet connection is through Comcast, and I haven't experienced any trouble sending mail to my own SMTP server on another network. They could so easily have just gone the "all SMTP traffic must go to our hosts" route, but they're doing it the right way instead. Nice to see.
It's not access to your machine's port 25 that is blocked. It is access from your machine to port 25 on other systems.
The problem is those machines aren't actually the spammer, they are compromised machines that the spammer is controlling.
Although, it seems to me like it would be a nice project to send a Comcast truck around the neighborhood with a list of compromised machines, armed with a laptop running an ethernet sniffer, then use that information to track down who's controlling the machines.
Only problem is that it probably leads to machines not within the reach of US-based subpoenas.
Gentoo Sucks
Spam coming from Comcast subscribers who were formerly on AT&T networks also seems to have decreased.
Seems as if we are *still on* an ATTBI network. I was originally an ATTBI subscriber, and the Comcast transition occurred many months ago. Interestingly enough, my rDNS still resolves to:
[ip].[state].client2.attbi.com
Seems awfully odd that this remains.. one would think, at least for the sake of the brandname, that this would be reporting comcast.net
There's a Starman, waiting in the sky / He'd like to come and meet us, but he hasn't got the time.
and since it's on a residential cable line (dynamic address), aol, rr.com, and email.com all reject my e-mails. and no, i never send spam.
Don't talk directly to their mail servers.. talk to the outgoing mailserver provided to you by your ISP. Sheesh.
I'm always amazed at how many people "run my own mailserver" yet have no idea how mail is supposed to work.
Look into "smarthost." Every MTA I know of supports it, and it's the proper way to do it.
Very, _VERY_ unlikely.
One of the tactics that pretty much -all- DNSBLs (and even some ISPs wholesale - like Comcast, incidentally) use is to simply not receive email from dial-up type networks. Comcast's consumer-level cable modem service really is no better than dial-up service from a certain point of view (i.e. every j6p is able to use it - and they aren't exactly concerned about security).
The odds of a cable modem network getting out of MAPS is as likely as my winning a million bucks tomorrow - nil.
Comparing to these measurements I made when Comcast first announced its strategy...
Looking at Comcast's IPs appearing on realtime blocklists, today:
CBL: 17132 (Comcast is 1.3% of CBL)
WPBL: 4779 (Comcast is 9.6% of WPBL)
Compared to the number of Comcast IPs that were spam sources two weeks ago (19897 and 5199) it does appear that there are fewer Comcast spam sources. However the overall proportion of Comcast IPs in the entire lists hasn't changed much from (2% and 10%).
relays.ordb.org
bl.spamcop.net
list.dsbl.org
xbl.spamhaus.org
I've got all six of them running on my company's mail server. It's set up to respond to rejected emails with instructions for contacting me via phone in case there's a false positive. That way, I can whitelist the sender and sometimes help them if they have an open relay and didn't know it. I've had one false positive in the last year. That's for 50 users in my company, some of which post their email address everywhere and use it in Banzai Buddy forms. ~90% of spam destined for valid mailboxes is blocked. Not bad considering it's free, easy to set up, and maintenance free.
-Lucas
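The blocklist check described in the comment above, sketched as an added example that is not part of the original thread or any poster's configuration. The zone names come from the comment; `fake_resolve`, `FAKE_DNS`, `smtp_decision`, the contact placeholder and the 192.0.2.x sender addresses are constructed for illustration, and a real deployment would replace the stub with an actual DNS A-record lookup.

```python
import ipaddress

# Zones named in the comment above. Answers below are constructed sample data.
ZONES = ["relays.ordb.org", "bl.spamcop.net", "list.dsbl.org", "xbl.spamhaus.org"]
LISTED = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here

# Constructed stand-in for DNS: query name -> A record (absent means NXDOMAIN).
FAKE_DNS = {
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
    "10.2.0.192.xbl.spamhaus.org": "127.0.0.4",
    "20.2.0.192.list.dsbl.org": "203.0.113.7",  # bogus answer, not a listing
}

def fake_resolve(name):
    return FAKE_DNS.get(name)

def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_ip(ip, zones=ZONES, resolve=fake_resolve):
    """Return [(zone, answer)] for every zone that lists the connecting IP."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None:
            continue  # NXDOMAIN: not listed in this zone
        try:
            if ipaddress.IPv4Address(answer) in LISTED:
                hits.append((zone, answer))
        except ValueError:
            pass  # unparseable answer: treat as not listed
    return hits

def smtp_decision(ip, whitelist=(), contact="<phone number placeholder>"):
    """Whitelisted senders skip the check; listed senders get a 554 with a contact."""
    if ip in whitelist:
        return "250 OK"
    hits = check_ip(ip)
    if not hits:
        return "250 OK"
    zones = ", ".join(zone for zone, _ in hits)
    return f"554 5.7.1 {ip} listed in {zones}; false positive? call {contact}"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, "->", smtp_decision(ip))
```

Only answers inside 127.0.0.0/8 count as a listing, so a zone that returns some other address does not cause legitimate mail to be rejected.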
No, that is a problem. As a software developer, I frequently send large attachments to customers that have no other means of receiving them. Being forced to bottleneck ALL my mail through an ISP's mail server (with all the irritating limitations that entails) is simply unacceptable. Furthermore, I personally have Comcast and they were the reason I originally set up my own mail server: theirs was so unreliable that about 20% of my mail just never got through it. Supposedly they've improved that, but I still have my system set to try a direct connection first and only route through Comcast's SMTP server if the direct attempt fails.
Furthermore, given that the court system has decided that it is entirely okay for ISPs to read their customers' mail at will, I don't necessarily want my confidential emails passing through, and being logged by, their mail server. Perhaps you don't particularly care about that but many people do. Yes, I know they can monitor my IP traffic any time they wish, but there isn't any reason to make it easy for them by just stuffing my messages onto their hard disks.
Fortunately, at this point Comcast has not chosen to simply block all SMTP transfers, just those from known abusers, so I don't really have a problem with that (for now.) But I do think that reducing or eliminating the capability of the Internet is not the way to solve problems like this, because once ISPs get in the habit of limiting what we can do with the network we will be hard pressed to get back the freedom we have now. I like the fact that any computer on the Internet can connect to any other and communicate in ways defined by the users of those machines. That fundamentally egalitarian aspect of the Internet is what makes the network so useful (and so scary to certain powerful people.) Allowing those that provide our connectivity the power to pick and choose how we communicate is a bad precedent, and one that we will regret. It won't be long, mark my words, when Port 25 access is simply GONE for anyone but a big corporation or Internet provider, unless you want to pay a monthly "SMTP access charge" or something similar. There's already been talk of charging for access to specific types of connectivity. Imagine having to pay an extra $5.00/month "Instant Messaging access charge" for ICQ users, or a "mandated RIAA maintenance fee" for P2P. Keep the damn ports open, block those systems that cause problems, and let the rest of us use the Internet in ways that benefit us.
The higher the technology, the sharper that two-edged sword.
Do you know that SpamCop has a "quick reporting" option (you have to ask to get it enabled for you)? With quick reporting, you only need to submit the spam via email and the source IP gets automatically reported (but no reporting of spamvertized web sites this way). This way you do not have to go clicking through their web site, and the bl.spamcop.net still gets all the data.
The point of having multiple spam bots sending your crap out is to increase the amount of crap you can send. If they are going around setting up SMTP relay bots, then the whole exercise is rather pointless, as the bandwidth is still all being shuffled through that relay.
Look at it like this:
With two computers, I've got twice the bandwidth as one computer, and so can send twice the spam.
But with one computer relaying through the other, the bandwidth of that computer is now irrelevant, everything has to go through the relay. Instead of having a relay, it's more efficient to just send the spam from the relay.
Relaying doesn't fix the problem for spammers. And your idea about originating ports is useless, because they're blocking based on destination port, not originating port. Nobody gives a shit about originating port, for almost any protocol. If you want to send spam to ISPs, then you have to connect to SMTP servers to send your spam to, and you have to connect on the port they use, which is port 25 by convention. You cannot work around that fact.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.