Comcast Port 25 Blocks Result In Less Spam
Dozix007 writes "Ars Technica reports that: 'After Comcast finally owned up to the massive amounts of spam coming from
their network, they decided to identify spammers and zombie relays on their
network and block
port 25 traffic from those IP addresses. Comcast's efforts are starting to
pay off. They announced the amount of spam from their network has dropped
35 percent since they began port blocking and
traffic estimates from SenderBase seem to confirm the claims. Spam coming
from Comcast subscribers who were formerly on AT&T networks also
seems to have decreased'."
Better yet, what if these zombied spambot-infected PCs have been creating a shadow P2P network so their makers can quickly and easily install patches, or send out network-wide commands to their armies of zombies? How long will the port 25 block remain effective then?
I give Comcast all sorts of kudos for doing something to try to staunch the spam spurting from their digital arteries, but I don't see this working in the long term.
- Greg
Start a happiness pandemic
This is grand and all, but I run my own mailserver (merely to get a 5 gig inbox and the username I want), and since it's on a residential cable line (dynamic address), AOL, rr.com, and email.com all reject my e-mails. And no, I never send spam.
Spammers aren't the only ones being blocked by spam prevention.
Is it simply fewer people reporting/people reporting fewer spam, or is it a sign that actual spam is going down or at least being better handled?
I know I have stopped reporting all my spam. It took too much time. Now I just target the ones that make it past my spam filters (OK, I have kind of given up on that too).
But I have noticed a drop in spam recently. Maybe spammers are on spring break.
1) Contact them and tell them what you've learned. Give them 30 days to get the machines patched or cleaned.
2) Terminate their service OR allow their service to continue but charge them an extra amount of $$ per month to cover the "blocking service".
Don't just block the port and let the owners continue in ignorance. You've identified them. Now do something with that information that effects long-term change!
Agile Artisans
Step 2 is finding the spammers. Since it's likely that most of these spam machines are compromised machines running Windows, the machines' owners are probably oblivious that their home machine is sending spam.
Step 3 is take these selfish bastards to court.
"Can of worms? The can is open... the worms are everywhere."
I'll check my logs when I get into the office, but if Comcast has reduced the flood of spam from their netblocks then someone else has more than taken up the slack.
Normally I get between 2,000-2,500 spams a week in a mailbox I use as a spamtrap. In the past month this has ramped up, and last week there were over 4,500, and since Monday there are 2,485, um 6, um 7, spams in this particular mailbox. So in 4 days I've seen as much as I normally see in a week, and it's not even the weekend yet, when the real flood of spam kicks in.
I have a paid SpamCop account. I used to report everything, but it just takes too much time and the amount of spam continues to rise. I will not be renewing my SpamCop account once it expires next April.
I'm happier with using good spam filtering (SpamAssassin/SpamSieve) and just ignoring the problem. I see much less spam this way, compared to looking at each and every spam I report.
I don't see the problem here. These machines have been *hijacked*, so there should be no issue cutting them off from the internet, if not for the internet's sake, then for the sake of the owner of the computer! I mean, if the machine has been compromised, there could be a keylogger running just as easily as a spambot program. Pull the damned thing off the internet and tell the user to fix their machine. If they don't know how to do this, charge them $20 for a technician to come out there and run Ad-Aware, S&D, etc., or offer to send them these programs on a CD through the mail or for pickup at the ISP office.
There is no excuse for not securing your computer. If people don't want to take the half hour it takes to learn how to download and run Ad-Aware, S&D, and/or an antivirus program, they should NOT be allowed to connect to the internet. Is this so unreasonable?
I used to report spam more diligently than I do now. Nowadays my filtering does a pretty good job, and only occasionally when I am bored do I report spam. And I've given up on the Chinese spam. Those servers have admins who don't care. I used to think maybe it was the language barrier, but they must get enough e-mails with the word spam in them that it's got to be a word they recognize. So I think it's just people are reporting less spam.
Yay! Now we are all forced to forward our mail through Comcast's SMTP server.
Actually, I have been sending all my mail through Comcast's SMTP server for a while now, because AOL blocks mail directly from my (semi-)dynamic IP address. So, if I want to send mail to AOL users (well, the rest of the family using the SMTP server), I have to send it through Comcast's slow-as-hell mail server.
When I send mail to Gmail, for example, directly from my server, it takes just a few seconds to appear in my inbox, but when I forward it through Comcast, it often takes an hour or more.
Now, this is not completely Comcast's fault, AOL is to blame as well. It really pisses me off that I lose the speed and privacy that comes with having my own SMTP server just because the big providers can't figure out any ways to deal with spam. Fun.
Andrew
The problem is ISPs keep changing the TOS and keep RESTRICTING the usage of their network. The noose is getting tighter and tighter, but the cost still keeps going up?!?
I just wish SpamCop would allow me to report spam without having to confirm them. I don't mind forwarding my 30 spams a day, but then having to click 30 links, along with my increasing spam, it just makes me wonder why I bother.
I'm in the exact same boat. I use a laptop. I am on Telus' network during mornings and evenings, and during those times, access to port 25 is limited to one machine: smtp.telus.net. I *pay* for .Mac email (and WebDAV, and homepage) service, and they are denying me access to that service.
Which is a problem with the .Mac service, not Telus. They need to add an alternative authenticated SMTP port to their service. Complain to them, because the better mail services (e.g. FuseMail) all have alternate ports (587, 2525) which do not fall victim to the port 25 block.
And if you didn't see the writing on the wall about port 25 blocking, then you haven't been paying close attention the last 2-3 years.
Wolde you bothe eate your cake, and have your cake?
Here are yesterday's Comcast and ATTBI spam attempts from my mailserver logs:
11:17:30 1 SMTP-074(pcp03798560pcs.galitn01.tn.comcast.net) Return-Path '<vernon@seznam.cz>' rejected: routed to ERROR
11:17:37 1 SMTP-076(c-24-245-53-31.mn.client2.attbi.com) Return-Path '<inderpal@seznam.cz>' rejected: routed to ERROR
11:18:13 1 SMTP-083(pcp02218985pcs.echryh01.nj.comcast.net) Return-Path '<dain@t-online.de>' rejected: routed to ERROR
11:18:16 1 SMTP-084(c-24-5-18-39.client.comcast.net) Return-Path '<raffi@t-online.de>' rejected: routed to ERROR
11:18:48 1 SMTP-091(c-67-167-67-156.client.comcast.net) Return-Path '<trent@seznam.cz>' rejected: routed to ERROR
11:19:10 1 SMTP-094(h00095b8f289b.ne.client2.attbi.com) Return-Path '<dorit@t-online.de>' rejected: routed to ERROR
16:29:41 1 SMTP-130(c-24-15-176-110.client.comcast.net) Return-Path '<rakesh@t-online.de>' rejected: routed to ERROR
16:29:57 1 SMTP-133(c-66-176-92-94.se.client2.attbi.com) Return-Path '<kuo-juey@seznam.cz>' rejected: routed to ERROR
16:30:13 1 SMTP-135(c-24-8-29-151.client.comcast.net) Return-Path '<shih@seznam.cz>' rejected: routed to ERROR
16:30:22 1 SMTP-136(c-24-126-93-71.we.client2.attbi.com) Return-Path '<eleni@t-online.de>' rejected: routed to ERROR
16:31:04 1 SMTP-143(c-67-166-120-177.client.comcast.net) Return-Path '<axel@seznam.cz>' rejected: routed to ERROR
16:31:10 1 SMTP-144(c-24-5-242-4.client.comcast.net) Return-Path '<julia@t-online.de>' rejected: routed to ERROR
16:31:13 1 SMTP-145(c-24-5-194-85.client.comcast.net) Return-Path '<farhad@seznam.cz>' rejected: routed to ERROR
16:31:16 1 SMTP-146(c-67-173-26-207.client.comcast.net) Return-Path '<alun@seznam.cz>' rejected: routed to ERROR
16:31:44 1 SMTP-149(c-67-163-74-4.client.comcast.net) Return-Path '<kyra@seznam.cz>' rejected: routed to ERROR
16:32:28 1 SMTP-155(c-24-12-225-17.client.comcast.net) Return-Path '<amy@seznam.cz>' rejected: routed to ERROR
16:32:48 1 SMTP-157(h00e0183d6b85.ne.client2.attbi.com) Return-Path '<leison@seznam.cz>' rejected: routed to ERROR
This is but a fraction of the spam attempts I see on my server-- they are nearly all from zombied home Windows machines sitting on broadband. They show up in the logs in several clumps of nearly-simultaneous attempts, so it's obvious they are all under the control of a small group of spammers. The next step Comcast makes should be to monitor inbound traffic to the zombied machines on their network... theoretically they should be able to locate the controlling entity by detecting the shitload of inbound traffic to their client IP ranges from a single source.
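The "clumps of nearly-simultaneous attempts" the poster describes are exactly the signal a mail admin can pull out of rejection logs automatically. The script below is an added example, not code from the original post or from any ISP: it parses the seventeen log lines quoted above (embedded here as constructed sample input in the same format), groups attempts into bursts when consecutive rejections fall within a gap threshold, and reports, per burst, how many distinct client hosts took part, which ISPs they sit on, and which sender domains were forged. Several different hosts hitting one server inside a minute or two is the coordinated-botnet fingerprint the post points at. The 60-second burst gap and the five-host threshold for calling a burst "coordinated" are assumptions chosen for this sample, not values from the page.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input: the rejection lines quoted in the post above,
# in the same "HH:MM:SS n SMTP-nnn(client-host) Return-Path '<addr>' rejected: ..." format.
SAMPLE_LOG = """\
11:17:30 1 SMTP-074(pcp03798560pcs.galitn01.tn.comcast.net) Return-Path '<vernon@seznam.cz>' rejected: routed to ERROR
11:17:37 1 SMTP-076(c-24-245-53-31.mn.client2.attbi.com) Return-Path '<inderpal@seznam.cz>' rejected: routed to ERROR
11:18:13 1 SMTP-083(pcp02218985pcs.echryh01.nj.comcast.net) Return-Path '<dain@t-online.de>' rejected: routed to ERROR
11:18:16 1 SMTP-084(c-24-5-18-39.client.comcast.net) Return-Path '<raffi@t-online.de>' rejected: routed to ERROR
11:18:48 1 SMTP-091(c-67-167-67-156.client.comcast.net) Return-Path '<trent@seznam.cz>' rejected: routed to ERROR
11:19:10 1 SMTP-094(h00095b8f289b.ne.client2.attbi.com) Return-Path '<dorit@t-online.de>' rejected: routed to ERROR
16:29:41 1 SMTP-130(c-24-15-176-110.client.comcast.net) Return-Path '<rakesh@t-online.de>' rejected: routed to ERROR
16:29:57 1 SMTP-133(c-66-176-92-94.se.client2.attbi.com) Return-Path '<kuo-juey@seznam.cz>' rejected: routed to ERROR
16:30:13 1 SMTP-135(c-24-8-29-151.client.comcast.net) Return-Path '<shih@seznam.cz>' rejected: routed to ERROR
16:30:22 1 SMTP-136(c-24-126-93-71.we.client2.attbi.com) Return-Path '<eleni@t-online.de>' rejected: routed to ERROR
16:31:04 1 SMTP-143(c-67-166-120-177.client.comcast.net) Return-Path '<axel@seznam.cz>' rejected: routed to ERROR
16:31:10 1 SMTP-144(c-24-5-242-4.client.comcast.net) Return-Path '<julia@t-online.de>' rejected: routed to ERROR
16:31:13 1 SMTP-145(c-24-5-194-85.client.comcast.net) Return-Path '<farhad@seznam.cz>' rejected: routed to ERROR
16:31:16 1 SMTP-146(c-67-173-26-207.client.comcast.net) Return-Path '<alun@seznam.cz>' rejected: routed to ERROR
16:31:44 1 SMTP-149(c-67-163-74-4.client.comcast.net) Return-Path '<kyra@seznam.cz>' rejected: routed to ERROR
16:32:28 1 SMTP-155(c-24-12-225-17.client.comcast.net) Return-Path '<amy@seznam.cz>' rejected: routed to ERROR
16:32:48 1 SMTP-157(h00e0183d6b85.ne.client2.attbi.com) Return-Path '<leison@seznam.cz>' rejected: routed to ERROR
"""

# One rejection line: timestamp, the connecting client's reverse-DNS name, the forged envelope sender.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \d+ SMTP-\d+\((?P<host>[^)]+)\) "
    r"Return-Path '<(?P<sender>[^>]+)>' rejected"
)


def parse_log(text):
    """Return rejection events sorted by time; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "time": datetime.strptime(m["time"], "%H:%M:%S"),  # same-day log, time only
                "host": m["host"],
                "sender": m["sender"],
            })
    events.sort(key=lambda e: e["time"])
    return events


def isp_of(host):
    """Crude ISP attribution from the reverse-DNS name: its last two labels (e.g. comcast.net)."""
    return ".".join(host.split(".")[-2:])


def find_bursts(events, gap=timedelta(seconds=60)):
    """Group consecutive events into bursts; a new burst starts whenever the gap exceeds `gap`."""
    bursts = []
    for e in events:
        if bursts and e["time"] - bursts[-1][-1]["time"] <= gap:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return bursts


def summarize(burst):
    """Per-burst view: how many distinct clients, on which ISPs, forging which sender domains."""
    hosts = {e["host"] for e in burst}
    return {
        "start": burst[0]["time"].strftime("%H:%M:%S"),
        "end": burst[-1]["time"].strftime("%H:%M:%S"),
        "attempts": len(burst),
        "distinct_hosts": len(hosts),
        "isps": dict(Counter(isp_of(h) for h in hosts)),
        "sender_domains": dict(Counter(e["sender"].split("@", 1)[1] for e in burst)),
    }


def is_coordinated(burst, min_hosts=5):
    """Heuristic (assumed threshold): many *different* clients inside one short burst
    suggests a single controller driving a set of zombies rather than one misconfigured box."""
    return len({e["host"] for e in burst}) >= min_hosts


if __name__ == "__main__":
    for burst in find_bursts(parse_log(SAMPLE_LOG)):
        s = summarize(burst)
        flag = "COORDINATED" if is_coordinated(burst) else "single-source"
        print(f"{s['start']}-{s['end']} {s['attempts']:2d} attempts from "
              f"{s['distinct_hosts']} hosts {s['isps']} senders={s['sender_domains']} [{flag}]")
```

Run against the quoted lines this yields two bursts, one of 6 attempts around 11:18 and one of 11 attempts around 16:31, each from entirely distinct client hosts and each forging only two sender domains. An ISP running the same grouping over its own outbound-25 flow logs, keyed on destination instead of source, would see the mirror image: many of its subscribers opening connections to the same targets within seconds of each other.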
I hate to tell you this but the majority of internet users do not have 24/7 connectivity. Most are still on dial up.
Until prices come down and rural areas are better served broadband is not going to be even remotely universal.
The bottom line is that ALL responsible ISPs should be filtering port 25 traffic. This also stops the propagation of the majority of worms. It's a lot easier for those who want to run SMTP servers to request permission to have port 25 allowed, and otherwise block everyone else.
You can bet that Comcast has only done this in response to lots of responsible ISPs starting to wholesale-block all port 25 traffic from their IP space. RBLs continue to be not only the most effective method of stopping spam, but also the only effective method of forcing ISPs to control the rogue behavior of their users.
They're quite happy using their ISP's SMTP server to relay their messages, so "blocking port 25 is the end of the internet" is a bogus argument.
For the 1 or 2% of the users who really need access to external SMTP servers, Comcast could set up a "white list" to allow them such access.
In other words, what Comcast is doing is firewalling on behalf of their users, since most of them have no idea what a firewall is.
What ? Me, worry ?
I see all this pining for the "way the internet was". And I don't get it.
All the problems we're having are precisely _because_ of the open and unregulated way the Internet was. The Internet was designed on the assumption that everyone will be nice, stick to the RFCs religiously, etc. No one put much thought into the "well, what if they don't?" part. That's the worst design anti-pattern possible and the nemesis of security.
And unsurprisingly that shiny-happy-optimistic approach has failed again and again. E.g., it didn't even take _that_ long for someone to figure out that by intentionally not conforming to the RFCs they can SYN-flood and crash a machine.
It's like preaching the ideal society where there are no laws, rules or authorities, and everyone can do whatever they please. It will be such an awesomely nice place, as long as everyone will be nice to each other. But they surely will, right?
Except it's not a realistic scenario.
A polar bear is a cartesian bear after a coordinate transform.
- how about a link to the script? sounds like a great idea!