Comcast Port 25 Blocks Result In Less Spam
Dozix007 writes "Ars Technica reports that: 'After Comcast finally owned up to the massive amounts of spam coming from their network, they decided to identify spammers and zombie relays on their network and block port 25 traffic from those IP addresses. Comcast's efforts are starting to pay off. They announced the amount of spam from their network has dropped 35 percent since they began port blocking, and traffic estimates from SenderBase seem to confirm the claims. Spam coming from Comcast subscribers who were formerly on AT&T networks also seems to have decreased.'"
Here's the actual Ars Technica story that wasn't linked, but copied and pasted as the Slashdot story.
Something I've been wondering about though is SpamCop's yearly stats. Since April, spam reporting has been going down. Is it simply fewer people reporting/people reporting fewer spam, or is it a sign that actual spam is going down or at least being better handled? I know on my mail server I've implemented some straight blacklist checks primarily using sbl-xbl.spamhaus.org and it's been working great with no false positives. Some spam still gets through, but SpamAssassin usually catches it with other checks.
Better yet, what if these zombied spambot-infected PCs have been creating a shadow P2P network so their makers can quickly and easily install patches, or send out network-wide commands to their armies of zombies? How long will the port 25 block remain effective then?
I give Comcast all sorts of kudos for doing something to try to staunch the spam spurting from their digital arteries, but I don't see this working in the long term.
- Greg
Start a happiness pandemic
No, port 25 is used solely for sending email. It has absolutely nothing to do with BitTorrent. Not only that, but Comcast is only blocking it for spammers and open relays.
Karma: Segmentation fault (tried to dereference a null post)
Step 2 is to take these selfish bastards to court. They were clearly breaching the terms and conditions of their accounts, so proving a case against them won't take more than five minutes.
Once a few of these spammers have lost everything including the shirt on their backs then you'll see a serious drop in the number of people who think that spamming is a quick and easy path to riches.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
I suppose it's port 25 outgoing, right? The same one that Earthlink has blocked for ages. (not sure if they still do) The same one that won't let you send SMTP mail with a different domain even if you owned the domain name?
I understand it's for spam-fighting and they only go after the uber-offenders...but it's definitely something to watch for since the ability to send mail (through the domains of our choosing if we own it) should be a fundamental feature of an ISP.
Kudos to them for doing a good job of it -- my home Internet connection is through Comcast, and I haven't experienced any trouble sending mail to my own SMTP server on another network. They could so easily have just gone the "all SMTP traffic must go to our hosts" route, but they're doing it the right way instead. Nice to see.
This is grand and all, but I run my own mail server (merely to get a 5 GB inbox and the username I want), and since it's on a residential cable line (dynamic address), AOL, rr.com, and email.com all reject my e-mails. And no, I never send spam.
Spammers aren't the only ones being blocked by spam prevention.
It's a small price to pay for a wick3d screensaver.
I have a little mail-server on the end of my cable line for my domain which has three mail accounts on it. I always find it immensely frustrating that my mail server is on MAPS DUL list and people who subscribe to MAPS block my mail.
It's not been a big enough issue that I've installed SASL for my postfix server, but it would be nice to get off the list.
Stand Fast,
tjg.
Spam coming from Comcast subscribers who were formerly on AT&T networks also seems to have decreased.
Seems as if we are *still on* an ATTBI network. I was originally an ATTBI subscriber, and the Comcast transition occurred many months ago. Interestingly enough, my rDNS still resolves to:
[ip].[state].client2.attbi.com
Seems awfully odd that this remains... one would think, at least for the sake of the brand name, that this would be reporting comcast.net.
There's a Starman, waiting in the sky / He'd like to come and meet us, but he hasn't got the time.
Not only can you not read the article, you can't even read the story text.
Here, I'll help you:
"spam from their network has dropped 35 percent"
The important thing is HOW MANY OF THOSE 500 ARE FROM COMCAST'S NETWORK? Also, compare that to your rates of two months ago for spam coming from Comcast's network.
Come on, how hard is it REALLY to read THE TEXT ON SLASHDOT?
... To make up for the difference spammers are making their emails more offensive.
1) Contact them and tell them what you've learned. Give them 30 days to get the machines patched or cleaned.
2) Terminate their service OR allow their service to continue but charge them an extra amount of $$ per month to cover the "blocking service".
Don't just block the port and let the owners continue in ignorance. You've identified them. Now do something with that information that effects long-term change!
Agile Artisans
I take offense to this kind of thing. I live in northern Alberta, and my ISP, Telus, recently began blocking a wide range of ports, most of which I had previously noticed heavy worm activity on. So I must presume that is their rationale behind filtering these ports. But this worm activity didn't bother me, since I have my machine properly secured. It's none of my concern if some people don't. Now I feel as if I don't have a REAL TCP/IP connection to the internet. I have 65355 ports on my TCP/IP stack that I should be able to use, as I please. But I no longer can, because of this. I run an HTTP server as a testing ground for some of my web projects, and an FTP server so my friends can transfer files to and from my machine. And I'd like other people on the internet to be able to access these ports, since that's what the internet DOES. That's what it's for. If I wanted a private company to dictate how I could use my computer and my internet connection, I would be a regular Microsoft customer. Admittedly, this situation is a little different than the one in the article, since Comcast only blocked port 25 of computers known to be transmitting spam. But the situation with Telus is a blanket filtering of these ports for all DSL users, which I completely disagree with, and it actually angers me. Now I have to find a new service provider, and believe me, this isn't easy in the small community where I live.
The results are truly staggering. I have cut the incoming spam by 80-90%. I cut incoming spam by 50% just by blocking client.comcast.net, client2.attbi.com and cpe.net.cable.rogers.com. The users think I'm a miracle worker. So far I blocked 2 legit messages ... one guy with a home mail server and one guy whose Telus mail server I accidentally blocked with my filter. The error message says to mail abuse@mydomain if the message is blocked in error and, of course, check_client_restrictions is turned off for the abuse account.
I was amazed at how little "legitimate" spam there is out there. It is almost all hijacked home machines.
There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
I'll check my logs when I get into the office, but if Comcast has reduced the flood of spam from their netblocks then someone else has more than taken up the slack.
Normally I get between 2,000-2,500 spam a week in a mailbox I use as a spamtrap. In the past month this has ramped up and last week there was over 4,500, and since Monday there are 2,485, um, 6, um, 7 spams in this particular mailbox. So in 4 days I've seen as much as I normally see in a week, and it's not even the weekend yet, when the real flood of spam kicks in.
Sendmail supports client-side SSL certificates, as does Mozilla. KDE does not :-( But outlook, probably, does, and that's all that matters.
That your e-mail is protected from sniffing over the WiFi, while you send it, is just gravy.
In Soviet Washington the swamp drains you.
It'd make much more sense to notify them or do a page redirect than to charge extra or shut 'em down. The odds are, if they're acting as a spam relay, their machines aren't patched, running a virus scan, a firewall, etc. So at the minimum, redirect them to a page with a comcast hosted online virus scanner & windows update. I know I'd suggest Ad-Aware & Spybot & a firewall, but if comcast tells you to use anything... they're stuck having to provide tech support when it screws up.
[Fuck Beta]
o0t!
I have a paid SpamCop account. I used to report everything, but it just takes too much time and the amount of spam continues to rise. I will not be renewing my SpamCop account once it expires next April.
I'm happier with using good spam filtering (Spam Assassin/Spam Sieve) and just ignoring the problem. I see much less spam this way, compared to looking at each and every spam I report.
I don't see the problem here. These machines have been *hijacked* so there should be no issue cutting them off from the internet, if not for the internet's sake, then for the sake of the owner of the computer! I mean, if the machine has been compromised, there could be a keylogger running just as easily as a spambot program. Pull the damned thing off the internet and tell the user to fix their machine. If they don't know how to do this, charge them $20 for a technician to come out there and run Ad-Aware, S&D, etc., or offer to send them these programs on a CD through the mail or for pickup at the ISP office.
There is no excuse for not securing your computer. If people don't want to take the half hour it takes to learn how to download and run adaware, S&D, and/or an antivirus program, they should NOT be allowed to connect to the internet. Is this so unreasonable?
Comparing to these measurements I made when Comcast first announced its strategy...
Looking at Comcast's IPs appearing on realtime blocklists, today:
CBL: 17132 (Comcast is 1.3% of CBL)
WPBL: 4779 (Comcast is 9.6% of WPBL)
Compared to the number of Comcast IPs that were spam sources two weeks ago (19897 and 5199), it does appear that there are fewer Comcast spam sources. However, the overall proportion of Comcast IPs in the entire lists hasn't changed much (from 2% and 10%).
Yay! Now we are all forced to forward our mail through Comcast's SMTP server.
Actually, I have been sending all my mail through Comcast's SMTP server for a while now, because AOL blocks mail directly from my (semi-)dynamic IP address. So, if I want to send mail to AOL users (well, the rest of the family using the SMTP server), I have to send it through Comcast's slow-as-hell mail server.
When I send mail to Gmail, for example, directly from my server, it takes just a few seconds to appear in my inbox, but when I forward it through Comcast, it often takes an hour or more.
Now, this is not completely Comcast's fault, AOL is to blame as well. It really pisses me off that I lose the speed and privacy that comes with having my own SMTP server just because the big providers can't figure out any ways to deal with spam. Fun.
Andrew
Some spammer decided to joe-job me. Very annoyed. At some point, my domain that they're spoofing mail from is going to get blacklisted -- not because mail is coming from it, but because it appears to be. I haven't seen any SpamCop reports or anything similar, but I've seen metric fucktonnes of Win32 worm messages coming into email addresses that have never existed at the same domain that's being joe-jobbed. I really need an antivirus solution built into sendmail. SpamAssassin works for 99% of my spam, but these god damn worms are driving me absolutely insane.
There isn't really all that much you can do about being joe-jobbed; 9 times out of 10 the "admins" for the zombified machine don't understand that I'm not the spammer, even though I received the bounce for the spam.
Anyone have any good results at trying to get a joe-job to stop?
da w00t. mtfnpy?
One of my friends has Comcast and he quit using his Comcast email because it was getting spammed big time before he had even used it for anything, so it's even worse for the users. They're not blocking port 25 within their own network, are they?
relays.ordb.org
bl.spamcop.net
list.dsbl.org
xbl.spamhaus.org
I've got all six of them running on my company's mail server. It's set up to respond to rejected emails with instructions for contacting me via phone in case there's a false positive. That way, I can whitelist the sender and sometimes help them if they have an open relay and didn't know it. I've had one false positive in the last year. That's for 50 users in my company, some of which post their email address everywhere and use it in Banzai Buddy forms. ~90% of spam destined for valid mailboxes is blocked. Not bad considering it's free, easy to set up, and maintenance free.
-Lucas
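Added example (not from any poster in this thread): the three rejection policies described above, the sbl-xbl.spamhaus.org lookup, the rDNS-suffix block on client.comcast.net / client2.attbi.com / cpe.net.cable.rogers.com with an exempted abuse mailbox, and the multi-RBL check whose rejection text tells the sender how to reach you, written as the decision core of a Postfix check_policy_service responder. The request/response format is Postfix's policy delegation protocol (key=value lines, blank line, then an "action=" reply); the zone list is the one the posts name, and the 127.0.0.x sub-list meanings, the mailbox names, the TEST-NET addresses and the DNS answers are constructed for the example.

```python
# Added example: DNSBL + dynamic-rDNS policy check in the shape of a Postfix
# policy service.  All hostnames, mailboxes and DNS answers are constructed.
import ipaddress
from typing import Callable, Dict, List, Optional

# Zones named in the thread.  A listing is an A record inside 127.0.0.0/8; any
# other answer (NXDOMAIN, or a non-127 record from a dead or wildcarded zone) is
# treated as "not listed" so a zone that disappears cannot block all mail.
DNSBL_ZONES = ["sbl-xbl.spamhaus.org", "bl.spamcop.net", "list.dsbl.org"]
# Assumed sub-list meaning of sbl-xbl answers: 127.0.0.2-3 SBL, 127.0.0.4-7 XBL.
SBL_XBL_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.4": "XBL",
                 "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL"}
# rDNS suffixes blocked outright (residential/dynamic pools from the post above).
BLOCKED_CLIENT_SUFFIXES = ("client.comcast.net", "client2.attbi.com",
                           "cpe.net.cable.rogers.com")
ABUSE_MAILBOX = "abuse@mydomain.example"   # exempt, so false positives can reach us

Resolver = Callable[[str], Optional[str]]  # name -> A record text, None = NXDOMAIN


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_hits(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, str]:
    """{zone: answer} for every zone listing ip with a 127.0.0.0/8 answer."""
    hits: Dict[str, str] = {}
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:                      # IPv6 or garbage: these zones are IPv4-only
        return hits
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        try:
            listed = answer is not None and \
                ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
        except ValueError:
            listed = False
        if listed:
            hits[zone] = answer
    return hits


def rdns_blocked(client_name: str) -> Optional[str]:
    """The blocked suffix that client_name falls under, or None."""
    name = client_name.lower().rstrip(".")
    for suffix in BLOCKED_CLIENT_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse the key=value block Postfix sends to a policy service (ends with a blank line)."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def policy_action(attrs: Dict[str, str], resolve: Resolver,
                  zones: List[str] = DNSBL_ZONES) -> str:
    """Action for one RCPT-stage request.  Order matters: the abuse mailbox is
    exempted before any client check, so a sender blocked in error can say so."""
    if attrs.get("recipient", "").lower() == ABUSE_MAILBOX:
        return "DUNNO"
    suffix = rdns_blocked(attrs.get("client_name", "unknown"))
    if suffix:
        return f"REJECT Mail from {suffix} is not accepted here; mail {ABUSE_MAILBOX} if this is an error"
    hits = dnsbl_hits(attrs.get("client_address", ""), zones, resolve)
    if hits:
        detail = ", ".join(f"{z} ({SBL_XBL_CODES.get(c, c) if z.startswith('sbl-xbl') else c})"
                           for z, c in hits.items())
        return f"REJECT Client host is listed in {detail}; mail {ABUSE_MAILBOX} if this is an error"
    return "DUNNO"                          # let the remaining smtpd restrictions decide


def policy_response(raw_request: str, resolve: Resolver) -> str:
    """Full round trip: request text in, 'action=...' reply (blank-line terminated) out."""
    return "action=" + policy_action(parse_policy_request(raw_request), resolve) + "\n\n"


# Constructed DNS view: 192.0.2.10 is in XBL and SpamCop; 198.51.100.7 is clean.
CONSTRUCTED_DNS = {"10.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",
                   "10.2.0.192.bl.spamcop.net": "127.0.0.2"}


def fake_resolve(name: str) -> Optional[str]:
    return CONSTRUCTED_DNS.get(name)


def _request(client_address: str, client_name: str, recipient: str) -> str:
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"client_address={client_address}\nclient_name={client_name}\n"
            f"sender=someone@example.org\nrecipient={recipient}\n\n")


def run_samples() -> List[str]:
    """Constructed requests: dynamic rDNS, same client writing to abuse@, an XBL-listed
    host with clean rDNS, and a clean host."""
    samples = [
        _request("198.51.100.7", "c-198-51-100-7.hsd1.xx.client.comcast.net", "user@mydomain.example"),
        _request("198.51.100.7", "c-198-51-100-7.hsd1.xx.client.comcast.net", ABUSE_MAILBOX),
        _request("192.0.2.10", "mail.example.org", "user@mydomain.example"),
        _request("198.51.100.7", "mail.example.org", "user@mydomain.example"),
    ]
    return [policy_action(parse_policy_request(s), fake_resolve) for s in samples]


if __name__ == "__main__":
    for action in run_samples():
        print(action)
```

Two points a practitioner would want from this: the 127.0.0.0/8 test on the answer guards against a zone that goes dark and starts answering every query (an RBL you forgot about can otherwise turn into a reject-all), and the exemption for the abuse mailbox has to come before the client checks, exactly as the poster's "turned off for the abuse account" implies, or the person you blocked by mistake has no way to tell you.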
Being a subscriber to my local cable monopoly (Cablevision), I've enjoyed the reverse situation for several years.... namely, they block traffic going INTO port 25 on my machine. I can send out all the mail I want, but to receive mail directly, I have to have a friend on another network accept it (MX records don't yet allow port specifications... sigh), and then transfer it via fetchmail/ssh.
Note to Cablevision.... I still get lots of spam, it just sits on YOUR disk instead of mine... way to go guys!
Cox has been doing this for years. Surprised the hell out of me when I couldn't use anything but Cox's SMTP server. Bloody brilliant.
Non impediti ratione cogitationus.
Cox blocks ALL outbound port 25 traffic unless it's going through their servers.
Oh wait, it's probably just down again.
Show me on the doll where his noodly appendage touched you.
Comcast (hereby referred to as Spamcast) has ignored their massive spam problem for years now. Fortunately for me the solution was to firewall all of their dynamic space from my mail server.
Apparently SPEWS thought nuking the dynamic users wasn't enough, and blacklisted all of their dynamic space plus most of their corporate servers as well.
One of these days Spamcast will wake up and realize that a huge chunk of the internet has blackholed them. I only wonder how many months or years it will take for the clue to sink in.
Lawyers, MBA's, RIAA? A jedi fears not these things!
When I switched from Optimum Online to Comcast, I quit getting ANY spam at all. Obviously this is only talking about folks on their network sending, but it's good that they are being proactive about blocking both incoming and outgoing.
A slip of the foot you may soon recover, but a slip of the tongue you may never get over. -Benjamin Franklin
I'm in the exact same boat. I use a laptop. I am on Telus' network during mornings and evenings, and during those times, access to port 25 is limited to one machine: smtp.telus.net. I *pay* for .Mac email (and WebDAV, and homepage) service, and they are denying me access to that service.
Which is a problem with the .Mac service, not Telus. They need to add an alternative authenticated SMTP port to their service. Complain to them, because the better mail services (e.g. FuseMail) all have alternate ports (587, 2525) which do not fall victim to the port 25 block.
And if you didn't see the writing on the wall about port 25 blocking, then you haven't been paying close attention the last 2-3 years.
Wolde you bothe eate your cake, and have your cake?
Do you know that SpamCop has a "quick reporting" option (you have to ask to get it enabled for you)? With quick reporting, you only need to submit the spam via email and the source IP gets automatically reported (but no reporting of spamvertized web sites this way). This way you do not have to go to clicking through their web site, and the bl.spamcop.net still gets all the data.
from a daily average of ~98 to 54
thanks comcast. you bastards.
Why do we need the mediating storage anymore?
Why not move to use "instant messaging" methods of direct connectivity between the sender and recipient, and only falling back to server storage when necessary?
This allows for much better knowledge of successful/failed delivery.
It may move more control of message reception to the recipients, allowing them to implement extra protections. For example, requiring arbitrary/configurable amounts of computation on the behalf of the sender to send them a message (increasing the cost of a message send) (unless ofcourse the sender is on a white list of known correspondents).
Is any such transition feasible in the near future?
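Added example (not from the poster above): the "configurable amount of computation on behalf of the sender, unless the sender is whitelisted" idea is what hashcash does, so this shows a sender-side proof-of-work stamp and the recipient-side checks that make it hard to abuse. It uses a simplified form of the hashcash v1 stamp "1:bits:YYMMDD:resource::rand:counter" (SHA-1, as hashcash does; only the number of leading zero bits in the digest matters). The whitelist, the difficulty, the mailboxes and the dates are constructed for the example; the double-spend set would be a database in practice.

```python
# Added example: sender-pays proof-of-work stamps with a whitelist bypass.
# Stamp layout follows hashcash v1 in simplified form; names and dates are constructed.
import hashlib
import secrets
import time
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def stamp_bits(stamp: str) -> int:
    """Leading zero bits of SHA-1(stamp): the work the stamp actually proves."""
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest())


def mint_stamp(resource: str, bits: int, date: Optional[str] = None,
               rand: Optional[str] = None) -> str:
    """Sender side: try counters until the stamp hash has >= bits leading zeros.
    Expected cost is about 2**bits hashes; the recipient verifies with one."""
    date = date or time.strftime("%y%m%d", time.gmtime())
    rand = rand or secrets.token_hex(8)        # keeps stamps unique per sender run
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if stamp_bits(stamp) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, resource: str, min_bits: int, seen: Set[str],
                 today: Optional[str] = None, max_age_days: int = 2) -> Tuple[bool, str]:
    """Recipient side: version, claimed difficulty, resource binding, freshness,
    the hash itself, and double spending (each stamp is good exactly once)."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False, "malformed stamp"
    _, bits_s, date, res, _ext, rand, counter = parts
    if not bits_s.isdigit() or int(bits_s) < min_bits:
        return False, "claimed difficulty too low"
    if res != resource:
        return False, "stamp minted for another recipient"
    try:
        minted = datetime.strptime(date, "%y%m%d")
        now = datetime.strptime(today, "%y%m%d") if today else datetime.now()
    except ValueError:
        return False, "bad date"
    if not (timedelta(0) <= now - minted <= timedelta(days=max_age_days)):
        return False, "stamp expired or post-dated"
    if stamp_bits(stamp) < int(bits_s):       # cheap: one hash, whatever bits claims
        return False, "hash does not meet claimed difficulty"
    key = f"{date}:{rand}:{counter}"
    if key in seen:
        return False, "stamp already spent"
    seen.add(key)
    return True, "ok"


def accept_message(sender: str, stamp: Optional[str], mailbox: str, whitelist: Set[str],
                   seen: Set[str], min_bits: int, today: Optional[str] = None) -> Tuple[bool, str]:
    """The policy from the post: known correspondents skip the stamp, everyone else
    must attach one that verifies for this mailbox."""
    if sender.lower() in whitelist:
        return True, "whitelisted sender"
    if stamp is None:
        return False, "stamp required"
    return verify_stamp(stamp, mailbox, min_bits, seen, today)


if __name__ == "__main__":
    spent: Set[str] = set()
    s = mint_stamp("alice@example.org", 16)
    print(s, stamp_bits(s))
    print(accept_message("stranger@example.net", s, "alice@example.org", set(), spent, 16))
    print(accept_message("stranger@example.net", s, "alice@example.org", set(), spent, 16))
```

The recipient's checks cost one SHA-1 each, so the asymmetry is real: a bulk sender has to pay 2**bits hashes per recipient per message, while legitimate correspondents on the whitelist pay nothing. The date window and the spent-stamp set are what stop a spammer from minting one stamp and reusing it; without them the scheme is just a one-time cost.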
I hate to tell you this but the majority of internet users do not have 24/7 connectivity. Most are still on dial up.
Until prices come down and rural areas are better served broadband is not going to be even remotely universal.
The bottom line is that ALL responsible ISP's should be filtering port 25 traffic. This also stops the propagation of the majority of worms. It's a lot easier for those who want to run SMTP servers to request permission to have port 25 allowed, and otherwise block everyone else.
You can bet that Comcast has only done this in response to lots of responsible ISPs starting to wholesale-block all port 25 traffic from their IP space. RBLs continue to be not only the most effective method of stopping spam, but also the only effective method of forcing ISPs to control the rogue behavior of their users.
they're quite happy using their ISP's SMTP server to relay their messages, so "blocking port 25 is the end of the internet" is a bogus argument.
for the 1 or 2% of the users who really need access to external SMTP servers comcast could set up a "white list" to allow them such access.
In other words, what Comcast is doing is firewalling on behalf of their users, since most of them have no idea what a firewall is.
What ? Me, worry ?
I see all this pining for the "way the internet was". And I don't get it.
All the problems we're having are precisely _because_ of the open and unregulated way the Internet was. The Internet was designed on the assumption that everyone will be nice, stick to the RFCs religiously, etc. No one put much thought into the "well, what if they don't?" part. That's the worst design anti-pattern possible and the nemesis of security.
And unsurprisingly that shiny-happy-optimistic approach has failed again and again. E.g., it didn't even take _that_ long for someone to figure out that by intentionally not conforming to the RFCs they can syn-flood and crash a machine.
It's like preaching the ideal society where there are no laws, rules or authorities, and everyone can do whatever they please. It will be such an awesomely nice place, as long as everyone will be nice to each other. But they surely will, right?
Except it's not a realistic scenario.
A polar bear is a cartesian bear after a coordinate transform.
Talking to an SMTP server is easy. Don't believe me? Telnet to your ISP's SMTP server (port 25, obviously) and send the bytes for "HELP". Poof, 99% of the time you'll get every command that server accepts. It doesn't take long to figure out how to use it, even if you are too lazy to read RFC 821 (start at "APPENDIX F" and I bet you're sending email via telnet in 30 seconds or less).
The /. discussion deals with issues "underground" relays present, but just remember this -- the SMTP servers you're relaying to don't really care if you're sending from port 25. That's convention. You're likely to find SMTP at smtp.myisp.com's port 25, but it really doesn't make any difference, and even in some email clients it's an option to change.
But wait, were you telnetting *from* 25? Of course not. Yet, somehow, it still worked (likely only if your "rcpt to" entry had a local domain).
Malware can use any port it wants to relay from a zombie box to smtp.openSmtpRelay.com port 25 as well.
Another thread on this
It's issues like those described in that thread that'll help ultimately bring down spams. Telling malware writers to use another port, which is all Comcast's doing, as others have pointed out, will just have ISPs blocking ports until there are no more ports to block.
It's all 0s and 1s. Or it's not.
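Added example (not from either poster above): an in-memory SMTP server speaking the RFC 821 command subset you would type by hand over telnet, HELP included, plus a driver that plays a whole session against it and records both sides. Hostnames, addresses and the HELP text are constructed. The RCPT handling models the "likely only if your rcpt to entry had a local domain" remark: an unauthenticated client can only deliver to local domains, and a relay attempt is refused at RCPT. Nothing in the exchange mentions the client's source port; the only port in the picture is the one the server listens on.

```python
# Added example: minimal RFC 821 server state machine with a relay check, driven
# entirely in memory.  Hostnames, addresses and the HELP text are constructed.
import re
from typing import List, Optional, Tuple

Transcript = List[Tuple[str, str]]      # (client line, server reply); reply == "" inside DATA


class SmtpServer:
    def __init__(self, hostname: str, local_domains: List[str], authenticated: bool = False):
        self.hostname = hostname
        self.local_domains = {d.lower() for d in local_domains}
        self.authenticated = authenticated  # what a successful AUTH would set (not modelled)
        self.messages: List[Tuple[str, List[str], str]] = []
        self.helo: Optional[str] = None
        self.in_data = False
        self._reset_envelope()

    def _reset_envelope(self) -> None:
        self.mail_from: Optional[str] = None
        self.rcpts: List[str] = []
        self.body: List[str] = []

    def greeting(self) -> str:
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line: str) -> str:
        """Process one client line and return the reply ('' while collecting DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.messages.append((self.mail_from or "", list(self.rcpts), "\n".join(self.body)))
                self._reset_envelope()
                return "250 OK: queued"
            self.body.append(line[1:] if line.startswith("..") else line)   # dot-unstuffing
            return ""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip() or None
            return f"250 {self.hostname}" if self.helo else "501 Syntax: HELO hostname"
        if verb == "HELP":
            return "214 Commands: HELO EHLO MAIL RCPT DATA RSET NOOP QUIT HELP"
        if verb == "MAIL":
            if self.helo is None:
                return "503 Send HELO/EHLO first"
            m = re.fullmatch(r"FROM:\s*<([^>]*)>.*", arg, re.IGNORECASE)
            if not m:
                return "501 Syntax: MAIL FROM:<address>"
            self._reset_envelope()
            self.mail_from = m.group(1)
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL command first"
            m = re.fullmatch(r"TO:\s*<([^>]+)>.*", arg, re.IGNORECASE)
            if not m:
                return "501 Syntax: RCPT TO:<address>"
            addr = m.group(1)
            domain = addr.rpartition("@")[2].lower()
            if domain in self.local_domains or self.authenticated:
                self.rcpts.append(addr)
                return "250 OK"
            return "554 5.7.1 Relay access denied"       # the check that stops open relaying
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset_envelope()
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"


def run_session(server: SmtpServer, client_lines: List[str]) -> Transcript:
    transcript: Transcript = [("", server.greeting())]
    for line in client_lines:
        transcript.append((line, server.handle(line)))
    return transcript


def reply_codes(transcript: Transcript) -> List[str]:
    return [reply[:3] for _, reply in transcript if reply]


# Constructed sessions: a local delivery, and a relay attempt that is refused at RCPT.
LOCAL_DELIVERY = ["EHLO laptop.example.net", "MAIL FROM:<me@example.net>",
                  "RCPT TO:<user@mydomain.example>", "DATA", "Subject: hi", "",
                  "..leading dot survives", ".", "QUIT"]
RELAY_ATTEMPT = ["HELO zombie", "MAIL FROM:<victim@example.org>",
                 "RCPT TO:<someone@aol.com>", "DATA", "QUIT"]


def demo() -> Tuple[Transcript, Transcript, SmtpServer]:
    server = SmtpServer("mail.mydomain.example", ["mydomain.example"])
    first = run_session(server, LOCAL_DELIVERY)
    second = run_session(SmtpServer("mail.mydomain.example", ["mydomain.example"]), RELAY_ATTEMPT)
    return first, second, server


if __name__ == "__main__":
    for transcript in demo()[:2]:
        for client, reply in transcript:
            if client:
                print("C:", client)
            if reply:
                print("S:", reply)
        print()
```

Setting authenticated=True turns the same server into a relay for that session, which is the whole difference between an authenticated submission service and an open relay; the zombie in the second session gets 554 at RCPT and never reaches DATA.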
The point of having multiple spam bots sending your crap out is to increase the amount of crap you can send. If they are going around setting up SMTP relay bots, then the whole exercise is rather pointless, as the bandwidth is still all being shuffled through that relay.
Look at it like this:
With two computers, I've got twice the bandwidth as one computer, and so can send twice the spam.
But with one computer relaying through the other, the bandwidth of that computer is now irrelevant; everything has to go through the relay. Instead of having a relay, it's more efficient to just send the spam from the relay.
Relaying doesn't fix the problem for spammers. And your idea about originating ports is useless, because they're blocking based on destination port, not originating port. Nobody gives a shit about originating port, for almost any protocol. If you want to send spam to ISP's, then you have to connect to SMTP servers to send your spam to, and you have to connect on the port they use, which is port 25 by convention. You cannot work around that fact.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.