Slashdot Mirror


FTC Recommends ISPs Disconnect Spam Zombies

Mike Markley writes "CNN is carrying a story about the FTC's plans and concerns around spam zombies. They say they will be identifying such zombie hosts and notifying ISPs, and are recommending that the ISPs disconnect indicated users. There's also a recommendation likely to raise the ire of the geekier sorts: that ISPs only permit users to send mail through their own servers (presumably by blocking port 25 outbound)." From the article: "Law enforcers in 25 other countries, from Bulgaria to Peru, are also participating in the campaign, the FTC said. Absent from the list of cooperating countries was China, where experts say rapid growth and a relative lack of technical sophistication have led to a large number of zombie computers."

20 of 411 comments

  1. Block 25 all you like. by jd · · Score: 2, Interesting
    I've got an IPv6 tunnel onto the 6bone, and can therefore run my own IPv6-aware mailserver. I can still send to IPv4 mail addresses, because mail addresses aren't IP version-aware.

    So nyah!

    Oh. They just blocked tunnels, too. Shit.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Block 25 all you like. by Martin+Blank · · Score: 2, Interesting

      Instead of charging customers for opening the port, they could have a provision where you request in writing that the port be opened for your IP address. Upon finding that you have been spamming (intentionally or not), they disconnect you (for a minimum time, say, 24 hours) until you pay a reconnect fee. A second time results in a longer disconnect (a week, perhaps) and a higher fee. A third offense bars you from their network for a year.

      --
      You can never go home again... but I guess you can shop there.
    2. Re:Block 25 all you like. by jd · · Score: 2, Interesting
      That would be a very good system - perhaps even extend it to people who have any kind of virus, trojan or zombie that inconveniences or harms others, even if it's not spamming people.

      (It would be no different from, say, driving a car that had failed - or not received - State safety checks, in those States that require them. If you do something reckless, but do so in a way that doesn't actually interfere with anyone, then there's no big deal, but it's on you - not them - to make sure of that.)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:Block 25 all you like. by msim · · Score: 2, Interesting

      My ISP blocks inbound port 80, 25, NetBIOS, etc., packets by default, and you have to go into your system profile and have this blocking disabled if you want to look after this yourself.

      I presume a similar thing could be configured for outbound port 25 if they wanted to, perhaps even with a "whitelist" of hosts you're permitted to send to. Definitely food for thought.

      --
      Life is like a box of chocolates, you never know when you're gonna get food poisoning.
    4. Re:Block 25 all you like. by Martin+Blank · · Score: 2, Interesting

      If it's made relatively easy to get fixes for the issues, then it is possible. Instead of an absolute cut-off, that MAC address can be assigned a private address that allows access only to a very limited network that contains information about, and opportunity to buy, anti-virus software and OS/application patches. It could even, with appropriate permission from the AV vendors, provide downloads for the stand-alone tools that are created for removing small numbers of viruses. It would assist people in getting better control over things, and I think they would be appreciative of that.

      --
      You can never go home again... but I guess you can shop there.
  2. Go ahead, block 25 by ProfaneBaby · · Score: 3, Interesting

    Just leave 587 open. The 'geek' users should be smart enough to figure that out anyway.

    Home users SHOULD be blocked or disconnected, one or the other. I don't actually care which, but as someone who watches mail queues for busy hosting servers, home users infected with viruses become a huge annoyance.

    --
    Video Phone Blogs send video messages straight to the web.
    1. Re:Go ahead, block 25 by coyote-san · · Score: 2, Interesting

      "Home user" is not synonymous with "personal user," especially as more and more people work from home. (Either by choice or because their employers are too cheap to spring for office space.)

      I paid substantially more for a Comcast "business" account at my home address, then found I still had problems hosting my own domains because of their inability to provide a static address... or even a dynamic address within a "business class" block. (The latter meant I was blocked by RBLs listing all residential DSL/cable modem IP blocks.)

      Could I have bounced outbound mail through their servers? Sure.

      Could I stop them if they decided to rewrite the headers to indicate the true sender of the message, e.g., in an attempt to prevent malicious users/malware from pretending to be the security department at eBay or Citibank? Nope. Besides "what's the harm" if I'm identified as "some.user@comcast.net" instead of "some.user@my.own.domain.com" since I'm the same person?

      I eventually switched to a virtual server at <URL:http://tummy.com/>. It was cheaper, it has a static IP address, it isn't blacklisted, etc. Of course I still need an outgoing port 25 so I can bounce my outbound mail through it.

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    2. Re:Go ahead, block 25 by Lord+Kano · · Score: 4, Interesting

      What happens when spam-bots block POP/IMAP ports on the local machine and then send pop-up windows to the user saying "You can not receive email because your ISP blocks 'Port 25', call and request that they unblock it."

      User:"I need you to um, 'Unlock Port 25'?"
      Tech Support:"What seems to be the problem?"
      User:"I can't get my email and I need you to unlock port 25."
      Tech Support:"You'll have access in 30 seconds."

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    3. Re:Go ahead, block 25 by Sheepdot · · Score: 3, Interesting

      Yes, this seems like an answer to the problem, but what I've never understood is that ISPs have the capability to determine when someone is sending spam and when someone isn't. Just monitor egress port usage. If someone is sending out 50 emails per second then block them. If they are sending one every 2 minutes, then don't.

      Or, when a user signs up, give them the option! Why ISPs haven't provided this yet is beyond me. Have a simple web form that lets users sign in and turn off port blocking, the only ones smart enough to know they need to turn it off are also the ones that most likely need to.

      For that matter, why hasn't Microsoft implemented this as a "feature" of windows XP? If they are turning off raw socket access, they might as well also turn off sending from port 25 by default. It'd upset some of us who host websites on our XP workstations, but if they really want to promote Windows 2003 Server, then this would seem like a viable option.

      Or maybe, just maybe, we could abandon the ridiculous email protocol altogether, and move to something that is built with trust in mind. Or we could all start implementing greylisting and actually increase the cost of spam.
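Sheepdot's suggestion above is to watch egress port usage and act on rate, not on the port itself. The block below is an added illustration of that idea, not code from the thread or from any ISP: it reads a constructed flow log (one line per outbound TCP connection, "timestamp src_ip dst_port"), keeps a sliding one-minute window per source address, and flags a source once it opens more than a threshold of port 25 connections in that window. Traffic to the submission port (587) is deliberately not counted, since that is the authenticated path the thread recommends leaving open. The window, threshold, addresses and log format are all assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for this illustration (not figures from the thread):
# flag a source that opens 20 or more outbound SMTP connections within 60 seconds.
WINDOW_SECONDS = 60
MAX_SMTP_CONNECTIONS_PER_WINDOW = 20
SMTP_PORT = 25


def make_sample_flow_log():
    """Constructed flow log: 'ISO-timestamp src_ip dst_port', one outbound connection per line."""
    base = datetime(2005, 5, 24, 10, 0, 0)
    lines = []
    # 10.0.0.7 plays the infected host: a fresh SMTP connection every second for a minute.
    for i in range(60):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.7 25")
    # 10.0.0.5 plays a normal user: one message every two minutes.
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=2 * i)).isoformat()} 10.0.0.5 25")
    # 10.0.0.9 uses the authenticated submission port; that traffic is not counted.
    for i in range(60):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.9 587")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the constructed log format into (timestamp, src_ip, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, int(port)))
    return flows


def find_smtp_floods(flows, window=WINDOW_SECONDS,
                     threshold=MAX_SMTP_CONNECTIONS_PER_WINDOW, port=SMTP_PORT):
    """Return {src_ip: timestamp of the connection that first crossed the threshold}.

    Only connections to `port` are counted; a per-source deque holds the timestamps
    that fall inside the trailing window, so memory stays bounded by the threshold.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, dport in sorted(flows):
        if dport != port:
            continue
        q = recent[src]
        q.append(ts)
        cutoff = ts - timedelta(seconds=window)
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in find_smtp_floods(parse_flows(make_sample_flow_log())).items():
        print(f"{src}: exceeded {MAX_SMTP_CONNECTIONS_PER_WINDOW} SMTP connections/"
              f"{WINDOW_SECONDS}s at {when.isoformat()}")
```

On the constructed log only 10.0.0.7 is flagged, at the 20th connection (10:00:19); the normal user and the port 587 client never cross the threshold. A real deployment would feed this from NetFlow or firewall logs and tune the threshold per customer class, but the shape of the check is the same.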

  3. China will play along by winkydink · · Score: 2, Interesting

    If this gets substantial traction, China will get its collective shit together and do something about it. A few days of null-routing their traffic should do the trick.

    --
    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  4. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  5. Re:25? Already blocked. by Chmarr · · Score: 2, Interesting

    Umm... how does sending to port 80 work? Or... have you configured your mail server to accept mail on port 80... and they're only sending to you?

  6. What about VOIP/911 services? by ringfinger · · Score: 4, Interesting
    Completely cutting them off would be a disaster. Most users wouldn't know what happened or how to get back connected. Plus, support costs for ISPs would go through the roof.

    People use their broadband connections for phone and 911 services now -- cutting them off completely could literally cut them off from emergency services.

  7. I already do this on my home net by WillerZ · · Score: 4, Interesting

    Traffic to or from port 25 is dropped at my router. My external email provider gives me SMTP-TLS on a high port, so I lose nothing.

    This means that even if a worm gets through the NAT and manages to infect my patched-to-current, AV-running machines, it can't do what 90% of them want to. Thus, when the patch/AV database update arrives and kills it, I know I've not contributed to the problem.

    --
    I guess today is a passable day to die.
  8. Re:Wrong way around by jhoger · · Score: 2, Interesting

    Let me make this clear to you and any other ISPs:

    Fail to route your customers' packets at your peril. Period.

    I already dropped Adelphia cable and went to Speakeasy when they purposely stopped routing ICMP packets. I made the decision in about 3 seconds once I found out what they had done.

    There are no bad ports or protocols, just bad people and programs. You'll have to deal with the problem directly, not with band-aids, if you want to keep your best customers.

    That said, if you are a low end provider you don't really have any "good customers" so do whatever you feel like.

    -- John.

  9. Re:25? Already blocked. by The+Cisco+Kid · · Score: 2, Interesting

    The 'better solution' you pine for has already existed for 7 years in RFC 2476, circa 1998. Hopefully more and more DSL/cablecos' blocking of port 25 outbound will eventually lead to near-universal implementation of it.

    http://www.ietf.org/rfc/rfc2476.txt

  10. Not the worst solution.. by Fatal67 · · Score: 5, Interesting

    But there are better ones. I have just shy of 2 million broadband users on my network. Every day I have many customers who are detected as being infected. Automagically they are placed in a walled garden where the only page they can load tells them what is happening. Basically it tells them that they have been compromised. If we can determine the virus/trojan they are running, we give them a link to a locally stored method of correcting the problem. I have never received a complaint about it, but I have received hundreds of calls saying thank you.

    I do have to question the FCC's thinking though. Most people who get infected are not of a technical nature. If you disconnect them from the net, they are at a loss of how to fix the issue. Obviously they don't have up-to-date protection on their machine. If they go out and buy a brand new copy of whatever virus software, it will need to download the latest definitions, which they can't do because you shut them off.

    It reminds me of the mid 90's where if your DS3 to one of the 6 or so backbones went down they would send you an email to notify you. Or sending them a letter telling them you shut their phone off and telling them to call you to get it turned back on.

  11. Re:Small Business Users / external hosting by gregmac · · Score: 5, Interesting

    Blocking port 25 would just about kill small business people that use a 3rd party hosting service for their webpages and email.

    It doesn't matter what SMTP server you send outgoing mail from (so long as it's not blacklisted) -- SMTP doesn't check domain names or anything (which is also really the reason spam can exist so easily).

    I had a situation that was really annoying a few years ago. We were on DSL with the incumbent phone company, and used our own co-located server to send mail. One day, I could no longer connect to SMTP. Called them, of course tier 1 tech support says "no, nothing has changed". I wait for a while to see if it'll go away, then call them back a couple hours later. This time, the guy says that they noticed one router wasn't blocking 25, so they "fixed" it. I decided just to use their server, since it was an easy fix (make a DNS entry in the office only that points to their IP instead of ours).

    This was fine for a couple months. Then one day, we couldn't send mail again. I tried to connect to their SMTP, and it would either timeout, or VERY slowly connect. I call them, and they say they're being hammered by viruses, and it'll be fixed soon. Within half an hour it was back to normal. This happened about 3 more times, and I got really annoyed. I called and asked them to remove the port 25 block (just for my account -- even to only my mail server's IP), because it was ridiculous we couldn't send email. They said they couldn't, I'd just have to wait. Well, it was several hours and still not working, so I called again, and asked to speak to a manager or supervisor. Basically, same deal "no, we can't take off the block. Maybe you can use webmail". Although it would work, I didn't want to tell everyone to use webmail instead of their email clients just because of this. I called another ISP, asked them how long it would take to get me DSL (and made sure I could use my mail server), ordered it, and called my ISP back and set about getting rid of their connection.

    Of course, this started another ridiculous series of events. The DSL remove order and DSL add order (that get filed by old and new ISPs, respectively) got "mixed up", and a couple days after moving to my new ISP the DSL signal was lost. An angry call to the phone co had it back within an hour (yet it somehow still takes 5 business days normally).

    The old ISP also decided that we actually couldn't cancel when we did - we were on a 1yr contract, and had to pay 50% of 8 months service or something for cancelling early. We had been a customer for 3 years, and none of our bills for the past year said anything about a 1-year contract. They also couldn't produce the contract -- not even an unsigned version. In subsequent calls, they claimed that it was a verbal contract yet couldn't name who had supposedly made it. Eventually months later, in an effort to get our local phone service back (we had switched to a CLEC many years ago), they decided to "credit" our account for the charges. Of course, we remained with the CLEC.

    Anyway, that got a tad off topic, but I felt the need to vent. Stay away from the big phone companies ;)

    --
    Speak before you think
  12. Re:Stupid policy. by alienw · · Score: 4, Interesting

    Finally, someone with an ounce of sense. Or, how about this (very real) scenario? My university now publishes SPF listings. Therefore, I have to use the university (authenticated) SMTP server to send out email (to avoid getting an SPF fail for that email). However, my new ISP blocks port 25, so I can't use the university's server anymore and they cannot be bothered to port-forward some other port to the SMTP server. I have to use the ISP's mail server and risk getting my email deleted by the recipient as spam.
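alienw's scenario above turns on how SPF is evaluated: a receiver looks up the sender domain's SPF record and checks whether the connecting IP is authorised, so mail for a university address that is relayed through an ISP's server fails unless the ISP's address space appears in the university's record. The block below is an added, simplified SPF evaluator to make that concrete; it is not code from the thread or from any SPF library. It supports only the `ip4`, `include` and `all` mechanisms with the four qualifiers, and it resolves records from an embedded, constructed table of TXT records (hypothetical domains, documentation-range addresses) instead of DNS. A full implementation would follow RFC 4408/7208 (mechanisms such as `a`, `mx`, `exists`, macros, and the DNS lookup limit).

```python
import ipaddress

# Constructed "DNS" TXT records for hypothetical domains (RFC 5737 documentation addresses).
# example.edu stands in for the university; mail-isp.example for the ISP's outbound servers.
DNS_TXT = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.edu -all",
    "_spf.example.edu": "v=spf1 ip4:198.51.100.0/26 ~all",
    "mail-isp.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # assumption: guards against include loops in this toy evaluator


def check_spf(domain, sender_ip, records=DNS_TXT, depth=0):
    """Evaluate a (simplified) SPF record for `domain` against `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none (no record), permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return result
        if name == "ip4":
            if not arg:
                return "permerror"
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            if not arg:
                return "permerror"
            sub = check_spf(arg, sender_ip, records, depth + 1)
            # An include matches only when the referenced record yields "pass";
            # a missing record or permerror inside it is an error for the caller too.
            if sub == "pass":
                return result
            if sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism not supported by this simplified evaluator
    return "neutral"  # no mechanism matched and no explicit "all"


def explain(domain, sender_ip):
    """Human-readable one-liner for the alienw-style question 'will my relay path pass?'"""
    return f"{sender_ip} sending as @{domain}: {check_spf(domain, sender_ip)}"


if __name__ == "__main__":
    # Sent through the university's own (authenticated) server: inside its ip4 range.
    print(explain("example.edu", "192.0.2.10"))
    # Sent through the ISP's server instead: outside every mechanism, "-all" applies.
    print(explain("example.edu", "203.0.113.7"))
```

Run as a script, the first line reports `pass` and the second `fail`, which is exactly the outcome alienw wants to avoid: the same person, the same domain, but a different submitting server. The fix on the receiving side is the university publishing the relay's addresses (or the sender using the submission port, which is the point of the RFC 2476 comment earlier in the thread); nothing in the receiver's SPF logic can tell the two cases apart.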

  13. A simple fix? by blanks · · Score: 2, Interesting

    Many ISPs offer a CD that you use to set up your services.

    Why not have built-in software (firewall) that by default blocks port 25, port 80 (inbound), IRC in/out, etc., and make the customer need to specifically allow those ports if they want them open.

    That way, the 99% of the customers who never use those ports will have cleaner or safer machines, while the people who do run their own servers have the ability to use them.