Slashdot Mirror

← Back to Stories (view on slashdot.org)

FTC Recommends ISPs Disconnect Spam Zombies

Posted by Zonk on from the spombie-hunting dept.

Mike Markley writes "CNN is carrying a story about the the FTC's plans and concerns around spam zombies. They say they will be identifying such zombie hosts and notifying ISPs, and are recommending that the ISPs disconnect indicated users. There's also a recommendation likely to raise the ire of the geekier sorts: that ISPs only permit users to send mail through their own servers (presumably by blocking port 25 outbound)." From the article: "Law enforcers in 25 other countries, from Bulgaria to Peru, are also participating in the campaign, the FTC said. Absent from the list of cooperating countries was China, where experts say rapid growth and a relative lack of technical sophistication have led to a large number of zombie computers."

9 of 411 comments (clear)

  1. Go ahead, block 25 by ProfaneBaby · · Score: 3, Interesting

    Just leave 587 open. The 'geek' users should be smart enough to figure that out anyway.

    Home users SHOULD be blocked or disconnected, one or the other. I don't actually care which, but as someone who watches mail queues for busy hosting servers, home users infected with viruses become a huge annoyance.

    --
    Video Phone Blogs send video messages straight to the web.
    1. Re:Go ahead, block 25 by Lord+Kano · · Score: 4, Interesting

      What happens when spam-bots block pop/IMAP ports on the local machine and then send pop-up windows to the user saying "You can not recieve email because your ISP blocks 'Port 25', call and request that they unblock it."

      User:"I need you to um, 'Unlock Port 25'?"
      Tech Support:"What seems to be the problem?"
      User:"I can't get my email and I need you to unlock port 25."
      Tech Support:"You'll have access in 30 seconds."

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    2. Re:Go ahead, block 25 by Sheepdot · · Score: 3, Interesting

      Yes, this seems like an answer to the problem, but what I've never understood is that ISPs have the capability to determine when someone is sending spam and when someone isn't. Just monitor egress port usage. If someone is sending out 50 emails per second then block them. If they are sending one every 2 minutes, then don't.

      Or, when a user signs up, give them the option! Why ISPs haven't provided this yet is beyond me. Have a simple web form that lets users sign in and turn off port blocking, the only ones smart enough to know they need to turn it off are also the ones that most likely need to.

      For that matter, why hasn't Microsoft implemented this as a "feature" of windows XP? If they are turning off raw socket access, they might as well also turn off sending from port 25 by default. It'd upset some of us who host websites on our XP workstations, but if they really want to promote Windows 2003 Server, then this would seem like a viable option.

      Or maybe, just maybe, we could abandon the ridiculous email protocol altogether, and move to something that is built with trust in mind. Or we could all start implementing greylisting and actually increase the cost of spam.

  2. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  3. What about VOIP/911 services? by ringfinger · · Score: 4, Interesting
    Completely cutting them off would be a disaster. Most users wouldn't know what happened or how to get back connected. Plus, support costs for ISP's would go through the roof.

    People use their broadband connections for phone and 911 services now -- cutting them off completely could literally cut them off from emergency services.

    --
    21st-Century-Citizen
  4. I already do this on my home net by WillerZ · · Score: 4, Interesting

    Traffic to or from port 25 is dropped at my router. My external email provider gives me SMTP-TLS on a high port, so I lose nothing.

    This means that even if a worm gets through the NAT and manages to infect my patched-to current AV-running machines, it can't do what 90% of them want to. Thus, when the patch/AV database update arrives and kills it, I know I've not contribued to the problem.

    --
    I guess today is a passable day to die.
  5. Not the worst solution.. by Fatal67 · · Score: 5, Interesting

    But there are better ones. I have just shy of 2 million broadband users on my network. Every day I have many customers who are detected as being infected. Automagically they are placed in a walled garden where the only page they can load tells them what is happening. Basically it tells them that they have been compromised. If we can determine the virus/trojan they are running, we give them a link to a locally stored method of corrrecting the problem. I have never received a complaint about it, but I have received hundreds of calls saying thank you.

    I do have to question the FCC's thinking though. Most people who get infected are not of a technical nature. If you disconnect them from the net, they are at a loss of how to fix the issue. Obviously they don't have uptodate protection on their machine. if they go out and buy a brand new copy of whatever virus software, it will need to download the latest definitions, which they can;t do because you shut them off.

    It reminds me of the mid 90's where if your ds3 to one of the 6 or so backbones went down they would send you an email to notify you. Or sending them a letter telling them you shut their phone off and telling to call you to get it turned back on.

  6. Re:Small Business Users / external hosting by gregmac · · Score: 5, Interesting

    Blocking port 25 would just about kill small business people that use a 3rd party hosting service for their webpages and email.

    It doesn't matter what SMTP server you send outgoing mail from (so long as it's not blacklisted) -- SMTP doesn't check domain names or anything (which is also really the reason spam can exist so easily).

    I had a situation that was really annoying a few years ago. We were on DSL with the incumbant phone company, and used our own co-located server to send mail. One day, I could no longer connect to SMTP. Called them, of course teir 1 tech support says "no, nothing has changed". I wait for a while to see if it'll go away, then call them back a couple hours later. This time, the guy says that they noticed one router wasn't blocking 25, so they "fixed" it. I decided just to use their server, since it was an easy fix (make a DNS entry in the office only that points to their IP instead of ours).

    This was fine for a couple months. Then one day, we couldn't send mail again. I tried to connect to their SMTP, and it would either timeout, or VERY slowly connect. I call them, and they say they're being hammered by viruses, and it'll be fixed soon. Within half an hour it was back to normal. This happened about 3 more times, and I got really annoyed. I called and asked them to remove the port 25 block (just for my account -- even to only my mail servers IP), because it was rediculus we couldn't send email. They said they couldn't, I'd just have to wait. Well, it was several hours and still not working, so I called again, and asked to speak to a manager or supervisor. Basically, same deal "no, we can't take off the block. Maybe you can use webmail". Although it would work, I didn't want to tell everyone to use webmail instead of their email clients just because of this. I called another ISP, asked them how long it would take to get me DSL (and made sure I could use my mail server), ordered it, and called my ISP back and set to get rid of their connection.

    Of course, this started another rediculus series of events. The DSL remove order and DSL add order (that get filed by old and new ISPs, respectively) got "mixed up", and a couple days after moving to my new ISP the DSL signal was lost. An angry call to the phone co had it back within an hour (yet it somehow still takes 5 business days normally).

    The old ISP also decided that we actually couldn't cancel when we did - we were on a 1yr contract, and had to pay 50% of 8 months service or something for cancelling early. We had been a customer for 3 years, and none of our bills for the past year said anything about a 1year contract. They also couldn't produce the contract -- not even an unsigned version. In subsequent calls, they claimed that it was a verbal contract yet couldn't name who had supposedly made it. Eventually months later, in an effort to get our local phone service back (we had switched to a CLEC many years ago), they decided to "credit" our account for the charges. Of course, we remained with the CLEC.

    Anyway, that got a tad off topic, but I felt the need to vent. Stay away from the big phone companies ;)

    --
    Speak before you think
  7. Re:Stupid policy. by alienw · · Score: 4, Interesting

    Finally, someone with an ounce of sense. Or, how about this (very real) scenario? My university now publishes SPF listings. Therefore, I have to use the university (authenticated) SMTP server to send out email (to avoid getting an SPF fail for that email). However, my new ISP blocks port 25, so I can't use the university's server anymore and they cannot be bothered to port-forward some other port to the SMTP server. I have to use the ISP's mail server and risk getting my email deleted by the recipient as spam.