Forgot your password?
typodupeerror
Spam The Internet Your Rights Online

Comcast Port 25 Blocks Result In Less Spam 381

Posted by timothy
from the choke-it-off dept.
Dozix007 writes "Ars Technica reports that: 'After Comcast finally owned up to the massive amounts of spam coming from their network, they decided to identify spammers and zombie relays on their network and block port 25 traffic from those IP addresses. Comcast's efforts are starting to pay off. They announced the amount of spam from their network has dropped 35 percent since they began port blocking and traffic estimates from SenderBase seem to confirm the claims. Spam coming from Comcast subscribers who were formerly on AT&T networks also seems to have decreased'."
This discussion has been archived. No new comments can be posted.

Comcast Port 25 Blocks Result In Less Spam

Comments Filter:
  • by Anonymous Coward on Wednesday June 30, 2004 @07:30PM (#9576809)
    Here's the actual Ars Technica story [arstechnica.com] that wasn't linked, but copied and pasted as the Slashdot story.

    Something I've been wondering about though is SpamCop's yearly stats [cesmail.net]. Since April, spam reporting has been going down. Is it simply fewer people reporting/people reporting fewer spam, or is it a sign that actual spam is going down or at least being better handled? I know on my mail server I've implemented some straight blacklist checks primarily using sbl-xbl.spamhaus.org [spamhaus.org] and it's been working great with no false positives. Some spam still gets through, but SpamAssassin usually catches it with other checks.
    • My email account at work used to get about 100 spams/day earlier this year, now it's down to 60-70. (This is the spams that hits the spam filter, only 2-3 slips through each day).
      • My email account at work used to get about 100 spams/day earlier this year, now it's down to 60-70. (This is the spams that hits the spam filter, only 2-3 slips through each day).

        I started the year at 100/day... now rapidly closing in on 200/day. The only thing we block at the mail gateway is executable attachments (anything that is typically used by virus/worm such as EXE, VBS, SCR).

        SpamBayes lets 1-2 slip through every few days.

        2003-10 2950 - 94/day
        2003-11 3225 - 108/day
        2003-12 3775 - 122/day
        20
        • Jun 2004 17084 = 573/day
          May 2004 17327 = 559/day
          Apr 2004 17764 = 592/day
          Mar 2004 14119 = 455/day
          Feb 2004 11848 = 409/day
          Jan 2004 9910 = 320/day
          Dec 2003 10002 = 323/day
          Nov 2003 8423 = 281/day

          This includes viruses that my Bayesian filter is catching, but since most of those viruses are probably to install spam-viruses that's probably a fair classification. Anyway, I can't say that I've seen things drop off this month. Seems to be holding steady the last 3 months...

          Maybe we can make comments li

    • Is it simply fewer people reporting/people reporting fewer spam, or is it a sign that actual spam is going down or at least being better handled?

      I know I have stopped reporting all my spam. It took too much time. Now I just target the ones that make it past my spam filters (OK, I have kind of given up on that too).

      But I have noticed a drop in spam recently. Maybe spammers are on spring break.
      • by thedillybar (677116) on Wednesday June 30, 2004 @09:24PM (#9577554)
        >I know I have stopped reporting all my spam. It took too much time.

        I wrote a perl script that I can pipe to from pine. It does a quick check with whois.abuse.net and forwards it off. Soon I may be adding whois.arin.net checks as well as traceroutes to track down the abuse e-mail contact.

        It's real easy to pipe 200 messages to a script everyday before you leave for the day...

      • by Alexey Nogin (10307) on Wednesday June 30, 2004 @10:35PM (#9577912) Homepage
        Do you know that SpamCop has a "quick reporting" option (you have to ask to get it enabled for you)? With quick reporting, you only need to submit the spam via email and the source IP gets automatically reported (but no reporting of spamvertized web sites this way). This way you do not have to go to clicking through their web site, and the bl.spamcop.net still gets all the data.
    • I think it's fewer people reporting spam. My spam count has increased (400+ a day), but I gave up reporting to SpamCop a number of months ago because I couldn't keep up. I emptied my held mail a few weeks ago, and had 6000+ messages on the system. I know SpamCop has been throwing away the older ones that I haven't gotten around to reporting/cleaning out, because I store a local copy of the mail going to SpamCop and I've archived WAY more than that...
    • It's got to be that fewer spam messages are being reported. I've noticed lately that the amount of spam I've received has been slowly going UP, from around 80 junk messages per day to around 100.

      Of course, any one e-mail address can't equal a scientific survey, but still...
    • I'm a paying SpamCop reporter. It's just starting to get too expensive to keep reporting. I'll probably keep it up for a bit, but that 16MB quota disappears awfully fast now. Hopefully Comcast cleaning up its act will reduce the spam load significantly.
    • I'm reporting less (Score:2, Insightful)

      by mr_rangr (311899)
      I have a paid SpamCop account. I used to report everything, but it just takes too much time and the amount of spam continues to rise. I will not be renewing my SpamCop account once it expires next April.

      I'm happier with using good spam filtering (Spam Assassin/Spam Sieve) and just ignoring the problem. I see much less spam this way, compared to looking at each and every spam I report.
    • by Night Goat (18437) on Wednesday June 30, 2004 @08:23PM (#9577226) Homepage Journal
      I used to report spam more diligently than I do now. Nowadays my filtering does a pretty good job, and only occasionally when I am bored do I report spam. And I've given up on the Chinese spam. Those servers have admins who don't care. I used to think maybe it was the language barrier, but they must get enough e-mails with the word spam in them that it's got to be a word they recognize. So I think it's just people are reporting less spam.
      • by Pharmboy (216950) on Wednesday June 30, 2004 @10:15PM (#9577810) Journal
        I used to report spam more diligently than I do now.

        Same, but now I filter through and make sure I report all Comcast spam, since it may actually make a difference. I have definately seen a reduction in spam from comcast since the report. We receive many THOUSANDS of spam messages a day for less than two dozen email addresses over 2 domains. I don't even log virus hits anymore, they just delete. A couple hundred a day. I only report spam to known major ISPs. Over 97% of the traffic at our mail server is spam or viruses. Sad.

        Regarding chinese/russian/korean spam, I just block several thousand class B IP blocks. Yes, this is not the best method, but then again, since I don't email anyone in China, etc, perhaps it is.

        Also, any domain that sends spam, and doesn't have an abuse@ address is blacklisted instantly. Several small ISPs fit into this catagory. I will NOT fill out a form on a fucking web page to report spam. No abuse@, no access.

        optonline and adelphia seem to be the worst about not responding to spam, and verizon is the WORST. God I hate them, for so many reasons. I have the least problems/repeats with spam from rr.com and aol.com, ironically.
    • 1. I couldn't keep up and my efforts didn't seem to make much difference.

      2. Spamcop got stricter and a simple copy and paste from the outlook express headers stopped working. At the time I was using spamcop I wasn't willing to switch email clients. Now thunderbird is almost up to par with everything I need.
  • But For How Long? (Score:5, Insightful)

    by gbulmash (688770) * <semi_famous@ya[ ].com ['hoo' in gap]> on Wednesday June 30, 2004 @07:30PM (#9576817) Homepage Journal
    Those numbers are all really nice, but isn't this just putting one of those little dot band-aids on a stab wound? It seems to work for a while, but how long before the spambot authors come up with a way around the port 25 block? How long until new worms are traversing the net, creating worldwide bottlenecks, pinging out from newly zombied PCs to find the latest Windows vulnerability and install themselves?

    Better yet, what if these zombied spambot-infected PC's have been creating a shadow P2P network so their makers can quickly and easily install patches, or send out network-wide commands to their armies of zombies? How long will the port 25 block remain effective then?

    I give Comcast all sorts of kudos for doing something to try to staunch the spam spurting from their digital arteries, but I don't see this working in the long term.

    - Greg

    • Re:But For How Long? (Score:5, Informative)

      by rsmith-mac (639075) on Wednesday June 30, 2004 @07:34PM (#9576851)
      It seems to work for a while, but how long before the spambot authors come up with a way around the port 25 block?

      They can't, that the beauty of it. Standard SMTP servers listen on port 25, as defined in the RFC; with port 25 blocked, it's simply not possible for spam zombies to talk to normal SMTP servers, period.
      • So, anyone think there might be a IIS or Linux vulnerability that could change that?

        I think the grandparent was being too depressed. Measures like this are about the only logical way to combat spam, short of having police raid everyone with a computer and force them to install patches, or sending them to the gallows if they're actually originating spam. And that isn't going to happen. So be happy that Comcast has done this, and hope that they'll continue to be diligent and block any work-arounds.
      • by Baron_Yam (643147) on Wednesday June 30, 2004 @07:43PM (#9576927)
        Which is why (some) Windows users learned to hide behind NAT or disable their Messenger service - because some spammers moved on from email to direct popups on the desktop.
      • Let's just toss out an idea (poorly formed), but might work.
        As each PC gets infected with the spambot, the first thing it does is try to contact a known SMTP server on the web. If it can get through, it sets up shop as normal, and opens up another port, lets call it port 12345 for now.
        Now, if the spambot cannot contact the chosen SMTP server(might even go through a list of them), it starts scanning the internet for any IP listening on port 12345. If it finds an system operating on port 12345, it sends
        • Or, the virus could read the registry and use the smtp server defined in Outlook.

          I'm on comcast and I send mail using SMTP_AUTH through port 25 on my work server. I haven't been blocked yet. When I am I'll just switch to SMTP_AUTH over TLS/SMTP which is port 465. What would stop a virus from reading the registry to find the SMTP user/pass and port settings. The virus would then send mail as an authenticated user.

          The network cannot protect itself against viruses with port filtering. Viruses on the I
      • Forgive what might seem like an ignorant question, but is it possible to forge a port number?
        I don't even understand conceptually what that means, but I do know that just about everything can be done when people are inspired by other greed or boredom.

        • Forgive what might seem like an ignorant question, but is it possible to forge a port number?

          No. Think of a server listening on a port as waiter waiting next to window. Only requests coming in through that window will be served. Trying to talk to a window where the waiter is not will not be of use, since either there would be no waiter there or the waiter that is there wouldn't understand what you are asking.

          Any solution to get round the problem would require hijaking a machine not in the blocked IP rang
      • All they would need to to is smart-relay through the ISP's servers. Probably not all that hard to rewrite the zombies to do that, you know.
        • All they would need to to is smart-relay through the ISP's servers. Probably not all that hard to rewrite the zombies to do that, you know.

          Which is good, because now the ISP has a central point where they can implement rate-limiting. Or at least maintain log files showing which users are sending large quantities of e-mail.

          Even better, if the ISP forces SMTP authentication, it now becomes easy to tie a particular spam run back to an actual Comcast user account. Which gives the Comcast folks even more
    • Re:But For How Long? (Score:2, Informative)

      by Hrolf (564645)
      To the extent that Comcast can keep up with finding zombie PCs for which they provide Internet service, blocking port 25 will guarantee that zombie PCs on Comcast's network will not send spam. It's quite simple: in order to send e-mail, you must connect to a server listening on port 25 for the simple reason that that's where the receiver's SMTP server is listening by convention [iana.org].

      You seem to be complaining that Comcast's spam blocking techniques don't stop the spread of worms. The block is designed to preve

    • by NanoGator (522640)
      "Those numbers are all really nice, but isn't this just putting one of those little dot band-aids on a stab wound?"

      Somehow I doubt Comcast was trying to play anything but a small part in dealing with SPAM.
  • OK, that's step 1... (Score:3, Interesting)

    by WIAKywbfatw (307557) on Wednesday June 30, 2004 @07:37PM (#9576875) Journal
    Step 2 is to take these selfish bastards to court. They were clearly breaching the terms and conditions of their accounts, so proving a case against them won't take more than five minutes.

    Once a few of these spammers have lost everything including the shirt on their backs then you'll see a serious drop in the number of people who think that spamming is a quick and easy path to riches.
    • by cmowire (254489) on Wednesday June 30, 2004 @07:41PM (#9576900) Homepage
      The problem is those machines aren't actually the spammer, they are comprimised machines that the spammer is controlling.

      Although, it seems to me like it would be a nice project to send a Comcast truck around the neighborhood with a list of comprimised machines, armed with a laptop running an ethernet sniffer, then use that information to track down who's controlling the machines.

      Only problem is that it probably leads to machines not within the reach of US-based subopaenas.
      • by AKnightCowboy (608632) on Wednesday June 30, 2004 @09:13PM (#9577494)
        The problem is those machines aren't actually the spammer, they are comprimised machines that the spammer is controlling.

        Why would a legitimate businessman in the bulk e-mail industry use hacked machines? That'd be clearly illegal. Oh that's right, sometimes I forget, they're fucking scumbag criminals who would steal their parents' social security checks if they could get away with it.

    • Keep in mind that the blocks are on what are very likely zombied, trojaned, infected machines and that the users/owners of said machines dont even realize it.
    • Ok. Now how to you distinguish between innocent bystanders (ie. the zombie relay folks) and the fartknockers actually doing the spamming?

      You can't.

      As nice as it would be, you really need to be -absolutely- sure you've got a spammer before you try to ruin their life with the court system.

    • by stefanlasiewski (63134) * <[moc.ocnafets] [ta] [todhsals]> on Wednesday June 30, 2004 @07:55PM (#9577017) Homepage Journal
      Step 2 is finding the spammers, since it's likely that most of these spam machines are comprimised machines running windows, the machine's owners are probably oblivious that their home machine is sending Spam.

      Step 3 is take these selfish bastards to court.
  • by Anonymous Coward on Wednesday June 30, 2004 @07:37PM (#9576877)
    I suppose it's port 25 outgoing, right? The same one that Earthlink has blocked for ages. (not sure if they still do) The same one that won't let you send SMTP mail with a different domain even if you owned the domain name?

    I understand it's for spam-fighting and they only go after the uber-offenders...but it's definitely something to watch for since the ability to send mail (through the domains of our choosing if we own it) should be a fundamental feature of an ISP.
  • A big dent (Score:5, Informative)

    by koreth (409849) on Wednesday June 30, 2004 @07:37PM (#9576879)
    I noticed a big drop in the daily message traffic to my mail server (which receives about 85% spam, last I checked) around the time Comcast put their policy in place. It seems like about a 25-30% drop in overall message traffic, which is in line with the numbers they quote.

    Kudos to them for doing a good job of it -- my home Internet connection is through Comcast, and I haven't experienced any trouble sending mail to my own SMTP server on another network. They could so easily have just gone the "all SMTP traffic must go to our hosts" route, but they're doing it the right way instead. Nice to see.

    • They could so easily have just gone the "all SMTP traffic must go to our hosts" route, but they're doing it the right way instead. Nice to see.

      Absolutely! I have a mail server sitting on my Comcast account and I send and receive with it. It would have been a major pain if they blocked all SMTP traffic since they probably wouldn't relay my mail for the addresses on my domain. I would have had to route mail through another machine on another port which is a horrible solution. Eventually I'd end up havin
      • Comcast will route for your domain - I've been doing it for 9 months.

        Incoming still comes direct to my machine, but I route through them. I figure if it's important enough that Comcast not see what I'm sending, I can use GPG.
  • flipside (Score:4, Insightful)

    by name773 (696972) on Wednesday June 30, 2004 @07:38PM (#9576886)
    this is grand and all, but i run my own mailserver (merely to get a 5gig inbox and the username i want), and since it's on a residential cable line (dynamic address), aol, rr.com, and email.com all reject my e-mails. and no, i never send spam.
    spammers aren't the only ones being blocked by spam prevention
    • Re:flipside (Score:3, Informative)

      by prockcore (543967)
      and since it's on a residential cable line (dynamic address), aol, rr.com, and email.com all reject my e-mails. and no, i never send spam.

      Don't talk directly to their mail servers.. talk to the outgoing mailserver provided to you by your ISP. Sheesh.

      I'm always amazed at how many people "run my own mailserver" yet have no idea how mail is supposed to work.
      • by bstadil (7110)
        Let me see. You are travelling and want to send email from a mailserver while logged in via Wifi.

        Now does the mailserver "Provided by your ISP work? No, they block any IP not their own. Now if port 25 wasn't blocked you could use your own and avoid having to change the Client setup.

        I have exactly this problem and have to pay $10 / year to have access to a smtp server that will allow me to log-in from any IP.

        • by mi (197448)
          By letting you download an SSL certificate, your (or any) ISP can allow you (and any of their customers) to relay mail through their servers.

          Sendmail supports client-side SSL certificates, as does Mozilla. KDE does not :-( But outlook, probably, does, and that's all that matters.

          That your e-mail is protected from sniffing over the WiFi, while you send it, is just gravy.

      • Re:flipside (Score:4, Insightful)

        by jfengel (409917) on Wednesday June 30, 2004 @07:56PM (#9577025) Homepage Journal
        Many ISP mail servers refuse to relay mail. If neither the FROM nor the TO addresses belong to that server, they'll reject your message. That means you end up receiving mail on the ISP's mail server, and that completely obliterates the point of running your own mail server.

        The reason for that is obvious: it prevents the mail server from being used to relay spam. But it's also very frustrating if you want more flexbility and you're not a spammer. I don't know comcast's policy; perhaps they'll accept relaying from inside their network.
      • Re:flipside (Score:2, Informative)

        by e9th (652576)
        Read the previous article in yro. If you let your ISP forward your mail, he can read it (at least in the First District) with impunity.
      • Re:flipside (Score:5, Insightful)

        by bourne (539955) on Wednesday June 30, 2004 @08:41PM (#9577346)

        Don't talk directly to their mail servers.. talk to the outgoing mailserver provided to you by your ISP. Sheesh.

        I'm always amazed at how many people "run my own mailserver" yet have no idea how mail is supposed to work.

        No, thanks. I prefer my mail without random 24-48 hour delays and invisibly dropped messages. That's not how mail is "supposed to work."

        • Re:flipside (Score:5, Funny)

          by Some Dumbass... (192298) on Wednesday June 30, 2004 @09:51PM (#9577686)
          No, thanks. I prefer my mail without random 24-48 hour delays and invisibly dropped messages. That's not how mail is "supposed to work."

          You mean that's not how _e-mail_ is supposed to work. I'm pretty sure that's exactly how regular old _mail_ is supposed to work, and the postal service is doing a great job of implementing that system, thank you.
      • Re:flipside (Score:3, Insightful)

        by bigberk (547360)

        I'm always amazed at how many people "run my own mailserver" yet have no idea how mail is supposed to work.

        SMTP certainly does not demand that all mail be sent through a higher-tier relay. Rather, SMTP was designed to provide diverse, peer-to-peer mail transaction facilities. It allows arbitrary hosts to exchange mail with their peers and this flexibility is what's let SMTP revolutionize communications!

        Pretty much the only prerequisite condition for establishing a proper SMTP node is having a reliabl

    • Re:flipside (Score:4, Informative)

      by batkiwi (137781) on Wednesday June 30, 2004 @07:49PM (#9576971)
      Look into "smarthost." Every MTA I know of supports it, and it's the proper way to do it.
    • Re:flipside (Score:2, Informative)

      by Anonymous Coward
      Thank the spammers [linxnet.com]. Seriously, a very good read, if ever in doubt who deserves your anger.
    • Then configure your MTA to use your ISPs SMTP server as a smarthost. All your outgoing mail will be routed through your ISPs mail server and won't be rejected by AOL and others.
  • by Anonymous Coward on Wednesday June 30, 2004 @07:39PM (#9576887)
    It's a small price to pay for a wick3d screensaver.
  • by tjgrant (108530) <tjg@noSPaM.craigelachie.org> on Wednesday June 30, 2004 @07:42PM (#9576923) Homepage

    I have a little mail-server on the end of my cable line for my domain which has three mail accounts on it. I always find it immensely frustrating that my mail server is on MAPS DUL list and people who subscribe to MAPS block my mail.

    It's not been a big enough issue that I've installed SASL for my postfix server, but it would be nice to get off the list.

    • by paitre (32242) on Wednesday June 30, 2004 @08:03PM (#9577079) Journal
      Very, _VERY_ unlikely.

      One of the tactics that pretty much -all- DNSBLs (and even some ISPs wholesale - like Comcast, incidentally) is to simply not receive email from dial-up type networks. Comcast's consumer-level cable modem service really is no better than dial-up service from a certain point of view (ie. every j6p is able to use it - and they aren't exactly concerned about security).

      The odds of a cable modem network getting out of MAPS is as likely as my winning a million bucks tomorrow - nil.

  • AT&T - Comcast (Score:5, Informative)

    by murderlegendre (776042) on Wednesday June 30, 2004 @07:44PM (#9576935)

    Spam coming from Comcast subscribers who were formerly on AT&T networks also seems to have decreased.

    Seems as as we are *still on* an ATTBI network. I was originally an ATTBI subscriber, and the Comcast transition occured many months ago. Interestingly enough, my rDNS still resolves to:

    [ip].[state].client2.attbi.com

    Seems awfully odd that this remais.. one would think, at least for the sake of the brandname, that this would be reporting comcast.net

  • Less Spam (Score:3, Funny)

    by radiumhahn (631215) on Wednesday June 30, 2004 @07:52PM (#9576996)
    ... To make up for the difference spammers are making their emails more offensive.
  • Why just the port? (Score:5, Insightful)

    by jarich (733129) on Wednesday June 30, 2004 @07:55PM (#9577013) Homepage Journal
    I understand that these machines have been hijacked and the owners aren't at fault (unless you count negligence)... but all that being said...

    1) Contact them and tell them what you've learned. Give them 30 days to get the machines patched or cleaned.

    2) Terminate their service OR allow their service to continue but charge them an extra amount of $$ per month to cover the "blocking service".

    Don't just block the port and let the owners continue in ignorance. You've identified them. Now do something with that information that effects long term change!

    • by cdavies (769941) on Wednesday June 30, 2004 @08:06PM (#9577102) Homepage
      The problem is, none of that is in the best commerical interests of comcast, so they won't do it.

      Actually contacting people costs money because a human has to pick up the phone. Terminating their service costs money for obvious reasons, and charging them for a dubious "service" is likely to get your customer angry at you and waste time and money in calls to your help line.

      In the short term, automated blocking and letting the user ride along is blissful ignorance is the only viable strategy. Isn't capitalism great?

    • I believe a home visit by a cattle-prod wielding Company Representative would also do the trick, and I'm sure myself and other recipients of offers such as "Increase Your Penis Size While Improving Your Search Engine Placings On Google" would willingly fund this if neccessary.

      • by Pharmboy (216950) on Wednesday June 30, 2004 @09:57PM (#9577712) Journal
        I believe a home visit by a cattle-prod wielding Company Representative would also do the trick, and I'm sure myself and other recipients of offers such as "Increase Your Penis Size While Improving Your Search Engine Placings On Google" would willingly fund this if neccessary.

        I don't know about you, but I have been responding to all the "Increase your Penis" ads, and now my wang is so big, I had to buy new pants. Thanks to all those guys in Africa, I have more money in my bank account than I could hope for. I used it to buy stocks based on tips that these guys have been sending me, and have doubled my money in a week every time. Of course, it doesn't really matter, because I am buying software for 80% off retail, get people sending me really cool screen savers for free, and refinanced my home at unheard of interest rates.

        Now I'm getting tons of email from girls that want me to meet them and their coed girlfriends, so the new, bigger penis will come in handy. I even ordered some discount Viagra so I can keep it going all night. I think what really impressed them was my new university diploma, that I received for my lifelong accomplishments.

        Gotta run, looks like someone just sent me a greeting card. Hope its one of the hot college chics. I still don't see what all the fuss is about...
    • Agreed (Score:2, Interesting)

      by TubeSteak (669689)
      It'd make much more sense to notify them or do a page redirect than to charge extra or shut 'em down. The odds are, if they're acting as a spam relay, their machines aren't patched, running a virus scan, a firewall, etc. So at the minimum, redirect them to a page with a comcast hosted online virus scanner & windows update. I know I'd suggest Ad-Aware & Spybot & a firewall, but if comcast tells you to use anything... they're stuck having to provide tech support when it screws up.
  • Oh wait, no! It's just that my Comcast-owned cable modem won't talk to my computer for the n'th time today.

    Really! It looks like the equipment they provide now is pure junk. Before it was rock solid, now it goes down many times per day and the only solution is to pull the power connector.

    But seriously, why has the spam from Comcast not fallen further? Is Comcast only running a trial on part of its network?

    I'm still seeing lots of Comcast IP addresses blocked by using the XBL.spamhaus.net RBL -- how is

    • I don't know what kind they gave you, but my Motorola Surfboard SB3100 they gave me 3 years ago, when AT&T Broadband was my ISP, is still kicking and screaming. It's actually outlasted my Linksys BEFSR41 Router in lifespan. I have noticed those newer Surfboard's seem kind of flimsy as if they're made of cheap plastic.
  • by xiang shui (762964) on Wednesday June 30, 2004 @08:03PM (#9577075)
    I take offense to this kind of thing. I live in northern Alberta, and my ISP, Telus, recently began blocking a wide range of ports, most of which I had previously noticed heavy worm activity on. So I must presume that is their rationale behind filtering these ports. But this worm activity didn't bother me, since I have my machine properly secured. It's none of my concern if some people don't. Now I feel as if I don't have a REAL TCP/IP connection to the internet. I have 65355 ports on my TCP/IP stack that I should be able to use, as I please. But I no longer can, because of this. I run an HTTP server as a testing ground for some of my web projects, and an FTP server so my friends can transfer files to and from my machine. And I'd like other people on the internet to be able to access these ports, since that's what the internet DOES. That's what it's for. If I wanted a private company to dictate how I could use my computer and my internet connection, I would be a regular Microsoft customer. Admittedly, this situation is a little different than the one in the article - since comcast only blocked port 25 of computers known to be transmitting spam. But the situation with Telus is a blanket filtering of these ports for all DSL users, which I completely disagree with, and it actually angers me. Now I have to find a new service provider, and believe me, this isn't easy in the small community where I live.
    • If you want unfettered internet access, it is called a T1. Look it up. You signed up for a less expensive service in exchange for a few restrictions. No consumer-level ISP is out to provide you 100% unfettered service. You should have checked your terms of service before you signed on, the ISPs I've seen have it pretty clear that subscribers are not allowed to run servers through that link.

      I know you don't care about the worm activity, but it costs the ISPs a lot of money to be hauling that traffic.
  • by perp (114928) on Wednesday June 30, 2004 @08:03PM (#9577076)
    After I first read about this Comcast thing, I looked into how to block connections directly from spambots on home machines to the corporate mail server I admin (~500 users). I set Postfix up to check_client_restrictions and look up the connecting machine's name in a file that lists all the broadband domain names I could find. The results were so good that I have now added every little ISP whose machines send me spam and started using regexes to catch the ones where if I blocked the domain I'd also block their mail server.

    The results are truly staggering. I have cut the incomimg spam by 80-90%. I cut incoming spam by 50% just by blocking client.comcast.net, client2.attbi.com and cpe.net.cable.rogers.com. The users think I'm a miracle worker. So far I blocked 2 legit messages ... one guy with a home mail server and one guy whose Telus mail server I accidentally blocked with my filter. The error message says to mail abuse@mydomain if the message is blocked in error and, of course, check_client _restrictions is turned off for the abuse account.

    I was amazed at how little "legitimate" spam there is out there. It is almost all hijacked home machines.

  • by csk_1975 (721546) on Wednesday June 30, 2004 @08:06PM (#9577100)
    I'll check my logs when I get into the office, but if Comcast has reduced the flood of spam from their netblocks then someone else has more than taken up the slack.

    Normally I get between 2,000-2,500 spam a week in a mailbox I use as a spamtrap. In the past month this has ramped up and last week there was over 4,500 and since monday there are 2,485, um 6, um 7, spams in this particular mailbox. So in 4 days I've seen as much as I normally see in a week - and its not even the weekend yet when the real flood of spam kicks in.
  • by mikeg22 (601691) on Wednesday June 30, 2004 @08:22PM (#9577221)
    I don't see the problem here. These machines have been *hijacked* so there should be no issue cutting them off from the internet if not for the internet's sake, than for the sake of the owner of the computer! I mean, if the machine has been comprimised, there could be a keylogger running just as easily as a spambot program. Pull the damned thing off the internet and tell the user to fix their machine. If they don't know how to do this, charge them $20 for a technician to come out there and run adaware, S&D, etc...or offer to send them these programs on a CD through the mail or for pickup at the ISP office.

    There is no excuse for not securing your computer. If people don't want to take the half hour it takes to learn how to download and run adaware, S&D, and/or an antivirus program, they should NOT be allowed to connect to the internet. Is this so unreasonable?
  • by bigberk (547360) <bigberk@users.pc9.org> on Wednesday June 30, 2004 @08:27PM (#9577246)
    Comparing to these measurements [slashdot.org] I made when Comcast first announced its strategy...

    Looking at Comcast's IPs appearing on realtime blocklists, today:
    CBL: 17132 (Comcast is 1.3% of CBL)
    WPBL: 4779 (Comcast is 9.6% of WPBL)

    Compared to the number of Comcast IPs that were spam sources two tweeks ago (19897 and 5199) it does appear that there are fewer Comcast spam sources. However the overall proportion of Comcast IPs in the entire lists haven't changed much from (2% and 10%)
  • by adpowers (153922) on Wednesday June 30, 2004 @08:30PM (#9577274)
    Yay! Now we are all forced to forward our mail through Comcast's SMTP server.

    Actually, I have been sending all my mail through Comcast's SMTP server for a while now, because AOL blocks mail directly from my (semi-)dynamic IP address. So, if I want to send mail to AOL users (well, the rest of the family using the SMTP server), I have to send it through Comcast's slow-as-hell mail server.

    When I send mail to Gmail, for example, directly from my server, it takes just a few seconds to appear in my inbox, but when I forward it through Comcast, it often takes an hour or more.

    Now, this is not completely Comcast's fault, AOL is to blame as well. It really pisses me off that I lose the speed and privacy that comes with having my own SMTP server just because the big providers can't figure out any ways to deal with spam. Fun.

    Andrew
  • by Da w00t (1789) * on Wednesday June 30, 2004 @08:31PM (#9577286) Homepage
    Some spammer decided to joe-job [catb.org] me. Very annoyed. At some point, my domain that they're spoofing mail from is going to get blacklisted -- not because mail is coming from it, but because it appears to be. I havn't seen any spamcop reports or anything similar, but I've seen metric fucktonnes of Win32 worm messages coming into email addresses that never have existed at the same domain that's being joe-jobbed. I really need an antivirus solution built into sendmail. Spamassassin works for 99% of my spam, but these god damn worms are driving me absoltuely insane.

    There isn't really all that much you can do about being joe-jobbed, 9 times out of 10 the "admins" for the zombified machine doesn't understand that I'm not the spammer, eventhough I received the bounce for the spam.

    Anyone have any good results at trying to get a joe-job to stop?
    • First, install ClamAV and tell Sendmail to use it as a milter. It's surprisingly effective and lightweight; the load on my mailserver actually went down after installing it because it's no longer attempting to deliver tens of thousands of viral messages.

      Second, configure SPF records [pobox.com] for all of your domains. It may not help today, but an increasing number of mailservers are rejecting mail that fails SPF validation.

      Third, learn to love your access file. Mine contains lines like:

      erin@honeypot.net "55

  • by thegoogler (792786) on Wednesday June 30, 2004 @08:35PM (#9577313)
    one of my friends has comcast and he quit using his comcast email because it was getting spammed big time before he had even used it for anything, so its even worse for the users, there not blocking port 25 within there own network are they?
  • by Quixadhal (45024) on Wednesday June 30, 2004 @08:56PM (#9577424) Homepage Journal
    Being a subscriber to my local cable monopoly (Cablevision), I've enjoyed the reverse situation for several years.... namely, they block traffic going INTO port 25 on my machine. I can send out all the mail I want, but to receive mail directly, I have to have a friend on another network accept it (MX records don't yet allow port specifications... sigh), and then transfer it via fetchmail/ssh.

    Note to Cablevision.... I still get lots of spam, it just sits on YOUR disk instead of mine... way to go guys!
  • by RyuuzakiTetsuya (195424) <taiki@cUMLAUTox.net minus punct> on Wednesday June 30, 2004 @09:08PM (#9577467)
    Cox ahs been doing this for years. surprised the hell out of me when I oculdn't use anything but cox's SMTP server. Bloody brilliant.
  • by pyrrhonist (701154) on Wednesday June 30, 2004 @09:17PM (#9577511)
    It works so well that even access to Comcast's own server (smtp.comcast.net) is blocked for their own users.

    Oh wait, it's probably just down again.

  • by Indy1 (99447) <spamtrap@fuckedregime.com> on Wednesday June 30, 2004 @09:40PM (#9577642) Homepage
    Comcast (hereby referred to as Spamcast) has ignored their massive spam problem for years now. Fortunately for me the solution was to firewall all of their dynamic space from my mail server.

    Apparently Spews [spews.org] thought nuking the dynamic users wasnt enough, and blacklisted all of their dynamic space plus most of their corporate servers as well.

    One of these days Spamcast will wake up and realize that a huge chunk of the internet has blackholed them. I only wonder how many months or years it will take for the clue to sink in.
  • That's interesting (Score:3, Interesting)

    by Servo (9177) <dstringf @ g m a i l . c om> on Wednesday June 30, 2004 @10:09PM (#9577776) Journal
    when I switched from Optimum Online to Comcast, I quit getting ANY spam at all. Obviously this is only talking about folks on their network sending.. but its good that they are being proactive about blocking both incoming and outgoing.
  • by Narcocide (102829) on Wednesday June 30, 2004 @11:18PM (#9578155) Homepage
    from a daily average of ~98 to 54

    thanks comcast. you bastards.
  • Why do we need the mediating storage anymore?

    Why not move to use "instant messaging" methods of direct connectivity between the sender and recipient, and only falling back to server storage when necessary?

    This allows for much better knowledge of successful/failed delivery.

    It may move more control of message reception to the recipients, allowing them to implement extra protections. For example, requiring arbitrary/configurable amounts of computation on the behalf of the sender to send them a message (increasing the cost of a message send) (unless ofcourse the sender is on a white list of known correspondents).

    Is any such transition feasible in the near future?
  • by humankind (704050) on Thursday July 01, 2004 @12:06AM (#9578372) Journal
    The bottom line is that ALL responsible ISP's should be filtering port 25 traffic. This also stops the propagation of the majority of worms. It's a lot easier for those who want to run SMTP servers to request permission to have port 25 allowed, and otherwise block everyone else.

    You can bet that Comcast has only done this in response to lots of responsible ISPs starting to wholesale-block all port 25 traffic from their IP space. RBLs continue to be not only the most effective method of stopping spam, but also the only effective method of forcing ISPs to control the rogue behavior of their users.
    • by TheAwfulTruth (325623) on Thursday July 01, 2004 @01:33AM (#9578746) Homepage
      Bullpucky.

      The blocking of outbound port 25 (Which Cox has been doing for years) is the begining of the end of the internet.

      When ISPs start deciding what their customers can and can't do on the internet, it's the end of everything. Every ISP will just become an small island of service. What next? Block 21? Hey how about blocking everything but 80? But wait, zombie mail relays can be setup on any port, so set them up on 80, now Comcast can't block outbound 80 can they?!?!? So it solves nothing in the long run.

      I need port 25 open so that I can send email through my workplace server. In order to do that I now have to send mail to a third party server at port 2525 and SPOOF the return address. But what happens when spoofing is no longer allowed?

      Whiolesale blocking of port 25 is a lazy, destructive answer to the problem. It may stop the flow of zombie machine spam in the short term, but it also seriously harms legitimate users of their network.

      At least Comcast has the sense to block it for identified zombie machines and not for every IP they own like COX.
      • they're quite happy using their ISPs SMTP server to relay their messages, so "blocking por 25 is the end of the internet" is a bogus argument.

        for the 1 or 2% of the users who really need access to external SMTP servers comcast could set up a "white list" to allow them such access.

        in other words, what comcast is doing is firewalling in behalf of their users since most of them have no idea what a firewall is.
  • by mactari (220786) <rufworkNO@SPAMgmail.com> on Thursday July 01, 2004 @09:12AM (#9580477) Homepage
    Talking to an SMTP server is easy. Don't believe me? Telnet to your ISP's smtp server (port 25, obviously) and send the bytes for "HELP". Poof, 99% of the time you'll get every command that server accepts. It doesn't take long to figure out how to use it, even if you are too lazy to read RFC 821 [faqs.org] (start at "APPENDIX F" and I bet you're telneting email via telnet in 30 seconds or less).

    But wait, were you telnetting *from* 25? Of course not. Yet, somehow, it still worked (likely only if your "rcpt to" entry had a local domain).

    Malware can use any port they want to relay from a zombie box to smtp.openSmtpRelay.com 25 as well.

    Another thread on this /. discussion [slashdot.org] deals with issues "underground" relays present, but just remember this -- the SMTP servers you're relaying to don't really care if you're sending from port 25. That's convention. You're likely to find SMTP at smtp.myisp.com's port 25, but it really doesn't make any difference, and even in some email clients it's an option to change.

    It's issues like those described in that thread that'll help ultimately bring down spams. Telling malware writers to use another port, which is all Comcast's doing, as others have pointed out, will just have ISPs blocking ports until there are no more ports to block.
    • by Otto (17870) on Thursday July 01, 2004 @10:39AM (#9581257) Homepage Journal
      The point of having multiple spam bots sending your crap out is to increase the amount of crap you can send. If they are going around setting up SMTP relay bots, then whole exercise is rather pointless, as the bandwidth is still all being shuffled through that relay.

      Look at it like this:
      With two computers, I've got twice the bandwidth as one computer, and so can send twice the spam.
      But with one computer relaying through the other, the bandwidth of that computer is now irrelevant, everything has to go through the relay. Instead of having a relay, it's more efficent to just send the spam from the relay.

      Relaying doesn't fix the problem for spammers. And your idea about originating ports is useless, because they're blocking based on destination port, not originating port. Nobody gives a shit about originating port, for almost any protocol. If you want to send spam to ISP's, then you have to connect to SMTP servers to send your spam to, and you have to connect on the port they use, which is port 25 by convention. You cannot work around that fact.

Someone is unenthusiastic about your work.

Working...