Comcast Port 25 Blocks Result In Less Spam
Dozix007 writes "Ars Technica reports that: 'After Comcast finally owned up to the massive amounts of spam coming from their network, they decided to identify spammers and zombie relays on their network and block port 25 traffic from those IP addresses. Comcast's efforts are starting to pay off. They announced the amount of spam from their network has dropped 35 percent since they began port blocking and traffic estimates from SenderBase seem to confirm the claims. Spam coming from Comcast subscribers who were formerly on AT&T networks also seems to have decreased'."
Good job on the cut and paste (Score:5, Informative)
Something I've been wondering about though is SpamCop's yearly stats [cesmail.net]. Since April, spam reporting has been going down. Is it simply fewer people reporting/people reporting fewer spam, or is it a sign that actual spam is going down or at least being better handled? I know on my mail server I've implemented some straight blacklist checks primarily using sbl-xbl.spamhaus.org [spamhaus.org] and it's been working great with no false positives. Some spam still gets through, but SpamAssassin usually catches it with other checks.
Re:Does BitTorrent need that port? (Score:5, Informative)
Re:But For How Long? (Score:5, Informative)
They can't, that's the beauty of it. Standard SMTP servers listen on port 25, as defined in the RFC; with port 25 blocked, it's simply not possible for spam zombies to talk to normal SMTP servers, period.
A big dent (Score:5, Informative)
Kudos to them for doing a good job of it -- my home Internet connection is through Comcast, and I haven't experienced any trouble sending mail to my own SMTP server on another network. They could so easily have just gone the "all SMTP traffic must go to our hosts" route, but they're doing it the right way instead. Nice to see.
Re:But For How Long? (Score:3, Informative)
Re:OK, that's step 1... (Score:5, Informative)
Although, it seems to me like it would be a nice project to send a Comcast truck around the neighborhood with a list of compromised machines, armed with a laptop running an ethernet sniffer, then use that information to track down who's controlling the machines.
Only problem is that it probably leads to machines not within the reach of US-based subpoenas.
Re:But For How Long? (Score:3, Informative)
AT&T - Comcast (Score:5, Informative)
Spam coming from Comcast subscribers who were formerly on AT&T networks also seems to have decreased.
Seems as if we are *still on* an ATTBI network. I was originally an ATTBI subscriber, and the Comcast transition occurred many months ago. Interestingly enough, my rDNS still resolves to:
[ip].[state].client2.attbi.com
Seems awfully odd that this remains... one would think, at least for the sake of the brand name, that this would be reporting comcast.net
Re:flipside (Score:3, Informative)
Don't talk directly to their mail servers.. talk to the outgoing mailserver provided to you by your ISP. Sheesh.
I'm always amazed at how many people "run my own mailserver" yet have no idea how mail is supposed to work.
Re:Yea right... (Score:3, Informative)
Not only can you not read the article, you can't even read the story text.
Here, I'll help you:
"spam from their network has dropped 35 percent"
The important thing is HOW MANY OF THOSE 500 ARE FROM COMCAST'S NETWORK? Also, compare that to your 2 months ago rates of spam coming from Comcast's network.
Come on, how hard is it REALLY to read THE TEXT ON SLASHDOT?
Re:But For How Long? (Score:2, Informative)
You seem to be complaining that Comcast's spam blocking techniques don't stop the spread of worms. The block is designed to prevent the worm from sending spam. If you want someone to whom to complain about the spread of worms, you might want to direct your anger at the blameworthy [microsoft.com].
Re:flipside (Score:4, Informative)
Re:flipside (Score:2, Informative)
Re:flipside (Score:2, Informative)
Re:Now can we get un-blackholed? (Score:4, Informative)
One of the tactics that pretty much -all- DNSBLs (and even some ISPs wholesale - like Comcast, incidentally) use is to simply not receive email from dial-up type networks. Comcast's consumer-level cable modem service really is no better than dial-up service from a certain point of view (i.e. every j6p is able to use it - and they aren't exactly concerned about security).
The odds of a cable modem network getting out of MAPS is as likely as my winning a million bucks tomorrow - nil.
Re:Sheesh. yourselves (Score:3, Informative)
Sendmail supports client-side SSL certificates, as does Mozilla. KDE does not :-( But Outlook, probably, does, and that's all that matters.
That your e-mail is protected from sniffing over the WiFi, while you send it, is just gravy.
Re:Good job on the cut and paste (Score:3, Informative)
I started the year at 100/day... now rapidly closing in on 200/day. The only thing we block at the mail gateway is executable attachments (anything that is typically used by virus/worm such as EXE, VBS, SCR).
SpamBayes lets 1-2 slip through every few days.
2003-10 2950 - 94/day
2003-11 3225 - 108/day
2003-12 3775 - 122/day
2004-01 3250 - 105/day
2004-02 3600 - 124/day
2004-03 4150 - 134/day
2004-04 5150 - 172/day
2004-05 5450 - 176/day
2004-06 6250 - 208/day
Oops, we just crossed the 200/day mark. And that's just my own work e-mail address, which doesn't count all of the other users.
We won't truly see the impact of the Comcast move until at least the end of July.
Let's look at some numbers (Score:4, Informative)
Looking at Comcast's IPs appearing on realtime blocklists, today:
CBL: 17132 (Comcast is 1.3% of CBL)
WPBL: 4779 (Comcast is 9.6% of WPBL)
Compared to the number of Comcast IPs that were spam sources two weeks ago (19897 and 5199) it does appear that there are fewer Comcast spam sources. However the overall proportion of Comcast IPs in the entire lists hasn't changed much from (2% and 10%).
Re:What a crock0sheet (Score:5, Informative)
relays.ordb.org
bl.spamcop.net
list.dsbl.org
xbl.spamhaus.org
I've got all six of them running on my company's mail server. It's set up to respond to rejected emails with instructions for contacting me via phone in case there's a false positive. That way, I can whitelist the sender and sometimes help them if they have an open relay and didn't know it. I've had one false positive in the last year. That's for 50 users in my company, some of whom post their email address everywhere and use it in Banzai Buddy forms. ~90% of spam destined for valid mailboxes is blocked. Not bad considering it's free, easy to set up, and maintenance free.
-Lucas
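The blocklist checks described in this comment and in the earlier sbl-xbl.spamhaus.org comment are DNS lookups. The following is an added example, not code from either poster: it builds the query name, counts only answers inside 127.0.0.0/8 as listings, and skips any zone that fails the RFC 5782 test entries. The sample records, the address 192.0.2.10 and the zone dead.example are constructed so it runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the blocklist zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def listed(ip, zone, resolver=system_resolver):
    """A listing is an answer inside 127.0.0.0/8; anything else is ignored."""
    answers = resolver(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LOOPBACK for a in answers)

def zone_is_sane(zone, resolver=system_resolver):
    """RFC 5782 test entries: 127.0.0.2 is listed, 127.0.0.1 is not."""
    return (listed("127.0.0.2", zone, resolver)
            and not listed("127.0.0.1", zone, resolver))

def rejecting_zones(ip, zones, resolver=system_resolver):
    """Zones that list ip, ignoring zones that fail the sanity test."""
    return [z for z in zones
            if zone_is_sane(z, resolver) and listed(ip, z, resolver)]

# Constructed answers so the example runs offline. 192.0.2.10 is a
# documentation address; dead.example is a made-up zone that lists everything.
SAMPLE_RECORDS = {
    "2.0.0.127.xbl.spamhaus.org": ["127.0.0.2"],
    "10.2.0.192.xbl.spamhaus.org": ["127.0.0.2"],
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
}
SAMPLE_ZONES = ["xbl.spamhaus.org", "bl.spamcop.net", "dead.example"]

def sample_resolver(name):
    """Stand-in for DNS: wildcard answer for dead.example, table otherwise."""
    if name.endswith(".dead.example"):
        return ["127.0.0.2"]
    return SAMPLE_RECORDS.get(name, [])

if __name__ == "__main__":
    print(rejecting_zones("192.0.2.10", SAMPLE_ZONES, sample_resolver))
```

The sanity test is what keeps a zone that answers every query from turning into a reject-all rule on the mail server.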
Re:Why just the port? (Score:3, Informative)
'After Comcast finally owned up to the massive amounts of spam coming from their network, they decided to identify spammers and zombie relays on their network and block port 25 traffic from those IP addresses.
If only MY ISP would read this... (Score:3, Informative)
Note to Cablevision.... I still get lots of spam, it just sits on YOUR disk instead of mine... way to go guys!
Re:I might as well sign up with AOL... (Score:3, Informative)
I know you don't care about the worm activity, but it costs the ISPs a lot of money to be hauling that traffic.
Re:Incoming or outgoing 25? (Score:5, Informative)
Furthermore, given that the court system has decided that it is entirely okay for ISPs to read their customers' mail at will, I don't necessarily want my confidential emails passing through, and being logged by, their mail server. Perhaps you don't particularly care about that but many people do. Yes, I know they can monitor my IP traffic any time they wish, but there isn't any reason to make it easy for them by just stuffing my messages onto their hard disks.
Fortunately, at this point Comcast has not chosen to simply block all SMTP transfers, just those from known abusers, so I don't really have a problem with that (for now.) But I do think that reducing or eliminating the capability of the Internet is not the way to solve problems like this, because once ISPs get in the habit of limiting what we can do with the network we will be hard pressed to get back the freedom we have now. I like the fact that any computer on the Internet can connect to any other and communicate in ways defined by the users of those machines. That fundamentally egalitarian aspect of the Internet is what makes the network so useful (and so scary to certain powerful people.) Allowing those that provide our connectivity the power to pick and choose how we communicate is a bad precedent, and one that we will regret. It won't be long, mark my words, when Port 25 access is simply GONE for anyone but a big corporation or Internet provider, unless you want to pay a monthly "SMTP access charge" or something similar. There's already been talk of charging for access to specific types of connectivity. Imagine having to pay an extra $5.00/month "Instant Messaging access charge" for ICQ users, or a "mandated RIAA maintenance fee" for P2P. Keep the damn ports open, block those systems that cause problems, and let the rest of us use the Internet in ways that benefit us.
Re:But For How Long? (Score:3, Informative)
No. Think of a server listening on a port as a waiter waiting next to a window. Only requests coming in through that window will be served. Trying to talk to a window where the waiter is not will not be of use, since either there would be no waiter there or the waiter that is there wouldn't understand what you are asking.
Any solution to get round the problem would require hijacking a machine not in the blocked IP range, or the router.
My ISP, Sympatico.ca, blocks all outgoing port 25 requests by default, except those going to its servers. I would imagine that if you could argue a valid need to have it unblocked for you they would do it, but I am just guessing. Although it may be a bit heavy handed, for the majority of most home users this shouldn't cause any problem.
Comcast is behind the times. (Score:3, Informative)
Have you tried SpamCop's "quick reporting"? (Score:5, Informative)
re. shesh yourselfs (Score:1, Informative)
1) web mail (either set it up on one of your own servers or use aol/yahoo)
2) SSH into one of your shell accounts and send it from there via pine or even plain old mail.
3) Open a machine for relay at work or home... whichever is not blocked and send it through there. (Be sure to close the relay when you are done or the spammers will find it)
4) ssh worksshserver -L 2525:workmailserver:25 then point your mail program to send through localhost:2525
Relaying is not a workaround... (Score:5, Informative)
Look at it like this:
With two computers, I've got twice the bandwidth as one computer, and so can send twice the spam.
But with one computer relaying through the other, the bandwidth of that computer is now irrelevant, everything has to go through the relay. Instead of having a relay, it's more efficient to just send the spam from the relay.
Relaying doesn't fix the problem for spammers. And your idea about originating ports is useless, because they're blocking based on destination port, not originating port. Nobody gives a shit about originating port, for almost any protocol. If you want to send spam to ISPs, then you have to connect to SMTP servers to send your spam to, and you have to connect on the port they use, which is port 25 by convention. You cannot work around that fact.
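The per-address, destination-port block discussed in this comment and in the "A big dent" comment can be sketched over flow records. This is an added example, not Comcast's method and not code from any poster: the fan-out heuristic, the threshold of 3 servers and the flow records are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records, one per line: "src_ip dst_ip dst_port".
# Addresses come from documentation ranges; none is a real subscriber.
SAMPLE_FLOWS = """
198.51.100.7 203.0.113.25 25
198.51.100.7 203.0.113.25 25
198.51.100.7 203.0.113.80 80
198.51.100.9 192.0.2.1 25
198.51.100.9 192.0.2.2 25
198.51.100.9 192.0.2.3 25
198.51.100.9 192.0.2.4 25
198.51.100.9 203.0.113.80 80
garbled line
"""

SMTP_PORT = 25

def parse_flows(text):
    """Yield (src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            yield parts[0], parts[1], int(parts[2])

def smtp_fanout(flows):
    """Map each source to the distinct servers it contacted on port 25."""
    fanout = defaultdict(set)
    for src, dst, port in flows:
        if port == SMTP_PORT:
            fanout[src].add(dst)
    return fanout

def sources_to_block(flows, max_servers=3):
    """Assumed heuristic: more than max_servers distinct SMTP servers."""
    fanout = smtp_fanout(flows)
    return sorted(s for s, dsts in fanout.items() if len(dsts) > max_servers)

def permitted(src, dst_port, blocked):
    """The block matches destination port 25 only, and only listed sources."""
    return not (src in blocked and dst_port == SMTP_PORT)

if __name__ == "__main__":
    blocked = sources_to_block(parse_flows(SAMPLE_FLOWS))
    print("blocked sources:", blocked)
    print("own-server user may send:", permitted("198.51.100.7", 25, blocked))
    print("blocked host may browse:", permitted("198.51.100.9", 80, blocked))
```

The subscriber who sends through a single SMTP server of their own stays unblocked, and a blocked address loses only connections whose destination port is 25.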
Re:I've noted a recent increase in spam. (Score:3, Informative)
Second, configure SPF records [pobox.com] for all of your domains. It may not help today, but an increasing number of mailservers are rejecting mail that fails SPF validation.
Third, learn to love your access file. Mine contains lines like:
Mail coming in to any of those accounts is rejected before it can even be transmitted. You still have to spend a TCP connection on the message, but minimal bandwidth and no storage space.