Comcast Port 25 Blocks Result In Less Spam
Dozix007 writes "Ars Technica reports that: 'After Comcast finally owned up to the massive amounts of spam coming from their network, they decided to identify spammers and zombie relays on their network and block port 25 traffic from those IP addresses. Comcast's efforts are starting to pay off. They announced the amount of spam from their network has dropped 35 percent since they began port blocking and traffic estimates from SenderBase seem to confirm the claims. Spam coming from Comcast subscribers who were formerly on AT&T networks also seems to have decreased.'"
But For How Long? (Score:5, Insightful)
Better yet, what if these zombied spambot-infected PCs have been creating a shadow P2P network so their makers can quickly and easily install patches, or send out network-wide commands to their armies of zombies? How long will the port 25 block remain effective then?
I give Comcast all sorts of kudos for doing something to try to staunch the spam spurting from their digital arteries, but I don't see this working in the long term.
- Greg
flipside (Score:4, Insightful)
spammers aren't the only ones being blocked by spam prevention
Re:Good job on the cut and pase (Score:3, Insightful)
I know I have stopped reporting all my spam. It took too much time. Now I just target the ones that make it past my spam filters (OK, I have kind of given up on that too).
But I have noticed a drop in spam recently. Maybe spammers are on spring break.
Why just the port? (Score:5, Insightful)
1) Contact them and tell them what you've learned. Give them 30 days to get the machines patched or cleaned.
2) Terminate their service OR allow their service to continue but charge them an extra amount of $$ per month to cover the "blocking service".
Don't just block the port and let the owners continue in ignorance. You've identified them. Now do something with that information that effects long term change!
Re:OK, that's step 1... (Score:5, Insightful)
Step 3 is take these selfish bastards to court.
Re:flipside (Score:4, Insightful)
The reason for that is obvious: it prevents the mail server from being used to relay spam. But it's also very frustrating if you want more flexibility and you're not a spammer. I don't know Comcast's policy; perhaps they'll accept relaying from inside their network.
If anything I'm seeing more spam (Score:3, Insightful)
Normally I get between 2,000-2,500 spam a week in a mailbox I use as a spamtrap. In the past month this has ramped up and last week there was over 4,500 and since Monday there are 2,485, um 6, um 7, spams in this particular mailbox. So in 4 days I've seen as much as I normally see in a week - and it's not even the weekend yet when the real flood of spam kicks in.
Re:Why just the port? (Score:4, Insightful)
Actually contacting people costs money because a human has to pick up the phone. Terminating their service costs money for obvious reasons, and charging them for a dubious "service" is likely to get your customer angry at you and waste time and money in calls to your help line.
In the short term, automated blocking and letting the user ride along in blissful ignorance is the only viable strategy. Isn't capitalism great?
Re:But For How Long? (Score:3, Insightful)
As each PC gets infected with the spambot, the first thing it does is try to contact a known SMTP server on the web. If it can get through, it sets up shop as normal, and opens up another port, let's call it port 12345 for now.
Now, if the spambot cannot contact the chosen SMTP server (might even go through a list of them), it starts scanning the internet for any IP listening on port 12345. If it finds a system operating on port 12345, it sends some sort of test string to that IP/port. The listening server responds with some pre-determined code. Once the originating system receives the expected response, it starts sending all of its email out using the other system as a proxy. Thus doubling the amount of bandwidth used on the proxy, but allowing the spambot to function on a "protected" computer.
Lastly, the proxy server should only allow a few connections, to keep from saturating the bandwidth available to it.
Granted, this isn't a whole solution around the port 25 block, but it may be a start of how it might be done, and something to watch for. Personally, I'm all in favor of ISPs blocking outbound port 25, and only opening it for those who request it specifically. My current ISP does this, and I'm perfectly happy with it.
I'm reporting less (Score:2, Insightful)
I'm happier with using good spam filtering (Spam Assassin/Spam Sieve) and just ignoring the problem. I see much less spam this way, compared to looking at each and every spam I report.
Disable their Internet connection (Score:5, Insightful)
There is no excuse for not securing your computer. If people don't want to take the half hour it takes to learn how to download and run adaware, S&D, and/or an antivirus program, they should NOT be allowed to connect to the internet. Is this so unreasonable?
meanwhile, Comcast's SMTP server is slow as hell (Score:5, Insightful)
Actually, I have been sending all my mail through Comcast's SMTP server for a while now, because AOL blocks mail directly from my (semi-)dynamic IP address. So, if I want to send mail to AOL users (well, the rest of the family using the SMTP server), I have to send it through Comcast's slow-as-hell mail server.
When I send mail to Gmail, for example, directly from my server, it takes just a few seconds to appear in my inbox, but when I forward it through Comcast, it often takes an hour or more.
Now, this is not completely Comcast's fault, AOL is to blame as well. It really pisses me off that I lose the speed and privacy that comes with having my own SMTP server just because the big providers can't figure out any ways to deal with spam. Fun.
Andrew
Re:flipside (Score:5, Insightful)
Don't talk directly to their mail servers... talk to the outgoing mail server provided to you by your ISP. Sheesh.
I'm always amazed at how many people "run my own mailserver" yet have no idea how mail is supposed to work.
No, thanks. I prefer my mail without random 24-48 hour delays and invisibly dropped messages. That's not how mail is "supposed to work."
Re:But For How Long? (Score:3, Insightful)
Somehow I doubt Comcast was trying to play anything but a small part in dealing with SPAM.
Re:flipside (Score:3, Insightful)
Pretty much the only prerequisite condition for establishing a proper SMTP node is having a reliable, stationary position.
That's the whole beauty of it. Imagine the unreliable, fragile, and slow communications we would have if every small service provider had to relay its mail through its upstream's relay, until all email was handled through: MCI, UUNet, AOL, etc. Instead, the point of SMTP is that if your host has its own reliable connection, it can send the mail directly to the destination domain.
Re:Disable their Internet connection (Score:3, Insightful)
Then there is the liability if they do it wrong and destroy more data on the computer of said moron user. It is just a whole mess that would not get the ISP anything but more phone calls, which is what they like to avoid.
Re:I will also be switching from Telus (Score:3, Insightful)
Which is a problem with the
And if you didn't see the writing on the wall about port 25 blocking, then you haven't been paying close attention the last 2-3 years.
Oh, yeah, it's working just great (Score:1, Insightful)
11:17:30 1 SMTP-074(pcp03798560pcs.galitn01.tn.comcast.net) Return-Path '<vernon@seznam.cz>' rejected: routed to ERROR
11:17:37 1 SMTP-076(c-24-245-53-31.mn.client2.attbi.com) Return-Path '<inderpal@seznam.cz>' rejected: routed to ERROR
11:18:13 1 SMTP-083(pcp02218985pcs.echryh01.nj.comcast.net) Return-Path '<dain@t-online.de>' rejected: routed to ERROR
11:18:16 1 SMTP-084(c-24-5-18-39.client.comcast.net) Return-Path '<raffi@t-online.de>' rejected: routed to ERROR
11:18:48 1 SMTP-091(c-67-167-67-156.client.comcast.net) Return-Path '<trent@seznam.cz>' rejected: routed to ERROR
11:19:10 1 SMTP-094(h00095b8f289b.ne.client2.attbi.com) Return-Path '<dorit@t-online.de>' rejected: routed to ERROR
16:29:41 1 SMTP-130(c-24-15-176-110.client.comcast.net) Return-Path '<rakesh@t-online.de>' rejected: routed to ERROR
16:29:57 1 SMTP-133(c-66-176-92-94.se.client2.attbi.com) Return-Path '<kuo-juey@seznam.cz>' rejected: routed to ERROR
16:30:13 1 SMTP-135(c-24-8-29-151.client.comcast.net) Return-Path '<shih@seznam.cz>' rejected: routed to ERROR
16:30:22 1 SMTP-136(c-24-126-93-71.we.client2.attbi.com) Return-Path '<eleni@t-online.de>' rejected: routed to ERROR
16:31:04 1 SMTP-143(c-67-166-120-177.client.comcast.net) Return-Path '<axel@seznam.cz>' rejected: routed to ERROR
16:31:10 1 SMTP-144(c-24-5-242-4.client.comcast.net) Return-Path '<julia@t-online.de>' rejected: routed to ERROR
16:31:13 1 SMTP-145(c-24-5-194-85.client.comcast.net) Return-Path '<farhad@seznam.cz>' rejected: routed to ERROR
16:31:16 1 SMTP-146(c-67-173-26-207.client.comcast.net) Return-Path '<alun@seznam.cz>' rejected: routed to ERROR
16:31:44 1 SMTP-149(c-67-163-74-4.client.comcast.net) Return-Path '<kyra@seznam.cz>' rejected: routed to ERROR
16:32:28 1 SMTP-155(c-24-12-225-17.client.comcast.net) Return-Path '<amy@seznam.cz>' rejected: routed to ERROR
16:32:48 1 SMTP-157(h00e0183d6b85.ne.client2.attbi.com) Return-Path '<leison@seznam.cz>' rejected: routed to ERROR
This is but a fraction of the spam attempts I see on my server-- they are nearly all from zombied home Windows machines sitting on broadband. They show up in the logs in several clumps of nearly-simultaneous attempts, so it's obvious they are all under the control of a small group of spammers. The next step Comcast makes should be to monitor inbound traffic to the zombied machines on their network... theoretically they should be able to locate the controlling entity by detecting the shitload of inbound traffic to their client IP ranges from a single source.
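The post's log excerpt shows exactly the pattern the poster describes: rejected deliveries from residential reverse-DNS names arriving in tight clumps, with the forged Return-Path domains shared across unrelated client hosts. The script below is an added example (mine, not the poster's or any mail server's code) that parses lines in that format, clusters them into bursts by inter-arrival gap, tallies attempts per access network and per forged sender domain, and flags a burst as "coordinated" when several distinct client hosts use the same sender domain within it. The sample input is the first nine lines of the excerpt quoted in the post; the 60-second gap and the 3-host threshold are assumed tuning values.

```python
import re
from collections import Counter

# Sample input: the first nine lines of the log excerpt quoted in the post above.
SAMPLE_LOG = """\
11:17:30 1 SMTP-074(pcp03798560pcs.galitn01.tn.comcast.net) Return-Path '<vernon@seznam.cz>' rejected: routed to ERROR
11:17:37 1 SMTP-076(c-24-245-53-31.mn.client2.attbi.com) Return-Path '<inderpal@seznam.cz>' rejected: routed to ERROR
11:18:13 1 SMTP-083(pcp02218985pcs.echryh01.nj.comcast.net) Return-Path '<dain@t-online.de>' rejected: routed to ERROR
11:18:16 1 SMTP-084(c-24-5-18-39.client.comcast.net) Return-Path '<raffi@t-online.de>' rejected: routed to ERROR
11:18:48 1 SMTP-091(c-67-167-67-156.client.comcast.net) Return-Path '<trent@seznam.cz>' rejected: routed to ERROR
11:19:10 1 SMTP-094(h00095b8f289b.ne.client2.attbi.com) Return-Path '<dorit@t-online.de>' rejected: routed to ERROR
16:29:41 1 SMTP-130(c-24-15-176-110.client.comcast.net) Return-Path '<rakesh@t-online.de>' rejected: routed to ERROR
16:29:57 1 SMTP-133(c-66-176-92-94.se.client2.attbi.com) Return-Path '<kuo-juey@seznam.cz>' rejected: routed to ERROR
16:30:13 1 SMTP-135(c-24-8-29-151.client.comcast.net) Return-Path '<shih@seznam.cz>' rejected: routed to ERROR
"""

# One rejected-delivery line as shown in the post:
# "HH:MM:SS <n> SMTP-<id>(<client reverse DNS>) Return-Path '<addr>' rejected: <reason>"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \d+ SMTP-\d+\((?P<host>[^)]+)\) "
    r"Return-Path '<(?P<sender>[^>]*)>' rejected: (?P<reason>.*)$"
)


def parse_log(text):
    """Return one dict per parseable line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s = (int(x) for x in m["time"].split(":"))
        events.append({
            "secs": h * 3600 + mi * 60 + s,                    # seconds since midnight
            "host": m["host"],
            "network": ".".join(m["host"].split(".")[-2:]),  # e.g. "comcast.net"
            "domain": m["sender"].rpartition("@")[2],        # forged Return-Path domain
        })
    return events


def cluster_bursts(events, gap=60):
    """Group events into bursts: an event within `gap` seconds of the previous one
    joins the current burst, a larger gap starts a new burst."""
    bursts = []
    for ev in sorted(events, key=lambda e: e["secs"]):
        if bursts and ev["secs"] - bursts[-1][-1]["secs"] <= gap:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def coordinated(burst, min_hosts=3):
    """True if at least `min_hosts` distinct client hosts in one burst used the same
    forged sender domain: many unrelated machines running one script."""
    hosts_by_domain = {}
    for ev in burst:
        hosts_by_domain.setdefault(ev["domain"], set()).add(ev["host"])
    return any(len(hosts) >= min_hosts for hosts in hosts_by_domain.values())


def summarize(text, gap=60, min_hosts=3):
    """Parse, cluster and tally a log excerpt; returns plain data for reporting."""
    events = parse_log(text)
    bursts = cluster_bursts(events, gap)
    return {
        "events": len(events),
        "burst_sizes": [len(b) for b in bursts],
        "coordinated_bursts": [i for i, b in enumerate(bursts) if coordinated(b, min_hosts)],
        "by_network": Counter(ev["network"] for ev in events),
        "by_domain": Counter(ev["domain"] for ev in events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the nine sample lines this yields two bursts (six attempts starting 11:17:30, three starting 16:29:41); the first is flagged because three different hosts each forge seznam.cz within it. The per-network tally is what you would hand to the ISP's abuse desk, and the same parse-then-cluster step is the natural input for the inbound-traffic correlation the poster suggests Comcast should do on its own side.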
Re:Now that almost everyone has ~24 hour connectiv (Score:2, Insightful)
Until prices come down and rural areas are better served broadband is not going to be even remotely universal.
ALL ISP's should be filtering port 25 (Score:4, Insightful)
You can bet that Comcast has only done this in response to lots of responsible ISPs starting to wholesale-block all port 25 traffic from their IP space. RBLs continue to be not only the most effective method of stopping spam, but also the only effective method of forcing ISPs to control the rogue behavior of their users.
not everyone needs access to external servers (Score:3, Insightful)
For the 1 or 2% of the users who really need access to external SMTP servers, Comcast could set up a "white list" to allow them such access.
In other words, what Comcast is doing is firewalling on behalf of their users, since most of them have no idea what a firewall is.
I don't get it (Score:3, Insightful)
All the problems we're having are precisely _because_ of the open and unregulated way the Internet was. The Internet was designed on the assumption that everyone will be nice, stick to the RFCs religiously, etc. No one put much thought into the "well, what if they don't?" part. That's the worst design anti-pattern possible and the nemesis of security.
And unsurprisingly that shiny-happy-optimistic approach has failed again and again. E.g., it didn't even take _that_ long for someone to figure out that by intentionally not conforming to the RFCs they can SYN-flood and crash a machine.
It's like preaching the ideal society where there are no laws, rules or authorities, and everyone can do whatever they please. It will be such an awesomely nice place, as long as everyone will be nice to each other. But they surely will, right?
Except it's not a realistic scenario.