Comcast Port 25 Blocks Result In Less Spam 381
Dozix007 writes "Ars Technica reports that: 'After Comcast finally owned up to the massive amounts of spam coming from
their network, they decided to identify spammers and zombie relays on their
network and block
port 25 traffic from those IP addresses. Comcast's efforts are starting to
pay off. They announced the amount of spam from their network has dropped
35 percent since they began port blocking and
traffic estimates from SenderBase seem to confirm the claims. Spam coming
from Comcast subscribers who were formerly on AT&T networks also
seems to have decreased'."
Does Bittorent need that port? (Score:0, Interesting)
In the last few months I didn't have a problem btw, only the last few days.
OK, that's step 1... (Score:3, Interesting)
Once a few of these spammers have lost everything including the shirt on their backs then you'll see a serious drop in the number of people who think that spamming is a quick and easy path to riches.
Incoming or outgoing 25? (Score:4, Interesting)
I understand it's for spam-fighting and they only go after the uber-offenders...but it's definitely something to watch for since the ability to send mail (through the domains of our choosing if we own it) should be a fundamental feature of an ISP.
Now can we get un-blackholed? (Score:3, Interesting)
I have a little mail-server on the end of my cable line for my domain which has three mail accounts on it. I always find it immensely frustrating that my mail server is on MAPS DUL list and people who subscribe to MAPS block my mail.
It's not been a big enough issue that I've installed SASL for my postfix server, but it would be nice to get off the list.
Re:Good job on the cut and pase (Score:3, Interesting)
I might as well sign up with AOL... (Score:4, Interesting)
Blocking connects from broadband subscribers (Score:5, Interesting)
The results are truly staggering. I have cut the incomimg spam by 80-90%. I cut incoming spam by 50% just by blocking client.comcast.net, client2.attbi.com and cpe.net.cable.rogers.com. The users think I'm a miracle worker. So far I blocked 2 legit messages ... one guy with a home mail server and one guy whose Telus mail server I accidentally blocked with my filter. The error message says to mail abuse@mydomain if the message is blocked in error and, of course, check_client _restrictions is turned off for the abuse account.
I was amazed at how little "legitimate" spam there is out there. It is almost all hijacked home machines.
Agreed (Score:2, Interesting)
Re:But For How Long? (Score:3, Interesting)
Which is good, because now the ISP has a central point where they can implement rate-limiting. Or at least maintain log files showing which users are sending large quantities of e-mail.
Even better, if the ISP forces SMTP authentication, it now becomes easy to tie a particular spam run back to an actual Comcast user account. Which gives the Comcast folks even more evidence for use if they decide to deactivate the customer's account.
(Most ISPs will probably install rate-limiting on their SMTP relay servers.)
Re:Good job on the cut and pase (Score:2, Interesting)
May 2004 17327 = 559/day
Apr 2004 17764 = 592/day
Mar 2004 14119 = 455/day
Feb 2004 11848 = 409/day
Jan 2004 9910 = 320/day
Dec 2003 10002 = 323/day
Nov 2003 8423 = 281/day
This includes viruses that my Bayesian filter is catching, but since most of those viruses are probably to install spam-viruses that's probably a fair classification. Anyway, I can't say that I've seen things drop off this month. Seems to be holding steady the last 3 months...
Maybe we can make comments like Congress... "We've seen a reduction in the rate of increase of spam." :)
I've noted a recent increase in spam. (Score:3, Interesting)
There isn't really all that much you can do about being joe-jobbed, 9 times out of 10 the "admins" for the zombified machine doesn't understand that I'm not the spammer, eventhough I received the bounce for the spam.
Anyone have any good results at trying to get a joe-job to stop?
The comcast USERS get it even worse (Score:3, Interesting)
Big Deal (Score:2, Interesting)
Re:Good job on the cut and pase (Score:5, Interesting)
I wrote a perl script that I can pipe to from pine. It does a quick check with whois.abuse.net and forwards it off. Soon I may be adding whois.arin.net checks as well as traceroutes to track down the abuse e-mail contact.
It's real easy to pipe 200 messages to a script everyday before you leave for the day...
less spam isnt acceptible, the only answer is NONE (Score:5, Interesting)
Apparently Spews [spews.org] thought nuking the dynamic users wasnt enough, and blacklisted all of their dynamic space plus most of their corporate servers as well.
One of these days Spamcast will wake up and realize that a huge chunk of the internet has blackholed them. I only wonder how many months or years it will take for the clue to sink in.
That's interesting (Score:3, Interesting)
Re:Good job on the cut and pase (Score:5, Interesting)
Same, but now I filter through and make sure I report all Comcast spam, since it may actually make a difference. I have definately seen a reduction in spam from comcast since the report. We receive many THOUSANDS of spam messages a day for less than two dozen email addresses over 2 domains. I don't even log virus hits anymore, they just delete. A couple hundred a day. I only report spam to known major ISPs. Over 97% of the traffic at our mail server is spam or viruses. Sad.
Regarding chinese/russian/korean spam, I just block several thousand class B IP blocks. Yes, this is not the best method, but then again, since I don't email anyone in China, etc, perhaps it is.
Also, any domain that sends spam, and doesn't have an abuse@ address is blacklisted instantly. Several small ISPs fit into this catagory. I will NOT fill out a form on a fucking web page to report spam. No abuse@, no access.
optonline and adelphia seem to be the worst about not responding to spam, and verizon is the WORST. God I hate them, for so many reasons. I have the least problems/repeats with spam from rr.com and aol.com, ironically.
Now that almost everyone has ~24 hour connectivity (Score:5, Interesting)
Why not move to use "instant messaging" methods of direct connectivity between the sender and recipient, and only falling back to server storage when necessary?
This allows for much better knowledge of successful/failed delivery.
It may move more control of message reception to the recipients, allowing them to implement extra protections. For example, requiring arbitrary/configurable amounts of computation on the behalf of the sender to send them a message (increasing the cost of a message send) (unless ofcourse the sender is on a white list of known correspondents).
Is any such transition feasible in the near future?
Re:ALL ISP's should be filtering port 25 (Score:5, Interesting)
The blocking of outbound port 25 (Which Cox has been doing for years) is the begining of the end of the internet.
When ISPs start deciding what their customers can and can't do on the internet, it's the end of everything. Every ISP will just become an small island of service. What next? Block 21? Hey how about blocking everything but 80? But wait, zombie mail relays can be setup on any port, so set them up on 80, now Comcast can't block outbound 80 can they?!?!? So it solves nothing in the long run.
I need port 25 open so that I can send email through my workplace server. In order to do that I now have to send mail to a third party server at port 2525 and SPOOF the return address. But what happens when spoofing is no longer allowed?
Whiolesale blocking of port 25 is a lazy, destructive answer to the problem. It may stop the flow of zombie machine spam in the short term, but it also seriously harms legitimate users of their network.
At least Comcast has the sense to block it for identified zombie machines and not for every IP they own like COX.
Submitting SPAM to spamcop (Score:1, Interesting)
If anybody is interested I may publish it on a website.
They won't be able to stop at 25 (Score:3, Interesting)
But wait, were you telnetting *from* 25? Of course not. Yet, somehow, it still worked (likely only if your "rcpt to" entry had a local domain).
Malware can use any port they want to relay from a zombie box to smtp.openSmtpRelay.com 25 as well.
Another thread on this
It's issues like those described in that thread that'll help ultimately bring down spams. Telling malware writers to use another port, which is all Comcast's doing, as others have pointed out, will just have ISPs blocking ports until there are no more ports to block.