Comcast Port 25 Blocks Result In Less Spam

Dozix007 writes "Ars Technica reports that: 'After Comcast finally owned up to the massive amounts of spam coming from their network, they decided to identify spammers and zombie relays on their network and block port 25 traffic from those IP addresses. Comcast's efforts are starting to pay off. They announced the amount of spam from their network has dropped 35 percent since they began port blocking and traffic estimates from SenderBase seem to confirm the claims. Spam coming from Comcast subscribers who were formerly on AT&T networks also seems to have decreased'."
  • by Anonymous Coward on Wednesday June 30, 2004 @07:31PM (#9576827)
    I am with Comcast and for the last 2 days I can't get to BitTorrent downloads at all. Does BitTorrent need port 25?

    In the last few months I didn't have a problem btw, only the last few days.
  • OK, that's step 1... (Score:3, Interesting)

    by WIAKywbfatw ( 307557 ) on Wednesday June 30, 2004 @07:37PM (#9576875) Journal
    Step 2 is to take these selfish bastards to court. They were clearly breaching the terms and conditions of their accounts, so proving a case against them won't take more than five minutes.

    Once a few of these spammers have lost everything including the shirt on their backs then you'll see a serious drop in the number of people who think that spamming is a quick and easy path to riches.
  • by Anonymous Coward on Wednesday June 30, 2004 @07:37PM (#9576877)
    I suppose it's port 25 outgoing, right? The same one that Earthlink has blocked for ages. (not sure if they still do) The same one that won't let you send SMTP mail with a different domain even if you owned the domain name?

    I understand it's for spam-fighting and they only go after the uber-offenders...but it's definitely something to watch for since the ability to send mail (through the domains of our choosing if we own it) should be a fundamental feature of an ISP.
  • by tjgrant ( 108530 ) <<tjg> <at> <craigelachie.org>> on Wednesday June 30, 2004 @07:42PM (#9576923) Homepage

    I have a little mail-server on the end of my cable line for my domain which has three mail accounts on it. I always find it immensely frustrating that my mail server is on MAPS DUL list and people who subscribe to MAPS block my mail.

    It's not been a big enough issue that I've installed SASL for my postfix server, but it would be nice to get off the list.

  • by silentbozo ( 542534 ) on Wednesday June 30, 2004 @07:50PM (#9576975) Journal
    I think it's fewer people reporting spam. My spam count has increased (400+ a day), but I gave up reporting to SpamCop a number of months ago because I couldn't keep up. I emptied my held mail a few weeks ago, and had 6000+ messages on the system. I know SpamCop has been throwing away the older ones that I haven't gotten around to reporting/cleaning out, because I store a local copy of the mail going to SpamCop and I've archived WAY more than that...
  • by xiang shui ( 762964 ) on Wednesday June 30, 2004 @08:03PM (#9577075)
    I take offense to this kind of thing. I live in northern Alberta, and my ISP, Telus, recently began blocking a wide range of ports, most of which I had previously noticed heavy worm activity on. So I must presume that is their rationale behind filtering these ports. But this worm activity didn't bother me, since I have my machine properly secured. It's none of my concern if some people don't. Now I feel as if I don't have a REAL TCP/IP connection to the internet. I have 65355 ports on my TCP/IP stack that I should be able to use, as I please. But I no longer can, because of this. I run an HTTP server as a testing ground for some of my web projects, and an FTP server so my friends can transfer files to and from my machine. And I'd like other people on the internet to be able to access these ports, since that's what the internet DOES. That's what it's for. If I wanted a private company to dictate how I could use my computer and my internet connection, I would be a regular Microsoft customer. Admittedly, this situation is a little different than the one in the article - since comcast only blocked port 25 of computers known to be transmitting spam. But the situation with Telus is a blanket filtering of these ports for all DSL users, which I completely disagree with, and it actually angers me. Now I have to find a new service provider, and believe me, this isn't easy in the small community where I live.
  • by perp ( 114928 ) on Wednesday June 30, 2004 @08:03PM (#9577076)
    After I first read about this Comcast thing, I looked into how to block connections directly from spambots on home machines to the corporate mail server I admin (~500 users). I set Postfix up to check_client_restrictions and look up the connecting machine's name in a file that lists all the broadband domain names I could find. The results were so good that I have now added every little ISP whose machines send me spam and started using regexes to catch the ones where if I blocked the domain I'd also block their mail server.

    The results are truly staggering. I have cut the incoming spam by 80-90%. I cut incoming spam by 50% just by blocking client.comcast.net, client2.attbi.com and cpe.net.cable.rogers.com. The users think I'm a miracle worker. So far I blocked 2 legit messages ... one guy with a home mail server and one guy whose Telus mail server I accidentally blocked with my filter. The error message says to mail abuse@mydomain if the message is blocked in error and, of course, check_client_restrictions is turned off for the abuse account.

    I was amazed at how little "legitimate" spam there is out there. It is almost all hijacked home machines.
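
The client-name filtering described in the comment above, sketched as an added example (not perp's actual Postfix table). The three suffixes are the ones named in the comment; the `example.net` ISP, the sample hostnames and the rejection text are constructed, and the client name is assumed to be a forward-confirmed reverse DNS name.

```python
import re

# Suffixes named in the comment: every host under them is a subscriber line.
BLOCKED_SUFFIXES = ("client.comcast.net", "client2.attbi.com",
                    "cpe.net.cable.rogers.com")

# Hypothetical ISP (example.net) whose subscribers and mail servers share one
# domain: a suffix rule would also block mail.example.net, so a regex matches
# only the address-derived subscriber names.
BLOCKED_PATTERNS = [
    re.compile(r"^(dsl|cable|dhcp|ppp)-\d+-\d+-\d+-\d+\.example\.net$"),
]

EXEMPT_LOCAL_PARTS = {"abuse"}  # blocked senders must still be able to complain
REJECT = "554 Mail from broadband clients refused; contact abuse@example.com"


def client_verdict(client_name, recipient):
    """Return "OK" or a rejection string for one client name / recipient pair.

    Assumes client_name is the forward-confirmed reverse DNS name of the
    connecting IP; a PTR record alone is set by whoever runs that reverse zone.
    """
    if recipient.split("@", 1)[0].lower() in EXEMPT_LOCAL_PARTS:
        return "OK"
    name = client_name.lower().rstrip(".")
    for suffix in BLOCKED_SUFFIXES:
        # Anchor on a label boundary so "notclient.comcast.net" does not match.
        if name == suffix or name.endswith("." + suffix):
            return REJECT
    if any(p.match(name) for p in BLOCKED_PATTERNS):
        return REJECT
    return "OK"


# Constructed sample connections (client name, envelope recipient).
SAMPLES = [
    ("host-0001.client.comcast.net", "user@example.com"),
    ("dsl-10-1-2-3.example.net", "user@example.com"),
    ("mail.example.net", "user@example.com"),
    ("notclient.comcast.net", "user@example.com"),
    ("host-0001.client.comcast.net", "abuse@example.com"),
]

if __name__ == "__main__":
    for client, rcpt in SAMPLES:
        print(f"{client:32} -> {rcpt:18} {client_verdict(client, rcpt)}")
```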

  • Agreed (Score:2, Interesting)

    by TubeSteak ( 669689 ) on Wednesday June 30, 2004 @08:08PM (#9577123) Journal
    It'd make much more sense to notify them or do a page redirect than to charge extra or shut 'em down. The odds are, if they're acting as a spam relay, their machines aren't patched, running a virus scan, a firewall, etc. So at the minimum, redirect them to a page with a comcast hosted online virus scanner & windows update. I know I'd suggest Ad-Aware & Spybot & a firewall, but if comcast tells you to use anything... they're stuck having to provide tech support when it screws up.
  • Re:But For How Long? (Score:3, Interesting)

    by WuphonsReach ( 684551 ) on Wednesday June 30, 2004 @08:22PM (#9577220)
    All they would need to do is smart-relay through the ISP's servers. Probably not all that hard to rewrite the zombies to do that, you know.

    Which is good, because now the ISP has a central point where they can implement rate-limiting. Or at least maintain log files showing which users are sending large quantities of e-mail.

    Even better, if the ISP forces SMTP authentication, it now becomes easy to tie a particular spam run back to an actual Comcast user account. Which gives the Comcast folks even more evidence for use if they decide to deactivate the customer's account.

    (Most ISPs will probably install rate-limiting on their SMTP relay servers.)
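
A sketch of the per-account rate limit the comment above describes, as an added example that is not from the thread or from any ISP's relay. The window, the limit, the account names and the event list are all constructed assumptions; the key is the SMTP AUTH account, which is what ties a burst back to a subscriber.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # assumed policy: messages counted per rolling hour
MAX_PER_WINDOW = 5     # assumed limit, kept tiny so the sample data trips it


class RelayLimiter:
    """Sliding-window message limit keyed on the SMTP AUTH account name."""

    def __init__(self, limit=MAX_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.accepted = defaultdict(deque)  # account -> timestamps in window
        self.refused = defaultdict(int)     # account -> messages deferred

    def submit(self, ts, account):
        """Return True if a message from `account` at time `ts` is relayed."""
        recent = self.accepted[account]
        while recent and recent[0] <= ts - self.window:
            recent.popleft()                # forget sends older than the window
        if len(recent) >= self.limit:
            self.refused[account] += 1      # evidence trail for the abuse desk
            return False
        recent.append(ts)
        return True

    def suspects(self):
        """Accounts that hit the limit, worst offender first."""
        return sorted(self.refused, key=self.refused.get, reverse=True)


def replay(events):
    """Feed (timestamp, account) pairs through a limiter; count relayed mail."""
    limiter, relayed = RelayLimiter(), defaultdict(int)
    for ts, account in sorted(events):
        if limiter.submit(ts, account):
            relayed[account] += 1
    return limiter, dict(relayed)


# Constructed events: "bob" is a compromised machine bursting 40 messages in
# ten minutes and one more after the window expires; "alice" sends normally.
EVENTS = ([(i * 15, "bob") for i in range(40)] + [(4000, "bob")]
          + [(100, "alice"), (20000, "alice"), (50000, "alice")])

if __name__ == "__main__":
    limiter, relayed = replay(EVENTS)
    print(relayed, dict(limiter.refused), limiter.suspects())
```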
  • by letxa2000 ( 215841 ) on Wednesday June 30, 2004 @08:26PM (#9577240)
    Jun 2004 17084 = 573/day
    May 2004 17327 = 559/day
    Apr 2004 17764 = 592/day
    Mar 2004 14119 = 455/day
    Feb 2004 11848 = 409/day
    Jan 2004 9910 = 320/day
    Dec 2003 10002 = 323/day
    Nov 2003 8423 = 281/day

    This includes viruses that my Bayesian filter is catching, but since most of those viruses are probably to install spam-viruses that's probably a fair classification. Anyway, I can't say that I've seen things drop off this month. Seems to be holding steady the last 3 months...

    Maybe we can make comments like Congress... "We've seen a reduction in the rate of increase of spam." :)

  • by Da w00t ( 1789 ) * on Wednesday June 30, 2004 @08:31PM (#9577286) Homepage
    Some spammer decided to joe-job [catb.org] me. Very annoyed. At some point, my domain that they're spoofing mail from is going to get blacklisted -- not because mail is coming from it, but because it appears to be. I haven't seen any spamcop reports or anything similar, but I've seen metric fucktonnes of Win32 worm messages coming into email addresses that never have existed at the same domain that's being joe-jobbed. I really need an antivirus solution built into sendmail. Spamassassin works for 99% of my spam, but these god damn worms are driving me absolutely insane.

    There isn't really all that much you can do about being joe-jobbed, 9 times out of 10 the "admins" for the zombified machine don't understand that I'm not the spammer, even though I received the bounce for the spam.

    Anyone have any good results at trying to get a joe-job to stop?
  • by thegoogler ( 792786 ) on Wednesday June 30, 2004 @08:35PM (#9577313)
    One of my friends has Comcast and he quit using his Comcast email because it was getting spammed big time before he had even used it for anything, so it's even worse for the users. They're not blocking port 25 within their own network, are they?
  • Big Deal (Score:2, Interesting)

    by pbrammer ( 526214 ) on Wednesday June 30, 2004 @09:09PM (#9577471)
    Cox blocks ALL outbound port 25 traffic unless it's going through their servers.
  • by thedillybar ( 677116 ) on Wednesday June 30, 2004 @09:24PM (#9577554)
    >I know I have stopped reporting all my spam. It took too much time.

    I wrote a perl script that I can pipe to from pine. It does a quick check with whois.abuse.net and forwards it off. Soon I may be adding whois.arin.net checks as well as traceroutes to track down the abuse e-mail contact.

    It's real easy to pipe 200 messages to a script everyday before you leave for the day...

  • by Indy1 ( 99447 ) on Wednesday June 30, 2004 @09:40PM (#9577642)
    Comcast (hereby referred to as Spamcast) has ignored their massive spam problem for years now. Fortunately for me the solution was to firewall all of their dynamic space from my mail server.

    Apparently Spews [spews.org] thought nuking the dynamic users wasn't enough, and blacklisted all of their dynamic space plus most of their corporate servers as well.

    One of these days Spamcast will wake up and realize that a huge chunk of the internet has blackholed them. I only wonder how many months or years it will take for the clue to sink in.
  • That's interesting (Score:3, Interesting)

    by Servo ( 9177 ) <dstringf@noSPam.tutanota.com> on Wednesday June 30, 2004 @10:09PM (#9577776) Journal
    when I switched from Optimum Online to Comcast, I quit getting ANY spam at all. Obviously this is only talking about folks on their network sending.. but it's good that they are being proactive about blocking both incoming and outgoing.
  • by Pharmboy ( 216950 ) on Wednesday June 30, 2004 @10:15PM (#9577810) Journal
    I used to report spam more diligently than I do now.

    Same, but now I filter through and make sure I report all Comcast spam, since it may actually make a difference. I have definitely seen a reduction in spam from comcast since the report. We receive many THOUSANDS of spam messages a day for less than two dozen email addresses over 2 domains. I don't even log virus hits anymore, they just delete. A couple hundred a day. I only report spam to known major ISPs. Over 97% of the traffic at our mail server is spam or viruses. Sad.

    Regarding chinese/russian/korean spam, I just block several thousand class B IP blocks. Yes, this is not the best method, but then again, since I don't email anyone in China, etc, perhaps it is.

    Also, any domain that sends spam, and doesn't have an abuse@ address is blacklisted instantly. Several small ISPs fit into this category. I will NOT fill out a form on a fucking web page to report spam. No abuse@, no access.

    optonline and adelphia seem to be the worst about not responding to spam, and verizon is the WORST. God I hate them, for so many reasons. I have the least problems/repeats with spam from rr.com and aol.com, ironically.
  • Why do we need the mediating storage anymore?

    Why not move to use "instant messaging" methods of direct connectivity between the sender and recipient, and only falling back to server storage when necessary?

    This allows for much better knowledge of successful/failed delivery.

    It may move more control of message reception to the recipients, allowing them to implement extra protections. For example, requiring arbitrary/configurable amounts of computation on the behalf of the sender to send them a message (increasing the cost of a message send) (unless of course the sender is on a white list of known correspondents).

    Is any such transition feasible in the near future?
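
The "computation on behalf of the sender" idea from the comment above, as an added Hashcash-style example that is not part of the original post. The stamp layout is simplified and uses SHA-256 (it is not the real Hashcash format); the addresses, date string and difficulty are constructed, and the whitelist check assumes the sender address has been authenticated by other means.

```python
import hashlib
from itertools import count

WHITELIST = {"friend@example.org"}  # constructed: known correspondents


def zero_bits(stamp):
    """Number of leading zero bits in SHA-256(stamp)."""
    bits = 0
    for byte in hashlib.sha256(stamp.encode()).digest():
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def mint(sender, recipient, date, bits):
    """Sender side: search for a counter that gives `bits` leading zero bits.

    Expected cost is about 2**bits hashes, which is the price per message.
    """
    prefix = f"{bits}:{date}:{sender}:{recipient}:"
    for counter in count():
        if zero_bits(prefix + str(counter)) >= bits:
            return prefix + str(counter)


def accept(sender, recipient, stamp, required_bits, today, seen):
    """Recipient side: one hash to verify, regardless of what minting cost."""
    if sender in WHITELIST:
        return True                      # whitelisted senders skip the work
    fields = (stamp or "").split(":")
    if len(fields) != 5 or not fields[0].isdecimal():
        return False
    claimed, date, s, r, _ = fields
    if int(claimed) < required_bits or (date, s, r) != (today, sender, recipient):
        return False                     # too cheap, stale, or minted for someone else
    if stamp in seen or zero_bits(stamp) < int(claimed):
        return False                     # replayed stamp or work not actually done
    seen.add(stamp)
    return True


if __name__ == "__main__":
    seen = set()
    s = mint("stranger@example.com", "me@example.net", "040701", 12)
    print(s, accept("stranger@example.com", "me@example.net", s, 12, "040701", seen))
```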
  • by TheAwfulTruth ( 325623 ) on Thursday July 01, 2004 @01:33AM (#9578746) Homepage
    Bullpucky.

    The blocking of outbound port 25 (Which Cox has been doing for years) is the beginning of the end of the internet.

    When ISPs start deciding what their customers can and can't do on the internet, it's the end of everything. Every ISP will just become a small island of service. What next? Block 21? Hey how about blocking everything but 80? But wait, zombie mail relays can be setup on any port, so set them up on 80, now Comcast can't block outbound 80 can they?!?!? So it solves nothing in the long run.

    I need port 25 open so that I can send email through my workplace server. In order to do that I now have to send mail to a third party server at port 2525 and SPOOF the return address. But what happens when spoofing is no longer allowed?

    Wholesale blocking of port 25 is a lazy, destructive answer to the problem. It may stop the flow of zombie machine spam in the short term, but it also seriously harms legitimate users of their network.

    At least Comcast has the sense to block it for identified zombie machines and not for every IP they own like COX.
  • by gurubert ( 39045 ) on Thursday July 01, 2004 @01:46AM (#9578784) Homepage
    I have written a little python script that does the job of confirming SPAM for me. I would have posted it here but the /. junk character filter was catching on the python syntax. ;-)

    If anybody is interested I may publish it on a website.
  • by mactari ( 220786 ) <rufwork.gmail@com> on Thursday July 01, 2004 @09:12AM (#9580477) Homepage
    Talking to an SMTP server is easy. Don't believe me? Telnet to your ISP's smtp server (port 25, obviously) and send the bytes for "HELP". Poof, 99% of the time you'll get every command that server accepts. It doesn't take long to figure out how to use it, even if you are too lazy to read RFC 821 [faqs.org] (start at "APPENDIX F" and I bet you're telnetting email via telnet in 30 seconds or less).

    But wait, were you telnetting *from* 25? Of course not. Yet, somehow, it still worked (likely only if your "rcpt to" entry had a local domain).

    Malware can use any port they want to relay from a zombie box to smtp.openSmtpRelay.com 25 as well.

    Another thread on this /. discussion [slashdot.org] deals with issues "underground" relays present, but just remember this -- the SMTP servers you're relaying to don't really care if you're sending from port 25. That's convention. You're likely to find SMTP at smtp.myisp.com's port 25, but it really doesn't make any difference, and even in some email clients it's an option to change.

    It's issues like those described in that thread that'll help ultimately bring down spams. Telling malware writers to use another port, which is all Comcast's doing, as others have pointed out, will just have ISPs blocking ports until there are no more ports to block.
