Comcast Thinks About Stopping Zombies
LehiNephi writes "Comcast has finally admitted that its users are responsible for a large amount of spam, and they are thinking about how to stop it. Apparently they haven't been turning a blind eye to the problem after all. The simple, blanket approach of blocking all traffic on port 25 would have too many side effects, particularly for users running their own mail servers. However, they can block that port on individual cable modems, a sort of surgical strike. As far as I'm concerned, the sooner they implement this, the better!"
read your usage agreement (Score:5, Insightful)
Re:read your usage agreement (Score:4, Interesting)
Re:read your usage agreement (Score:4, Informative)
For instance, I can send messages from my mail server on Comcast and they'll get to most places just fine, but both Yahoo and Hotmail will just delete them. Or Comcast already has a system to block these messages to popular domains like Yahoo or Hotmail. So perhaps there is limited filtering.
Re:read your usage agreement (Score:3, Informative)
These people are talking about SMTP - port 25 - which is how email servers send / receive email messages between servers.
Re:read your usage agreement (Score:5, Insightful)
Uhh, no you don't. POP/IMAP only transfer email between your client and your email provider's mail server. SMTP is used to transfer email between hosts on the internet.
Parent was talking about configuring his/her own SMTP server on their cable connection, and having issues sending mail to specific domains. In this case it was probably because his cable IP was part of some blacklist which says any dynamic IP must belong to a spammer, as there's obviously no use for someone to be running his/her own SMTP server on a lowly dialup or cable connection.
Re:read your usage agreement (Score:3, Insightful)
Who are you kidding? Just because they aren't allowed to doesn't mean they're not.
No one is allowed to download copyrighted material without the necessary license either. So I doubt anyone would be bothered by the RIAA implementing a plan to go after music downloaders...
Re:read your usage agreement (Score:3, Insightful)
Re:read your usage agreement (Score:3, Insightful)
Re:read your usage agreement (Score:3, Interesting)
Re:read your usage agreement (Score:4, Insightful)
Besides, what's next? Blocking all traffic to known P2P-related ports? And then filtering USENET?
People should start thinking a lot more about the consequences of the 'solutions' they propose, especially those involved in spam prevention, who have a strong tendency to go for measures that are way worse than the problem they try to solve while missing the obvious (the SMTP protocol being broken).
Re:read your usage agreement (Score:5, Insightful)
However, ComCast also lives in the real world. While on paper they could make an argument, they're trying NOT to upset the technical folks in their customer base.
Comment removed (Score:5, Informative)
Re:read your usage agreement (Score:4, Insightful)
Both inbound and outbound blocking will cause problems for users like myself. In particular, it will cause those members of Comcast's user base (like myself) who are looked at by our friends and family as experts in such matters not only to choose a different ISP for ourselves, but to recommend that those we care about not use the service either. After all, an ISP that tries to choose which parts of the Internet you have a right to talk to is no better than a fancy BBS, and software that my mother might want to run tomorrow could be hampered by that kind of short-sightedness (e.g. if she wanted to host a mail server that I set up for her home business, which I'll be doing next month).
No, Comcast knows their customers because the people who set all of this up for them are a fair bit like me...
Besides, customers like me are gold to Comcast. We do all the right things to protect our systems from compromise, we evangelize new users, we test out new services and build future markets for them. Early adopters are exactly what Comcast wants.
Alternate ports (Score:4, Informative)
This is why Indie-Mail [icarusindie.com] (which is colocated with another ISP) runs the SMTP server on ports 25 and 28. I didn't care to have to run my mail through Cox.
Other people who run public mail servers would be smart to offer that feature. It allows their legitimate customers a way to avoid having to run all their mail through their ISP and doesn't do anything to help spammers.
Unless everybody used the same alternate port enough that e-mail viruses just started using the alt port and the standard.
Ben
Re:read your usage agreement (Score:4, Informative)
proxy everything until asked (Score:3, Interesting)
my connections proxied or blocked, but I don't see the harm in making people like myself call a phone number to supply a list of ports to unblock/unproxy.
Them: "How may we help you?"
Me: "Please unblock TCP port 25, both ways"
Them: "OK"
After all, why should millions of people have tens of thousands of unneeded ports available for abuse?
Re:proxy everything until asked (Score:4, Insightful)
Me: "Please unblock TCP port 25, both ways"
Them: "OK, we could do it for $5 a month."
After all, why shouldn't millions of people have to pay for tens of thousands of needed ports?
Re:read your usage agreement (Score:4, Interesting)
Given that they are the only broadband I can get and I do run a mail server for a whole host of reasons, the targeted approach would be the only acceptable method.
Re:read your usage agreement (Score:3, Informative)
We've now heard tales of DomainKeys, SPF, what have you. These types of measures are the only ones that will really solve the problem.
There is no reason for mail servers to be anonymous or blindly relay. Mail admins should also decide whether to accept email from anonymous sources or not. By bringing to bear some sort of digitial signature solu
Re:read your usage agreement (Score:5, Insightful)
If you block outgoing 25 (thus stopping zombies) what you also accomplish is preventing any of your customers from using anyone else's SMTP server as their outgoing SMTP server. My web host supports TLS encryption which I prefer to use so at least my neighbors aren't reading my mail.
Requiring everyone to use the ISP's SMTP server is the wrong solution, and it's a complete pain for laptops. I can take my laptop anywhere, plug it in, and know that I can send mail (using authenticated SMTP) through mail.myhost.com. If everybody starts blocking OUTBOUND 25, then wherever I plug in my laptop, I need to ask, "Hey, what's your SMTP server???" A very poor solution to the problem.
Block 25 for known zombies or just disconnect them completely. When they call ("My Internet's broken!") let 'em know they've gotta patch their box and get some antivirus software (and stop clicking on those damn attachments!!!) before they get their pr0n0 feed turned back on.
I read the usage agreement - then I experimented. (Score:4, Informative)
All these things are true on my connection:
Incoming port 25 is not blocked from the outside world.
Incoming port 25 is blocked from other Comcast IP addresses.
Outgoing port 25 is not blocked to the outside world (but is often filtered out by other networks. Widespread adoption of SPF will make this problem worse).
Outgoing port 25 is blocked to other comcast addresses - except to the comcast mailservers.
The comcast mailservers will relay anything that comes from a comcast IP, unfortunately they do this without even the most cursory scanning, so there are several virii (including at least one variant of klez) that are constantly being relayed out into the world at large by the comcast mailservers.
Blocks and tarpits come and go on other ports; mostly on NetBIOS ports. I block all netbios, but occasionally nmapping from outside comcast will show those ports as "open" (needless to say, my logs at home show the nmap packets never reached me).
This is the empirical truth, based on actual observation, in my section of the comcast net. There may be different conditions elsewhere.
I offered to fix comcast's problems for them, using excessed equipment and OSS (I figure it'd take about a week to implement a permanent solution to all virii and most spam on comcast) but their phone support guys were incapable of understanding what I was saying.
How to block? (Score:3, Interesting)
The one my ISP (a university) uses is to block any incoming TCP connection with dst port 25. This stops spammers from using any badly configured mail server as a relay. I can still use any mail server I want to send mail, though; I can even run one of my own. What I can't do is handle incoming email for my own domain. They also monitor how much mail is sent, and if your computer seems to send out "too much" mail, you'll get an email from the s
What about legitimate zombies? (Score:5, Funny)
Port 25 (Score:3, Insightful)
Re:Port 25 (Score:5, Interesting)
Re:Port 25 (Score:3, Insightful)
Who said it was a privacy issue? It's a freedom issue. I often need to send e-mail through other SMTP servers if I'm using my work or school address. Because myisp.com's mail servers will not accept mail from myschool.edu e-mail addresses. And rightly so. If they do, it's called relaying, and we all know relaying is
Re:Port 25 (Score:3, Insightful)
If your ISP is shyte at delivering mail that's not a reason to start your own mail server it's a reason to get a new isp because if they're shyte at something as b
Re:Port 25 (Score:5, Insightful)
For example, ISPs that send me plenty of spam and viruses relayed through their main mail servers are: arnet.com.ar, bigpond.com, btinternet.com, libero.it, singnet.com.sg, videotron.ca, wanadoo.fr
Case in point. Blocking port 25 doesn't stop spam. Booting your spamming customers does.
Re:Port 25 (Score:5, Insightful)
Re:Port 25 (Score:3, Funny)
Restrict their accounts to only allow port 80 to known good spyware/malware cleanup vendors, and go from there. AdAware + SpyBotSD + Symantec (Corp Edition) seals up a box nicely, or at least cleans it up temporarily.
I've been slowly teaching the other firefighters in my volunteer fire dept, and they're learning. They're not the most computer literate, but you give t
Re:Port 25 (Score:4, Funny)
Somehow I don't think you meant what I interpreted this as...
Re:Port 25 (Score:3, Informative)
I used to use the Comcast SMTP servers with my three e-mail accounts (two of them non-Comcast) if I was connected through their cable. But at times when I'd send from my university e-mail account, mail would get blocked with "relaying denied".
So now I use the university's SMTP server for everything
Re:Port 25 (Score:3, Insightful)
Re:Port 25 (Score:3, Insightful)
http://slashdot.org/comments.pl?sid=78099&cid=6936111 [slashdot.org]
"Allow for normal port 25 access to the ISP's email server (with the usual restrictions on volume and content) and, for external port 25 access, there's a number of possibilities:
1. Allow the client to setup a pre-determined list of specific hosts they want to connect to. This might be done using a web-based interface.
2. Only allow the first 10 hosts (per dialup connection, per DHCP lease,
Re:Port 25 (Score:4, Informative)
About fucking time a provider started doing something about their users.
First! (Score:5, Insightful)
Re:First! (Score:3, Insightful)
I agree they should be cut off, but to all but one site (something on Comcrud's servers) that mirrors all the downloads people might need (free AV software, anti-spyware, etc). Once they downloaded the software and ran it, they could r
Hmm I think they just started... (Score:5, Interesting)
He was using comcast for his cable modem. Said it just started that day.
We accept incoming SMTP on port 2525 also, since my OWN ISP at home blocks port 25 (Knology), so I have to use 2525 to send email through my company email server myself.
Nope. (Score:5, Informative)
http://www.ietf.org/rfc/rfc2476.txt
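To make the submission model that RFC 2476 describes concrete, here is an added example (not code from the thread, and not any ISP's or MTA's code) of the server-side decision several posters ran into as "relaying denied": an unauthenticated client may only deliver to the server's own domains, while a client that has passed AUTH PLAIN may relay anywhere. The domain example.net, the user database, the reply texts and every message in it are constructed for the example.

```python
"""Toy SMTP submission server: relay only for authenticated clients.

Added example, not code from the thread or from any ISP. It models the
RFC 2476 submission model: an unauthenticated client may only deliver to
this server's own domains, an authenticated client may relay anywhere.
The domain, the user database and every message below are constructed.
"""
import base64

LOCAL_DOMAINS = {"example.net"}                     # assumed: domains we deliver locally
USERS = {"alice": "correct horse battery staple"}   # constructed credentials


def _addr(arg):
    """'FROM:<user@host>' or 'TO:<user@host>' -> 'user@host'."""
    _head, sep, rest = arg.partition(":")
    return (rest if sep else arg).strip().strip("<>")


def plain_blob(user, password, authzid=""):
    """Client side of AUTH PLAIN (RFC 4616): base64(authzid NUL authcid NUL passwd)."""
    raw = "%s\0%s\0%s" % (authzid, user, password)
    return base64.b64encode(raw.encode()).decode()


class SubmissionSession:
    def __init__(self, local_domains=LOCAL_DOMAINS, users=USERS):
        self.local_domains = {d.lower() for d in local_domains}
        self.users = users
        self.authenticated = None
        self.mail_from = None
        self.rcpts = []

    def handle(self, line):
        """Process one client command line and return the server reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mx.example.net\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            self.mail_from, self.rcpts = _addr(arg), []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            return self._rcpt(_addr(arg))
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"

    def _auth(self, arg):
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 5.5.4 Unsupported authentication mechanism"
        try:
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 5.5.2 Cannot decode response"
        if self.users.get(user) != password:
            return "535 5.7.8 Authentication failed"
        self.authenticated = user
        return "235 2.7.0 Authentication successful"

    def _rcpt(self, rcpt):
        if self.mail_from is None:
            return "503 5.5.1 Error: need MAIL command"
        domain = rcpt.rpartition("@")[2].lower()
        if domain in self.local_domains or self.authenticated:
            self.rcpts.append(rcpt)
            return "250 2.1.5 Ok"
        # Unauthenticated client, recipient not ours: this is the
        # "relaying denied" reply several posters ran into.
        return "554 5.7.1 <%s>: Relay access denied" % rcpt


def run_dialogue(lines):
    """Feed client lines through one session; return (sent, reply) pairs."""
    session = SubmissionSession()
    return [(line, session.handle(line)) for line in lines]
```

The point of the ordering is that the relay decision is made per recipient, not per sender address: a laptop that authenticates can send mail "from" its school or work address through this server wherever it is plugged in, which is exactly what the posters want from an outbound server that is not the local ISP's. In production this would sit behind STARTTLS so the PLAIN credentials are not sent in clear.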
Re:Nope. (Score:3, Informative)
Big difference between zombie and server... (Score:5, Interesting)
The zombie will be sending an insane number of e-mails to an insane number of users constantly. No home mail server should be used to run a listserve with anything more than a hundred people or so. Therefore, bursts of port 25 are okay, camping on port 25 is a sign of trouble.
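The burst-versus-camping distinction above is something an ISP could actually compute from flow data. The following is an added example (not from the thread) over constructed flow records of the form (unix_time, src_ip, dst_ip, dst_port): a source is only flagged as "camping" when it keeps many distinct port-25 peers across several consecutive one-minute buckets, so a single list mailing stays a "burst". The bucket size, the peer threshold and the run length are assumptions.

```python
"""Added example (not from the thread): separating a legitimate burst from a
zombie that camps on port 25, using constructed flow records
(unix_time, src_ip, dst_ip, dst_port). All thresholds are assumptions.
"""
from collections import defaultdict

BUCKET_SECONDS = 60   # assumed window size
HOT_PEERS = 20        # assumed: distinct port-25 peers that make a bucket "hot"
CAMPING_RUN = 3       # assumed: consecutive hot buckets that mean trouble


def hot_buckets(flows, port=25, bucket=BUCKET_SECONDS, hot_peers=HOT_PEERS):
    """src_ip -> sorted bucket indices in which src talked SMTP to >= hot_peers distinct hosts."""
    peers = defaultdict(set)
    for ts, src, dst, dport in flows:
        if dport == port:
            peers[(src, ts // bucket)].add(dst)
    hot = defaultdict(list)
    for (src, b), dsts in peers.items():
        if len(dsts) >= hot_peers:
            hot[src].append(b)
    return {src: sorted(bs) for src, bs in hot.items()}


def longest_run(buckets):
    """Length of the longest run of consecutive integers in a sorted list."""
    best = run = 0
    prev = None
    for b in buckets:
        run = run + 1 if prev is not None and b == prev + 1 else 1
        best = max(best, run)
        prev = b
    return best


def classify(flows, camping_run=CAMPING_RUN):
    """src_ip -> 'burst' or 'camping'; sources with no hot bucket are omitted."""
    return {src: ("camping" if longest_run(bs) >= camping_run else "burst")
            for src, bs in hot_buckets(flows).items()}


def constructed_flows():
    """Constructed sample: one home server, one zombie, one web-only host."""
    base = 1_700_000_040   # divisible by 60, so buckets line up with the story below
    flows = []
    # 10.0.0.5: a home server sends one 80-recipient mailing in minute 0,
    # then one message a minute to its smarthost.
    for i in range(80):
        flows.append((base + i % 60, "10.0.0.5", "mx%d.example.org" % i, 25))
    for m in range(1, 10):
        flows.append((base + m * 60 + 5, "10.0.0.5", "mx1.example.org", 25))
    # 10.0.0.9: a zombie hitting 30 new MXs every minute for ten minutes.
    for m in range(10):
        for i in range(30):
            flows.append((base + m * 60 + i, "10.0.0.9", "v%d-%d.example.com" % (m, i), 25))
    # 10.0.0.7: web browsing only; port 80 is not what we are looking at here.
    for m in range(10):
        flows.append((base + m * 60, "10.0.0.7", "www.example.com", 80))
    return flows
```

Counting distinct destinations rather than raw connections is deliberate: a legitimate server retrying one busy MX produces many flows to one peer, while a spam engine fans out to thousands of MXs, and the consecutive-bucket requirement is what turns "bursts are okay, camping is a sign of trouble" into a rule that does not fire on a mailing list.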
Re:Big difference between zombie and server... (Score:3, Insightful)
Re:Big difference between zombie and server... (Score:4, Informative)
Re:Big difference between zombie and server... (Score:5, Interesting)
Time to move it to the garage, I guess.
Re:Big difference between zombie and server... (Score:3, Informative)
Just set up the mail server to forward all traffic though your ISP's mail server. Not a big deal.
Re:Big difference between zombie and server... (Score:4, Interesting)
The point I was making, in addition to the parent poster, was that a blanket "Nobody should be running a mail server at home" statement is prima facie false. There may be very good reasons -- such as "wanting to have email".
For what it's worth, I am very happy with my broadband vendor, both on price and performance, and they sell me a pipe in which I transport bits. No application layer services, no restrictions, no bullshit.
Easy solution (Score:3, Insightful)
Also, most of the viruses are scanning/spamming other ports (looking for hosts to infect). There is NO legitimate reason I can think of for a host to randomly and intensely scan for port 445 (the Windows file-share port) on the Internet. You are
Re:Big difference between zombie and server... (Score:4, Insightful)
Registering mail servers? (Score:5, Insightful)
People who run their own mail servers are control freaks and had better be technically minded enough to call the Admins at Comcast in order to register their mail server.
Otherwise, who'd notice or care?
Re:Registering mail servers? (Score:5, Interesting)
*insert anime sweat drop* (Score:5, Funny)
Seconds later, bangs, thrashes, and pleads for mercy in a very Lutner-like voice could be heard from outside the conference room.
Re:*insert anime sweat drop* (Score:3, Funny)
Almost sounds like an advert. Comcast Internet is so fast, our virus-infected crapclients send out double the crap of the other leading provider!
Screw Comcast! (Score:5, Interesting)
Ban - client.comcast.net, and client2.comcast.net
Since the spammers can't forge the reverse DNS on the IP you can trust your blocking Comcast's dynamic ranges. Their business customers are not on any of the IP's that reverse to client.comcast.net or client1.comcast.net, and residential customers in the blocked dynamic ranges can relay mail to you through comcast's mail servers like they are supposed to.
There is absolutely no reason in this day and age of spam to run a legit mail server off of a dynamic IP address.
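The rDNS-based rejection the post describes looks like this in policy code. This is an added example, not from the thread and not any ISP's configuration: the connecting client's PTR name is matched against dynamic-pool patterns (the Comcast pattern follows the post; the second pool, the resolver answers and the addresses are constructed), and a name that is not in a dynamic pool is only trusted after forward-confirmed rDNS, since anyone who controls an in-addr zone can point a PTR at a name they do not own.

```python
"""Added example (not from the thread): inbound-SMTP client policy based on
reverse DNS, with a forward-confirmation step (FCrDNS).

The PTR/A data and the second ISP pattern are constructed; the Comcast
pattern mirrors the post, the addresses are made up.
"""
import re

DYNAMIC_POOL_PATTERNS = [re.compile(p, re.I) for p in (
    r"\.client\d*\.comcast\.net$",   # client.comcast.net / client2.comcast.net, per the post
    r"\.dyn\.example-isp\.net$",     # constructed second pool
)]

# Constructed resolver answers: ip -> PTR name, name -> set of A records.
PTR = {
    "203.0.113.10": "c-203-0-113-10.hsd1.ma.client.comcast.net",
    "203.0.113.20": "c-203-0-113-20.hsd1.ma.client2.comcast.net",
    "203.0.113.30": "mail.smallbiz.example",   # business static, forward-confirmed
    "203.0.113.40": "mail.smallbiz.example",   # claims the same name; no A record points back
}
A = {
    "c-203-0-113-10.hsd1.ma.client.comcast.net": {"203.0.113.10"},
    "c-203-0-113-20.hsd1.ma.client2.comcast.net": {"203.0.113.20"},
    "mail.smallbiz.example": {"203.0.113.30"},
}


def fcrdns(ip, ptr=PTR, a=A):
    """Return the PTR name only if it forward-resolves back to ip, else None."""
    name = ptr.get(ip)
    if name and ip in a.get(name.lower(), ()):
        return name
    return None


def is_dynamic_pool(name):
    return any(p.search(name) for p in DYNAMIC_POOL_PATTERNS)


def smtp_client_decision(ip, ptr=PTR, a=A):
    """Policy for a connecting SMTP client: ('OK'|'REJECT'|'DEFER', reason)."""
    raw = ptr.get(ip)
    if raw is None:
        # No reverse DNS at all: a temporary failure lets a real server retry.
        return "DEFER", "no reverse DNS for %s" % ip
    if is_dynamic_pool(raw):
        # The PTR is the address owner's statement about the address; a spammer
        # on a Comcast pool IP cannot change Comcast's in-addr zone.
        return "REJECT", "%s is in a dynamic pool; relay through your ISP's mail server" % raw
    if fcrdns(ip, ptr, a) is None:
        # A non-pool name that the name's owner does not confirm: don't trust it.
        return "DEFER", "reverse DNS %s is not forward-confirmed" % raw
    return "OK", raw
```

The DEFER (a 4xx reply) rather than REJECT for missing or unconfirmed rDNS is the caveat a postmaster would want: it costs a misconfigured legitimate server a retry, not the message, while the dynamic-pool REJECT stays a hard 5xx, which is what the post advocates.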
Re:Screw Comcast! (Score:4, Interesting)
Speak for yourself.
For someone like myself, who does a lot of hopping between networks, using the "ISP's SMTP server" is a colossal pain in the ass, forcing me to constantly change the SMTP server settings.
OTOH, running my own sendmail is fast, effective, and pretty much always works. I don't see how I should be banned from running my own mail server because some people abuse it. With that wonderful logic, it's time to shut down every P2P service, because most people are abusing them.
-Erwos
Re:Screw Comcast! (Score:3, Insightful)
The vast amount of mail coming from dynamic IP addresses is spam. Users like you are few and far between. As for the P2P services... they SHOULD be shut down as well. 99% of P2P users are stealing software, music, and movie
Re:Screw Comcast! (Score:5, Insightful)
You can blame me and the other ISP's out there that refuse to accept mail from dynamic ranges, but you should be blaming the spammers for ruining email as we know it, and you should blame your provider for not allowing you to have a static IP address.
The ISP I work for only does static IP addresses (except for dialup customers); all of our DSL customers are allocated a static IP address. This is common if you shop around. From what I understand there are many bigger providers that will allow you to have a static IP address for a few more dollars a month if you can show that you are not using it for commercial purposes; furthermore ISPs like SpeakEasy offer static IP addresses as a part of their typical DSL offerings (no I don't work for them).
Also, if you're running a server on those dynamic ranges with Comcast you are clearly violating their TOS. Again, vote with your wallet and find a provider that is more reasonable with their TOS and IP space. Or get a few friends together and pitch in for a virtual server somewhere. You can find a decent virtual server that will suit all of your needs for less than $50 a month; hell, get 5 friends together and it's only $10 a month, surely you can afford that. Plus you can say you have your own server somewhere.
Not only not allowed- shouldn't (Score:3, Interesting)
Yes, the Comcast tech support people are complete morons, I'm a Comcast subscriber myself. I hate them too, but I can't think of a good reason to allow outbound port 25 mail. One could possibly make an argument about authenticated SMTP relays with silliness like POP before relay, but IMHO such systems are broken (and I've used them- I should know). It's better to use SASL and encrypt the whole thing.
When Comcast starts monitoring individual users, though, I do get more than a little concerned.
Re:Not only not allowed- shouldn't (Score:3, Informative)
I doubt that their TOS disallows one to use a mail client.
Re:Not only not allowed- shouldn't (Score:3, Informative)
Comcast's mail servers won't let me "forge" the headers like that.
Reason found.
What you can't think of is not the issue (Score:5, Insightful)
Just because you can't think of a reason to not use the Comcast server does not mean there are not good ones. I've recently been put in the same boat by BellSouth, and I assure you there are good reasons for not wanting port 25 blocked.
First of all, if you, like me, have a notebook and actually move frequently from location to location (home, work, family and friends' houses, public sites with wireless access) then you want to be able to configure your mail client so that it will reach a mail server that you can log into and not have to change settings every time you change location. If you have a mail server outside of a "me only" mentality ISP then this is simple and straightforward. But when the ISP blocks port 25 (as well as not letting you use their mail servers whenever you're not originating from their network), it's a royal pain in the ass to reconfigure all the time.
Also, if you, like me, administer or help maintain a valid mail server off of the Comcast network, you may well find it important to actually send mail through this server. Or you might even have a company policy that states that all business mail must be sent through the company mail server. No problem if port 25 isn't blocked and you log into the server you want. Big problem if some short-sighted system administrator at your ISP insists that everyone should be expected to use the Internet in exactly the same way.
And I can't speak about quality of service at Comcast, but at BellSouth the mail server is frequently down. This was not a significant problem if I had to send time critical information out as long as I had port 25 open and could log into one of the other servers I use. Now it's a problem even from my desktop system.
Fighting spam is great, but fighting stupidity is even more important.
Spammer persistence... (Score:5, Funny)
Bit like Whack-A-Mole, then?
Wrong approach? (Score:5, Insightful)
Why don't they block it on ALL cable modems and let people unblock it if they wish? The majority of users who go through the trouble to unblock it are going to run secure machines. Even if they don't, it's going to reduce the number of spam bots.
And they won't have the privacy advocates all over them...
Re:Wrong approach? (Score:5, Insightful)
In the default configuration, all ports below 1024 should be blocked, and there should be some explanation to the user that if they want to offer a home-based web server, they have to visit the designated area on the provider's site to indicate that they want port 80 incoming traffic. That way, IIS-worm-of-the-week traffic will not bother your last-mile bandwidth if there's no web server at home.
Outgoing ports can be restricted the same way. Outgoing port 25 should only be allowed to official mail servers, unless the user specifically requests otherwise. That way, if a Spam-bot gets in, most users will already be set to not let it out...
Re:Wrong approach? (Score:3, Interesting)
While I am a student at utexas.edu, I must speak up about https://firewall.tamu.edu/ [tamu.edu]. Apparently the resnet team in College Station filters the heck out of their residents' hosts, but allows them to open their boxes up interactively on the fly without having to call tech support. This is all based on what I have gleaned from the TAMU CIT online writeups, so of course don't quote me on it. While I do not have a
What about the children? (Score:5, Funny)
Block outgoing, not incoming (Score:3, Informative)
On the other hand, there's no need to block incoming port 25 unless they're afraid of people running unsecured open relays. Fortunately, that's rarely the case, right? Or are the virus zombies really turned into raw open relays? I'm under the impression that they're controlled more directly, presumably through some different port.
People still don't understand the zombie situation (Score:5, Interesting)
Now obviously, there's a lot an ISP can do about this and it doesn't have to be as drastic as blocking port 25 outright. Users which generate suspicious amounts of TCP port 25 traffic could be reassigned IP addresses from a probation-class pool. That is, hosts within that netblock might not be allowed to make port 25 connections, or might be advertised to the world as block-on-sight.
Comcast's Agreements (Score:5, Informative)
The area you're referring to is
For example, take a look at this quote, which makes my browser's caching of Slashdot's GNAA posts illegal:
Try reading this one: Subscriber Agreement [comcast.net]. This section, in particular, gives Comcast permission to view any information transmitted over the network from or to you: Section 9's cool too. It says that you waive the right to sue them in a real court, but instead will have a hearing before a "neutral arbitrator". Anyhow, you should read all that stuff. Some of it's absolutely unique.
If I don't get modded up for this, I'll be amazed
Re:Comcast's Agreements (Score:3, Interesting)
You can get the right to sue in court back, or alternatively force them to waive the right to sue YOU in court. See battle of the forms [cexx.org] for more info.
Port blocking (Score:5, Interesting)
I have two primary requirements for an ISP. (1) must not block any ports for any reason. (2) must provide at least one static IP.
AOL blocks game ports, so they can charge you $5 more per month for opening the ports. They were one of the first to change the role of ISP from utility to controlled collector of optimal revenue. I have for at least 5 years told everyone to get rid of AOL. Unfortunately, today, people have come to accept the idea that it's ok for an ISP to block ports.
As for the zombies, the ISPs should try:
Re:Port blocking (Score:3, Insightful)
I agree. An ISP is not only hurting some of its customers by blocking ports outright, but also decreasing its value when the competition might allow you unfettered IP access (or, as I call it, real Internet access). Of course, the ISP can and should inform or even disconnect customers that are spam sources. There are tons of clue
Re:Port blocking (Score:5, Interesting)
In fact, thanks to safeties in the power system, if you tried that you'd probably blow up the transformer outside your house. This would cut you off from the rest of the grid and protect everyone else.
It's the power company's job to give me good service. Steady power, clean, no problems. My ISP (who actually IS Comcast) should be the same way. Fast, reliable, no problems. Instead ISPs often follow your "we're just the middle man" theory. This leads to my 'net connection getting wasted by downloading tons of spam for every real message that should get through.
The power company won't let you screw up THEIR network. The phone company doesn't look kindly on people hijacking phone lines and using them for free, and ISPs should be no different. They should FIGHT these zombies.
After all, zombies cut into the bottom line in traffic that has to be passed (both outgoing spam and incoming spam), storage (storing spam on their e-mail servers), and other such things.
Knock the zombies off the network. This is no slippery slope, this is climbing back UP the "you can do whatever you want even when it makes the internet worse for 99% of people" hill that a blind eye has slid us down.
I won't lose sleep, and neither should you.
Re:Port blocking (Score:5, Interesting)
A better analogy might be a phone company. They sure as heck don't give you freedom to use your phone however you want.
But anyway, I agree that ISPs should be unhindered connections to the internet, but only in one direction- to the client.
Zombies: Obligatory (Score:5, Funny)
"He was a zombie?"
What did the vegetarian zombie say?
"Graaiiiinnnnsssss"
http://www.brains4zombies.com
Old unix hackers don't die, they just turn into zombie processes.
I'm sure I'm missing a ton.
Blow their brains out (Score:3, Funny)
Block outgoing port 25 - Yes! (Score:3, Informative)
It took me three days to figure out why I couldn't connect to my domain server (which is hosted by my ISP).
Much as I disliked the idea, if Cox did it then Comcast should, too. If anything that would take care of about 90% of all the zombies. The ones in the business customer base are probably counted in the few hundreds and can be dealt with on a case-by-case basis.
And I don't see why it sucks if you're running your own email server - inbound 25 should not be closed, and you can send through Comcast's relays anyway. Or at least that's how it works with Cox.
Cox Communications already does this... big whoop (Score:3, Informative)
It sucks, but nobody can match their speed in my area... certainly not DSL.
Re:Cox Communications already does this... big who (Score:3, Insightful)
Honestly, what's one more hop? Play nice and let your ISP know you are doing it. If you're not a hassle to them, I bet they won't care. I've been doing it for years.
Just my 2cents.
Good for customers - Bad for Comcast? (Score:3, Insightful)
Bot hunting (Score:4, Interesting)
Port 25 for those who request it (Score:4, Insightful)
Not surprising. (Score:3, Interesting)
Of course, that'd require *real* work and verification, as those sites move all the time. Still, it's possible.
The point is, this is lipstick on a pig. No amount of port blocking is going to stop dumbass users from being turned into zombies, short of pulling the plug or blocking their access to a database of known-to-be-harmful sites.
Here's an idea: how about disabling it like they are considering, and then putting them on a probationary term? They'd be able to continue with Comcast, but their traffic would have to be filtered through the blacklist for, say three months?
I know it's not popular to talk about censoring sites, but it's wasteful in terms of productivity and economics to have to clean up after these zombies all the time. Perhaps the "denial of service" should be applied to those infected, say after two incidents?
Just thoughts. I applaud Comcast for thinking about it, but can't help but shake my head as to the likely effectiveness.
Shoud have done vvv this vvv years ago (Score:4, Insightful)
By user-runtime-reversible I mean:
Put up a web page that I can connect to from my served address only, that lets me check-mark the common ports I want to allow in/out/both. And, most importantly, *NOT* change billing or pricing by check-box etc.
The default map would never be changed by users that don't care, and thus zombie-spam would be greatly reduced.
The custom map would be useful for those who do care.
Keying this on the "hostname" a paying customer sends with their DHCP requests, or by IP address and giving out nearly-static leases by default and clearing the map when a lease is lost, would be child's play. It is no harder technologically than dynamic DNS.
It could be instantiated anonymously one day and only the legitimate users who cared would even notice. As long as there was an obvious "so your ports were just locked on a service you were running at home and you don't like that? here's how to open them" link obviously placed on an "expert users" page on the corporate web site, everything would be self-healing.
Of course that implies that they have rationally segmented their network so that the routers can leverage this information in reasonable time.
Evidence suggests that they have not so segmented. (You would not *believe* the amount of cyclic ARPing across multiple address ranges I see from their servers on my cable modem segment...)
Heck, the simple intelligence-test effect created by requiring a user to find their own hostname string from inside either their active configuration or their setup invoice would be enough to stop all sorts of shenanigans... 8-)
So anyway, Comcast, get a nice firewall box, set up a permeable wall with a nice default mask, and let users instantiate a private mask if they so desire by visiting their service settings web page.
Not that hard, unless you bought your infrastructure *really* cheap... 8-)
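Two posts in this thread propose the same mechanism from different ends: block the privileged ports (and outbound 25 to anything but the ISP's relays) by default, and let a subscriber open ports from a self-service page reached from their own connection. The following is an added example of that port map rendered as nftables rules; it is not from the thread and not any ISP's code. The nftables syntax is real, but the relay addresses, subscriber records, table and chain names, and the rule that a request is only honoured from the subscriber's own address are assumptions made for the example.

```python
"""Added example (not from the thread): a per-subscriber default-deny port map
that the subscriber changes from a self-service page, rendered as nftables rules.

nftables syntax is real; relay addresses, subscriber records and chain
names are assumptions.
"""
RELAY_IPS = ("198.51.100.25", "198.51.100.26")   # constructed ISP smarthosts
PRIVILEGED = range(1, 1024)                       # ports blocked inbound by default


class PortMap:
    def __init__(self, relay_ips=RELAY_IPS):
        self.relay_ips = relay_ips
        self.subs = {}   # subscriber_ip -> {"in": set of opened ports, "out25": bool}

    def add_subscriber(self, ip):
        self.subs[ip] = {"in": set(), "out25": False}

    def request(self, from_ip, subscriber_ip, port=None, direction="in"):
        """Self-service change; only honoured when issued from the subscriber's own address."""
        if from_ip != subscriber_ip or subscriber_ip not in self.subs:
            return False
        rec = self.subs[subscriber_ip]
        if direction == "out25":
            rec["out25"] = True           # customer opts out of the relay-only default
        elif direction == "in":
            if port not in PRIVILEGED:
                return False              # ports >= 1024 are not blocked; nothing to open
            rec["in"].add(port)
        else:
            return False
        return True

    def nft_rules(self, subscriber_ip):
        """Ordered rule lines for one subscriber, first match wins."""
        rec = self.subs[subscriber_ip]
        ip = subscriber_ip
        rules = []
        # Inbound: explicit opens first, then the default drop on 1-1023.
        if rec["in"]:
            ports = ", ".join(str(p) for p in sorted(rec["in"]))
            rules.append("ip daddr %s tcp dport { %s } accept" % (ip, ports))
        rules.append("ip daddr %s tcp dport 1-1023 drop" % ip)
        # Outbound 25: the official relays always, anything else only if opted in.
        rules.append("ip saddr %s ip daddr { %s } tcp dport 25 accept"
                     % (ip, ", ".join(self.relay_ips)))
        if not rec["out25"]:
            rules.append("ip saddr %s tcp dport 25 drop" % ip)
        return rules

    def render(self):
        """Full ruleset text for a hypothetical 'subscribers' forward chain."""
        body = "\n".join("    " + r for ip in sorted(self.subs) for r in self.nft_rules(ip))
        return ("table inet isp {\n  chain subscribers {\n"
                "    type filter hook forward priority 0; policy accept;\n"
                "%s\n  }\n}" % body)
```

Notice what a zombie on a default subscriber can still do: reach the ISP's relays on 25. That is why the relay side still needs the per-source volume check from earlier in the thread; the port map removes direct-to-MX spam, not spam laundered through the ISP's own servers.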
IAAMCCNE (Score:5, Informative)
Re:IAAMCCNE (Score:3, Insightful)
Or just sign up with Speakeasy, that gives you all of the above except an SLA, and doesn't meddle with what you do with your connection and justify it with the misdeeds of hojillions of clueless newbies on their network.
Not turning a blind eye? (Score:3, Insightful)
Yes, yes they have. They ignore complaints. If they weren't turning a blind eye to the problem, it wouldn't be necessary to totally block Comcast's IP space on mail filters.
They have the ability to take action when they receive abuse reports regarding zombie machines. They have thus far done nothing. It seems as though the volume of users bitching about being firewalled from the rest of the 'net as a result of their ISP's total inaction has finally reached a critical point.
Offer a /dev/null machine address too (Score:5, Interesting)
When I see a bunch of bogus packets slam into my box that have no reason to exist, I would like to be able to automagically do the IP equivalent of call blocking.
Sending an ICMP-REDIRECT-like message out in response to a bogus packet should be snuffled up by the ISP equipment and taken as a "call block" request against a particular peer address.
So if I rig up my firewall to icmp-redirect to some magic address (say 0.0.0.0, which is never legal in a redirect), the upstream router should process it as, say, a 24 hour ban of packets from that address to my address.
Were such a thing to become common, the ISP could forward that ban on to the next upstream peer and so on until the "well behaved" router closest to the miscreant would be keeping the wastage off of the backbones entirely.
Since it is a point-to-point ban it would be rather effective without letting malicious third parties do too much damage unless they could get common-segment with one of the parties.
Talk about killing a DDOS at the diverse roots.
Anyway, it would need a little refinement to keep the haxors next door from pretending to be me and cutting all of the sites they sniff me using, you know, check mac addresses or require me to use an activation squib from my firewall from time to time....
But it should be easy and safe enough once the nearest "Real" router got the do-not-call packet.
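What the nearest router would have to keep for this to work is a "do-not-call" table keyed on the (peer, subscriber) pair, and the post's own worry about the neighbour on the same segment is the part that needs care. The block below is an added example, not from the thread and not any vendor's implementation: bans are per pair with a 24-hour expiry, a request is honoured only when it comes from the subscriber's own address and the MAC the ISP associated with it, and each subscriber gets a cap on live bans so the feature cannot be used to exhaust router state. The signalling format, the cap, the addresses and the MACs are all assumptions.

```python
"""Added example (not from the thread): the 'do-not-call' table an ISP router
would keep if it honoured a subscriber's ban request for a peer address.

Signalling format, addresses, MACs and the per-subscriber cap are assumptions.
"""
import time

BAN_SECONDS = 24 * 3600
MAX_BANS_PER_SUBSCRIBER = 1000   # assumed cap against state exhaustion


class BanTable:
    def __init__(self, subscriber_macs, clock=time.time, max_bans=MAX_BANS_PER_SUBSCRIBER):
        # subscriber_ip -> MAC learned when the lease was handed out (assumed source)
        self.macs = {ip: mac.lower() for ip, mac in subscriber_macs.items()}
        self.bans = {}          # (peer_ip, subscriber_ip) -> expiry time
        self.clock = clock
        self.max_bans = max_bans

    def _expire(self):
        now = self.clock()
        for key in [k for k, exp in self.bans.items() if exp <= now]:
            del self.bans[key]

    def request(self, requester_ip, requester_mac, peer_ip):
        """Handle one ban request seen on the subscriber's segment; True if recorded."""
        if self.macs.get(requester_ip) != requester_mac.lower():
            return False        # unknown subscriber, or a neighbour spoofing their IP
        if peer_ip == requester_ip:
            return False        # nonsensical request
        self._expire()
        live = sum(1 for (_, sub) in self.bans if sub == requester_ip)
        if live >= self.max_bans and (peer_ip, requester_ip) not in self.bans:
            return False        # cap reached; refreshing an existing ban is still fine
        self.bans[(peer_ip, requester_ip)] = self.clock() + BAN_SECONDS
        return True

    def allowed(self, src_ip, dst_ip):
        """Forwarding decision for one packet: False only for a live (src, dst) ban."""
        exp = self.bans.get((src_ip, dst_ip))
        if exp is None:
            return True
        if exp <= self.clock():
            del self.bans[(src_ip, dst_ip)]
            return True
        return False

    def upstream_announcements(self):
        """Live bans to forward to the next router toward the peer."""
        self._expire()
        return sorted((peer, sub, int(exp)) for (peer, sub), exp in self.bans.items())
```

Keying on the pair rather than on the peer alone is what keeps a malicious subscriber from cutting anyone else off, and the MAC check is the cheap version of the "activation squib" the post mentions; a router that also does source-address validation on the segment would make the spoofing case harder still.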
Re:Offer a /dev/null machine address too (Score:4, Informative)
A student at Stanford is working on a technique called Active Internet Traffic Filtering [arxiv.org] that works in a similar way to what you describe, blocking malicious traffic as close to its source as possible.
BellSouth blocks Port 25, so we ditched them (Score:4, Interesting)
Since BellSouth wouldn't use some sort of reasonable measure of WHO was abusing the service instead of treating everyone as a spammer, we switched him to another DSL carrier. I think it's unreasonable to expect everyone to have to use ONLY the mail server of the ISP.
BTW, BellSouth said they WOULD open Port 25 if my father would pay double the money for a "business-class" DSL account, which shows me that it's more of a marketing distinction on their part than a distinction with a truly technical justification.
Redirection (Score:3, Interesting)
As a Comcast customer (Score:3, Insightful)
Biggest advantage of running my own mail server? I can run IMAP there as well with squirrelmail, then receive AND send mail from any terminal in the world on my own account. No screwing around with finding the local SMTP server on whatever ISP I happen to be on. That's far more useful than you realize! And no, I do not accept the idea that just because some people abuse SMTP to send spam that we should slam everyone for it. I also run my own DNS server behind my firewall to let me centrally control aliases to various hosts. That's a perfectly benign act. I also make NTP requests, although I don't serve NTP to anyone else.
Someone else suggested a good compromise, I think. Default block anything below 1024 (in the appropriate direction, depending on the port), but let anyone explicitly request any given port to be opened, no questions asked. Quick signup on a web form, no long delay. That automatically keeps 99% of the zombies in check (since zombified users, most likely, won't know what a port is) and allows people like me to make full use of an always-on connection. Anyone who has requested a port be opened, however, is monitored not for content but for volume. OK, they'd get cranky if my home web server were slashdotted. Well so would I.
Makes everyone happy, and kills most zombies in the process.
One solution (Score:4, Insightful)
The system lets the user out of isolation 30 minutes after the reason for isolation has disappeared. Though there are some users who get into isolation, out of it, back again all day long. One has to wonder what the user is doing with the computer? Just having it on, warming the house? 'Cause they can't surf the net, they can't send email...
This system has reduced outbound spam drastically! And the best part is, we don't have to find out who is infected (dynamic IPs) and then try to contact the end user (many times not the one who pays..).
Here's the manufacturer's slide show [rommon.com] (don't slashdot him to death..)
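The isolate-and-release behaviour the post describes, as an added example that is not part of the thread or of the vendor's product: a host goes into isolation when outbound spam is seen from it and is released 30 minutes after the trigger last appeared, and the tracker also counts how many separate isolation episodes a host has had so the "in, out, back again all day" cases stand out. The 30-minute figure comes from the post; the data structure, method names and epoch-second timestamps are assumptions.

```python
from dataclasses import dataclass, field

RELEASE_DELAY = 30 * 60  # seconds; the 30-minute figure from the post


@dataclass
class IsolationTracker:
    """Tracks which hosts are isolated and how often each has been isolated.

    Added example, not the vendor's system. Times are epoch seconds."""
    last_trigger: dict = field(default_factory=dict)  # ip -> time spam last seen
    episodes: dict = field(default_factory=dict)      # ip -> number of isolations

    def is_isolated(self, ip, now):
        """True while the host is isolated; releases it once the trigger has
        been absent for RELEASE_DELAY seconds."""
        last = self.last_trigger.get(ip)
        if last is None:
            return False
        if now - last >= RELEASE_DELAY:
            del self.last_trigger[ip]  # reason for isolation has gone away
            return False
        return True

    def trigger(self, ip, now):
        """Record outbound spam seen from ip at time now. A host already in
        isolation just has its release timer restarted; a host that was free
        starts a new isolation episode."""
        if not self.is_isolated(ip, now):
            self.episodes[ip] = self.episodes.get(ip, 0) + 1
        self.last_trigger[ip] = now

    def chronic_offenders(self, min_episodes=3):
        """Hosts that keep bouncing in and out of isolation."""
        return sorted(ip for ip, n in self.episodes.items() if n >= min_episodes)
```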
Re:why port 25 (Score:3, Informative)
Re:why port 25 (Score:5, Informative)
If they aim at any other port, they're very likely to see nothing but "Connection denied" messages.
I've already got most of Comcast simply blocked from my mailservers, simply because I never see anything but spam coming from them:
If they REALLY want to send me e-mail, they need to send it through a non-client address (for example, through Comcast's own mailservers...)
It's nice to see that someone at Comcast is waking up, though. I'd been reporting spam coming from a triplet of IP addresses for approximately four months before I simply blackholed the entire
Now, to see if they can actually *do* anything about the problem they just noticed...
Re:How to tell? (Score:3, Informative)
If your modem activity light is on all the time.
If your network activity box (on your gnome pop up tool bar) is showing traffic even when you are not deliberately doing any network activity.
If your other network traffic monitors are showing activity when you are not doing any traffic.
Your modem activity light is, I suppose, the most foolproof method.
You can always wire up a bell which rings when the modem activity light goes on, so you will have an idea of what is going on.
Salivation optional.
;)
Re:How to tell? (Score:5, Interesting)
My Motorola Surfboard's orange "Activity" light (this model doesn't have separate LEDs for TX/RX) is almost always solid, even when I'm not doing anything at all. As if the constant flood of ARP traffic over the cable system wasn't enough, the constant hammering of any number of worms brings the traffic to a steady buzz. I still get Nimda and Code Red attempts on a daily basis, and lots of hits to 3306, which I presume are Slammer. In fact, here's the most recent attempt, about 8 minutes ago. From a worm that came out in, what, 2001?
tcpdump or Ethereal are probably the best ways to determine if you've been turned into a zombie. tcpdump | grep smtp, or leave Ethereal running for awhile and scan the output for connections to port 25. If either comes up with a shitload of outbound SMTP traffic, you've probably got a trojanned box.
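The tcpdump check the post suggests, as an added example that is not part of the thread: instead of eyeballing `tcpdump | grep smtp`, parse `tcpdump -n` style lines and count outbound SYNs to port 25 per destination. A normal home box talks to one or two smarthosts; a spam zombie fans out connections to many MX hosts. The sample lines are constructed, and the local address 10.0.0.5 and the thresholds are assumptions.

```python
import re
from collections import Counter

# tcpdump -n prints TCP lines of the form (constructed sample):
#   12:00:01.000000 IP 10.0.0.5.49152 > 203.0.113.10.25: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def outbound_smtp_syns(lines, local_ip):
    """Count, per destination, the connections local_ip tried to open to port 25.

    Only pure SYNs count (flags "[S]", not the "[S.]" of a SYN-ACK), so each
    delivery attempt is counted once rather than once per packet."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, ICMP and other non-TCP lines
        if m["src"] != local_ip or m["dport"] != "25":
            continue
        if "S" in m["flags"] and "." not in m["flags"]:
            hits[m["dst"]] += 1
    return hits


def looks_like_zombie(lines, local_ip, max_dests=5, max_syns=20):
    """Flag the box if it fans out to many MX hosts or sends a flood of SYNs.
    Thresholds are assumed; tune them to the machine's normal mail habits."""
    hits = outbound_smtp_syns(lines, local_ip)
    return len(hits) > max_dests or sum(hits.values()) > max_syns


# Constructed capture: ARP noise, one legitimate session to a smarthost, then
# a spam run that opens connections to eight different MX hosts.
LEGIT = [
    "12:00:00.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28",
    "12:00:00.100000 IP 10.0.0.5.49152 > 10.0.0.9.25: Flags [S], seq 1, win 65535, length 0",
    "12:00:00.200000 IP 10.0.0.9.25 > 10.0.0.5.49152: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "12:00:00.300000 IP 10.0.0.5.49152 > 10.0.0.9.25: Flags [.], ack 1, win 65535, length 0",
]
SPAM_RUN = [
    f"12:00:01.{i:06d} IP 10.0.0.5.{50000 + i} > 203.0.113.{i}.25: Flags [S], seq 1, win 65535, length 0"
    for i in range(1, 9)
]

if __name__ == "__main__":
    print("legit only:", looks_like_zombie(LEGIT, "10.0.0.5"))          # False
    print("with spam run:", looks_like_zombie(LEGIT + SPAM_RUN, "10.0.0.5"))  # True
```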
Re:How to tell? (Score:5, Informative)
Note that you can also appear on blocklists for various other reasons. So look into why you're blocked. If you're listed on AHBL, CBL, SpamCop, WPBL for example then your host is probably infected.
Re:An expensive problem. (Score:5, Insightful)
And how much money could have been saved if they'd implemented such a policy when people started telling them it was a problem (it's been several years since people started telling Comcast that their users were a load of USDA Prime Clue-Free Spam Zombies...)
It's interesting how much money can be saved by paying attention to the small, seemingly innocent details before they add up to be monstrous problems.
Re:Can't stop 'em (Score:3, Interesting)
You can SEND FROM any port you like, but you're going to have to connect to a destination port 25 on the target box before anything gets delivered, in the vast majority of circumstances. (i.e., barring any misconfiguration, deliberate or otherwise, that results in the SMTPD listening on ports other than 25.)
Please go do some reading on the subject before embarrassing yourself again.
Re:some ISP's already do this (Score:5, Insightful)