Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Spam The Internet Your Rights Online

Comcast Thinks About Stopping Zombies 592

LehiNephi writes "Comcast has finally admitted that its users are responsible for a large amount of spam, and they are thinking about how to stop it. Apparently they haven't been turning a blind eye to the problem after all. The simple, blanket approach of blocking all traffic on port 25 would have too many side effects, particularly for users running their own mail servers. However, they can block that port on individual cable modems-a sort of surgical strike. As far as I'm concerned, the sooner they implement this, the better!"
This discussion has been archived. No new comments can be posted.

Comcast Thinks About Stopping Zombies

Comments Filter:
  • by lseltzer ( 311306 ) on Monday May 24, 2004 @08:12PM (#9243456)
    Comcast cable modem customers aren't allowed to run mail servers anyway, so I doubt the side-effects would bother them
    • by MikeXpop ( 614167 ) <mike&redcrowbar,com> on Monday May 24, 2004 @08:24PM (#9243538) Journal
      My friend tried to run a mail server off of his comcast connection awhile back. He could recieve mail fine, but anytime he tried to send mail it would fail. I always assumed 25 was off anyway.
      • by gad_zuki! ( 70830 ) on Monday May 24, 2004 @09:05PM (#9243826)
        No, outbound or inbound port 25 are not blocked. What's probably happening is that the recpient's mail server saw that the IP was from Comcast's IP block and either deleted it outright or labeled it as spam.

        For instance, I can send messages my mail server on comcast and it'll get to most places just fine but both Yahoo and Hotmail will just delete it. Or Comcast already has a system to block these messages to popular domains like yahoo or hotmail. So perhaps there is limited filtering.
    • Comcast cable modem customers aren't allowed to run mail servers anyway, so I doubt the side-effects would bother them

      Who are you kidding? Just because they aren't allowed to doesn't mean they're not.

      No one is allowed to download copyrighted material without the necessary license either. So I doubt anyone would be bothered by the RIAA implementing a plan to go after music downloaders...

      • by Anonymous Coward
        The point being that Comcast is well within their rights to block inbound 25.
      • Good point. But then Comcast shouldn't be using that excuse for not doing port 25 blocking.
      • Ah, but why should an ISP care about impact to services it doesn't permit on its network anyways (at least for residential non-business users)? Soon every ISP will block 25/TCP outbound for residential users and spammers will have to find another way. They will, but at least it will put a crimp in their efforts.
        • by SillyNickName4me ( 760022 ) <dotslash@bartsplace.net> on Tuesday May 25, 2004 @01:13AM (#9244888) Homepage
          comcast may not allow it but they are not the only player in town. (and the ISP I am using explicitly allows it for example) so I really doubt you will see a 'blanket solution anytime soon.

          Besides, whats next? blocking all traffic to known p2p related ports? and then filter USENET?

          People should start thinking a lot more about the consequences of 'solutions' they propose, esp those
          involved in spam prevention have a strong tendency to go for measures that are way worse then the problem they try to solve while missing the obvious (the smtp protocol being broken)
    • by wo1verin3 ( 473094 ) on Monday May 24, 2004 @08:25PM (#9243555) Homepage
      technically speaking as per the terms of service (usage agreement) you can't even choose to be the host in a two player online game because that is a service.

      However, ComCast also lives in the real world. While on paper they could make an argument, they're trying NOT to upset the technical folks in their customer base.
    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Monday May 24, 2004 @08:36PM (#9243652)
      Comment removed based on user account deletion
      • by ajs ( 35943 ) <[ajs] [at] [ajs.com]> on Monday May 24, 2004 @09:22PM (#9243938) Homepage Journal
        So, indiscriminate blocking of outbound port 25 will have side-effects.

        Both inbound and outbound blocking will cause problems for users like myself. In particular, it will cause those members of Comcasts user-base (like myself) who are looked at by our friends and family as an expert in such matters to not only choose a different ISP for ourselves, but to recommend that those we care about not use the service either. After all, an ISP that tries to choose which parts of the Internet you have a right to talk to is no better than a fancy BBS, and software that my mother might want to run tomorrow could be hampered by that kind of short-sitedness (e.g. if she wanted to host a mail server that I set up for her home business, which I'll be doing next month).

        No, Comcast knows their customers because the people who set all of this up for them are a fair bit like me...

        Besides, customers like me are gold to Comcast. We do all the right things to protect our systems from compromise, we evangelize new users, we test out new services and build future markets for them. Early adopters are exactly what Comcast wants.
      • Alternate ports (Score:4, Informative)

        by KalvinB ( 205500 ) on Monday May 24, 2004 @10:25PM (#9244263) Homepage
        Cox blocks port 25 inbound and outbound. It used to be an outbound block only until MyDoom showed up.

        This is why Indie-Mail [icarusindie.com] (which is colocated with another ISP) runs the SMTP server on ports 25 and 28. I didn't care to have to run my mail through Cox.

        Other people who run public mail servers would be smart to offer that feature. It allows their legitmate customers a way to avoid having to run all their mail through their ISP and doesn't do anything to help spammers.

        Unless everybody used the same alternate port enough that e-mail viruses just started using the alt port and the standard.

        Ben
      • by muckdog ( 607284 ) on Monday May 24, 2004 @10:58PM (#9244407) Homepage
        Correct, The group that this would effect most directly is telecommuters. The ones that use authenticaion with their company's smtp server. Broadband is almost a requirement if you are telecommuting.
      • I am a Comcast customer, and I'd hate to have all
        my connections proxied or blocked, but I don't see
        the harm in making people like myself call a phone
        number to supply a list of ports to unblock/unproxy.

        Them: "How may we help you?"
        Me: "Please unblock TCP port 25, both ways"
        Them: "OK"

        After all, why should millions of people have tens
        of thousands of unneeded ports available for abuse?
    • by steve buttgereit ( 644315 ) on Monday May 24, 2004 @09:04PM (#9243823) Homepage
      Actually, their reps have said during calls that mail servers are not officially supported, but that they willingly turn a blind eye.

      Given that they are the only broadband I can get and I do run a mail server for any host of reasons; the targeted approach would be the only acceptable method.
      • I just realized. The solution isn't for carriers (which is all I view comcast as) to block any services. A better email infrastructure is what is required.

        We've now heard tales of domain keys, SPF what have you. These types of measures are the only ones that will really solve for the problem.

        There is no reason for mail servers to be anonymous or blindly relay. Mail admins should also decide whether to accept email from anonymous sources or not. By bringing to bear some sort of digitial signature solu
    • by Aaden42 ( 198257 ) on Monday May 24, 2004 @09:07PM (#9243843) Homepage
      There's an aweful lot of people missing the point here. To cause trouble for people running their own mail server, they'd need to block INBOUND traffic coming to port 25. That wouldn't stop any of the zombied machines since they're all trying to make OUTBOUND connections going to port 25.

      If you block outgoing 25 (thus stopping zombies) what you also accomplish is preventing any of your customers from using anyone else's SMTP server as their outgoing SMTP server. My web host supports TLS encryption which I prefer to use so at least my neighbors aren't reading my mail.

      Requiring everyone to use the ISP SMTP server is the wrong solution, and it's a complete pain for laptops. I can take my laptop anywhere, plug it in, and know that I can send mail (using authenticated SMTP) through mail.myhost.com. If everybody starts blocking OUTBOUND 25, then whereever I plugin my laptop, I need to ask, "Hey, what's your SMTP server???" A very poor solution to the problem.

      Block 25 for known zombies or just disconnect them completely. When they call ("My Internet's broken!") let 'em know they've gotta patch their box and get some antivirus software (and stop clicking on those damn attachments!!!) before they get their pr0n0 feed turned back on.
      • by Medievalist ( 16032 ) on Tuesday May 25, 2004 @03:19PM (#9252137)
        I'm a comcast customer with a mailserver. I also have an IPtables firewall and a zoned defense with an IDS (running no IP address) in the "dirty" zone.

        All these things are true on my connection:

        Incoming port 25 is not blocked from the outside world.

        Incoming port 25 is blocked from other Comcast IP addresses.

        Outgoing port 25 is not blocked to the outside world (but is often filtered out by other networks. Widespread adoption of SPF will make this problem worse).

        Outgoing port 25 is blocked to other comcast addresses - except to the comcast mailservers.

        The comcast mailservers will relay anything that comes from a comcast IP, unfortunately they do this without even the most cursory scanning, so there are several virii (including at least one variant of klez) that are constantly being relayed out into the world at large by the comcast mailservers.

        Blocks and tarpits come and go on other ports; mostly on NetBIOS ports. I block all netbios, but occasionally nmapping from outside comcast will show those ports as "open" (needless to say, my logs at home show the nmap packets never reached me).

        This is the empirical truth, based on actual observation, in my section of the comcast net. There may be different conditions elsewhere.

        I offered to fix comcast's problems for them, using excessed equipment and OSS (I figure it'd take about a week to implement a permanent solution to all virii and most spam on comcast) but their phone support guys were incapable of understanding what I was saying.

  • by Tourney3p0 ( 772619 ) on Monday May 24, 2004 @08:13PM (#9243460)
    This clearly violates the right to maintain your own SCO-attack zombie.
  • Port 25 (Score:3, Insightful)

    by thrillseeker ( 518224 ) on Monday May 24, 2004 @08:13PM (#9243464)
    All they nned to do is to restrict SMTP outbound connections to their own mailservers. Forcing traffic through their won machines will qucik;ly point out who the abusers are, and they can likewise filter for viruses and worms preventing propogation.
    • Re:Port 25 (Score:5, Interesting)

      by gnuman99 ( 746007 ) on Monday May 24, 2004 @08:25PM (#9243547)
      Yeap. This is the only way to stem the traffic. People can still run their own mail servers, but all outbound connections should go though the ISP. Afterall, it is not like it is a privacy issue (they can sniff the packets anyway, so bypassing their SMTP server does not help you!)
      • Re:Port 25 (Score:3, Insightful)

        by jdreed1024 ( 443938 )
        This is the only way to stem the traffic. People can still run their own mail servers, but all outbound connections should go though the ISP. Afterall, it is not like it is a privacy issue

        Who said it was a privacy issue? It's a freedom issue. I often need to send e-mail through other SMTP servers if I'm using my work or school address. Because myisp.com's mail servers will not accept mail from myschool.edu e-mail addresses. And rightly so. If they do, it's called relaying, and we all know relaying is

    • Re:Port 25 (Score:5, Insightful)

      by bigberk ( 547360 ) <bigberk@users.pc9.org> on Monday May 24, 2004 @08:32PM (#9243613)
      All they nned to do is to restrict SMTP outbound connections to their own mailservers.
      Ummm.... no, that alone won't do it. They also have to have vigorous spam and virus controls on their mail server. Otherwise the ISP's mail servers will just relay the spam and viruses. SWEN for instance sends itself via the ISP's "proper" relay.

      For example, ISPs that send me plenty of spam and viruses relayed through their main mail servers are: arnet.com.ar, bigpond.com, btinternet.com, libero.it, singnet.com.sg, videotron.ca, wanadoo.fr

      Case in point. Blocking port 25 doesn't stop spam. Booting your spamming customers does.
      • Re:Port 25 (Score:5, Insightful)

        by Have Blue ( 616 ) on Monday May 24, 2004 @08:52PM (#9243753) Homepage
        This story is about compensating for users who are unaware that their computer has been trojaned and is emitting spam. Is getting kicked off your ISP a suitable punishment for that? Comcast is doing the minimum necessary to keep the most people possible happy (except the spammers, and apparently you).
        • Re:Port 25 (Score:3, Funny)

          by Woody77 ( 118089 )
          No, it's not too harsh. Suspend their service, send them a note saying that they've been compromised, and they need to clean up their PCs.

          Restrict their accounts to only allow port 80 to known good spyware/malware cleanup vendors, and go from there. AdAware + SpyBotSD + Symantec (Corp Edition) seals up a box nicely, or at least cleans it up temporarily.

          I've been slowly teaching the other firefighters in my volunteer fire dept, and they're learning. They're not the most computer literate, but you give t
    • Re:Port 25 (Score:3, Informative)

      The problem with this is Comcast's SMTP servers will cough up a "relaying denied" at times when they shouldn't - and I've given up trying to get hold of someone competent at their end to point out this problem.

      I used to use the Comcast SMTP servers with my three e-mail accounts (two of them non-Comcast) if I was connected through their cable. But at times when I'd send from my university e-mail account, mail would get blocked with "relaying denied".

      So now I use the university's SMTP server for everything
      • Re:Port 25 (Score:3, Insightful)

        by yorgasor ( 109984 )
        Um, that's what's supposed to happen. Why should Comcast relay email through their servers from some unknown network? That's what's called an 'Open Relay.' And spammers love them. Unless there's a method for the SMTP server to verify that you are in fact their customer, they really should only relay email for people on their network.
    • Re:Port 25 (Score:3, Insightful)

      by nacturation ( 646836 )
      I posted a potential solution for this half a year ago:

      http://slashdot.org/comments.pl?sid=78099&cid=693 6 111 [slashdot.org]

      "Allow for normal port 25 access to the ISP's email server (with the usual restrictions on volume and content) and, for external port 25 access, there's a number of possibilities:

      1. Allow the client to setup a pre-determined list of specific hosts they want to connect to. This might be done using a web-based interface.
      2. Only allow the first 10 hosts (per dialup connection, per DHCP lease,
  • First! (Score:5, Insightful)

    by Anonymous Coward on Monday May 24, 2004 @08:14PM (#9243465)
    I think it's a good idea. But why stop there? Disconnect the zombies until they fix the problem on their computer.
    • Re:First! (Score:3, Insightful)

      by MBCook ( 132727 )
      I agree. Now of course you can't disconnect them completely because then they can't download software to fix their system. This means that you (Comcrud) would have to send them all CDs that contained whatever was neccessary to fix the computer. That costs money, support, etc.

      I agree they should be cut off, but to all but one site (something on Comcrud's servers) that mirrors all the downloads people might need (free AV software, anti-spyware, etc). Once they downloaded the software and ran it, they could r

  • by Grimster ( 127581 ) on Monday May 24, 2004 @08:14PM (#9243468) Homepage
    Had a user come into our help channel last night, unable to send email through his account with us since that morning (yesterday Sun 05/23) and I confirmed the server was working fine so I had him telnet to port 25 - no luck, had him telnet to port 25 on the server I use for email - no dice, had him use port 2525 - SMTP connection opened up fine.

    He was using comcast for his cable modem. Said it just started that day.

    We accept incoming smtp on port 2525 also since my OWN isp at home blocks port 25 (knology) so I have ot use 2525 to send email through my company email server myself.
    • Nope. (Score:5, Informative)

      by Anonymous Coward on Monday May 24, 2004 @08:21PM (#9243516)
      There is actually an 'official' alternate port for this purpose. See:

      http://www.ietf.org/rfc/rfc2476.txt
      • Re:Nope. (Score:3, Informative)

        by hpa ( 7948 )
        Correct (the port is 587.) It's a really nice thing to have on the road - set it up on your home server to *only* accept TLS+SMTP AUTH, and you don't have to deal with blocking.
  • by LostCluster ( 625375 ) * on Monday May 24, 2004 @08:15PM (#9243477)
    There's a real easy way to tell the difference between a zombie and somebody running a home mail server...

    The zombie will be sending an insane number of e-mails to an insane number of users constantly. No home mail server should be used to run a listserve with anything more than a hundred people or so. Therefore, bursts of port 25 are okay, camping on port 25 is a sign of trouble.
  • by mcrbids ( 148650 ) on Monday May 24, 2004 @08:16PM (#9243483) Journal
    What if they had a *simple* process for registering your mail server with them? 5 minutes, maybe $20 and that's it?

    People who run their own mail servers are control freaks and had better be technically minded enough to call the Admins at Comcast in order to register their mail server.

    Otherwise, who'd notice or care?
    • by MalleusEBHC ( 597600 ) on Monday May 24, 2004 @08:21PM (#9243519)
      It doesn't even have to be that difficult. Just block port 25 by default. If someone calls up and asks for it to be enabled, do it free of charge, no questions asked. Now everyone who wants to run a mailserver can do so painlessly, but the average joe zombie wouldn't be able to spread spam because port 25 would be off for him by default. I bet this would stop 90%+ of all the nasty zombie spam.
  • by Faust7 ( 314817 ) on Monday May 24, 2004 @08:16PM (#9243484) Homepage
    "We're the biggest spammer on the Internet," network engineer Sean Lutner said at a meeting of an antispam working group in Washington, D.C., last week.

    Seconds later, bangs, thrashes, and pleads for mercy in a very Lutner-like voice could be heard from outside the conference room.
  • Screw Comcast! (Score:5, Interesting)

    by jchawk ( 127686 ) on Monday May 24, 2004 @08:17PM (#9243490) Homepage Journal
    As a mail admin stop the shit yourself.

    Ban - client.comcast.net, and client2.comcast.net

    Since the spammers can't forge the reverse DNS on the IP you can trust your blocking Comcast's dynamic ranges. Their business customers are not on any of the IP's that reverse to client.comcast.net or client1.comcast.net, and residential customers in the blocked dynamic ranges can relay mail to you through comcast's mail servers like they are supposed to.

    There is absolutely no reason in this day and age of spam to run a legit mail server off of a dynamic IP address. :-)

    • Re:Screw Comcast! (Score:4, Interesting)

      by Erwos ( 553607 ) on Monday May 24, 2004 @08:29PM (#9243585)
      "There is absolutely no reason in this day and age of spam to run a legit mail server off of a dynamic IP address. :-)"

      Speak for yourself.

      For someone like myself, who does a lot of hopping between networks, using the "ISP's SMTP server" is a collossal pain in the ass, forcing me to constantly change the SMTP server settings.

      OTOH, running my own sendmail is fast, effective, and pretty much always works. I don't see how I should be banned from running my own mail server because some people abuse it. With that wonderful logic, it's time to shut down every P2P service, because most people are abusing them.

      -Erwos
      • OTOH, running my own sendmail is fast, effective, and pretty much always works. I don't see how I should be banned from running my own mail server because some people abuse it. With that wonderful logic, it's time to shut down every P2P service, because most people are abusing them

        The vast amount of mail coming from dynamic IP addresses is spam. Users like you are few and far between. As for the P2P services... they SHOULD be shut down as well. 99% of P2P users are stealing software, music, and movie

    • Re:Screw Comcast! (Score:5, Insightful)

      by jchawk ( 127686 ) on Monday May 24, 2004 @08:50PM (#9243743) Homepage Journal
      From the comments so far I've seen "I don't have the money to pay for a static IP address.", I know that it sucks that not everyone can have static IP addresses, but that's something you should take up with your provider. Why should the rest of the Internet Service Providers out there pay for your ability to send email from a dyanmic IP address? You can't begin to imagine how much spam we are able to drop because of those two simple blocks (client.comcast.net and client2.comcast.net)... It's to the point where we would need to add at least another mail server to accept the email coming from those ranges. That's simply not something we are willing to do when 99.9999% of all email from those dynamic ranges are spam.

      You can blame me and the other ISP's out there that refuse to accept mail from dynamic ranges, but you should be blaming the spammers for ruining email as we know it, and you should blame your provider for not allowing you to have a static IP address.

      The ISP I work for only does Static IP addresses (except for dialup customers), all of our DSL customers are allocated a static IP address. This is common if you shop around. From what I understand there are many bigger providers that will allow you to have a static IP address for a few more dollars a month if you can show that you are not using it for commerical purposes, furthermore ISP's like SpeakEasy offer static IP addresses as a part of their typical DSL offerings (no i don't work for them).

      Also, if you're running a server on those dynamic ranges with Comcast you are clearly violating their TOS. Again vote with your wallet and find a provider that is more reasonable with their TOS and IP space. Or get a few friends together and pitch in for a virtual server somewhere. You can find a decent virtual server that will suit all of your needs for less then $50 a month, hell get 5 friends together and it's only $10 a month, surely you can afford that. Plus you can say you have your own server somewhere. :-)
  • by SWroclawski ( 95770 ) <serge@@@wroclawski...org> on Monday May 24, 2004 @08:17PM (#9243491) Homepage
    Incoming mail servers are arguable, though not allowed in Comcast's EULA, but outgoing- I can't think of a single good reason why a user needs to run their own outgoing mail server and not relay through the Comcast server.

    Yes, the Comcast tech support people are complete morons, I'm a Comcast subscriber myself. I hate them too, but I can't think of a good reason to allow outbound port 25 mail. One could possibly make an argument about authenticated SMTP relays with silliness like POP before relay, but IMHO such systems are broken (and I've used them- I should know). It's better to use SASL and encrypt the whole thing.

    When Comcast starts monitoring indivudal users though- I do get more than a little concerned.
    • If it's outgoing mail, it's a mail client.

      I doubt that their TOS disallows one to use a mail client.
    • Simple. I want to send mail with a return address of @lancemcgrath.com, which is my domain.

      Comcast's mail servers won't let me "forge" the headers like that.

      Reason found.
    • by frovingslosh ( 582462 ) on Monday May 24, 2004 @09:26PM (#9243968)
      I can't think of a single good reason why a user needs to run their own outgoing mail server and not relay through the Comcast server.

      Just because you can't think of a reason to not use the Comcast server does not mean there are not good ones. I've recently been put in the same boat by BellSouth, and I assure you there are good reasons for not wanting port 25 blocked.

      First of all, if you, like me, have a notebook and actually move frequently from location to location (home, work, family and friends houses, public sites with wireless access) then you want to be able to configure your mail client so that it will reach a mail server that you can log into and not have to change settings every time you change location. If you have a mail server outside of a "me only" mentality ISP then this is simple and straight forward. But when the ISP blocks port 25 (as well as not letting you use their meil servers whenever you're not originating from their network), it's a royal pain in the ass to reconfigure all the time.

      Also, if you, like me, administer or help maintain a valid mail server off of the Comcast network, you may well find it important to actually send mail through this server. Or you might even have a company policy that states that all business mail must be sent through the compnay mail server. No problem if port 25 isn't blocked and you log into the server you want. Big problem if some short sighted system administrator at your ISP insists that everyone should be expected to use the Internet in exactly the same way.

      And I can't speak about quality of service at Comcast, but at BellSouth the mail server is frequently down. This was not a significant problem if I had to send time critical information out as long as I had port 25 open and could log into one of the other servers I use. Now it's a problem even from my desktop system.

      Fighting spam is great, but fighting stupidity is even more important.

  • by Faust7 ( 314817 ) on Monday May 24, 2004 @08:18PM (#9243501) Homepage
    However, they can block that port on individual cable modems-a sort of surgical strike.

    Bit like Whack-A-Mole, then?
  • Wrong approach? (Score:5, Insightful)

    by thedillybar ( 677116 ) on Monday May 24, 2004 @08:20PM (#9243507)
    However, they can block that port on individual cable modems-a sort of surgical strike.

    Why don't they block it on ALL cable modems and let people unblock it if they wish? The majority of users who go through the trouble to unblock it are going to run secure machines. Even if they don't, it's going to reduce the number of spam bots.

    And they won't have the privacy advocates all over them...

    • Re:Wrong approach? (Score:5, Insightful)

      by LostCluster ( 625375 ) * on Monday May 24, 2004 @08:30PM (#9243594)
      What I would love to see somebody come out with is a provider-side web configurable firewall. Basically, a way to tell my ISP "If you're getting incoming port 80 requests coming my way, don't bother me with it."

      In the default configuration, all ports below 1024 should be blocked, and there should be some explanation to the user that if they want to offer a home-based webserver, they have to visit the designated area on the provider's site to indicate that they want port 80 incoming traffic. That way, ISS-worm-of-the-week traffic will not bother your last mile bandwdith if there's no web server home.

      Outgoing ports can be restricted the same way. Outgoing port 25 should only be allowed to official mail servers, unless the user specifically requests otherwise. That way, if a Spam-bot gets in, most users will already be set to not let it out...
      • Re:Wrong approach? (Score:3, Interesting)

        by nfsilkey ( 652484 )
        What I would love to see somebody come out with is a provider-side web configurable firewall.

        While I am a student at utexas.edu, I must speak up about https://firewall.tamu.edu/ [tamu.edu]. Apparently the resnet team in College Station filters the heck out of their residents' hosts, but allows them to open their boxes up interactively on the fly without having to call tech support. This is all based on what I have gleaned from the TAMU CIT online writeups, so of course dont quote me on it. While I do not have a
  • by Tourney3p0 ( 772619 ) on Monday May 24, 2004 @08:21PM (#9243512)
    Won't someone please think of the zombie child processes?
  • by crow ( 16139 ) on Monday May 24, 2004 @08:22PM (#9243523) Homepage Journal
    If the block outgoing port 25, but not incoming, then it shouldn't mess up people who are running their own mail servers, provided they configure them to use the ISP's mail server as a relay. That's how the whole system was originally supposed to work in the pre-spam days, anyway.

    On the other hand, there's no need to block incoming port 25 unless they're afraid of people running unsecured open relays. Fortunately, that's rarely the case, right? Or are the virus zombies really turned into raw open relays? I'm under the impression that they're controlled more directly, presumably through some different port.
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Monday May 24, 2004 @08:24PM (#9243543)
    We in the anti-spam community have been yelling this for a while. Since early 2004, most spam is sent through unwitting zombies (compromised Windows hosts) that are remotely controlled spam bots. This is not just an open relay issue. These hosts are hacked in an automated fashion and loaded with spamming software.

    Now obviously, there's a lot an ISP can do about this and it doesn't have to be as drastic as blocking port 25 outright. Users which generate suspicious amounts of TCP port 25 traffic could be reassigned IP addresses from a probation-class pool. That is, hosts within that netblock might not be allowed to make port 25 connections, or might be advertised to the world as block-on-sight.
  • Comcast's Agreements (Score:5, Informative)

    by Roguelazer ( 606927 ) <Roguelazer AT gmail DOT com> on Monday May 24, 2004 @08:30PM (#9243590) Homepage Journal
    Anybody here ever read a Comcast Usage & Subscriber Agreement? I have. They're quite... chilling to read. Lots of people have posted about the forbidding of running a server of any kind, so here it is: Acceptable Use Policy [comcast.net]

    The area you're referring to is
    (xiv) run programs, equipment, or servers from the Premises that provide network content or any other services to anyone outside of your Premises LAN (Local Area Network), also commonly referred to as public services or servers. Examples of prohibited services and servers include, but are not limited to, e-mail, Web hosting, file sharing, and proxy services and servers;

    For example, take a look at this quote, which makes my browser's caching of Slashdot's GNAA posts illegal:
    (ii) post, store, send, transmit, or disseminate any information or material which a reasonable person could deem to be objectionable, offensive, indecent, pornographic, harassing, threatening, embarrassing, distressing, vulgar, hateful, racially or ethnically offensive, or otherwise inappropriate, regardless of whether this material or its dissemination is unlawful;


    Try reading this one: Subscriber Agreement [comcast.net]. This section, in particular, gives Comcast permission to view any information transmitted over the network from or to you:
    Comcast shall have no obligation to monitor postings or transmissions made in connection with the Service. However, you acknowledge and agree that Comcast and its agents shall have the right to monitor any such postings and transmissions, including without limitation e-mail, newsgroups, chat, IP audio and video, and web space content
    Section 9's cool too. It says that you waive the right to sue them in a real court, but instead will have a hearing before a "neutral arbitrator". Anyhow, you should read all that stuff. Some of it's absolutely unique.

    If I don't get modded up for this, I'll be amazed
    • Section 9's cool too. It says that you waive the right to sue them in a real court, but instead will have a hearing before a "neutral arbitrator".

      You can get the right to sue in court back, or alternatively force them to waive the right to sue YOU in court. See battle of the forms [cexx.org] for more info.
  • Port blocking (Score:5, Interesting)

    by Openstandards.net ( 614258 ) <slashdotNO@SPAMopenstandards.net> on Monday May 24, 2004 @08:32PM (#9243610) Homepage
    I don't believe any ISP should block ports. It's a slippery slope. The ISPs should be utilities, like electric companies, providing you an unhindered connection to the Internet.

    I have two primary requirements for an ISP. (1) must not block any ports for any reason. (2) must provide at least one static IP.

    AOL blocks game ports, so they can charge you $5 more per month for opening the ports. They were one of the first to change the role of ISP from utility to controlled collector of optimal revenue. I have for at least 5 years told everyone to get rid of AOL. Unfortunately, today, people have come to accept the idea that it's ok for an ISP to block ports.

    As for the zombies, the ISPs should try:

    • Informing their customers that their machines are infected. Seems obvious, but it's obviously rarely done, as most users don't know they are infected.
    • Provide links to free virus detection and spyware removal software. There is a lot of it out there. If the users don't want to by Norton, they could at least try a free one. I bet most don't know that there are free options available.
    • Offer free Linux CDs.
    • Re:Port blocking (Score:3, Insightful)

      by bigberk ( 547360 )

      I don't believe any ISP should block ports. It's a slippery slope. The ISPs should be utilities, like electric companies, providing you an unhindered connection to the Internet.

      I agree. An ISP is not only hurting some of its customers by blocking ports outright, but also decreasing its value when the competition might allow you unfettered IP access (or, as I call it, real Internet access). Of course, the ISP can and should inform or even disconnect customers that are spam sources. There are tons of clue

      • Re:Port blocking (Score:5, Interesting)

        by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Monday May 24, 2004 @09:00PM (#9243802) Homepage
        If I set some large device to store energy and then send it back into the grid wrong (lets say it comes into my house at 220v, 60hz so send it at 1500v 300hz) therby screwing everything up for everyone else on my section of the grid, don't you think the power company would come and cut me off?

        In fact, thanks to safties in the power system, if you tried that you'd probably blow up the transformer outside your house. This would cut off you from the rest of the grid and protect everyone else.

        It's the power company's job to give me good service. Steady power, clean, no problems. My ISP (who actually IS Comcast) should be the same way. Fast, reliable, no problems. Instead ISPs often follow your "we're just the middle man" theory. This leads to my 'net connection getting wasted by downloading tons of spam for every real message that should get through.

        The power company won't let you scew up THEIR network. The phone company doesn't look kindly to people hijacking phone lines and using them for free, and ISPs should be no different. They should FIGHT these zombies.

        After all, zombies cut into the bottom line in traffic that has to be passed (both outgoing spam and incomming spam), storage (storing spam on their e-mail servers), and other such things.

        Knock the zombies off the network. This is no slippery slope, this is climbing back UP the "you can do whatever you want even when it makes the internet worse for 99% of people" hill that a blind eye has slid us down.

        I won't lose sleep, and neither should you.

    • Re:Port blocking (Score:5, Interesting)

      by Hays ( 409837 ) on Monday May 24, 2004 @09:00PM (#9243804)
      You should not make an analogy between ISPs and traditional utilities like the electric company. Electricity is one way. Internet is two way. No matter what you do with your electricity, it won't destroy the rest of the grid. (barring extreme things for which you WILL receive a visit from the electric company). On the other hand, it's easy for one internet costumer to ruin the experience for many others (by sending thousands of spam a day, for instance).

      A better analogy might be a phone company. They sure as heck don't give you freedom to use your phone however you want.

      But anyway, I agree that ISPs should be unhindered connections to the internet, but only in one direction- to the client.
  • by bludstone ( 103539 ) on Monday May 24, 2004 @08:35PM (#9243640)
    "You shot the zombie flanders!"
    "He was a zombie?"

    What did the vegetarian zombie say?
    "Graaiiiinnnnsssss"

    http://www.brains4zombies.com

    Old unix hackers don't die, they just turn into zombie processes.

    I'm sure I'm missing a ton.
  • by Doc Ruby ( 173196 ) on Monday May 24, 2004 @08:38PM (#9243668) Homepage Journal
    Research has shown that stopping zombies requires blowing their brains out. It's them or you, so don't hesitate. BTW, more recent research suggests that the FZVA [fvza.org] is a front for the vampires, so you're on your own when you stake 'em and bake 'em. We've got a SOLASER to destroy the biters, but the shamblers still require brute force.
  • by The Bungi ( 221687 ) <thebungi@gmail.com> on Monday May 24, 2004 @08:45PM (#9243707) Homepage
    Why would blocking outbound 25 be a problem?? Cox did it a couple of months ago. Blanket block to all its residential customers, with no advance warning. Just like that.

    It took me three days to figure out why I couldn't connect to my domain server (which is hosted by my ISP).

    Much as I disliked the idea, if Cox did it then Comcast should, too. If anything that would take care of about 90% of all the zombies. The ones in the business customer base are probably counted in the few hundreds and can be dealt with on a case-by-case basis.

    And I don't see why it sucks if you're running your own email server - inbound 25 should no be closed, and you can send through Comcast's relays anyway. Or at least that's how it works with Cox.

  • by Radi-0-head ( 261712 ) on Monday May 24, 2004 @08:47PM (#9243720)
    Unless you pay about $85 a month for a "commercial" account, Cox has been blocking port 25 to anything but their own mailservers for more than a year now.

    It sucks, but nobody can match their speed in my area... certainly not DSL.
    • No biggie. Every MTA provides a feature to use a "SMART HOST." This is exactly the point of this. INBOUND port 25 does not need to be blocked, just outbound for this to have an effect. Home user's running their own mail server should have nothing to fear assuming they set their servers up to use a smart host.

      Honestly, whats one more hop? Play nice and let your ISP know you are doing it. If your not a hastle to them, I bet they won't care. I've been doing it for years.

      Just my 2cents.

  • by LaForce ( 688117 ) on Monday May 24, 2004 @09:00PM (#9243803)
    Up until now, ISPs have been able to hide behind their status as a common carrier for anything illegal that their customers do. They don't monitor, thus, they can't do anything about it. Comcast is admitting their ability and willingness to monitor the types of traffic their customers are producing, and block undesirable traffic. How long before this gets turned around and smacks Comcast (and their customers) with problems?
  • Bot hunting (Score:4, Interesting)

    by Enoch Zembecowicz ( 698998 ) on Monday May 24, 2004 @09:07PM (#9243842)
    The ISP I work for (name withheld to protect the proactive) has what I consider to be a good policy for handling bots. I think it is good because I came up with it myself. Any host that we get a complaint about is portscanned (all ports are scanned). The output from nmap is then fed into amap for application fingerprinting and mothra to grab banners. We then suspend the customer's internet access until they clean up the computer. On the whole port 25 thing, ever day we find systems that are running SMTP servers on bizarre, very high ports.
  • My local ASP [pe.net] has a good solution to this. By default, port 25 is blocked, but customers can ask for it to be allowed through. The presumption is that if you know enough to ask for port 25, then you can take proper responsibility for your machines.
  • Not surprising. (Score:3, Interesting)

    by Bill_Royle ( 639563 ) on Monday May 24, 2004 @09:13PM (#9243883)
    Even if Comcast goes forth with this, it's just a drop in the bucket. Maintaining an open database of websites known to propogate spam, then blacklisting them would do more.

    Of course, that'd require *real* work and verification, as those sites move all the time. Still, it's possible.

    The point is, this is lipstick on a pig. No amount of port blocking is going to stop dumbass users from being turned into zombies, short of pulling the plug or blocking their access to a database of known-to-be-harmful sites.

    Here's an idea: how about disabling it like they are considering, and then putting them on a probationary term? They'd be able to continue with Comcast, but their traffic would have to be filtered through the blacklist for, say three months?

    I know it's not popular to talk about censoring sites, but it's wasteful in terms of productivity and economics to have to clean up after these zombies all the time. Perhaps the "denial of service" should be applied to those infected, say after two incidents?

    Just thoughts. I applaud Comcast for thinking about it, but can't help but shake my head as to the likely effectiveness.
  • by IBitOBear ( 410965 ) on Monday May 24, 2004 @09:34PM (#9244021) Homepage Journal
    Comcast could and should have gone ahead user-runtime-reversably blocked all of the common low service ports (1-1024) a long time ago.

    By user-runtime-reversable I mean:

    Put up a web page that I can connect to from my served address only, that lets me check-mark the common ports I want to allow in/out/both. And, most importantly, *NOT* change billing or pricing by check-box etc.

    The default map would never be changed by users that don't care, and thus zombie-spam would be greatly reduced.

    The custom map would be useful for those who do care.

    Keying this on the "hostname" a paying customer sends with their DHCP requests, or by IP address and giving out nearly-static leases by default and clearing the map when a lease is lost, would be child's play. It is no harder technologically than dynamic DNS.

    It could be instanciated anonymously one day and the only legitamate users who cared would even notice. As long as there was an obvious "so your ports were just locked on a service you were running at home and you don't like that? here's how to open them" link obviously placed on an "expert users" page on the corporate web site everythign would be self-healing.

    Of course that implies that they have rationally segmented their network so that the routers can leverage this information in reasonable time.

    Eveidence suggests that they have-not so segmented. (You would not *beleive* the amount of cyclic arping across multiple address ranges I see from their servers on my cable modem segment...)

    Heck, the simple intelegence-test-effect created by requiring a user to find their own hostname string from inside either their active configuration or their setup invoice would be enough to stop all sorts of shenanagans... 8-)

    So anyway Comcast, get a nice firewall box, set up a permiable wall, with a nice default mask, and let users instanciate a private mask if they so desire by visiting their service settings web page.

    Not that hard, unless you bought your infrastructure *really* cheap... 8-)
  • IAAMCCNE (Score:5, Informative)

    by papasui ( 567265 ) on Monday May 24, 2004 @09:41PM (#9244052) Homepage
    I am a major cable company network engineer... and while the idea of allowing certain people access to having the ports open is nice in theory, it would be nearly impossible to implement on a large scale operation. With existing infrastructure all restrictions are placed in the access control list on the CMTS router. Without purchasing additional firewall equipment that can service a 1/2 million customers, which would run upwards of hundreds of thousands of dollars. The only way to selectively allow individual ip addresses to be able to use outbond would be to have individual allow statements for each customer who requested it placed on the ACL. Since nobody but the network group is allowed access to these systems we would need individual people dedicated to simply adding ip addresses to the ACL. And of course since each time a packet on port 25 is sent the entire outbound port 25 ACL is processed the load on the routers would be so high that additonal upgrades would be necessary. The entire reason to block all outbound port 25 connections is to stop those with viruses/spam relays from causing the isp's email server from ending up on blacklists from the likes of AOL, earthlink, and other very large isps. So the trade off is you inconvince those customer's who are already violating the acceptable use policy by running a prohibited email server or force them to use your outgoing smtp server. In the end the vast majority of customers are much happier because their email works better, has less spam and garbage and the isp has less work to do by contacting and disabling the service of those customer's spreading viruses or spam via email. If your the type that needs a service that allows servers, static ips, 4 hour service resolutions, higher upload then you can pay extra for those things and get a business class connection. That's really what it boils down to.
    • Re:IAAMCCNE (Score:3, Insightful)

      If your the type that needs a service that allows servers, static ips, 4 hour service resolutions, higher upload then you can pay extra for those things and get a business class connection. That's really what it boils down to.
      -

      Or just sign up with Speakeasy, that gives you all of the above except an SLA, and doesn't meddle with what you do with your connection and justify it with the misdeeds of hojillions of clueless newbies on their network.

  • by Dimensio ( 311070 ) <darkstarNO@SPAMiglou.com> on Monday May 24, 2004 @10:00PM (#9244134)
    Apparently they haven't been turning a blind eye to the problem after all.

    Yes, yes they have. They ignore complaints. If they weren't turning a blind eye to the problem, it wouldn't be necessary to totally block Comcast's IP space on mail filters.

    They have the ability to take action when they receive abuse reports regarding zombie machines. They have thus far done nothing. It seems as though the volume of users bitching about being firewalled from the rest of the 'net as a result of their ISP's total inaction has finally reached a critical point.
  • by IBitOBear ( 410965 ) on Monday May 24, 2004 @10:04PM (#9244156) Homepage Journal
    I would dearly love it if Comcast (nee any and every ISP) offered a spesific /dev/null address that I could use with icmp-redirect like clarity.

    When I see a bunch of bogus packets slam into my box that have no reason to exist, I would like to be able to automagically do the IP equivalent of call blocking.

    Sending an ICMP-REDIRECT-like message out in response to a bogus packet should be snuffled up by the ISP equipment and taken as a "call block" request against a particular peer address.

    So if I rig up my firewall to icmp-redirect to some magic address (say 0.0.0.0, which is never legal in a redirect), the upstream router should process it as, say, a 24 hour ban of packets from that address to my address.

    Were such a thing to become common, the ISP could forward that ban on to the next upstream peer and so on until the "well behaved" router closest to the miscreant would be keeping the wastage off of the backbones entirely.

    Since it is a poit-to-point ban it would be rather effective without letting malicious third parties do too much damage unless they could get common-segment with one of the parties.

    Talk about killing a DDOS at the diverse roots.

    Anyway, it would need a little refinement to keep the haxors next door from pretending to be me and cutting all of the sites they sniff me using, you know, check mac addresses or require me to use an activation squib from my firewall from time to time....

    But it should be easy and safe enough once the nearest "Real" router got the do-not-call packet.
  • by DavidinAla ( 639952 ) on Monday May 24, 2004 @10:16PM (#9244227)
    My father had BellSouth DSL, and they've started blocking Port 25 for outgoing mail. This means that he couldn't send mail through the third-party mail server that he's been using for years. I don't want to have to change his settings (and he doesn't want to give people a new address) every time he has to change ISPs, so he pays a bit of money to use NetIdentity.com for his mail.

    Since BellSouth wouldn't use some sort of reasonable measure of WHO was abusing the service instead of treating everyone as a spammer, we switched him to another DSL carrier. I think it's unreasonable to expect everyone to have to use ONLY the mail server of the ISP.

    BTW, BellSouth said they WOULD open Port 25 if my father would pay double the money for a "business-class" DSL account, which shows me that it's more of a marketing distinction on their part than a distinction with a truly technical justification.
  • Redirection (Score:3, Interesting)

    by macdaddy ( 38372 ) on Monday May 24, 2004 @10:37PM (#9244304) Homepage Journal
    I'm trying to convince the powers that be to redirect outbound SMTP from all but our business customers and our own server farms to our local SMTP servers. That way we'd force all our normal customers into a mandatory Smarthost configuration. The only problem I've found while trying to get this going is a problem with redirection on Ciscos. It's been a few weeks since I stumbled across it. It's something about the redirected packet using the wrong source IP when dumped onto the wire facing the target of the redirection. Something like that. With a simple Linux firewall this wouldn't be a problem. I vote for redirection personally. Still this adversely affects users using SMTP authentication.
  • by GrouchoMarx ( 153170 ) on Monday May 24, 2004 @11:15PM (#9244501) Homepage
    I'm happy to see that they're planning to do something non-drastic. RCN opted to simply block all outbound 25 and inbound 80, which is asinine. Fortunately I'd already moved from them to Comcast by that point, and Comcast wasn't misbehaving. If they start blocking ports, though, I'll go elsewhere.

    Biggest advantage of running my own mail server? I can run IMAP there as well with squirrelmail, then receive AND send mail from any terminal in the world on my own account. No screwing around with finding the local SMTP server on whatever ISP I happen to be on. That's far more useful than you realize! And no, I do not accept the idea that just because some people abuse SMTP to send spam that we should slam everyone for it. I also run my own DNS server behind my firewall to let me centrally control aliases to various hosts. That's a perfectly benign act. I also make NTP requests, although I don't serve NTP to anyone else.

    Someone else suggested a good compromise, I think. Default block anything below 1024 (in the appropriate direction, depending on the port), but let anyone explicitly request any given port to be opened, no questions asked. Quick signup on a web form, no long delay. That automatically keeps 99% of the zombies in check (since zombified users, most likely, won't know what a port is) and allows people like me to make full use of an always-on connection. Anyone who has requested a port be opened, however, is monitored not for content but for volume. OK, they'd get cranky if my home web server were slashdotted. Well so would I. :-) If they see a shitload of mail flooding out of my mail server constantly, then either I'm a spammer (in which case they should kill my account) or my SMTP server has been hacked, in which case they can notify me and I can fix it, saving everyone in the world a huge hassle. If I don't fix it, then they can turn the port off until I do.

    Makes everyone happy, and kills most zombies in the process.
  • One solution (Score:4, Insightful)

    by japa ( 28571 ) on Tuesday May 25, 2004 @12:12AM (#9244718)
    I work at a Finnish ISP and we have an automated system that monitors user traffic. Not the content, but the amount. There are lots of rulesets, which may trigger the action. For example scanning X amount of ports in second (like some viruses do). When users computer is determined to be infected/owned by the system, all outbound http connections are directed to a page telling their system is infected and general information on what to do next. All outbound smtp connections are replied by similar kind of error message (and 500 series reply). Besides getting those replies, the customer is basically disconnected from the net. (s)he can't connect anywhere and can't be connected to.

    The system lets the user out of isolation 30 minutes after the reason for isolation has disappeared. Though there are some users who get into isolation, out of it, back again all day long. One has to wonder what the users is doing with the computer? Just having it on, warming the house? Cause they can't surf the net, they can't send email...

    This system has reduced outbound spam drastically! And the best part is, we don't have to find out who is infected (dynamic IPs) and then try to contact the end user (many times not the one who pays..).

    here's the manufacturer's slide show [rommon.com] (don't slashdot him to death..)

news: gotcha

Working...