Forums » Comcast Hunts Zombies

Comments on news posted 2004-05-24 09:25:37: Comcast recently confirmed their ongoing (and some say worsening) problems with infected broadband PC's that are acting as unwitting spam relays. ..



Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

How hard could this be?

Many other cable providers have managed to block port 25/tcp - why is it so hard for Comcast? I think they are still regionalized, so some areas may not have the equipment to handle it, but when it looks like they're doing nothing but saying "Yah, we suck", others are inclined to agree with them.

I have been blocking the entire Comcast IP range for months.

Steve
--
Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site


GlenQuagmire
Giggidy Giggidy Giggidy Goo
Premium
join:2004-02-16
Grand Rapids, MI
Proud Comcast Customer

Makes me proud to have Comcast 100% pure broadband


pnh102
Reptiles Are Cuddly And Pretty
Premium
join:2002-05-02
Mount Airy, MD
·Comcast

reply to Steve
Re: How hard could this be?

said by Steve:
Many other cable providers have managed to block port 25/tcp
There are many legitimate email users who send outbound email via Port 25 using their own hosted email services. If they block Port 25, the spammers will simply use another port.

There are other ways to track and disable infected PCs, Comcast should use those instead.
--
Keep America Strong! Bush/Cheney 2004

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH


2 edits
reply to Steve
The article addresses this - blocking port 25 would create a tech support nightmare with the possibly thousands of support calls from people who use smtp servers other than Comcast's, and would cost them a lot of money in support costs. Instead, according to the article they will monitor traffic and block the port only for subscribers who are sending out large volumes of email.

IMHO, this is a better solution than blocking the port for everyone. Just punish the bad folks, and leave those who behave alone.

It isn't that they have a large percentage of zombied users out there, it's actually quite a small percentage. The reason they are the "worst spammers" is simply because they are the largest ISP. A small percentage of a large number is still a large number. Blocking 25 would adversely affect a far larger percentage of subscribers than those who are spammers or zombie hosts.

So when you see that more spam is coming from Comcast IPs than, say, Verizon IPs, remember that Comcast has far more subscribers.
--
Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend.


yzerman
Premium
join:2001-12-04
Grand Rapids, MI

Owch!

They got their work cut out for them.

Yes, blocking port 25 would be a nice start, but it's not the answer.

The answer is to start killing machines and contacting owners to help fix those compromised workstations.

It's amazing how putting a hardware cable router and a good software antivirus program would take care of (I'm guessing) 90% of these issues.

Why is it so hard for them not to just start manufacturing cable/router devices and come as a router by default? Instead of putting cable modems on machines and having them sit directly on the internet? Half these worms come from direct connections the others come from machines with no antivirus or out-dated antivirus protection.

WolfJaguar

join:2003-03-20
Portland, OR
Er?

Very nice, so we have free-range spam on comcast.

Not like I haven't noticed. Still gotta wonder why nobody secures their PCs.

Lack of knowledge or just plain lazy?


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL

Old news

Quoting from the SPEWS Comcast Evidence File, listing every known Comcast IP address:

»spews.org/html/S2963.html

"Poster child of how not to run a broadband network company
when it comes to dealing with abuse."


gaforces
United We Stand, Divided We Fall

join:2002-04-07
Santa Cruz, CA
reply to Steve
Re: How hard could this be?

at least they acknowledge the problem


gheezer
Compooters R Us
Premium
join:2002-12-20
Henrietta, NY


1 edit
Blocking Port 25 only treats the symptoms

It would be better by far to get the infected machines off the internet. It's very simple to locate them, the list is here:

»www.senderbase.org/search?search···nization

By the way, Road Runner is not too far behind, but at least their SMTP Servers SHOW UP on the 1st page of mail senders.

»www.senderbase.org/search?search···nization

--
Join the NAVY, see the world....It's mostly water!


Swingerhead
Premium
join:2004-04-06
Richmond, VA
·Verizon FIOS
·Comcast

Internal SMTP server request

How about if you want to use your own SMTP or someone else's, you call in and get pt. 25 released, otherwise it's blocked. An email to everyone@comcast would reach those who know what it means and only they could call or email in to get it set up, then on X date the blocks would start.


Minister

join:2002-01-02
Fleeting
reply to graysonf
Re: Old news

First time an employee has sat there saying "We're the biggest spammer on the internet" that I've seen.....


GlenQuagmire
Giggidy Giggidy Giggidy Goo
Premium
join:2004-02-16
Grand Rapids, MI
reply to yzerman
Re: Owch!

Good Idea. Build the NAT firewall right into the cable modem. I am sure that it would not cost that much more.


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to pnh102
Re: How hard could this be?

said by pnh102:
If they block Port 25, the spammers will simply use another port.
Huh? My mailserver only listens for traffic on port 25/tcp, so if spammers try to use another port, they're not going to get anywhere.

Steve
--
Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
reply to Minister
Re: Old news

LOL. Maybe a first. Will he get to keep his job?


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to gheezer
Re: Blocking Port 25 only treats the symptoms

said by gheezer:
It would be better by far to get the infected machines off the internet.
In a sense this is true, in that the real problem is "idiot users", and blocking 25/tcp won't solve that, but I don't care about educating idiot users, I care about the rest of the internet that's getting all this trash.

But if there are a few machines that are so badly infected, I don't see why a Comcast engineer doesn't just go through the list once a week and nuke all the bad guys.

It may be that if somebody is sending out 10,000 emails an hour (and contributing to the terrible PR Comcast is getting), they may not really want that customer as a customer: why not just terminate their internet service?

One should not be able to impose costs on others without some consequence.

Steve
--
Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site


rstrandb
Premium
join:2003-04-17
Albany, GA
reply to Swingerhead
Re: Internal SMTP server request

It's easier than that, just set your outgoing server to their server number and it works fine then
--
What....me worry?


DracoFelis
Premium
join:2003-06-15

reply to yzerman
Re: Owch!

said by yzerman:
Yes, blocking port 25 would be a nice start, but it's not the answer.
I'm not even sure it's all that good of a start. As others have mentioned, there are many legit reasons for directly using port 25.

Also, even if/when a port 25 block is put on, it's often little more than a "band-aid", as there are many ways for malware to get around a port 25 block!

said by yzerman:
The answer is to start killing machines and contacting owners to help fix those compromised workstations.
Agreed! Quickly isolating "infected machines" (while annoying to those who got "isolated"), goes a long way toward containing the "infection".

If a machine is too massively compromised, it should be pulled off the net until it's fixed! And you can even automate this process at the ISP level, by detecting "abuse patterns", and killing that user's traffic, until they contact "customer support" to learn why their access was pulled (they were "infected"), and how to again get re-enabled (fix their PC).

At the University I work at, we have a device we call our "black-hole router". Any IP address in this device is broadcast to all the Cisco routers around campus, with a bogus route that effectively causes that traffic to go nowhere useful (i.e. the traffic for that IP goes "into a black hole"). Network operations can therefore effectively cut off an infected machine (from the rest of the campus and the internet) almost instantly. They will then attempt to contact the owner, and explain why their computer was "cut off". But when an (apparently) infected machine is noticed, it can now be "cut off" very quickly, instead of letting it continue to cause damage (be that SPAM relay, or the latest virus/worm attack) while we try to track down key people!

Yes, there are some people that go "why can't I connect anymore"? So there are a few "support issues" associated with this. However, in the few months we have had this in place, the benefits (of being able to very quickly "pull the plug" on an "infected machine") have far outweighed the extra support costs of people wondering why they can no longer connect!
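An added example, not part of any post above and not code from Comcast or the university mentioned: one way to implement the per-subscriber monitoring kpatz describes and the automated "abuse pattern" detection feeding a black-hole list that DracoFelis describes. The flow records, the relay address and both thresholds are constructed assumptions, and all addresses come from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime

ISP_RELAYS = {"192.0.2.25"}        # assumed address of the ISP's own SMTP relay
MAX_DIRECT_SMTP_PER_HOUR = 100     # assumed policy threshold (connections)
MAX_DISTINCT_DESTS_PER_HOUR = 20   # assumed policy threshold (mail servers contacted)

def build_sample_flows():
    """Constructed flow records: (ISO timestamp, subscriber IP, dest IP, dest port)."""
    flows = []
    for m in range(5):    # subscriber relaying through the ISP's server
        flows.append((f"2004-05-24T09:{m:02d}:00", "198.51.100.10", "192.0.2.25", 25))
    for m in range(8):    # subscriber using one hosted mail server directly
        flows.append((f"2004-05-24T09:{m:02d}:30", "198.51.100.20", "203.0.113.5", 25))
    for i in range(300):  # zombie-like: many direct connections to many servers
        flows.append((f"2004-05-24T09:{i % 60:02d}:{i % 50:02d}",
                      "198.51.100.30", f"203.0.113.{i % 200 + 1}", 25))
    return flows

def find_quarantine_candidates(flows):
    """Return {subscriber_ip: [hour buckets]} where direct port-25 use exceeds a threshold."""
    conns = defaultdict(int)
    dests = defaultdict(set)
    for ts, src, dst, port in flows:
        # Mail handed to the ISP's own relay is not direct-to-MX traffic; skip it.
        if port != 25 or dst in ISP_RELAYS:
            continue
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        conns[(src, hour)] += 1
        dests[(src, hour)].add(dst)
    flagged = defaultdict(list)
    for (src, hour), count in sorted(conns.items()):
        if (count > MAX_DIRECT_SMTP_PER_HOUR
                or len(dests[(src, hour)]) > MAX_DISTINCT_DESTS_PER_HOUR):
            flagged[src].append(hour)
    return dict(flagged)

def null_route_list(flagged):
    """Host routes to hand to the black-hole device (output format is illustrative)."""
    return [f"{ip}/32" for ip in sorted(flagged)]

if __name__ == "__main__":
    flagged = find_quarantine_candidates(build_sample_flows())
    print(flagged, null_route_list(flagged))
```

The subscriber with a hosted mail server stays under both thresholds and is left alone; only the high-volume, many-destination source ends up on the list.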


gheezer
Compooters R Us
Premium
join:2002-12-20
Henrietta, NY

reply to Steve
Re: Blocking Port 25 only treats the symptoms

said by Steve:
But if there are a few machines that are so badly infected, I don't see why a Comcast engineer doesn't just go through the list once a week and nuke all the bad guys.

It's not a few, some estimates I've seen hover around 10% of N American Internet users. For Comcast, that winds up being almost 2.5 million infected machines. (Many just lying dormant)

said by Steve:

One should not be able to impose costs on others without some consequence.

Steve

Agreed 100%!
--
Join the NAVY, see the world....It's mostly water!

ParanoiaInc

join:2002-08-28
Tucker, GA

reply to Steve
How do you know they are truly an idiot and not just playing the role of one? Let's say you are being paid to play the idiot?

It's been known for years (since the dial-up ages) that accounts are opened for the purpose of covering the real origins of the abuser. Comcast should have nipped this in the bud months ago. But then again it's like saying AOL should have implemented ADSL long ago.

What they need to do is set up mandatory requirements in which all users must have their computers prepped as a contingency for service. Remember, we are all humans and none of us were born with the knowledge on how to safely set up a PC for the Internet.

I think the next, best step is to focus on home portals where the ISP hardware includes preconfigured devices. If someone wants to check POP mail then there are plenty of web-based solutions--have at it. Blocking port 25 is NOT new and some ISPs were doing this five or more years ago.

Now, if you are running a setup that is against the residential TOS/AUP then tough luck, and get a business account--that's what they exist for. This sounds like a wonderful opportunity to warn-->then offer those zombie machines+connections.


Sweet Witch
Be the flame, not the moth.
Premium,MVM
join:2003-07-15
Gallifrey
·Comcast

reply to Steve
My mother has Comcast and I know she has to be running some kind of software to access it, so why can't they simply add a firewall or something to that program that will stop mass-mailings? The software must auto-update so it shouldn't be too hard. They can track which IPs are the biggest offenders easily enough and can use them as 'test subjects' with a simple little statement like "We have discovered that your computer is compromised and is sending large amounts of spam to others. We have installed a program to stop that. If this program is removed, your account will be terminated." Just make the program know to check with the server to verify before allowing access to the internet.
--
I'm a woman by the way .
over 10 years online! © 1999-2009 dslreports.com.