

Nightfall
My Goal Is To Deny Yours
Premium,MVM
join:2001-08-03
Grand Rapids, MI
clubs:
·Site5.com
·AT&T Midwest
·Comcast

reply to Rob
Re: FCC

Let's take it a step further.

There are zombie machines on every broadband provider's network. As of right now, according to my router logs, I am getting hit by comcast, charter, SBC, etc. This goes far beyond just Comcast's problem. Broadband providers need to step up and take care of this problem.

Now you know why some ISPs are not permitting servers to be run on their connections. It is obvious that the common user cannot successfully administer these servers that they want. If they could, then this wouldn't be an issue.

Now, what to do about these infected machines? I still think my original idea works.

Step 1 - Notify the user via email. Give one week for the computer to be cleaned.
Step 2 - Notify the user via email and snail mail or telephone. Give one week for the computer to be cleaned.
Step 3 - Cut user's internet access and notify user. Until system is cleaned, access will not be reactivated.

Make this a policy across the board through all ISPs. That will solve the problem.
--
My Domain
Nightfall's Hockey and Life Journal


Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL
clubs:
I agree with your suggestion.
--
»maxolasersquad.com

TheMonkey2

join:2004-02-07
Charlottetown, PE

edit:
April 16th, @11:48AM

reply to Nightfall
Covad do this all the time .. for spammers and also accounts that harbour virus-infected machines. People who refuse / cannot clean their machines have had their accounts terminated in the past.


oldTDNickell
Premium
join:2000-12-19
Federal Way, WA

reply to Nightfall
said by Nightfall:
Let's take it a step further.

There are zombie machines on every broadband provider's network. As of right now, according to my router logs, I am getting hit by comcast, charter, SBC, etc. This goes far beyond just Comcast's problem. Broadband providers need to step up and take care of this problem.

Now you know why some ISPs are not permitting servers to be run on their connections. It is obvious that the common user cannot successfully administer these servers that they want. If they could, then this wouldn't be an issue.

Now, what to do about these infected machines? I still think my original idea works.

Step 1 - Notify the user via email. Give one week for the computer to be cleaned.
Step 2 - Notify the user via email and snail mail or telephone. Give one week for the computer to be cleaned.
Step 3 - Cut user's internet access and notify user. Until system is cleaned, access will not be reactivated.

Make this a policy across the board through all ISPs. That will solve the problem.

I also agree with you, Nightfall, but I think they have to stop the self-installation hookups.
As it is now, the installer never sees the computer getting the new installation, and that computer could be dirty from the start.

Comcast and other HSI networks need to have some control over hookups from the start. :(
--
Terry D.


Krispy
Premium,VIP
join:2001-12-11
the stix

reply to Nightfall
said by Nightfall:
Step 1 - Notify the user via email. Give one week for the computer to be cleaned.
A week?!?!?! Oh my, within 24 hours these machines can send out hundreds of thousands of messages, a week is FAR too long to wait. In some cases I suspend without warning, I don't like to do it but if it's a particularly busy worm/virus/trojan then it's in both the subscriber's and ISP's best interest to have that machine stop being abused ASAP.

quote:
Step 2 - Notify the user via email and snail mail or telephone. Give one week for the computer to be cleaned.
Another week?!? By now we're into the millions of messages and the machine is likely exploited by a few different groups/individuals. And snail mail is far too costly in the long run (costs more than just the cost of a stamp) and you know where those costs will eventually end up. Do you really want to have to pay for the fact that your neighbor consistently opens any attachment sent to them?

quote:
Step 3 - Cut user's internet access and notify user. Until system is cleaned, access will not be reactivated.
How do you determine if the system is cleaned? Most ISPs' legal departments would choke on their screams if they were told the company was accessing subscribers' PCs, registries, etc.

Subscriber security is the responsibility of the subscriber, sure ISPs have to occasionally take out the whacking stick to remind some people but in the end it's the subscriber's PC and ISPs cannot dictate what they can and cannot do/install/whatever on their PC, the best an ISP can do is say 'you're not going to do it on my network'.

In my opinion one of the biggest problems facing abuse departments right now is the overwhelming number of abuse reports and the lack of any type of standardized logs which makes automation near impossible. For every 100 abuse reports we receive about 80% are invalid (contain no info outside of 'STOP THIS OR I WILL CALL FBI') and the remaining 20% are valid (and that's being generous) but we need to trudge through the entire lot to find that 20%.

Also, it would help abuse departments and their management if network security was more of a selling point as far as the consumer was concerned, if marketing finds out they lost X number of subscribers because the competition responded to abuse reports in a more timely fashion and kept them off blacklists, etc then marketing would be advocating more resources for those departments.
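
An added example, not part of Krispy's post or any ISP's tooling: one way an abuse desk could pre-sort incoming reports, treating a report as actionable only when it carries a Received header that names an address in the provider's range together with a timestamp that has a UTC offset. The address range, the sample reports and that definition of "actionable" are assumptions made for this example.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network

OUR_NET = ip_network("198.51.100.0/24")   # assumed subscriber range (RFC 5737)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample reports.
REPORTS = {
    "rant": "STOP THIS OR I WILL CALL FBI\n",
    "headers": (
        "Your customer is spamming us.\n"
        "Received: from dsl-pool (unknown [198.51.100.7])\n"
        "\tby mx.example.net with SMTP id ABC123;\n"
        "\tFri, 16 Apr 2004 11:02:13 -0400\n"
        "Subject: cheap meds\n"
    ),
    "no_time": "Received: from x ([198.51.100.9]) by mx.example.net\n",
    "not_ours": (
        "Received: from y ([203.0.113.5]) by mx.example.net;\n"
        " Fri, 16 Apr 2004 11:05:00 -0400\n"
    ),
}


def evidence(report):
    """Return [(ip, utc_timestamp)] pairs that can be matched to a lease."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", report)   # undo header folding
    found = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        hop, sep, stamp = line.rpartition(";")
        if not sep:
            continue                  # no timestamp: a dynamic IP cannot be mapped
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue                  # unparseable date
        if when.tzinfo is None:
            continue                  # no UTC offset: ambiguous local time
        for match in BRACKET_IP.finditer(hop):
            try:
                ip = ip_address(match.group(1))
            except ValueError:
                continue              # bracketed text that is not a valid address
            if ip in OUR_NET:
                found.append((str(ip), when.astimezone(timezone.utc).isoformat()))
    return found


def sort_queue(reports):
    """Split {name: text} into actionable evidence and names to bounce back."""
    actionable, rejected = {}, []
    for name, text in reports.items():
        pairs = evidence(text)
        if pairs:
            actionable[name] = pairs
        else:
            rejected.append(name)
    return actionable, rejected


if __name__ == "__main__":
    print(sort_queue(REPORTS))
```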

fantomposter
Phantom Poster
Premium
join:2002-09-21
Independence, OH

reply to Nightfall
said by Nightfall:

Step 1 - Notify the user via email. Give one week for the computer to be cleaned.
Step 2 - Notify the user via email and snail mail or telephone. Give one week for the computer to be cleaned.
Step 3 - Cut user's internet access and notify user. Until system is cleaned, access will not be reactivated.

An infected machine can send millions of spam messages a day. You are letting the infected user send 14 million+ messages before your plan does anything about it. I think that is totally unacceptable.

Upon receipt of a complaint and verification that the machine is infected, easy to do with a scan, the ISP must immediately stop the flow of spam, period.

And that is easy to do also. A simple outgoing port 25 block at the nearest router for the IP address the infected user is on and the flow of spam stops.

There is no reason for anything more than 3 to 4 day turn around time on stopping the flow of spam from an infected machine. Anything less is an excuse by the ISP.


from outer space




from:
Pz_

reply to oldTDNickell
--------------------------------------------
I also agree with you, Nightfall, but I think they have to stop the self-installation hookups.
As it is now, the installer never sees the computer getting the new installation, and that computer could be dirty from the start.

Comcast and other HSI networks need to have some control over hookups from the start.
--
Terry D.
--------------------------------------------

Surely you jest! When Comcast came to install my connection, they fooled around with trying to get it provisioned for a couple of hours... then I had to step away for a couple of minutes. When I returned, they were on my system un-installing some of my hardware drivers for my ATI 8500DV A-I-W, and several other hardware functions along with my dialer for my fax and a few other things (read this as "Custom Written Software" that I had written).

For what it's worth, these guys didn't know the first thing about a computer system, what to do with it, how to work it or anything else. To top it off, when they left, the internet connection wasn't working and my machine wasn't booting correctly. These guys told me the problem was because I have my HP 990 hooked to 2 physical systems at the same time (1 USB; 1 Parallel)!

It took me some 3 days to start from scratch and re-install my operating system and everything else.

Now, if for any reason Comcast comes to do anything, I don't let them touch anything except perhaps the cable modem.. heck.. after all... that's theirs, but if they want to re-plug my machine from out of my router to the back of their modem, I grill em' pretty good to find out what they think they are going to accomplish... and for goodness sake... my keyboard is completely off limits...


newview
Ex .. Ex .. Exactly
Premium
join:2001-10-01
Parsonsburg, MD
·Vonage

reply to fantomposter
said by fantomposter:
A simple outgoing port 25 block at the nearest router for the IP address the infected user is on and the flow of spam stops.
BINGO

But take it a step further . . . port 25 blocking across the entire network. Stopping the spam abusing the rest of the internet takes precedence over the inconvenience of those who may be legitimately sending email thru servers other than those belonging to their ISP.

Then Comcast can fight it out with zombied customers who continually bang on the door of a closed port without the rest of the internet receiving the garbage.
--
The Rules of Spam | Maryland's New Anti-Spam Law
Where are we going? And what's with the hand basket?


TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Underway
·Verizon Online DSL

reply to Nightfall
said by Nightfall:
There are zombie machines on every broadband provider's network. As of right now, according to my router logs, I am getting hit by comcast, charter, SBC, etc. This goes far beyond just Comcast's problem.
According to our sendmail logs we see the same; however, the spam from Comcast is more than all the others you mention combined.
said by Nightfall:
Now, what to do about these infected machines?
Route ALL packets with a destination port of 25 to an authorised Comcast SMTP server. Problem SOLVED Cheaply!

If you disallow direct SMTP from broadband networks, the totality of the spam problem as we know it will cease to exist, and blacklist operators will concentrate on direct spammers.

This would also enhance security, as the major reason for hijacking home PCs on broadband networks is to turn them into spam-bots. There would be nothing to be gained by spammers hijacking computers connected to broadband connections.
said by Nightfall:

Step 1 - Notify the user via email. Give one week for the computer to be cleaned.
Step 2 - Notify the user via email and snail mail or telephone. Give one week for the computer to be cleaned.
Step 3 - Cut user's internet access and notify user. Until system is cleaned, access will not be reactivated.

Make this a policy across the board through all ISPs. That will solve the problem.
This solution is VERY Labor intensive (Labor=$$$), and would actually exacerbate the problem. Spammers would step up the hijackings, knowing they had a very limited time (One week by your solution) to use the infected PCs.

I am afraid port-blocking is the only viable solution if you really want to stop this abuse. I would also advocate blocking all port 80 inbound connections to broadband networks, as a lot of hijackings are for the purpose of "bullet-proof" web hosting.

For those subscribers who absolutely need direct SMTP/HTTP to their home machines, some form of special service can be offered. Perhaps taking a course, and taking a test, and paying a bit more?? Perhaps a periodic security scan on these by the ISP ??

Bob
--
Motor Vessel - Tamara B. - 43' Long-Range Trawler Cape Elizebeth ME.»www.tamara-b.org
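
As an added example (not from any poster or ISP): a per-subscriber variant of the port 25 block that fantomposter and TamaraB describe, which counts the distinct outside mail servers each subscriber contacts directly and emits a block only for the noisy ones while leaving the ISP's own relay reachable. The address ranges, relay address, thresholds and flow-record format are assumptions, and the rule is written in iptables syntax for a Linux-based edge, which the thread does not specify.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Every value here is constructed for illustration (RFC 5737 ranges).
SUBSCRIBERS = ip_network("198.51.100.0/24")  # assumed subscriber pool
ISP_RELAY = ip_address("192.0.2.25")         # assumed authorised ISP mail relay
WINDOW = 600       # seconds per counting window
MAX_DIRECT = 3     # distinct outside mail servers tolerated per window

# Constructed flow records: "<epoch> <src> <dst> <dst_port>"
SAMPLE_FLOWS = """\
1082100000 198.51.100.7 203.0.113.1 25
1082100005 198.51.100.7 203.0.113.2 25
1082100009 198.51.100.7 203.0.113.3 25
1082100014 198.51.100.7 203.0.113.4 25
1082100020 198.51.100.7 203.0.113.5 25
1082100021 198.51.100.7 203.0.113.9 80
1082100030 198.51.100.20 192.0.2.25 25
1082100300 198.51.100.20 192.0.2.25 25
1082100040 198.51.100.33 203.0.113.10 25
1082100900 198.51.100.33 203.0.113.10 25
1082100050 203.0.113.77 198.51.100.7 25
"""


def parse_flows(text):
    """Yield (ts, src, dst, port) tuples; reject malformed lines loudly."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 4:
            raise ValueError(f"line {n}: expected 4 fields, got {len(fields)}")
        yield int(fields[0]), ip_address(fields[1]), ip_address(fields[2]), int(fields[3])


def classify(flows):
    """Map each subscriber seen sending to port 25 to 'allow' or 'block-25'."""
    peers = defaultdict(set)     # (src, window) -> outside mail servers contacted
    seen = set()
    for ts, src, dst, port in flows:
        if port != 25 or src not in SUBSCRIBERS:
            continue             # only outbound SMTP from our own customers
        seen.add(src)
        if dst != ISP_RELAY:     # mail handed to the ISP relay is never counted
            peers[(src, ts // WINDOW)].add(dst)
    noisy = {src for (src, _), dsts in peers.items() if len(dsts) > MAX_DIRECT}
    return {str(ip): ("block-25" if ip in noisy else "allow") for ip in seen}


def block_rules(actions):
    """iptables rules: reject direct port 25, keep the ISP relay reachable."""
    return [
        f"iptables -I FORWARD -s {ip} ! -d {ISP_RELAY} -p tcp --dport 25 -j REJECT"
        for ip in sorted(actions, key=ip_address)
        if actions[ip] == "block-25"
    ]


if __name__ == "__main__":
    decisions = classify(parse_flows(SAMPLE_FLOWS))
    print(decisions)
    print("\n".join(block_rules(decisions)))
```

The subscriber who uses a single third-party mail server stays unblocked, which is the case russotto and JTRockville raise against a network-wide block.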


Nightfall
My Goal Is To Deny Yours
Premium,MVM
join:2001-08-03
Grand Rapids, MI
clubs:
·Site5.com
·AT&T Midwest
·Comcast

reply to Krispy
I agree, a week is a little too long.

If I were in charge, it would be 4 hours or immediate suspension of internet access. However, as other posters have said, this is very labor intensive. How many network engineers are you going to have watching over these connections? The big question is, should they have to be spending hours policing all the computers on their network? I am a network manager and that is my job, but I also regulate what all the computers have on them in my network. On the broadband network, these engineers are going to have much much more to deal with.

Looks like a difficult situation to deal with.
--
My Domain
Nightfall's Hockey and Life Journal


JTRockville
Data Ho
Premium,MVM
join:2002-01-28
Rockville, MD
clubs:
reply to newview
Does the solution always have to be soooooooo draconian?

AOL has enjoyed much success by blocking port email from the offending IPs.

Why couldn't/doesn't Comcast do this?


Nightfall
My Goal Is To Deny Yours
Premium,MVM
join:2001-08-03
Grand Rapids, MI
clubs:
·Site5.com
·AT&T Midwest
·Comcast

said by JTRockville:
Does the solution always have to be soooooooo draconian?

AOL has enjoyed much success by blocking port email from the offending IPs.

Why couldn't/doesn't Comcast do this?

That is also an option.

Maybe keep these ports open to you initially, but then if your system is compromised, the ports are closed. I think of it like network access. You are given full rights to do what you want. If you prove yourself to be a moron when it comes to security, then you are downgraded. If the ISP downgrades you, then they have to submit a message to the user explaining why and so on.

Obviously, this won't fix the port 80 attacks bouncing off my router because you can't close that port if the user is a moron without shutting down their entire internet access.

In some cases, it has to be draconian and in other cases it doesn't. If we want to have a system like this, each ISP is going to have to hire experienced network people to be able to determine if these machines have been compromised. There should be a checks and balances system in place so only the users who have compromised machines have their connections turned off or ports closed. There can be no room for error due to the fact that it will take only one user who gets shut down to complain about it and cause a huge stink.

Since experienced network people cost money, and you are going to need a nice group of them to monitor all the systems and look for violations, I don't see it happening.

It would be easier to just cut the connection instead of doing it the right way.
--
My Domain
Nightfall's Hockey and Life Journal

fantomposter
Phantom Poster
Premium
join:2002-09-21
Independence, OH

said by Nightfall:

Maybe keep these ports open to you initially, but then if your system is compromised, the ports are closed.

Good idea, but how about the converse? Close them all and open it for anyone that asks. My GUESS, 95 percent of the people would not even notice they were closed.

russotto

join:2000-10-05
Collegeville, PA

reply to TamaraB
Anti-spammers are always willing to destroy the net in order to save it.

One point of having a broadband connection -- particularly one such as mine with a static IP -- is to have a first-class connection to the Internet. Some port-80(in) and port-25(in/out) blocked abomination doesn't cut it.


JTRockville
Data Ho
Premium,MVM
join:2002-01-28
Rockville, MD
clubs:
·LINGO
·Sprint Mobile Broa..
·surpasshosting
·Verizon FIOS

reply to Nightfall
said by Nightfall:
Since experienced network people cost money, and you are going to need a nice group of them to monitor all the systems and look for violations, I don't see it happening.
Does Comcast really think they can provide network services without hiring experienced network people? Weren't the "synergies and efficiencies" of running such a huge network supposed to minimize costs such as these?

If you don't see experienced network people dealing with these issues competently, then you've overlooked AOL (and probably other providers too).


TheMadSwede
Premium
join:2001-01-30
Holland, MI
·Charter Pipeline

reply to fantomposter
said by fantomposter:
said by Nightfall:

Maybe keep these ports open to you initially, but then if your system is compromised, the ports are closed.

Good idea, but how about the converse? Close them all and open it for anyone that asks. My GUESS, 95 percent of the people would not even notice they were closed.

I'm with you 100% on this, but I'm also laughing to myself as I imagine all the glass-is-half-empty posters here on BBR complaining about port 25 being blocked by that darn [insert ISP name here]. We're never happy.
--
A good idea expressed in a poor manner is a bad idea.

BosstonesOwn

join:2002-12-15
Everett, MA
clubs:
·Comcast
·Comcast Formerly ..

reply to russotto
said by russotto:
Anti-spammers are always willing to destroy the net in order to save it.

One point of having a broadband connection -- particularly one such as mine with a static IP -- is to have a first-class connection to the Internet. Some port-80(in) and port-25(in/out) blocked abomination doesn't cut it.

Then you choose an ISP that wants to give you those options; Comcast does not give this option. That simple: you want it, you pay for it. I think Comcast should block it and stop all the spam, make our network a better place. Let the other ISPs worry about their problems.

If such a drastic amount of spam is being sent from the Comcast network, I think a port block is well warranted. We want a better, more stable network, and people sending spam over it does nothing for us but drag it down.

Close them ports and save our network, Comcast
--
This package does not contain a winner...


JTRockville
Data Ho
Premium,MVM
join:2002-01-28
Rockville, MD
clubs:
·LINGO
·Sprint Mobile Broa..
·surpasshosting
·Verizon FIOS

Let's not forget the reason why such a drastic amount of spam is spewing from Comcast domains: Comcast has allowed spam to flourish, unchecked, for a very long time.

Does their inaction warrant a port block for their entire customer base?

Maybe. But the situation could be defused much more effectively with a policy that is tough on spammers and zombies, rather than all Comcast customers.


TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Underway
·Verizon Online DSL

said by JTRockville:
Let's not forget the reason why such a drastic amount of spam is spewing from Comcast domains: Comcast has allowed spam to flourish, unchecked, for a very long time.
Why do you suppose that is?? Greed perhaps??

said by JTRockville:
Does their inaction warrant a port block for their entire customer base?
Yes; but I doubt it will ever happen, it would hurt bottom line.

said by JTRockville:
Maybe. But the situation could be defused much more effectively with a policy that is tough on spammers and zombies, rather than all Comcast customers.
An effective policy would work, but it too would affect bottom line. It costs $$$ to chase down, warn, help clean, monitor, and expel users. Greed won't allow this to happen.

Only when action is less expensive than inaction will things change. When a significant portion of the net gets so pissed that they block Comcast IP blocks (both port 25 and 80) will Comcast do something real. They will fix the problem when it costs too much not to.

Bob
--
Motor Vessel - Tamara B. - 43' Long-Range Trawler Cape Elizebeth ME.»www.tamara-b.org


TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Underway
·Verizon Online DSL

reply to russotto
said by russotto:
Anti-spammers are always willing to destroy the net in order to save it.
Actually it's the spammers, and those ISPs and individuals who support them who are willing to destroy the net. Anything to make a buck eh??

Bob
--
Motor Vessel - Tamara B. - 43' Long-Range Trawler Cape Elizebeth ME.»www.tamara-b.org
over 9 years online! © 1999-2008 dslreports.com.