 
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| How hard could this be? Many other cable providers have managed to block port 25/tcp - why is it so hard for Comcast? I think they are still regionalized, so some areas may not have the equipment to handle it, but when it looks like they're doing nothing but saying "Yah, we suck", others are inclined to agree with them.
I have been blocking the entire Comcast IP range for months.
Steve
--
Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site | |
|  | 
pnh102
Reptiles Are Cuddly And Pretty
Premium
join:2002-05-02
Mount Airy, MD
 ·Comcast
| Re: How hard could this be? said by Steve  :
Many other cable providers have managed to block port 25/tcp
There are many legitimate email users who send outbound email via Port 25 using their own hosted email services. If they block Port 25, the spammers will simply use another port.
There are other ways to track and disable infected PCs, Comcast should use those instead.
--
Keep America Strong! Bush/Cheney 2004 | |
| | |
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| Re: How hard could this be? said by pnh102 :
If they block Port 25, the spammers will simply use another port.
Huh? My mailserver only listens for traffic on port 25/tcp, so if spammer try to use another port, they're not going to get anywhere.
Steve
--
Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site | |
| | | |
pnh102
Reptiles Are Cuddly And Pretty
Premium
join:2002-05-02
Mount Airy, MD
·Comcast
| Re: How hard could this be? said by Steve :
Huh? My mailserver only listens for traffic on port 25/tcp, so if spammer try to use another port, they're not going to get anywhere.
Sorry, I was not clear in my parent post. I was referring to Comcast's blocking outbound port 25 so that I could not reach my domain's hosted email server.
--
Keep America Strong! Bush/Cheney 2004 | |
| | | Thaler
Premium
join:2004-02-02
Encino, CA
| There are many legitimate email users who send outbound email via Port 25 using their own hosted email services. Correct me if I'm wrong, but I thought basic Comcast internet service (along with most other DHCP internet services) prohibits server functions on their basic residential internet package.
If Comcast were to shut down port 25, customers with these service packages that are legitimately affected do not have any grounds with which to complain upon. Therefore, they could just shut down this port for these customers, and should people complain about this service being blocked...well, RTFM...er, user agreement, not manual. ^_^ | |
| | | |
pnh102
Reptiles Are Cuddly And Pretty
Premium
join:2002-05-02
Mount Airy, MD
·Comcast
| Re: How hard could this be? said by Thaler :
Correct me if I'm wrong, but I thought basic Comcast internet service (along with most other DHCP internet services) prohibits server functions on their basic residential internet package.
You're right, but most of us who do these things are not running servers on Comcast connections. Rather, what we are doing is buying our own domain and hosting, and sending email through that host, using that host's port 25. If Comcast were to block outgoing port 25, then email would not work.
Although most hosting companies do provide an alternative port to send email, it is still not fair that users who keep their machines virus-free should have our connections hobbled because some idiot is too lazy to maintain their system.
--
Keep America Strong! Bush/Cheney 2004 | |
| | | | | 
nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
·Cox HSI
 ·Speakeasy
| Re: How hard could this be? said by pnh102 :
said by Thaler :
Correct me if I'm wrong, but I thought basic Comcast internet service (along with most other DHCP internet services) prohibits server functions on their basic residential internet package.
You're right, but most of us who do these things are not running servers on Comcast connections. Rather, what we are doing is buying our own domain and hosting, and sending email through that host, using that host's port 25. If Comcast were to block outgoing port 25, then email would not work.
Although most hosting companies do provide an alternative port to send email, it is still not fair that users who keep their machines virus-free should have our connections hobbled because some idiot is too lazy to maintain their system.
You're rather contradicting yourself here. First you say that SMTP relay services are available through other ports, then you say that blocking port 25 hobbles your service. Which is it?
I'm sorry, but port 25 is for MTA to MTA SMTP traffic. SMTP submissions via SMTP clients should be done via authenticated connections to the MSA at port 587.
-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron" | |
| | | | 
Rhobite
Premium
join:2002-02-24
Cambridge, MA
clubs:
| We're talking about shutting down outgoing port 25, not ingoing. This has nothing to do with a customer running a server on their Comcast line. Port 25 blocks do affect legitimate users, but given the damage done by spammers I think an ISP is within its rights to block outgoing 25.
--
Jimmysquid.com - I take pictures. | |
| | kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
2 edits | The article addresses this - blocking port 25 would create a tech support nightmare with the possibly thousands of support calls from people who use smtp servers other than Comcast's, and would cost them a lot of money in support costs. Instead, according to the article they will monitor traffic and block the port only for subscribers who are sending out large volumes of email.
IMHO, this is a better solution than blocking the port for everyone. Just punish the bad folks, and leave those who behave alone.
It isn't that they have a large percentage of zombied users out there, it's actually quite a small percentage. The reason they are the "worst spammers" is simply because they are the largest ISP. A small percentage of a large number is still a large number. Blocking 25 would adversely affect a far larger percentage of subscribers than those who are spammers or zombie hosts.
So when you see that more spam is coming from Comcast IPs than, say, Verizon IPs, remember that Comcast has far more subscribers.
--
Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend. | |
| | 
gaforces
United We Stand, Divided We Fall
join:2002-04-07
Santa Cruz, CA | at least they acknowledge the problem  | |
| 
GlenQuagmire
Giggidy Giggidy Giggidy Goo
Premium
join:2004-02-16
Grand Rapids, MI | Proud Comcast Customer Makes me proud to have comcast 100% pure broadband | |
| 
yzerman
Premium
join:2001-12-04
Grand Rapids, MI
| Owch! They got their work cut out for them..
yes blocking port 25 would be a nice start but its not the answer.
The answer is to start killing machines and contacting owners to help fix those compremised workstations.
It's amazing how putting a hardware cable router and a good software antivirus program would take care of (I'm guessing) 90% of these issues.
Why is it so hard for them not to just start manufacturing cable/router devices and come as a router by default? Instead of putting cable modems on machines and having them sit directly on the internet? Half these worms come from direct connections the others come from machines with no antivirus or out-dated antivirus protection. | |
| |
GlenQuagmire
Giggidy Giggidy Giggidy Goo
Premium
join:2004-02-16
Grand Rapids, MI | Re: Owch! Good Idea. Build the NAT firewall right into the cable modem. I am sure that it would not cost that much more. | |
| | 
DracoFelis
Premium
join:2003-06-15
| said by yzerman :
yes blocking port 25 would be a nice start but its not the answer.
I'm not even sure it's all that good of a start. As others have mentioned, there are many legit reasons for directly using port 25.
Also, even if/when a port 25 block is put on, it's often little more than a "band-aid", as there are many ways for malware to get around a port 25 block!
said by yzerman :
The answer is to start killing machines and contacting owners to help fix those compremised workstations.
Agreed! Quickly isolating "infected machines" (while annoying to those who got "isolated"), goes a long way toward containing the "infection".
If a machine is too massively compromised, it should be pulled off the net until it's fixed! And you can even automate this process at the ISP level, by detecting "abuse patterns", and killing that user's traffic, until they contact "customer support" to learn why their access was pulled (they were "infected"), and how to again get re-enabled (fix their PC).
At the University I work at, we have a device we call our "black-hole router". Any IP address in this device is broadcast to all the Cisco routers around campus, with a bogus route that effectively causes that traffic to go nowhere useful (i.e. the traffic for that IP goes "into a black hole"). Network operations can therefore effectively cut off an infected machine (from the rest of the campus and the internet) almost instantly. They will then attempt to contact the owner, and explain why their computer was "cut off". But when an (apparently) infected machine is noticed, it can now be "cut off" very quickly, instead of letting it continue to cause damage (be that SPAM relay, or the latest virus/worm attack) while we try to track down key people!
Yes, there are some people that go "why can't I connect anymore"? So there are a few "support issues" associated with this. However, in the few months we have had this in place, the benefits (of being able to very quickly "pull the plug" on an "infected machine") have far outweighed the extra support costs of people wondering why they can no longer connect! | |
| | | | | LrdVader
Premium
join:2003-12-18
San Diego, CA
| Re: Owch! said by N10Cities :
Comcast's engineers plan to try the innovative approach of identifying the zombie PCs and surreptitiously sending the subscriber's cable modem a new configuration routine that prevents outbound connections on port 25. Zombie-infected users won't even notice
How is it a good thing if they don't notice? If the infected user just gets hit with a port 25 block, and never notices anything is wrong, then that machine is going to stay infected. Sure, it may not be spamming on port 25 anymore, but there are plenty of other antisocial things that can be done through compromised machines that it will remain free to participate in.
IMO, the best solution at the moment is the walled garden approach. Let the user visit antivirus and security sites, and redirect all other pages to an error page explaining the problem and offering links to to sites that can help fix it. Failing that, just brick the damn modem. | |
| | | | 
N10Cities
SILENCE I Keel You
Premium
join:2002-05-07
Roland, OK
clubs: | Re: Owch! Agreed. Stops one aspect of the infection (spam spewing), but still leaves the machine infected..... cutting them totally off so they are forced to fix problems is the only way to get end-user's attention.... | |
| WolfJaguar
join:2003-03-20
Portland, OR | Er? Very nice, so we have free-range spam on comcast.
Not like I haven't noticed. Still gotta wonder why nobody secures their pc's.
Lack of knowledge or just plain lazy? | |
| 
graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
| Old news Quoting from the SPEWS Comcast Evidence File, listing every known Comcast IP address:
»spews.org/html/S2963.html
"Poster child of how not to run a broadband network company
when it comes to dealing with abuse." | |
| | 
Minister
join:2002-01-02
Fleeting | Re: Old news First time an employee has sat there saying "We're the biggest spammer on the internet" that I've seen..... | |
| | |
graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL | Re: Old news LOL. Maybe a first. Will he get to keep his job? | |
| | | | Noodlin
join:2003-07-11
Monterey Park, CA | Re: Old news
That person is possibly already fired and the Comcast PR department is unleashing their best Spin team to do damage control. | |
| | |
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| Re: Blocking Port 25 only treats the symptoms said by gheezer :
It would be better by far to get the infected machines off the internet.
In a sense this is true, in that the real problem is "idiot users", and blocking 25/tcp won't solve that, but I don't care about education idiot users, I care about the rest of the internet that's getting all this trash.
But if there are a few machines that are so badly infected, I don't see why a Comcast engineer doesn't just go through the list once a week and nuke all the bad guys.
It may be that if somebody is sending out 10,000 emails an hour (and contributing to the terrible PR Comcast is getting), they may not really want that customer as a customer: why not just terminate their internet service?
One should not be able to impose costs on others without some consequence.
Steve
--
Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site | |
| | | 
gheezer
Compooters R Us
Premium
join:2002-12-20
Henrietta, NY
| Re: Blocking Port 25 only treats the symptoms said by Steve :
But if there are a few machines that are so badly infected, I don't see why a Comcast engineer doesn't just go through the list once a week and nuke all the bad guys.
It's not a few, some estimates I've seen hover around 10% of N American Internet users. For comcast, that winds up being almost 2.5 million infected machines. (Many just lying dormant)
said by Steve :
One should not be able to impose costs on others without some consequence.
Steve
Agreed 100%!
--
Join the NAVY, see the world....It's mostly water! | |
| | | | 
J D McDorce
Premium
join:2001-12-29
Westland, MI
| Re: Blocking Port 25 only treats the symptoms said by gheezer :
It's not a few, some estimates I've seen hover around 10% of N American Internet users. For comcast, that winds up being almost 2.5 million infected machines. (Many just lying dormant)
Comcast is just inching up on having 6 million subscribers. While it is possible to have multiple machines per account, 10% of 6 million is 600,000. | |
| | | | |
gheezer
Compooters R Us
Premium
join:2002-12-20
Henrietta, NY | Re: Blocking Port 25 only treats the symptoms I stand corrected. | |
| | | ParanoiaInc
join:2002-08-28
Tucker, GA
| How do you know they are truly an idiot and not just playing the role of one? Let's say you are being paid to play the idiot?
Its been known for years (since the dial-up ages) that accounts are opened for the purpose of coverting the real origins of the abuser. Comcast should have nip this in the bud months ago. But then again its like saying AOL should have implemented ADSL long ago. 
What they need to do and setup mandatory requirements in which all users must have their computers prepped as a contingency for service. Remember, we are all humans and none of us were born with the knowledge on how to safely setup a PC for the Internet.
I think the next, best step is to focus on home portals where the ISP hardware includes preconfigured devices. If someone wants to check POP mail then there are plenty of web-based solutions--have at it. Blocking port 25 is NOT new and some ISP's were doing this five or more years ago.
Now, if you are running a setup that is against the residential TOS/AUP then tough luck, and get a business account--that's what they exist for. This sounds like a wonderful opportunity to warn-->then offer those zombie machines+connections. | |
| | | | | | | ParanoiaInc
join:2002-08-28
Tucker, GA | Re: Blocking Port 25 only treats the symptoms Try ZoneAlarm, a free software firewall. | |
| | | | NightVisor
Premium
join:2001-02-28
Rialto, CA | You don't need Comcast's software to access Comcast Internet. As long as your system can use a TCP stack, you can connect.
My Linux box speeds along quite happily without all of the stuff that forced a format/reinstall of my Windoze system. | |
| | 
Sweet Witch
Be the flame, not the moth.
Premium,MVM
join:2003-07-15
Gallifrey | She has a firewall, I'm talking about the hundreds of thousands out there who don't.
--
I'm a woman by the way . | |
| |
Sweet Witch
Be the flame, not the moth.
Premium,MVM
join:2003-07-15
Gallifrey | But the 'idiots' don't know that (and my mother wouldn't let me remove it from hers) and it would be a good way to get them protected.
--
I'm a woman by the way . | |
| | ParanoiaInc
join:2002-08-28
Tucker, GA
| The problem is not only Comcast, its with public education. One has to have a license to fish in many parts of the country, but having children and internet access you are given access without education.
DSLR has a security forum, and I am willing to bet most capable of talking on the telephone to order Broadband can also read. No excuse for not asking. | |
| | 
JTRockville
Data Ho
Premium,MVM
join:2002-01-28
Rockville, MD
clubs:
 ·LINGO
 ·Sprint Mobile Broa..
 ·surpasshosting
 ·Verizon FIOS
| said by gheezer :
It would be better by far to get the infected machines off the internet. It's very simple to locate them, the list is here:
»www.senderbase.org/search?search···nization
By the way, Road Runner is not too far behind, but at least their SMTP Servers SHOW UP on the 1st page of mail senders.
»www.senderbase.org/search?search···nization
Even though Comcast claims to have begun their "hunt" in March, many of the Comcast IPs on IronPort's list have been spewing since way before that. How hard are they hunting?
btw - if you search IronPort's list by domain, you'll see Comcast's MTAs:
»www.senderbase.org/?searchString···y=domain
Even Comcast's MTAs have been blacklisted in the past:
»sccrmhc12.comcast.net being blacklisted by Spamcop
Comcast Forum topic by dda , April 16, 2004
»Spam from Comcast getting worse . . . not better
Comcast Forum topic by newview , March 18, 2004
Spamhaus has been tracking the weekly Comcast top 5 IPs since FEBRUARY:
Comcast Hall of Shame.
If these organizations can figure out which Comcast IPs are spammers, why can't Comcast? | |
| | KUppiano
Karl Uppiano
join:2003-02-02
Ferndale, WA
| Comcast should start distributing cable modems that include a NAT router, like many DSL companies do. Then, at least, users get firewall-like behavior by default.
Their customer's computers would be hard to see on the WAN in the first place, and without opening a virtual server or DMZ, they would be useless to spammers in any case. | |
| | | korstj
join:2000-08-26
San Diego, CA
·Cox HSI
| Re: Blocking Port 25 only treats the symptoms Here we go again with the port 25 whining.
I can't believe how people who have domains hosted on other servers think that that means they MUST send mail through that same server. I work in the industry and see it all the time and when you try to explain to them that it doesn't matter what server they send their mail through, they just don't get it. These are usually the same people that get that glazed look in their eye when you try to explain the difference between an alias and a POP to them.
If someone has a valid reason for sending mail through an external mail server, then they can figure out a way to do it themselves, either by having that server accept mail on a different port or even simply proxying their port 25 stuff through a shell somewhere that doesn't have port 25 blockage.
Frankly, I wish email software would make the SMTP server config totally separate from the POP config. Allow multiple entries, etc, but make it totally separate. Having the SMTP config included with the POP config just confuses people apparently. | |
| | | | |
J D McDorce
Premium
join:2001-12-29
Westland, MI
| Re: Blocking Port 25 only treats the symptoms SenderBase defines NSP as Network Service Provider, as follows: said by »www.senderbase.org/?page=help :
ISP's (Internet service Providers) and NSP's (Network service Providers) are distinguished by the ratio of mail that is sent through servers controlled by that network owner. ISP's send mail through primarily from ISP-controlled servers, while at NSPs, mail is sent primarily from customer-controlled servers.
It has nothing to do with News or Usenet.
In addition, my understanding is that the SenderBase numbers are total email sent and do not differentiate between Spam and legitimate email. On the other hand, the Total number of emails originating from Comcast should be the sum of the comcast.net (800 million+ emails per day) and attbi.com (200 million+ emails per day) domains. This becomes more interesting when one considers that the attbi.com SMTP servers were shut down in 2003 (something overlooked in the article which led to this news item). | |
| | 
newview
Ex .. Ex .. Exactly
Premium
join:2001-10-01
Parsonsburg, MD
| Blocking port 25 is the only action by Comcast that will convince me that they are serious about eliminating spam from their network. I'm certain that their are a lot of blacklist operators, both public and private, that feel the same way.
When push comes to shove, it really doesn't matter whether it's a Comcast spam zombie, a bona fide spammer operating on Comcast's network or a clueless user that's injecting the millions of pieces of garbage on the rest of the internet . . . it's got Comcast's name all over it.
They need to do something NOW.
--
The Rules of Spam | Maryland's New Anti-Spam Law
Where are we going? And what's with the hand basket? | |
| 
Swingerhead
Premium
join:2004-04-06
Richmond, VA
·Verizon FIOS
·Comcast
| Internal SMTP server request How about if you want to use your own SMTP or someone elses, you call in and get pt. 25 released, otherwise its blocked. An email to everyone@comcast would reach those who know what it means and only they could call or email in to get it setup, then on X date the blocks would start. | |
| |
See 7 replies to this post | |
Stine
Premium
join:2004-02-15
Waterford, MI
|  Fine Them
Computer Illiterate People =$200/month
Computer Literate People =$19.99/month
That will teach them to be more responsible.
It doesn't hurt to mandate antivirus software as well. | |
| |
See 9 replies to this post | |
j_7962
join:2004-05-19
Saint Paul, MN
| "stupid users" well, one thing that i have found is that usually, people who fall victim to OMG HACKERS practically ask for it. Too many people leave their wireless unsecured, have no admin password on their computers, and leave the default passwords on the routers. it's not hackers, it's bored assholes taking advantage of stupid users.
Do you have Windows?
Do you have no password?
Like to use peer to peer networks?
Have huge diskspace and bandwidth?
Can't be bothered spending money on anti-virus and firewall software?
Well fret no more! We have expert hackers who can completely screw your system up just for the hell of it! And what's more, they will do it for practically nothing! That's right! FREE disk corruption! FREE spyware! FREE spam! and if you make your PC an even bigger target, FREE spam relay host as an added bonus!
But WAIT! THERE'S MORE!
FREE zombie slave for Distributed Denial of Service attacks at no added charge!
CALL NOW! | |
| | baked247
Can Nib Is
join:2003-06-25
Phoenix, AZ | Re: "stupid users" Talk about a fat thick slice of sarcastic sarcasm . Your point to all of that harbgargle is?
--
What's that beeping noise? And where's that smoke coming from? | |
| | | 
TraumaJunkie
Premium
join:2004-03-05
Knoxville, TN
| Re: PEBKAC Yep...this is where the problem lies. I have Charter service and someone has grabbed one of my email addys and I am getting hit to the tune of 12-25 virus ladened emails per day from all sorts of domains-AOL, Charter, SBC, Yahoo, google, ebay, etc. Now I know many may be spoofed but it is odd that so far none have been from a comcast address. I am blocking the entire domains of those I am receiving but allowing a certain few that I know and that are not sending me the virus attachments. So far, 1 Charter and zero from the other blicked ISPs. Kinda sucks when some legit emails will be blocked but I can live with that until the entire Internet community steps up and stops this problem. It is a combination of greed on the part of spammers and the corps. who use them, the virus creators-lets give a few life in prison without parole and hard labor and see if there is a deterance, and stupid users who need pencil, paper, and stamps and not the internet.
--
Air goes in and out, blood goes 'round and 'round. Any deviation from this can indicate a problem. | |
|
newview
Ex .. Ex .. Exactly
Premium
join:2001-10-01
Parsonsburg, MD
| Discussion in NANAE calling for IDP of Comcast Thread subject:
[MEDIA] Comcast admits they are the biggest source of spam but will not fix the problem
Some quotes . . .
quote:
If this is not a compelling reason for a Comcast IDP, I don't know what is!
quote:
I second that motion.
For whatever reason, I got to doing stats on my mail log for a 12 hour period between 4AM 23/05/2004 to 16:00.
564 emails from Comcast space
1 false positive for spam (a joke email)
1 false negitive for spam (penis pill spammer)
1 legitimate email (another joke, though)
159 spam emails properly marked and blocked.
0 business related emails.
402 virus infected emails properly marked and blocked.
quote:
If this is not a compelling reason to block client.comcast.net and client2.comcast.net and all the two letter state abbreviations.comcast.net I don't know what is.
quote:
As a Comcast customer who now routes his mail through Morely, I heartily endorse blocking Comcast. Maybe that'll get there attention.
»groups.google.com/groups?dq=&hl=···09e902b8
--
The Rules of Spam | Maryland's New Anti-Spam Law
Where are we going? And what's with the hand basket? | |
| | | |
|
|
Comcast Hunts Zombies
PEBKAC