Comcast Moves?Slowly booting army of infected zombie boxen ( old news - 09:48AM Friday Mar 05 2004) tags: cable · security · spam Comcast recently found a massive swath of their customer IP addresses blacklisted by SPEWS or Spamhaus because of infected residential accounts acting as unwitting spam relays. In fact at the end of February there were 45,010 spam complaints originating from just 5 Comcast IPs alone; though our forums indicate Comcast is slowly moving. - Not often will a cry of "Hey! I've been disconnected!" be met with a round of applause in our forums - unless you're an infected relay pumping the digital ether full of spam. If our forums are any indication, Comcast is taking some degree of action, even if users are receiving letters four weeks after they claim they've installed firewalls and anti-virus software. It's estimated that thirty percent of the world's spam comes through poorly secured PC's that have become zombie marketers. This thread holds additional details, and the letter Comcast is sending out to infected subscribers is reprinted below. -----
From abuse@comcast.net
Date Thursday, March 04, 2004 6:48 AM
To [All my comcast emails]
Subject [[Last name, First]] Policy Violation (Spam - Insecure) [TICKET_ID: XXX]
* * * IMMEDIATE ACTION and REPLY REQUIRED * * *Please read this entire message, review the required action(s) below, and send a prompt reply message to acknowledge receipt of this email.
From: Comcast Abuse Department [abuse@comcast.net]
Comcast has been made aware and verified that a violation of the Comcast Internet Subscriber Agreement and/or Acceptable Use Policy has occurred from your account. These policies can be found at www.comcast.net/terms. Failure to comply with these policies can result in a permanent termination of your service.
The account holder is solely responsible for any and all activities performed from your Comcast service. Please read the following information carefully to ensure that you understand the violation, our policies, and what you need to do to respond to this warning.
Type of violation: Unsolicited Email ("spam") originating from your Comcast connection.
Explanation:We have confirmed that your machine has been involved in
transmitting unsolicited email, an activity that is in violation of the Comcast Terms of Service Agreement. The reporting parties have provided email header information, which clearly shows the IP address of the computer that was transmitting the email. The IP address listed was one that was assigned to your computer at the date and time in question.
******* IF YOU CANNOT ACCOUNT FOR THIS ACTIVITY, THE EMAIL BEING SENT FROM YOUR COMPUTER MAY BE DUE TO A VIRUS/TROJAN INFECTION, A RESULT OF AN INSECURE SERVER, SUCH AS AN OPEN PROXY OR MAIL RELAY, OR A MISCONFIGURED/INSECURE WIRELESS ACCESS POINT ********
POSSIBLE CAUSES:
(1) Your computer may be infected with a virus, which is trying to spread itself by through email attachments.
(2) Your computer may be infected with a virus, which installed an insecure mail server and/or proxy server on your computer. These viruses allow a spammer on the Internet to bounce unsolicited email advertising through your computer and back out to the Internet. The spam messages would look like they originated from your computer's unique Comcast IP address instead of the spammer's, allowing them to remain anonymous. Please note that if this were occuring, your personal email address would not show up in the "From:" address of the spam messages.
(3) You may have intentionally installed a mail server, proxy server, or even a wireless access point that has not been secured, which is vulnerable to relaying of email.
(4) You may have a mailing list (e.g. marketing, bulk emailing) that you intentionally send email to, which generated complaints from the recipients.
ACTION REQUIRED
(1) Please temporarily remove your computer from the Comcast Internet service if you cannot immediately determine the cause the problem and correct it. This action will protect your computer from being further compromised and protect the Comcast network from receiving further complaints about your account.
(2) Remove any viruses and other illegitimate startup processes from you computer. The best method is to install and/or update commercial antivirus software and run a full scan of your hard drive. Please be aware that some recent viruses can avoid detection by antivirus software, or may not be removed entirely when found. Check with your antivirus vendor to see if it is possible to run the software under Safe Mode for a more complete scan. We would also recommend having the security of your computer reviewed by a third-party computer technician or seek help from your computer manufacturer.
(3) Ensure that any servers installed on you home network are NOT accessible from the Internet. It may be necessary to disable, uninstall the services, or in the case of wireless access points, set up encryption (WEP) to protect your network from hijacking.Please reply to this email, keeping the original message and subject unchanged for tracking purposes, upon your receipt of this message. We require your reply to signify
that you have received this message. In some cases, failure to reply can result in account suspension. Further information regarding Internet abuse and security can be found on our web page at »www.comcast.net/terms. This web page also provides links to our Subscriber Agreement and Acceptable Use Policy (AUP); please review these policies should you have any questions or concerns.
Related:- Wednesday Evening Links
- Thursday Morning Links
- Thursday Evening Links
- Friday Evening Links
- Monday Evening Links
- Wednesday Evening Links
- Friday Evening Links
- Can Spam Act Celebrates Five Years Of Ineffectiveness
|
 
Wills
join:2001-01-03
Port Charlotte, FL
| 5 IPs? Please explain to me why 5 IP's were allowed to reach 45,000 complaints.
One would think that 3 or 4 would be enough...
I'm glad they are disconnecting them.
--
Abit VP-6 twin 800EB's @ 1002 Mhz.Proud member of the XDC. | |
|  | 
N3OGH
Will it all be Obama's fault now?
Premium
join:2003-11-11
Philly burbs
 ·Verizon Online DSL
| Re: 5 IPs? I agree..
Half the spam I get is from Comcast.net addresses. I am a Comcast customer, and I'm sure that has something to do with it. Half the mail I get is spam.
The bottom line is, if you won't secure your machine, expect to have your connection cut. If you claim you've secured your machine, and it still pumps out spam, well then, hire a pro and get it right.
If my machine was a spam zombie, I would hope they would give me the chance to fix it, but if I kept spewing out the spam, I would expect to be cut off. | |
| | 
GNXPower
Got Boost?
Premium
join:2003-12-18
Huntington Beach, CA | 'Cause Comcast abuse is a complete joke. The only parts of Comcast that work are those that hose their customers with rate increases. | |
| | 
Bucknet
join:2002-10-18
Hamilton, ON
| I don’t feel it’s the ISP’s reasonability to provide firewalls or antiviral programs. Both are readily available to anyone who wishes to choose those options. Even with firewalls and antiviral in place I see infected machines everyday in the job I do. Just as people don’t update their antiviral programs they also don’t update their operating system, sometimes this is far worse. As ISP’s become more vigilant in protecting their mail server’s spammers have taken to infecting home PC’s more and more. We have some of the fastest speeds in Canada and in the last year have seen a large increase in infected sets running proxy relays. When we spot an infected pc and the user doesn’t answer our contact attemps, the modem is put in quarantine until the user calls in and is advise of the condition their pc is in. For the most part the user is totally unaware of the problem. We will provide them with a number of web sites and informational sites so that they can clean their PC’s but in the end it’s the users responsibility to clean there PC. It should be the responsibility of the ISP to try and keep their footprint as clean as possible so that their user community isn’t impacted by compromised machines residing on that footprint. This is an uphill battle that never ends. We use a 3 strike rule, if a machine appears in the data base 3 times in a certain amount of time the modem Mac is sent to the security dept. and chances of that modem ever being enabled under that customers are reduce greatly. I think we are one of the few isps that are proactive in this area. It’s in the user agreement of most ISP’s if they choose to exercise the option,.Generally we have found our user base to be positive to this approach knowing that at least someone is trying to quell this scourge. | |
| | 
AmeritecTech
Change we can believe in, 1922
Premium
join:2002-09-06
00000
| said by Wills  :
Please explain to me why 5 IP's were allowed to reach 45,000 complaints.
One would think that 3 or 4 would be enough...
I'm glad they are disconnecting them.
Could be one batch of spam. They send millions at a time.
--
Independent thinkers tend to ALWAYS have someone not agreeing with them. It's the non-thinkers that always come in legions." -John Callari | |
| | | 
quibbly
Premium
join:2003-02-07
Sugar Land, TX | Re: Action Required Software firewalls are a complete joke. Easy to bypass and remove. | |
| | | 
Combat Chuck
Too Many Cannibals
Premium
join:2001-11-29
Erie, PA
| Re: Action Required said by quibbly :
Software firewalls are a complete joke. Easy to bypass and remove.
How so? Can you Back this up?
--
Japan-- Now with 30% more climbable telephone poles!! | |
| | | 
Wall9
Tell Me, Did You See It Too?
Premium
join:2002-06-25
Dupo, IL | And you know this because you've done it yourself a million times, right? | |
| 
Nightfall
My Goal Is To Deny Yours
Premium,MVM
join:2001-08-03
Grand Rapids, MI
 ·Site5.com
·AT&T Midwest
 ·Comcast
|  Far beyond Comcast. PEBKAC
Yes, Comcast seems to be making a move. However, ALL ISPs have to make this move. Anyone infected with the Nimda virus for instance. I still get attacks on my router from people infected with this virus. I can't believe it. A patch was out for that attack 6 months before it was released. It has been about a year now (I think) and people are STILL infected? Gimmie a break.
It just goes to show you why the TOS/AUP is written against users having servers on their broadband connections. Even with hardware/software firewalls, the problem exists between keyboard and chair. PEBKAC.
All ISPs have got to come up with a policy. The steps of this new policy should be VERY easy.
1. Infection detected - Warning letter sent out
2. Infection detected a week later - Phone call and warning letter sent out.
3. Infection detected two weeks later - Shut off internet service to home. When user calls to have it reactivated, explain the situation. When the user's computer is cleaned up, then internet service will be reactivated.
All users running these services need to be aware of the situation as well. If they want to run these services and expose them to the internet, then they have to be responsible for them. This means, patching and updating. I have no problem with people wanting to run a small WWW site or FTP site on their connections. The problem is when these things are installed and the ports just opened without any thought to patching or updating. If users want their cake and eat it too, then they have to be more responsible for their systems.
--
My Domain
Nightfall's Hockey and Life Journal | |
| | 
Karl Bode
News Guy
join:2000-03-02
Host:
Road Runner
PC gaming GAMES
PC gaming Tech
| Re: Far beyond Comcast. PEBKAC quote:
1. Infection detected - Warning letter sent out
2. Infection detected a week later - Phone call and warning letter sent out.
3. Infection detected two weeks later - Shut off internet service to home. When user calls to have it reactivated, explain the situation. When the user's computer is cleaned up, then internet service will be reactivated.
The zealots in the newsgroups who would destroy a small Ohio town and all of their pets to stop a spammer will find that unacceptable.
To satiate them, I suggest:
1. Beatings about the head and chest.
2. Floggings.
3. More Floggings. | |
| | | | | 
brandon
Some truth included in this post.
Premium
join:2003-03-31
Hurley, MS | Well more than a year--nimda was released in 2001. | |
| | 
Jason Levine
Premium
join:2001-07-13
Albany, NY
| said by Nightfall :
All ISPs have got to come up with a policy. The steps of this new policy should be VERY easy.
1. Infection detected - Warning letter sent out
2. Infection detected a week later - Phone call and warning letter sent out.
3. Infection detected two weeks later - Shut off internet service to home. When user calls to have it reactivated, explain the situation. When the user's computer is cleaned up, then internet service will be reactivated.
Very good idea. It gives the user ample time and warning to fix the problem while taking care of the situation in a reasonable time frame.
Of course, then you might also have "repeat offenders" who get infected (and are forced to clean their systems) regularly. Perhaps 3 Internet shut offs in a specified short period of time (3 months?) would lead to account termination. (Since they obviously didn't get the point about securing their PC.)
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/ | |
| 
Transmaster
Don't Blame Me I Voted For Bill and Opus
join:2001-06-20
Cheyenne, WY | so simple It would be so simple for the likes of Comcast to give their customers an anti virus and firewall as part of their subscription price.
--
"Remember when hacking a loogy it comes not so much from the lungs but from the soul." | |
| | 
hbreg
Premium
join:2000-11-09
Feasterville Trevose, PA
| Re: so simple said by Transmaster :
It would be so simple for the likes of Comcast to give their customers an anti virus and firewall as part of their subscription price.
This has been discussed before and it wouldn't benefit Comcast 1 bit. The people who's machines are being used as zombies most likely don't have a firewall or A/V software on their computers because:
•They don't know about them
•They don't know how to properly set them up
•They couldn't care less about them
Most computers today come with A/V and Firewall software already installed on them. People just don't know or care about it.
If Comcast gave all of their users A/V and Firewalls can you imagine the support calls to Comcast when people can't configure them properly and can't connect to the Internet. a lot of the support calls now that people are having trouble, Comcast will tell them to turn off any A/V programs and firewalls they have running.
I think if Comcast gets a complaint about an IP being used for spam, monitor the IP, and within an hour they will know by the amount of traffic coming from that machine it is being used for spam and take them off of the network. No warning letters, no phone calls just remove them. Once a person can't connect then they can call Comcast and they can explain it to them. If a person only goes online every few days why have that box on the network spewing spam when you can disconnect the system and it would take a few days for the person to realize they can't get online.
--
I try to keep an open mind, but not so open that my brains fall out. -- Judge Harold T. Stone | |
| | SacredNaCl
join:2004-02-17
Saint Louis, MO
| said by Transmaster :
It would be so simple for the likes of Comcast to give their customers an anti virus and firewall as part of their subscription price.
Ultimately that is what it is going to come to. A few ISP's already do ship firewalls and antivirus programs with this DSL/Cable kits. Unfortunately, most of them are trial offers and those that aren't are usually limited to a 6 month or 1 year subscription to updates.
I'm somewhat hesitant to seek legislation in this area, I don't want the equivalent of drivers licenses for the internet - but it would be the responsible thing for the service providers to go ahead and bite the bullet and tack on "$30-40" to the setup fee to include one. Antivirus and firewall vendors would bend over backwards to hear they could get "$2-3 per month from 1 million customers". Big ISP's have a lot to broker with. Is SBC's deal with Yahoo to provide content really any different than this deal would be? Comcast has to be large enough to be able to get at least that good of deal if not a substantially better one.
If they raise their renewal fee "1-2$" to cover it so be it.
It's not like everyone isn't used to cable rate increases, eh? | |
| | | | |
Karl Bode
News Guy
join:2000-03-02 | Re: so simple quote:
But even then, what percentage of people would actually use it?
Exactly. Or know how to use it. Or bother to update it. | |
| | | | 
vice8686
join:2000-10-13
Lancaster, CA
·RoadRunner Cable
| Re: so simple said by Karl Bode :
quote:
But even then, what percentage of people would actually use it?
Exactly. Or know how to use it. Or bother to update it.
...or, in fact, I've know people to uninstall those programs claiming slow internet speeds. It's sad. | |
| | | | | | bradleym
join:2002-08-05
Dunfermline, IL
·Mediacom
| let the beatings begin! I propose public execution of the spammers themselves in addition to the beatings of the uneducated masses that are being used as relay hosts.
I wish the problem was limited to Comcast - I get spam relayed off tons of other DSL and cable subscribers, too. | |
| ParanoiaInc
join:2002-08-28
Tucker, GA | This could all be avoided if ... If the SMTP protocol required a password to even access the SMTP server. Of course, it would do nothing if someone runs their own SMTP server, but then again that could be port-controlled by the ISP. | |
| |
Jason Levine
Premium
join:2001-07-13
Albany, NY
| Re: This could all be avoided if ... Most of the modern spam trojans include their own SMTP engine, so a password wouldn't protect anything.
As far as ISP port blocking goes, I'm against that. I connect to two systems to download my non-ISP e-mail. If my ISP blocked the mail ports, I wouldn't be able to view my mail and my connection to the Internet wouldn't be as valuable to me. (Ok, I could get everything set to use a different port, but that's beside the point.)
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/ | |
| | | ParanoiaInc
join:2002-08-28
Tucker, GA | Re: This could all be avoided if ... Downloading email is via a different port (POP3) than out-going email (SMTP). | |
| | | |
Jason Levine
Premium
join:2001-07-13
Albany, NY | Re: This could all be avoided if ... In that case, I wouldn't be able to send out e-mails from my non-ISP e-mail account even if I was able to read them. | |
| | 
MidnightOne
@12.45.x.x | 
Just one small alteration of the SMTP protocol: If claimed IP source != real IP source, drop mail.
Selah. | |
|
Jason Levine
Premium
join:2001-07-13
Albany, NY
| Base ISPs off of auto insurance? A thought just occurred to me. I keep hearing Allstate insurance ads which proclaim that if you are a safe driver you should pay less in auto insurance. What if we were to apply the same methodology to broadband ISPs? Take this hypothetical model:
You sign up with ISP X. You can either start with a basic bandwidth amount. Periodically, ISP X checks to see if your system has been generating a suspicious level of traffic. (For example, due to a virus or spammer trojan infection.) If you haven't, you get a bandwidth increase (up to a certain maximum). If you have, you get bumped down in bandwidth and warned about the issue. There would also be a cut off point where, if you flunk the safety test 3 times in a row, you'd get disconnected.
This way safe surfers would get the opportunity to surf faster and infected surfers wouldn't be able to spread spam/viruses as fast (or at all). Of course, there are a lot of nagging details (switching providers would start you from scratch, do anti-virus programs get you an automatic bump up, do you have to provide proof of updating, does a firewall bump you up, etc) but I think the basic plan might work.
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/ | |
| Timo_D
join:2002-10-22
Chicago, IL
| the next step in social engineering So now that ALL email is suspicious (with 419 scams and phishing), who is going to believe an email from "comcast" telling you that you have a virus or worm? I get dozens of those spams every day. Everyone has been trained over the last year or two to be suspicious of ALL email, it has become an untrusted transmission medium, about the only way to verify the validity of a message is that if it "sounds like your friend" when it says it is from one. So this is a nice try but everyone will have to start going out of band, like via phone calls or via letters in the mail (or service disconnections.)
I guess the other thing is that these worms set up their own SMTP engines, which means that the zombie machines may not even be going through comcast's email servers. Could be hitting an open proxy somewhere? So the suggestion to have comcast do authenticate senders might not work. | |
|
tsmode
@200.75.x.x
moderated:
March 5th, @04:30PM
thumbs down from:
ArchAngel21x
N10Cities
| God Good thing those zombies were used for spam and not for ddos attacks
Image removed - MSeng | |
| | 
ArchAngel21x
MacFan Pro
Premium
join:2001-10-28
Lincoln, NE | Re: God Whatever you tried to post attempted to put a cookie on my computer. I didn't appreciate that. | |
| | cbs228
Geeks Of The World, Unite
join:2000-09-04
Saint Louis, MO
| The image in "tsmode"'s post has an URL of:
»64.69.78.71/poll.spark/815011?ballot=8
Going to the URL http://64.69.78.71/ results in a 302 redirection response to http://webpoll.sparklit.com/. The site appears to be a web poll. From the URL indicated above, it seems that "tsmode" is attempting to turn everyone's machines into voters for this web poll.
I have alerted the moderators.
--
"If you stare too long into the abyss the abyss stares back at you." -Nietzsche
GENERAL FAILURE READING ©: DRIVE
(A)bort, (R)etry, (F)rivolous Lawsuits, (B)ribe Congress? | |
| 
rec9140
Provoice just DO it
join:2003-07-29
Mulberry, FL
·RoadRunner Cable
|  Nuke the spammers
03-05-2004 16:25:23 Local7.Debug 192.168.0.1 Unrecognized access from 162.119.64.111:39649 to TCP port 80
03-05-2004 16:25:17 Local7.Debug 192.168.0.1 Unrecognized access from 162.119.64.111:39649 to TCP port 80
03-05-2004 16:25:14 Local7.Debug 192.168.0.1 Unrecognized access from 162.119.64.111:39649 to TCP port 80
03-05-2004 15:47:04 Local7.Debug 192.168.0.1 Unrecognized access from 200.149.125.160:4337 to TCP port 17300
03-05-2004 15:47:01 Local7.Debug 192.168.0.1 Unrecognized access from 200.149.125.160:4337 to TCP port 17300
03-05-2004 15:43:44 Local7.Debug 192.168.0.1 Unrecognized access from 217.217.140.170:2348 to TCP port 80
03-05-2004 15:43:38 Local7.Debug 192.168.0.1 Unrecognized access from 217.217.140.170:2348 to TCP port 80
03-05-2004 15:43:35 Local7.Debug 192.168.0.1 Unrecognized access from 217.217.140.170:2348 to TCP port 80
03-05-2004 15:25:13 Local7.Debug 192.168.0.1 Unrecognized access from 67.165.160.145:2750 to TCP port 17300
03-05-2004 15:25:10 Local7.Debug 192.168.0.1 Unrecognized access from 67.165.160.145:2750 to TCP port 17300
03-05-2004 15:23:35 Local7.Debug 192.168.0.1 Unrecognized access from 220.219.85.212:2891 to TCP port 80
03-05-2004 15:23:29 Local7.Debug 192.168.0.1 Unrecognized access from 220.219.85.212:2891 to TCP port 80
03-05-2004 15:23:26 Local7.Debug 192.168.0.1 Unrecognized access from 220.219.85.212:2891 to TCP port 80
03-05-2004 15:15:52 Local7.Debug 192.168.0.1 Unrecognized access from 199.191.64.1:16800 to TCP port 80
03-05-2004 15:15:46 Local7.Debug 192.168.0.1 Unrecognized access from 199.191.64.1:16800 to TCP port 80
03-05-2004 15:15:43 Local7.Debug 192.168.0.1 Unrecognized access from 199.191.64.1:16800 to TCP port 80
03-05-2004 15:04:17 Local7.Debug 192.168.0.1 Unrecognized access from 151.24.211.16:1285 to TCP port 3127
03-05-2004 15:04:13 Local7.Debug 192.168.0.1 Unrecognized access from 151.24.211.16:1285 to TCP port 3127
03-05-2004 14:37:00 Local7.Debug 192.168.0.1 Unrecognized access from 211.5.43.150:4312 to TCP port 80
03-05-2004 14:36:54 Local7.Debug 192.168.0.1 Unrecognized access from 211.5.43.150:4312 to TCP port 80
03-05-2004 14:36:51 Local7.Debug 192.168.0.1 Unrecognized access from 211.5.43.150:4312 to TCP port 80
03-05-2004 14:08:59 Local7.Debug 192.168.0.1 Unrecognized access from 198.203.102.3:21557 to TCP port 80
03-05-2004 14:08:35 Local7.Debug 192.168.0.1 Unrecognized access from 198.203.102.3:21557 to TCP port 80
03-05-2004 14:08:23 Local7.Debug 192.168.0.1 Unrecognized access from 198.203.102.3:21557 to TCP port 80
03-05-2004 14:08:17 Local7.Debug 192.168.0.1 Unrecognized access from 198.203.102.3:21557 to TCP port 80
03-05-2004 14:08:11 Local7.Debug 192.168.0.1 Unrecognized access from 198.203.102.3:21557 to TCP port 80
03-05-2004 14:07:35 Local7.Debug 192.168.0.1 Unrecognized access from 211.181.86.240:3255 to TCP port 80
03-05-2004 14:07:29 Local7.Debug 192.168.0.1 Unrecognized access from 211.181.86.240:3255 to TCP port 80
03-05-2004 14:07:26 Local7.Debug 192.168.0.1 Unrecognized access from 211.181.86.240:3255 to TCP port 80
03-05-2004 14:07:07 Local7.Debug 192.168.0.1 Unrecognized access from 216.31.128.146:12347 to UDP port 33439
03-05-2004 14:07:02 Local7.Debug 192.168.0.1 Unrecognized access from 216.31.128.146:12347 to UDP port 33439
03-05-2004 14:06:57 Local7.Debug 192.168.0.1 Unrecognized access from 216.31.128.146:12347 to UDP port 33439
03-05-2004 14:06:52 Local7.Debug 192.168.0.1 Unrecognized access from 216.31.128.146:12347 to UDP port 33439
03-05-2004 14:06:47 Local7.Debug 192.168.0.1 Unrecognized access from 216.31.128.146:12347 to UDP port 33439
You will see various attempts from 3127 virus, attempts to get to a non existant web server and various other mal/spy/virus ware.
I wonder how many of RR's 2Millon customers are using a simple router v. connected straight to the PC via USB (most likely) or ethernet.
I really think DSL, ISDN, cable, VSAT, even dial up should require at a minimum a NAT router. That would cut down on alot of the crap. Parterning with one of the anti virus providers would also be a plus.
Maybe they could come up with a litte live CD you put in, run it. It runs a software with no install, updates its virus definitions, and spy/mal/adware definitions then runs an anti virus, and SpyBot S&D then sends a signal to an activation server to enable the account once you get a clean bill of health.
For all those that suggest port blocks.  STEP AWAY from your PC's! Some users have legitimate uses for outbound SMTP on port 25. I have hosted domains which all my mail goes thru and need to access them. I don't need a bunch of hoops to jump thru to send my mail.
I don't try to limit your use, so maybe if there are port blocks we block some ports that really don't have a use. Online game ports.  See you gamers are probably fuming by now. Well, thats how those of us with hosted domains with/SMTP servers feel.
At least comcrap is trying to clean up its network and get the zombies back to the cemetary. | |
| | KitFox
join:2002-10-09
Denver, CO
| Re: Nuke the spammers Okay, so you run a server and domain on your system and have to accept SMTP. However, consider this:
Comcast's ToS does not allow the running of any servers, which includes SMTP. As such, it would not break anything to enforce this by disallowing Port 25 connections to any Comcast customer. (Note: Still allow OUTBOUND 25 traffic, but not inbound). This would not help with the people whose zombies are listening on something like port 31337 or such, but it would defang all the improperly-configured mail servers on home connections. (Of which there are unfortunately way too many.)
And, then consider, under most circumstances, it would not hurt Comcast home users to block outbound port 25 to all but smtp.comcast.net. Unless you fear being discovered doing soemthing wrong (In which case, get PGP or such), or the mail server is down, there really is no good reason to need to send mail directly to another ISP's mail server.
And, for those who scream "Well I have a good reason!!!"... You're probably technically inclined... set a port shift locally and at a remote machine. Connect locally to a hard-coded port, pipe it to a remote machine at a non-blocked port, and have that machine pipe it to the proper location. And anybody who says "But I have SO many machines that I have to send to on the same port!"... You're just not thinking of things hard enough. Remember, your computer has a whole personal loopback /8 assigned to it. 
Overall, yes, some things can make it harder for us who have a clue to get things done, but as long as we can get it done somehow, and we block the ID Ten T errors from other folks, I'm willing to jump through a few hoops to get things done. AS LONG as the hoops are actualy available. (No fair forcing NAT on and not letting me access it.) | |
| mhermeston
join:2003-09-06
Vancouver, WA
| ComKrap Software/Eamil I suggest most of the spam everyone is encountering on ComKrap is due to their software. I believe ComKrap insists that subscribers load this cumbersome software on their computers when subscribing. You don't need it. Just use IE or the "other" one. I believe that ComKrap is allowing certain spammers to use their system to spam you. When I say "use" I mean they are getting their nickel. Recently, ComKrap tried to upgrade their web mail. It did not work and they had to roll back which a huge problem with customers as well as identifying the so-called "blacklist". Now think about that for a minute.......ComKrap only saw that after their upgrade? Or did their spammers suddenly get the door slammed in their face. I just love reverse-slamming. LOL. Did that feel good going in - or - did ComKrap do a little foreplay??
Disclaimer: These are only the opinions of an uninformed noob. My advice: Don't bend over with either the TV or the computer on. Reeooowwww. | |
| | dda
Premium
join:2003-12-29
Bolton, MA
| Re: ComKrap Software/Eamil Comcast didn't require me to install anything, but then I already had broadband from MediaOne, since taken over by AT&T, since taken over by Comcast.
It is easy to see how a machine with a virus-installed proxy/relay could pump out enough spam to generate 45K complaints, provided it was just left on. Even with a 256K upload cap, you can put out a lot of data. | |
| 
FLECOM
Bay Networks Freak
Premium
join:2003-03-03
Miami, FL
| Virus? Hacked? You sure? Why is everyone automatically assuming that these are hacked boxes? i mean, dont you think if 5 ip's can create 45k complaints, those must be some major home-pc's eh?
i would imagine that you will find spammers behind those ip's... not dolts that open attachemtns...
im not saying that it dosent happen but dont be too quick to assume one way or another thats all 
--
BellSouth sucks | |
| | Daemon
Premium
join:2003-06-29
San Francisco, CA
·Comcast
| Re: Virus? Hacked? You sure? They are just relays that hide the spammers true location. The spammers merely send all of the spam through the comcast boxes .
No spammer would last more than 5 minutes if he sent spam directly from a computer to a mail server.
--
-Ryan
The more you know the more you know how little you know,you know? | |
|
copy
@peoril.ameritech
| alot of isp's are infected as well many isp's are infected with the zombies also.
I used to check them out and report the servers that were infected to the tech people, at these isp's.
they would usually have them offline within 24 hours.
I would do it again if it paid something. | |
| | | |
|
|
