[SpamCop-List] Re: Comcast considers "clever" anti-spam idea
N. Miller
tdy at blackhole.aosake.net
Wed May 26 12:41:10 EDT 2004
In article <c921fj$85h$1 at news.spamcop.net>, pobox.spamcop at kronatech.net
says...
> "Rolf" <user\"@domain.invalid.com> wrote in message
> news:c920l6$6vb$1 at news.spamcop.net...
> > I think you are not entirely correct here. As much as blocking port 25
> > will not completely eliminate abuse through proxies/zombies, a lot of my
> > spam arrives directly from such a zombie/proxy at our mail server which
> > only accepts mail on port 25.
> I think you have zombie/proxy too close together for this particular
> context.
> > So if an ISP would be blocking outgoing
> > connections to port 25 to any IP addresses but its own SMTP servers or
> > even altogether for the case of reconfigured cable modems, such a zombie
> > could not deliver its spew to our mail server and would have to look for
> > other means such as sending it to the hopefully protected ISP provided
> > SMTP server or other zombies on non blocking networks or port
> > redirection services if available to him.
> I guess something got lost from the point here. I'll try to illustrate
> without the assistance of a graphic. You believe the zombie connects
> directly to your server (and are commonly right)...
> Zombie --25--> Daemon
> What you're missing...
> Zombie --17354--> Proxy --25--> Daemon
And on whose computer does that proxy exist? The zombified computer, in most
cases. Proxy listens on port 17354 for incoming connection from the
spammer's computer. Proxy sends SMTP commands to port 25 on my MX. My MX
only listens on port 25, so the Comcast proxy must either connect to port 25
on my MX, or fail to send a message. I have no SMTP process listening on any
other port, so the spam must either come to port 25, or not come at all.
Here is a sample from my MTA log:
> T 20040520 095445 40ab38a6 Connection from 24.218.230.167
> T 20040520 095447 40ab38a6 HELO h02a0cce06676.ne.client2.attbi.com
> T 20040520 095448 40ab38a6 MAIL FROM: <YAKYMNQR at dtl.co.nz>
> E 20040520 095526 40ab38a6 Host 24.218.230.167 blocked by DSBL - message rejected.
> T 20040520 095527 40ab38a6 Connection closed with 24.218.230.167, 42 sec. elapsed.
This shows a connection directly from a Comcast residential gateway zombie,
which is running a proxy; probably without the consent, or even the
knowledge, of that customer. This connection could have been blocked by
Comcast, if they had blocked port 25 outbound. This connection represents
about 90% of the Comcast connections that I get. I don't block their MTAs,
only their residential gateways; insofar as those gateway IP addresses are
included in DNSBLs.
> > It's not the non plus ultra in spam fighting but it adds a little bit
> > and I think at this time every bit helps somehow.
> Absolutely. Every little bit does help. The problem is that the 'solution'
> will become obsolete in a very short period of time, when spammers find that
> user connections on 25 are blocked regularly and it's an easy switch to a
> proxy on any port.
Oh, I see. We are confused! The objective is not to block port 25 ***TO***
the Comcast user's computer, the objective is to block port 25 ***FROM***
the Comcast user's computer. For one thing, if the zombified computer
actually listened on port 25 for the spammer's inbound connection, a lot of
Comcast customers would find out just by visiting a popular port scanner
site. GRC's Shields Up! would quickly identify that the Comcast customer's
port 25 was open. The Comcast customer's zombie/proxy is a true port
redirection service; translating the Comcast user's port 17354 inbound to
port 25 outbound to my MX. See my logs above for the result. Blocking the
Comcast customer's port 25 OUT means that the Comcast customer's
zombie/proxy can't reach my MX. Hmmm. Revisiting your diagram, but being
sure to attach the ports to the devices...
> Spammer's source:port1225>....>port17354:Comcast customer proxy:port2461>....>port25:aosake.net MX
> If that plan was implemented tomorrow, it would kill a lot
> of zombies (not all by far) but it's just a small matter of time before the
> zombies use proxy.
Blocking port 25 won't kill the zombies, it will just prevent them from
connecting to port 25 on MXes. Um, you do know, don't you, that what makes a
zombie is the presence of a proxy? Just how do you imagine that a "zombie"
works? The "zombie" is not a program in its own right, it is a computer with
a proxy running on it. The computer was hacked, or owned, and is under the
control of a remote system. The remote controller installs a proxy in order
to facilitate spamming. That proxy must be able to reach port 25 on an MX in
order to work. If Comcast blocks its customers from reaching port 25 on any
other network than their own, then the spam from that proxy is effectively
cut off from direct access to my MX. It can still be routed through the
Comcast SMTP servers, but...
> SpamCast would then have to face the music to all of the people who believed
> in their 'solution'.
Yep...that will certainly give Comcast a wake-up call.
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
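Added example, not code from the post or from any MTA it mentions: a small Python parser for the log format quoted above that groups records by transaction id and reports, for a given set of source networks, what fraction of inbound connections was rejected by a DNSBL (the kind of measurement behind the "about 90%" figure). The 24.218.0.0/16 range and the two extra sessions in the sample are constructed stand-ins, not data from the post.

```python
"""Added example: measure DNSBL rejections per source network from the
MTA log format quoted in the post (record shape assumed from the sample)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Record shape as quoted: <T|E> <yyyymmdd> <hhmmss> <transaction id> <text>
LINE_RE = re.compile(r"^([TE]) (\d{8}) (\d{6}) ([0-9a-f]{8}) (.*)$")
CONN_RE = re.compile(r"^Connection from (\S+)$")
BLOCK_RE = re.compile(r"^Host (\S+) blocked by (\S+) - message rejected\.$")


def parse_sessions(lines):
    """Group records by transaction id: {txid: {'ip', 'helo', 'dnsbl'}}."""
    sessions = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a transaction record; ignore it
        kind, _date, _time, txid, text = m.groups()
        s = sessions[txid]
        if (c := CONN_RE.match(text)):
            s["ip"] = c.group(1)
        elif text.startswith("HELO "):
            s["helo"] = text[5:]
        elif kind == "E" and (b := BLOCK_RE.match(text)):
            s["dnsbl"] = b.group(2)  # name of the list that rejected the host
    return dict(sessions)


def dnsbl_rejection_rate(lines, networks):
    """Fraction of connections from `networks` (CIDR strings) hit by a DNSBL."""
    nets = [ip_network(n) for n in networks]
    total = rejected = 0
    for s in parse_sessions(lines).values():
        if "ip" not in s or not any(ip_address(s["ip"]) in n for n in nets):
            continue
        total += 1
        rejected += "dnsbl" in s
    return rejected / total if total else 0.0


# Constructed sample: session 40ab38a6 is the one quoted in the post; the
# other two sessions (and the 24.218.0.0/16 range below) are made up.
SAMPLE_LOG = """\
T 20040520 095445 40ab38a6 Connection from 24.218.230.167
T 20040520 095447 40ab38a6 HELO h02a0cce06676.ne.client2.attbi.com
T 20040520 095448 40ab38a6 MAIL FROM: <YAKYMNQR at dtl.co.nz>
E 20040520 095526 40ab38a6 Host 24.218.230.167 blocked by DSBL - message rejected.
T 20040520 095527 40ab38a6 Connection closed with 24.218.230.167, 42 sec. elapsed.
T 20040520 101002 40ab3a11 Connection from 24.218.12.5
T 20040520 101003 40ab3a11 HELO mail.example.net
T 20040520 101005 40ab3a11 Connection closed with 24.218.12.5, 3 sec. elapsed.
T 20040520 102200 40ab3b22 Connection from 198.51.100.7
E 20040520 102201 40ab3b22 Host 198.51.100.7 blocked by DSBL - message rejected.
"""
```

Running `dnsbl_rejection_rate(SAMPLE_LOG.splitlines(), ["24.218.0.0/16"])` counts only the two sessions inside the constructed range and returns 0.5; the 198.51.100.7 session is outside it and is ignored.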