[ISN] The biggest spammer on the Net? Comcast?

From: InfoSec News (isn@private)
Date: Mon May 24 2004 - 23:15:57 PDT


    By Declan McCullagh 
    CNET News.com
    May 24, 2004
    Comcast's high-speed Internet subscribers have long been rumored to be
    an unusually persistent source of junk e-mail.
    Now someone from Comcast is confirming it. "We're the biggest spammer
    on the Internet," network engineer Sean Lutner said at a meeting of an
    antispam working group in Washington, D.C., last week.
    Lutner said Comcast users send out about 800 million messages a day,
    but a mere 100 million flow through the company's official servers.  
    Almost all of the remaining 700 million represent spam erupting from
    so-called zombie computers--a breathtaking figure that adds up to six
    or seven spam-o-grams for each American family every day.
    Zombie computers arise when spammers seize on bugs in Microsoft
    Windows--or from naive users who click on attachments--to take over
    PCs and transform them into spambots. No hard numbers exist, but some
    estimates say that about one-third of spam comes from zombie computers
    with broadband connections. The owners of the zombie PCs typically
    don't even notice what's happening.
    Because home computers are more likely to be infected than business
    PCs, and because Comcast has about 6 million high-speed customers, it
    may have been inevitable that the cable provider became a haven for
    remote-controlled zombies that churn out junk e-mail.
    Don't take Comcast's word for it. IronPort Systems' statistics for
    comcast.net show that while the company's six official mail servers
    have a monthly outgoing e-mail index of 6.2, there are at least 44
    Comcast subscribers with similar scores of 5.8 or higher. Overall,
    Comcast is the single biggest source of all types of e-mail, with a
    higher volume than the next two, Time Warner's Road Runner and Yahoo,
    Brian Martin, a computer security consultant in Denver, experienced
    Comcast zombies firsthand. Last year, a Comcast subscriber apparently
    infected by zombieware disgorged approximately 10,000 e-mail messages
    an hour to Martin's e-mail address.
    It took two weeks of almost daily complaints to Comcast's abuse
    department before the deluge stopped. "I don't think that they really
    care about spam or virus infections," Martin said. "They don't want to
    put any personnel on it, because it takes away from the bottom line."

    Slowing the spam

    I don't mean to pick on Comcast. At least nowadays, its technicians
    appear to be more responsible: In March, it began sending warnings to
    suspected zombie infectees. In terms of the percentage of its users
    infected by zombies, Comcast is far from the worst--it's just the
    sheer number of subscribers that makes the company such an awesome
    source of spam.
    Comcast could block zombies by preventing outgoing mail from leaving
    its network before it flows through its servers. That technique is
    called blocking port 25, the port used by the venerable Simple Mail
    Transport Protocol. It has the benefit of making e-mail departing
    Comcast's network easier to monitor so that network technicians can
    spot zombie PCs more quickly.
    "It's not rocket science," John Levine, co-chair of the Internet
    Engineering Task Force's antispam research group, said of this
    technique. "Basically, you count the mail, and you give everyone a
    quota. If Grandma usually sends six messages a day and now tries to
    send 10,000 messages a day, what are the odds that she made that many
    new friends?"
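
    The counting-and-quota check Levine describes, as an added sketch that is not from the article or from any ISP's tooling. The log format, relay addresses, thresholds and per-subscriber baselines are all constructed assumptions.

```python
from collections import Counter

# Assumed values for illustration; addresses are documentation/private ranges.
OFFICIAL_RELAYS = {"192.0.2.10", "192.0.2.11"}
MIN_QUOTA = 50      # floor so light senders are not flagged for small bursts
BURST_FACTOR = 10   # allowed multiple of a subscriber's usual daily volume

def parse_flow(line):
    """Parse 'day subscriber dst_ip dst_port msgs' (constructed log format)."""
    day, sub, dst, port, msgs = line.split()
    return day, sub, dst, int(port), int(msgs)

def daily_counts(lines):
    """Return (total, direct) Counters keyed by (day, subscriber).
    'direct' is port-25 mail that bypassed the official relays."""
    total, direct = Counter(), Counter()
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        day, sub, dst, port, msgs = parse_flow(line)
        if port != 25:
            continue  # e.g. port 587 submission is not counted here
        total[(day, sub)] += msgs
        if dst not in OFFICIAL_RELAYS:
            direct[(day, sub)] += msgs
    return total, direct

def over_quota(lines, baseline):
    """Return (day, subscriber, sent, quota, direct) for each quota breach."""
    total, direct = daily_counts(lines)
    flagged = []
    for (day, sub), sent in sorted(total.items()):
        quota = max(MIN_QUOTA, BURST_FACTOR * baseline.get(sub, 0))
        if sent > quota:
            flagged.append((day, sub, sent, quota, direct[(day, sub)]))
    return flagged

SAMPLE = """\
# constructed sample records, not real traffic
2004-05-24 10.0.0.5 192.0.2.10 25 6
2004-05-24 10.0.0.7 198.51.100.20 25 4000
2004-05-24 10.0.0.7 203.0.113.9 25 6000
2004-05-24 10.0.0.9 198.51.100.44 25 40
2004-05-24 10.0.0.9 198.51.100.44 587 500
"""
BASELINE = {"10.0.0.5": 6, "10.0.0.7": 6, "10.0.0.9": 3}  # usual msgs/day

if __name__ == "__main__":
    for row in over_quota(SAMPLE.splitlines(), BASELINE):
        print(row)
```

    The "direct" column separates mail that skipped the official relays, which is the traffic a port 25 block would stop, from volume that merely exceeds the subscriber's usual rate.
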
    Some Internet providers, including EarthLink, Cox Communications and a
    number of universities, block port 25. But because it inconveniences
    people who rely on remote e-mail providers or the Linux aficionados
    who run their own mail servers, it's still a controversial response.  
    (Eventually, all e-mail clients will support the workaround of
    outgoing connections through port 587.)
    Based on my conversations last week, Comcast's network engineers would
    like to be more aggressive. But the marketing department shot down a
    ban on port 25 because of its circa $58 million price tag--so high
    partially because some subscribers would have to be told how to
    reconfigure their mail programs to point at Comcast's servers, and
    each phone call to the help desk costs $9.
    Instead, Comcast's engineers plan to try the innovative approach of
    identifying the zombie PCs and surreptitiously sending the
    subscriber's cable modem a new configuration routine that prevents
    outbound connections on port 25. Zombie-infected users won't even
    notice, the thinking goes, because most people use Comcast's mail
    servers for outgoing e-mail. Anyone wrongfully blocked can call and
    That's a clever idea, and it might even work. More importantly, it
    shows that the Internet's biggest spammer is finally trying
    imaginative ways to save our in-boxes from its subscribers.
    Declan McCullagh is CNET News.com's Washington, D.C., correspondent.  
    He chronicles the busy intersection between technology and politics.  
    Before that, he worked for several years as Washington bureau chief
    for Wired News. He has also worked as a reporter for The Netly News,
    Time magazine and HotWired.