Comcast doesn't block in all markets.  My father was suddenly blocked about a year and a half ago, and it took us a couple of hours to figure out what was going on.  Their tech support confirmed that they didn't even bother telling their customers that they were going to do this.  In many other markets, Comcast does nothing, and when they get abuse reports, they also do nothing.  SenderBase shows a huge disparity between the number of zombies on Comcast and RoadRunner.

SenderBase mail hosts tracked
===================================
14584 - comcast.net - http://www.senderbase.org/search?searchString=comcast.net
8387 - rr.com - http://www.senderbase.org/search?searchString=rr.com

Note that rr.com numbers reflect many more legitimate hosts because biz.rr.com is included in the total.  It does though look like Comcast finished porting over att.net tagged space to comcast.net, which might make them look even worse now, being that they are the largest cable provider now.

Regarding blocking at the SMTP envelope, why waste the processing on 2,000,000 messages a day?  Parse the logs at regular intervals and update an ACL on your router to block this stuff.  It should be fairly easy to identify which zombies are being used during one particular moment in time.

Also, from the looks of the headers posted earlier...turn off the damn Nobody alias and forget it ever existed.  Spammers and virus writers ruined it pretty much forever.

The best way to stop this stuff is take the contact information that I posted, call the FBI, and press charges.  This is beyond a civil matter due to the volume, it's the same thing as a DDOS attempt which is clearly a crime.

Matt





Gerald V. Livingston II wrote:
Comcast already does block 25. They don't require SMTP Auth though so it
doesn't do much good.

I contract for a small dial up ISP and we have customers who are on Comcast
at home but use us for travelling. It's NOT that difficult to walk most of
them through the few steps to change the outbound mail server when they
switch locations. Most remember the steps after two or three times.

What I'm wondering though is if ALL ISP's blocked port 25 and REQUIRED SMTP
Auth -- wouldn't that block all the viruses/zombie worms that use their own
SMTP engine? They would need a valid username/password for the server to
get mail to go out -- period. 

Or even if they all left port 25 open and REQUIRED SMTP AUTH!

I've been meaning to look for a way to see if our users are sending out
viral mails that bounce because of failed AUTH. Ideas?

My home system (this box) is on RoadRunner. They don't block snot (except
port 80 as a NIMDA holdover) but so few people accept mail directly from a
dynamic IP (even RR addresses bounce mail if I try to send it directly from
my SMTP daemon even though it does have a valid MX) I do route all my mail
through the RR SMTP server. If they required SMTP Auth to do that it
wouldn't bother me a bit, one quick config change and I'd keep right on
firing.

My home SMTP daemon requires AUTH. In fact it uses AUTH for a rather unique
purpose. It sets the Sender: header based on what I auth as so I can send
mail from my addresses in several different domains and not have a FROM:
and Sender: mismatch making it look like spam.

Hmm -- so, UNblocked port 25 with SMTP Auth would be the way to go so users
could send through the proper SMTP server to get a proper Sender: header
that matches the address they're sending from.

G

On Wed, 10 Mar 2004 23:21:47 -0500 
Matt said something about Re: [Declude.JunkMail] Comcast Update:

  
Not to start a big argument about the issue, but just to reiterate my 
stance on this...while blocking port 25 would work, it is unnecessarily 
prohibitive.  If my provider was to drop port 25 support, I would be 
forced to move to a new provider immediately as would most around here.  
I also get enough calls already from the few customers that actually 
have E-mail hosting with my company when they can't send E-mail or when 
E-mail isn't being received, only to find that they aren't even using my 
server for SMTP.

If they shut off port 25, there would still be hundreds of thousands of 
open proxies and other types of relays for spammers to hit, and to 
administrators like ourselves, this would have little impact.

Most importantly though...if these guys find it difficult to relay their 
spam directly from such IP space, they will turn in greater numbers to 
relaying though the ISP's mail servers as they have already been doing, 
and spam relayed through legitimate mail hosts is difficult to score in 
comparison to a direct host, and many of the people around here are 
already giving legitimate mail hosts extra credit by using tests like 
SPF and AHBL-EXEMPT.

I would personally much rather score Comcast zombies with 8 points for 
being DUL, 8 points for XBL, 4 points for BADHEADERS, 3 points for 
HELOBOGUS, 4 points for SPAMDOMAINS, 6 points for SNIFFER-PHARMACY, 3 
points for GIBBERISH, 4 points for GIBBERISHSUB, etc., etc.  The zombies 
that land in my hold file are almost always from obscure ISP's with 
untracked DUL space, or virus infected mail hosts.

If people want to stop the problem, they should go out and arrest the 
dozen or so people at the root of every piece of zombie spam out there 
currently.  There's a very limited number of criminals doing this.

Matt

Dave Doherty wrote:

    
I know I don't see eye to eye with some folks here about this, but Comcast
could prevent the problem entirely by blocking port 25 and putting some
solid limits on outbound mail with a product like Declude Hijack...

If they were really serious about fixing the problem, that is.

-Dave

----- Original Message ----- 
From: "Dan Patnode" <[EMAIL PROTECTED]>

      
Seems they're actually aware of the problem:

        
http://maccentral.macworld.com/news/2004/03/10/comcast/index.php?redirect=1078943859000 
    


  

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
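
Matt's suggestion in the top message, to parse the mail logs at intervals and push the offending sources into a router ACL, is sketched here as an added example (not code from the thread or from Declude). The log format, threshold, window and ACL number 125 are assumptions, the addresses are constructed documentation-range samples, and the output uses Cisco-IOS-style extended ACL syntax because the thread names no router.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed log format (an assumption): <ISO time> smtp-in ip=<src> result=<accept|reject>
LINE_RE = re.compile(r"^(\S+) smtp-in ip=(\S+) result=(accept|reject)$")

SAMPLE_LOG = """\
2004-03-10T23:00:01 smtp-in ip=192.0.2.10 result=reject
2004-03-10T23:00:02 smtp-in ip=192.0.2.10 result=reject
2004-03-10T23:00:03 smtp-in ip=198.51.100.7 result=accept
2004-03-10T23:00:04 smtp-in ip=192.0.2.10 result=reject
2004-03-10T23:00:05 smtp-in ip=203.0.113.25 result=reject
2004-03-10T23:00:06 smtp-in ip=203.0.113.25 result=reject
2004-03-10T23:00:07 smtp-in ip=203.0.113.25 result=reject
2004-03-10T23:09:00 smtp-in ip=198.51.100.99 result=reject
garbled line that the parser must skip
2004-03-10T23:20:00 smtp-in ip=198.51.100.99 result=reject
2004-03-10T23:40:00 smtp-in ip=198.51.100.99 result=reject
""".splitlines()

def find_offenders(lines, threshold=3, window=timedelta(minutes=5), allow=()):
    """Return sorted source IPs with >= threshold rejects inside one window."""
    allowed = [ip_network(n) for n in allow]
    recent = defaultdict(deque)           # ip -> timestamps of recent rejects
    offenders = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "reject":
            continue                      # skip malformed lines and accepted mail
        try:
            ts, ip = datetime.fromisoformat(m.group(1)), ip_address(m.group(2))
        except ValueError:
            continue                      # bad timestamp or address
        if any(ip in net for net in allowed):
            continue                      # never block known-good relays
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:         # drop rejects older than the window
            q.popleft()
        if len(q) >= threshold:
            offenders.add(ip)
    return sorted(offenders)

def render_acl(offenders, acl_number=125):
    """Emit deny lines for port 25 only, then a permit so other traffic passes."""
    rules = [f"access-list {acl_number} deny tcp host {ip} any eq 25" for ip in offenders]
    return rules + [f"access-list {acl_number} permit ip any any"]
```

Pass your own relays and customer ranges in `allow`, and feed each run only the recent portion of the log so entries age out once a host stops sending.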
