On Tue, Dec 2, 2008 at 9:41 AM, Bayard Coolidge <[EMAIL PROTECTED]> wrote:
> ... considered a spammer and/or that I had a security problem caused by
> a virus/bot.
> ... I'm wondering what their real agenda is...

  Making money, of course.  But they're trying to increase their money
by blocking spam (thus saving both hardware resources, and resources
on abuse complaints).

  The vast majority of spam is sent out from compromised MS-Windows
computers.  Since non-server versions of MS-Windows don't include an
SMTP service, any legit MS-Windows home user on a Comcast feed is
going to be relaying through Comcast's SMTP servers.  The percentage
of their customers which fit this profile is so high it is effectively
"all".  So any Comcast customer sending SMTP traffic is -- by this
definition -- a spam source.

  Obviously, most of the people on this list don't fit the above
customer profile.  Again, the percentage of such is so small that, for
Comcast's purposes, it's effectively zero.  I'm not asking anyone to
like it.

  This is what modern malware is *really* about.  It isn't just
vandalism or hack value, like the malware of old.  All these trojans,
worms and the like are all about hijacking millions of luser computers
for nefarious -- and *profitable* -- purposes.  The most common use is
to turn them into zombie spam cannons in a botnet.

  I recently saw some claims that the time-to-widespread-exploit of new
vulnerabilities has actually increased slightly.  The speculated
cause?  Malware writers now put their exploits through more stringent
QA processes.  Better quality malware is more profitable.

> The recommended fix apparently is to move my outbound SMTP to Port 587, which 
> I have now done.

  To clarify, what they had you do was reconfigure your mail software
to send all your outgoing mail through Comcast's mail servers, on TCP
port 587?

  If so, I'm guessing Comcast's goal is to get all of their customers
using TCP/587 to submit to their outbound SMTP relay hosts.  That
means they can do either of:

A1: Blocking TCP/25 to their SMTP relay hosts.  Reasons for doing this
might include:

        A1R1: Eliminating load from random spam attempts.  They probably get
lots of spam attempts from customer systems.  Lots of spam cannons
fire blindly.

        A1R2: Reducing attack surface.

A2: Blocking TCP/25 throughout their residential-customer networks,
rather than at the outbound edge.  Reasons for doing A2 might include:

        A2R1: Saving significant bandwidth within their residential-customer 
networks.

        A2R2: Making it easier to identify compromised MS-Windows computers.
(I doubt this is it, since it doesn't make Comcast any immediate
profit.)

  TCP/587 is the registered port for the MSA (Mail Submission Agent),
which is kind of like "SMTP Lite".  Of note, MSA cannot be used for
mail exchange (relay/final delivery).  MSA also almost always requires
authentication in most real-world systems.  It's thus not useful to
spammers.

  There's an obvious spammer response to A1R1: Hijack the luser mail
client (or its configuration values) to discover the local MSA and
credentials.  However, that's much easier for an ISP to detect,
throttle, and if needed, cut off on a per-user basis.  I see that as a
good thing; lusers will have to learn about responsible operating.

-- Ben
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
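As an added illustration (not part of Ben's post or anything Comcast publishes), the following Python toy models the two properties of a port-587 Mail Submission Agent the message relies on: a MAIL FROM without prior AUTH is refused, and because every accepted submission is tied to an authenticated account, a burst of submissions from one account can be throttled per user. The account store, the submission limit, the server name `msa.example.net` and the client lines are all constructed for the example; the state machine covers only EHLO, AUTH PLAIN, MAIL FROM and QUIT, and omits STARTTLS, which a real MSA would demand before AUTH.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed credential store and throttle threshold for this example only.
ACCOUNTS: Dict[str, str] = {"alice": "correct horse battery"}
PER_USER_LIMIT = 3   # accepted MAIL FROM commands per account before throttling


@dataclass
class Session:
    greeted: bool = False          # EHLO seen
    user: Optional[str] = None     # set only after a successful AUTH


class ToyMSA:
    """Minimal RFC 6409-style submission agent: EHLO, AUTH PLAIN, MAIL FROM, QUIT.

    MAIL FROM is treated as the submission event.  The per-account counter
    lives on the server object, not the session, so it survives reconnects
    and models the per-user accounting an ISP can throttle on.
    """

    def __init__(self, accounts: Dict[str, str], limit: int) -> None:
        self.accounts = accounts
        self.limit = limit
        self.accepted: Dict[str, int] = {}

    def handle(self, s: Session, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            s.greeted = True
            # Advertise AUTH only; STARTTLS is deliberately left out of the toy.
            return "250-msa.example.net\r\n250 AUTH PLAIN"
        if not s.greeted:
            return "503 5.5.1 Send EHLO first"
        if verb == "AUTH":
            return self._auth_plain(s, arg)
        if verb == "MAIL":
            if s.user is None:
                # The property that makes an MSA useless to an unauthenticated sender.
                return "530 5.7.0 Authentication required"
            if self.accepted.get(s.user, 0) >= self.limit:
                # Per-user throttle: the response to hijacked client credentials.
                return "452 4.5.3 Submission rate exceeded; account throttled"
            self.accepted[s.user] = self.accepted.get(s.user, 0) + 1
            return "250 2.1.0 Sender OK"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"

    def _auth_plain(self, s: Session, arg: str) -> str:
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:
            # SASL PLAIN: base64("<authzid>\0<authcid>\0<password>")
            _authzid, authcid, passwd = base64.b64decode(blob).split(b"\0")
        except ValueError:      # bad base64 or wrong field count
            return "501 5.5.2 Cannot decode credentials"
        user = authcid.decode()
        if self.accounts.get(user) == passwd.decode():
            s.user = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


def plain_token(user: str, password: str) -> str:
    """Encode a SASL PLAIN initial response with an empty authzid."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def run_session(msa: ToyMSA, lines: List[str]) -> List[str]:
    """Feed client lines into one session; return the server reply to each."""
    s = Session()
    return [msa.handle(s, line) for line in lines]


def demo() -> Dict[str, List[str]]:
    """Three constructed client conversations against one MSA instance."""
    msa = ToyMSA(ACCOUNTS, PER_USER_LIMIT)
    token = plain_token("alice", "correct horse battery")
    results: Dict[str, List[str]] = {}
    # 1. A client that found the MSA but holds no credentials: refused at MAIL FROM.
    results["unauthenticated"] = run_session(
        msa, ["EHLO client.example", "MAIL FROM:<alice@example.com>", "QUIT"])
    # 2. The port-587 recipe followed properly: EHLO, AUTH, MAIL FROM.
    results["authenticated"] = run_session(
        msa, ["EHLO client.example", "AUTH PLAIN " + token,
              "MAIL FROM:<alice@example.com>", "QUIT"])
    # 3. The same account again, submitting repeatedly: the per-user counter
    #    (already at 1 from session 2) trips the throttle on the third attempt.
    results["burst_from_one_account"] = run_session(
        msa, ["EHLO client.example", "AUTH PLAIN " + token]
        + ["MAIL FROM:<alice@example.com>"] * 3)
    return results


if __name__ == "__main__":
    for name, replies in demo().items():
        print(name)
        for r in replies:
            print("   S:", r.replace("\r\n", " | "))
```

Running it prints the three reply sequences: the unauthenticated session gets `530 5.7.0` at MAIL FROM, the authenticated one gets `250 2.1.0`, and the burst turns into `452 4.5.3` once the account's accepted count reaches the limit. The point of keeping the counter keyed by account rather than by connection is that an ISP sees a stable identity to throttle or cut off, which is exactly what anonymous port-25 traffic does not give it.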
