Re: Anybody (else) get ping'ed by Comcast about Port 25 emailing?

2008-12-03 Thread Ben Scott
On Wed, Dec 3, 2008 at 9:07 AM, Mark Komarinski <[EMAIL PROTECTED]> wrote:
> 

  I'm amused that I have apparently become an HTML tag.  ;-)

-- Ben
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: Anybody (else) get ping'ed by Comcast about Port 25 emailing?

2008-12-03 Thread Mark Komarinski
On 12/02/2008 11:34 PM, Dan Miller wrote:
> Every time I received these emails, all I had running was Linux with a 
> customized iptables script, so chances of a virus are virtually nil.
>   

Just because you don't have viruses doesn't mean that a misconfiguration 
of your MTA* will cause you to be an open relay and allow others to use 
you to send spam.

* or perhaps you run a web server or other open service on the same box 
that could be hijacked?  Maybe some Windows systems on your network that 
could have a virus?


-Mark


Re: Anybody (else) get ping'ed by Comcast about Port 25 emailing?

2008-12-03 Thread Bruce Dawson
I've had similar experience. I don't think Comcast can tell the
difference between a joe-job and real spam.

I gave up pestering them and am just sending all outgoing email through
a VPN to one of our servers in Manchester.

--Bruce

Dan Miller wrote:
> I've called Comcast (when I had them) before on this very issue. Ask for 
> the security department, and then start asking for evidence. Since their 
> email states (and they state on the phone) that they closed the port 
> because it looked like you were spamming and have a virus.
>
> I would always ask for the date and time of when the emails were sent 
> that made it look like I had a virus. They always stated that they 
> didn't have any. I would then lay into them stating that you are closing 
> my port (tied to the account and modem) with no evidence that I have a 
> virus. They would then state that the port was closed because of the emails.
>
> This would go on a few times until I would state "So you're accusing me of 
> spamming, but have no evidence of such." Comcast would reply no, so I 
> would ask for them to either A) produce evidence that I have a virus or 
> B) open up port 25.
>
> Usually at this point, they would concede and in a few minutes they will 
> come back on the line with port 25 being reopened. After a few minutes, 
> the modem will update its file, and everything will be kosher again.
>
> I would never back down, and would always get port 25 reopened.
>
> Every time I received these emails, all I had running was Linux with a 
> customized iptables script, so chances of a virus are virtually nil.
>
> Good luck.
>
> Dan
>
>   



Re: Anybody (else) get ping'ed by Comcast about Port 25 emailing?

2008-12-02 Thread Dan Miller
I've called Comcast (when I had them) before on this very issue. Ask for 
the security department, and then start asking for evidence. Since their 
email states (and they state on the phone) that they closed the port 
because it looked like you were spamming and have a virus.

I would always ask for the date and time of when the emails were sent 
that made it look like I had a virus. They always stated that they 
didn't have any. I would then lay into them stating that you are closing 
my port (tied to the account and modem) with no evidence that I have a 
virus. They would then state that the port was closed because of the emails.

This would go on a few times until I would state "So you're accusing me of 
spamming, but have no evidence of such." Comcast would reply no, so I 
would ask for them to either A) produce evidence that I have a virus or 
B) open up port 25.

Usually at this point, they would concede and in a few minutes they will 
come back on the line with port 25 being reopened. After a few minutes, 
the modem will update its file, and everything will be kosher again.

I would never back down, and would always get port 25 reopened.

Every time I received these emails, all I had running was Linux with a 
customized iptables script, so chances of a virus are virtually nil.

Good luck.

Dan


Re: Anybody (else) get ping'ed by Comcast about Port 25 emailing?

2008-12-02 Thread Bayard Coolidge
Many thanks to everyone who's replied so far!

Yes, I was aware that there is a very serious spam issue both
within Comcast and overall on the Internet. I'd been using the Port 25
configuration since I started with Comcast over 5 years ago (after I
got married and moved down here to sunny South Florida), but I hadn't
realized that Port 25 usage would be suspicious-looking to them. I now
understand more precisely why, however, and the migration to Port 587 was
relatively painless/trivial. (I haven't tried running the Microsoft ASP
to detect bots on my system yet, as it's unclear how it will work with
openSUSE 11.0 ;-). I will, however, try it on my wife's Windows XP laptop,
just in case - I do a full-blown Norton anti-virus run on it every week
or so (after checking for and installing vendor updates to the other XP
components and programs) anyway. I was just kind of surprised by the
e-mail from Comcast as such.

And while I'm not the biggest fan of Comcast - we've had other issues
with them in the past, primarily on the TV stuff - I do certainly empathize
with the infrastructure burden that they and everyone else suffers at the
hands of spammers; we have plenty of hungry alligators in the Everglades,
only a few minutes from here, but I'm not sure I want to poison them by
feeding the spammers to them... Well, there's always the Atlantic Ocean...

Thanks,

Bayard


  


Re: Anybody (else) get ping'ed by Comcast about Port 25 emailing?

2008-12-02 Thread Tech Writer
I would like to have seen Comcast do this in some more gentle way.  In my case,
I got the message that I was a spammer last March.  I was helping with
communications right before my daughter's school play.  Just days before the
show, when we were making last minute tweaks to the schedule, BAM!  My outbound
email no longer works!  Comcast first asked me to send my emails to this group
using their web interface.  So, basically when I had little, if any free time
anyway, I was supposed to re-create my distribution list.  The next day, I was
told that a change in the outgoing port number would be sufficient. 

Bottom line... I didn't really mind the change.  I minded that there was no 
warning.

Peg


> On Tue, Dec 2, 2008 at 9:41 AM, Bayard Coolidge <[EMAIL PROTECTED]> wrote:
> > ... considered a spammer and/or that I had a security problem caused by
> > a virus/bot.
> > ... I'm wondering what their real agenda is...
> 
>   Making money, of course.  But they're trying to increase their money
> by blocking spam (thus saving both hardware resources, and resources
> on abuse complaints).
> 
>   The vast majority of spam is sent out from compromised MS-Windows
> computers.  Since non-server versions of MS-Windows don't include an
> SMTP service, any legit MS-Windows home user on a Comcast feed is
> going to be relaying through Comcast's SMTP servers.  The percentage
> of their customers which fit this profile is so high it is effectively
> "all".  So any Comcast customer sending SMTP traffic is -- by this
> definition -- a spam source.
> 
>   Obviously, most of the people on this list don't fit the above
> customer profile.  Again, the percentage of such is so small that, for
> Comcast's purposes, it's effectively zero.  I'm not asking anyone to
> like it.
> 
>   This is what modern malware is *really* about.  It isn't just
> vandalism or hack value, like the malware of old.  All these trojans,
> worms and the like are all about hijacking millions of luser computers
> for nefarious -- and *profitable* -- purposes.  The most common use is
> to turn them into zombie spam cannons in a botnet.
> 
>   I recently saw some claims that the time-to-widespread-exploit of new
> vulnerabilities has actually increased slightly.  The speculated
> cause?  Malware writers now put their exploits through more stringent
> QA processes.  Better quality malware is more profitable.
> 
> > The recommended fix apparently is to move my outbound SMTP to Port 587,
> > which I have now done.
> 
>   To clarify, what they had you do was reconfigure your mail software
> to send all your outgoing mail through Comcast's mail servers, on TCP
> port 587?
> 
>   If so, I'm guessing Comcast's goal is to get all of their customers
> using TCP/587 to submit to their outbound SMTP relay hosts.  That
> means they can do either of:
> 
> A1: Blocking TCP/25 to their SMTP relay hosts.  Reasons for doing this
> might include:
> 
>   A1R1: Eliminating load from random spam attempts.  They probably get
> lots of spam attempts from customer systems.  Lots of spam cannons
> fire blindly.
> 
>   A1R2: Reducing attack surface.
> 
> A2: Blocking TCP/25 throughout their residential-customer networks,
> rather than at the outbound edge.  Reasons for doing A2 might include:
> 
>   A2R1: Saving significant bandwidth within their residential-customer 
> networks.
> 
>   A2R2: Making it easier to identify compromised MS-Windows computers.
> (I doubt this is it, since it doesn't make Comcast any immediate
> profit.)
> 
>   TCP/587 is the registered port for the MSA (Mail Submission Agent),
> which is kind of like "SMTP Lite".  Of note, MSA cannot be used for
> mail exchange (relay/final delivery).  MSA also almost always requires
> authentication in most real-world systems.  It's thus not useful to
> spammers.
> 
>   There's an obvious spammer response to A1R1: Hijack the luser mail
> client (or its configuration values) to discover the local MSA and
> credentials.  However, that's much easier for an ISP to detect,
> throttle, and if needed, cut-off on a per-user basis.  I see that as a
> good thing; lusers will have to learn about responsible operating.
> 
> -- Ben


Re: Anybody (else) get ping'ed by Comcast about Port 25 emailing?

2008-12-02 Thread Ben Scott
On Tue, Dec 2, 2008 at 9:41 AM, Bayard Coolidge <[EMAIL PROTECTED]> wrote:
> ... considered a spammer and/or that I had a security problem caused by
> a virus/bot.
> ... I'm wondering what their real agenda is...

  Making money, of course.  But they're trying to increase their money
by blocking spam (thus saving both hardware resources, and resources
on abuse complaints).

  The vast majority of spam is sent out from compromised MS-Windows
computers.  Since non-server versions of MS-Windows don't include an
SMTP service, any legit MS-Windows home user on a Comcast feed is
going to be relaying through Comcast's SMTP servers.  The percentage
of their customers which fit this profile is so high it is effectively
"all".  So any Comcast customer sending SMTP traffic is -- by this
definition -- a spam source.

  Obviously, most of the people on this list don't fit the above
customer profile.  Again, the percentage of such is so small that, for
Comcast's purposes, it's effectively zero.  I'm not asking anyone to
like it.

  This is what modern malware is *really* about.  It isn't just
vandalism or hack value, like the malware of old.  All these trojans,
worms and the like are all about hijacking millions of luser computers
for nefarious -- and *profitable* -- purposes.  The most common use is
to turn them into zombie spam cannons in a botnet.

  I recently saw some claims that the time-to-widespread-exploit of new
vulnerabilities has actually increased slightly.  The speculated
cause?  Malware writers now put their exploits through more stringent
QA processes.  Better quality malware is more profitable.

> The recommended fix apparently is to move my outbound SMTP to Port 587, which 
> I have now done.

  To clarify, what they had you do was reconfigure your mail software
to send all your outgoing mail through Comcast's mail servers, on TCP
port 587?

  If so, I'm guessing Comcast's goal is to get all of their customers
using TCP/587 to submit to their outbound SMTP relay hosts.  That
means they can do either of:

A1: Blocking TCP/25 to their SMTP relay hosts.  Reasons for doing this
might include:

A1R1: Eliminating load from random spam attempts.  They probably get
lots of spam attempts from customer systems.  Lots of spam cannons
fire blindly.

A1R2: Reducing attack surface.

A2: Blocking TCP/25 throughout their residential-customer networks,
rather than at the outbound edge.  Reasons for doing A2 might include:

A2R1: Saving significant bandwidth within their residential-customer 
networks.

A2R2: Making it easier to identify compromised MS-Windows computers.
(I doubt this is it, since it doesn't make Comcast any immediate
profit.)

  TCP/587 is the registered port for the MSA (Mail Submission Agent),
which is kind of like "SMTP Lite".  Of note, MSA cannot be used for
mail exchange (relay/final delivery).  MSA also almost always requires
authentication in most real-world systems.  It's thus not useful to
spammers.

  There's an obvious spammer response to A1R1: Hijack the luser mail
client (or its configuration values) to discover the local MSA and
credentials.  However, that's much easier for an ISP to detect,
throttle, and if needed, cut-off on a per-user basis.  I see that as a
good thing; lusers will have to learn about responsible operating.

-- Ben
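
Added example, not part of Ben's message or the original thread: a router-side check for the pattern discussed above, where a mail client submits to one relay (usually on TCP/587) while a compromised host opens TCP/25 connections to many different servers. The log prefix `SMTP-OUT: `, the interface name, the iptables rule in the comment, the threshold and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed router-side logging rule (an assumption, not from the thread):
#   iptables -A FORWARD -i eth1 -p tcp --syn -m multiport --dports 25,587 \
#            -j LOG --log-prefix "SMTP-OUT: "
LOG_RE = re.compile(
    r"SMTP-OUT: .*?\bSRC=(\S+) DST=(\S+) .*?\bPROTO=TCP SPT=\d+ DPT=(\d+)\b")

# Constructed sample log (documentation-range addresses, shortened field set).
SAMPLE_LOG = """\
Dec  2 09:01:11 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.25 LEN=60 TTL=63 PROTO=TCP SPT=40112 DPT=587 SYN
Dec  2 09:01:40 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.25 LEN=60 TTL=63 PROTO=TCP SPT=1301 DPT=25 SYN
Dec  2 09:02:00 gw kernel: usb 1-1: new high-speed USB device number 2
Dec  2 09:02:03 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.7 LEN=48 TTL=127 PROTO=TCP SPT=2210 DPT=25 SYN
Dec  2 09:02:03 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.48 LEN=48 TTL=127 PROTO=TCP SPT=2211 DPT=25 SYN
Dec  2 09:02:04 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=198.51.100.77 LEN=48 TTL=127 PROTO=TCP SPT=2212 DPT=25 SYN
Dec  2 09:02:04 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.201 LEN=48 TTL=127 PROTO=TCP SPT=2213 DPT=25 SYN
Dec  2 09:05:12 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.25 LEN=60 TTL=63 PROTO=TCP SPT=1302 DPT=25 SYN
Dec  2 09:07:30 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.25 LEN=60 TTL=63 PROTO=TCP SPT=40120 DPT=587 SYN
"""


def analyze(log_text, threshold=3):
    """Summarise outbound mail connections per LAN host.

    A host is marked suspect when it opened TCP/25 connections to at least
    `threshold` distinct destinations (direct-to-MX fan-out)."""
    targets = defaultdict(set)      # host -> distinct TCP/25 destinations
    submissions = defaultdict(int)  # host -> TCP/587 connection attempts
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated kernel message or a truncated line
        src, dst, dpt = m.group(1), m.group(2), int(m.group(3))
        if dpt == 25:
            targets[src].add(dst)
        elif dpt == 587:
            submissions[src] += 1
    report = {}
    for host in sorted(set(targets) | set(submissions)):
        n = len(targets[host])
        report[host] = {"port25_targets": n,
                        "port587_attempts": submissions[host],
                        "suspect": n >= threshold}
    return report


def suspect_hosts(log_text, threshold=3):
    """Return the sorted list of LAN hosts flagged by analyze()."""
    return [h for h, r in analyze(log_text, threshold).items() if r["suspect"]]


if __name__ == "__main__":
    for host, row in analyze(SAMPLE_LOG).items():
        print(host, row)
```

A host that uses one relay on port 25 stays below the threshold; only the host fanning out to several servers is flagged for a closer look.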


Re: Anybody (else) get ping'ed by Comcast about Port 25 emailing?

2008-12-02 Thread Jerry Feldman

On 12/02/2008 09:41 AM, Bayard Coolidge wrote:

> I got a nastygram from Comcast in my normal e-mail inbox this morning,
> warning me that I was considered a spammer and/or that I had a security
> problem caused by a virus/bot.
>
> The recommended fix apparently is to move my outbound SMTP to Port 587,
> which I have now done.
>
> But, considering that I'm running openSUSE 11.0 and Thunderbird, download
> my e-mail using POP, and don't use any of the traditional Unix/Linux mail
> systems, I'm wondering what their real agenda is...
>
> Or is this an artifact of the Port 25 stuff that was so heavily discussed
> here during the summer? Maybe I've been too prolific in forwarding .wmv's
> and other fun stuff to friends and relatives?

It has nothing to do with the port 25 stuff. I'm surprised you have been 
able to send via port 25 since they changed to port 587 several months 
ago. While I certainly can't speak for Comcast, by using port 587 they 
can distinguish between email originated within their network by 
subscribers and that originated outside. It also reduces the likelihood 
that a DOS attack on port 25 will block legitimate subscribers from 
uploading email to Comcast. You also might note that gmail also uses 
port 587.  I use comcast port 587 for my Comcast identity, gmail for my 
gmail identity and the BLU (via ssh tunnel) for everything else.


--
Jerry Feldman <[EMAIL PROTECTED]>
Boston Linux and Unix
PGP key id: 537C5846
PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB  CA3B 4607 4319 537C 5846






Re: Anybody (else) get ping'ed by Comcast about Port 25 emailing?

2008-12-02 Thread mark
On Tue, Dec 2, 2008 at 10:09 AM, Charlie Farinella <
[EMAIL PROTECTED]> wrote:

> I had the same thing happen to me.  In my case they blocked outgoing
> mail from my wife's account only, even though all of my computers go
> out through the same router.
>
> I also followed their instructions and have her sending to port 587.
> She has no virus infection, maybe someone can tell me how to check for
> a bot on an XP machine.
>
> My accounts are unaffected.
>
> --charlie
>
>
You can download and run the rootkit revealer:

http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

I also recommend running a full scan with your anti-virus software as well.


mark


Re: Anybody (else) get ping'ed by Comcast about Port 25 emailing?

2008-12-02 Thread Charlie Farinella
On Tuesday 02 December 2008, Bayard Coolidge wrote:
> I got a nastygram from Comcast in my normal e-mail inbox this morning,
> warning me that I was considered a spammer and/or that I had a security
> problem caused by a virus/bot.
> 
> The recommended fix apparently is to move my outbound SMTP to Port 587,
> which I have now done.
> 
> But, considering that I'm running openSUSE 11.0 and Thunderbird, download
> my e-mail using POP, and don't use any of the traditional Unix/Linux mail
> systems, I'm wondering what their real agenda is...
> 
> Or is this an artifact of the Port 25 stuff that was so heavily discussed
> here during the summer? Maybe I've been too prolific in forwarding .wmv's
> and other fun stuff to friends and relatives?
> 
> Thanks,
> 
> Bayard

I had the same thing happen to me.  In my case they blocked outgoing 
mail from my wife's account only, even though all of my computers go 
out through the same router.

I also followed their instructions and have her sending to port 587.  
She has no virus infection, maybe someone can tell me how to check for 
a bot on an XP machine. 

My accounts are unaffected.

--charlie

-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668
