
May 24, 2004 4:00 AM PDT

Perspective: Attack of Comcast's Internet zombies

Comcast's high-speed Internet subscribers have long been rumored to be an unusually persistent source of junk e-mail.

Now someone from Comcast is confirming it. "We're the biggest spammer on the Internet," network engineer Sean Lutner said at a meeting of an antispam working group in Washington, D.C., last week.

Lutner said Comcast users send out about 800 million messages a day, but a mere 100 million flow through the company's official servers. Almost all of the remaining 700 million represent spam erupting from so-called zombie computers--a breathtaking figure that adds up to six or seven spam-o-grams for each American family every day.

Zombie computers arise when spammers seize on bugs in Microsoft Windows--or from naive users who click on attachments--to take over PCs and transform them into spambots.

No hard numbers exist, but some estimates say that about one-third of spam comes from zombie computers with broadband connections. The owners of the zombie PCs typically don't even notice what's happening.

Because home computers are more likely to be infected than business PCs, and because Comcast has about 6 million high-speed customers, it may have been inevitable that the cable provider became a haven for remote-controlled zombies that churn out junk e-mail.

Lutner pointed to IronPort Systems' statistics for comcast.net. They show that while the company's six official mail servers have a monthly outgoing e-mail index of 6.2, there are at least 44 Comcast subscribers with similar scores of 5.8 or higher. Overall, Comcast is the single biggest source of all types of e-mail, with a higher volume than the next two, Time Warner's Road Runner and Yahoo, combined.

Brian Martin, a computer security consultant in Denver, experienced Comcast zombies firsthand. Last year, a Comcast subscriber apparently infected by zombieware disgorged approximately 10,000 e-mail messages an hour to Martin's e-mail address.

It took two weeks of almost daily complaints to Comcast's abuse department before the deluge stopped. "I don't think that they really care about spam or virus infections," Martin said. "They don't want to put any personnel on it, because it takes away from the bottom line."

Slowing the spam
I don't mean to pick on Comcast. At least nowadays, its technicians appear to be more responsible: In March, it began sending warnings to suspected zombie infectees. In terms of the percentage of its users infected by zombies, Comcast is far from the worst--it's just the sheer number of subscribers that makes the company such an awesome source of spam.

Comcast could block zombies by preventing outgoing mail from leaving its network before it flows through its servers. That technique is called blocking port 25, the port used by the venerable Simple Mail Transfer Protocol.

It has the benefit of making e-mail departing Comcast's network easier to monitor so that network technicians can spot zombie PCs more quickly.

"It's not rocket science," John Levine, co-chair of the Internet Engineering Task Force's antispam research group, said of this technique. "Basically, you count the mail, and you give everyone a quota. If Grandma usually sends six messages a day and now tries to send 10,000 messages a day, what are the odds that she made that many new friends?"
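The count-and-quota check Levine describes, sketched as an added example that is not from the article or from Comcast. The flow-record format, the addresses, the baseline table and the floor and multiplier values are all assumptions made for illustration.

```python
from collections import Counter

# Constructed data using documentation address ranges (RFC 5737), not real hosts.
OFFICIAL_RELAYS = {"192.0.2.10", "192.0.2.11"}  # assumed: the ISP's own mail servers
BASELINE = {"198.51.100.7": 6, "198.51.100.8": 40}  # assumed usual messages per day
SAMPLE = (
    [f"2004-05-24 198.51.100.7 203.0.113.{i % 200 + 1} 25" for i in range(500)]
    + ["2004-05-24 198.51.100.8 192.0.2.10 25"] * 35   # normal use via the relay
    + ["2004-05-24 198.51.100.9 203.0.113.5 25"] * 12  # runs own server, low volume
    + ["2004-05-24 198.51.100.9 203.0.113.5 80", "garbage line"]
)

def parse_flow(line):
    """Parse 'date src_ip dst_ip dst_port' (hypothetical format); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[0], parts[1], parts[2], int(parts[3])

def daily_smtp_counts(lines):
    """Count port-25 connections per (day, subscriber): direct-to-MX vs via relay."""
    direct, relayed = Counter(), Counter()
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec[3] != 25:
            continue  # skip malformed records and non-SMTP traffic
        day, src, dst, _ = rec
        (relayed if dst in OFFICIAL_RELAYS else direct)[(day, src)] += 1
    return direct, relayed

def quota_for(src, floor=50, multiplier=10):
    """Quota is a generous multiple of the usual volume, never below the floor."""
    return max(floor, multiplier * BASELINE.get(src, 0))

def over_quota(lines):
    """Return sorted (day, subscriber, total, quota, direct) for those over quota."""
    direct, relayed = daily_smtp_counts(lines)
    hits = []
    for (day, src), total in (direct + relayed).items():
        quota = quota_for(src)
        if total > quota:
            hits.append((day, src, total, quota, direct[(day, src)]))
    return sorted(hits)

if __name__ == "__main__":
    for hit in over_quota(SAMPLE):
        print("over quota:", hit)
```

Connections stand in for messages here, so a subscriber who batches many messages per connection is undercounted. The low-volume subscriber running a private mail server stays under the floor and is not flagged.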

Some Internet providers, including EarthLink, Cox Communications and a number of universities, block port 25. But because it inconveniences people who rely on remote e-mail providers or the Linux aficionados who run their own mail servers, it's still a controversial response. (Eventually, all e-mail clients will support the workaround of outgoing connections through port 587.)

Based on my conversations last week, Comcast's network engineers would like to be more aggressive. But the marketing department shot down a ban on port 25 because of its circa $58 million price tag--so high partially because some subscribers would have to be told how to reconfigure their mail programs to point at Comcast's servers, and each phone call to the help desk costs $9.

Instead, Comcast's engineers plan to try the innovative approach of identifying the zombie PCs and surreptitiously sending the subscriber's cable modem a new configuration routine that prevents outbound connections on port 25. Zombie-infected users won't even notice, the thinking goes, because most people use Comcast's mail servers for outgoing e-mail. Anyone wrongfully blocked can call and complain.

That's a clever idea, and it might even work. More importantly, it shows that the Internet's biggest spammer is finally trying imaginative ways to save our in-boxes from its subscribers.

Biography
Declan McCullagh is CNET News.com's chief political correspondent. He spent more than a decade in Washington, D.C., chronicling the busy intersection between technology and politics. Previously, he was the Washington bureau chief for Wired News, and a reporter for Time.com, Time magazine and HotWired. McCullagh has taught journalism at American University and been an adjunct professor at Case Western University.

Comcast Zombies
by bobbycrab May 24, 2004 1:47 PM PDT
I get more than 100 spam emails a day. Many do not have a "To", "Subject" or "From" or they use my old attbi.com address. In answer to my complaint to Comcast, the problem will exist until December when they pull the plug on attbi.com. The way I understood the technician is that the attbi.com servers are still running freely and without supervision. I never did understand his answer to why I get 2kb email without addresses and subject line. He also said I would just have to live with it. Your article is the first on the subject I have seen and I appreciate it. I had begun worrying why there was so much interest that I needed a larger member and to last longer.
Comcast and spams
by bigduke May 24, 2004 4:32 PM PDT
We have a different Comcast problem. Today we were off cable connection from daybreak until after 1500. This was longer than usual, but at least once a week there is some form of connect glitch.

Service calls are useless. We run behind a Linksys and that keeps much out of our machines.
Problem staying connected
by September 15, 2004 12:42 PM PDT
I had the same problem when I first became a Comcast member. It lasted for almost 5 months, which gave me a headache as I was trying to take online classes. The problem turned out that they didn't install the cable lines properly and there was a loose connection. When it rained, or was windy, or snowed I would lose service. Finally after much aggravation I had someone that came to the house and actually knew what he was doing. Have them re-check your cable lines on the outside of the house, and to the connecting telephone poles and have them refund you the time you had no service.
Why not transparently proxy port 25?
by May 24, 2004 11:25 PM PDT
I'm possibly being very simple minded, however why is it that they do not route all outbound traffic for a destination port of 25 to their servers?

At that point they can clean the spam, and not affect their "users" in the slightest. It would save them $9 per user according to their numbers.
Transparent proxies are **EVIL**
by karn May 25, 2004 1:03 AM PDT
I know of at least one ISP (the one that provides DSL service in hotel rooms) that transparently proxies port 25. Not only does this break the end-to-end model on which the Internet was built, but it introduced a nasty security vulnerability. You see, I routinely encrypt my SMTP transfers with STARTTLS, but because they intercepted port 25 this mechanism was silently disabled.

Transparent proxies are superficially attractive, but they only make the problem worse in the long run. The only solution is to shoot Microsoft, since they clearly cannot get their act together on security.
Why am I not surprised?
by gaelwolf May 24, 2004 11:26 PM PDT
I spent a couple of weeks of support Hell trying to get the Comcast abuse department to fess up that one of my clients ... one of their customers ... was being blacklisted because of spam coming from one of the IP addresses in the same block as hers. We tested and tested, and her system was not sending unusual amounts of mail at any time around the clock. She was, however, being blacklisted and was not able to send mail through her own domain's mail server.

We finally put in a workaround, forcing all of her mail to go through a Comcast mail server. All without knowledge of this little tidbit of information. In all of the hours I spend dealing with (and silently gnashing my teeth at) any number of surly Comcast support "professionals" ... including one who hung up on us...

In all of those hours, not a single one of them admitted that Comcast has a problem, even though I was presenting them with evidence of it. The one time one of them inadvertently mentioned that other customers were having problems, too, she was cut off by a supervisor who came along to "help"...and promptly said my client must be spamming.

Rubbishy outfit...
port 25 is not evil
by Remo_Williams May 25, 2004 8:14 AM PDT
part of the reason i'm not an earthlink customer is their policy of blocking port 25 access. so if you own your own domain and don't allow earthlink to host, you are SOL.

i hate cable companies, but cablevision's optimum online service is the best, even better than verizon circa 1999.

-Remo
comcast support
by February 18, 2005 4:22 PM PST
I just don't like when people automatically assume that the people they talk to when they call the tech lines know anything about these workarounds. First of all, tech support agents are given a very limited amount of things they can do, and even if they do know how to fix the problems sometimes they are simply not allowed because it is not part of their job description and if they go outside of that it is possible to lose your job. I work for one of those support lines and I try my very best to help as best I can whoever calls. By the way, you get much better help if you lose the attitude, and I am not about to lose my job to do something the company does not tell me to do.
Too enlightened to be true
by karn May 25, 2004 1:07 AM PDT
The practice of blackholing a user only when they actually generate spam (as opposed to the usual shotgun approach of blocking *everyone*, guilty or not) is just too enlightened for a company like Comcast.

I'll believe it when I actually see it.
Hit the spammers
by Michael Grogan May 25, 2004 9:50 AM PDT
Why not go after the spammers responsible for the spambots in the first place? Spam is worthless unless it contains the spammer's identity so they should be easy to find.
"Bounce" Zombie Mail
by May 28, 2004 7:01 AM PDT
Why not re-direct each email sent by the zombie program back to its source? For example, the abuse address of the spam-mill hosting the site?
Bellsouth blocks port 25 for residential customers
by cpudrewfl May 25, 2004 2:35 PM PDT
If you're a res customer port 25 is blocked but not for biz customers.
Spam and Response by Comcast
by bobbycrab May 27, 2004 9:37 AM PDT
I asked Comcast Tech why I receive spam email that does not have a "To" and/or "From" address, many without a "Subject" line. Others have another person's attbi.com address but not my old attbi address. I check the source of some spam email and do not find my IP address listed numerically or by name.
The technician's response, as I understand it, that the old attbi.com servers are still in operation and that they are running without any supervision. The technicians said this is something that I will just have to live with and that they only provide the "connection" and have nothing to do with which email ends up in my box. Strange reply.

Their service is great otherwise.
They always say "LIVE WITH IT"
by May 28, 2004 10:20 PM PDT
I have found one-way to stop most of my hackers, and spam mail. It took me 3 weeks, but it did work; some-what? The multi-media, your soft modem is not blocked by your fire-wall. They bypass it to get in. Once they are in (after dialing) they have a sound connection to our computers. You do not need your messenger either, they get in this way also. I am going out to get a rotor-fire-wall. They run $80-100 dollars. Forget comcast on helping?
Don't punish us because of others offenses
by May 27, 2004 10:45 AM PDT
Many people have good reason to use a mail server other than that provided by their internet connection provider. (Putting aside quality of service, and to give just one of many kinds of examples: my employer requires that I use their mail server.)

It is outrageous for the author to treat preventing use of a customer's choice of mail server as a solution to the problem caused by (to mention a link in the article) bugs in Microsoft Windows < http://news.com.com/Microsoft+warns+of+widespread+Windows+flaw/2100-7355_3-5156647.html?tag=nl > and the offenses of others.

Let's get real.

It is fine to mention that some connection providers propose this solution. The next paragraph needs to say this is unacceptable. Let's fix the spam and Big Bill Bugs problems as best we can, not punish the innocent.

Joaquin
Windows Bugs...
by May 27, 2004 4:34 PM PDT
You are correct that people shouldn't be punished for bugs in Windows. However, since Microsoft at least of late has been pretty good about putting out patches for the security holes. The problem then goes right to the users who do not bother to install the patches. When this happens it is no longer Microsoft's fault.

I will also say that by and large Windows has had too many security holes. I just hope Microsoft keeps their promise and starts putting out better and more secure software. Most of these problems should have been fixed long ago.

Robert
No, you're the one who's unacceptable, not comcast
by justdarick May 30, 2004 4:13 PM PDT
If it's so wrong for Comcast to try to help out the world by blocking the offending users, then I think you don't need to be on Comcast. I applaud Comcast for trying to clean up the problem any way they can. Blocking port 25, while not the easiest method, can effectively curb this problem. If you need to send out messages from another server for "business" purposes, then maybe you don't need to be on a residential service for personal use. Ever think of that?
Comcast Zombie replies
by August 6, 2004 6:06 PM PDT
What was told to you was untrue, you can get the attbi account forwarding cancelled before December.