[ISN] The biggest spammer on the Net? Comcast?

InfoSec News isn at c4i.org
Tue May 25 02:15:57 EDT 2004


By Declan McCullagh 
CNET News.com
May 24, 2004

Comcast's high-speed Internet subscribers have long been rumored to be
an unusually persistent source of junk e-mail.

Now someone from Comcast is confirming it. "We're the biggest spammer
on the Internet," network engineer Sean Lutner said at a meeting of an
antispam working group in Washington, D.C., last week.

Lutner said Comcast users send out about 800 million messages a day,
but a mere 100 million flow through the company's official servers.  
Almost all of the remaining 700 million represent spam erupting from
so-called zombie computers--a breathtaking figure that adds up to six
or seven spam-o-grams for each American family every day.

Zombie computers arise when spammers seize on bugs in Microsoft
Windows--or from naive users who click on attachments--to take over
PCs and transform them into spambots. No hard numbers exist, but some
estimates say that about one-third of spam comes from zombie computers
with broadband connections. The owners of the zombie PCs typically
don't even notice what's happening.

Because home computers are more likely to be infected than business
PCs, and because Comcast has about 6 million high-speed customers, it
may have been inevitable that the cable provider became a haven for
remote-controlled zombies that churn out junk e-mail.

Don't take Comcast's word for it. IronPort Systems' statistics for
comcast.net show that while the company's six official mail servers
have a monthly outgoing e-mail index of 6.2, there are at least 44
Comcast subscribers with similar scores of 5.8 or higher. Overall,
Comcast is the single biggest source of all types of e-mail, with a
higher volume than the next two, Time Warner's Road Runner and Yahoo,

Brian Martin, a computer security consultant in Denver, experienced
Comcast zombies firsthand. Last year, a Comcast subscriber apparently
infected by zombieware disgorged approximately 10,000 e-mail messages
an hour to Martin's e-mail address.

It took two weeks of almost daily complaints to Comcast's abuse
department before the deluge stopped. "I don't think that they really
care about spam or virus infections," Martin said. "They don't want to
put any personnel on it, because it takes away from the bottom line."

Slowing the spam

I don't mean to pick on Comcast. At least nowadays, its technicians
appear to be more responsible: In March, it began sending warnings to
suspected zombie infectees. In terms of the percentage of its users
infected by zombies, Comcast is far from the worst--it's just the
sheer number of subscribers that makes the company such an awesome
source of spam.

Comcast could block zombies by preventing outgoing mail from leaving
its network before it flows through its servers. That technique is
called blocking port 25, the port used by the venerable Simple Mail
Transfer Protocol. It has the benefit of making e-mail departing
Comcast's network easier to monitor so that network technicians can
spot zombie PCs more quickly.

"It's not rocket science," John Levine, co-chair of the Internet
Engineering Task Force's antispam research group, said of this
technique. "Basically, you count the mail, and you give everyone a
quota. If Grandma usually sends six messages a day and now tries to
send 10,000 messages a day, what are the odds that she made that many
new friends?"

Some Internet providers, including EarthLink, Cox Communications and a
number of universities, block port 25. But because it inconveniences
people who rely on remote e-mail providers or the Linux aficionados
who run their own mail servers, it's still a controversial response.  
(Eventually, all e-mail clients will support the workaround of
outgoing connections through port 587.)
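
The counting approach Levine describes, as an added example that is not part of the original article: per-subscriber port-25 volume is tallied from flow records, split into mail sent through the official servers and mail sent directly, and compared with a fixed quota and with each subscriber's usual volume. The record format, addresses, quota, multiplier and baselines are assumptions made for the illustration.

```python
from collections import Counter

# All values below are constructed for illustration (not from the article).
OFFICIAL_RELAYS = {"192.0.2.10", "192.0.2.11"}  # hypothetical ISP mail servers
DAILY_QUOTA = 500         # hypothetical hard ceiling, messages per day
SPIKE_MULTIPLIER = 20     # hypothetical: flag at 20x a subscriber's usual volume
DEFAULT_BASELINE = 10     # assumed usual volume when no history exists

# Constructed records: timestamp, subscriber, destination, dest port, messages
SAMPLE_FLOWS = """\
2004-05-24T09:00 10.0.0.5 192.0.2.10 25 6
2004-05-24T09:05 10.0.0.7 198.51.100.20 25 4100
2004-05-24T09:10 10.0.0.7 203.0.113.9 25 5900
2004-05-24T09:15 10.0.0.9 198.51.100.44 25 40
2004-05-24T09:20 10.0.0.11 198.51.100.30 587 3
2004-05-24T09:25 10.0.0.12 192.0.2.11 25 300
garbled line
"""
BASELINE = {"10.0.0.5": 6, "10.0.0.7": 6, "10.0.0.9": 35, "10.0.0.12": 10}

def daily_counts(text, relays=OFFICIAL_RELAYS):
    """Tally port-25 messages per subscriber: via official relays vs. direct."""
    relayed, direct = Counter(), Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (parts[3].isdigit() and parts[4].isdigit()):
            continue  # skip blank or malformed records
        _ts, src, dst, port, count = parts
        if int(port) != 25:
            continue  # port 587 submission is not counted here
        (relayed if dst in relays else direct)[src] += int(count)
    return relayed, direct

def flag_subscribers(text, baseline):
    """Return {subscriber: (total, direct, reasons)} for anomalous senders."""
    relayed, direct = daily_counts(text)
    findings = {}
    for sub in sorted(set(relayed) | set(direct)):
        total = relayed[sub] + direct[sub]
        reasons = []
        if total > DAILY_QUOTA:
            reasons.append("over_quota")
        if total > baseline.get(sub, DEFAULT_BASELINE) * SPIKE_MULTIPLIER:
            reasons.append("baseline_spike")
        if reasons:
            findings[sub] = (total, direct[sub], reasons)
    return findings

if __name__ == "__main__":
    for sub, (total, direct, reasons) in flag_subscribers(SAMPLE_FLOWS, BASELINE).items():
        print(sub, total, direct, ",".join(reasons))
```

The subscriber at 10.0.0.9, who sends a steady 40 messages a day directly from a self-run mail server, stays under both thresholds, which is the case a blanket port-25 block would inconvenience.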

Based on my conversations last week, Comcast's network engineers would
like to be more aggressive. But the marketing department shot down a
ban on port 25 because of its circa $58 million price tag--so high
partially because some subscribers would have to be told how to
reconfigure their mail programs to point at Comcast's servers, and
each phone call to the help desk costs $9.

Instead, Comcast's engineers plan to try the innovative approach of
identifying the zombie PCs and surreptitiously sending the
subscriber's cable modem a new configuration routine that prevents
outbound connections on port 25. Zombie-infected users won't even
notice, the thinking goes, because most people use Comcast's mail
servers for outgoing e-mail. Anyone wrongfully blocked can call and

That's a clever idea, and it might even work. More importantly, it
shows that the Internet's biggest spammer is finally trying
imaginative ways to save our in-boxes from its subscribers.


Declan McCullagh is CNET News.com's Washington, D.C., correspondent.  
He chronicles the busy intersection between technology and politics.  
Before that, he worked for several years as Washington bureau chief
for Wired News. He has also worked as a reporter for The Netly News,
Time magazine and HotWired.
