X

Attack of Comcast's Internet zombies

CNET News.com's Declan McCullagh explains how spammers are hijacking Comcast's network to transform subscriber PCs into spambots.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
See full bio
Declan McCullagh
4 min read
Comcast's high-speed Internet subscribers have long been rumored to be an unusually persistent source of junk e-mail.

Now someone from Comcast is confirming it. "We're the biggest spammer on the Internet," network engineer Sean Lutner said at a meeting of an antispam working group in Washington, D.C., last week.

Lutner said Comcast users send out about 800 million messages a day, but a mere 100 million flow through the company's official servers. Almost all of the remaining 700 million represent spam erupting from so-called zombie computers--a breathtaking figure that adds up to six or seven spam-o-grams for each American family every day.

Zombie computers arise when spammers seize on bugs in Microsoft Windows--or from naive users who click on attachments--to take over PCs and transform them into spambots.

Comcast users send out about 800 million messages a day, but a mere 100 million flow through the company's official servers.
No hard numbers exist, but some estimates say that about one-third of spam comes from zombie computers with broadband connections. The owners of the zombie PCs typically don't even notice what's happening.

Because home computers are more likely to be infected than business PCs, and because Comcast has about 6 million high-speed customers, it may have been inevitable that the cable provider became a haven for remote-controlled zombies that churn out junk e-mail.

Lutner pointed to IronPort Systems' statistics for comcast.net. It shows that while the company's six official mail servers have a monthly outgoing e-mail index of 6.2, there are at least 44 Comcast subscribers with similar scores of 5.8 or higher. Overall, Comcast is the single biggest source of all types of e-mail, with a higher volume than the next two, Time Warner's Road Runner and Yahoo, combined.

Brian Martin, a computer security consultant in Denver, experienced Comcast zombies firsthand. Last year, a Comcast subscriber apparently infected by zombieware disgorged approximately 10,000 e-mail messages an hour to Martin's e-mail address.

It took two weeks of almost daily complaints to Comcast's abuse department before the deluge stopped. "I don't think that they really care about spam or virus infections," Martin said. "They don't want to put any personnel on it, because it takes away from the bottom line."

Slowing the spam
I don't mean to pick on Comcast. At least nowadays, its technicians appear to be more responsible: In March, it began sending warnings to suspected zombie infectees. In terms of the percentage of its users infected by zombies, Comcast is far from the worst--it's just the sheer number of subscribers that makes the company such an awesome source of spam.

Comcast could block zombies by preventing outgoing mail from leaving its network before it flows through its servers. That technique is called blocking port 25, the port used by the venerable Simple Mail Transport Protocol.

It's just the sheer number of subscribers that makes the company such an awesome source of spam.
It has the benefit of making e-mail departing Comcast's network easier to monitor so that network technicians can spot zombie PCs more quickly.

"It's not rocket science," John Levine, co-chair of the Internet Engineering Task Force's antispam research group, said of this technique. "Basically, you count the mail, and you give everyone a quota. If Grandma usually sends six messages a day and now tries to send 10,000 messages a day, what are the odds that she made that many new friends?"

Some Internet providers, including EarthLink, Cox Communications and a number of universities, block port 25. But because it inconveniences people who rely on remote e-mail providers or the Linux aficionados who run their own mail servers, it's still a controversial response. (Eventually, all e-mail clients will support the workaround of outgoing connections through port 587.)

Based on my conversations last week, Comcast's network engineers would like to be more aggressive. But the marketing department shot down a ban on port 25 because of its circa $58 million price tag--so high partially because some subscribers would have to be told how to reconfigure their mail programs to point at Comcast's servers, and each phone call to the help desk costs $9.

Instead, Comcast's engineers plan to try the innovative approach of identifying the zombie PCs and surreptitiously sending the subscriber's cable modem a new configuration routine that prevents outbound connections on port 25. Zombie-infected users won't even notice, the thinking goes, because most people use Comcast's mail servers for outgoing e-mail. Anyone wrongfully blocked can call and complain.

That's a clever idea, and it might even work. More importantly, it shows that the Internet's biggest spammer is finally trying imaginative ways to save our in-boxes from its subscribers.