
Comcast Cuts Infected PCs' Network Connections

fidget42 writes "I just noticed this article over at Infoworld. It seems that Comcast is finally doing something about the machines on their network that are being used by spammers. They are now cutting off service to those customers who have computers that have been hijacked by spammers. Now, if only other broadband ISPs would start policing their user base ..."
  • by garcia ( 6573 ) * on Wednesday March 10, 2004 @08:05AM (#8520022)
    Now, if only other broadband ISPs would start policing their user base ..."

    ATTBI (back in 2002) was disabling people's account for being infected with worms... People's modem CFG file would be set to disabled.cfg and they would have block sync but wouldn't be permitted onto the network.

    If Comcast took over from ATTBI and is using parts of their existing network, I just can't understand why modems were not being disabled recently for infection by worms.
    • by mikeophile ( 647318 ) on Wednesday March 10, 2004 @08:11AM (#8520065)
      It seems like it would be pretty trivial for a virus to re-write the modem CFG file to get back on the network.

      Hell, it might as well uncap the modem while it's at it too.

      • For one, aren't there enough ISP- and cable-modem-specific issues with updating the CFG file (eg. different community strings and cable-modem IPs) that one virus is unlikely to work for a majority of cable modem connections?

        For two, it'd be pretty trivial for the cable company to detect the change and cut off that connection at the CO, limiting the damage to just the users on the same physical cable connection, no?

  • Yes Yes! (Score:5, Insightful)

    by canwaf ( 240401 ) on Wednesday March 10, 2004 @08:06AM (#8520026) Homepage Journal
    Because we all know Corporations policing is a VERY GOOD THING!(tm)
    • Re:Yes Yes! (Score:5, Insightful)

      by p2sam ( 139950 ) on Wednesday March 10, 2004 @08:10AM (#8520058)
      Here is my preference for internet "policing" in decreasing order:

      1. user self-policing
      2. ISP self-policing
      3. federal government "pound-me-in-the-ass" policing
      • Re:Yes Yes! (Score:5, Insightful)

        by thegrommit ( 13025 ) on Wednesday March 10, 2004 @08:33AM (#8520255)
        Here is my preference for internet "policing" in decreasing order:

        1. user self-policing

        That might be true in an ideal world. However, these users were disconnected because they failed to police themselves.

        I know someone who's running a Win98 box that's been infected with SoBig.F for over a month. Yet his copy of Norton AV has been sitting on his desk for the past year. His excuse for not cleaning it up? No time and he doesn't want to reinstall everything.

        I'd say it's fair to assume that the vast majority of these Comcast customers are just like him - clueless and happy that way.

      • Re:Yes Yes! (Score:5, Insightful)

        by 4of12 ( 97621 ) on Wednesday March 10, 2004 @10:08AM (#8520997) Homepage Journal

        You think you're funny, but you're damn right!

        Enforcement should be delegated and hierarchal, just like DNS lookups.

        If a clueless and lazy user can't bother to patch up their box, then the ISP should cut 'em off.

        If the ISP is too cheap and lazy to enforce good network behavior on their users, then their broadband provider should cut 'em off.

        All the way to the backbone, to the biggest router!

        Start with the premise of responsibility, enforce only when responsibility is not exercised.

    • Re:Yes Yes! (Score:5, Interesting)

      by Anonymous Coward on Wednesday March 10, 2004 @08:14AM (#8520085)
      Because we all know Corporations policing is a VERY GOOD THING!(tm)

      It's presumably a terms-of-service violation so technically you're in breach of contract and they can do what the hell they want.
      • Re:Yes Yes! (Score:3, Insightful)

        by David_W ( 35680 )
        It's presumably a terms-of-service violation so technically you're in breach of contract and they can do what the hell they want.

        I think you missed the point of the parent entirely... just because you can do something doesn't mean you should do something. Yes, the contract allows Comcast to cut off users like that, but do we want them to? And, in what other situations do we want them to (or not to)?

        • Re:Yes Yes! (Score:3, Insightful)

          by JDBrechtel ( 48222 )
          What exactly would you prefer?? The users are NOT going to take care of this themselves unless they're forced to. It's like having a car with a really bad emissions's screwing up the environment for everyone else. Only in that case the government steps in and makes them fix it....not doing so is ILLEGAL. I'd rather it be a corporate policy than a law personally.
        • Re:Yes Yes! (Score:5, Insightful)

          by the_mad_poster ( 640772 ) on Wednesday March 10, 2004 @09:24AM (#8520613) Homepage Journal

          Yes, the contract allows Comcast to cut off users like that, but do we want them to?

          What an easy question. Yes.

          These people DO have the capability to take care of themselves. However, they have repeatedly shirked the responsibility of learning the basic tenets of computer use on a connected, global network.

          Comcast is cutting these people off and basically walking them through the process of using their computer like they're helpless small children because, frankly, when it comes to computing, they are. There are plenty of resources out there to teach you some very basic safeguards that require only common sense and a few guided mouse clicks to eliminate a huge portion of this problem. These people consistently refuse to use these resources, or simply choose to ignore them when it becomes slightly inconvenient to do otherwise. How many people ran out to find out how to turn off the deep-sixing of executables in Outlook when Microsoft added that feature? Did these idiots run out to find out why their PC was rebooting, how they got infected, and how they could prevent similar attacks in the future when Blaster hit? Of course not. They still don't patch, they still execute attachments, they still download and run crap like Gator, they're still grabbing executables off of Kazaa, and they STILL aren't turning on ICF. I could understand people getting burned once, but these imbeciles are getting burned again and again and again by the same thing over and over. I mean, look how lazy these spam-virus writers are now. They have the ultimate exploit: people with an IQ of about 2 when they're around computers. Shit... the goddamn viruses come with instructions on how to install them now and these morons are STILL getting infected!

          Look, I'm sorry, but we don't let mentally retarded people do a lot of dangerous things in "real" life, why should we let the Internet equivalent do the equivalent things on the net? It's not exactly a matter of freedom, it's a matter of truly incompetent people repeatedly failing to live up to even the most basic obligations of owning a broadband connection.

          I see no problem with this, whatsoever. In fact, I hope they start barring chronic offenders from the network permanently if they can't even take basic care of the connection.

          • Re:Yes Yes! (Score:5, Insightful)

            by southpolesammy ( 150094 ) on Wednesday March 10, 2004 @09:51AM (#8520854) Journal
            By any chance, would you be willing to CC this extremely excellent posting to all of the major ISPs, starting with RoadRunner? I was dealing with them regarding one of their users who most likely had an infected PC that he/she didn't know anything about, but was sending me virus-infected email for six months, and all the while, repeated attempts at communication with RoadRunner were totally useless. Their is an auto-responder, there is no telephone number for info-security, and the online techs could offer no assistance either.

            I'm sure my cust-serv problems are more related to the whole "No Help Helpdesk" thread of a few weeks back, but at what point do/can we start holding the ISPs liable for their users?
            • Re:Yes Yes! (Score:3, Funny)

              by CKW ( 409971 )

              Maybe you should claim that you are the author of some (benign) sub-component of the Virus, and as such you'll be able to send them a DMCA request for the identity of the user.

              Betcha the tech who saw that would get a laugh, and probably put it through!!
    • Re:Yes Yes! (Score:5, Interesting)

      by OECD ( 639690 ) on Wednesday March 10, 2004 @08:15AM (#8520095) Journal

      Because we all know Corporations policing is a VERY GOOD THING!(tm)

      Well, a coworker brought in his virus-ridden computer for me to take a look at, precisely because Comcast threatened to turn off his pipe. The interesting thing is that he knew he had a problem, but because he could work with a slower computer he didn't take care of it. So at least one zombie box that would have been 'put up with' by its owner is now off the net.

      OTOH, I'm worried about the precedent this sets. Who knows what other things will bring the 'death penalty' from the ISPs? What ports will be shut down because 'you don't need them'?

      • Re:Yes Yes! (Score:5, Interesting)

        by 47PHA60 ( 444748 ) on Wednesday March 10, 2004 @08:41AM (#8520305) Journal
        I agree with you on your second point. I am a comcast customer because they let me connect out to any port and leave all inbound ports open, which I need to test things as part of my job.

        My dream ISP service agreement would be one that guarantees full access to all ports and protocols, but the ISP reserves the right to shut off my connection if it is hijacked.
      • by Beithir ( 756523 ) on Wednesday March 10, 2004 @08:57AM (#8520423)
        I'm one of the sysadmins for a company with a large number of remote employees. Recently, one called me saying Comcast told them they had a trojan. Well, I couldn't fly out to look at the laptop and the employee couldn't exactly just send the computer and work from nothing. I had this person seek local help, and after several attempts Comcast still shut down internet service.

        I understand that techies across the world think this is super-fantabulous, but this is horrendous for the average end-user. Comcast doesn't (I will refrain from saying can't or won't) say what a user's system is infected with, or what exactly it's doing...just that there's some "illicit traffic" coming from that IP. That's great, now how am I supposed to diagnose the problem? It wouldn't be that difficult if the machine were in front of me, but how do I walk Mary End User through complicated tasks over the phone while she's already frustrated? If Comcast were doing more - i.e. they told you what the problem was and the steps you can take to remedy it - I would be more supportive of this. As it stands, it's just going to make a lot of end-users get cheated by shady local PC repair places while they get the run-around from fifteen different vendors. Make jokes about virus scans all you want, but nothing is fool-proof...and since any fool is equipped with a computer these days, infections will happen and malicious attacks will succeed. So +1 to Comcast for taking some initiative, and -2 for crappy execution and not giving half as much of a flying foo as they'd leave their customers to believe.
        • by spincycle1953 ( 721087 ) on Wednesday March 10, 2004 @09:20AM (#8520585)
          "I couldn't fly out to look at the laptop and the employee couldn't exactly just send the computer and work from nothing. I had this person seek local help, and after several attempts Comcast still shut down internet service....this is horrendous for the average end-user."

          What's horrendous for the end user you speak of is not that Comcast acted responsibly by cutting off a spam zombie's access, but that your IT department has not provided adequate support for remote users.
      • Heh (Score:3, Insightful)

        by The Tyro ( 247333 )
        same situation with a neighbor... I cleaned Mydoom, Netsky, and Beagle (the J variant) out of his computer... his computer was slower and more unstable than usual, so he asked me to look at it for him (it's a win98 box... 'nuff said).

        I've already set them up with a good firewall... controlling what they do with their Email attachments is a bit more problematic.

        I support cutting off accounts for abuse, whether intentional or simply clueless/negligent. Hell, I'd be delighted if somebody warned me that som
    • Re:Yes Yes! (Score:4, Insightful)

      by nacturation ( 646836 ) <nacturation @ g> on Wednesday March 10, 2004 @08:15AM (#8520098) Journal
      Because we all know Corporations policing is a VERY GOOD THING!(tm)

      It's their service and you're likely violating their AUP by allowing (through ignorance) your machine to be a spamming source. They have every right to police their own network to enforce their TOS.

      After all, we've seen how well relying on users to police themselves has worked.
    • Re:Yes Yes! (Score:3, Interesting)

      by thales ( 32660 )
      As a Matter of fact yes, having the owners of Networks policing them from abuse that affects other people on the Network as well as third parties is a very good thing, even if they are Corporations. Much better than having a knee jerk reaction of "a business did it so it's evil".
    • by JaredOfEuropa ( 526365 ) on Wednesday March 10, 2004 @08:21AM (#8520145) Journal
      Because we all know Corporations policing is a VERY GOOD THING!
      It sounds scary if you put it that way...

      Let's put it another way: the ISP states in their terms & conditions something like: "Subscribers are not allowed to distribute spam or worms over their connection, nor are they allowed to carry out DDOS attacks.". Doesn't sound too unreasonable, does it? Not even if the user breaks this rule unwittingly, because his computer is infected with something nasty.

      A rule like this puts the responsibility for the cleanliness of the subscriber's computer firmly with that subscriber. Rightly so, since that user is in an excellent position to do something about it. It sucks being disconnected because of a worm on your machine, but the alternative is to allow the worm to continue to spread.

      The only things I worry about are the accuracy of the detection mechanism used on the ISP's side, and the promptness with which they reconnect you after you fix the problem on your machine.
    • Re:Yes Yes! (Score:3, Insightful)

      by ThisIsFred ( 705426 )
      Well, because one corporation can't police its own defective products, I guess this is the better alternative. And I wish they would start throwing the switch on accounts that are sending out dozens of virus-infected e-mail messages. I'm sick of deleting them from my inbox, and so are my users.
    • Re:Yes Yes! (Score:5, Interesting)

      by DroopyStonx ( 683090 ) on Wednesday March 10, 2004 @08:49AM (#8520369)
      Because we all know Corporations policing is a VERY GOOD THING!(tm)

      Wow, you make it sound like a conspiracy theory as if your rights are being taken away. What they're doing is right. It's THEIR network, they can do whatever you want. It's not like you have a right to use the internet.

      If I owned an ISP and some computer illiterate moron failed to keep up with patches, I would dump them too. People need to start getting with it and taking responsibility for their own actions. How many years now have all kinds of viruses and worms been glorified in the media? Far back as I can remember.. so saying, "Well, I didn't know" no longer cuts it.

      If you're gonna go on someone's network, the least you could do is be kind enough to educate yourself about how to update/protect your own PC.
    • Re:Yes Yes! (Score:5, Interesting)

      by KC7GR ( 473279 ) on Wednesday March 10, 2004 @08:50AM (#8520373) Homepage Journal
      You're obviously not a SysAdmin, or someone else who runs mail servers. Otherwise, you'd be cheering very loudly (and a lot less sarcastically) in response to this (as I am!)

      I've lost count of the number of times a virus-infested "spammer zombie" Comcast box has tried to hit our mail servers, and the problem's been going on for at least the last six months. In fact, it has gotten bad enough that I have two entire domains ( and blocked out of our servers altogether.

      If Comcast's cable broadband customers are too ignorant or too stupid to take even the most basic of computing security precautions, why should the rest of the 'net have to suffer for their utter lack of responsibility for their systems? If they lose their connection until they TAKE RESPONSIBILITY for cleaning up their system, they have only themselves to blame.

      I, for one, am stunned that Comcrap actually DID something useful! Their abuse-handling unit has, in times past, shown all the responsiveness of a sun-warmed snail on Valium.

  • by Anonymous Coward on Wednesday March 10, 2004 @08:06AM (#8520029)

    Now, if only other broadband ISPs would start policing their user base

    You'd be first in line to moan about them 'infringing' on your interweb right!
  • wtf (Score:4, Insightful)

    by Anonymous Coward on Wednesday March 10, 2004 @08:07AM (#8520033)
    which side of the fence are we on? We don't like bandwidth limits, but we do like automatically triggered cutoffs, because we all know there is no such thing as a false positive.

    also, say grandma gets infected. She is best off downloading updated definitions for her old version of symantec, and letting AV take care of it. how do you do that with no intarweb?
    • Re:wtf (Score:3, Insightful)

      also, say grandma gets infected. She is best off downloading updated definitions for her old version of symantec, and letting AV take care of it. how do you do that with no intarweb?
      Grandma will get a friendly warning first, according to the article: "Fix the crap on your box asap or have your access terminated". That will give her time to get the update for her virus scanner.
    • how do you do that with no intarweb?

      ISP could set up captive portal (like on WLANs) with information and pointers to AV software updates. Either all traffic is relayed through proxy or then packets are allowed to AV sites.

      But false positives are the problem, of course. But once you get confirmed spam, virus or worm traffic, then you can be quite sure.

    • You ask why we don't like bandwidth limits and like automatically triggered cut offs, like the two are equal. I don't mind bandwidth limits as long as they are clear, since you pay for your usage, if you use more, you pay. You're generally not pestering other people when you use more and the burden falls on you as well.

      With cut offs it is different. An infected machine is a pain to the entire internet community except (often) the person whose machine got infected. If such a machine gets blocked from the i
  • by ObviousGuy ( 578567 ) on Wednesday March 10, 2004 @08:07AM (#8520037) Homepage Journal
    Doesn't this force those users to go out to CompUSA and buy a copy of McAfee or Norton antivirus?

    Blocking web access also means that those users aren't able to download good, free virus scanners like Grisoft's AVG.
    • by rebeka thomas ( 673264 ) on Wednesday March 10, 2004 @08:15AM (#8520100)
      I think so.

      My sister's university would not allow her PC back on the school network after they cut ALL student network access in the wake of MyDoom, until it could be verified by a tech at the school that she was running Norton AV.

      Her PC runs Debian and only Debian. It took more than a month for her to find a sane enough tech in admin to realise that it was pointless trying to do so. All of the rest tried the different bullshit techniques telling her why all PCs are a problem regardless of OS.

      The most classic was one of the last techs, a supposedly bright 35 year old guy who came around with a warezed copy of NAV to attempt installing on her PC. He not only knew what Linux was when he recognised it, but told her to make her PC secure she'd have to install Windows and THEN put NAV on.
      • by Zak3056 ( 69287 ) on Wednesday March 10, 2004 @09:41AM (#8520752) Journal
        The most classic was one of the last techs, a supposedly bright 35 year old guy who came around with a warezed copy of NAV to attempt installing on her PC. He not only knew what Linux was when he recognised it, but told her to make her PC secure she'd have to install Windows and THEN put NAV on.

        If the school was insisting that all user PCs had to be running NAV, it's possible they bought a site license, so it wasn't necessarily a warezed copy of the software, just something on a CD-R. Also, Symantec does make a linux version of their command line scanner, so it's not absurd that they require she install "NAV" on her machine.

        That said, the guy mentioned above is a dumbass on par with a tech at Adelphia cable I once spoke to when my modem lost sync. "We don't support Linux. You need to get a REAL operating system before I can help you."

      • NAV didn't protect people from Novarg A anyway, what is forcing people to install it supposed to accomplish?
  • Nice but... (Score:5, Insightful)

    by Anonymous Coward on Wednesday March 10, 2004 @08:08AM (#8520045)

    ...I'd like to know that the customers are all made aware of exactly what circumstances will cause their connection to be pulled.

    For example, I administer a mail server, and occasionally have to mail a virus or spam to myself to check that the filters are operating correctly. It would be very inconvenient if I got my connection pulled each time that happened.

    • Re:Nice but... (Score:3, Informative)

      by Flashbak ( 684750 )
      Why would you need to send test email, be they viruses or spam, via your isp's network? If you need to test filters or anti-virus configuration on your mail server do it locally - surely that's the responsible thing to do. I wouldn't want to propagate a virus even the eicar test virus outside of the networks I directly control. (Yes, I'm well aware the eicar test is benign, but that's not the point.)
    • Re:Nice but... (Score:4, Informative)

      by caino59 ( 313096 ) on Wednesday March 10, 2004 @08:33AM (#8520251) Homepage
      this is for the people's machines that are constantly trying to hit other machines and infect them....

      you know, where you see stuff like this recurring in your web server's logs...offending ip removed... - - [09/Mar/2004:14:43:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 332 - - [09/Mar/2004:14:43:56 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 332 - - [09/Mar/2004:14:43:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 346 - - [09/Mar/2004:14:43:57 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 346 - - [09/Mar/2004:14:43:57 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356 - - [09/Mar/2004:14:43:58 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 302 376 - - [09/Mar/2004:14:43:58 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 302 376 - - [09/Mar/2004:14:43:58 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1941 - - [09/Mar/2004:14:43:59 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357 - - [09/Mar/2004:14:43:59 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1941 - - [09/Mar/2004:14:44:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357 - - [09/Mar/2004:14:44:00 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357 - - [09/Mar/2004:14:44:01 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 337 - - [09/Mar/2004:14:44:01 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 337 - - [09/Mar/2004:14:44:02 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+d ir HTTP/1.0" 302 356 - - [09/Mar/2004:14:44:02 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356

      the people they are cutting off are sending out daily attacks to multiple machines, not just once or twice sending out crap here and there. i think you'll be ok.

      • Re:Nice but... (Score:4, Informative)

        by DR SoB ( 749180 ) on Wednesday March 10, 2004 @10:37AM (#8521269) Journal
        No it's not, that's some bozo trying to "root" your machine. That's a traverse directory attack they are attempting. It happens all day, every day, and it's NOT what Comcast is going after. Webserver logs show you who is trying to connect to your WEBSITE, it has NOTHING to do with SPAM. If you want to see who these bozos are just look at the header of your spam email and do a TRACERT (or TRACEROUTE) to their IP address and see if it's a Comcast subnet (or names resolve...). It may be a cheap virus, it may be some hackers scanning tool, but most Comcast customers are not running old versions of IIS (which is what they are trying to infect by the weblog you posted.).. Check out the Security Focus website for more information..
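A defender-side sketch of how the probe burst in the web-server log quoted in the thread above can be told apart from ordinary requests and from one-off hits; it is an added example, not code from any poster. The source addresses are constructed documentation addresses (the poster removed the real one), the request paths are taken from the quoted log, and the tag names, the 5-hit threshold and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
PCT_RE = re.compile(rb'%([0-9A-Fa-f]{2})')
SHELL_NAMES = {b'cmd.exe', b'root.exe'}   # binaries requested in the quoted log

# Constructed sample: paths copied from the thread, addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Mar/2004:14:43:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 332',
    '192.0.2.10 - - [09/Mar/2004:14:43:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 346',
    '192.0.2.10 - - [09/Mar/2004:14:43:57 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356',
    '192.0.2.10 - - [09/Mar/2004:14:44:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357',
    '192.0.2.10 - - [09/Mar/2004:14:44:01 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 337',
    '192.0.2.77 - - [09/Mar/2004:14:44:05 -0500] "GET /docs/release%20notes.html HTTP/1.1" 200 5120',
    '198.51.100.5 - - [09/Mar/2004:15:10:00 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1941',
]


def decode_layers(raw: bytes, max_rounds: int = 4):
    """Percent-decode repeatedly; return (decoded bytes, rounds that changed it)."""
    rounds = 0
    for _ in range(max_rounds):
        nxt = PCT_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
        if nxt == raw:
            break
        raw, rounds = nxt, rounds + 1
    return raw, rounds


def classify(target: str):
    """Return the set of probe indicators found in one request target."""
    path = target.split('?', 1)[0].encode('latin-1', 'replace')
    decoded, rounds = decode_layers(path)
    norm = decoded.replace(b'\\', b'/').lower()
    tags = set()
    if rounds > 1:                        # e.g. %255c -> %5c -> backslash
        tags.add('nested-encoding')
    if b'\xc0' in decoded or b'\xc1' in decoded:
        tags.add('overlong-utf8')         # 0xC0/0xC1 never start valid UTF-8
    if b'../' in norm:
        tags.add('traversal')
    if norm.rsplit(b'/', 1)[-1] in SHELL_NAMES:
        tags.add('shell-binary')
    return tags


def find_scanners(lines, min_hits=5, window=timedelta(seconds=60)):
    """Sources with at least min_hits flagged requests inside one sliding window."""
    hits = defaultdict(list)              # src -> [(timestamp, tags)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m['target'])
        if tags:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
            hits[m['src']].append((ts, tags))
    report = {}
    for src, events in hits.items():
        events.sort(key=lambda e: e[0])
        start = best = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            report[src] = {
                'burst': best,
                'indicators': sorted(set().union(*(t for _, t in events))),
            }
    return report


if __name__ == '__main__':
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(src, info)
```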
  • Cox does this... (Score:5, Informative)

    by h0mer ( 181006 ) on Wednesday March 10, 2004 @08:08AM (#8520048)
    I know anecdotal evidence is pretty much worthless, but my friend got infected with all sorts of nasty ad/malwares, along with Blaster and a couple other worms. Cox deactivated his cable modem, he had to call them and go through phone hell to get his service back. So I'm not really sure it's only Comcast doing this.
    • Re:Cox does this... (Score:3, Interesting)

      by AbbyNormal ( 216235 )
      go through phone hell

      I am also a Cox subscriber and I believe that their phone "service" should be labeled cruel and unusual punishment.

      Also, have any other Cox users noticed a decent amount of Port Scanning from Cox? Is this part of their scanning for Viruses/worms? After one weekend where I was scanned twice in a matter of hours, I sent my logs to their "abuse" address. I have yet to hear back from them. Coincidentally, I have yet to be scanned since then.
    • Re:Cox does this... (Score:3, Interesting)

      by LoudMusic ( 199347 )
      Agreed. My roommate worked for a large broadband ISP in Arkansas which was regularly shutting off connections for usage abuse. Though they didn't have tools to help them. For the most part they just watched the load, checked the logs, and updated router configs manually.

      But it worked. And they blacklisted addresses and names of repeat spammer offenders and refused service to them in the future. He said they had the same people buying ISDN lines under different names all the time. Or the same name at a neig
  • Is this right? (Score:3, Interesting)

    by Millbuddah ( 677912 ) on Wednesday March 10, 2004 @08:09AM (#8520051)
    Are these guys even allowed to do this based on the user agreement they get their subscribers to sign? I'm sure most of these computers that get hijacked are used by Joe Somebody who probably has no idea that his computer has been hijacked. If Comcast and other ISPs are so keen on cutting off access to spammers, why not provide a firewall and antivirus programs along with their subscriptions? I'm sure it'd cost them a piddly amount and wouldn't really be all that hard to work out a deal with these software vendors to bundle them into the deal. Maybe I'm way off base here but it just doesn't sound right to just cut off access.
  • I'm glad. (Score:5, Insightful)

    by jellomizer ( 103300 ) on Wednesday March 10, 2004 @08:09AM (#8520054)
    Although a lot of the spammers are not spammers but people with infected computers. But they won't do anything unless they have to. Cutting net access to them will force them to fix the problem one way or another. Most people who are hacked will go well it is not affecting me so I won't fix it. But with their connection gone then it is affecting them. Now they can fix it themselves or hire someone to do it. But this is a good first step.
  • by DarkFencer ( 260473 ) on Wednesday March 10, 2004 @08:10AM (#8520059)
    I applaud this decision. Even though it will possibly cost them customers or cost them additional tech support time, they will be cutting off people's owned windows boxes.

    Let's hope they hold to this once the calls start coming in from people who have everything from Bagle to Netsky (along with probably a heavy dose of spyware too)
  • by Amiga Lover ( 708890 ) on Wednesday March 10, 2004 @08:11AM (#8520062)
    wtf? How is this going to benefit the people who're running the machines?

    Try sending out an ISP bulletin with the simple tips on how to avoid getting exploited in the first place. It's dead simple.

    1. install patches regularly
    2. virus scan
    3. don't open attachments
    4. don't install spyware.

    If people used these 4 simple techniques, while it wouldn't be perfect, it would by my thoughts drop the number of infected machines down by three quarters, which will DRAMATICALLY reduce the efficiency and productivity of running a spamming business, and spammers won't have any choice but to leave you alone.

    Cutting people off is just going to get them to take infected machines somewhere else.
    • by realmolo ( 574068 ) on Wednesday March 10, 2004 @08:28AM (#8520215)
      You obviously have never worked as tech support.

      You could send out that email every day, with detailed instructions, and it would have very, VERY little effect on the number of infected/hijacked machines.

      Most users just won't do that stuff. Especially if it involves anything more complicated than "Click here". Multi-step instructions are not going to be followed. Unless, of course, it's going to win them a free trip to Disneyland.

      As far as "don't install spyware"...well, spyware is hard to classify, and a lot of it installs pretty silently. Expecting users to be able to distinguish between "bad" pop-up dialogs asking to install Gator and "good" pop-up windows asking to install Flash (or whatever) is asking too much.

      Attachments in emails are just going to be opened, period. No one ever learns their lesson in that regard.

    • If they don't just delete the bulletin right off, they probably won't follow it 100% anyway. If they do:

      1. install patches regularly ...or set it up to happen automagically. However, most n00bs are still going to get tripped up by this no matter how easy you *think* it is for them.

      2. virus scan
      Again, automagic updates would be nice too. This one would probably work out most of the time.

      3. don't open attachments
      'But it was from my mother/sister/brother/son and they said they loved me!'... This won
  • A better solution... (Score:5, Interesting)

    by SmackCrackandPot ( 641205 ) on Wednesday March 10, 2004 @08:12AM (#8520073)
    ... would be to put the network connection onto a quarantined sub-net where all the necessary virus removal tools were available. Once the machine was cleaned up, it would be allowed general network access again.
    • by daveewart ( 66895 ) on Wednesday March 10, 2004 @08:25AM (#8520187)

      quarantined sub-net

      My ISP, NTL, did this during the Blaster epidemic. They used some kind of portscan to determine which machines were infected and then put their connections in a 'walled garden'. All web traffic that went through this 'walled garden' resulted in a page describing what the problem was and included lots of pretty pictures explaining how to fix the problem.

      The portscanning caused some alarm to those of us with firewalls, until it became clear what they were doing.

      I believe their patching instructions were:

      • Download debian-3.0r2-woody.iso
      • Burn to CD
      • Reboot ...
  • Happened to me. (Score:3, Informative)

    by Anonymous Coward on Wednesday March 10, 2004 @08:12AM (#8520077)
    I had a machine on AT&T (now Comcast) that was infected by a worm. Bummer. I'll tell you, you have to keep up with those service packs even if you're going to directly connect to the network for "just a few hours".

    Anyhow, my friends at AT&T Broadband (the ones that never answered their phone) sent me a nastygram telling me that I was doing a bit too much port scanning for their liking (duh...)

    So I ripped the machine off the network and poked around. Yep, it turned out that my machine was infected a few hours after I installed the OS, and it was doing its bad thing for WEEKS.

    At the time, AT&T just "informed me" that I should stop doing bad things. I think it would have been prudent for them to kill my service until I took corrective action.

    Of course, this was 3 years ago or so... a more innocent time...
  • by gowen ( 141411 ) on Wednesday March 10, 2004 @08:13AM (#8520082) Homepage Journal
    That explains why I haven't been spammed by a Comcast box for ... 36 minutes :(
  • I for one... (Score:5, Interesting)

    by Sentosus ( 751729 ) on Wednesday March 10, 2004 @08:14AM (#8520089)
    I for one welcome our new connection blocking ISP overlords?

    First time for me...

    I agree that this should be done in extreme cases where the customer is CONTACTED before so that information and education can be PROVIDED. Simply clipping the wire does not fix the issue for anyone but the ISP.

    Second, [] implemented the policy above with much success. I was happy as a customer of theirs.

    It is unfortunate that this has to be done, but wouldn't a more effective solution be to block all ports but 80 or maybe even force all their traffic to a URL with an explanation of the virus and let them know that they can not do anything on the web until it is fixed?

    • Re:I for one... (Score:5, Insightful)

      by mccalli ( 323026 ) on Wednesday March 10, 2004 @08:35AM (#8520265) Homepage
      Simply clipping the wire does not fix the issue for anyone but the ISP.

      It fixes the issue for me as well. And you. And, in fact, anyone at all who isn't the person infected.

      Having said that, I agree with your point about prior contact. I'm fully in favour of cutting off virused connections however, and in a reasonably swift time limit too.


  • Code Red Lives! (Score:4, Interesting)

    by ChrisKnight ( 16039 ) <merlin@g[ ] ['hos' in gap]> on Wednesday March 10, 2004 @08:16AM (#8520107) Homepage
    Code Red showed up in August of 2001. Anti-virus vendors, and even Microsoft, released detection and cleaning tools. To this day, two and a half years later, I am still getting Code Red hits from infected machines.

    It is about bloody time that a large provider has become willing to proactively cut off infected machines. Now if only UUNet would do the same, as most of the Code Red hits I receive come from within my own NSP's network.

  • by Osrin ( 599427 ) on Wednesday March 10, 2004 @08:17AM (#8520108) Homepage
    How is an infected user supposed to resolve the issues that they have if they can't get to an update or patch?
  • Debtor's Prison (Score:5, Insightful)

    by Anonymous Coward on Wednesday March 10, 2004 @08:17AM (#8520111)
    This reminds me of the idea of putting people in jail for debt. Bankruptcy amounts to a life sentence, since there was no possible way a person could make up the sum of money while in jail, away from the work force.

    How can these people fix the problem without access to up-to-date patches and virus scans?
    • Business Plan (Score:5, Interesting)

      by bludstone ( 103539 ) on Wednesday March 10, 2004 @09:00AM (#8520445)
      I have a suggestion.

      Write up a small business plan based around these knocked-off-the-network infected PCs.

      You can charge "$50 + travel fees. Usually under $100" to clean their computer, and get them back online. Yeah. It's a fee, and many people won't be happy about paying it. But, at the same time, it'll teach them a lesson about security on their PC. If they don't want to pay it again, they'll have to do their own security stuff.

      You see politics, I see opportunity.

      The only real trick to this would be streamlining with Comcast, which is next to impossible.
  • by jchawk ( 127686 ) on Wednesday March 10, 2004 @08:18AM (#8520115) Homepage Journal
    Mail Admins do yourself a favor.

    Just nuke the following -


    And for good measure -

    That should take care of most of the zombie / virus / idiot mail. None of their residential customers should be sending email directly from a dynamic IP address. This will seriously cut a good bite of the spam / viruses you are receiving, and you don't have to worry about missing email because they should be relaying through central mail servers.
    • you don't have to worry about missing email because they should be relaying through central mail servers.

      Sooner or later, mail admins, the target will be you. Today, it's the "clueless" home user. Tomorrow, it will be the clueless admin at a small company. In the end it will be everyone but AOL/M$N/McDisneyNet.

      All praise for Comcast. Comcast's actions will make blocking their clients redundant. This makes it so you won't, in the future, need a license to send email. As a cable subscriber, I want the

  • One Good Result (Score:5, Insightful)

    by VernonNemitz ( 581327 ) on Wednesday March 10, 2004 @08:20AM (#8520138) Journal
    To me, this sounds like an OK idea, because I bet this will be the ONLY way that many users FIND OUT that their computers have become zombie spambots.
  • by ausoleil ( 322752 ) on Wednesday March 10, 2004 @08:20AM (#8520139) Homepage
    There is a certain responsibility that comes with being a part of the internet, one that has become greatly understated since the commoditization and commercialization of the 'net as a whole: do not become a danger or a malfeasance to the rest of the machines that are also connected.

    Unfortunately, this is something that seems to be lost on the clients of broadband always-on connections, especially those that are used by folks with little or no proficiency. While they have no intention of becoming spam-hosts, or DDOS platforms, by not keeping their machines protected against the various evils that lie in waiting out there, they unwittingly become part of the problem.

    This does not reduce the hassles and costs to other sysadmins and users of the 'net as a whole. That said, it seems only fair for an ISP to mitigate the problem by pulling the connection of a user whose system(s) are spewing out malware.

    There are reasonable precautions one should take, that is, having a good firewall, keeping the machine patched and having good virus protection. No, this does not come without some effort and not always without cost. But, to be connected to the internet full-time, it is a cost of doing business, not unlike having insurance for your car in case you cause an accident. Liability insurance is to protect the public, and you from losing everything should you do harm to others. Keeping worms, trojans and viruses off of your machine also protects not only you but others as well.

    So, it is really a matter of responsibility.
  • Why not... (Score:3, Insightful)

    by Shirov ( 137794 ) on Wednesday March 10, 2004 @08:21AM (#8520142) Homepage
    Require the installation of a "personal firewall" when the users sign up for an account. Hell, everything else and the kitchen sink was on that CD when I signed up for Comcast... This would probably cut 99% of the problems out. If not a software based solution, how about a hardware based one? How hard would it be to put a firewall in the router they charge 4.95/m to use? Hell, tech support could configure it for grandma, grandpa, mom, dad, ...

    But I guess it is easier to just shut them off, and then charge a reconnection fee... eh?

    • Re:Why not... (Score:3, Interesting)

      by CrankyFool ( 680025 )
      Why not require a personal firewall? How about prior restraint (the concept, not the legal definition)?

      If I'm putting a Solaris box on their network, I don't want to have to install ZoneAlarm on it. I know how to secure Solaris boxes, thankyouverymuch. If they see a problem coming from my IP, they have my permission to nuke it, but until then, leave me alone.

      In other words, presume innocent and assume the user will deal with it until proven otherwise -- and then respond with extreme prejudice.
    • Re:Why not... (Score:3, Insightful)

      by kindbud ( 90044 )
      Require the installation of a "personal firewall" when the users sign up for an account.

      Personal firewalls are crap. They cannot - by design - interfere with the other operations of the PC, so they won't allocate a large enough pool of memory for keeping state on active connections. This results in lots of false alerts if TCP FINs are retransmitted, and on our busy ad banner servers, they sometimes are retransmitted. The PC firewalls think this is a FIN scan, because they have already purged the session
  • by SignalFreq ( 580297 ) on Wednesday March 10, 2004 @08:25AM (#8520180)
    Here is Comcast's Terms Of Service.

    From the AUP:
    Note: Comcast reserves the right to immediately terminate the Service and the Subscriber Agreement if you engage in any of the prohibited activities listed in this AUP or if you use the Comcast Equipment or Service in a way which is contrary to any Comcast policies or any of Comcast's suppliers' policies. You must strictly adhere to any policy set forth by another service provider accessed through the Service.

    So they can terminate service, based on violation of the subarticles:

    (vii) restrict, inhibit, or otherwise interfere with the ability of any other person, regardless of intent, purpose or knowledge, to use or enjoy the Service, including, without limitation, posting or transmitting any information or software which contains a worm, virus, or other harmful feature, or generating levels of traffic sufficient to impede others' ability to send or retrieve information;

    And transmitting a virus is definitely a violation. Still, it would be nice if there was more information on what will cause them to pull the plug.

  • Overkill (Score:5, Insightful)

    by Albanach ( 527650 ) on Wednesday March 10, 2004 @08:25AM (#8520190) Homepage
    I know of at least one ISP in the UK who respond promptly to complaints about spamming and worm infections. Their response is that the user gets informed of the situation and port 25 gets blocked. No outgoing mail.

    It's about the easiest thing in the world for the ISP to do and it's _very_ effective. Another option would be for ISPs to force all SMTP traffic through their own mailserver and virus scan it. They could easily spot a home user sending a couple of thousand messages in an hour or one spreading infected email everywhere.

    If you want unfettered access you can pay for a co-lo box and take the responsibility too. People can't keep hiding behind their ISP and dynamic IPs. I'm all for personal freedoms on the net, but with freedom comes responsibility. Deal with it.
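
The rate check described in the comment above ("a couple of thousand messages in an hour"), as an added example that is not part of the original post or any ISP's tooling: it counts each subscriber's port 25 connections that bypass the ISP relay in a sliding one-hour window. The flow-record format, all addresses, the relay IP and the threshold are constructed assumptions, and one flow stands in for one message.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ISP_RELAYS = {"192.0.2.25"}     # assumption: the ISP's own outbound mail relay
WINDOW = timedelta(hours=1)
THRESHOLD = 2000                # "a couple of thousand messages in an hour"


def parse_flow(line):
    """Parse 'ISO-timestamp src_ip dst_ip dst_port' (constructed record format)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_smtp_abusers(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {subscriber_ip: verdict} for sources whose direct port-25 flows
    (not via the ISP relay) reach `threshold` inside any sliding `window`."""
    recent = defaultdict(deque)          # src -> (timestamp, dst) still in window
    flagged = {}
    for ts, src, dst, port in sorted(map(parse_flow, lines)):
        if port != 25 or dst in ISP_RELAYS:
            continue                     # relayed mail is scanned at the relay
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()                  # drop flows older than one hour
        if len(q) >= threshold and src not in flagged:
            flagged[src] = {
                "first_exceeded": ts,
                "flows_in_window": len(q),
                "distinct_destinations": len({d for _, d in q}),
            }
    return flagged


def response_for(src, verdict):
    """The response from the comment: inform the user, block outbound port 25."""
    return {
        "subscriber": src,
        "notify": f"{verdict['flows_in_window']} direct SMTP connections to "
                  f"{verdict['distinct_destinations']} hosts within one hour",
        "block": {"proto": "tcp", "dst_port": 25},
    }


def constructed_flows():
    """Constructed sample: one zombie, one relay user, one slow bulk sender."""
    base = datetime(2004, 3, 10, 8, 0, 0)
    lines = []
    for i in range(2400):    # zombie: one direct flow per second for 40 minutes
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 198.51.100.7 203.0.113.{i % 200 + 1} 25")
    for i in range(30):      # ordinary user: everything goes through the relay
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} 198.51.100.8 192.0.2.25 25")
    for i in range(2500):    # 2500 direct flows, but only about 515 per hour
        t = (base + timedelta(seconds=7 * i)).isoformat()
        lines.append(f"{t} 198.51.100.9 203.0.113.{i % 20 + 1} 25")
    lines.append(f"{base.isoformat()} 198.51.100.7 203.0.113.80 80")  # web, ignored
    return lines


if __name__ == "__main__":
    for ip, verdict in find_smtp_abusers(constructed_flows()).items():
        print(response_for(ip, verdict))
```

The third subscriber sends more mail in total than the zombie yet is never flagged, which is why the window matters more than the daily total.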

  • Adelphia (Score:3, Informative)

    by Anonymous Coward on Wednesday March 10, 2004 @08:49AM (#8520362)
    The ISP I work for (Adelphia, thus Anon :) ) is working on a way to handle customers like these.

    -First, the customer is identified, then placed into a 'walled zone'.
    -This walled zone will route/allow the cable modem to go only to one specific location, a certain web page in this case.
    -Said web page will include downloads for virus fixes and such. Customer goes there, downloads, and cleans up his computer.
    -When it has been verified that the customer has gone there and cleaned up, they check his system, then reactivate his account.

    To me it seems like a pretty nifty way of stopping virus spreading while keeping the customer informed of what's going on.
  • by CAIMLAS ( 41445 ) on Wednesday March 10, 2004 @08:51AM (#8520379) Homepage
    instead of cutting off net access entirely, why not provide a means to actually fix the problem instead of alienating their customers?

    why not (say) decrease the dhcp lease time from whatever to an hour or so. when whatever mechanism they're using to detect spam/whatever infection (hope to god they're not just listening for smtp traffic, that'd be evil but sadly likely) goes off, it would tell the cable modem to use a different config which would then allow the user to get a different dhcp lease. this lease would set their router to something different, which would then pipe a single page to the user - similar to what many universities install for when users try and access pr0n or something like that from a school computer.

    some mechanism (i'm not familiar with routing protocols unfortunately) would then be provided to drop all traffic at the router except for http traffic through a specific gateway, possibly to specific hosts such as mcafee, symantec, and the various other free virus and malware scanning packages.

    This is a bit more complex, but surely it's possible - I've seen and/or read about all the various mechanisms I mentioned above.
  • We do this (Score:3, Informative)

    by PhraudulentOne ( 217867 ) on Wednesday March 10, 2004 @08:53AM (#8520396) Homepage Journal
    I administer a large DSL/dialup userbase and I monitor upstream bandwidth as much as I can. If I notice a DSL customer that has 100% of their upstream bandwidth used I usually check the traffic to see if it's email. I will notify the customer and give them a day or two to rectify the problem. If the problem is not fixed within 48 hours I will disable that PVC which will effectively drop sync from the user's modem. When the customer comes home, they are now forced to fix the problem. I try to explain to them as politely as possible that they are contributing to the junk mail problem that they are always complaining about and that we had to disable their connection to prevent this. Most people understand and the lack of internet connection gives them the initiative to get up and go purchase some AV software and to run Spybot or some similar program. They phone back once their computer is clean and I turn the circuit back on.
  • Bad Idea (Score:5, Insightful)

    by Underholdning ( 758194 ) on Wednesday March 10, 2004 @08:58AM (#8520431) Homepage Journal
    This is a very bad idea! The best source for antivirus and spyware-removal software is on the internet. To me, it looks like they're burying the problem instead of fixing it.
    Now, here's my humble suggestion for a better solution. If a PC is identified as a compromised machine, it's added to a pool of machines that all get a special IP and special DNS servers (I assume they run DHCP - if they don't they should). Now, the new DNS servers resolve all addresses to a special page dedicated to downloading anti-spyware and virus checkers. Maybe even an online scanner like housecall. So, when Joe Luser fires up his web browser, he reaches this page no matter what he types. Once his machine is cleaned, he will be removed from the compromised pool.
  • by csoto ( 220540 ) on Wednesday March 10, 2004 @09:05AM (#8520484)
    I sent one here [].
  • Excellent (Score:3, Interesting)

    by Luminous Coward ( 445673 ) on Wednesday March 10, 2004 @09:23AM (#8520608)
    Comcast is, hands down, the largest spam source of the Internet with approximately 640 million messages every day. Personally, 25% of the spam I receive comes from the Comcast network. Of course, users are unaware that the latest virus has turned their computer into an open proxy sending millions of messages every day. I hope other major ISPs such as Road Runner (180 million), AT&T (150 million), and AOL (140 million) follow suit, and disconnect open proxies and zombies when they are found.
  • by sqlrob ( 173498 ) on Wednesday March 10, 2004 @09:57AM (#8520910)
    A few weeks ago, I got a warning from RR saying "you are doing a DDOS attack and are probably infected with a trojan"

    Considering a) I'm running Linux and b) I do forensics on trojans at work, I'm not going to be infected.

    I checked my wife's box which was Windows at the time, and it was clean. I checked mine and it was clean.

    A little more digging and the "attack" comes down to SpamAssassin. Anyone who was running SpamAssassin or MailWasher got these warnings because RR couldn't manage their freaking DNS servers correctly.

    I for one do not want to get cut off because of the incompetence of the ISP.

  • by MobyDisk ( 75490 ) on Wednesday March 10, 2004 @10:09AM (#8521014) Homepage

    The problem here is that Comcast is shutting down people's connections with no recourse to find out why or to re-enable it.

    I received an email and an automated phone call from Comcast stating that I had an infected computer and I must clean it up. I was immediately pleased that they noticed, but frustrated that I could be infected. 5 PCs with varying OSs, all with firewalls and/or antivirus software, so I thought it was unlikely but possible. After doing a full scan I found no viruses.

    So I called Comcast's 800 number. They said I need to call a different long-distance number. That number is an automated system with nothing but dead ends. If I select the option about "Viruses and spam emails" then it tells me to email abuse at if I get a bad email. But I don't want to report a spam, I received a report. All the options did approximately the same thing: Told me something I already know then hung up. Several calls later, I used the "leave a message" option. A week goes by and I received no call back. I replied to the email but received no response. Nobody on the service number would talk to me about it.

    So I receive another email telling me that my service may be disabled if I don't fix the problem. So what do I do now?

    To top it off, this isn't the first time. About 8 months ago, Comcast called and told me I was reported for sending spam. When they read me part of the SpamCop report (which they refused to do many times) it turned out to be a SpamCop report that my roommate made! We _reported_ the spam, we didn't _send_ it! After much arguing, the guy finally got it and left us alone. Mistakes happen, but what irks me the most is that they wanted to tell me I sent a spam, and make sure I corrected my behavior, but refused to tell me the source of the report, or what the email was, or when it was sent, or anything!

    Below is the email Comcast sent me. It looks like a form email, with no specific statement about what went wrong.


    Comcast has received complaints about your computer. We believe it may be:

    * Infected with a virus

    * Sending "spam" email that you are unaware of

    * Allowing spammers to use your connection to send their spam

    * Trying to infect other computers on the Internet with viruses

    The health of your computer is your responsibility. Consult your computer's manufacturer if you are unable to remedy the situation.


    This message was sent by the Comcast Network Abuse and Policy Observance Team. We investigate reports of Internet Abuse by our customers. We have received such a report identifying your computer.

    The complaint(s) we have received were from other users of the Internet, who are receiving email from you, which they did not request. We understand that you may not be aware of any such email, and you will not see it in your normal email program.

    Typically these types of emails are caused, or are allowed to be sent by, viruses. They are either trying to infect other user's computers, or they allow spammers to connect to YOUR computer to send their spam.

    If you have anti-virus software on your computer, we recommend visiting the manufacturer's website to update it, as it may be out of date and unable to find the virus that's causing the problem. New viruses come out frequently, so it is important to update the software often, or automatically if possible. We also recommend a security software solution, such as a firewall to further restrict access to your system. Firewalls help to prevent such activity by allowing only the software and transactions that you choose to utilize your Internet connection.

    If you are deliberately sending these emails, we ask you to stop. Further complaints will require us to suspend or even terminate your service.

    If you have further questions or would like to notif

  • I work for Comcast (Score:4, Informative)

    by ironicsky ( 569792 ) on Wednesday March 10, 2004 @10:14AM (#8521057) Journal
    I agree with our cut-off policy for people infected with worms. Right now, we're not actually terminating their service, we're just blocking their SMTP and POP access so they cannot transmit viruses. In the rare case, our system will disable a customer's account if they are transmitting a virus.

    But, users are dumb, and I'll agree with that. Last summer when the blaster worm came out, we emailed our customers ahead of time telling them they need to download the Microsoft patch.

    On top of that, the Microsoft Windows Update popup that comes up by default, once a week, users still continue to ignore it because they don't know what it does.

    Personally, I'd like to see more of this type of internet policing by ISPs. They should also be blocking people who have open SMB shares on their Windows Networks. I can't count the number of times I've purposely gone into someone's SMB share and dropped a text file telling them how to fix it.

    I, however, disagree with the Government policing of the internet. I believe the internet should be policed by the people who pay for it to be there. That would be us and the ISPs.
