Internet service provider Comcast Corp. is cutting off Internet service for some customers whose computers are being used to relay spam messages, according to a company spokeswoman.
Comcast has been contacting customers whose machines are being used as "zombies" to forward spam e-mail with warning messages. In some cases, the company has cut off Internet access to customers, some of whom are unaware their system is sending out the commercial solicitations, said Jeanne Russo, a spokeswoman for Comcast's cable division.
The decision to cut off spam zombies is not new, but is part of an "ongoing effort" to protect the company's network and its customers from abuse at the hands of hackers and spammers. Comcast declined to comment on whether it is stepping up its efforts to shut down the spam zombies, but the company will increase its efforts to match any increase in spam, Russo said.
Comcast is one of the U.S.' leading providers of high-speed Internet access, with more than 5.2 million subscribers to its high-speed data services. It is also the leading sender of e-mail, according to IronPort Systems Inc.'s e-mail analysis service Senderbase.
The company has long been a target of antispam activists, who complain that Comcast's large home user customer base contributes to the spam epidemic, said Johannes Ullrich, chief technology officer of the SANS Institute's Internet Storm Center.
Malicious hackers prey on unprotected systems, as well, installing remote access software that allows the machine to be enlisted in distributed denial of service attacks against Internet domains, he said.
Recent published reports have suggested that spammers may be acting in concert with virus writers, such as the author of the Sobig virus, to build networks of insecure and virus-infected home machines that are used to distribute spam.
"Comcast is one of the favored networks of spammers, because Comcast customers have a lot of bandwidth and are usually not secured against common (software) vulnerabilities," Ullrich said.
The Internet Storm Center recorded scanning activity characteristic of virus-infected machines from about 10,000 Comcast machines on Sunday, Ullrich said.
At the same time, Senderbase records show what appear to be the Internet Protocol addresses of more than 40 Comcast customers who have sent out more than 100,000 e-mail messages a day, with many sending close to 1 million daily e-mail messages (http://www.senderbase.org/?searchString=comcast.net&searchBy=domain).
In addition to allowing spam to be sent from its network, Comcast allows traffic over its network that is destined for communications ports, such as port 445, that are favorites of malicious hackers, Ullrich said.
Ullrich said the Internet Storm Center tells Comcast when it finds infected hosts by sending a message to a Comcast e-mail address set up to receive complaints about abuse. Typically the company does not respond directly to such reports, but it has moved to shut down infected hosts after receiving complaints, he said.
Comcast says that it is aware of the problem, is alerting customers who were hacked and is helping them secure their computers.
Customers booted from the network can frequently have their access restored after taking steps to prevent future infection, Russo said.
While Comcast's network may be one of the biggest spam conduits on the Internet, the company is not alone in wrestling with the spam problem, Ullrich said.
"It's a combination of high bandwidth and unsophisticated users. Comcast is not that different from AT&T (Corp.) or DSL (Digital Subscriber Line) providers," he said.