Slashdot Mirror


Swedish ISP Blocks Computers That Send Spam

snuppepuppan writes "One of Sweden's largest ISPs, Telia starts to block computers that send spam. 'The computers that Telia will block are primarily those that have been infected with "trojans" which are being used, without the customer's knowledge, to send enormous amounts of spam.'"

22 of 265 comments

  1. Good. by clfrd · Score: 4, Insightful

    More ISP's should do the same.

    Period.

  2. This is a great thing by the+man+with+the+pla · Score: 4, Insightful

    ISPs taking some level of responsibility for the actions of their subscribers is *tremendously* important. Spam exists because of the complacency of two entities: ISPs that allow (or even sell bandwidth to) spammers to use their networks; and Microsoft, for making it so easy for computers to be enslaved by spammers (sorry I know that's flamebait, but it's true.)

    --
    The linux hacker
    1. Re:This is a great thing by it0 · Score: 2, Insightful

      Yes but it has implications, if they take action against spam, they must take action against kiddie porn, warez etc. That's still fine, however I can imagine that there are gray areas where ISPs are going to screw up.

  3. Tell the Infected Individual First by GOPWillC · Score: 2, Insightful

    It makes perfect sense to block off the trojan infected PCs that are sending SPAM. But I don't believe it is fair not to notify the user of said infected PC. Some of these people may have friends who have Telia email accounts, and if they're being blocked, it means they can't receive mail from them. So, while I agree with Telia's decision, they should give the courtesy of notifying the individuals first.

    1. Re:Tell the Infected Individual First by jaavaaguru · Score: 3, Insightful

      I see nothing wrong with the customer's connection being immediately withdrawn. When they find out they either can't connect to the 'net, or just can't send e-mail, they'll call technical support anyway, and then the ISP can easily inform them of the problem.

      Also, people shouldn't choose to use technology that they don't have a good understanding of unless it's been set up properly by someone else beforehand. By that, I'm not meaning that the average member of the public shouldn't surf the Internet with their PC - one of these things should be happening:

      1. They use a computer system that's been set up securely by the vendor

      2. They apply all the latest security patches as soon as they're released

      3. They understand about computer security and secure their system themselves.

      If you own a computer connected to the Internet, then it's up to you to decide what you do with it, and what you let other people do with it.

    2. Re:Tell the Infected Individual First by flurdy · Score: 3, Insightful

      I disagree.
      It is not nice to be cut off without warning, but if your machine is infected or compromised in some way then it needs to be isolated.

      True, an email warning would be helpful, but some people only read their email once a week or less. In the mean time their machine could still be on, and relaying junk all over the place.

      Best cut them off and have them contact Customer Services to be reconnected. Ok they probably might want to join another company afterwards...

      Or send them a physical letter.

      The best solution though, would be to move suspected customers into a specific firewalled network where all ports were blocked incoming and outgoing and all that was allowed was incoming pop3/imap so they could receive the warning message?

      --
      My other Sig is very funny.
  4. Re:a great idea by BrokenHalo · Score: 4, Insightful
    abuse desks are mostly staffed by the clueless.

    That's where they are staffed at all. There are all too many ISPs who appear to be happy to turn a blind eye to this type of activity, in spite of the fact that it costs them money.

  5. Statistical analysis by Anonymous Coward · Score: 5, Insightful

    of traffic can easily be used to find and stop spammers. I am amazed that all ISP are not doing this.

  6. Re:Why is this news? by Drakin · Score: 2, Insightful

    It's news because it's an ISP actually doing something useful and proper in dealing with this sort of thing.

    It's unbelievably rare.

  7. This is news? TOS Enforcement is new? by Anonymous Coward · Score: 5, Insightful

    How is this news? My local ISP has been doing this for years. It's called "enforcing terms of service" on offending accounts.

  8. Re:Good news! by AnotherBlackHat · Score: 2, Insightful

    Of course, this would have been easier if they just blocked egress port 25 traffic (which would not include their own SMTP server, of course!). Imagine all ISPs blocking egress port 25 traffic for their DHCP clients (e.g. most cable modem, dial-up, and DSL), and shutting off their corporate clients who spew spam! That would effectively eliminate spam, since IP addresses left still sending spam (directly or due to a trojan/virus) would quickly end up on DNSBLs.

    Eliminate spam? Spare me.
    Currently, less than 85% of spam comes from trojaned DHCP clients.

    I'm glad that Telia opted for a more targeted approach rather than a blanket "guilty until proven innocent".

    -- this is not a .sig
  9. Re:Good news! by piranha(jpl) · Score: 4, Insightful
    Imagine all ISPs blocking egress port 25 traffic for their DHCP clients ... It is irresponsible for ISPs to operate otherwise

    Then they cease to be Internet Service Providers and become Interweb Service Providers. Why should "consumers" be subject to inferior Internet service? Why wouldn't/couldn't an ISP monitor egress port 25 traffic for suspicious spikes? I won't be doing business with ISPs that try pulling stunts like that.
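    Monitoring egress port 25 for suspicious spikes, as the comment above asks about, can be sketched as an added example that is not from the thread or from any ISP's tooling: it counts port-25 flows per customer address per five-minute bucket over constructed flow records and flags a host that both exceeds a baseline multiple and contacts many distinct remote hosts, the pattern of a machine delivering directly rather than through the ISP relay. The relay address, thresholds and flow records are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (timestamp, src_ip, dst_ip, dst_port); not real data.
SAMPLE_FLOWS = []
# A normal customer: three submissions to the ISP's own relay (assumed 10.0.0.25).
for m in range(3):
    SAMPLE_FLOWS.append((f"2004-11-10T08:0{m}:00", "10.1.1.5", "10.0.0.25", 25))
# An infected customer: one port-25 connection per second to distinct remote MXs.
for s in range(120):
    ts = f"2004-11-10T08:{s // 60:02d}:{s % 60:02d}"
    SAMPLE_FLOWS.append((ts, "10.1.1.9", f"198.51.100.{s % 200}", 25))
# Unrelated web traffic from the normal customer that must not be counted.
SAMPLE_FLOWS.append(("2004-11-10T08:01:30", "10.1.1.5", "203.0.113.7", 80))


def smtp_stats(flows, bucket_seconds=300):
    """Per source: port-25 flow count per time bucket, and the set of destinations."""
    buckets = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for ts, src, dst, port in flows:
        if port != 25:
            continue
        dt = datetime.fromisoformat(ts)
        secs = dt.toordinal() * 86400 + dt.hour * 3600 + dt.minute * 60 + dt.second
        buckets[src][secs - secs % bucket_seconds] += 1
        dests[src].add(dst)
    return buckets, dests


def spiking_sources(flows, baseline=10, multiplier=5, min_distinct_dests=20):
    """Sources whose port-25 rate in some bucket exceeds baseline*multiplier AND
    that contact many distinct hosts (direct-to-MX behaviour, not relay use).
    Returns sorted (src_ip, peak_flows_per_bucket, distinct_destinations)."""
    buckets, dests = smtp_stats(flows)
    flagged = []
    for src, per_bucket in buckets.items():
        peak = max(per_bucket.values())
        if peak > baseline * multiplier and len(dests[src]) >= min_distinct_dests:
            flagged.append((src, peak, len(dests[src])))
    return sorted(flagged)
```

    Requiring both conditions keeps a customer who sends a burst of legitimate mail through the ISP relay (one destination) from being flagged alongside a host spraying remote MXs.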

  10. trojans... by jlemmerer · Score: 2, Insightful

    there might be a little problem with the immediate cutting of the line: how do i get rid of the trojan without internet connection (e.g. to download a patch or tool from Symantec). it would be better to leave at least one port open for these reasons, and if the computer is clean again the customer can call the isp to be fully able to access the net again.

    --
    ".Sig Stealer" was here
  11. Re:Good news! by dmeranda · Score: 3, Insightful

    Blocking entire ports is like using a sledge hammer to affix a staple. First the majority of spam email wouldn't be affected. And if you're delivering mail via some other protocol spammers will still get through. Port blocking is not really a good policy, except on an individual basis where there is proof of such activity; or in cases where the client is paying for an intentionally crippled partial Internet access.

    There is nothing wrong with using port 25. And if you want to use TLS/SSL, you should still use port 25 via the well established STARTTLS extension to the SMTP protocol. There is no reason to waste additional port numbers on experimental protocols when the SMTP protocol already does all that and is fairly mature with lots of supported software.

    Oh, and I for one rely on having egress port-25 traffic from my home DSL. I am not a spammer, but I am a network administrator of a large company and find it very useful to "test" my own servers from an external unrelated address.

  12. Re:My work's ISP does a variation of this by NorwBlue · Score: 5, Insightful

    Actually, I did not wonder why You went with a startup for business. I Used to be Head of Computing in a company that spend around 2 mill $ and when we dropped the biggest computer supplier in Norway for a small startup, guess what : We went from being a ok account in a huge company to being the biggest account in a small company (It more than tripled its sales). We suddenly got really good service, better prices and every one we called for help/support/service bent backwards for us (when we wanted them to, which wasn't that often *evil grin of power*) So my advice to everyone managing a net is : don't follow the big fish, but find a place where You ARE the biggest fish. A bit off topic maybe, but if everyone did the same when it came to ISP services, YOU too would have leverage if you wanted your ISP to implement something similar.

  13. Re:a great idea by ClosedGL · Score: 2, Insightful

    I think there is a lack of skills. Many ISPs employ call centre staff that have crib sheets in front of them and if the problem isn't outlined on the sheet, then it ain't getting solved.

  14. Re:a great idea by Zocalo · Score: 3, Insightful
    abuse desks are mostly staffed by the clueless

    Depends on the ISP. Generally speaking mid-sized ISPs have pretty good abuse desks, mainly because they are big enough to have a decent technical team, yet small enough to not be swamped by abuse reports. That said, this kind of thing is a no brainer for the scripted response type of first line support used by large ISPs. Basically it boils down to "look for an IP in the mail headers that falls within a set of provided IPs and if present, click some widget to block outbound email from that IP". All you need then is some process to advise the customer of the problem and remove the block once the problem is resolved.

    As you say, DNSBLs (non-dynamic ones anyway) have been rendered largely obsolete by the spamnets of compromised machines. There are so many of the damn things that a spammer can use an IP for a couple of days, discard it and not need to use it again for a couple of months, by which time it is probably off the DNSBLs again. This approach adopted by Telia (and Demon Internet in the UK, others?) is the only efficient way a large ISP can deal with this issue without incurring massive labour costs that I can think of.

    --
    UNIX? They're not even circumcised! Savages!
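    The scripted lookup described above ("look for an IP in the mail headers that falls within a set of provided IPs") as an added example, not from the thread or from any ISP's tooling: it walks the Received headers of a constructed abuse-report sample from the most recent hop downward and returns the first address inside the assumed customer prefixes, so a forged hop planted beneath the real ones cannot implicate a different customer. The prefixes and the sample headers are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed spam sample as it might appear in an abuse report. Each relay
# prepends its own Received line, so the most recent hop comes first. The
# bottom Received line is a forged hop the sender planted to blame 10.1.1.77.
SAMPLE_REPORT = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbox.example.org with ESMTP id r1; Wed, 10 Nov 2004 08:05:12 +0000
Received: from pc9.dsl.isp.example (pc9.dsl.isp.example [10.1.1.9])
\tby mx.example.net with SMTP; Wed, 10 Nov 2004 08:05:10 +0000
Received: from innocent.dsl.isp.example ([10.1.1.77])
\tby pc9.dsl.isp.example; Wed, 10 Nov 2004 08:05:09 +0000
From: someone@example.com
Subject: buy now

body
"""

# Hypothetical customer address ranges handed to the abuse desk.
CUSTOMER_PREFIXES = ("10.1.0.0/16", "192.0.2.0/24")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Bracketed IPs of every Received header, most recent hop first."""
    msg = message_from_string(raw_message)
    return [BRACKETED_IP.findall(h) for h in msg.get_all("Received") or []]


def customer_source(raw_message, prefixes=CUSTOMER_PREFIXES):
    """Walk Received headers from the most recent (trusted) hop downward and
    return the first address inside a customer prefix. Stopping at the first
    match ignores any forged hops the sender added beneath the genuine ones."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    for ips in received_hops(raw_message):
        for ip in ips:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # malformed octets such as 999.1.1.1
            if any(addr in net for net in nets):
                return str(addr)
    return None
```

    Walking top-down matters because only the hops added by relays you trust are reliable; everything below the first in-prefix hop is the sender's own claim.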
  15. Re:What should have been done? by rifter · Score: 3, Insightful

    Maybe they should have blocked the ones sending out SPAM, instead of everybody! Do you honestly think that innocent companies and individuals should be punished? Oh, and without notice by the way.

    The ISP is not innocent; it is their job to enforce policies and to be a good citizen on the net. Unfortunately to block an ISP you do block customers by extension, but this is the only way to get ISPs to do something.

  16. Re:a great idea by Keith_Beef · Score: 4, Insightful
    There are all too many ISPs who appear to be happy to turn a blind eye to this type of activity, in spite of the fact that it costs them money.

    Well, in France, many ISPs have premium rate phone numbers for the helpdesk. So, if you're on a dial-up connection, the ISP makes money hand-over-fist! First, you pay to download the spam (because the ISP doesn't block it). Then you pay for the pleasure of listening to 10 minutes of Vivaldi's Four Seasons, before explaining to helpdesker No.1, who then passes you on to helpdesker No.2, who wants all the same details again... you get the picture. Finally, if you manage to get any help at all, you'll be sent an e-mail with a 650KByte MS Word attachment, with details of how to set up spam filtering *on your home computer*, so as to filter out spam *after you've downloaded it*. Stupid, those ISPs? No, they have a profitable, if immoral, business model. Keith.
  17. Re:If I ran an ISP... by houghi · Score: 1, Insightful

    All users would get a static IP (since there's an expectation that they are always on, there's no point in NOT doing so

    In Belgium there is a reason not to do so. A commercial one. If you want a fixed IP, you will have to take a more expensive account.

    --
    Don't fight for your country, if your country does not fight for you.
  18. I'll buy that... by Nijika · Score: 2, Insightful
    Seriously, for e-mail administrators it's been like one new variant a week since about oh I dunno, JULY. Most ISPs these days can handle the amount of UCE that's sent through their systems, but some just barely. Tack on these viruses and you can easily see your e-mail jump four fold. Add to that queueing of messages that are "undeliverable" and your systems, no matter how big, start to falter.

    In these instances filters like SpamAssassin may even add to the problem since they often consume more overhead than even SMTP daemons do, so that usually goes out the window as well (It's great, but not on a large scale (perl)). It's better to just let the mail pass than to slow it down like that.

    So in theory, let's say you have a mid sized ISP with 6 SMTP relays. You can't run an anti-spam service directly on those boxes because the volume would kill them, so you have to break them off on to their own box. Suddenly you've got 10 or 12 boxes to care for, and when you've got something like this where you have maybe let's say 10,000 customers on your core network infected, more perhaps, things get really ugly. So even if you have that anti-spam monitor broken off on to its own cluster, you can either leave the filtering up to some vague RegEx rules in your SMTP configuration or you can pass it through the anti-spam devices, causing each piece of e-mail to pass through your system twice, making 3 to 4 connections each.

    I'm responsible for a fairly large e-mail system, but not nearly the size of any mid to large scale ISP and it's gotten pretty hairy, I can't even imagine what it's like at a Telia or RoadRunner for that matter. People keep forgetting to look at WHY this is happening, other than MS and hapless users. The SMTP protocol allows it all. Want to find a solution? We need to start moving to something else, as painful as that may be.

    --
    Luck favors the prepared, darling.
  19. Re:Good news! by Anonymous Coward · Score: 1, Insightful
    Then they cease to be Internet Service Providers and become Interweb Service Providers.
    No. At that point I would feel confident in calling them a Responsible Internet Service Provider.

    Why should "consumers" be subject to inferior Internet service?
    Because the average "consumer" is not an overweight linux nerd who lives in his parents' basement and likes to send mail from his own SMTP server.

    Why wouldn't/couldn't an ISP monitor egress port 25 traffic for suspicious spikes?
    Because an ISP has more important things to do with their time than monitor their customer's email traffic.

    I won't be doing business with ISPs that try pulling stunts like that.
    Good. I doubt that they would want your business anyway. I hate to be the one to hit you with the cold, uncaring baseball bat that is reality; but people who run their own mail servers are in the minority. When given a choice between blocking all SMTP traffic from cable/dsl/dial-up IP blocks, resulting in vastly less spam; and pissing off some fat linux geek, I'll take pissing you off any day.

    Cheers!