Slashdot Mirror


Swedish ISP Blocks Computers That Send Spam

snuppepuppan writes "One of Sweden's largest ISPs, Telia, starts to block computers that send spam. 'The computers that Telia will block are primarily those that have been infected with "trojans" which are being used, without the customer's knowledge, to send enormous amounts of spam.'"

13 of 265 comments

  1. Good. by clfrd · · Score: 4, Insightful

    More ISPs should do the same.

    Period.

  2. This is a great thing by the+man+with+the+pla · · Score: 4, Insightful

    ISPs taking some level of responsibility for the actions of their subscribers is *tremendously* important. Spam exists because of the complacency of two entities: ISPs that allow (or even sell bandwidth to) spammers to use their networks; and Microsoft, for making it so easy for computers to be enslaved by spammers (sorry, I know that's flamebait, but it's true).

    --
    The linux hacker
  3. Re:a great idea by BrokenHalo · · Score: 4, Insightful
    abuse desks are mostly staffed by the clueless.

    That's where they are staffed at all. There are all too many ISPs who appear to be happy to turn a blind eye to this type of activity, in spite of the fact that it costs them money.

  4. Statistical analysis by Anonymous Coward · · Score: 5, Insightful

    of traffic can easily be used to find and stop spammers. I am amazed that all ISPs are not doing this.

  5. This is news? TOS Enforcement is new? by Anonymous Coward · · Score: 5, Insightful

    How is this news? My local ISP has been doing this for years. It's called "enforcing terms of service" on offending accounts.

  6. Re:Good news! by piranha(jpl) · · Score: 4, Insightful
    Imagine all ISPs blocking egress port 25 traffic for their DHCP clients ... It is irresponsible for ISPs to operate otherwise

    Then they cease to be Internet Service Providers and become Interweb Service Providers. Why should "consumers" be subject to inferior Internet service? Why wouldn't/couldn't an ISP monitor egress port 25 traffic for suspicious spikes? I won't be doing business with ISPs that try pulling stunts like that.

  7. Re:Good news! by dmeranda · · Score: 3, Insightful

    Blocking entire ports is like using a sledgehammer to affix a staple. First, the majority of spam email wouldn't be affected. And if you're delivering mail via some other protocol, spammers will still get through. Port blocking is not really a good policy, except on an individual basis where there is proof of such activity; or in cases where the client is paying for an intentionally crippled partial Internet access.

    There is nothing wrong with using port 25. And if you want to use TLS/SSL, you should still use port 25 via the well established STARTTLS extension to the SMTP protocol. There is no reason to waste additional port numbers on experimental protocols when the SMTP protocol already does all that and is fairly mature with lots of supported software.

    Oh, and I for one rely on having egress port-25 traffic from my home DSL. I am not a spammer, but I am a network administrator of a large company and find it very useful to "test" my own servers from an external unrelated address.

  8. Re:My work's ISP does a variation of this by NorwBlue · · Score: 5, Insightful

    Actually, I did not wonder why you went with a startup for business. I used to be Head of Computing in a company that spent around 2 mill $, and when we dropped the biggest computer supplier in Norway for a small startup, guess what: we went from being an OK account in a huge company to being the biggest account in a small company (it more than tripled its sales). We suddenly got really good service, better prices, and everyone we called for help/support/service bent backwards for us (when we wanted them to, which wasn't that often *evil grin of power*). So my advice to everyone managing a net is: don't follow the big fish, but find a place where you ARE the biggest fish. A bit off topic maybe, but if everyone did the same when it came to ISP services, YOU too would have leverage if you wanted your ISP to implement something similar.

  9. Re:Tell the Infected Individual First by jaavaaguru · · Score: 3, Insightful

    I see nothing wrong with the customer's connection being immediately withdrawn. When they find out they either can't connect to the 'net, or just can't send e-mail, they'll call technical support anyway, and then the ISP can easily inform them of the problem.

    Also, people shouldn't choose to use technology that they don't have a good understanding of unless it's been set up properly by someone else beforehand. By that, I'm not meaning that the average member of the public shouldn't surf the Internet with their PC - one of these things should be happening:

    1. They use a computer system that's been set up securely by the vendor

    2. They apply all the latest security patches as soon as they're released

    3. They understand about computer security and secure their system themselves.

    If you own a computer connected to the Internet, then it's up to you to decide what you do with it, and what you let other people do with it.

  10. Re:Tell the Infected Individual First by flurdy · · Score: 3, Insightful

    I disagree.
    It is not nice to be cut off without warning, but if your machine is infected or compromised in some way then it needs to be isolated.

    True, an email warning would be helpful, but some people only read their email once a week or less. In the meantime their machine could still be on, and relaying junk all over the place.

    Best cut them off and have them contact Customer Services to be reconnected. OK, they probably might want to join another company afterwards...

    Or send them a physical letter.

    The best solution though, would be to move suspected customers into a specific firewalled network where all ports were blocked incoming and outgoing and all that was allowed was incoming pop3/imap so they could receive the warning message?

    --
    My other Sig is very funny.
  11. Re:a great idea by Zocalo · · Score: 3, Insightful
    abuse desks are mostly staffed by the clueless

    Depends on the ISP. Generally speaking, mid-sized ISPs have pretty good abuse desks, mainly because they are big enough to have a decent technical team, yet small enough to not be swamped by abuse reports. That said, this kind of thing is a no-brainer for the scripted response type of first line support used by large ISPs. Basically it boils down to "look for an IP in the mail headers that falls within a set of provided IPs and if present, click some widget to block outbound email from that IP". All you need then is some process to advise the customer of the problem and remove the block once the problem is resolved.

    As you say, DNSBLs (non-dynamic ones anyway) have been rendered largely obsolete by the spamnets of compromised machines. There are so many of the damn things that a spammer can use an IP for a couple of days, discard it and not need to use it again for a couple of months, by which time it is probably off the DNSBLs again. This approach adopted by Telia (and Demon Internet in the UK, others?) is the only efficient way a large ISP can deal with this issue without incurring massive labour costs that I can think of.

    --
    UNIX? They're not even circumcised! Savages!
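
The first-line check described in the comment above ("look for an IP in the mail headers that falls within a set of provided IPs"), as an added example that is not part of the original thread or any ISP's tooling. The customer ranges, the sample abuse report and the function names are constructed for illustration; because a sender can insert its own `Received` lines below the real ones, only the topmost match is treated as the candidate to block.

```python
import email
import ipaddress
import re

# Constructed customer ranges (documentation address space), not real ISP netblocks.
CUSTOMER_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed abuse report. The last Received line imitates one forged by the
# sending host: it names a different customer address.
SAMPLE_REPORT = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from dsl-host.isp.example (unknown [198.51.100.77])
\tby mx.recipient.example with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from mail.bank.example ([203.0.113.5])
\tby dsl-host.isp.example; Mon, 1 Jan 2024 09:59:00 +0000
From: "Offers" <offers@bank.example>
Subject: constructed sample

body
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def customer_hops(raw_message, networks=CUSTOMER_NETWORKS):
    """Return (hop_index, ip) for every Received header naming a customer IP.

    Hop 0 is the topmost header, i.e. the one added last, by the reporter's side.
    """
    msg = email.message_from_string(raw_message)
    hits = []
    for hop, header in enumerate(msg.get_all("Received", [])):
        for text in BRACKETED_IPV4.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # e.g. "[999.1.1.1]" in a malformed header
                continue
            if any(ip in net for net in networks):
                hits.append((hop, str(ip)))
    return hits


def candidate_to_block(raw_message, networks=CUSTOMER_NETWORKS):
    """Topmost customer IP only; matches further down may be forged."""
    hits = customer_hops(raw_message, networks)
    return hits[0][1] if hits else None
```
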
  12. Re:What should have been done? by rifter · · Score: 3, Insightful

    Maybe they should have blocked the ones sending out SPAM, instead of everybody! Do you honestly think that innocent companies and individuals should be punished? Oh, and without notice by the way.

    The ISP is not innocent; it is their job to enforce policies and to be a good citizen on the net. Unfortunately to block an ISP you do block customers by extension, but this is the only way to get ISPs to do something.

  13. Re:a great idea by Keith_Beef · · Score: 4, Insightful
    There are all too many ISPs who appear to be happy to turn a blind eye to this type of activity, in spite of the fact that it costs them money.

    Well, in France, many ISPs have premium rate phone numbers for the helpdesk. So, if you're on a dial-up connection, the ISP makes money hand-over-fist! First, you pay to download the spam (because the ISP doesn't block it). Then you pay for the pleasure of listening to 10 minutes of Vivaldi's Four Seasons, before explaining to helpdesker No.1, who then passes you on to helpdesker No.2, who wants all the same details again... you get the picture. Finally, if you manage to get any help at all, you'll be sent an e-mail with a 650KByte MS Word attachment, with details of how to set up spam filtering *on your home computer*, so as to filter out spam *after you've downloaded it*.

    Stupid, those ISPs? No, they have a profitable, if immoral, business model.

    Keith.