Swedish ISP Blocks Computers That Send Spam
snuppepuppan writes "One of Sweden's largest ISPs, Telia starts to block computers that send spam. 'The computers that Telia will block are primarily those that have been infected with "trojans" which are being used, without the customer's knowledge, to send enormous amounts of spam.'"
If more ISPs took spam complaints seriously and acted on them quickly the net would be a better place. However, it has been my experience that abuse desks are mostly staffed by the clueless.
For me the dominant source of spam that I get now comes from infected computers, since DNSBLs have rendered fixed spamming IPs impotent.
Telia is mostly known for their suckage over here. They've made several false starts, including blocking SMTP completely at their border, making it impossible to host one's own mail server.
I guess if they've finally given up on that idiocy and actually go after the specific hosts that are a problem -- like we in the community have said for years is the correct solution -- then I'm all for it.
Just sad that it's making news the way it is. I think the news should be that they wasted at least two years reaching this "insight"!
Would be interesting to know if this was because the suits finally listened to their techs, or if it's because the techs finally gained a clue.
Belief is the currency of delusion.
We have a local ISP and we are probably his largest customer. We've had problems since he is a startup and he traced them to trojans/worms/etc. so he sent them a warning to fix their system and then when they didn't, he shut them off. It's worked very well for us, keeps the number of infections down, keeps his network up and running, and keeps people accountable for the security of their computers.
And if anyone is wondering why we're going with a startup for business, it's because the only choice between 144kbps DSL and a full T1 is this guy.
I have no
It used to be one knew they had a virus because an ambulance would fly around the screen or the computer would stop working. But given the amount of these things coming in through P2P I'm not surprised they aren't seeing all of the extra traffic on the little set of computers in the system tray.
Hopefully, the ISP will be similarly proactive in restoring access when the traffic stops. I'd hate to think somebody's dynamic IP address stops working ala Something Awful because of somebody else's bad Net habit.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
This is certainly good news. Now their customers who are infected will figure things out pretty quickly!
Of course, this would have been easier if they just blocked egress port 25 traffic (which would not include their own SMTP server, of course!). Imagine all ISPs blocking egress port 25 traffic for their DHCP clients (e.g. most cable modem, dial-up, and DSL), and shutting off their corporate clients who spew spam! That would effectively eliminate spam, since IP addresses left still sending spam (directly or due to a trojan/virus) would quickly end up on DNSBLs.
It is irresponsible for ISPs to operate otherwise. Simple steps to be a good netizen:
- Don't use port 25 for initial mail submission. The fact that this port is used for both mail transport (between systems) and initial mail submission (which is really a different activity if you think about it) is a mistake. Use port 587 with SMTP+AUTH, or port 465 with SMTP+AUTH+SSL
- Implement one of the reverse lookups for incoming SMTP traffic (RMX or SPF:Sender) when one of the competing proposals become a standard (and your software catches up)
- Block egress port 25 traffic from your network
These apply to any business that supplies IP connectivity to any other computers (offices, schools, WISPs, in addition to standard ISPs). To not do so is to be a part of the problem.
The Finnish side of Telia, TeliaSonera, has been in deep sh*t the last few weeks. Their email has been clogged up, apparently at least partly due to the fact that they have been listed in a few blacklists. Even the comms authority has intervened and told them to put their act together.
Trojanised PCs on broadband are the likely cause, and the block is most probably a measure designed to prevent such from happening again.
I'm sorry if I haven't offended anyone
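The three "good netizen" steps listed a few comments up (authenticated submission on 587/465, a sender check such as SPF, and egress port 25 filtering), worked through as an added example. This is not any commenter's or ISP's code: the customer pool, the relay address, the registered mail server exemption and the SPF records are all constructed assumptions, and the SPF evaluator handles only `ip4` and `all` terms (the real mechanism, now RFC 7208, has `include`, `a`, `mx` and more).

```python
"""Egress mail policy plus a minimal SPF check (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CUSTOMER_NET = ip_network("192.0.2.0/24")        # constructed broadband customer pool
ISP_RELAY = ip_address("198.51.100.25")          # constructed ISP smarthost (own SMTP server)
# Customers who registered a real mail server and may speak port 25 outbound
# (constructed; addresses the "I can't host my own mail server" complaint).
REGISTERED_MAIL_SERVERS = {ip_address("192.0.2.130")}
SUBMISSION_PORTS = {587, 465}                    # SMTP+AUTH, SMTP+AUTH over TLS


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def egress_decision(flow):
    """Steps 1 and 3: submission on 587/465 is always allowed; raw port 25
    leaves the access network only toward the ISP relay or from a
    registered mail server. A trojan on a home PC therefore cannot reach
    the world's MX hosts directly."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in CUSTOMER_NET:
        return "accept"          # not an access-network source; out of scope
    if flow.dport in SUBMISSION_PORTS:
        return "accept"
    if flow.dport == 25:
        if dst == ISP_RELAY or src in REGISTERED_MAIL_SERVERS:
            return "accept"
        return "drop"
    return "accept"


# Step 2: constructed SPF records standing in for DNS TXT lookups.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "example.org": "v=spf1 ip4:203.0.113.7 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_domain, client_ip, records=SPF_RECORDS):
    """Toy SPF evaluation: walk the record left to right, return the result
    of the first matching term. Only ip4 and all are understood here."""
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    client = ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = client in ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue             # unsupported mechanism in this toy evaluator
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


if __name__ == "__main__":
    for f in (Flow("192.0.2.10", "203.0.113.5", 25),
              Flow("192.0.2.10", "198.51.100.25", 25),
              Flow("192.0.2.10", "203.0.113.5", 587)):
        print(f, "->", egress_decision(f))
    print("example.com from 203.0.113.7 ->", spf_check("example.com", "203.0.113.7"))
```

The egress rule is the important one: with it in place a trojaned customer host can still submit mail through the ISP (authenticated or via the relay), but its direct connections to other people's MX hosts never leave the network, so the ISP's address space stops feeding the DNSBLs.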
For most users this would be adequate notification and encouragement to fix the problem.
That's rather interesting. Telstra in Australia also has been the laughing stock down under with email servers not working, etc. Whirlpool has the complete story if anyone is interested. Perhaps these guys got their story from the same "excuse file" as Telstra??
FWIW, this is soon likely to take place with Sonera, Finland's biggest ISP, as well.
Swedish Telia and Finnish Sonera (both stemming from the old national telephone companies, thus big players) merged into TeliaSonera last year, but still appear under the original names in the respective countries. Certainly they have a single policy on this.
And Sonera especially has lately had serious, even nation-wide trouble delivering emails, due to worms flooding the system. Actually I wonder why it was Telia that took these measures first -- I haven't read of similar trouble there. (Yeah, maybe I didn't get the email.)
At least major ISPs are recognizing that trojans and spammers are a major issue. I wish more ISPs would maintain a blacklist of trojaned and spamming computers; that takes some of the hassle farther upstream, so it isn't wasting my bandwidth when I receive a crap load of spam, or trojan attacks (Code Red comes to mind).
This is heaven-sent, and more ISPs should follow suit.
---
Mike
I'm going to kick the next person that I see with their karma rating in their sig.
When I worked for DTV BB DSL we'd cut off the access of our customers that were spamming/had trojans or were mass scanning the network. We'd send an email to their contact address to let them know. (I'm not sure how we expected them to check.) Usually they'd call us to ask why their service was off and then get transferred to abuse.
On the other hand, we also double charged customers, charged $10/mo. extra to turn on NAT in our routers and on occasion continued to bill for months after they canceled (I saw a case of two years once.) Of course our service agreement says anything after 6 months is undisputable.
I'm against spam, but I'm more against ISPs deciding what I can do with the service I pay for. If they decide spam is bad, how long before they decide mp3s or porn should be on the "get blocked" list? Or perhaps they'll decide to block access to certain sites like pro-NRA ones? Oh wait, Symantec has already got that covered.
Just make spam illegal and arrest the fuckers. No need to quash user rights in the process. Of course, I'm American so I have no idea what kind of freedom of speech rights you have in Sweden. Maybe you're already used to this kind of thing.
Some Universities have an interesting way of solving the problem. Infected systems are switched to a VLAN that restricts them to accessing a web site that contains information, software and patches on how to clean up their computer.
Mea navis aericumbens anguillis abundat
If I ran a broadband ISP:
1. All users would get a static IP (since there's an expectation that they are always on, there's no point in NOT doing so. In the dialup days you'd have fewer IP addresses than customers, for broadband you can't really do that). Customers having static IPs would make abuse much easier to trace.
2. The initial sign-up would say "Would you like to be protected by our firewall?" with the default option set to YES. The vast majority of normal home users would get some default level of security (known troublesome services, including outbound port 25 filtered, and incoming CIFS filtered etc, plus all Microsoft executables for their ISP email address rejected automatically). People who select NO to this option will be warned of the dangers of doing so, but will have no filtering at all applied to their accounts.
3. A system such as Snort would be run analysing incoming/outgoing traffic and looking for trouble. If a user is trojaned and sending out crap, they get the plug pulled.
Oolite: Elite-like game. For Mac, Linux and Windows
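Point 3 of the post above (watch outgoing traffic, pull the plug on a host that is spewing) and the warn-first-then-shut-off practice the local-ISP commenter described earlier, as an added example that is not any commenter's or ISP's code. The flow records, addresses and timestamps are constructed; the window, threshold and grace period are assumptions, not anyone's real policy. The detection signal is fan-out: a home PC that contacts twenty different mail servers in ten minutes is not a person reading email.

```python
"""Flag trojaned hosts by outbound-SMTP fan-out, then warn before disconnecting
(added example with constructed flow records)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)    # assumption: sliding window per source
DISTINCT_DST_THRESHOLD = 20       # assumption: distinct port-25 peers in WINDOW
GRACE = timedelta(hours=24)       # assumption: time a warned customer gets to clean up


def build_sample_log():
    """Constructed flow records: 'ISO-time src dst dport', one per connection."""
    t0 = datetime(2004, 3, 1, 12, 0, 0)
    lines = []
    # 192.0.2.10: infected box, a new mail server every 10 seconds
    for i in range(30):
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 203.0.113.{i + 1} 25")
    # 192.0.2.20: normal user, mail via the ISP relay plus some web browsing
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} 192.0.2.20 198.51.100.25 25")
    lines.append(f"{(t0 + timedelta(minutes=2)).isoformat()} 192.0.2.20 198.51.100.80 80")
    # 192.0.2.30: small legitimate mail server, 25 peers spread over a day
    for i in range(25):
        ts = t0 + timedelta(hours=i)
        lines.append(f"{ts.isoformat()} 192.0.2.30 203.0.113.{100 + i} 25")
    return lines


def parse(lines):
    for line in lines:
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_spewers(lines, window=WINDOW, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: time first flagged} for sources whose distinct port-25
    destinations inside the sliding window reach the threshold."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside window
    flagged = {}
    for ts, src, dst, dport in sorted(parse(lines)):
        if dport != 25:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        if src not in flagged and len({d for _, d in q}) >= threshold:
            flagged[src] = ts
    return flagged


class AbuseDesk:
    """Warn on the first report; disconnect only if the host is reported
    again after the grace period has run out."""

    def __init__(self, grace=GRACE):
        self.grace = grace
        self.state = {}           # src -> (status, since)

    def handle(self, src, when):
        status, since = self.state.get(src, ("clean", when))
        if status == "clean":
            self.state[src] = ("warned", when)
            return "warn"
        if status == "warned":
            if when - since >= self.grace:
                self.state[src] = ("disconnected", when)
                return "disconnect"
            return "still-in-grace"
        return "disconnected"


def run_demo():
    """Run detection over the sample log and replay three reports for the
    flagged host; returns (flagged sources, sequence of desk actions)."""
    flagged = find_spewers(build_sample_log())
    desk = AbuseDesk()
    actions = []
    for src, first in flagged.items():
        for offset in (timedelta(0), timedelta(hours=1), timedelta(hours=25)):
            actions.append(desk.handle(src, first + offset))
    return sorted(flagged), actions


if __name__ == "__main__":
    print(run_demo())
```

The legitimate mail server in the sample is the edge case worth noticing: it talks to more distinct peers than the infected box over the day, but never within one window, so a rate-based rule keeps it off the list without needing a manual exemption.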
... but: ... Telia will block are primarily those that have been infected with "trojans" which are being used, without the customer's knowledge ...
... Telia is helping customers who are infected to get rid and be more aware of ...
would read better like
Telia will learn that.
CC.
TaijiQuan (Huang, 5 loosenings)
I checked the stats for my web-site just the other day, and noticed that I still get a lot of requests for things like /scripts/..%255c../winnt/system32/cmd.exe and /default.ida?XXXX...
Most of them coming from hosts on the Telia network. While I think it's good they are finally doing something good for once (I left Telia when they blocked SMTP), will they do anything about all these Code Red and Nimda and all other old viri still on many of their customers' systems?
/ The Arrow
"How lovely you are. So lovely in my straightjacket..." - Nny
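The two request paths in the post above are the classic worm probe signatures (Code Red hits `/default.ida` with a long query; Nimda walks IIS directory-traversal encodings to reach `cmd.exe`). As an added example, not the commenter's own stats script, here is a small access-log scanner that picks those probes out and groups the offending sources by provider so they can be reported. The log lines, addresses and provider table are constructed; the traversal encodings in the Nimda pattern are the well-known `%255c`, `%c0%af` and `%c1%9c` forms.

```python
"""Pick Code Red / Nimda probes out of a web access log and group sources
by provider for an abuse report (added example, constructed data)."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Common Log Format: host ident user [time] "method path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

SIGNATURES = {
    "code-red": re.compile(r"^/default\.ida\?", re.I),
    "nimda-traversal": re.compile(
        r"(?:%255c|%c0%af|%c1%9c|\.\./)\S*winnt/system32/cmd\.exe", re.I),
}

# Constructed provider table; a real one would come from whois/routing data.
PROVIDERS = {
    ip_network("192.0.2.0/24"): "isp-a (constructed)",
    ip_network("198.51.100.0/24"): "isp-b (constructed)",
}

# Constructed sample log: two Nimda probes, one Code Red probe, one normal
# request, one line that is not CLF at all.
SAMPLE_LOG = [
    '192.0.2.44 - - [01/Mar/2004:10:12:01 +0100] '
    '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285',
    '192.0.2.44 - - [01/Mar/2004:10:12:02 +0100] '
    '"GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285',
    '192.0.2.57 - - [01/Mar/2004:10:15:40 +0100] '
    '"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 285',
    '198.51.100.9 - - [01/Mar/2004:10:16:00 +0100] "GET /index.html HTTP/1.1" 200 1043',
    'this line is not an access log entry',
]


def parse_clf(line):
    """Return the fields we need from a CLF line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    src, when, method, path, status = m.groups()
    return {"src": src, "when": when, "method": method,
            "path": path, "status": int(status)}


def classify(path):
    """Name of the first matching worm signature, or None for ordinary traffic."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None


def provider_for(ip):
    addr = ip_address(ip)
    for net, name in PROVIDERS.items():
        if addr in net:
            return name
    return "unknown"


def abuse_report(lines):
    """{provider: {source ip: {signature: hits}}} for probe traffic only."""
    report = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        sig = classify(rec["path"])
        if sig:
            report[provider_for(rec["src"])][rec["src"]][sig] += 1
    return {p: {ip: dict(c) for ip, c in hosts.items()} for p, hosts in report.items()}


if __name__ == "__main__":
    for provider, hosts in abuse_report(SAMPLE_LOG).items():
        print(provider)
        for ip, hits in hosts.items():
            print(f"  {ip}: {hits}")
```

Grouping by provider is what turns a noisy log into something an abuse desk can act on: one message per network listing the infected hosts and the evidence lines, rather than one complaint per probe.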
One way for an ISP to inform clueless users before shutting them down is to SNAT all outgoing port 80 connections to an information page saying something like "Your computer is infected by a virus and is causing problems for the rest of the network. Click here to install an antivirus program!"
A bit extreme maybe but still better than just shutting the thing down..
My other account has a 3-digit UID.
quick question..
If I'm the president of Globaldex Inc.* and a Trojan is spamming products for my company, why doesn't someone of authority (aka. Law Enforcement) come to me and ask a few questions. You know, crazy stuff like, who did I contract to send out email advertisements and such.
I'd imagine that if 1000 computers got broken into by a Trojan, and they are spamming for Globaldex, it would be reasonable to consider Globaldex an accomplice until they were able to clear themselves.
Why exactly are people getting away with this?
* Globaldex is not real BTW
I'm not feeling witty so bite me
The way my ISP, Cox, tried to do things is bad. They forced all traffic through their SMTP server. They had already blocked incoming mail, so you could not run a mail server on your own. The new policy keeps you from even being able to send your own mail. This sucks in many ways. The most important way it sucks is that they don't quote email that they can't deliver, not even for their business customers, nor do they provide an adequate time stamp. This leaves people clueless if a mail mysteriously fails - you can't tell which of a long series of messages with the same subject did not make it. Less obviously, it leaves you at the whim of your ISP. They can refuse to send mail to people they don't like and there's nothing you can do about it, short of exchanging shell accounts. This method makes an artificial distinction between "client" and "server" that has no place on a free internet.
So, you see, it's not so simple, not period by a long shot. I don't run shitty software that is liable to get trojans and I've never had this kind of problem. My ISP treats me like a peon and it sucks. I've been punished for other people's problems. Microsoft and Cox both suck.
Friends don't help friends install M$ junk.