Swedish ISP Blocks Computers That Send Spam

snuppepuppan writes "One of Sweden's largest ISPs, Telia starts to block computers that send spam. 'The computers that Telia will block are primarily those that have been infected with "trojans" which are being used, without the customer's knowledge, to send enormous amounts of spam.'"

a great idea

[batray]

If more ISPs took spam complaints seriously and acted on them quickly the net would be a better place. However it is has been my experience that abuse desks are mostly staffed by the clueless.
For me the dominant source of spam that I get now comes from infected computers, since DNSBLs have rendered fixed spaming IPs impotent.

Why is this news?

[eddy]

Telia is mostly known for their suckage over here. They've made several false starts, including blocking SMTP completely at their border making it impossible to host ones own mail server.

I guess if they've finally given up on that idoicy and actually go after the specific hosts that are a problem -- like we in the community has said for years is the correct solution -- then I'm all for it.

Just sad that it's making news the way it is. I think the news should be that they wasted at least two years reaching this "insight"!

Would be interesting to know if this was because the suits finally listened to their techs, or if it's because the techs finally gained a clue.

My work's ISP does a variation of this

[quizwedge]

We have a local ISP and we are probably his largest customer. We've had problems since he is a startup and he traced them to trojans/worms/etc. so he sent them a warning to fix their system and then when they didn't, he shut them off. It's worked very well for us, keeps the number of infections down, keeps his network up and running, and keeps people accountable for the security of their computers.

And if anyone is wondering why we're going with a startup for business, it's because the only choice between 144kbps DSL and a full T1 is this guy.

Good news!

[RT+Alec]

This is certainly good news. Now their customers who are infected will figure things out pretty quickly!

Of course, this would have been easier if they just blocked egress port 25 traffic (which would not include their own SMTP server, of course!). Imagine all ISPs blocking egress port 25 traffic for their DHCP clients (e.g. most cable modem, dial-up, and DSL), and shutting off their corporate clients who spew spam! That would effectively eliminate spam, since IP addresses left still sending spam (directly or due to a trojan/virus) would quickly end up on DNSBLs.

It is irresponsible for ISPs to operate otherwise. Simple steps to be a good netizen:

• Don't use port 25 for initial mail submission. The fact that this port is used for both mail transport (between systems) and initial mail submission (which is really a different activity if you think about it) is a mistake. Use port 587 with SMTP+AUTH, or port 465 with SMTP+AUTH+SSL
• Implement one of the reverse lookups for incoming SMTP traffic (RMX or SPF:Sender) when one of the competing proposals become a standard (and your software catches up)
• Block egress port 25 traffic from your network

These apply to any businesses that supplies IP connectivity to any other computers (offices, schools, WISPs, in addition to standard ISPs). To not do so is to be a part of the problem.

Background

[upside]

The Finnish side of Telia, TeliaSonera, has been in deep sh*t the last few weeks. Their email has been clogged up, apparently at least partly due to the fact that they have been listed in a few blacklists. Even the comms authority has intervened and told them to put their act together.

Trojanised PCs on broadband are the likely cause, and the block is most probably a measure designed to prevent such from happening again.

Workable Solution???

[tintruder]

Instead of shutting them off, how about redirecting all internet activity of the victim/perpetrator to a static web page they must repeatedly click to bypass?

For most users this would be adequate notification and encouragement to fix the problem.

Censorship.

I'm against spam, but I'm more against ISPs deciding what I can do with the service I pay for. If they decide spam is bad, how long before they decide mp3s or porn should be on the "get blocked" list? Or perhaps they'll decide to block access to certain sites like pro-NRA ones? Oh wait, Symantec has already got that covered.

Just make spam illegal and arrest the fuckers. No need to quash user rights in the process. Of course, I'm American so I have no idea what kind of freedom of speech rights you have in Sweden. Maybe you're already used to this kind of thing.

Leper VLAN

[Detritus]

Some Universities have an interesting way of solving the problem. Infected systems are switched to a VLAN that restricts them to accessing a web site that contains information, software and patches on how to clean up their computer.

If I ran an ISP...

[Alioth]

If I ran a broadband ISP:

1. All users would get a static IP (since there's an expectation that they are always on, there's no point in NOT doing so. In the dialup days you'd have fewer IP addresses than customers, for broadband you can't really do that). Customers having static IPs would make abuse much easier to trace.
2. The initial sign-up would say "Would you like to be protected by our firewall?" with the default option set to YES. The vast majority of normal home users would get some default level of security (known troublesome services, including outbound port 25 filtered, and incoming CIFS filtered etc, plus all Microsoft executables for their ISP email address rejected automatically). People who select NO to this option will be warned of the dangers of doing so, but will have no filtering at all applied to their accounts.
3. A system such as Snort would be run analysing incoming/outgoing traffic and looking for trouble. If a user is trojaned and sending out crap, they get the plug pulled.