Swedish ISP Blocks Computers That Send Spam

snuppepuppan writes "One of Sweden's largest ISPs, Telia starts to block computers that send spam. 'The computers that Telia will block are primarily those that have been infected with "trojans" which are being used, without the customer's knowledge, to send enormous amounts of spam.'"

a great idea

[batray]

If more ISPs took spam complaints seriously and acted on them quickly the net would be a better place. However it is has been my experience that abuse desks are mostly staffed by the clueless.
For me the dominant source of spam that I get now comes from infected computers, since DNSBLs have rendered fixed spaming IPs impotent.

Re:a great idea

[BrokenHalo]

abuse desks are mostly staffed by the clueless.

That's where they are staffed at all. There are all too many ISPs who appear to be happy to turn a blind eye to this type of activity, in spite of the fact that it costs them money.

Re:a great idea

[ClosedGL]

I think there is a lack of skills. Many ISPs employ call centre staff that have crib sheets infront of them and if the problem isn't outlined on the sheet, then it ain't getting solved.

Re:a great idea

[Zocalo]

abuse desks are mostly staffed by the clueless

Depends on the ISP. Generally speaking mid-sized ISPs have pretty good abuse desks, mainly because they are big enough to have a decent technical team, yet small enough to not be swamped by abuse reports. That said, this kind of thing is a no brainer for the scripted response type of first line support used by large ISPs. Basically it boils down to "look for an IP in the mail headers that falls within a set of provided IPs and if present, click some widget to block outbound email from that IP". All you need then is some process to advise the customer of the problem and remove the block once the problem is resolved.

As you say, DNSBLs (non-dynamic ones anyway) have been rendered largely obsolete by the spamnets of compromised machines. There are so many of the damn things that a spammer can use an IP for a couple of days, discard it and not need to use it again for a couple of months, by which time it is probably off the DNSBLs again. This approach adopted by Telia (and Demon Internet in the UK, others?) is the only efficient way a large ISP can deal with this issue without incurring massive labour costs that I can think of.

Re:a great idea

[Keith_Beef]

There are all too many ISPs who appear to be happy to turn a blind eye to this type of activity, in spite of the fact that it costs them money.

Well, in France, many ISPs have premium rate phone numbers for the helpdesk. So, if you're on a dial-up connection, the ISP makes money hand-over-fist! First, you pay to download the spam (because the ISP doesn't block it). Then you pay for the pleasure of listening to 10 minutes of vivaldi's Four Seasons, before explaining to helpdesker No.1, who then passes you on to helpdesker No.2, who wants all the same details again... you get the picture. Finally, if you manage to get any help at all, you'll be sent an e-mail with a 650KByte MS Word attachment, with details of how to set up spam filtering *on your home computer*, so as to filter out spam *after you've downloaded it* Stupid, those ISPs? No, they have a profitable, if immoral, business model. Keith.

Re:a great idea

[gizmonic]

My guess is that part of the problem is that most abuse desks are flooded with inane crap. At least ours is. I can't tell you how many emails we get from people who forward a spam to us, and do not include full headers. I mean, they had to find the IP and track down who owned it to get the spam report to us, so how can they then forward us the spam and not include headers? Amazingly, that accounts for well over half the abuse mail we get. Then there are the people who send a message saying "Stop sending me spam" and include an IP address, followed by a copy of our ARIN netblocks, as if we didn't know who we were, and that's it. No spam, no timestamp. Nothing. Then there are the myriad of people who simply write our abuse desk with nothing more than "Please remove me from your mailing list." And it goes on and on and on like that. Of course, now that all the nice new viruses are out there, we also get a ton of "One of your users attacked me on port 135" emails. (We have port 135 blocked on our routers to keep from our users from infecting the net, but on the same NAS, they can still get to each other.) The best ones are from people who send us email claiming they are being attacked by one of our DNS servers because their firewalls are capturing logs of the DNS requests.

That's why, as I've said before, we love SpamCop. When we see a SpamCop report, we know we will have everything we need to knock someone off the network. Very seldomly have we gotten a SpamCop report on something that was not spam. As for the rest of the abuse mail? Maybe 1% or 2% have enough information to track the user, and are actual abuse issues. And usually, they were already banned from a SpamCop report.

Anyway, I've rambled on enough. But for those who don't work abuse for a large ISP, now you have a small glimpse of what the abuse mail looks like.

Re:a great idea

[AndroidCat]

An awful lot of large ISPs are undead companies. (Worldcom/MC/UUNET, etc) They bought up a lot of lesser companies and then died a few years ago. They still shamble around in Chapter 11 or such, selling body parts to maintain their un-life. (They need brains, okay?)

Because a proper abuse desk doesn't generate direct profits (it can cost them spammy customers), it's the first to get chopped when cuts happen. You can argue that in the long term, spam costs them money, but long term to them is two quarters away.

Re:a great idea

[fredklein]

Then ISP's need to add a new option to their script: "If caller complains about Spam, confirm Spam ands cancel offending account."

There. Problem solved. Sheesh.

Re:a great idea

[Tripster]

I contract to a small cable ISP, their policy is simple, your machine is infected we drop your IP from network until such time as it is fixed. Upon further infestations by the same user they require them to install a hardware cable router/firewall solution before letting them back on the network.

We also treat those who run P2P in "supernode" mode the very same way, as a small network with 200 users they can only afford a 5mbit pipe to the net, a few guys in supernode mode and the network becomes very ugly. In essence any home user with 5000+ connections in a couple minutes gets tossed until they learn to play nice.

After the users know they rules they settle down nicely it seems, we also block the common worm ports at the headend so there is less chance of our users becoming infected in the first place.

Re:a great idea

[gizmonic]

So, what's the problem? Are you too dumb to set something like that up??

Not to respond to Anonymous Coawrds, but in case anyone else was wondering the same thing...

I don't make policy. And those that do want a human to read over all support / abuse mail. So, while an auto-responder is fine, having a script delete mail that does not meet criteria is simply not going to fly with management.

Personally, I would love to have a script that parses the mail, runs some checks to verify it is indeed spam, go through the accounting logs and find the user, and then ban them if they are not already, and respond to the complainer with the results. But, my l33t coding skillz aside :) that simply is not going to happen as management would never allow it.

Sometimes in life, you have to do things the way other people want you too.

Re:a great idea

[Valdier]

Earthlink in fact blocks computers that send spam out. In addition they are pretty helpful when it comes to letting you know/test if you have managed to stop the spam. Unfortunately in my case we couldn't find the trojan/proxie on a win2k machine and so it led to recreating the servers install.

Re:a great idea

[Alpha_Traveller]

Ahh... actually it can make them money too. I know of more than one small to mid-size ISP that purposely sets up mass mailing addresses within the mail system and sells the 'location' of the individual mail address for broadcasting within the ISP itself to spamhouses.

So have a nice day.

Re:a great idea

[bedessen]

Whaddya talkin about? This Dave Null guy seems to be employed by thousands of ISPs to handle abuse@. He must be really good at his job...

Re:a great idea

[csk_1975]

You seem to like spamcop reports and have entertained the thought of automatically banning people by parsing the spam reports you receive. This should be treated with a great deal of caution unless you want to be responsible for fiascos like this or this.

Relying upon some of the kooks who use spamcop to make the determination as to which of your users should be "killed" is not wise and I think your management has made the right decision. Certainly automating the process of sorting the complaints into wheat or chaff and cross referencing them to user accounts is worthwhile, but this should be an aid to human review and not an end in itself.

Having scripts which automatically hit the kill button is open to abuse - so it will be abused.

In a related story...

[bobdotorg]

In a related story, Microsoft sues Telia, commenting, "C'mon, it would only be a matter of time before all Outlook and IE users get banned from the net."

Re:In a related story...

[rifter]

these lame "jokes" are really getting old. why don't you use the four brain cells you have left for something more productive?

It's not a joke, though Outlook is. The parent post was +5 informative in my book. :)

Re:In a related story...

[Bunji+X]

Funny thing is that in Sweden, Telia is for ISPs, what Microsoft is for desktop operating systems in general. Abusing monopolistic power is run of the mill business practice for Telia and has been like that for the last 20 years.

Microsoft vs Telia would be a case in which I'd very much like to see both parties loose. :)

Good.

[clfrd]

More ISP's should do the same.

Period.

Re:Good.

[krymsin01]

It'd be a lot easier that block a user's dynamic IP. Simply suspend their account. Then you don't have to loss an IP from your pool.

Re:Good.

[You're+All+Wrong]

Telia is now "TeliaSonera", after merging with the Finnish company Sonera. This anti-spam move is not just in Sweden, it's in Finland too.

ISPs must provide a QOS in Finland, and Sonera were fined recently (last few weeks) for being unable to deliver mail as they were so bogged down with spam.

So they're not doing it for altruistic reasons, they're doing it because it costs them big-time if they don't. I'm still glad they're doing it though.

All of this was filtered from stories in the Helsingin Sanomat
via my "doesn't speak Finnish" brain, so may be not quite true.
(HS had suffered because of the Sonera e-mail problems, I remember, so they had a particular bias (anti-spam, not anti-Sonera) in
their report).

Anyway - agreed. Period.

YAW.

Re:Good.

[cybergrue]

They are. Bell Canada's ISP Sympatico has threatened to do the same, and just this morning, I got an emil from them saying "Although your computer does not appear to have a virus on it, please buy our virus scanner".
And to think, the last time my computer caught a virus, it was after their helpdesk staff advised me to turn off my firewall when connecting to the net.

Re:Good.

[Per+Wigren]

One way for an ISP to inform clueless users before shutting them down is to SNAT all outgoing port 80 connections to an informationpage saying something like "Your computer is infected by a virus and is causing problems for the rest of the network. Click here to install an antivirus program!"
A bit extreme maybe but still better than just shutting the thing down..

Re:Good.

[DavidTC]

You can even give them access to incoming email, and even shunt their SMTP into a custom mail server that lets them send email to tech support. (Or, hell, to anyone in the world...at one piece of mail every ten minutes.)

Of course, I'm in serious favor of outbound SMTP blocking in general. With the ability to have it disabled for people who know what they are doing. While trojans can still check what network they are on and spam though the right relay server, that requires custom code for each ISP and it's a hell of a lot more noticable by the ISP.

Before all you people start whining that you run Postfix behind a dynamic DSL, note I said 'the ability to have it disabled', and thus, not only can you turn it off, it's a hell of a lot more likely your entire dialup range isn't blocked somewhere because one third of the lusers on your ISP are running open proxies.

Re:Good.

[ViolentGreen]

That sounds suspiciously like a pop-up scam. A lot of people will simply ignore this message like they have been tought to do with pop-ups even if it did have the ISP logo or URL. I would be hesitant to do that as well.

Re:Good.

[Dawn+Falcon]

Fine. But they DO need to state it up-front. I've had massive trouble in the past with "hidden" ISP policies (not dorectly related to this, but..)

Oh, and they REALLY need to list the ports they block. One perfectly legit program was blocked and it took a me and several people at the ISP several days to find out why it wasn't working.

Once we KNEW, I recompiled the program to use another port and problem was solved.

This is a great thing

[the+man+with+the+pla]

ISP's taking some level of responsibility for the actions of their subscribers is *tremendously* important. Spam exists because of the complacency of two entities: ISPs that allow (or even sell bandwidth to) spammers to use their networks; and Microsoft, for making it so easy for computers to be enslaved by spammers (sorry I know that's flaimbait, but it's true.)

Re:This is a great thing

[it0]

Yes but it has implications, if they take action against spam, they must take action against kiddie porn, warez etc. That's still fine, however I can imagine that there are gray area's where ISP's going to screw up.

Why is this news?

[eddy]

Telia is mostly known for their suckage over here. They've made several false starts, including blocking SMTP completely at their border making it impossible to host ones own mail server.

I guess if they've finally given up on that idoicy and actually go after the specific hosts that are a problem -- like we in the community has said for years is the correct solution -- then I'm all for it.

Just sad that it's making news the way it is. I think the news should be that they wasted at least two years reaching this "insight"!

Would be interesting to know if this was because the suits finally listened to their techs, or if it's because the techs finally gained a clue.

Re:Why is this news?

[Drakin]

It's news because it's an ISP actually doing something useful and proper in dealing with this sort of thing.

It's unbeleiveably rare.

Re:Why is this news?

[Anime_Fan]

Telia is mostly known for their suckage over here. They've made several false starts, including blocking SMTP completely at their border making it impossible to host ones own mail server.

Yes, but bostream is no better. They make customers who want to use an email with FROM-header other than foo@*.bostream.foo setup their own SMTP-server. I preferred Telia's approach.

I don't think their press release will affect the ammount of spam in my inbox. Telia is all too clueless for that. I am however happy that I get a pretty low ammount of spam when compared to US figures. I'm down to less than one junk mail per hour and still not prepared to pipe all messages through SpamAssassin (too high false negatives due to most mail being sent in Swedish).

Still, Telia has alot to do with the ammount of incoming spam. Most of the spam that arrive in my Telia inbox doesn't even have my email in the TO-header (but has it in X-Original-To). The other types of spam I get is the ones that look like:
Received: [*Snip*] Sat, 1 Nov 2003 15:50:49 +0100 (CET)
Date: Wed, 28 May 2003 23:14:06 +0000
I hate spam I can't directly see which box it is sent to, which date it was sent or that has ASCII-art topics.

Re:Why is this news?

[BetterThanCaesar]

blocking SMTP completely

That might just have been because AOL began bouncing all e-mail from Telia -- mainly due to the same problem as they have now. What would you have done?

I think this is a good thing. it stops the relays now and those affected will notice it, call the support, and be informed of why they were cut off.

Re:Why is this news?

[Troed]

I'm down to less than one junk mail per hour and still not prepared to pipe all messages through SpamAssassin (too high false negatives due to most mail being sent in Swedish).

I've never had a mail in Swedish marked spam by SpamAssassin - the only false positives I've had (three in 6 months) were mails from mailing lists where the poster indeed had weird headers.

Re:Why is this news?

[m2uk]

Could be worse. Your neighbour country Finland has the delights of Telia Sonera to fuzz up their mail, for several weeks, and then they blame viruses. Outsource to Messagelabs then twats or similar.

Re:Why is this news?

[gizmonic]

Blocking SMTP is not idiocy. You might be inconvenienced a bit, but spammers still use throwaway accounts. They pay their first month of service, and then spam until the ISP finally catches on and shuts down the account. If it takes even 8 hours to catch them, that's millions of spams. Most of our spam reports are around 24 hours old when they reach us. That's 24 hours of constant spamming. Port 25 blocks keep them from being able to use our network to do that.

It may be a bit upsetting not to be able to run your own mailserver, but the amount of spam stopped far outweighs that inconvenience.

Disclaimer: I work for an ISP, but not Telia...

Re:Why is this news?

[Dawn+Falcon]

Fine. As long as you state it up-front.

You pick static or dynamic IP when you sign up to the ISP I use. Only if you're on the static IP do you get the ability to run your own mail server, with the big warning that they cut your net first then investigate abuse complaints.

I think that's reasonable - if you want to run a mail server, make SURE you do it right.

Re:Why is this news?

[eddy]

>Blocking SMTP is not idiocy.

Sure it is, blanket blocking, that is. I pay for an internet connection, not a "web connection".

Just block the fucking machine doing the spamming! Hard to detect one machine sending X/mails per minute? (<-- rethorical question, but feel free to plead stupidity if you want)

My work's ISP does a variation of this

[quizwedge]

We have a local ISP and we are probably his largest customer. We've had problems since he is a startup and he traced them to trojans/worms/etc. so he sent them a warning to fix their system and then when they didn't, he shut them off. It's worked very well for us, keeps the number of infections down, keeps his network up and running, and keeps people accountable for the security of their computers.

And if anyone is wondering why we're going with a startup for business, it's because the only choice between 144kbps DSL and a full T1 is this guy.

Re:My work's ISP does a variation of this

[NorwBlue]

Actually, I did not wonder why You went with a startup for business. I Used to be Head of Computing in a company that spend around 2 mill $ and when we dropped the biggest computer supplier in Norway for a small startup, guess what : We went from being a ok account in a huge company to being the biggest account in a small company (It more than trippeled its sales). We suddenly got really good service, better prices and every one we called for help/support/service bent backwards for us(when we wanted them to, wich wasn't that often*evil grin of power*) So my advice to everyone managing a net is : don't follow the big fish, but find a place where You ARE the biggest fish. A bit off topic maybe, but if everyone did the same when it came to ISP services, YOU to would have leverage if you wanted your ISP to implement something similar.

Customers are *not* unaware of it

[Jugalator]

The users blocked are notified about it, and Telia will help them sort things out. Probably by giving suggestions to clean up trojans, etc. since these are often the reason someone spam without knowing. They also only seem to block well-known, heavy duty, spammers right now, since they haven't yet implemented a spam filter, but are considering it.

So, even if the customers won't be given a time period to stop spamming, they're still not left unaware about it, as the /. news post incorrectly states.

Telia says they're also attempting to detect spam hosts much quicker than earlier, when it could take up to a week or more to shut a host on their network down, when the damage was already done.

Re:Customers are *not* unaware of it

[clfrd]

The post doesn't say the users aren't aware of it, it refers to the users being unware that they're acting as spam relays.

Re:Customers are *not* unaware of it

[Jugalator]

Sorry... Too early in the morning...

Not quite sure how I read that news post. :-) But the other parts should still be true. ;-)

In other news...

* Police arrest citizens who break the law
* Shools suspend students who bully
* Bouncers eject drunken louts
etc...

Tell the Infected Individual First

[GOPWillC]

It makes perfect sense to block off the trojan infected PCs that are sending SPAM. But I don't believe it is fair not to notify the user of said infected PC. Some of these people may have friends who have Telia email accounts, and if they're being blocked, it means they can't receive mail from them. So, while I agree with Telia's decision, they should give the courtous of notifying the individuals first.

Re:Tell the Infected Individual First

[jaavaaguru]

I see nothing wrong with the customer's connection being immediately withdrawn. When they find out they either can't connect to the 'net, or just can't send e-mail, they'll call technical suport anyway, and then the ISP can easily inform them of the problem.

Also, people shouldn't choose to use technology that they don't have a good understanding of unless it's been set up properly by someone else beforehand. By that, I'm not meaning that the average member of the public shouldn't surf the Internet with their PC - one of these things should be happening:

1. They use a computer system that's been set up securely by the vendor

2. They apply all the latest security patches as soon as they're released

3. They understand about computer security and secure their system themselves.

If you own a computer connected to the Internet, then it's up to you to decide what you do with it, and what you let other people do with it.

Re:Tell the Infected Individual First

[flurdy]

I disagree.
It is not nice to be cut off without warning, but if your machine is infected or comprimised in some way then it needs to be isolated.

True, an email warning would be helpfull, but some people only read their email once a week or less. In the mean time their machine could still be on, and relaying junk all over the place.

Best cut them off and have them contact Customer Services to be reconnected. Ok they probably might want to join another company afterwards...

Or send them an physical letter.

The best solution though, would be to move suspected customers into a specific firewalled network where all ports were blocked incomming and outgoing and all that was allowed was incomming pop3/imap so they could receive the warning message?

Re:Tell the Infected Individual First

[Rick+the+Red]

If you own a computer connected to the Internet, then it's up to you to decide what you do with it, and what you let other people do with it.

Oh, I wish that were true. Unfortunately, your ISP decides what you can do on the internet. Some ISPs are much better than others, but most impose some restrictions.

Re:Tell the Infected Individual First

[gothzilla]

Kinda OT but your post reminded me of something I tell my customers when working on their computers.
(in the context of being in the USA)
You gotta have a license to drive, a license to cut hair, and even a license to catch a fish, but any moron can have kids or get on the internet.

You get stung, you react.

[Gubbe]

TeliaSonera is a company formed by the merger of swedish Telia and finnish Sonera. Sonera is one of the largest Internet/telecommunications providers in Finland and their e-mail systems have become a laughingstock during the last month. Reason: they don't work. There have been delays of several days in message delivery, some messages are lost entirely and their SMTP server seems to be down.
Sonera is blaming this 100% on the W32.Swen.A virus and while there is ongoing debate regarding Sonera's e-mail administrators' competency, that certainly explains why Telia is scrambling to remedy this problem in Sweden. [Un]fortunately (ignore the part in brackets if you are a privacy advocate) the Finnish legislation doesn't allow Sonera to perform the same thing as even automatic monitoring of e-mail traffic is not permitted by the communication privacy laws.

Re:You get stung, you react.

[LuckyPhil]

Sonera is one of the largest Internet/telecommunications providers in Finland and their e-mail systems have become a laughingstock during the last month. Reason: they don't work. There have been delays of several days in message delivery, some messages are lost entirely and their SMTP server seems to be down. Sonera is blaming this 100% on the W32.Swen.A virus and while there is ongoing debate regarding Sonera's e-mail administrators' competency, that certainly explains why Telia is scrambling to remedy this problem in Sweden.

That's rather interesting. Telstra in Australia also has been the laughing stock down under with email servers not working, etc. Whirlpool has the complete story if anyone is interested. Perhaps these guys got their story from the same "excuse file" as Telstra??

Re:You get stung, you react.

[weldzu]

[Un]fortunately (ignore the part in brackets if you are a privacy advocate) the Finnish legislation doesn't allow Sonera to perform the same thing as even automatic monitoring of e-mail traffic is not permitted by the communication privacy laws.

Actually, Sonera got a special permit from the Finnish communications bureau last week for scanning all emails for virii and trojans. What I wonder is, if they can't config their mail servers, can they config the scanning properly?

Another matter is that I never saw any mention on how long this permit lasts. Also, I believe that the special permit does not really remove the fact that this scanning is against the law. I may be wrong though, maybe there is a mention about special circumstances and comms bureau in the law...

Re:You get stung, you react.

[BJH]

Sunspots!!

Re:You get stung, you react.

[ajs318]

Or viri. -us -> -i. Not -ii unless the singular ended in -ius.

Good.

[Sheetrock]

Oftentimes, users don't even realize they've got trojans until there's some form of penalty. Internet access suddenly stopping, warning messages, a big red Alert, or something.

It used to be one knew they had a virus because an ambulance would fly around the screen or the computer would stop working. But given the amount of these things coming in through P2P I'm not surprised they aren't seeing all of the extra traffic on the little set of computers in the system tray.

Hopefully, the ISP will be similarly proactive in restoring access when the traffic stops. I'd hate to think somebody's dynamic IP address stops working ala Something Awful because of somebody else's bad Net habit.

Mod parent up

[Adam9]

Very true; the grandparent confused me.

Good news!

[RT+Alec]

This is certainly good news. Now their customers who are infected will figure things out pretty quickly!

Of course, this would have been easier if they just blocked egress port 25 traffic (which would not include their own SMTP server, of course!). Imagine all ISPs blocking egress port 25 traffic for their DHCP clients (e.g. most cable modem, dial-up, and DSL), and shutting off their corporate clients who spew spam! That would effectively eliminate spam, since IP addresses left still sending spam (directly or due to a trojan/virus) would quickly end up on DNSBLs.

It is irresponsible for ISPs to operate otherwise. Simple steps to be a good netizen:

• Don't use port 25 for initial mail submission. The fact that this port is used for both mail transport (between systems) and initial mail submission (which is really a different activity if you think about it) is a mistake. Use port 587 with SMTP+AUTH, or port 465 with SMTP+AUTH+SSL
• Implement one of the reverse lookups for incoming SMTP traffic (RMX or SPF:Sender) when one of the competing proposals become a standard (and your software catches up)
• Block egress port 25 traffic from your network

These apply to any businesses that supplies IP connectivity to any other computers (offices, schools, WISPs, in addition to standard ISPs). To not do so is to be a part of the problem.

Re:Good news!

[AnotherBlackHat]

Of course, this would have been easier if they just blocked egress port 25 traffic (which would not include their own SMTP server, of course!). Imagine all ISPs blocking egress port 25 traffic for their DHCP clients (e.g. most cable modem, dial-up, and DSL), and shutting off their corporate clients who spew spam! That would effectively eliminate spam, since IP addresses left still sending spam (directly or due to a trojan/virus) would quickly end up on DNSBLs.

Eliminate spam? Spare me.
Currently, less than 85% of spam comes from trojaned DHCP clients.

I'm glad that Telia opted for a more targeted approach rather than a blanket "guilty until proven innocent".

-- this is not a .sig

Re:Good news!

[piranha(jpl)]

Imagine all ISPs blocking egress port 25 traffic for their DHCP clients ... It is irresponsible for ISPs to operate otherwise

Then they cease to be Internet Service Providers and become Interweb Service Providers. Why should "consumers" be subject to inferior Internet service? Why wouldn't/couldn't an ISP monitor egress port 25 traffic for suspicious spikes? I won't be doing business with ISPs that try pulling stunts like that.

Re:Good news!

[dmeranda]

Blocking entire ports is like using like using a sledge hammer to affix a staple. First the majority of spam email wouldn't be affected. And if you're delivering mail via some other protocol spammers will still get through. Port blocking is not really a good policy, except on an individual basis where there is proof of such activity; or in cases where the client is paying for an intentionally crippled partial Internet access.

There is nothing wrong with using port 25. And if you want to use TLS/SSL, you should still use port 25 via the well established STARTTLS extension to the SMTP protocol. There is no reason to waste additional port numbers on experimental protocols when the SMTP protocol already does all that and is fairly mature with lots of supported software.

Oh, and I for one rely on having egress port-25 traffic from my home DSL. I am not a spammer, but I am a network administrator of a large company and find it very useful to "test" my own servers from an external unrelated addresses.

Re:Good news!

[pavera]

Don't be stupid.
There are plenty of DSL and Wireless providers that allow you to run servers. I maintain about 30 such servers for small businesses. this policy would completely eliminate the ability of these businesses to economically run their own email/web servers. None of these servers send spam, they are not open relays, they are well maintained servers that deserve to be on the net, blocking them would be draconian and stupid.

Re:Good news!

[skagin]

Cute similie, bit it's _wrong_. I've been an admin at two ISPs, and both blocked port 25 to all mailservers except their own. If one wanted to run one's own smtp server one was required to get explicit permission which included open relay testing. If one wanted to mail out through an alien mailserver a similar process was required. From talking over email issues with other ISP admins I learned that this is (or at least used to be) very common. Here's why

ISPs hold one another responsible for their networks. If I am hosting an open relay, connect proxy, etc. I'm going to be held accountable. I may be blocked one way or another, my ip range may be listed on someones site as hostile or exploitable, or I may get shunned in some other entirely novel manner. I'll almost certainly have to deal with annoyed phone calls and emails from other admins demanding I fix the problem.

This kind of peer pressure is really the only way we have to keep one another playing nice, and for the most part it seems to work. Most folks would be amazed at the amount of spam, viruses, and trojans which are stopped by this ersatz reputation network. Even complete wingnut vigilantes like wossname@monkeys.com occasionally are a blessing (albeit in deep disguise).

So if we can stomp on bad behaviour by blocking port 25 we'll do it. If users can't deal with a simple protocol for approving the use of other mailservers or testing out mailservers on the users' networks they can find another ISP. Most seem to understand and cooperate gladly. Those who don't can find another ISP.

Re:Good news!

[wowbagger]

Currently, less than 85% of spam comes from trojaned DHCP clients.

So, by your own numbers, shutting down direct-to-MX email from DHCP clients should eliminate about 85% of spam - that is a worthy target.

I say 85% because if you had real figures showing a percentage less than 85% you would have used the lower number to make your point.

Re:Good news!

[Hurga]

I've been an admin at two ISPs, and both blocked port 25 to all mailservers except their own. If one wanted to run one's own smtp server one was required to get explicit permission which included open relay testing. If one wanted to mail out through an alien mailserver a similar process was required.

That's excellent practice, but from what I've seen, far from being common. Where do you live?

More ideas how ISPs could help fighting spam:

- Hold your customers responsible for Spam sent in any case. Maybe it really isn't their fault, and this new Trojan sent it, but how can you be sure it isn't just a spammer excuse?

- Require a security deposit for opening egress port 25. If spam is being sent, the deposit is forfeit (and port 25 is closed again). This could help fighting hit-and-run spammers creating accounts with stolen CC numbers or some other fraudulent way.

Hanno

Re:Good news!

[gizmonic]

So, why don't you leave the keys in your car and the windows down everytime you park? You've got OnStar/LoJack/whatever. If you come out and the car is gone, you'll just call whoever, they'll track it down and get it back.

Not the best example, but the fact is, by the time you see a "large spike" in outbound port 25 traffic, it is too late. That's spam that just went out to the world.

Being forced to use our SMTP server if you are on our network is not such a big deal. Besides, we voluntarily submit our dial-up IPs to blacklists. So, even if we didn't block port 25, your mail wouldn't get to anyone using one of those blacklists anyway.

Of course, you are free to not use our services. That is the beauty of a free market.

Re:Good news!

[sqlrob]

Require a security deposit for opening egress port 25. If spam is being sent, the deposit is forfeit (and port 25 is closed again). This could help fighting hit-and-run spammers creating accounts with stolen CC numbers or some other fraudulent way.

How does this help with accounts opened with stolen CC numbers? They already used it once to open the account, why do they care if they lose a security deposit from it?

Re:Good news!

Then they cease to be Internet Service Providers and become Interweb Service Providers.
No. At that point I would feel confident in calling them a Responsible Internet Service Provider.

Why should "consumers" be subject to inferior Internet service?
Because the average "consumer" is not an overweight linux nerd who lives in his parents' basement and likes to send mail from his own SMTP server.

Why wouldn't/couldn't an ISP monitor egress port 25 traffic for suspicious spikes?
Because an ISP has more important things to do with their time than monitor their customer's email traffic.

I won't be doing business with ISPs that try pulling stunts like that.
Good. I doubt that they would want your business anyway. I hate to be the one to hit you with the cold, uncaring baseball bat that is reality; but people who run their own mail servers are in the minority. When given a choice between blocking all SMTP traffic from cable/dsl/dial-up IP blocks, resulting in vastly less spam; and pissing off some fat linux geek, I'll take pissing you off any day.

Cheers!

Re:Good news!

[Spl0it]

I'm willing to bet against that figure you 'pulled out of thin air'. I've had a 'private' email address which I don't advertise for over 2years now and just recently I've started to receive spam. Both types of spam I'm getting are virus from infected pc's. As well both are coming in usually one-two times a day, not to mention my isp failed to provide any assitance what so ever even though most of the emails are coming from there users.

Re:Good news!

[AnotherBlackHat]

I'm willing to bet against that figure you 'pulled out of thin air'.

That 85% comes from an analysis of the addresses that hit my 400 spamtraps over the course of three months.

85% were from IPs I'd never seen before and that don't listen on port 25. It's entirely possible that they aren't DHCP clients, but they aren't open relays, or known main sleeze, and there's not a lot of other possibilities left. But there are other possibilities, hence my "less than 85%"
comment.

If you count viruses as spam, then it's a lot higher this month.

Now 400 addresses is still a small amount when measured against the total volume of spam,
and it could easily be off, but I be happy to take your bet.

-- this is not a .sig

Re:Good news!

[BSDorBSOD]

I won't be doing business with ISPs that try pulling stunts like that.

...and another clueless spammer is born. Honestly, reading the comments here is illuminating in a Jekle and Hyde sort of way. It seems everyone wants to have their cake and eat it too. Block everyone else who might send spam out - but don't stop me!

It is irresponsible to not block outgoing SMTP connections from dynamically assigned IP addresses UNLESS they are routed through the ISPs SMTP relay. That does not block ANY outgoing messages, except possibly spam, viruses, or other messages with mailcious content. Is that what you are afraid of piranha(jpl)? At the very least, it gives the ISP a much shorter time between identification and correction of compromised systems.

Re:Second post, but first with a smiley??????

[stefanlasiewski]

It's interesting that all of the images except the smileys are broken.

It's a wierd conspiracy. You will obey the cheeseball smiley faces...

Background

[upside]

The Finnish side of Telia, TeliaSonera, has been in deep sh*t the last few weeks. Their email has been clogged up, apparently at least partly due to the fact that they have been listed in a few blacklists. Even the comms authority has intervened and told them to put their act together.

Trojanised PCs on broadband are the likely cause, and the block is most probably a measure designed to prevent such from happening again.

Re:Background

[BOFHelsinki]

You mean "Sonera, the Finnish side of TeliaSonera". ("Telia" is not a company any more, just a brand for the Swedish side of TeliaSonera. Not that Telia didn't somewhat get the upper hand in the merger...)

Re:Background

[upside]

I stand corrected. :) Another BOFH @ Hki

Re:Background

[juha0]

TeliaSonera has mostly been lying to customers. They have some huge problems with their email system, and they try to explain this in various ways. I received an email two weeks ago from a friend that is using Sonera as his ISP. It arrived two days after it was sent, and to this day I've received that same mail 21 times. That can't be explained by black lists of traffic generated by spam or viruses.

First they said it was the black lists, but the symptoms didn't match. Messages just didn't arrive, and sender was not given any feedback about it. Next they said it was spam and traffic generated mostly by Swen. Other ISPs are not facing this problem, so it seems that they just have messed up their whole system and are too ashamed to admit it.

Workable Solution???

[tintruder]

Instead of shutting them off, how about redirecting all internet activity of the victim/perpetrator to a static web page they must repeatedly click to bypass?

For most users this would be adequate notification and encouragement to fix the problem.

Re:Workable Solution???

[jhunsake]

internet activity of the victim/perpetrator to a static web page

Repeat after me: the internet is not the www and vice-versa

Re:Workable Solution???

[gnu-generation-one]

"Repeat after me: the internet is not the www and vice-versa"

You don't work for Verisign do you?

good idea

[kaan]

This seems like a good (and almost obvious) solution. Forget blocking a Hotmail account, block the entire computer from getting net access in the first place. I like it.

Statistical analysis

of traffic can easily be used to find and stop spammers. I am amazed that all ISP are not doing this.

I wonder if

[Pingular]

Gator, (also know as Claria) is included on the list?

This is news? TOS Enforcement is new?

How is this news? My local ISP has been doing this for years. It's called "enforcing terms of service" on offending accounts.

Ask Slashdot

[handy_vandal]

Okay, I know this is offtopic as hell ....

Then don't post it here -- send it (in the form of a question) to Ask Slashdot.

Re:Ask Slashdot

[stefanlasiewski]

Then don't post it here -- send it (in the form of a question) to Ask Slashdot.

Then we will never ever see the question. Or was that your intention?

Re:Ask Slashdot

[handy_vandal]

Then we will never ever see the question. Or was that your intention?

We might possibly see the question via Ask Slashdot -- isn't necessarily a dead letter office. Probably not: I assume that the editors get way more Ask Slashdot questions than they post, so it's likely that any given question won't get posted. But it could happen; and in any case, it is the appropriate way to initiate a new topic.

It's not my intention to suppress the issue. But I'm against off-topic discussion, because it dilutes the value and works against the spirit of topic-based forums such as SlashDot.

-kgj

Finland Too

[BOFHelsinki]

FWIW, this is soon likely to take place with Sonera, Finland's biggest ISP, as well.

Swedish Telia and Finnish Sonera (both stemming from the old national telephone companies, thus big players) merged into TeliaSonera last year, but still appear under the original names in the respective countries. Certainly they have a single policy on this.

And Sonera especially has lately had serious, even nation-wide trouble delivering emails, due to worms flooding the system. Actually I wonder why it was Telia that took these measures first -- I haven't read of similar trouble there. (Yeah, maybe I didn't get the email.)

Thank Heavens!!

[mharris007]

At least major ISPs are recognizing that trojans and spammers are a major issue. I wish more ISPs would maintain a blacklist of trojaned and spamming computers, that takes some of the hassle up farther upstream, so it isn't wasting my bandwidth when I recieve a crap load of spam, or trojan attacks (Code Red comes to mind).

This is a heaven sent, and more ISPs should follow suit.

WHY?

[sinserve]

Shouldn't this be "YRO" instead of "Spam"? One man's spammer is another's Information Minister.

Re:WHY?

[drinkypoo]

Maybe that's the real reason we went to war... It wasn't Weapons of Mass Destruction, it was Weapons of Mail Distribution.

Lies, damned lies and Telia

[Dr.+q00p]

Actually, last year (2002-10-29, if I remember correctly) they closed down all SMTP traffic from DSL accounts without any type of notice. Yes, you did read that correctly. Without notice!

A lot of companies and individuals switched other companies like Bostream and Bredbandsbolaget. I don't think anyone ever regretted this. Because Telia mostly....hm, is not that good. :)

This had one amusing side effect thou. Telias customer support service used DSL and could not send any mail to their clients. Nice going...

Re:Lies, damned lies and Telia

[lordholm]

And bostreams DNS-servers (for their 512kbit service) refuse to obtain MX-records from external hosts.

Solution: use a public DNS-server.

What real good will this do?

[dysprosia]

Ok, so blocking them is a good thing, sure - but what long term good will this do: a spammer will just move right along to the next ISP that doesn't give 2c about sending spam and it will continue...

Maybe if more ISPs followed suit, this would be more pleasing, but what to do with dedicated spamhausen out there?

Re:What real good will this do?

[Hittis]

Well...

I maintain a pretty large network (about 300 locations with more than 30K akademic and other users) and we have rules handling this.

If a computer is relaying spam we ask the local organisation (school for example) to fix the problem within a fixed amount of time. If the local organisation is unwilling or unable to fix the problem we will help but we can shut down the links for the local organisation completeley. If we didn't do that then we ourselves would be shut down. What I hope is that, someday, the ISPs will do the same at each other.

The clueless/ignorant ISP wont survive long if they didn't implement proactive rules for handling abuse.

If the peer process worked then this wouldn't be a problem but more often than not the end user gets to carry the blame.

I Don't care if an ISP is the largest in a country... Shut them down untill they rectify the problem.

Oh.. BTW. A general filtering is not a solution. It would block a market (appliances that take care of your internet service needs like mail, web and so forth) and make it a "HTTP" only network.

I am all for Telias new rule. It will work (I must think like that unless I wan't to go postal :) )

Re:What real good will this do?

[You're+All+Wrong]

It means that all the customers of that ISP can sit back and know that they won't have their netblocks blacklisted.
Cornering them is the next best thing to actually purging the net of them.

YAW.

We used to do this at DirecTV Broadband

When I worked for DTV BB DSL we'd cut off the access of our customers that were spamming/had trojans or were mass scanning the network. We'd send a email to thier contact address to let them know. (I'm not sure how we expected them to check.) Usually they'd call us to ask why thier service was off and then get transfered to abuse.

On the otherhand, we also double charged customers, charged $10/mo. extra to turn on NAT in our routers and on occasion continued to bill for months after they canceled (I saw a case of two years once.) Of course our service agreement says anything after 6 months is undisputable.

cliche!

I for one welcome our new swedish spam blocking overlords.

Censorship.

I'm against spam, but I'm more against ISPs deciding what I can do with the service I pay for. If they decide spam is bad, how long before they decide mp3s or porn should be on the "get blocked" list? Or perhaps they'll decide to block access to certain sites like pro-NRA ones? Oh wait, Symantec has already got that covered.

Just make spam illegal and arrest the fuckers. No need to quash user rights in the process. Of course, I'm American so I have no idea what kind of freedom of speech rights you have in Sweden. Maybe you're already used to this kind of thing.

Re:Censorship.

[ioErr]

Telia's terms of use state that the customer may not use their service to send spam, and that he will have his connection terminated if he does. If someone wishes to send spam then he'll just have to find an ISP that is willing to sell him that service.

Re:Censorship.

[mst]

If they decide spam is bad, how long before they decide mp3s or porn should be on the "get blocked" list?

Many ISP:s already will block you if you try to share mp3:s etc and they get prodded by your "favourite" record association. And since that type of behavior is already taking place - desirable or not - I personally am almost happy to see one ISP now doing something more constructive with their surveillance as well by trying to stop spam, which really is bad.

But then again, I live in Sweden ;)

Re:Censorship.

[jonbryce]

The European parliament has voted to make spam illegal. It will become a criminal offence to send spam in the UK from 11th December, subject to a long list of exceptions. I suspect other EU countries will implement the directive around the same time.

Sweden?

[LadyLucky]

Why not try a holiday in Sweden this year?

Re:Sweden?

[Detritus]

See the loveli lakes

The wonderful telephone system

And mani interesting furry animals

Re:Sweden?

[fiannaFailMan]

...and hot, tall blonde chicks.

Re:Sweden?

[Cygnus78]

You haven't been to Norway, have you ?

Take the expensive Swedish beer prices and multiply by almost 3.

Sorry?

[Dr.+q00p]

The way I see it, Bostream takes a very simple approach to mail. Either you set up your own SMTP-server or you buy an e-mail account from them. If you buy an e-mail account from them, why should you be able to set the "MAIL FROM"-header?

Honestly, I am curious.

Re:Sorry?

[innocent_white_lamb]

If you buy an e-mail account from them, why should you be able to set the "MAIL FROM"-header?

Because the mere fact that you choose to purchase an email account from one provider doesn't mean that you choose to abandon any and all other email accounts that you may have for various purposes, perhaps.

I may have an email account for responding to work-related email and another for personal messages, for one example.

Re:Sorry?

[Dr.+q00p]

Yes, but if I was Bostream and you have "licensed" the right to use the address somebody@bostrem.com, why should I let you send any other mail via my SMTP-server?

Re:Sorry?

[Anime_Fan]

If you buy an e-mail account from them, why should you be able to set the "MAIL FROM"-header?

When signing up for their $2.5/mo mail service, one of the main features advertised is being able to send mail. However, they do in fact require you to set the FROM header to your new mail account.

This sucks big time because:
1. I didn't want to spend 4 minutes configuring Postfix to send my mail.
2. When I informed them of the problem they sent me a Win32 MTA (despite the fact that I said I was using Linux).
3. I didn't want to use the new mail account (I have an own domain that gives me shorter mail adresses than their domain name).
4. I already pay $1/mo for a 100MB mail account.

b-one, which I use for my mail won't let me use their SMTP for things other than PHP scripts (beacause, they say: The ISP is supposed to relay mail, in order to reduce the spamload). Telia locks their SMTP servers to allow outgoing mail only from *.telia.com. Bostream does this for their premium accounts as well, but their standard ADSL service is using a very dynamic IP (*.bredband.skanova.com, which it shares with other ISPs). Thus they can't use an IP range to allow outgoing mail (if you want, you can check this page to see how many IP updates I've had. I've had zero downtime until sometime Thursday last week, but I've had _many_ different IPs.

They really wanted me to be able to send my mail with their server, as that was the way it was intended to be used, and it's not really their fault. It's just that a monopoly (Telia) sucks.elia is, in this regard, a much better ISP. This is much due to the fact that they own skanova (which means the other ISPs bite the dust).

And now for your actual question: Why should I be able to set my FROM-header? Simple: In Sweden, you may get a wide range of mail-adresses, none of which you have an SMTP server for. Take my student.liu.se for example. It will only relay my mail if I am on the student network. Telia will only relay if I am on their network. Bostream won't relay at all. An ISP is supposed to give you a service. And with the ammount of spam today, none other than your ISP wants to give you that service. That's why. Simple as that.

Re:Sorry?

[Dr.+q00p]

As always, I am confused. If you have your own domain and run your own mail server (Postfix), why do you need a mail account with Bostream? Why not relay all mail (regardless of domain) from your own server?

Re:Sorry?

[schon]

why do you need a mail account with Bostream?

If you read his email, he's saying exactly that - he DOESN'T WANT OR NEED a mail account with Bostream.

Why not relay all mail (regardless of domain) from your own server?

Maybe because "his own server" (like the University account he mentioned) won't relay for him when he's not connected to it's network, and (since it's a university server) he doesn't have the authority or ability to change it.

Re:Sorry?

[Dr.+q00p]

If you read his email, he's saying exactly that - he DOESN'T WANT OR NEED a mail account with Bostream.

No, sorry, I did not read his email. I did read his /. post though. Did you? If he "DOESN'T WANT OR NEED a mail account with Bostream" why did he order one, for $2.5 a month? Maybe you should read his post.

Maybe because "his own server" (like the University account he mentioned) won't relay for him when he's not connected to it's network, and (since it's a university server) he doesn't have the authority or ability to change it.

Well wiseguy, we are talking Bostream now, an ISP. I so happens that I have Bostream as well, and there is absolutely nothing stopping me from relaying through my own server. I have done so for over a year now.

Please come back when you know what you are talking about.

Re:Sorry?

[Anime_Fan]

No, sorry, I did not read his email. I did read his /. post though. Did you? If he "DOESN'T WANT OR NEED a mail account with Bostream" why did he order one, for $2.5 a month? Maybe you should read his post.

Let's sum this up: I needed an SMTP server. Bostream didn't provide one. So I run my own server.
As compared to the *better* thing: Bostream doesn't allow me to have an own SMTP, but relay all the mail I want.

trojans...

[jlemmerer]

there might be a little problem with the immediate cutting of the line: how do i get rid of the trojan without internet connection (e.g. to download a path or tool form symantec). it would be better to leave at least one port open for these reasons, and if the computer is clean again the customer can call the isp to be fully able to access the net again.

Re:trojans...

[Alkonaut]

They simply assume that you call support to ask why your connection has been cut. Support will provide the information necessary to clean away any trojans etc. I think it would be a better idea to restrict all connections to a page with cleaning instructions instead.

Leper VLAN

[Detritus]

Some Universities have an interesting way of solving the problem. Infected systems are switched to a VLAN that restricts them to accessing a web site that contains information, software and patches on how to clean up their computer.

Excellent

[AchmedHabib]

Over a period of 4 days, I got 2000+ virus mails from a dsl user in Norway, it would have been very annoing if it wasn't because the virus faked the from field, and my mail server rejected it due to the wrong domain of the sender.
Anyway, the ended shutting down their line at some point, and I guess that people with less strict configured mail servers got really annoyed.

If I ran an ISP...

[Alioth]

If I ran a broadband ISP:

1. All users would get a static IP (since there's an expectation that they are always on, there's no point in NOT doing so. In the dialup days you'd have fewer IP addresses than customers, for broadband you can't really do that). Customers having static IPs would make abuse much easier to trace.
2. The initial sign-up would say "Would you like to be protected by our firewall?" with the default option set to YES. The vast majority of normal home users would get some default level of security (known troublesome services, including outbound port 25 filtered, and incoming CIFS filtered etc, plus all Microsoft executables for their ISP email address rejected automatically). People who select NO to this option will be warned of the dangers of doing so, but will have no filtering at all applied to their accounts.
3. A system such as Snort would be run analysing incoming/outgoing traffic and looking for trouble. If a user is trojaned and sending out crap, they get the plug pulled.

Re:If I ran an ISP...

[houghi]

All users would get a static IP (since there's an expectation that they are always on, there's no point in NOT doing so

In Belgium there is a reason not to do so. A commercial one. If you want a fixed IP, you will have to take a more expensive account.

Re:If I ran an ISP...

[You're+All+Wrong]

3 might make you a publisher in some coutries, and therefore responsible for all content that you serve, such as kiddie-pron and illegal MP3s.

YAW

Re:If I ran an ISP...

[cdn-programmer]

Yes... this is a very good idea... so why aren't you the president of an ISP? Get your butt in gear my friend because the NET needs you to lead the way!

As for the "commercial" reason in belgium cited in another reply... the reason for statics not being viable is that they cost more...

Well, that is a concocted abuse of the system.

How would you like it if every time you picked up your cell phone the telco injected a new telephone number? This would allow you to make outgoing calls. If you want to receive calls? Well - get a more expensive account.

That is about the state of affairs with regard to DHCP and the net. IF you want to run a server... you get to pay more even though servers provide the content of the net and thus provide a service to the industry.

Its just one of those aberations that we get in the peering verses client arrangements in the telecommunications industry.

You can read more about these issues here: paper from Telstra on the peering vs client problem at ISCO.org

Ok... back on the topic... Kudo's for Telia!

Re:If I ran an ISP...

[Alioth]

It's a pretty flawed reason, too, IMHO. Trying to milk extra money for static IP addresses means it costs them more to run their abuse department - and there's probably a vanishingly small market of people who would pay extra just for a static IP (I suspect in .be that static IP gets bundled with other 'business' services, like different contention, and cannot be unbundled)

Re:If I ran an ISP...

[Alioth]

Yes... this is a very good idea... so why aren't you the president of an ISP

The market is saturated. I live on an island whose population is 76,000 and we have not one, but FOUR ISPs already. (One ISP only caters for business though). The wires are sold by a monopoly telco, Manx Telecom (they sell ADSL wholesale to the ISPs).

However, one of the ISPs (Domicilium) has just been granted a license to use the fixed base wireless system to provide 5Mbit/s connectivity, competing with MT's wires. They haven't settled on pricing yet, but IF the price is right, I may run a "community ISP" - incoroporate as a non-profit, get a 5Mbit/s link, then share it amongst my neighbourhood via cat5e wiring on my side of the street, and some breed of 802.11x for others in range.

We'll see what happens.

Re:If I ran an ISP...

[The+Creator]

3. Well whatever your exuse you can tell it to the judge.

Nice try ...

[foobsr]

... but: ... Telia will block are primarily those that have been infected with "trojans" which are being used, without the customer's knowledge ...

would read better like ... Telia is helping customers who are infected to get rid and be more aware of ...

Telia will learn that.

CC.

Re:What should have been done?

[rifter]

Maybe they should have blocked the ones sending out SPAM, instead of everybody! Do you honestly think that innocent companies and individuals should be punished? Oh, and without notice by the way.

The ISP is not innocent; it is their job to enforce policies and to be a good citizen on the net. Unfortunately to block an ISP you do block customers by extension, but this is the only way to get ISPs to do something.

Am I on the list?

[irabinovitch]

I hope they plan on making a list of blocked IPs available and make it easy to get off the list as well. I wonder if they plan to block all traffic to/from those hosts or just SMTP.

Not so gray an area

[87C751]

if they take action against spam, they must take action against kiddie porn, warez etc.

Not necessarily. My ISP (Fuze) recently started blocking outbound port 25 connections unless directed to their SMTP server. Shortly after that, I heated up an older box I have, which used to be the house mailserver. Of course, there was some traffic stuck in its mail queue, which it tried to send. Fuze suspended my service (reported with a web page shown when I tried to go out on the web) until I called the helpdesk. They did this purely based on the appearance of the traffic, and not on the content.

The conversation with the helpdesk guy was kinda amusing, though.

HDG: "Are you familiar with a program called Zone Alarm?"

Me: "Sure. Are you familiar with the SMC Barricade router?"

Re:Why is this news? (major OT)

[1lus10n]

this has nothing to do with the topic at hand, I just clicked through to your website (and although I cant read swedish...) I must say I enjoyed the bush resume`, and rigging the election thing as well. highly amusing stuff.

I also didnt know there were so many Swedish folks on /. , it being so american-centric.

What about all other viruses?

[the_arrow]

I checked the stats for my web-site just the other day, and noticed that I still get a lot of requests for things like /scripts/..%255c../winnt/system32/cmd.exe and /default.ida?XXXX...
Most of them comming from hosts on the Telia network. While I think its good they are finally doing something good for once (I left Telia when they blocked SMTP), will they do anything about all these Code Red and Nimda and all other old viri still on many of their customers systems?

Re:What about all other viruses?

[Nonillion]

I still get these along with code red attempts. But the most annoying thing is that my e-mail address is being used to propagate this stupid Microsoft update e-mail virus. I have had to resort to blocking hundreds of domains to keep it to a trickle, but I still reject upto 50 or more a day. It's REALLY getting old

Re:The GPL is a licese to Steal

[ajs318]

Not sharing your source code with others is theft, pure and simple. See sig. So how can something which enforces sharing be encouraging theft?

block the hosting ISPs, not the spam source

[geoff+lane]

Most spam source is spoofed in some manner, but equally most spam has a real URL or email address for the gulible to contact the spammer.

If you are going to block anybody, block the ISPs that host the web sites and email reply addresses for the spammers - AND LET EVERYBODY KNOW in any error messages you issue. Blocking the real or apparent source of the spam itself is ineffective in the long run.

Re:block the hosting ISPs, not the spam source

[Dunark]

If you are going to block anybody, block the ISPs that host the web sites and email reply addresses for the spammers

The spammers have already thought of that. One thing they do to counter it is to have to URL point to a trojaned PC, and to change the DNS every few minutes to rotate through a large pool of such owned machines.

I'll buy that...

[Nijika]

Seriously, for e-mail administrators it's been like one new variant a week since about oh I dunno, JULY. Most ISPs these days can handle the amount of UCE that's sent through thier systems, but some just barely. Tack on these viruses and you can easily see your e-mail jump four fold. Add to that queueing of messages that are "undeliverable" and your systems, no matter how big, start to falter.

In these instances filters like SpamAssasin may even add to the problem since they often consume more overhead than even SMTP daemons do, so that usually goes out the window as well (It's great, but not on a large scale (perl)). It's better to just let the mail pass than to slow it down like that.

So in theory, let's say you have a mid sized ISP with 6 SMTP relays. You can't run an anti-spam service directly on those boxes because the volume would kill them, so you have to break them off on to their own box. Suddenly you've got 10 or 12 boxes to care for, and when you've got something like this where you have maybe let's say 10,000 customers on your core network infected, more perhaps, things get really ugly. So even if you have that anti-spam monitor broken off on to it's own cluster, you can either leave the filtering up to some vague RegEx rules in your SMTP configuration or you can pass it through the anti-spam devices, causing each peice of e-mail to pass through your system twice, making 3 to 4 connections each.

I'm responsible for a fairly large e-mail system, but not nearly the size of any mid to large scale ISP and it's gotten pretty hairy, I can't even imagine what it's like at a Telia or RoadRunner for that matter. People keep forgetting to look at WHY this is happening, other than MS and hapless users. The SMTP protocol allows it all. Want to find a solution? We need to start moving to something else, as painful as that may be.

Re:I'll buy that...

[42forty-two42]

In these instances filters like SpamAssasin may even add to the problem since they often consume more overhead than even SMTP daemons do, so that usually goes out the window as well (It's great, but not on a large scale (perl)).

I want a Ponie.

Re:The GPL is a licese to Steal

[Interfacer]

>>Wouldn't it be great when you needed to acess the registry, you could fnd a pice of code, and just integrate it?

you can do this already. it is called an SDK, and it is installed with Visual Studio.

Clueless?

[Dr.+q00p]

Chain of events:

1. The ISP AOL begins bouncing all e-mail from the ISP Telia due to large amounts of SPAM from some of Telias DSL customers.

2. Telia blocks all of their DSL customers (companies and individuals) outgoing SMTP (port 25) traffic.

3. eddy states (correctly) that: Telia is mostly known for their suckage over here. They've made several false starts, including blocking SMTP completely at their border making it impossible to host ones own mail server.

4. BetterThanCaesar asks (regarding Telias SMTP blocking): What would you have done?

5. I answer: Maybe they (clarification for the clueless: "they" is a reference to the ISP Telia) should have blocked the ones sending out SPAM, instead of everybody! Do you honestly think that innocent companies (another clarification for the clueless: these "companies" are customers of Telia) and individuals should be punished? Oh, and without notice by the way.

6. You claim that: The ISP is not innocent; it is their job to enforce policies and to be a good citizen on the net. Unfortunately to block an ISP you do block customers by extension, but this is the only way to get ISPs to do something.

7. We conclude that you are clueless, and apparently /. as well since you been modded to a score of 2....eh, hmmm....well I guess we knew the last bit, but I expected more from you.

Re:Clueless?

[GreyPoopon]

Maybe they (clarification for the clueless: "they" is a reference to the ISP Telia) should have blocked the ones sending out SPAM, instead of everybody!

I hate to tell you doc, but based on context, the reference to "they" could have easily been interpreted as AOL -- even if Telia makes more sense. The followup response about the ISP not being innocent was in reference to Telia with the assumption that your previous reference to "they" meant AOL.

Re:Clueless?

[rifter]

"Maybe they (clarification for the clueless: "they" is a reference to the ISP Telia) should have blocked the ones sending out SPAM, instead of everybody!"

I hate to tell you doc, but based on context, the reference to "they" could have easily been interpreted as AOL -- even if Telia makes more sense. The followup response about the ISP not being innocent was in reference to Telia with the assumption that your previous reference to "they" meant AOL.

That is how I interpreted it, indeed. You have to be careful with vagaries like they. You could mean anything. Even the amorphous "they" that is responsible for world conspiracies, windows backdoors, and all the missing pencils. Or you could mean the underpants gnomes. I chose to interpret "they" in this context as meaning AOL. really! :)

Or people who aren't allowed to help...

[Channard]

I used to work at a computer helpdesk dealing with customers (I'm thankfully working at a better one now), and we had no incentive to fix problems. We were pressured to get a certain number of calls dealt with - so if we fobbed off a customer with crap, we'd look good. If on the other hand we genuinely tried to fix a problem, seeing it through to the end, we'd get a happier customer, but moaned at by management. The problem is not just cluelesness - I often had the tech knowhow to fix problems - but that it's volume of calls not fix rates that count.

Telia

[vonFinkelstien]

I am still miffed at Telia for sending me a cease and desist order when their random snooping of the net traffic revealed that I was downloading an episode of the Simpsons (I have no TV, so I relied on p2p for my Simpsons fix).

I know I was doing something against their policy and against the law (maybe). But it still miffed me that they were looking at what their customers were down/up loading.

Re:Telia

[swordgeek]

So let me get this straight.

You were knowingly breaking your contract with them and likely the law, and when they used the part of their contract that says "we can monitor you to our hearts content" to prove it, they told you to stop it. That's all they did? And you're MIFFED at them for this??!!
They could have cut your service and passed your name to the police to possibly make a test case of you. Count yourself lucky that they were so forgiving.

Re:Telia

[vonFinkelstien]

I did not know it was against their contract (who reads such things), but that did not miff me. What miffed me was that look to see what is being downloaded viewed by users.

That is an invasion of privacy.

Re:Telia

[swordgeek]

Um...no. Sorry, you're wrong.

There is no invasion of privacy here, because Telia explicitly denied (in the contract that you're too damned lazy to read--that doesn't remove your responsibility to be held by it) and guarantee or expectation of privacy. If you thought otherwise, then it was because you deluded yourself, despite fair and reasonable attempts by Telia (the other party to the contract) to make their authority clear to you.

I don't like contracts like this, but if you agree to one, then you've got NO ONE at all to blame but yourself. In other words, it's your own damned fault.

Re:Telia

[vonFinkelstien]

Your sternness seems a little misplaced. Perhaps your English is not very good. I'll help you out a bit, since I teach English.

The key word is "miffed." According to Hyperdictionary Miff is " [n] a state of irritation or annoyance."

I was not angry with Telia. I was just miffed. I stopped all illegal downloads, as per their request. I still haven't read the ADSL contract (why bother--it is nothing about being lazy--do you read your telephone sign up contract?), but I would hazard a guess that no where does it say, "We will be doing periodic snooping of IP content."

I think I was justifiably annoyed and irritated (not angry, however).

Re:Telia

[Raccim]

Well they are not snooping the traffic. Their abusedepartment get complaints from tv/movie companies that "snoop" on Dcc, kazaa etc.... They in turn tell the isp:s that their customers is breaking the law (if you share copyrighted materiel in Sweden you are breaking the law). I have read this BS over and over again that telia is "snoopin" what their customers is sharing. They even tell you in the letter you get that the reason they know you are sharing is because some tv/movie company has found the material on some filesharing program.

Re:I don't get any spam? Why??

[Dunark]

I have Earthlink, and they allow me to create and destroy email addresses via their support website. I made a half-dozen new addresses that are all 15-character random strings, and none of those new addys gets any spam at all. If one of them ever starts getting spam, I'll delete it and create a new one to take it's place.

My original email address (dating back to 1995) gets spammed mercilessly, but I don't use it anymore.

The Internet

[Prince+Vegeta+SSJ4]

everybody knows This is the internet

why is this happening?

[Ffakr]

quick question..

If I'm the president of Globaldex Inc.* and a Trojan is spamming products for my company, why doesn't someone of authority (aka. Law Enforcement) come to me and ask a few questions. You know, crazy stuff like, who did I contract to send out email advertisements and such.
I'd imagine that if 1000 computers got broken into by a Trojan, and they are spamming for Globaldex, it would be reasonable to consider Glabaldex an accomplice until they were able to clear themselves.

Why exactly are prople getting away with this?

* Gloabaldex is not real BTW

Re:why is this happening?

[Cyno01]

Yes, but they could follow the trail then at least. They may not have busted Wally World, but they probably came down on the sub-contractor or whoever down the line was responsible. Follow the money, find whos responsible, fine the hell out of em.

Re:why is this happening?

[Ffakr]

My point was, when you start an investigation like this, you have to start with Globaldex.
Hey, Globaldex is spamming people from a trojan on their machines. Computer laws can be tough... DOJ says we're hauling you into court unless you have someone you'd like to tell us about.
Gloabldex knows who they hired to spam.
It doesn't matter if Glabaldex get's slammed, as long as the real criminals get identified.

As for competitors doing this in the name of Globaldex, well that'd be like framing someone for murder wouldn't it? It sucks, but the cops go after the person who looks guilty. If everything works right, the facts lead to the real source.

Spammers and breakin the law

[djdavetrouble]

Ok, so spam and email are still largely unregulated. In the past months, we have witnessed such tactics as trojans that send spam, trojans that ddos anti spam sites, not to mention the blatant header forging, joe-jobs, etc...

This blatantly criminal behavior upsets me much more than unsolicited email. The line has been crossed from sending spam to criminal hacking of innocent people's computers. I am not sure what the solution is, but this type of thing is not tolerated in other communication types, such as mail or the telephone. Spam has been a problem for at least 10 years now, and I know that the wheels of beauracracy turn slowly, but a nuisance has become a criminal enterprise with no ethics or limits...

Servers on a DSL line

[RT+Alec]

I have many clients on DSL lines, too. They have arrainged with their ISP for a static IP address, and the ISP pretty much lets them do whatever they want to. Any malicious activity, and they know where to find them.

Videotron does it, too...

[pruneau]

Well, It did not happen to me, but I had from a reliable source that videotron (my own ISP as well) started blocking computer infected with some most popular worms/trojan.

I do not know how they do the detection part, but one of my colleagues came for advice on how to clean/up secure his own PC, because it was shut down from the network.

Their method is really simple:

• John Doe machine is infected
• It is shut down from the network
• John Doe calls to investigate what's wrong
• Get an explanation, is reconnected to allow him to download some anti-virus/pers. FW, etc...
• Everybody is happy

I like this attitude, because even if it does not prevent on-purpose spam, it at least prevent unknowable people to spread nastywares. The only problem beeing that the help desk should point to the IPS URL where they explain how to secure your machine. I hope they will get it right...

Only thing that works...

[gweihir]

... is to kick those of the 'net, that are not capable of administrating their box. In my opinion that should actually be required by law.

Vastly less spam?

[Convergence]

This is exactly like the arguments that those who are willing to give up freedom in exchange seldom get either.

I doubt spam will increase much if at all. And now we have ISP mailservers --- or should we say ISP spy&censorship boxes that are the middlemen in all email.

The next time a law says that 'ISPs shall monitor their users for subversive material', its as easy as installing a program.

Use of port 25

[RT+Alec]

There is something wrong with using port 25 for initial mail submission. Submitting a mail message by an end user is a different activity then two SMTP servers transmitting mail to each other.

Initial mail submission is a potential security violation, and certain restraints on relaying mail are important. Here is where SSL and SMTP+AUTH make sense. The user submits the mail, and then can forget about it-- the SMTP server will now handle the rest, including queuing the message in case the remote MX host is down, etc.

Mail transport is between two SMTP servers. MX hosts are looked up, and each tried in a specified order until the message is delivered to an appropriate recieving SMTP server. In some cases, the message is queued for hours or days.

These are different activities, and ought to be handled as such. That is why the alternate ports are used for initial mail submission. While it is true that STARTTLS will work over port 25, it is a disservice to the users of that mail server to configure it that way. What about remote users who's ISP is (responsibly) blocking port 25? Or, as another poster pointed out, silently relaying all outgoing port 25 traffic to their own server? The alternate ports solve this problem quite well.

Re:Use of port 25

[dmeranda]

So if an ISP were truely responsible then they should be blocking port 80 too, huh? Think of all the abuse that goes over port 80!

Yes, I will grant that mail transport and mail submission are two separate tasks. That is why sendmail for instance isolates each activity with separate processes and even security barriers (user/group permissions, etc.). But just because it's two tasks doesn't mean my own computer is incapable of doing both or that I must be forced to allow my ISP to handle one half of it (that would make them an ASP). The main functional difference is that submission is basically an interactive activity whereas transmission is anything but interactive; it's not about preventing me from being responsible for my own email.

However that is not an argument for disallowing SMTP (port 25). In fact one of the strengths of SMTP is its queuing ability...so ideally my mail reader (MUA) would use a mail submission protocol to insert my message into the queue of my MTA running on the same box (or perhaps one amongst my home network). Then my MTA (e.g., sendmail) can sit there happily trying to deliver my mail.

Now if an ISP wants to run an SMTP server for me and I don't mind giving up control of my email, thats an extra service that some may be willing to pay for. Or if an ISP wants to monitor my network usage and block on a case-by-case basis because of abuse then that's being responsible. But blindly disabling the Internet for everybody makes them an INSP (Internet NON-Service Provider).

As far as STARTTLS, it would be a disservice not to configure your SMTP server to use it. Since when is adding security considered a bad thing? Everybody in /. is always griping about how insecure SMTP (supposedly) is, but then turn around and ignore all the features it has.

And furthermore, the primary difficult of preventing spam is identification and authentication of the sender...not of disabling an entire network protocol and substituting another one. Authentication relies on identifying people, and usually involves a complex PKI system which nobody can figure out how to do (think Verisign here), or a haphazard trust-based model like PGP which doesn't scale well. And other experimental protocols do not change that fact. And no, alternative protocols like SMTP+AUTH are not solutions.

SMTP servers

[RT+Alec]

No need to use your ISP's servers at all. Have the admin of the mail server you wish to use configure the server to use SMTP+AUTH on a different port. Even better, use SMTP+AUTH+SSL. No blocking, the chain of responsibility is intact, everybody is happy.

Re:The GPL is a licese to Steal

[SnarfQuest]

Although we met several technical challenges along the way
(specifically, Linux's lack of Token Ring support and the fact that we
were unable to defrag its ext2 file system),


This is probably just another drooling idiot trolling, but...

Why were you trying to defrag the file system? This isn't windows! It is rare that defragging will produce any noticable result (unlike windows, where it is almost a necessity). The reason that you can't find defraggers for ext2 (they actually do exist), is that nobody ever uses them.

MicroSofts "shared source" is considered a joke around here. It lets you LOOK at SOME the code, but you must be a very large "MicroSoft" shop, and you CANNOT make any changes (like fixing bugs), or compile it, or use any of it in your own projects, or do anything useful with it, or tell anyone else about it (NDA). It's absolutely useless.

Remember when MicroSoft was saying they couldn't show the source to anyone, because it would threaten national security. Nothing has changed in the source, but now China gets to look at it. And virus attacks have jumped again.

Your main problem seems to be of the form "it isn't windows so I don't like it". Even your bogus licensing rant is wrong. You really need to talk to someone other than MicroSoft unless you want to keep looking as stupid as this post makes you look.

Way To Go

[ajs318]

While I like the fact that my ports 20, 21 [ftp], 22 [ssh], 80 [apache], 110 [pop], 443 [apache-ssl] and 3306 [sql] are open, any others might well be too many.

I used to get many connection attempts on port 135; but not having any active daemon on it, not much happened {though invariably the far end would be listening on that port}.

I cannot think of a single reason why anybody would want to expose ports specific to a Microsoft LAN to the outside world. Sometimes I wish there was a "networthiness" test for computers like the roadworthiness test for cars.

What about Telia commercial spammers

[dananderson]

This is not the whole story. Not all of Swedish Telia spam are "viruses." Many (most) are from commercial outfits that use Telia's services with its full knowledge. I wish they would boot them out too. Until they do, I recommend blocking these addresses (all class B, /16): 62.20, 62.107, 194.22, 195.198, 217.208, 217.209, 217.210, 217.211, 213.64, 213.64, 213.166.

These are not all of Telia's blocks but only ones I have received spam from in the past year. Put tem in your /etc/mail/access file. E.g.:

213.64 ERROR:"550 We don't accept unsolicited email from Swedish Telia spammers"

- Dan Anderson (Swedish American who hates Swedish spam as much as Asian spam)

Hopefully my ISP isn't providing an example

[CAIMLAS]

My ISP, in their infinite wisdom, has decided that blocking ICMP (as well as a bunch of other things) is the way to go. They think that providing such 'protection' services will help prevent trogans and hackers. Meanwhile, traceroute and ping do not work. Interesting, because since tehy started their lovely protection racket, the service has gone to utter shit, and I am unable to even tell -how- bad it is. Many times the latency is so bad I'm unable to ssh to remote hosts at all. The connection goes down at least 10 times a day. Etc.

Apparently, though, the ICMP protocol suite is a "business class" service. Wish I didn't sign a year long contract with them 2 months prior to this whole scenario (spurred on by blaster), when they were the best service in the area. :-/

Oh that's just GREAT...

[weeboo0104]

Now where will I get all of my Swedish pr0n?

Customers don't care!

[twitter]

My brother in law told me that he did not care if others were using his computer as a DoS machine, spambot or anything like that so long as he could not tell. I was dumbfounded an otherwise reasonable person could care so little. I'd like his ISP to tell him about things like this by pulling the plug. I suspect most people are like him.

Yanking infected computers off the internet would do lots of good things for the world. It would be the fastest way to kill Microsoft and other inferior software. Nothing much will change until people have to pay for the problems they create.

A good way and a bad way.

[twitter]

Monitoring email volume is good. I'd like it if my ISP monitored activity and shut down machines that started blowing spam out. This simply makes people responsible for their computers.

The way my ISP, Cox, tried to do things is bad. They forced all trafic through their SMTP server. They had already blocked incoming mail, so you could not run a mail server on your own. The new policy keeps you from even being able to send you own mail. This sucks in many ways. The most important way it sucks is that they don't quote email that they can't deliver, not even for their business customers, nor do they provide an adequate time stamp. This leaves people clueless if a mail myseriously fails - you can't tell which of a long serries of messages with the same subject did not make it. Less obviously, it leaves you at the whim of your ISP. They can refuse to send mail to people they don't like and there's nothing you can do about it, short of exchanging shell accounts. This method makes an artificial distinction between "client" and "server" that has no place on a free internet.

So, you see, it's not so simple, not period by a long shot. I don't run shitty software that is liable to get trojans and I've never had this kind of problem. My ISP treats me like a peon and it sucks. I've been punished for other people's problems. Microsoft and Cox both sucks.

Ooh! Spam blocking!

[arothmanmusic]

Maybe they can take the AOL route on keeping out the spam... i.e. deleteing perefectly legitimate email on a regular basis without notifying the sender or intended recipient! I say again... spam removal should be the task of the end-user. Spem prevention should be the task of the ISPs. People who send spam should be kicked off their service, but those who receive it should not be penalized with an "overlord spam filter" that may or may not filter the bad stuff and may or may not let them get the good stuff. Drew

I just moved and ...

[millette]

... dicovered that my new isp is filtering port 25 to any ip other then their own. I was using my own smtp server, and couldn't send any email. A simple nmap showed me that I needed to change that piece of config. All the rest it working perfectly.

I think that's pretty reasonable thing to do for an isp, no? And what if I wanted to get around that, what shoud I do?