Slashdot Mirror
Swedish ISP Blocks Computers That Send Spam
snuppepuppan writes "One of Sweden's largest ISPs, Telia starts to block computers that send spam. 'The computers that Telia will block are primarily those that have been infected with "trojans" which are being used, without the customer's knowledge, to send enormous amounts of spam.'"
If more ISPs took spam complaints seriously and acted on them quickly the net would be a better place. However it is has been my experience that abuse desks are mostly staffed by the clueless.
For me the dominant source of spam that I get now comes from infected computers, since DNSBLs have rendered fixed spaming IPs impotent.
In a related story, Microsoft sues Telia, commenting, "C'mon, it would only be a matter of time before all Outlook and IE users get banned from the net."
__ Someday, but not this morning, I'll finally learn to use the preview button.
More ISP's should do the same.
Period.
ISP's taking some level of responsibility for the actions of their subscribers is *tremendously* important. Spam exists because of the complacency of two entities: ISPs that allow (or even sell bandwidth to) spammers to use their networks; and Microsoft, for making it so easy for computers to be enslaved by spammers (sorry I know that's flaimbait, but it's true.)
The linux hacker
Telia is mostly known for their suckage over here. They've made several false starts, including blocking SMTP completely at their border making it impossible to host ones own mail server.
I guess if they've finally given up on that idoicy and actually go after the specific hosts that are a problem -- like we in the community has said for years is the correct solution -- then I'm all for it.
Just sad that it's making news the way it is. I think the news should be that they wasted at least two years reaching this "insight"!
Would be interesting to know if this was because the suits finally listened to their techs, or if it's because the techs finally gained a clue.
Belief is the currency of delusion.
We have a local ISP and we are probably his largest customer. We've had problems since he is a startup and he traced them to trojans/worms/etc. so he sent them a warning to fix their system and then when they didn't, he shut them off. It's worked very well for us, keeps the number of infections down, keeps his network up and running, and keeps people accountable for the security of their computers.
And if anyone is wondering why we're going with a startup for business, it's because the only choice between 144kbps DSL and a full T1 is this guy.
I have no
The users blocked are notified about it, and Telia will help them sort things out. Probably by giving suggestions to clean up trojans, etc. since these are often the reason someone spam without knowing. They also only seem to block well-known, heavy duty, spammers right now, since they haven't yet implemented a spam filter, but are considering it.
/. news post incorrectly states.
So, even if the customers won't be given a time period to stop spamming, they're still not left unaware about it, as the
Telia says they're also attempting to detect spam hosts much quicker than earlier, when it could take up to a week or more to shut a host on their network down, when the damage was already done.
Beware: In C++, your friends can see your privates!
It makes perfect sense to block off the trojan infected PCs that are sending SPAM. But I don't believe it is fair not to notify the user of said infected PC. Some of these people may have friends who have Telia email accounts, and if they're being blocked, it means they can't receive mail from them. So, while I agree with Telia's decision, they should give the courtous of notifying the individuals first.
TeliaSonera is a company formed by the merger of swedish Telia and finnish Sonera. Sonera is one of the largest Internet/telecommunications providers in Finland and their e-mail systems have become a laughingstock during the last month. Reason: they don't work. There have been delays of several days in message delivery, some messages are lost entirely and their SMTP server seems to be down.
Sonera is blaming this 100% on the W32.Swen.A virus and while there is ongoing debate regarding Sonera's e-mail administrators' competency, that certainly explains why Telia is scrambling to remedy this problem in Sweden. [Un]fortunately (ignore the part in brackets if you are a privacy advocate) the Finnish legislation doesn't allow Sonera to perform the same thing as even automatic monitoring of e-mail traffic is not permitted by the communication privacy laws.
It used to be one knew they had a virus because an ambulance would fly around the screen or the computer would stop working. But given the amount of these things coming in through P2P I'm not surprised they aren't seeing all of the extra traffic on the little set of computers in the system tray.
Hopefully, the ISP will be similarly proactive in restoring access when the traffic stops. I'd hate to think somebody's dynamic IP address stops working ala Something Awful because of somebody else's bad Net habit.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
This is certainly good news. Now their customers who are infected will figure things out pretty quickly!
Of course, this would have been easier if they just blocked egress port 25 traffic (which would not include their own SMTP server, of course!). Imagine all ISPs blocking egress port 25 traffic for their DHCP clients (e.g. most cable modem, dial-up, and DSL), and shutting off their corporate clients who spew spam! That would effectively eliminate spam, since IP addresses left still sending spam (directly or due to a trojan/virus) would quickly end up on DNSBLs.
It is irresponsible for ISPs to operate otherwise. Simple steps to be a good netizen:
- Don't use port 25 for initial mail submission. The fact that this port is used for both mail transport (between systems) and initial mail submission (which is really a different activity if you think about it) is a mistake. Use port 587 with SMTP+AUTH, or port 465 with SMTP+AUTH+SSL
- Implement one of the reverse lookups for incoming SMTP traffic (RMX or SPF:Sender) when one of the competing proposals become a standard (and your software catches up)
- Block egress port 25 traffic from your network
These apply to any businesses that supplies IP connectivity to any other computers (offices, schools, WISPs, in addition to standard ISPs). To not do so is to be a part of the problem.The Finnish side of Telia, TeliaSonera, has been in deep sh*t the last few weeks. Their email has been clogged up, apparently at least partly due to the fact that they have been listed in a few blacklists. Even the comms authority has intervened and told them to put their act together.
Trojanised PCs on broadband are the likely cause, and the block is most probably a measure designed to prevent such from happening again.
I'm sorry if I haven't offended anyone
For most users this would be adequate notification and encouragement to fix the problem.
of traffic can easily be used to find and stop spammers. I am amazed that all ISP are not doing this.
How is this news? My local ISP has been doing this for years. It's called "enforcing terms of service" on offending accounts.
Okay, I know this is offtopic as hell ....
Then don't post it here -- send it (in the form of a question) to Ask Slashdot.
-kgj
FWIW, this is soon likely to take place with Sonera, Finland's biggest ISP, as well.
Swedish Telia and Finnish Sonera (both stemming from the old national telephone companies, thus big players) merged into TeliaSonera last year, but still appear under the original names in the respective countries. Certainly they have a single policy on this.
And Sonera especially has lately had serious, even nation-wide trouble delivering emails, due to worms flooding the system. Actually I wonder why it was Telia that took these measures first -- I haven't read of similar trouble there. (Yeah, maybe I didn't get the email.)
At least major ISPs are recognizing that trojans and spammers are a major issue. I wish more ISPs would maintain a blacklist of trojaned and spamming computers, that takes some of the hassle up farther upstream, so it isn't wasting my bandwidth when I recieve a crap load of spam, or trojan attacks (Code Red comes to mind).
This is a heaven sent, and more ISPs should follow suit.
---
Mike
I'm going to kick the next person that I see with their karma rating in their sig.
Shouldn't this be "YRO" instead of "Spam"? One man's spammer is another's Information Minister.
When I worked for DTV BB DSL we'd cut off the access of our customers that were spamming/had trojans or were mass scanning the network. We'd send a email to thier contact address to let them know. (I'm not sure how we expected them to check.) Usually they'd call us to ask why thier service was off and then get transfered to abuse.
On the otherhand, we also double charged customers, charged $10/mo. extra to turn on NAT in our routers and on occasion continued to bill for months after they canceled (I saw a case of two years once.) Of course our service agreement says anything after 6 months is undisputable.
I'm against spam, but I'm more against ISPs deciding what I can do with the service I pay for. If they decide spam is bad, how long before they decide mp3s or porn should be on the "get blocked" list? Or perhaps they'll decide to block access to certain sites like pro-NRA ones? Oh wait, Symantec has already got that covered.
Just make spam illegal and arrest the fuckers. No need to quash user rights in the process. Of course, I'm American so I have no idea what kind of freedom of speech rights you have in Sweden. Maybe you're already used to this kind of thing.
Why not try a holiday in Sweden this year?
dominionrd.blogspot.com - Restaurants on
there might be a little problem with the immediate cutting of the line: how do i get rid of the trojan without internet connection (e.g. to download a path or tool form symantec). it would be better to leave at least one port open for these reasons, and if the computer is clean again the customer can call the isp to be fully able to access the net again.
".Sig Stealer" was here
Some Universities have an interesting way of solving the problem. Infected systems are switched to a VLAN that restricts them to accessing a web site that contains information, software and patches on how to clean up their computer.
Mea navis aericumbens anguillis abundat
If you buy an e-mail account from them, why should you be able to set the "MAIL FROM"-header?
Because the mere fact that you choose to purchase an email account from one provider doesn't mean that you choose to abandon any and all other email accounts that you may have for various purposes, perhaps.
I may have an email account for responding to work-related email and another for personal messages, for one example.
If you're a zombie and you know it, bite your friend!
If I ran a broadband ISP:
1. All users would get a static IP (since there's an expectation that they are always on, there's no point in NOT doing so. In the dialup days you'd have fewer IP addresses than customers, for broadband you can't really do that). Customers having static IPs would make abuse much easier to trace.
2. The initial sign-up would say "Would you like to be protected by our firewall?" with the default option set to YES. The vast majority of normal home users would get some default level of security (known troublesome services, including outbound port 25 filtered, and incoming CIFS filtered etc, plus all Microsoft executables for their ISP email address rejected automatically). People who select NO to this option will be warned of the dangers of doing so, but will have no filtering at all applied to their accounts.
3. A system such as Snort would be run analysing incoming/outgoing traffic and looking for trouble. If a user is trojaned and sending out crap, they get the plug pulled.
Oolite: Elite-like game. For Mac, Linux and Windows
... but: ... Telia will block are primarily those that have been infected with "trojans" which are being used, without the customer's knowledge ...
... Telia is helping customers who are infected to get rid and be more aware of ...
would read better like
Telia will learn that.
CC.
TaijiQuan (Huang, 5 loosenings)
If you buy an e-mail account from them, why should you be able to set the "MAIL FROM"-header?
When signing up for their $2.5/mo mail service, one of the main features advertised is being able to send mail. However, they do in fact require you to set the FROM header to your new mail account.
This sucks big time because:
1. I didn't want to spend 4 minutes configuring Postfix to send my mail.
2. When I informed them of the problem they sent me a Win32 MTA (despite the fact that I said I was using Linux).
3. I didn't want to use the new mail account (I have an own domain that gives me shorter mail adresses than their domain name).
4. I already pay $1/mo for a 100MB mail account.
b-one, which I use for my mail won't let me use their SMTP for things other than PHP scripts (beacause, they say: The ISP is supposed to relay mail, in order to reduce the spamload). Telia locks their SMTP servers to allow outgoing mail only from *.telia.com. Bostream does this for their premium accounts as well, but their standard ADSL service is using a very dynamic IP (*.bredband.skanova.com, which it shares with other ISPs). Thus they can't use an IP range to allow outgoing mail (if you want, you can check this page to see how many IP updates I've had. I've had zero downtime until sometime Thursday last week, but I've had _many_ different IPs.
They really wanted me to be able to send my mail with their server, as that was the way it was intended to be used, and it's not really their fault. It's just that a monopoly (Telia) sucks.elia is, in this regard, a much better ISP. This is much due to the fact that they own skanova (which means the other ISPs bite the dust).
And now for your actual question: Why should I be able to set my FROM-header? Simple: In Sweden, you may get a wide range of mail-adresses, none of which you have an SMTP server for. Take my student.liu.se for example. It will only relay my mail if I am on the student network. Telia will only relay if I am on their network. Bostream won't relay at all. An ISP is supposed to give you a service. And with the ammount of spam today, none other than your ISP wants to give you that service. That's why. Simple as that.
Maybe they should have blocked the ones sending out SPAM, instead of everybody! Do you honestly think that innocent companies and individuals should be punished? Oh, and without notice by the way.
The ISP is not innocent; it is their job to enforce policies and to be a good citizen on the net. Unfortunately to block an ISP you do block customers by extension, but this is the only way to get ISPs to do something.
The conversation with the helpdesk guy was kinda amusing, though.
HDG: "Are you familiar with a program called Zone Alarm?"
Me: "Sure. Are you familiar with the SMC Barricade router?"
Mail? Put "slashdot" in the subject to pass the spam filters.
I checked the stats for my web-site just the other day, and noticed that I still get a lot of requests for things like /scripts/..%255c../winnt/system32/cmd.exe and /default.ida?XXXX...
Most of them comming from hosts on the Telia network. While I think its good they are finally doing something good for once (I left Telia when they blocked SMTP), will they do anything about all these Code Red and Nimda and all other old viri still on many of their customers systems?
/ The Arrow
"How lovely you are. So lovely in my straightjacket..." - Nny
In these instances filters like SpamAssasin may even add to the problem since they often consume more overhead than even SMTP daemons do, so that usually goes out the window as well (It's great, but not on a large scale (perl)). It's better to just let the mail pass than to slow it down like that.
So in theory, let's say you have a mid sized ISP with 6 SMTP relays. You can't run an anti-spam service directly on those boxes because the volume would kill them, so you have to break them off on to their own box. Suddenly you've got 10 or 12 boxes to care for, and when you've got something like this where you have maybe let's say 10,000 customers on your core network infected, more perhaps, things get really ugly. So even if you have that anti-spam monitor broken off on to it's own cluster, you can either leave the filtering up to some vague RegEx rules in your SMTP configuration or you can pass it through the anti-spam devices, causing each peice of e-mail to pass through your system twice, making 3 to 4 connections each.
I'm responsible for a fairly large e-mail system, but not nearly the size of any mid to large scale ISP and it's gotten pretty hairy, I can't even imagine what it's like at a Telia or RoadRunner for that matter. People keep forgetting to look at WHY this is happening, other than MS and hapless users. The SMTP protocol allows it all. Want to find a solution? We need to start moving to something else, as painful as that may be.
Luck favors the prepared, darling.
Chain of events:
/. as well since you been modded to a score of 2....eh, hmmm....well I guess we knew the last bit, but I expected more from you.
1. The ISP AOL begins bouncing all e-mail from the ISP Telia due to large amounts of SPAM from some of Telias DSL customers.
2. Telia blocks all of their DSL customers (companies and individuals) outgoing SMTP (port 25) traffic.
3. eddy states (correctly) that: Telia is mostly known for their suckage over here. They've made several false starts, including blocking SMTP completely at their border making it impossible to host ones own mail server.
4. BetterThanCaesar asks (regarding Telias SMTP blocking): What would you have done?
5. I answer: Maybe they (clarification for the clueless: "they" is a reference to the ISP Telia) should have blocked the ones sending out SPAM, instead of everybody! Do you honestly think that innocent companies (another clarification for the clueless: these "companies" are customers of Telia) and individuals should be punished? Oh, and without notice by the way.
6. You claim that: The ISP is not innocent; it is their job to enforce policies and to be a good citizen on the net. Unfortunately to block an ISP you do block customers by extension, but this is the only way to get ISPs to do something.
7. We conclude that you are clueless, and apparently
quick question..
If I'm the president of Globaldex Inc.* and a Trojan is spamming products for my company, why doesn't someone of authority (aka. Law Enforcement) come to me and ask a few questions. You know, crazy stuff like, who did I contract to send out email advertisements and such.
I'd imagine that if 1000 computers got broken into by a Trojan, and they are spamming for Globaldex, it would be reasonable to consider Glabaldex an accomplice until they were able to clear themselves.
Why exactly are prople getting away with this?
* Gloabaldex is not real BTW
I'm not feeling witty so bite me
I do not know how they do the detection part, but one of my colleagues came for advice on how to clean/up secure his own PC, because it was shut down from the network.
Their method is really simple:
I like this attitude, because even if it does not prevent on-purpose spam, it at least prevent unknowable people to spread nastywares. The only problem beeing that the help desk should point to the IPS URL where they explain how to secure your machine. I hope they will get it right...
[Pruneau
The way my ISP, Cox, tried to do things is bad. They forced all trafic through their SMTP server. They had already blocked incoming mail, so you could not run a mail server on your own. The new policy keeps you from even being able to send you own mail. This sucks in many ways. The most important way it sucks is that they don't quote email that they can't deliver, not even for their business customers, nor do they provide an adequate time stamp. This leaves people clueless if a mail myseriously fails - you can't tell which of a long serries of messages with the same subject did not make it. Less obviously, it leaves you at the whim of your ISP. They can refuse to send mail to people they don't like and there's nothing you can do about it, short of exchanging shell accounts. This method makes an artificial distinction between "client" and "server" that has no place on a free internet.
So, you see, it's not so simple, not period by a long shot. I don't run shitty software that is liable to get trojans and I've never had this kind of problem. My ISP treats me like a peon and it sucks. I've been punished for other people's problems. Microsoft and Cox both sucks.
Friends don't help friends install M$ junk.