Swedish ISP Blocks Computers That Send Spam

snuppepuppan writes "One of Sweden's largest ISPs, Telia starts to block computers that send spam. 'The computers that Telia will block are primarily those that have been infected with "trojans" which are being used, without the customer's knowledge, to send enormous amounts of spam.'"

a great idea

[batray]

If more ISPs took spam complaints seriously and acted on them quickly the net would be a better place. However it is has been my experience that abuse desks are mostly staffed by the clueless.
For me the dominant source of spam that I get now comes from infected computers, since DNSBLs have rendered fixed spaming IPs impotent.

Re:a great idea

[BrokenHalo]

abuse desks are mostly staffed by the clueless.

That's where they are staffed at all. There are all too many ISPs who appear to be happy to turn a blind eye to this type of activity, in spite of the fact that it costs them money.

Re:a great idea

[Zocalo]

abuse desks are mostly staffed by the clueless

Depends on the ISP. Generally speaking mid-sized ISPs have pretty good abuse desks, mainly because they are big enough to have a decent technical team, yet small enough to not be swamped by abuse reports. That said, this kind of thing is a no brainer for the scripted response type of first line support used by large ISPs. Basically it boils down to "look for an IP in the mail headers that falls within a set of provided IPs and if present, click some widget to block outbound email from that IP". All you need then is some process to advise the customer of the problem and remove the block once the problem is resolved.

As you say, DNSBLs (non-dynamic ones anyway) have been rendered largely obsolete by the spamnets of compromised machines. There are so many of the damn things that a spammer can use an IP for a couple of days, discard it and not need to use it again for a couple of months, by which time it is probably off the DNSBLs again. This approach adopted by Telia (and Demon Internet in the UK, others?) is the only efficient way a large ISP can deal with this issue without incurring massive labour costs that I can think of.

Re:a great idea

[Keith_Beef]

There are all too many ISPs who appear to be happy to turn a blind eye to this type of activity, in spite of the fact that it costs them money.

Well, in France, many ISPs have premium rate phone numbers for the helpdesk. So, if you're on a dial-up connection, the ISP makes money hand-over-fist! First, you pay to download the spam (because the ISP doesn't block it). Then you pay for the pleasure of listening to 10 minutes of vivaldi's Four Seasons, before explaining to helpdesker No.1, who then passes you on to helpdesker No.2, who wants all the same details again... you get the picture. Finally, if you manage to get any help at all, you'll be sent an e-mail with a 650KByte MS Word attachment, with details of how to set up spam filtering *on your home computer*, so as to filter out spam *after you've downloaded it* Stupid, those ISPs? No, they have a profitable, if immoral, business model. Keith.

Re:a great idea

[gizmonic]

My guess is that part of the problem is that most abuse desks are flooded with inane crap. At least ours is. I can't tell you how many emails we get from people who forward a spam to us, and do not include full headers. I mean, they had to find the IP and track down who owned it to get the spam report to us, so how can they then forward us the spam and not include headers? Amazingly, that accounts for well over half the abuse mail we get. Then there are the people who send a message saying "Stop sending me spam" and include an IP address, followed by a copy of our ARIN netblocks, as if we didn't know who we were, and that's it. No spam, no timestamp. Nothing. Then there are the myriad of people who simply write our abuse desk with nothing more than "Please remove me from your mailing list." And it goes on and on and on like that. Of course, now that all the nice new viruses are out there, we also get a ton of "One of your users attacked me on port 135" emails. (We have port 135 blocked on our routers to keep from our users from infecting the net, but on the same NAS, they can still get to each other.) The best ones are from people who send us email claiming they are being attacked by one of our DNS servers because their firewalls are capturing logs of the DNS requests.

That's why, as I've said before, we love SpamCop. When we see a SpamCop report, we know we will have everything we need to knock someone off the network. Very seldomly have we gotten a SpamCop report on something that was not spam. As for the rest of the abuse mail? Maybe 1% or 2% have enough information to track the user, and are actual abuse issues. And usually, they were already banned from a SpamCop report.

Anyway, I've rambled on enough. But for those who don't work abuse for a large ISP, now you have a small glimpse of what the abuse mail looks like.

In a related story...

[bobdotorg]

In a related story, Microsoft sues Telia, commenting, "C'mon, it would only be a matter of time before all Outlook and IE users get banned from the net."

Good.

[clfrd]

More ISP's should do the same.

Period.

Re:Good.

[You're+All+Wrong]

Telia is now "TeliaSonera", after merging with the Finnish company Sonera. This anti-spam move is not just in Sweden, it's in Finland too.

ISPs must provide a QOS in Finland, and Sonera were fined recently (last few weeks) for being unable to deliver mail as they were so bogged down with spam.

So they're not doing it for altruistic reasons, they're doing it because it costs them big-time if they don't. I'm still glad they're doing it though.

All of this was filtered from stories in the Helsingin Sanomat
via my "doesn't speak Finnish" brain, so may be not quite true.
(HS had suffered because of the Sonera e-mail problems, I remember, so they had a particular bias (anti-spam, not anti-Sonera) in
their report).

Anyway - agreed. Period.

YAW.

This is a great thing

[the+man+with+the+pla]

ISP's taking some level of responsibility for the actions of their subscribers is *tremendously* important. Spam exists because of the complacency of two entities: ISPs that allow (or even sell bandwidth to) spammers to use their networks; and Microsoft, for making it so easy for computers to be enslaved by spammers (sorry I know that's flaimbait, but it's true.)

Why is this news?

[eddy]

Telia is mostly known for their suckage over here. They've made several false starts, including blocking SMTP completely at their border making it impossible to host ones own mail server.

I guess if they've finally given up on that idoicy and actually go after the specific hosts that are a problem -- like we in the community has said for years is the correct solution -- then I'm all for it.

Just sad that it's making news the way it is. I think the news should be that they wasted at least two years reaching this "insight"!

Would be interesting to know if this was because the suits finally listened to their techs, or if it's because the techs finally gained a clue.

Re:Why is this news?

[Anime_Fan]

Telia is mostly known for their suckage over here. They've made several false starts, including blocking SMTP completely at their border making it impossible to host ones own mail server.

Yes, but bostream is no better. They make customers who want to use an email with FROM-header other than foo@*.bostream.foo setup their own SMTP-server. I preferred Telia's approach.

I don't think their press release will affect the ammount of spam in my inbox. Telia is all too clueless for that. I am however happy that I get a pretty low ammount of spam when compared to US figures. I'm down to less than one junk mail per hour and still not prepared to pipe all messages through SpamAssassin (too high false negatives due to most mail being sent in Swedish).

Still, Telia has alot to do with the ammount of incoming spam. Most of the spam that arrive in my Telia inbox doesn't even have my email in the TO-header (but has it in X-Original-To). The other types of spam I get is the ones that look like:
Received: [*Snip*] Sat, 1 Nov 2003 15:50:49 +0100 (CET)
Date: Wed, 28 May 2003 23:14:06 +0000
I hate spam I can't directly see which box it is sent to, which date it was sent or that has ASCII-art topics.

Re:Why is this news?

[BetterThanCaesar]

blocking SMTP completely

That might just have been because AOL began bouncing all e-mail from Telia -- mainly due to the same problem as they have now. What would you have done?

I think this is a good thing. it stops the relays now and those affected will notice it, call the support, and be informed of why they were cut off.

Re:Why is this news?

[Troed]

I'm down to less than one junk mail per hour and still not prepared to pipe all messages through SpamAssassin (too high false negatives due to most mail being sent in Swedish).

I've never had a mail in Swedish marked spam by SpamAssassin - the only false positives I've had (three in 6 months) were mails from mailing lists where the poster indeed had weird headers.

My work's ISP does a variation of this

[quizwedge]

We have a local ISP and we are probably his largest customer. We've had problems since he is a startup and he traced them to trojans/worms/etc. so he sent them a warning to fix their system and then when they didn't, he shut them off. It's worked very well for us, keeps the number of infections down, keeps his network up and running, and keeps people accountable for the security of their computers.

And if anyone is wondering why we're going with a startup for business, it's because the only choice between 144kbps DSL and a full T1 is this guy.

Re:My work's ISP does a variation of this

[NorwBlue]

Actually, I did not wonder why You went with a startup for business. I Used to be Head of Computing in a company that spend around 2 mill $ and when we dropped the biggest computer supplier in Norway for a small startup, guess what : We went from being a ok account in a huge company to being the biggest account in a small company (It more than trippeled its sales). We suddenly got really good service, better prices and every one we called for help/support/service bent backwards for us(when we wanted them to, wich wasn't that often*evil grin of power*) So my advice to everyone managing a net is : don't follow the big fish, but find a place where You ARE the biggest fish. A bit off topic maybe, but if everyone did the same when it came to ISP services, YOU to would have leverage if you wanted your ISP to implement something similar.

Customers are *not* unaware of it

[Jugalator]

The users blocked are notified about it, and Telia will help them sort things out. Probably by giving suggestions to clean up trojans, etc. since these are often the reason someone spam without knowing. They also only seem to block well-known, heavy duty, spammers right now, since they haven't yet implemented a spam filter, but are considering it.

So, even if the customers won't be given a time period to stop spamming, they're still not left unaware about it, as the /. news post incorrectly states.

Telia says they're also attempting to detect spam hosts much quicker than earlier, when it could take up to a week or more to shut a host on their network down, when the damage was already done.

Re:Customers are *not* unaware of it

[clfrd]

The post doesn't say the users aren't aware of it, it refers to the users being unware that they're acting as spam relays.

You get stung, you react.

[Gubbe]

TeliaSonera is a company formed by the merger of swedish Telia and finnish Sonera. Sonera is one of the largest Internet/telecommunications providers in Finland and their e-mail systems have become a laughingstock during the last month. Reason: they don't work. There have been delays of several days in message delivery, some messages are lost entirely and their SMTP server seems to be down.
Sonera is blaming this 100% on the W32.Swen.A virus and while there is ongoing debate regarding Sonera's e-mail administrators' competency, that certainly explains why Telia is scrambling to remedy this problem in Sweden. [Un]fortunately (ignore the part in brackets if you are a privacy advocate) the Finnish legislation doesn't allow Sonera to perform the same thing as even automatic monitoring of e-mail traffic is not permitted by the communication privacy laws.

Re:You get stung, you react.

[weldzu]

[Un]fortunately (ignore the part in brackets if you are a privacy advocate) the Finnish legislation doesn't allow Sonera to perform the same thing as even automatic monitoring of e-mail traffic is not permitted by the communication privacy laws.

Actually, Sonera got a special permit from the Finnish communications bureau last week for scanning all emails for virii and trojans. What I wonder is, if they can't config their mail servers, can they config the scanning properly?

Another matter is that I never saw any mention on how long this permit lasts. Also, I believe that the special permit does not really remove the fact that this scanning is against the law. I may be wrong though, maybe there is a mention about special circumstances and comms bureau in the law...

Good news!

[RT+Alec]

This is certainly good news. Now their customers who are infected will figure things out pretty quickly!

Of course, this would have been easier if they just blocked egress port 25 traffic (which would not include their own SMTP server, of course!). Imagine all ISPs blocking egress port 25 traffic for their DHCP clients (e.g. most cable modem, dial-up, and DSL), and shutting off their corporate clients who spew spam! That would effectively eliminate spam, since IP addresses left still sending spam (directly or due to a trojan/virus) would quickly end up on DNSBLs.

It is irresponsible for ISPs to operate otherwise. Simple steps to be a good netizen:

• Don't use port 25 for initial mail submission. The fact that this port is used for both mail transport (between systems) and initial mail submission (which is really a different activity if you think about it) is a mistake. Use port 587 with SMTP+AUTH, or port 465 with SMTP+AUTH+SSL
• Implement one of the reverse lookups for incoming SMTP traffic (RMX or SPF:Sender) when one of the competing proposals become a standard (and your software catches up)
• Block egress port 25 traffic from your network

These apply to any businesses that supplies IP connectivity to any other computers (offices, schools, WISPs, in addition to standard ISPs). To not do so is to be a part of the problem.

Re:Good news!

[piranha(jpl)]

Imagine all ISPs blocking egress port 25 traffic for their DHCP clients ... It is irresponsible for ISPs to operate otherwise

Then they cease to be Internet Service Providers and become Interweb Service Providers. Why should "consumers" be subject to inferior Internet service? Why wouldn't/couldn't an ISP monitor egress port 25 traffic for suspicious spikes? I won't be doing business with ISPs that try pulling stunts like that.

Re:Good news!

[dmeranda]

Blocking entire ports is like using like using a sledge hammer to affix a staple. First the majority of spam email wouldn't be affected. And if you're delivering mail via some other protocol spammers will still get through. Port blocking is not really a good policy, except on an individual basis where there is proof of such activity; or in cases where the client is paying for an intentionally crippled partial Internet access.

There is nothing wrong with using port 25. And if you want to use TLS/SSL, you should still use port 25 via the well established STARTTLS extension to the SMTP protocol. There is no reason to waste additional port numbers on experimental protocols when the SMTP protocol already does all that and is fairly mature with lots of supported software.

Oh, and I for one rely on having egress port-25 traffic from my home DSL. I am not a spammer, but I am a network administrator of a large company and find it very useful to "test" my own servers from an external unrelated addresses.

Background

[upside]

The Finnish side of Telia, TeliaSonera, has been in deep sh*t the last few weeks. Their email has been clogged up, apparently at least partly due to the fact that they have been listed in a few blacklists. Even the comms authority has intervened and told them to put their act together.

Trojanised PCs on broadband are the likely cause, and the block is most probably a measure designed to prevent such from happening again.

Workable Solution???

[tintruder]

Instead of shutting them off, how about redirecting all internet activity of the victim/perpetrator to a static web page they must repeatedly click to bypass?

For most users this would be adequate notification and encouragement to fix the problem.

Re:Workable Solution???

[jhunsake]

internet activity of the victim/perpetrator to a static web page

Repeat after me: the internet is not the www and vice-versa

Statistical analysis

of traffic can easily be used to find and stop spammers. I am amazed that all ISP are not doing this.

This is news? TOS Enforcement is new?

How is this news? My local ISP has been doing this for years. It's called "enforcing terms of service" on offending accounts.

WHY?

[sinserve]

Shouldn't this be "YRO" instead of "Spam"? One man's spammer is another's Information Minister.

Censorship.

I'm against spam, but I'm more against ISPs deciding what I can do with the service I pay for. If they decide spam is bad, how long before they decide mp3s or porn should be on the "get blocked" list? Or perhaps they'll decide to block access to certain sites like pro-NRA ones? Oh wait, Symantec has already got that covered.

Just make spam illegal and arrest the fuckers. No need to quash user rights in the process. Of course, I'm American so I have no idea what kind of freedom of speech rights you have in Sweden. Maybe you're already used to this kind of thing.

Re:Sweden?

[Detritus]

See the loveli lakes

The wonderful telephone system

And mani interesting furry animals

Leper VLAN

[Detritus]

Some Universities have an interesting way of solving the problem. Infected systems are switched to a VLAN that restricts them to accessing a web site that contains information, software and patches on how to clean up their computer.

Re:Sorry?

[innocent_white_lamb]

If you buy an e-mail account from them, why should you be able to set the "MAIL FROM"-header?

Because the mere fact that you choose to purchase an email account from one provider doesn't mean that you choose to abandon any and all other email accounts that you may have for various purposes, perhaps.

I may have an email account for responding to work-related email and another for personal messages, for one example.

If I ran an ISP...

[Alioth]

If I ran a broadband ISP:

1. All users would get a static IP (since there's an expectation that they are always on, there's no point in NOT doing so. In the dialup days you'd have fewer IP addresses than customers, for broadband you can't really do that). Customers having static IPs would make abuse much easier to trace.
2. The initial sign-up would say "Would you like to be protected by our firewall?" with the default option set to YES. The vast majority of normal home users would get some default level of security (known troublesome services, including outbound port 25 filtered, and incoming CIFS filtered etc, plus all Microsoft executables for their ISP email address rejected automatically). People who select NO to this option will be warned of the dangers of doing so, but will have no filtering at all applied to their accounts.
3. A system such as Snort would be run analysing incoming/outgoing traffic and looking for trouble. If a user is trojaned and sending out crap, they get the plug pulled.

Re:Tell the Infected Individual First

[jaavaaguru]

I see nothing wrong with the customer's connection being immediately withdrawn. When they find out they either can't connect to the 'net, or just can't send e-mail, they'll call technical suport anyway, and then the ISP can easily inform them of the problem.

Also, people shouldn't choose to use technology that they don't have a good understanding of unless it's been set up properly by someone else beforehand. By that, I'm not meaning that the average member of the public shouldn't surf the Internet with their PC - one of these things should be happening:

1. They use a computer system that's been set up securely by the vendor

2. They apply all the latest security patches as soon as they're released

3. They understand about computer security and secure their system themselves.

If you own a computer connected to the Internet, then it's up to you to decide what you do with it, and what you let other people do with it.

Re:Tell the Infected Individual First

[flurdy]

I disagree.
It is not nice to be cut off without warning, but if your machine is infected or comprimised in some way then it needs to be isolated.

True, an email warning would be helpfull, but some people only read their email once a week or less. In the mean time their machine could still be on, and relaying junk all over the place.

Best cut them off and have them contact Customer Services to be reconnected. Ok they probably might want to join another company afterwards...

Or send them an physical letter.

The best solution though, would be to move suspected customers into a specific firewalled network where all ports were blocked incomming and outgoing and all that was allowed was incomming pop3/imap so they could receive the warning message?

Re:What should have been done?

[rifter]

Maybe they should have blocked the ones sending out SPAM, instead of everybody! Do you honestly think that innocent companies and individuals should be punished? Oh, and without notice by the way.

The ISP is not innocent; it is their job to enforce policies and to be a good citizen on the net. Unfortunately to block an ISP you do block customers by extension, but this is the only way to get ISPs to do something.

Not so gray an area

[87C751]

if they take action against spam, they must take action against kiddie porn, warez etc.

Not necessarily. My ISP (Fuze) recently started blocking outbound port 25 connections unless directed to their SMTP server. Shortly after that, I heated up an older box I have, which used to be the house mailserver. Of course, there was some traffic stuck in its mail queue, which it tried to send. Fuze suspended my service (reported with a web page shown when I tried to go out on the web) until I called the helpdesk. They did this purely based on the appearance of the traffic, and not on the content.

The conversation with the helpdesk guy was kinda amusing, though.

HDG: "Are you familiar with a program called Zone Alarm?"

Me: "Sure. Are you familiar with the SMC Barricade router?"