Spam Blacklist Targets Hijacked Telewest Customers
davidmcg writes "BBC.co.uk reports that UK cable firm Telewest has had almost one million email addresses blacklisted by an anti-spam firm. The Spam Prevention Early Warning System blacklisted the email addresses because a large number of the machines using them have been hijacked by spammers. Telewest have stated that they knew about the problem and have been working with customers to regain control of their machines."
Odd that the ISP never made an issue of their "efforts" to clean up their customer base before ending up in SPEWS. Some people say wholesale blacklisting is ineffective, some whine about false positives; I bet these guys really want to get out of the spotlight so they stop looking incompetent. Well done SPEWS, whoever you are. By the way, this article makes a serious mistake:
SPEWS does not exist (TINS (there is no SPEWS)). SPEWS therefore cannot make announcements of any sort whatsoever, though they do have the Lumber Cartel (TINLC) to speak for them.
Not the address I use here on Slashdot, but my regular email addy (which has been active for about 4 years) is virtually spam-free... at least I don't see much of it. My domain is registered through EasyDNS; with the "plus" package you can set up email aliases for your domain... everything is filtered through their spamhaus/sbl/dsbl/etc blacklists... then I use Thunderbird with junk mail filtering.
:(
On average I see one spam make it through my junk mail filter in Thunderbird. I've set it up for my mom/dad/brother & sisters as well. Now they laugh at the amount of spam their friends get compared to their own, which is comparable to mine.
I'm a techno-goof with hardly any understanding of networks and stuff... If I can do it this easily, anybody can.
I think maybe spam is overrated... with the right technology in place, it can be defeated. Although indiscriminate blacklisting by ORBS or whoever doesn't really help the situation.
BBC.co.uk reports that UK cable firm Telewest has had almost one million email addresses blacklisted by an anti-spam firm.
So... ISP allows spam zombies to run free on its network, anti-spam firm overreacts by putting entire network on blacklist.
Is this really out of the ordinary? Weren't they doing this to US ISPs like Comcast until they started disconnecting zombie PCs?
Is there anything really out of the ordinary here?
They're just listing IP ranges. A complete non-newsworthy item. Consumer machines on broadband/dialup should be going through their ISP's smarthosts anyway ... which seems to be standard practice these days, to the point that many ISPs block SMTP or redirect port 25 to their own smarthosts.
Nothing to see here, move along.
ISPs - block port 25 by default, and in account management allow users to unblock it. 99% of people will never use it, and those that do will account for such a small number you won't get many support calls for it. Shit loads less work than fixing 16000 machines.
If you mod me down, I will become more powerful than you can imagine....
I think this is a good example of how the democratization of the net has really screwed things up in some ways. The net was never intended to be so centralized (undecentralized?), with huge ISPs serving millions of customers. Of course there's going to be zombie networks. The net wasn't designed to have millions of individual users directly connected from essentially unsupervised subnetworks. Notice that you never hear about a company or university having a significant percentage of their machines taken over, especially not for a long time. Originally, the network was just large organizations connecting their managed networks to the backbones, usually from behind firewalls. But an ISP doesn't watch its clients' computers the way a sysadmin would (nor should they) and thus we have the present, sorry, situation of millions of Microsoft moms unwittingly playing host to a global crime wave.
It's a good thing we have such secure consumer operating systems, or this could turn into a real problem!
No need to call the 16,000.
I expect the vast majority of Telewest's customers are set up as per Telewest's instructions as far as email goes, i.e. they use Telewest's SMTP servers. If that is the case, their email is not blocked. It is only those who run an email server that will have a problem.
Not really a problem either; just make Postfix (or whatever MTA you're using) send mail via Telewest's SMTP server itself (relayhost directive). Those who run an email server will notice soon enough and take appropriate action. If they can't work it out then they probably shouldn't be running a server anyway.
SPEWS is not an "anti-spam firm". Check their website at http://spews.org/ for more explanation. And anyone too concerned about false positives should do their due diligence when picking the DNSBLs they use and notice that SPEWS blocks fairly large netblocks. And there probably will be a lot of legitimate mail sent from bad neighborhoods. SPEWS is a very good tool for blocking spam and educating ignorant ISPs, but it's not suited for everyone.
It wouldn't be all that hard to clean this network up. Just block port 25 and allow specific requests through. Notify email providers/server operators about the decision a few days in advance so they can get placed on the list and then put it to work. It would definitely be cheaper than someone calling 1600 people or having to verify they meet with your requirements. Just shoot them an email and say their service will be disconnected if the problem isn't fixed or justified. Those that are infected will be stopped while those that are affected would have an out. If someone requesting an exception is actually sending spam, it shouldn't be that hard to determine after that and remove them from service completely. After the situation calms down, open the ports back up.
In fact, I think it is sort of careless for ISPs to not at least monitor their common ports for malicious activity. The added traffic from infections could be increasing bandwidth requirements as well as costing the ISPs more money in added equipment. It just seems logical to try and keep costs down. What's the chance that 1600 existing users are going to set up a mail server in about a month from each other and then flood the network with traffic that would appear to be coming from thousands of users? This should be spotted easily without some third party needing to get involved. My networks scan email and attachments coming and going at the server level and all it took was a couple of extra seconds to set up. Also snort lets me know of any weird traffic pattern changes and I can check the difference in logs from several months ago if necessary. It only takes a couple of minutes a day. For this effort you get less people calling and complaining too.
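The kind of check the comment above describes, as an added example that is not from any post here or from any ISP's tooling: a home PC that uses its ISP's smarthost talks to one mail server, while a hijacked PC spewing spam opens SMTP sessions directly to many distinct mail servers, and an exception list covers customers who registered their own mail server. The flow-record format, the smarthost address and the sample flows are all constructed for this example.

```python
"""Spot likely spam zombies from outbound port-25 fan-out (constructed example).

Flow-record format assumed here: "<epoch> <src> <dst> <dport> <packets>".
"""
from collections import defaultdict

ISP_SMARTHOST = "203.0.113.25"          # constructed: the ISP's own outbound relay
REGISTERED_MAIL_SERVERS = {"10.1.2.6"}  # constructed: customers granted a port-25 exception

# Constructed sample: .3 fans out to four MXes (zombie), .4 only uses the smarthost,
# .5 is plain web traffic, .6 fans out too but is a registered mail server.
SAMPLE_FLOWS = """\
1100000000 10.1.2.3 203.0.113.5 25 12
1100000001 10.1.2.3 198.51.100.7 25 11
1100000002 10.1.2.3 192.0.2.9 25 9
1100000003 10.1.2.3 192.0.2.10 25 10
1100000004 10.1.2.4 203.0.113.25 25 40
1100000005 10.1.2.5 203.0.113.80 80 300
1100000006 10.1.2.6 192.0.2.20 25 5
1100000007 10.1.2.6 192.0.2.21 25 5
1100000008 10.1.2.6 192.0.2.22 25 5
1100000009 10.1.2.6 192.0.2.23 25 5
"""


def smtp_fanout(flow_text):
    """Map each source IP to the distinct port-25 destinations it contacted,
    ignoring sessions to the ISP's own smarthost (that is expected behaviour)."""
    fanout = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, _pkts = line.split()
        if dport != "25" or dst == ISP_SMARTHOST:
            continue
        fanout[src].add(dst)
    return fanout


def flag_zombies(flow_text, max_distinct_dsts=3, allowlist=REGISTERED_MAIL_SERVERS):
    """Return sources that talk directly to more than max_distinct_dsts mail
    servers and are not on the exception list of customer-run mail servers."""
    return sorted(src for src, dsts in smtp_fanout(flow_text).items()
                  if len(dsts) > max_distinct_dsts and src not in allowlist)


if __name__ == "__main__":
    for src in flag_zombies(SAMPLE_FLOWS):
        print(f"suspect zombie: {src} -> direct SMTP to "
              f"{len(smtp_fanout(SAMPLE_FLOWS)[src])} mail servers")
```

The threshold and the choice of what to ignore are the tunable parts; a real deployment would compute the fan-out per host over a time window rather than over a whole file.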
...but you can stand and fight.
Wait until one of those PEOPLE gets a virus or trojan on their PC and your address is harvested. Or they forward you - and 600 other people - a joke. Or god forbid they post it on their website as part of their friends list, or what have you.
Try having an email address like bob@some.tld. Try hosting a domain and forwarding root@, webmaster@, postmaster@, abuse@, et cetera to your account. Spammers have lists of simple and obvious usernames that they send to every domain they can think of hoping for hits.
I want the public at large to be able to contact me in some instances, so I publish my email addresses unobfuscated. I have 'bob@some.tld'-style email addresses. I forward root@ (and et cetera) to my other accounts for my domains. I couldn't hide even if I wanted to hide.
If you run your own email servers, take a look at this advice. Since the time I took the advice (a couple months ago) I have received *one* spam and that was appropriately tagged as spam and filtered into my spam folder. As far as I can tell there haven't been any false positives.
(I realize the irony in my use of a gmail address for my slashdot account, but that's not about spam. That's about a whole different issue: anonymity.)
Well, if banging your head against a wall doesn't work, how about shutting down internet access for affected machines. The machine owners would get the hint rather quickly. Secondly, make a liquidated damages clause in the user agreement. Something like, "if your machine is hijacked and you are found to have sent in excess of 25,000 email messages, you owe us $250 -- oh and BTW, here are some tools to use to prevent becoming infected."
What changed under Obama? Nothing Good
Erm... Not as easy as you would have us believe. Firstly, the software has to be sourced, secondly, the licences have to be checked (they could get into trouble, for example, if they gave a CD containing 'free for home use' software to a business), the CD has to be produced and then it has to be distributed to the customers. If the total cost of this broke down to less than GBP1.50 per CD for 16,000 copies, I'd be very surprised.
Of course, the other issue with this is how do you make sure the end user doesn't throw the CD straight in the bin, but follows the instructions?
Nooooooooo. People are just starting to get the hang of not running attachments which arrive out of the blue and look genuine. Want to undo all that good work?
Given that this situation has occurred in the first place, it is clear that Telewest don't have a monitoring policy. a) This would have to be put in place, including expenditure on hardware and labour, and b) a team would have to be set up to make the calls. Given that the end user is likely to ask "What should I do", the person making the call has to have at least an idea of what a computer is, and man-hours aren't cheap.
All three of your proposed solutions would also require Telewest to provide some sort of helpdesk to provide support to their customers, either by providing help with installing/running the software sent, or on cleaning their machine.
In the UK, the margin on broadband products for volume providers such as Telewest is very low - it's a numbers game. Any action (such as sending CDs, making calls etc.) has an impact directly on their bottom line. They will have done some sort of cost:benefit analysis on tackling this problem and, although I don't know the results, riddle me this: What benefit to the bottom line is there in their reducing the number of infected machines?
Here's what'll happen: Telewest will scream loudly and make sure that their smarthost is removed from the blocklist. Like other ISPs, they won't care if the IPs allocated to their customers are blocked - in fact, it saves them having to do all the work outlined above! After a week or so, everything will settle down and the whole situation will be forgotten. The bean counters will sit back and pat themselves on the back for not unnecessarily spending money on prevention.
So, in summary, nice ideas, but not realistic - this is business and all business cares about is the bottom line.
A clause like that would probably be a "penalty" and therefore unenforceable under English law. In English law you can only recover for your actual loss; a pre-agreed amount is only enforceable if it represents a genuine pre-estimate of the loss. I suspect it would be very difficult, as a legal matter, to show a significant loss.
There may also be a problem with enforceability to the extent you are penalising someone for the actions of a third party; okay the user would have been okay had they kept all their software up-to-date, but is it reasonable to expect the average user to know this?
Why would you pay $50 to be removed from a spam list that is probably used by only a few people? The only power a spam list has is in how many people use it to filter mail with.
No can do. High percentage of hijacked machines are in a state that no security software can rescue them from.
Reinstalling Windows is the only thing that helps. After that the security software is a good thing.
However, having seen dozens and dozens of computers where the user was clueful enough to buy security software, only to find out the system was already in a state where no security software will even install, I'm quite confident that most of these 0wned setups are already way beyond what F-Secure, Norton or the likes can do while installing.
And sadly reinstalling Windows can usually just get them owned again (recovery disks having no service packs, so the thing will get its first Sasser derivative into the system 30 seconds after the recovery install is done).
What computer manufacturers would really need to do is to ship everyone a free replacement recovery disc to get the system up with all patches. Funded by MS because it's their holey software. However, this would actually cost money, so instead people are left on their own.
Yes. Just because the users ARE stupid, doesn't mean they should be allowed to BE stupid.
Try walking around town with a ghetto blaster playing some obscene music and see how quickly the police/someone from the public try to shut you up.
I am a viral sig. Please copy me and help me spread. Thank you.
I don't know about difficulty of showing a loss - Lost customers, admin and helpdesk time due to spam listings adds up in a hurry. That SPEWS listing probably won't go away soon - the amount of time to get delisted tends to reflect the severity of the problem, and if they blocked that large a range they feel it's a severe problem indeed.
Why?
The real reason - they're just as lazy fucks/ignorant n00bs as their customers.
They keep singing the same old song, but it's their customers that are causing the problem. Police them. Fixed IP. You're a zombie - you're gone. Let them sing "The Monster Mash" for all I care.
And the politicians/dickheads won't do anything because they are allowed to spam you (nice going guys - pass laws against spam, but include an exemption for yourself). Make politicians have a fixed IP (dr00l).
The best part about fixed IPs - if we bookmark them instead of doing a DNS lookup, we wouldn't have to worry about DNS outages. Or stupid domain name wars. We do it with 10-digit phone numbers and 4-digit extensions - wtf can't we do it with an 8-to-12 digit number on the net? Because the average user is STOOPID!
SPEWS did the right thing. Telewest fucked up.
Now if SPEWS would BLACKHOLE AOL, I'd notice a lot fewer probes. And while they're at it, maybe, as a public service, blackhole any site containing crapfloods from Maureen O'Gara.
So how is that a problem with SPEWS? Looks like the Chinese ISPs don't really care about the spam problem.
In Soviet Russia, I ruled you
We had many cases where we were unable to deliver our mails because some moron admin in a big international company with worldwide suppliers and customers was using SPEWS for rejecting mails.
As it happens, quite a bit of the spam I've seen lately has been from Chinese manufacturers trolling for customers. If your netblock was listed by SPEWS, I'm inclined to believe you had it coming.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."