Slashdot Mirror
Spam Blacklist Targets Hijacked Telewest Customers
davidmcg writes "BBC.co.uk reports that UK cable firm Telewest has had almost one million email address blacklisted by an anti-spam firm. The Spam Prevention Early Warning System blacklisted the email addresses because a large number of the machines using them have been hijacked by spammers. Telewest have stated that they knew about the problem and have been working with customers to regain control of their machines."
odd that the ISP never made an issue of their "Efforts" to clean up their customerbase before ending up in SPEWS. Some people say wholesale blacklisting is ineffective, some whine about false positives, I bet these guys really want to get out of the spotlight so they stop looking incompetant. Well done spews, whoever you are. By the way this article makes a serious mistake:
SPEWS does not exist (TINS (there is no SPEWS)). SPEWS therefore cannot make announcements of any sort whatsoever, though they do have the Lumber Cartel (TINLC) to speak for them.
BBC.co.uk reports that UK cable firm Telewest has had almost one million email address blacklisted by an anti-spam firm.
So... ISP allows spam zombies to run free on its network, anti-spam firm overreacts by putting entire network on blacklist.
Is this really out of the ordinary? Weren't they doing this to US ISPs like Comcast until they started disconnecting zombie PCs?
Is there anything really out of the ordinary here?
They're just listing IP ranges. A complete non-newsworthy item. Consumer machines on broadband/dialup should be going through their ISPs smarthosts anyway ... which seems to be standard practice these days, to the point many isps block smtp or redirect port 25 to their own smarthosts.
Nothing to see here, move along.
isp's - block port 25 by default, and in account management allow users to unblock it. 99% of people will neveruse it, and those that do will account for such a small number you won't get many support calls for it. shit loads less work then fixing 16000 machines.
If you mod me down, I will become more powerful than you can imagine....
I think this is a good example of how the democratization of the net has really screwed things up in some ways. The net was never intended to be so centralized (undecentralized?), with huge ISPs serving millions of customers. Of course there's going to be zombie networks. The net wasn't designed to have millions of individual users directly connected from essentially unsupervised subnetworks. Notice that you never hear about a company or university having a significant percentage of their machines taken over, especially not for a long time. Originally, the network was just large organizations connecting their managed networks to the backbones, usually from behind firewalls. But an ISP doesn't watch it's clients computers the way a sysadmin would (nor should they) and thus we have the present, sorry, situation of millions of Microsoft moms unwittingly playing host to a global crime wave.
It's a good thing we have such secure consumer operating systems, or this could turn into a real problem!
No need to call the 16,000.
I expect the vast majority of telewest's customers are set up as per telewest's instructions as far as email goes i.e. they use telewest's smtp servers. If that is the case, their email is not blocked. It is only those who run an email server that will have a problem.
Not really a problem either, just make postfix (or whatever mta you're using) send mail via telewest's smtp server itself (relayhost directive). Those who run an email server will notice soon enough and take appropriate action. If they can't work it out then they probably shouldn't be running a server anyway.
SPEWS is not a "anti-spam firm". Check their website at http://spews.org/ for more explanation. And anyone too conserned about false positives should do their due dilligence when picking the DNSBLs they use and notice that SPEWS blocks fairly large netblocks. And there probably will be a lot of legitimate mail sent from bad neighborhoods. SPEWS is a very good tool for blocking spam and educating ignorant ISPs, but it's not suited for everyone.
It would'nt be all that hard to clean this network up. Just block port 25 and allow specific requests thru. Notify email providers/server operaters about the decision a few days in advanced so they can get placed on the list and then put it to work. It would definatly be cheaper then someoen calling 1600 people or having to vewrify they meet with your requirments. Just shoot them an email and say thier service will be diconected if the problem isn't fixed or justified. Those that are infected will be stoped while those that are effected would have an out. If someone requesting an exception is actualy sending spam, it shouldn't be that hard t determin after that and remove them from service completlety. After the situation calms down, open the ports back up.
In fact, i think it is sort of careless for ISPs to not at least monitor thier common ports for malicious activity. The added trafic from infections could be increasing bandwidth requirments as well as costing the ISPs more money in added equiptment. It just seems logical to try and keep costs down. Whats the chance that 1600 existing users are going to set up a mail server in about a month from each other and then flood the network with trafic that would appear to be comming from thousands of users? This should be spoted easily without some third party needing to get involved. My networks scan email and attachments comming and going at the server level and all it took was a couple of extra seconds to set up. Also snort lets me know of any wierd trafic pattern changes and i can check the difference in logs from several months ago if neccesary. It only take a couple of minutes a day. For this effort you get less people calling and complaining too.
...but you can stand and fight.
Wait until one of those PEOPLE gets a virus or trojan on their PC and your address is harvested. Or they forward you - and 600 other people - a joke. Or god forbid they post it on their website as part of their friends list, or what have you.
Try having an email address like bob@some.tld. Try hosting a domain and forwarding root@, webmaster@, postermaster@, abuse@, et cetera to your account. Spammers have lists of simple and obvious usernames that they send to every domain they can think of hoping for hits.
I want the public at large to be able to contact me in some instances, so I publish my email addresses unobfuscated. I have 'bob@some.tld'-style email addresses. I forward root@ (and et cetera) to my other accounts for my domains. I couldn't hide even if I wanted to hide.
If you run your own email servers, take a look at this advice. Since the time I took the advice (a couple months ago) I have received *one* spam and that was appropriately tagged as spam and filtered into my spam folder. As far as I can tell there haven't been any false positives.
(I realize the irony in my use of a gmail address for my slashdot account, but that's not about spam. That's about a whole different issue: anonymity.)
Well, if banging your head against a wall doesn't work, how about shutting down internet access for affected machines. The machine owners would get the hint rather quickly. Secondly, make a liquidated damages clause in the user agreement. Something like, "if your machine is hijacked and you are found to have sent in excess of 25,000 email messages, you owe us $250 -- oh and BTW, here some tools to use to prevent becoming infected."
What changed under Obama? Nothing Good
No can do. High percentage of hijacked machines are in a state that no security software can rescue them from.
Reinstall windows is the only thing that helps. After that the security software is a good thing.
However, having seen dozens and dozens of computers where the user was clueful enough to buy a security software, only to find out the system was already in a state where no security software will even install, I'm quite confident that most of these 0wned setups are already way beyond what F-Secure, Norton or the likes can do while installing.
And sadly reinstall windows can usually just get them owned again (recovery disks having no service packs, so the thing will get first Sasser-derivate into the system 30 seconds after the recovery install is done)
What computer manufacturers would really need to do is to ship everyone a free replacement recovery disc to get the system up with all patches. Funded by MS because it's their holey software. However, this would actually cost money, so instead people are left on their own.
The real reason - they're just as lazy fucks/ignorant n00bs as their customers.
They keep singing the same old song, but its their customers that are causing the problem. Police them. Fixed IP. You're a zombie - you're gone. Let them sing "The Monster Mash" for all I care.
And the politicians/dickheads won't do anything because they are allowed to spam you (nice going guys - pass laws against spam, but include an exemption for yourself). Make politicians have a fixed IP (dr00l).
The best part about fixed IPs - if we bookmark them instead of doing a dns lookup, we couldn't have to worry about dns outages. Or stupid domain name wars. We do it with 10-digit phone numbers and 4-digit extensions - wtf can't we do it with a n 8-to-12 digit number on the net? Because the average user is STOOPID!
SPEWS did the right thing. Telewest fucked up.
Now if SPEWS would BLACKHOLE AOL, I'd notice a lot fewer probes. And while they're at it, maybe, as a public service, blackhole any site containing crapfloods from Maureen O'Gara.