Slashdot Mirror


Spam Blacklist Targets Hijacked Telewest Customers

davidmcg writes "BBC.co.uk reports that UK cable firm Telewest has had almost one million email addresses blacklisted by an anti-spam firm. The Spam Prevention Early Warning System blacklisted the email addresses because a large number of the machines using them have been hijacked by spammers. Telewest have stated that they knew about the problem and have been working with customers to regain control of their machines."

18 of 337 comments

  1. Responsibility by NoGuffCheck · · Score: 3, Interesting

    Seems Telewest are actually attempting to rectify this situation, although you have to wonder how it is their responsibility.

    FTFA: One hijacked PC on the Telewest network was sending out more than 100,000 e-mail messages per day, he said.

    In cases like these, if the offending computer is cleaned within (insert time frame here), then perhaps some negative reinforcement should be considered. Fines, etc.?

    --
    serenity now!
  2. Almost a million addresses? by jim_v2000 · · Score: 2, Interesting

    "Telewest have stated that they knew about the problem and have been working with customers to regain control of their machines."

    Somehow I have a bit of trouble believing this. How hard would it be for a large company like Telewest to send its subscribers a CD with anti-virus/adware removal tools on it? Or an email with such software in it? Or even call users and tell them they have an issue?

    I don't think they've done jack crap myself. And anything they have done is some token gesture to salvage their image.

    --
    Don't take life so seriously. No one makes it out alive.
    1. Re:Almost a million addresses? by Seraphim1982 · · Score: 2, Interesting

      Somehow I have a bit of trouble believing this. How hard would it be for a large company like Telewest to send its subscribers a CD with anti-virus/adware removal tools on it? Or an email with such software in it? Or even call users and tell them they have an issue?

      Your first two suggestions would likely expose Telewest to possible litigation. I can imagine users blaming Telewest if the software they were sent managed to screw up their computer in a way that resulted in data loss.
      Your third suggestion is likely to take some time given that it is an issue with thousands of people.

  3. Re:Good luck calling around by trelanexiph · · Score: 3, Interesting

    Telewest is probably no worse than any other.
    For a medium-size ISP, 16,000 machines spewing crap is a huge issue.
    My humble, unimportant opinion is that the users themselves should be responsible for making sure their computers are safe.
    I run the AHBL and I am a firm believer in this. You are responsible for your car on the highway, you are responsible for the actions of your children if you have them, and you should be responsible for the damage your computer does to the public network. Currently in the open-proxy and comp-sys-ddos (obviously compromised machines) we have listed over 1.3 million machines. I honestly think that we can do better than to have 1.3 million machines which have been responsible for spewing crap since the inception of the AHBL 2 years ago.

  4. Telewest faced usenet death penalty 3yrs ago by throwaway18 · · Score: 4, Interesting

    About three years ago a usenet death penalty was issued against Telewest. Before it came into force they stopped all messages spreading out from their main newsserver and began scanning their customers for open newsservers and open proxies.

  5. Self help solution by wallior · · Score: 4, Interesting

    When my cable company had any issues with spam from any of their customers, they simply cut off their internet until the customer had their computer fixed. Seems easier than what this cable company is going through. User can either pay to have their computer cleaned and secured, or do it themselves. They then advise the Cable company to put them back on. Lot better for every other customer who is responsible enough to maintain their PCs.

  6. Re:Good luck calling around by BrokenHalo · · Score: 3, Interesting

    and any ISP may obviously be subject to blacklisting due to infected machines, Telewest is probably no worse than any other.

    Yes, if that is what it takes to get their attention. Many ISPs adopt an "it's not my fault" approach to users abusing their networks, and anybody who runs any kind of mail server without taking steps to secure it is guilty of abuse.

    Similarly, in this day and age, there is no excuse for users not to know that their machines have been zombied. The simple fact is that unless they are running reliable firewalls or anti-virus programs, they already will have been zombied. I know it is possible to secure a Windows box, but most OEM installations are left totally insecure, and a majority of people never change their computer settings once the machine is on or under their desk.

  7. Is blocking port 25 really useful? by tx_kanuck · · Score: 2, Interesting

    I only ask since I don't know. Isn't it possible to run an SMTP server on a different port than 25? It only has to send out from a zombie machine, not receive mail, so why not run it on say....port 2000? Or is it the fact that it has to send *to* port 25 that's getting blocked?

    --
    Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
  8. Re:easy fix for this crap by zerbot · · Score: 2, Interesting

    It is also necessary to block inbound packets with source port 25. Spammers often use split piping. Packets from the spammer to the victim are sent from a high-bandwidth connection, but with the originating IP set to the hijacked PC, so that the victim sends the acks and the small amount of SMTP conversation from the victim server to the hijacked PC (these packets have a source port of 25), thus disguising the spammer's fat pipe and allowing them to keep their more expensive and difficult-to-set-up bandwidth from getting disconnected all the time. If a hijacked PC gets fixed they just move on to another.

  9. Irresponsible to let infected machines stay online by D4C5CE · · Score: 4, Interesting
    "have been working with customers to regain control of their machines."
    Not knowing the particular details of what went on at that provider, but hardly anyone can claim to "have been working with customers" without even (probing and) shutting down their Internet connections in the first place as soon as they knew that
    • these customers' PCs were infected
    • they were (at least about to be) hijacked
    • the users were unaware or incapable of fixing the problem, i.e. it was demonstrably out of control for the systems' owners.
    With 3+ GHz CPUs, 512-1024 MB RAM, 300+ gigs of HDD and on a 3+ Mbit/s broadband connection, every ISP knows that off-the-shelf PCs can still appear to work under an amazing (crap)load today, and they have more potential to wreak havoc than entire major companies or universities a decade ago ... I have seen (completely unsuspecting) home users' machines infected with no less than 200 different (!) "manifestations" of malware on them at once, several times this year already - from the kind of guys who don't even grasp the concept of a rescue disk, to whom a computer can only be "broken", and who just go and buy a new machine, every year or so, when their previous one comes down to a crawl. Even worse, the "old" machine (full wormload included) is usually passed on (and networked again) to primary-school kids or elderly relatives who are even more clueless.

    None of them had ever received that call from their providers (which could even be automated to some extent):

    "This is Incredible Internet Services Inc. - We regret to notify you that your Internet connection had to be temporarily shut down for violation of our Acceptable Use Policy: (specified ...) You may have overlooked an infection of your PC or an access to your home network accidentally left open. To get you back online as soon as possible, a complimentary 30-day trial copy of Soandso Security Software is already in the mail to you. Once you have finished disinfecting and securing your systems, or if you need any additional help, please call customer support at ..."
  10. Pay and you are removed from the list by tmk · · Score: 1, Interesting

    I have found an interesting offer: pay 50 bucks and you are removed immediately from the spam list. Have a look here

    Interesting: The company won't say who they are. They say this was approved by local authorities, but this is bullshit. Local authorities cannot break federal law.

  11. My experiences with Telewest by Lurks · · Score: 2, Interesting
    I can't win. For ages I've run my own mail server for myself and two other flats in London that run off my 4MB Telewest cable modem. Unfortunately there's a number of these blacklist operators that have mapped out the IP space of the cable modems themselves and I find the odd email gets bounced.

    So a while ago I switched to using their own mail servers and now I'm getting even more blocked. Argh!

    Broadband providers will actually have to start taking responsibility for this sort of thing and disconnect zombie infected clients. Not just for the good of the Internet as a whole but so their OWN customers don't jump ship to a small DSL provider to avoid this irritating blacklist nonsense.

    Interestingly, a couple of years ago or so, they cut me off because they erroneously claimed that my mail server was relaying. It wasn't, it never was. They refused to take my calls and sort it out and I had no option but to cancel the service and write a letter of complaint to their management. I spent another six months on a DSL provider before running back, tail between legs. Maybe they've taken the view that enforcing these tests (which are necessary, I will admit, although they did seem inept at it) costs them customers like me - users of their highest and most expensive tier of service? But surely the biggest problem is zombies on family PCs via the basic service?

    Note: Other than that, Telewest/Blueyonder is by far and away the best broadband service I have used. Never any evidence of contention and it's many times more reliable than any DSL service (and I've tried six) with pretty much bugger all down time.

  12. Re:Hmph by zerbot · · Score: 2, Interesting

    Then make sure the freemail provider is set up to use the standard port for client submission of email, port 773, or better port 465 in order to use SSL.

  13. Re:easy fix for this crap by zerbot · · Score: 2, Interesting

    You don't need a second network connection. You just have the trojaned PC accept everything. If the connection gets dropped due to a retransmit not happening, big deal. They're paying for that fat pipe to have a good connection, and almost all the mail servers the spammer is trying to get to will also have good pipes, so most of the time there are no lost packets to deal with.

    You can use this as an antispam measure: just send a zero window or hold an ack for a test, and if the sender continues to blow data at you, instant spam sign. If you don't want to or can't muck with your TCP stack, you can pause in the SMTP conversation, but unfortunately some "legitimate" emailers are pipelining their SMTP conversations and not waiting for go-aheads. I don't have much sympathy if they get labeled spammers for not following RFCs.
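The "pause and see who keeps talking" test described above, as an added example that is not part of the original thread. The TCP-level variant (zero window, withheld ACK) needs stack-level control; the version shown is the application-level one: the receiving MTA delays its 220 banner, and any client that sends SMTP commands before the banner arrives is flagged and rejected. RFC 5321 clients must wait for the greeting, and ESMTP PIPELINING is only allowed after the server advertises it in the EHLO reply, so a pre-greeting talker is out of spec regardless of any pipelining support. The hostnames, the 0.5-second delay and both clients are constructed for the demonstration; the server and clients run over a loopback socket so it works offline.

```python
import select
import socket
import threading

# Delay before the 220 banner. Real deployments use several seconds so that a
# bot that blasts its whole session up front is reliably caught; 0.5 s keeps
# this demonstration fast. (Constructed value for the example.)
GREETING_DELAY = 0.5


def serve_one(listener, delay=GREETING_DELAY):
    """Accept one connection and apply the pre-greeting test.

    Returns (verdict, first_bytes). verdict is "early-talker" when the client
    sent anything before our banner, otherwise "waited".
    """
    conn, _ = listener.accept()
    try:
        # Say nothing for `delay` seconds and watch whether the peer speaks first.
        readable, _, _ = select.select([conn], [], [], delay)
        if readable:
            data = conn.recv(4096)
            # Out-of-spec client: reject without ever offering service.
            conn.sendall(b"554 5.5.1 Protocol error: command before greeting\r\n")
            return "early-talker", data
        conn.sendall(b"220 mx.example.invalid ESMTP\r\n")
        data = conn.recv(4096)          # normally EHLO/HELO
        conn.sendall(b"250 mx.example.invalid\r\n")
        return "waited", data
    finally:
        conn.close()


def compliant_client(port):
    """Well-behaved MTA: waits for the banner before sending EHLO."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        banner = s.recv(1024)
        if not banner.startswith(b"220"):
            return banner
        s.sendall(b"EHLO relay.example.invalid\r\n")
        return s.recv(1024)


def early_talker_client(port):
    """Spam-bot style client: fires the whole session without waiting."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(b"HELO x\r\nMAIL FROM:<a@b.invalid>\r\n"
                  b"RCPT TO:<c@d.invalid>\r\nDATA\r\n")
        return s.recv(1024)


def run_trial(client_fn):
    """Run one server/client exchange over loopback; return (verdict, reply)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port, no root needed
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def server():
        result["verdict"], result["first"] = serve_one(listener)

    t = threading.Thread(target=server)
    t.start()
    reply = client_fn(port)
    t.join(5)
    listener.close()
    return result["verdict"], reply


if __name__ == "__main__":
    for name, fn in (("compliant", compliant_client), ("bot", early_talker_client)):
        verdict, reply = run_trial(fn)
        print(f"{name:10s} verdict={verdict:13s} server reply={reply!r}")
```

The same check is what Postfix's postscreen "pregreet" test does in production; the caveat the commenter raises still applies, so a real deployment should log early talkers for a while before rejecting them, to see which legitimate senders in your traffic mix trip it.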

  14. Re:Irresponsible to let infected machines stay onl by dlZ · · Score: 5, Interesting

    I get quite a few machines from Road Runner customers that have received a notice and had their service turned off until the machine was fixed. One customer told them she fixed it (she didn't, was using all Macs) and had her service turned back on, just to be almost immediately turned off until she had proof from some sort of tech support it was fixed (it wasn't her machines... It was her open wireless router and her clueless neighbor who just connected to whatever popped up first.) I had to fax over a letter on my company's letterhead to have her service turned back on once her router was configured properly.

    Have never seen one from a Verizon customer locally, though (RR and Verizon are pretty much the only two providers you see used around here.)

    --
    rm -rf ./evidence @ punkcomp
  15. Re:So... whats out of the ordinary for this? by Tsu+Dho+Nimh · · Score: 3, Interesting
    "they don't allow outbound port 25 access from end-user machines, everyone has to go through their SMTP server; Comcast doesn't get blacklisted because machines on their network can't spam. "

    The current way of spamming is not to use Port 25 ... the spam-bots run the spam out through the ISP's mail server, JUST LIKE THE CUSTOMERS! A spam-bot sending 100-500 emails an hour, 24x7, doesn't sound like much until you figure out how many spam-bots Comcast has. I get spam from comcast ... enough spam that I whitelisted a couple of people and /dev/null the rest.

  16. Re:Amazing by Anonymous Coward · · Score: 1, Interesting

    I can second that. SPEWS is garbage run by zealots. It's basically vigilantism. "We will block a million sites to put pressure on one spammer" (whose machine was probably hijacked). "Then we will leave it active for years since we never bother to update our database." And because they are completely unknown they are also completely unaccountable. This group is a joke and this article lends them far more credibility than they deserve.

    Bottom line is, SPEWS does not block SPAM, it blocks whole huge ranges of IPs in a blackmailing attempt. If your goal is to block spam, SPEWS is useless. If you want to block legitimate mail, SPEWS is great.

    I have yet to encounter any respectable ISP that uses SPEWS as a method for blocking SPAM.

    SPAM is a scourge. SPEWS is a worse scourge.

    The internet does not need more anonymous vigilante groups. I'm sure since so few people use SPEWS to block they will no doubt resort to DDOSing next.

  17. Re:Irresponsible to let infected machines stay onl by Skapare · · Score: 2, Interesting

    It was still her responsibility. If she said she fixed it, and in fact she had not fixed the wireless router (her ignorance is probably why she didn't think it was the point of the problem), then she told an untruth (maybe not intentionally so). But Road Runner was in the right to immediately cut her back off and require more definitive proof. I'm glad you knew to check the router.

    Maybe Verizon is blocking outbound port 25 that goes to other than their own smarthost MTAs. That would stop a lot of zombie spam until the spammers shift their paradigm to having the zombies do smarthost relaying. They are already using the zombies to do mass and distributed signups of new users at Hotmail, Yahoo, etc, so they have ready accounts to do spamming from over there, too. That's hard for the free mail providers to detect as a spammer activity.

    --
    now we need to go OSS in diesel cars
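Comments 15 and 17 both describe bots that relay through the ISP's own smarthost "just like the customers", which port-25 egress filtering cannot stop. What the ISP can do is watch its smarthost's own logs for customer IPs submitting far more mail than a household ever would. The following is an added example, not code from the thread or from any ISP: a sliding-window rate check over Postfix-style smtpd "client=" log lines. The log lines, the hostnames, the 10.x addresses, the year used to complete the syslog timestamps and the 100-per-hour threshold (the commenter's own figure of 100-500 an hour per bot) are all constructed for the demonstration. It assumes lines arrive in chronological order, as they do in syslog.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd connection line, e.g.
#   Jan 12 03:14:07 smtp1 postfix/smtpd[2231]: 0001FA: client=host[10.1.2.3]
# One such line is logged per message a client submits.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
)


def parse_line(line, year=2005):
    """Return (timestamp, client_ip) for a smtpd client= line, else None.

    Syslog timestamps carry no year, so one is supplied (assumed here).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def flag_fast_senders(lines, limit=100, window=timedelta(hours=1)):
    """Return {client_ip: peak_count} for clients that submitted more than
    `limit` messages within any `window`-long span.

    Keeps one deque of recent submission times per client and drops entries
    older than the window as the log advances, so memory is bounded by the
    traffic inside one window rather than by the whole log.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def make_sample_log():
    """Constructed sample: one zombie submitting 150 messages in 30 minutes
    interleaved with one human sending 5 messages across the same hour."""
    base = datetime(2005, 1, 12, 3, 0, 0)
    events = [(base + timedelta(seconds=12 * i), "10.1.2.3", "cpe-zombie")
              for i in range(150)]
    events += [(base + timedelta(minutes=11 * i), "10.1.7.9", "cpe-human")
               for i in range(5)]
    events.sort()
    return [
        f"{ts.strftime('%b %d %H:%M:%S')} smtp1 postfix/smtpd[2231]: "
        f"{n:05X}A: client={host}.cable.example.invalid[{ip}]"
        for n, (ts, ip, host) in enumerate(events)
    ]


if __name__ == "__main__":
    for ip, peak in flag_fast_senders(make_sample_log()).items():
        print(f"{ip}: {peak} messages within one hour, exceeds limit")
```

A count per source address is deliberately the only signal used: it needs no content inspection and works whether the smarthost authenticates customers or relays by address range. In practice the threshold would be set from a few weeks of the ISP's own per-customer distribution, and a hit would feed the notify-and-suspend process the other comments argue for rather than a silent block.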