Slashdot Mirror


Spam Blacklist Targets Hijacked Telewest Customers

davidmcg writes "BBC.co.uk reports that UK cable firm Telewest has had almost one million email addresses blacklisted by an anti-spam firm. The Spam Prevention Early Warning System blacklisted the email addresses because a large number of the machines using them have been hijacked by spammers. Telewest have stated that they knew about the problem and have been working with customers to regain control of their machines."

54 of 337 comments

  1. Glad it's not my job... by Anonymous Coward · · Score: 3, Funny

    "Telewest blamed recent virus outbreaks for the sudden rise in the number of hijacked home PCs. "We are currently contacting affected customers to help them clean their PCs which, as you can imagine, is a time-consuming task," it said."

    I sympathise with them, I've tried banging my head against the wall before and it's not fun!

    1. Re:Glad it's not my job... by anagama · · Score: 3, Insightful

      Well, if banging your head against a wall doesn't work, how about shutting down internet access for affected machines. The machine owners would get the hint rather quickly. Secondly, make a liquidated damages clause in the user agreement. Something like, "if your machine is hijacked and you are found to have sent in excess of 25,000 email messages, you owe us $250 -- oh and BTW, here are some tools to use to prevent becoming infected."

      --
      What changed under Obama? Nothing Good
    2. Re:Glad it's not my job... by BobTheLawyer · · Score: 2, Insightful

      A clause like that would probably be a "penalty" and therefore unenforceable under English law. In English law you can only recover for your actual loss; a pre-agreed amount is only enforceable if it represents a genuine pre-estimate of the loss. I suspect it would be very difficult, as a legal matter, to show a significant loss.

      There may also be a problem with enforceability to the extent you are penalising someone for the actions of a third party; okay the user would have been okay had they kept all their software up-to-date, but is it reasonable to expect the average user to know this?

    3. Re:Glad it's not my job... by Dogers · · Score: 2, Insightful
      is it reasonable to expect the average user to know this?

      Yes. Just because the users ARE stupid, doesn't mean they should be allowed to BE stupid.

      Try walking around town with a ghetto blaster playing some obscene music and see how quickly the police/someone from the public try to shut you up.
      --
      I am a viral sig. Please copy me and help me spread. Thank you.
    4. Re:Glad it's not my job... by Rasta+Prefect · · Score: 2, Insightful
      In English law you can only recover for your actual loss; a pre-agreed amount is only enforceable if it represents a genuine pre-estimate of the loss. I suspect it would be very difficult, as a legal matter, to show a significant loss.

      I don't know about difficulty of showing a loss - Lost customers, admin and helpdesk time due to spam listings adds up in a hurry. That SPEWS listing probably won't go away soon - the amount of time to get delisted tends to reflect the severity of the problem, and if they blocked that large a range they feel it's a severe problem indeed.

      --
      Why?
    5. Re:Glad it's not my job... by tomhudson · · Score: 3, Insightful
      So why the fuck don't they just give everyone a fixed IP? They CAN do this, on both cable and adsl networks (we've been offered a fixed IP on adsl free at the office, years after they said it wasn't possible "for technical reasons").

      The real reason - they're just as lazy fucks/ignorant n00bs as their customers.

      They keep singing the same old song, but it's their customers that are causing the problem. Police them. Fixed IP. You're a zombie - you're gone. Let them sing "The Monster Mash" for all I care.

      And the politicians/dickheads won't do anything because they are allowed to spam you (nice going guys - pass laws against spam, but include an exemption for yourself). Make politicians have a fixed IP (dr00l).

      The best part about fixed IPs - if we bookmark them instead of doing a dns lookup, we wouldn't have to worry about dns outages. Or stupid domain name wars. We do it with 10-digit phone numbers and 4-digit extensions - wtf can't we do it with an 8-to-12 digit number on the net? Because the average user is STOOPID!

      SPEWS did the right thing. Telewest fucked up.

      Now if SPEWS would BLACKHOLE AOL, I'd notice a lot fewer probes. And while they're at it, maybe, as a public service, blackhole any site containing crapfloods from Maureen O'Gara.

  2. SPEWS by trelanexiph · · Score: 4, Insightful

    Odd that the ISP never made an issue of their "Efforts" to clean up their customer base before ending up in SPEWS. Some people say wholesale blacklisting is ineffective, some whine about false positives, I bet these guys really want to get out of the spotlight so they stop looking incompetent. Well done spews, whoever you are. By the way this article makes a serious mistake:
    SPEWS does not exist (TINS (there is no SPEWS)). SPEWS therefore cannot make announcements of any sort whatsoever, though they do have the Lumber Cartel (TINLC) to speak for them.

  3. Good luck calling around by xiando · · Score: 2, Funny

    Spam is a huge problem and any ISP may obviously be subject to blacklisting due to infected machines, Telewest is probably no worse than any other. What I find interesting, though, is that the article states they think 16,000 machines are infected. And the slashdot article claims "have been working with customers to regain control of their machines.". Good luck, I am glad it's not me whose job it is to call all those 16,000 users... (my humble, unimportant opinion is that the users themselves should be responsible for making sure their computers are safe, but .. I'm not important)

    1. Re:Good luck calling around by trelanexiph · · Score: 3, Interesting

      Telewest is probably no worse than any other.
      For a medium-size ISP 16,000 machines spewing crap is a huge issue.
      my humble, unimportant opinion is that the users themselves should be responsible for making sure their computers are safe
      I run the AHBL and I am a firm believer in this. You are responsible for your car on the highway, you are responsible for the actions of your children if you have them, and you should be responsible for the damage your computer does to the public network. Currently in the open-proxy and comp-sys-ddos (obviously compromised machines) we have listed over 1.3 million machines. I honestly think that we can do better than to have 1.3 million machines which have been responsible for spewing crap since the inception of the AHBL 2 years ago.

    2. Re:Good luck calling around by dspacemonkey · · Score: 3, Insightful

      No need to call the 16,000.

      I expect the vast majority of telewest's customers are set up as per telewest's instructions as far as email goes i.e. they use telewest's smtp servers. If that is the case, their email is not blocked. It is only those who run an email server that will have a problem.

      Not really a problem either, just make postfix (or whatever mta you're using) send mail via telewest's smtp server itself (relayhost directive). Those who run an email server will notice soon enough and take appropriate action. If they can't work it out then they probably shouldn't be running a server anyway.

    3. Re:Good luck calling around by BrokenHalo · · Score: 3, Interesting
      and any ISP may obviously be subject to blacklisting due to infected machines, Telewest is probably no worse than any other.

      Yes, if that is what it takes to get their attention. Many ISPs adopt an "it's not my fault" approach to users abusing their networks, and anybody who runs any kind of mail server without taking steps to secure it is guilty of abuse.

      Similarly, in this day and age, there is no excuse for users not to know that their machines have been zombied. The simple fact is that unless they are running reliable firewalls or anti-virus programs, they already will have been zombied. I know it is possible to secure a Windows box, but most OEM installations are left totally insecure, and a majority of people never change their computer settings once the machine is on or under their desk.

    4. Re:Good luck calling around by sumdumass · · Score: 3, Insightful

      It wouldn't be all that hard to clean this network up. Just block port 25 and allow specific requests through. Notify email providers/server operators about the decision a few days in advance so they can get placed on the list and then put it to work. It would definitely be cheaper than someone calling 1600 people or having to verify they meet with your requirements. Just shoot them an email and say their service will be disconnected if the problem isn't fixed or justified. Those that are infected will be stopped while those that are affected would have an out. If someone requesting an exception is actually sending spam, it shouldn't be that hard to determine after that and remove them from service completely. After the situation calms down, open the ports back up.

      In fact, I think it is sort of careless for ISPs to not at least monitor their common ports for malicious activity. The added traffic from infections could be increasing bandwidth requirements as well as costing the ISPs more money in added equipment. It just seems logical to try and keep costs down. What's the chance that 1600 existing users are going to set up a mail server in about a month from each other and then flood the network with traffic that would appear to be coming from thousands of users? This should be spotted easily without some third party needing to get involved. My networks scan email and attachments coming and going at the server level and all it took was a couple of extra seconds to set up. Also snort lets me know of any weird traffic pattern changes and I can check the difference in logs from several months ago if necessary. It only takes a couple of minutes a day. For this effort you get less people calling and complaining too.

  4. Spam prevention good for me. by Adult+film+producer · · Score: 2, Insightful

    Not the address I use here on slashdot but my regular email addy (which has been active for about 4 years) is virtually spam-free.. at least I don't see much of it. My domain is registered through EasyDNS, with the "plus" package you can setup email aliases for your domain.. everything is filtered through their spamhaus/sbl/dsbl/etc blacklists.. then I use thunderbird with junk mail filtering.

    On average I see one spam make it through my junk mail filter in thunderbird. I've set it up for my mom/dad/brother & sisters as well. Now they laugh at the amount of spam their friends get compared to their own, which is comparable to mine.

    I'm a techno-goof with hardly any understanding of networks and stuff.. If i can do it this easily, anybody can.

    I think maybe spam is overrated.. with the right technology in place, it can be defeated. Although indiscriminate blacklisting by Orbs or whoever doesn't really help the situation :(

    1. Re:Spam prevention good for me. by ciscoguy01 · · Score: 4, Informative

      I think maybe spam is overrated.. with the right technology in place, it can be defeated. Although indiscriminate blacklisting by Orbs or whoever doesn't really help the situation :(

      Overrated? You have lots of people working on solving the spam problem for you. LOTS of effort goes into maintaining those blacklists your provider uses to provide an acceptable spam level for you, and you find it meets your needs.

      The only reason you think it might be overrated is that you are not realizing what an effort is being put forth for you.

      --
      .
    2. Re:Spam prevention good for me. by pyrrhonist · · Score: 3, Funny
      my HTML really is blowing hard tonight.

      Just sit back and enjoy it, you fool!

      --
      Show me on the doll where his noodly appendage touched you.
    3. Re:Spam prevention good for me. by Anonymous Coward · · Score: 2, Insightful

      And, no doubt, not realizing how much of the fee he pays to his ISP probably goes to: a) bandwidth taken up by spam, b) hardware and software to filter spam, and c) personnel to maintain the anti-spam systems.

      One way or the other, you are paying for the spammer's delivery, even if you have managed to filter it out to the point its personal impact is minimal. We all pay for the spammer's stupid get-rich-quick schemes. Spam is still an evil scourge, even if we don't see it thanks to the efforts of many.

    4. Re:Spam prevention good for me. by conteXXt · · Score: 2, Informative

      actually what he has done is a better deal.

      easydns (not his isp) is doing the mail filtering and relaying for him.

      so he pays for bandwidth, and pays for dns hosting + mail goodies.

      Bandwidth is only used for what gets by the filter.

      If you are hosting a domain for yourself this is a good way to keep the bandwidth costs down.

      --
      The truth about Led Zep should never be told on /. (Karma suicide ensues)
  5. So... what's out of the ordinary for this? by Tezkah · · Score: 3, Insightful

    BBC.co.uk reports that UK cable firm Telewest has had almost one million email addresses blacklisted by an anti-spam firm.

    So... ISP allows spam zombies to run free on its network, anti-spam firm overreacts by putting entire network on blacklist.

    Is this really out of the ordinary? Weren't they doing this to US ISPs like Comcast until they started disconnecting zombie PCs?

    Is there anything really out of the ordinary here?

    1. Re:So... what's out of the ordinary for this? by Tsu+Dho+Nimh · · Score: 3, Interesting
      "they don't allow outbound port 25 access from end-user machines, everyone has to go through their SMTP server; Comcast doesn't get blacklisted because machines on their network can't spam. "

      The current way of spamming is not to use Port 25 ... the spam-bots run the spam out through the ISP's mail server, JUST LIKE THE CUSTOMERS! A spam-bot sending 100-500 emails an hour, 24x7, doesn't sound like much until you figure out how many spam-bots Comcast has. I get spam from comcast ... enough spam that I whitelisted a couple of people and /dev/null the rest.

  6. Hmph by oPless · · Score: 4, Insightful

    They're just listing IP ranges. A complete non-newsworthy item. Consumer machines on broadband/dialup should be going through their ISP's smarthosts anyway ... which seems to be standard practice these days, to the point many isps block smtp or redirect port 25 to their own smarthosts.

    Nothing to see here, move along.

    1. Re:Hmph by aug24 · · Score: 4, Informative
      many isps block smtp or redirect port 25 to their own smarthosts

      This is true... my UK ISP, Nildram, simply blocks port 25 outbound for all machines unless certain conditions are met. Very few home users will have any need for this as they will use Nildram's mail server outbound, so only compromised machines which already run smtp services (and have previously passed the open proxy test) can become an issue - a tiny proportion.

      With simple solutions like these, this should be a non-newsworthy item. However, with useless bastards like TeleWest not bothering to do this and permitting unfettered port 25 outbound, it is newsworthy, if only for name-and-shame reasons. Assuming you live in the UK and give a shit, of course ;-)

      J.

      --
      You're only jealous cos the little penguins are talking to me.
    2. Re:Hmph by zerbot · · Score: 2, Interesting

      Then make sure the freemail provider is set up to use the standard port for client submission of email, port 773, or better port 465 in order to use SSL.

  7. Responsibility by NoGuffCheck · · Score: 3, Interesting

    Seems Telewest are actually attempting to rectify this situation, although you have to wonder how it is their responsibility.

    FTFA: One hijacked PC on the Telewest network was sending out more than 100,000 e-mail messages per day, he said.

    In cases like these if the offending computer is cleaned within (insert time frame here) then perhaps some negative reinforcement should be considered. fines etc???

    --
    serenity now!
  8. Almost a million addresses? by jim_v2000 · · Score: 2, Interesting

    "Telewest have stated that they knew about the problem and have been working with customers to regain control of their machines."

    Somehow I have a bit of trouble believing this. How hard would it be for a large company like Telewest to send its subscribers a CD with anti-virus/adware removal tools on it? Or an email with such software in it? Or even call users and tell them they have an issue?

    I don't think they've done jack crap myself. And anything they have done is some token gesture to salvage their image.

    --
    Don't take life so seriously. No one makes it out alive.
    1. Re:Almost a million addresses? by Seraphim1982 · · Score: 2, Interesting

      Somehow I have a bit of trouble believing this. How hard would it be for a large company like Telewest to send its subscribers a CD with anti-virus/adware removal tools on it? Or an email with such software in it? Or even call users and tell them they have an issue?

      Your first two suggestions would likely expose Telewest to possible litigation. I can imagine users blaming Telewest if the software they were sent managed to screw up their computer in a way that resulted in data loss.
      Your third suggestion is likely to take some time given that it is an issue with thousands of people.

    2. Re:Almost a million addresses? by quarkoid · · Score: 2, Insightful
      Somehow I have a bit of trouble believing this. How hard would it be for a large company like Telewest to send its subscribers a CD with anti-virus/adware removal tools on it?

      Erm... Not as easy as you would have us believe. Firstly, the software has to be sourced, secondly, the licences have to be checked (they could get into trouble, for example, if they gave a CD containing 'free for home use' software to a business), the CD has to be produced and then it has to be distributed to the customers. If the total cost of this broke down to less than GBP1.50 per CD for 16,000 copies, I'd be very surprised.
      Of course, the other issue with this is how do you make sure the end user doesn't throw the CD straight in the bin, but follows the instructions?

      Or an email with such software in it?

      Nooooooooo. People are just starting to get the hang of not running attachments which arrive out of the blue and look genuine. Want to undo all that good work?

      Or even call users and tell them they have an issue?

      Given that this situation has occurred in the first place, it is clear that Telewest don't have a monitoring policy. a) This would have to be put in place, including expenditure on hardware and labour, and b) a team would have to be set up to make the calls. Given that the end user is likely to ask "What should I do", the person making the call has to have at least an idea of what a computer is, and man-hours aren't cheap.

      All three of your proposed solutions would also require Telewest to provide some sort of helpdesk to provide support to their customers, either by providing help with installing/running the software sent, or on cleaning their machine.

      In the UK, the margin on broadband products for volume providers such as Telewest is very low - it's a numbers game. Any action (such as sending CDs, making calls etc.) has an impact directly on their bottom line. They will have done some sort of cost:benefit analysis on tackling this problem and, although I don't know the results, riddle me this: What benefit to the bottom line is there in their reducing the number of infected machines?

      Here's what'll happen: Telewest will scream loudly and make sure that their smarthost is removed from the blocklist. Like other ISPs, they won't care if the IPs allocated to their customers are blocked - in fact, it saves them having to do all the work outlined above! After a week or so, everything will settle down and the whole situation will be forgotten. The bean counters will sit back and pat themselves on the back for not unnecessarily spending money on prevention.

      So, in summary, nice ideas, but not realistic - this is business and all business cares about is the bottom line.
  9. easy fix for this crap by timmarhy · · Score: 3, Insightful

    ISPs - block port 25 by default, and in account management allow users to unblock it. 99% of people will never use it, and those that do will account for such a small number you won't get many support calls for it. shit loads less work than fixing 16000 machines.

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:easy fix for this crap by zerbot · · Score: 2, Interesting

      It is also necessary to block inbound packets with source port 25. Spammers often use split piping. Packets from the spammer to the victim are sent from a high bandwidth connection, but with the originating IP set to the hijacked PC, so that the victim sends the acks and small amount of SMTP conversation from the victim server to the hijacked PC (these packets have a source port of 25) thus disguising the spammer's fat pipe, and allowing them to keep from having their more expensive and difficult to set up bandwidth from getting disconnected all the time. If a hijacked PC gets fixed they just move on to another.
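The policy argued for by timmarhy and zerbot above (outbound port 25 closed by default with a per-account opt-out, and inbound source-port-25 packets admitted only for connections the ISP's edge actually saw the customer open), as an added flow simulator that is not from the thread; the addresses and the opted-in account are constructed.

```python
"""Edge-router port 25 policy as a flow simulator (constructed example).

Models the two rules argued for in the thread:
  1. Outbound TCP to port 25 is dropped unless the account opted in.
  2. Inbound packets *from* source port 25 are admitted only when they
     answer a connection this gateway saw the customer open, so a
     reflected reply to a connection nobody here opened never reaches
     the customer.
"""
from dataclasses import dataclass, field

SMTP_PORT = 25


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class EdgePolicy:
    # Customer IPs that unblocked port 25 in account management (constructed).
    allowed_senders: set = field(default_factory=set)
    # Connection-tracking table of outbound SMTP flows this gateway admitted:
    # (customer_ip, customer_port, remote_mx_ip).
    conntrack: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> str:
        """Customer -> Internet direction. Returns 'accept' or 'drop'."""
        if pkt.dst_port != SMTP_PORT:
            return "accept"          # submission (587), web, etc. are untouched
        if pkt.src_ip not in self.allowed_senders:
            return "drop"            # default-deny direct-to-MX for consumers
        self.conntrack.add((pkt.src_ip, pkt.src_port, pkt.dst_ip))
        return "accept"

    def inbound(self, pkt: Packet) -> str:
        """Internet -> customer direction."""
        if pkt.src_port != SMTP_PORT:
            return "accept"
        # A reply from port 25 is legitimate only for a flow we saw leave.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        return "accept" if key in self.conntrack else "drop"


def run_scenario():
    """Constructed traffic: addresses are documentation ranges, not real hosts."""
    policy = EdgePolicy(allowed_senders={"192.0.2.7"})   # one opted-in account
    mx = "203.0.113.10"                                  # some remote MX
    zombie, opted_in = "192.0.2.5", "192.0.2.7"
    results = []
    # Zombie trying to deliver direct-to-MX: default-deny.
    results.append(("zombie direct-to-MX",
                    policy.outbound(Packet(zombie, 40001, mx, SMTP_PORT))))
    # Same machine using the ISP smarthost on the submission port: untouched.
    results.append(("zombie via smarthost:587",
                    policy.outbound(Packet(zombie, 40002, "192.0.2.250", 587))))
    # Opted-in account running its own MTA: allowed and tracked.
    results.append(("opted-in direct-to-MX",
                    policy.outbound(Packet(opted_in, 40003, mx, SMTP_PORT))))
    # MX answering that tracked flow: the reply matches conntrack.
    results.append(("MX reply to opted-in flow",
                    policy.inbound(Packet(mx, SMTP_PORT, opted_in, 40003))))
    # MX answering a flow nobody here opened: source port 25 but no
    # conntrack entry, so it is dropped at the edge.
    results.append(("MX reply to unseen flow",
                    policy.inbound(Packet(mx, SMTP_PORT, zombie, 40004))))
    return dict(results)


if __name__ == "__main__":
    for label, verdict in run_scenario().items():
        print(f"{label:28s} -> {verdict}")
```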

    2. Re:easy fix for this crap by zerbot · · Score: 2, Interesting

      You don't need a second network connection. You just have the trojaned PC accept everything. If the connection gets dropped due to a retransmit not happening, big deal. They're paying for that fat pipe to have a good connection, and almost all the mail servers the spammer is trying to get to will also have good pipes, so most of the time there are no lost packets to deal with.

      You can use this as an antispam measure, just send a zero window or hold an ack for test and if the sender continues to blow data at you, instant spam sign. If you don't want to or can't muck with your tcp stack, you can pause in the SMTP conversation, but unfortunately some "legitimate" emailers are pipelining their SMTP conversations and not waiting for go aheads but I don't have much sympathy if they get labeled spammers for not following RFC's.
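The "pause in the SMTP conversation" variant of zerbot's test above (the greeting-delay check that flags a client which sends before the 220 banner, rather than the TCP zero-window trick, which needs access to the stack), as an added example that is not from the thread; the hostnames are placeholders and the client is simulated over a socketpair.

```python
"""Greeting-delay ("early talker") check for an SMTP receiver (constructed example).

RFC 5321 section 4.3.1 requires the client to wait for the server's 220
banner before sending anything. A sender that talks first is not waiting
for replies, which is the behaviour the thread describes as a spam sign.
Uses socketpair() so it runs without a network or a listening port.
"""
import selectors
import socket
import threading
import time

# Hostnames are placeholders, not real systems.
BANNER = b"220 mx.example.invalid ESMTP ready\r\n"
REJECT = b"554 5.7.0 Protocol violation: data sent before greeting\r\n"


def _send(conn: socket.socket, data: bytes) -> None:
    try:
        conn.sendall(data)
    except OSError:
        pass  # peer already went away; nothing left to tell it


def greet_pause_check(conn: socket.socket, pause: float = 0.5):
    """Hold the 220 banner for `pause` seconds and watch the socket.

    Returns (early_talker, data): early_talker is True when the peer sent
    bytes before the banner went out; data holds what arrived.
    """
    sel = selectors.DefaultSelector()
    sel.register(conn, selectors.EVENT_READ)
    deadline = time.monotonic() + pause
    early = b""
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break                       # peer stayed quiet: well behaved
            if sel.select(timeout=remaining):
                chunk = conn.recv(4096)
                if chunk:
                    early = chunk           # talked before 220: flag it
                break                       # data or peer close ends the wait
    finally:
        sel.close()
    if early:
        # Policy choice: a 5xx here. Many receivers prefer a 4xx so a merely
        # misconfigured legitimate MTA gets to retry.
        _send(conn, REJECT)
        return True, early
    _send(conn, BANNER)
    return False, b""


def simulate(client_waits: bool, pause: float = 0.3):
    """Run the check against a client that either waits for 220 or talks first."""
    server_side, client_side = socket.socketpair()

    def client():
        if client_waits:
            client_side.recv(4096)          # proper MTA: wait for the banner
        client_side.sendall(b"EHLO sender.example.invalid\r\n")
        client_side.close()

    worker = threading.Thread(target=client)
    worker.start()
    result = greet_pause_check(server_side, pause)
    worker.join()
    server_side.close()
    return result


if __name__ == "__main__":
    print("polite client :", simulate(client_waits=True))
    print("early talker  :", simulate(client_waits=False))
```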

  10. I miss the old days by birge · · Score: 4, Insightful

    I think this is a good example of how the democratization of the net has really screwed things up in some ways. The net was never intended to be so centralized (undecentralized?), with huge ISPs serving millions of customers. Of course there's going to be zombie networks. The net wasn't designed to have millions of individual users directly connected from essentially unsupervised subnetworks. Notice that you never hear about a company or university having a significant percentage of their machines taken over, especially not for a long time. Originally, the network was just large organizations connecting their managed networks to the backbones, usually from behind firewalls. But an ISP doesn't watch its clients' computers the way a sysadmin would (nor should they) and thus we have the present, sorry, situation of millions of Microsoft moms unwittingly playing host to a global crime wave.

    It's a good thing we have such secure consumer operating systems, or this could turn into a real problem!

  11. Telewest faced usenet death penalty 3yrs ago by throwaway18 · · Score: 4, Interesting

    About three years ago a usenet death penalty was issued against Telewest. Before it came into force they stopped all messages spreading out from their main newsserver and began scanning their customers for open newsservers and open proxies.

  12. Self help solution by wallior · · Score: 4, Interesting

    When my cable company had any issues with spam from any of their customers, they simply cut off their internet until the customer had their computer fixed. Seems easier than what this cable company is going through. User can either pay to have their computer cleaned and secured, or do it themselves. They then advise the Cable company to put them back on. Lot better for every other customer who is responsible enough to maintain their PCs.

  13. SPEWS isn't a firm by kaarlov · · Score: 5, Insightful

    SPEWS is not an "anti-spam firm". Check their website at http://spews.org/ for more explanation. And anyone too concerned about false positives should do their due diligence when picking the DNSBLs they use and notice that SPEWS blocks fairly large netblocks. And there probably will be a lot of legitimate mail sent from bad neighborhoods. SPEWS is a very good tool for blocking spam and educating ignorant ISPs, but it's not suited for everyone.

  14. Email Addresses? by Underholdning · · Score: 5, Informative

    Spews doesn't block email addresses. As a matter of fact, they don't block anything. Spews is a database of IP addresses.

    1. Re:Email Addresses? by dotgain · · Score: 2
      As the headline said, it had blacklisted them, not blocked them. When you list entire networks of IPs, you effectively blacklist many addy's at many domains.

      So I think you've been a bit pedantic.

    2. Re:Email Addresses? by frankie · · Score: 2, Informative
      No, getting off SPEWS is very easy.
      1. If you are the directly-listed ISP, you kick every single indicated spam source off your network, make the relevant DNS/Whois changes, and post these facts to NANA*. Assuming you are not a repeat offender, you should be removed within days or even hours.
      2. If you are a customer of the offending ISP, you either convince them to do #1 above, or leave them.
      3. There is no step 3. TINLC. TINS3.
      p.s. I am SPEWS
  15. Re:BBC news crawling, posting cache of site. by Sircus · · Score: 3, Informative

    Next time, if BBC News is "crawling", please look at your own link. BBC News is about as good as Google at staying up the whole time. A couple of extra visitors from SlashDot will get lost in the underflow.

    --
    PenguiNet: the (shareware) Windows SSH client
  16. You can't run, you can't hide... by xstonedogx · · Score: 4, Insightful

    ...but you can stand and fight.

    Wait until one of those PEOPLE gets a virus or trojan on their PC and your address is harvested. Or they forward you - and 600 other people - a joke. Or god forbid they post it on their website as part of their friends list, or what have you.

    Try having an email address like bob@some.tld. Try hosting a domain and forwarding root@, webmaster@, postermaster@, abuse@, et cetera to your account. Spammers have lists of simple and obvious usernames that they send to every domain they can think of hoping for hits.

    I want the public at large to be able to contact me in some instances, so I publish my email addresses unobfuscated. I have 'bob@some.tld'-style email addresses. I forward root@ (and et cetera) to my other accounts for my domains. I couldn't hide even if I wanted to hide.

    If you run your own email servers, take a look at this advice. Since the time I took the advice (a couple months ago) I have received *one* spam and that was appropriately tagged as spam and filtered into my spam folder. As far as I can tell there haven't been any false positives.

    (I realize the irony in my use of a gmail address for my slashdot account, but that's not about spam. That's about a whole different issue: anonymity.)

  17. Is blocking port 25 really useful? by tx_kanuck · · Score: 2, Interesting

    I only ask since I don't know. Isn't it possible to run an SMTP server on a different port than 25? It only has to send out from a zombie machine, not receive mail, so why not run it on say....port 2000? Or is it the fact that it has to send *to* port 25 that's getting blocked?

    --
    Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
    1. Re:Is blocking port 25 really useful? by Stephen+Williams · · Score: 4, Informative

      is it the fact that it has to send *to* port 25 that's getting blocked?

      Yeah, that's right. The source port is irrelevant.

      -Stephen

  18. Irresponsible to let infected machines stay online by D4C5CE · · Score: 4, Interesting
    "have been working with customers to regain control of their machines."
    Not knowing the particular details of what went on at that provider, but hardly anyone can claim to "have been working with customers" without even (probing and) shutting down their Internet connections in the first place as soon as they knew that
    • these customers' PCs were infected
    • they were (at least about to be) hijacked
    • the users were unaware or incapable of fixing the problem, i.e. it was demonstrably out of control for the systems' owners.
    With 3+ GHz CPUs, 512-1024 MB RAM, 300+ gigs of HDD and on a 3+ Mbit/s broadband connection, every ISP knows that off-the-shelf PCs can still appear to work under an amazing (crap)load today, and they have more potential to wreak havoc than entire major companies or universities a decade ago ... I have seen (completely unsuspecting) home users' machines infected with no less than 200 different (!) "manifestations" of malware on them at once, several times this year already - from the kind of guys who don't even grasp the concept of a rescue disk, to whom a computer can only be "broken", and who just go and buy a new machine, every year or so, when their previous one comes down to a crawl. Even worse, the "old" machine (full wormload included) is usually passed on (and networked again) to primary-school kids or elderly relatives who are even more clueless.

    None of them had ever received that call from their providers (which could even be automated to some extent):

    "This is Incredible Internet Services Inc. - We regret to notify you that your Internet connection had to be temporarily shut down for violation of our Acceptable Use Policy: (specified ...) You may have overlooked an infection of your PC or an access to your home network accidentally left open. To get you back online as soon as possible, a complimentary 30-day trial copy of Soandso Security Software is already in the mail to you. Once you have finished disinfecting and securing your systems, or if you need any additional help, please call customer support at ..."
  19. Should point out.... by Tehrasha · · Score: 5, Informative
    ..that no email addresses have been blacklisted.

    Telewest has had almost one million email addresses blacklisted by an anti-spam firm.

    SPEWS does not block email addresses, it lists IP addresses. It's up to admins who use SPEWS to decide whether or not to use the listing to block email coming from those IPs.

    If the users in those affected IPs use a legitimate email server, they can still send email to their hearts content. Only people running their own mail servers and direct-to-mx traffic would be affected.

  20. Re:Pay and you are removed from the list by zerbot · · Score: 2, Insightful

    Why would you pay $50 to be removed from a spam list that is probably used by only a few people? The only power a spam list has is in how many people use it to filter mail with.

  21. Re:port 25 by nogginthenog · · Score: 2, Informative

    Telewest already block incoming (maybe outgoing) connections to Windows NetBIOS ports. It shouldn't be too hard for them to add port 25 too.

    I am a Telewest customer, but I do not use their mail services (MS Exchange!!!) so this would affect me. However, my email provider allows me to connect to an alternative port (IIRC 2525). I believe this is quite common. GMail uses some non-standard port too.

    BTW, Telewest is probably one of the best ISPs in the UK. Reasonably priced and they have no bandwidth caps, which unfortunately seems to be becoming the trend these days with UK ISPs.

  22. My experiences with Telewest by Lurks · · Score: 2, Interesting
    I can't win. For ages I've run my own mail server for myself and two other flats in London that run off my 4MB Telewest cable modem. Unfortunately there are a number of these blacklist operators that have mapped out the IP space of the cable modems themselves and I find the odd email gets bounced.

    So a while ago I switched to using their own mail servers and now I'm getting even more blocked. Argh!

    Broadband providers will actually have to start taking responsibility for this sort of thing and disconnect zombie infected clients. Not just for the good of the Internet as a whole but so their OWN customers don't jump ship to a small DSL provider to avoid this irritating blacklist nonsense.

    Interestingly a couple of years ago, or so, they cut me off because they erroneously claimed that my mail server was relaying. It wasn't, it never was. They refused to take my calls and sort it out and I had no option but to cancel the service and write a letter of complaint to their management. I spent another six months on a DSL provider before running back, tail between legs. Maybe they've taken the view that enforcing these tests (which are necessary, I will admit, although they did seem inept at it) costs them customers like me - users of their highest and most expensive tier of service? But surely the biggest problem is zombies on family PCs via the basic service?

    Note: Other than that, Telewest/Blueyonder is by far and away the best broadband service I have used. Never any evidence of contention and it's many times more reliable than any DSL service (and I've tried six) with pretty much bugger all down time.

  23. Re:Irresponsible to let infected machines stay onl by Jarnis · · Score: 3, Insightful

    No can do. A high percentage of hijacked machines are in a state that no security software can rescue them from.

    Reinstalling Windows is the only thing that helps. After that the security software is a good thing.

    However, having seen dozens and dozens of computers where the user was clueful enough to buy security software, only to find out the system was already in a state where no security software will even install, I'm quite confident that most of these 0wned setups are already way beyond what F-Secure, Norton or the likes can do while installing.

    And sadly reinstalling Windows can usually just get them owned again (recovery disks having no service packs, so the thing will get its first Sasser derivative into the system 30 seconds after the recovery install is done).

    What computer manufacturers would really need to do is to ship everyone a free replacement recovery disc to get the system up with all patches. Funded by MS because it's their holey software. However, this would actually cost money, so instead people are left on their own.

  24. Re:Who actually uses SPEWS!? by zerbot · · Score: 2, Informative

    I have been around long enough to have some educated suspicions as to some people who might be running SPEWS. Only one of those people posts occasionally to nanae, and never about SPEWS. Few real admins have the time to post much, and I suspect that SPEWS is run as an adjunct to their normal duties as admins of mail servers. They probably started out trading information with each other, and eventually decided to make it public for others to use as long as it didn't land them in SLAPP suit land. The FAQ is quite clear. IP addresses are listed when 1) they emit spam that is received by those who run SPEWS, 2) they are advertised in spam received by those who run SPEWS, 3) they are likely to emit spam because they are under the control of the same entity that is permitting #1 or #2, and the spamming is continuing, or 4) they are likely to emit spam because they are under the control of someone associated with previous spam. SPEWS has most certainly reduced spam to me and to my customers who use it. Since the machines belong to me and my customers, we have the right to refuse email from anybody for any reason whatsoever.

  25. Re:Who actually uses SPEWS!? by zerbot · · Score: 2, Informative

    Experience shows that if a provider has one spamming customer that they won't do anything about, then it won't take long before their spamming customers start to proliferate, as spammers clue in that they are a spam-friendly provider and start to set up shop. Sometimes providers have moved legitimate customers out of their IPs and put spammers there because the spammers are willing to pay more money than the legitimate customers. They put legitimate customers on IPs that were spamming in order to cause deliberate collateral damage and direct the customer's ire at those who are trying to block spam. They lie about having cut spammers off, they lie about IPs being inhabited only by legitimate customers. There's no reason for a provider to keep even a single spamming customer, and if they balk at removing that customer, the lies and flimflam are almost certain to follow. SPEWS is an early warning system, and as such lists IPs that have an elevated risk of spamming, even if they haven't spammed yet. If you're not interested in an early warning system, don't use SPEWS. Me, I like it. Sorry about the whitespace, I'm just passing through (damn getting paged in the middle of the night and then twiddling thumbs while someone farts around trying to decide what they wanted you for).

  26. Re:Irresponsible to let infected machines stay onl by dlZ · · Score: 5, Interesting

    I get quite a few machines from Road Runner customers that have received a notice and had their service turned off until the machine was fixed. One customer told them she fixed it (she didn't, was using all Macs) and had her service turned back on, just to be almost immediately turned off until she had proof from some sort of tech support it was fixed (it wasn't her machines... It was her open wireless router and her clueless neighbor who just connected to whatever popped up first.) I had to fax over a letter on my company's letterhead to have her service turned back on once her router was configured properly.

    Have never seen one from a Verizon customer locally, though (RR and Verizon are pretty much the only two providers you see used around here.)

    --
    rm -rf ./evidence @ punkcomp
  27. Re:No serious admin should use spews bl by gorbachev · · Score: 3, Informative

    They are not randomly blocking. They have an escalation policy that expands the netblocks listed from just the spammers' IP addresses and netblocks to the whole ISP's netblocks, if the problems do not get resolved within a reasonable time period.

    I do agree one should be careful of choosing a blocklist to use. SPEWS is one of the most aggressive. It does not fit everyone's needs.

    SPEWS does not block the whole of China. Only the network providers that do not act on spam complaints. Exactly like the SBL does.

    Next time before you insert your foot in your mouth, do some fact checking first.

    --
    In Soviet Russia, I ruled you
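    The two points made in comments 19 and 27 above (a listing names IP space rather than email addresses, so only direct-to-MX senders in that space are refused, and a listing can be widened from one host to a provider's block if nothing is fixed) as an added example; this is not code from the thread or from SPEWS, and every netblock, address, grace period and log line in it is a constructed placeholder.

```python
# Added example, not code from the thread or from SPEWS: how a receiving
# mail admin applies an IP-based listing at SMTP connect time, and why only
# direct-to-MX senders in listed space are affected. All netblocks,
# addresses and log lines are constructed placeholders.
import ipaddress
import re

# Constructed listing. A DNSBL lists IP space, never email addresses.
LISTED = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",     # hypothetical cable-modem dynamic pool
    "198.51.100.200/32",  # hypothetical single spamming host
)]

def is_listed(ip, listing=LISTED):
    """True if the connecting IP falls inside any listed netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in listing)

def smtp_decision(client_ip, listing=LISTED):
    """This site's policy: refuse direct-to-MX connections from listed
    space. Whether to consult a listing at all is the admin's choice."""
    return "550 listed" if is_listed(client_ip, listing) else "250 ok"

LOG_RE = re.compile(r"connect from \S+\[(\d+\.\d+\.\d+\.\d+)\]")

def triage(log_lines, listing=LISTED):
    """Map each 'connect from host[ip]' line (constructed format) to the
    decision the policy above would produce for it."""
    out = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            out[m.group(1)] = smtp_decision(m.group(1), listing)
    return out

def escalate(listing, host_ip, parent_block, days_unresolved, grace=14):
    """Model the escalation described in the thread: a host still spamming
    after a grace period (14 days is a placeholder) is widened from its
    /32 to the provider's whole block. Returns a new listing."""
    if days_unresolved < grace:
        return list(listing)
    host = ipaddress.ip_network(host_ip + "/32")
    return [n for n in listing if n != host] + [ipaddress.ip_network(parent_block)]

# Constructed log: a zombie sending direct-to-MX from the listed pool is
# refused; mail relayed via the ISP smarthost (unlisted) is accepted.
SAMPLE_LOG = [
    "Jan 12 03:14:07 mx postfix/smtpd[123]: connect from cpe-45.example[203.0.113.45]",
    "Jan 12 03:14:09 mx postfix/smtpd[124]: connect from smtp.example[192.0.2.10]",
]
```

Running `triage(SAMPLE_LOG)` refuses only the direct connection from the listed pool; the customer whose mail leaves via the ISP's smarthost is unaffected, which is the distinction comment 19 draws.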
  28. Re:No serious admin should use spews bl by gorbachev · · Score: 2, Insightful

    So how is that a problem with SPEWS? Looks like the Chinese ISPs don't really care about the spam problem.

    --
    In Soviet Russia, I ruled you
  29. Re:No serious admin should use spews bl by jcr · · Score: 2, Insightful

    We had many cases where we were unable to deliver our mails because some moron admin in a big international company with worldwide suppliers and customers was using spews for rejecting mails.

    As it happens, quite a bit of the spam I've seen lately has been from Chinese manufacturers trolling for customers. If your netblock was listed by Spews, I'm inclined to believe you had it coming.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  30. Re:Irresponsible to let infected machines stay onl by Skapare · · Score: 2, Interesting

    It was still her responsibility. If she said she fixed it, and in fact she had not fixed the wireless router (her ignorance is probably why she didn't think it was the point of the problem), then she told an untruth (maybe not intentionally so). But Road Runner was in the right to immediately cut her back off and require more definitive proof. I'm glad you knew to check the router.

    Maybe Verizon is blocking outbound port 25 that goes to other than their own smarthost MTAs. That would stop a lot of zombie spam until the spammers shift their paradigm to having the zombies do smarthost relaying. They are already using the zombies to do mass and distributed signups of new users at Hotmail, Yahoo, etc, so they have ready accounts to do spamming from over there, too. That's hard for the free mail providers to detect as a spammer activity.

    --
    now we need to go OSS in diesel cars
  31. Re:maybe they should not have ignored their proble by Tripster · · Score: 2, Informative

    I've had run-ins with SPEWS, they don't just list IP addresses that are spamming but will also list IPs only slightly associated with a spammer.

    For example, I had a long-term hosting reselling client, he had sites relevant to the local area he lived in at the time, mostly some sites based around Oregon, etc. and they were all perfectly legitimate sites. He had never relayed any spam via my servers.

    After a couple of years this fellow had taken to working with some of the big spammers, he was doing this elsewhere and I had absolutely zero knowledge of it as the account he had with us was still perfectly normal.

    One day I get a call from our NOC that one of our servers had been disconnected due to a SPEWS listing and they were going to terminate my server entirely. I was shocked, I had no idea why and they finally pointed me to the SPEWS listing on the newsgroups.

    What had happened was this person had used an email address on the domain he hosted with me as a contact for another domain he was using elsewhere, all of a sudden this made me "spam friendly" apparently.

    This person caused trouble on several of my servers also because of secondary DNS, SPEWS actually started listing my secondary DNS boxes because of this.

    I was quite pissed off because of all of this because my company had zero knowledge of what this client was doing elsewhere and we had nothing at all to do with any spam deliveries and yet we were branded guilty with little choice in booting the client and then begging SPEWS to delist us.

    Our TOS states we don't allow spam to generate from our clients nor do we allow it to generate elsewhere pointing towards their domain names hosted with us. It doesn't state we can dictate what they do elsewhere however and frankly we have no business knowing what our clients do elsewhere.

    It took two separate tries to fix this problem, we were delisted only to be relisted again later for the exact same thing and this was after we had completely removed the client from our servers. Our NOC had access to our server and I told them to look for themselves to see we had long since removed the client but had no control over what DNS servers they listed in their zone records, that was the issue the second time, our DNS servers still appearing in the zone records was enough apparently, even if we'd long since removed the domains and zones from our DNS.

    In short SPEWS caused hours of downtime for our clients due to a false accusation, we were never informed by anyone at SPEWS this client had ties elsewhere and we had never had any spam sent via our server.

    Quite honestly, had SPEWS been a local office I would have probably shown up with a baseball bat and beat some common sense into them for a while.

    SPEWS is one of the RBLs that will NOT be used on any mail server we have control over. They proved to us that they are very prone to overreaction. What really makes me mad is would they have listed AOL if the guy had used his AOL email address instead? How about Hotmail? Gmail? Doubtful.

    As I asked them, are they listing the guy's cable company? His utility providers? The restaurants he eats at?