Spam Blacklist Targets Hijacked Telewest Customers
davidmcg writes "BBC.co.uk reports that UK cable firm Telewest has had almost one million email addresses blacklisted by an anti-spam firm. The Spam Prevention Early Warning System blacklisted the email addresses because a large number of the machines using them have been hijacked by spammers. Telewest have stated that they knew about the problem and have been working with customers to regain control of their machines."
"Telewest blamed recent virus outbreaks for the sudden rise in the number of hijacked home PCs. "We are currently contacting affected customers to help them clean their PCs which, as you can imagine, is a time-consuming task," it said."
I sympathise with them, I've tried banging my head against the wall before and it's not fun!
odd that the ISP never made an issue of their "Efforts" to clean up their customer base before ending up in SPEWS. Some people say wholesale blacklisting is ineffective, some whine about false positives, I bet these guys really want to get out of the spotlight so they stop looking incompetent. Well done SPEWS, whoever you are. By the way this article makes a serious mistake:
SPEWS does not exist (TINS (there is no SPEWS)). SPEWS therefore cannot make announcements of any sort whatsoever, though they do have the Lumber Cartel (TINLC) to speak for them.
BBC.co.uk reports that UK cable firm Telewest has had almost one million email address blacklisted by an anti-spam firm.
So... ISP allows spam zombies to run free on its network, anti-spam firm overreacts by putting entire network on blacklist.
Is this really out of the ordinary? Weren't they doing this to US ISPs like Comcast until they started disconnecting zombie PCs?
Is there anything really out of the ordinary here?
They're just listing IP ranges. A complete non-newsworthy item. Consumer machines on broadband/dialup should be going through their ISPs' smarthosts anyway ... which seems to be standard practice these days, to the point many ISPs block SMTP or redirect port 25 to their own smarthosts.
Nothing to see here, move along.
Seems Telewest are actually attempting to rectify this situation, although you have to wonder how it is their responsibility.
FTFA: One hijacked PC on the Telewest network was sending out more than 100,000 e-mail messages per day, he said.
In cases like these, if the offending computer isn't cleaned within (insert time frame here) then perhaps some negative reinforcement should be considered. fines etc???
serenity now!
ISPs - block port 25 by default, and in account management allow users to unblock it. 99% of people will never use it, and those that do will account for such a small number you won't get many support calls for it. shitloads less work than fixing 16000 machines.
If you mod me down, I will become more powerful than you can imagine....
I think this is a good example of how the democratization of the net has really screwed things up in some ways. The net was never intended to be so centralized (undecentralized?), with huge ISPs serving millions of customers. Of course there's going to be zombie networks. The net wasn't designed to have millions of individual users directly connected from essentially unsupervised subnetworks. Notice that you never hear about a company or university having a significant percentage of their machines taken over, especially not for a long time. Originally, the network was just large organizations connecting their managed networks to the backbones, usually from behind firewalls. But an ISP doesn't watch its clients' computers the way a sysadmin would (nor should they) and thus we have the present, sorry, situation of millions of Microsoft moms unwittingly playing host to a global crime wave.
It's a good thing we have such secure consumer operating systems, or this could turn into a real problem!
Telewest is probably no worse than any other.
for a medium size ISP 16,000 machines spewing crap is a huge issue.
my humble, unimportant opinion is that the users themselves should be responsible for making sure their computers are safe
I run the AHBL and I am a firm believer in this. You are responsible for your car on the highway, you are responsible for the actions of your children if you have them, and you should be responsible for the damage your computer does to the public network. Currently in the open-proxy and comp-sys-ddos (obviously compromised machines) we have listed over 1.3 million machines. I honestly think that we can do better than to have 1.3 million machines which have been responsible for spewing crap since the inception of the AHBL 2 years ago.
No need to call the 16,000.
I expect the vast majority of telewest's customers are set up as per telewest's instructions as far as email goes i.e. they use telewest's smtp servers. If that is the case, their email is not blocked. It is only those who run an email server that will have a problem.
Not really a problem either, just make postfix (or whatever mta you're using) send mail via telewest's smtp server itself (relayhost directive). Those who run an email server will notice soon enough and take appropriate action. If they can't work it out then they probably shouldn't be running a server anyway.
About three years ago a Usenet death penalty was issued against Telewest. Before it came into force they stopped all messages spreading out from their main newsserver and began scanning their customers for open news servers and open proxies.
I think maybe spam is overrated.. with the right technology in place, it can be defeated. Although indiscriminate blacklisting by ORBS or whoever doesn't really help the situation :(
Overrated? You have lots of people working on solving the spam problem for you. LOTS of effort goes into maintaining those blacklists your provider uses to provide an acceptable spam level for you, and you find it meets your needs.
The only reason you think it might be overrated is that you are not realizing what an effort is being put forth for you.
When my cable company had any issues with spam from any of their customers, they simply cut off their internet until the customer had their computer fixed. Seems easier than what this cable company is going through. User can either pay to have their computer cleaned and secured, or do it themselves. They then advise the Cable company to put them back on. Lot better for every other customer who is responsible enough to maintain their PCs.
SPEWS is not an "anti-spam firm". Check their website at http://spews.org/ for more explanation. And anyone too concerned about false positives should do their due diligence when picking the DNSBLs they use and notice that SPEWS blocks fairly large netblocks. And there probably will be a lot of legitimate mail sent from bad neighborhoods. SPEWS is a very good tool for blocking spam and educating ignorant ISPs, but it's not suited for everyone.
Yes, if that is what it takes to get their attention. Many ISPs adopt an "it's not my fault" approach to users abusing their networks, and anybody who runs any kind of mail server without taking steps to secure it is guilty of abuse.
Similarly, in this day and age, there is no excuse for users not to know that their machines have been zombied. The simple fact is that unless they are running reliable firewalls or anti-virus programs, they already will have been zombied. I know it is possible to secure a Windows box, but most OEM installations are left totally insecure, and a majority of people never change their computer settings once the machine is on or under their desk.
Spews doesn't block email addresses. As a matter of fact, they don't block anything. Spews is a database of IP addresses.
Just sit back and enjoy it, you fool!
Show me on the doll where his noodly appendage touched you.
It wouldn't be all that hard to clean this network up. Just block port 25 and allow specific requests through. Notify email providers/server operators about the decision a few days in advance so they can get placed on the list and then put it to work. It would definitely be cheaper than someone calling 1600 people or having to verify they meet with your requirements. Just shoot them an email and say their service will be disconnected if the problem isn't fixed or justified. Those that are infected will be stopped while those that are affected would have an out. If someone requesting an exception is actually sending spam, it shouldn't be that hard to determine after that and remove them from service completely. After the situation calms down, open the ports back up.
In fact, I think it is sort of careless for ISPs to not at least monitor their common ports for malicious activity. The added traffic from infections could be increasing bandwidth requirements as well as costing the ISPs more money in added equipment. It just seems logical to try and keep costs down. What's the chance that 1600 existing users are going to set up a mail server in about a month from each other and then flood the network with traffic that would appear to be coming from thousands of users? This should be spotted easily without some third party needing to get involved. My networks scan email and attachments coming and going at the server level and all it took was a couple of extra seconds to set up. Also snort lets me know of any weird traffic pattern changes and I can check the difference in logs from several months ago if necessary. It only takes a couple of minutes a day. For this effort you get less people calling and complaining too.
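The two ideas the commenters above keep returning to, a default block on outbound TCP/25 with an exception for the ISP's own smarthost and a per-account opt-out, plus a cheap flow-count check that spots a customer PC talking directly to hundreds of remote MXs, fit in a few lines. The following is an added example written for this page, not code from Telewest, SPEWS or anyone in the thread; the smarthost address, the customer netblock, the opted-out customer and the flow records are all constructed. Only the destination port matters to the rule, which is the point made further down the thread about source ports being irrelevant.

```python
"""
Added example (not from the thread, Telewest or SPEWS): a default-deny
egress policy for TCP/25 on a consumer pool, and the per-source count of
direct-to-MX connections an ISP could use to flag a zombie.  Every
address, hostname and flow record below is constructed for illustration.
"""
from ipaddress import ip_address, ip_network

SMARTHOST = ip_address("10.0.0.25")        # assumed ISP relay (constructed)
CUSTOMER_NET = ip_network("10.1.0.0/16")   # assumed consumer pool (constructed)
# Customers who unblocked port 25 in account management (hypothetical).
PORT25_OPT_OUT = {ip_address("10.1.7.7")}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port).
# 10.1.3.3 plays the hijacked PC: 600 connections to 200 different MXs.
FLOWS = (
    [("10.1.3.3", 40000 + i, f"198.51.100.{i % 200 + 1}", 25) for i in range(600)]
    + [("10.1.4.4", 51000, "10.0.0.25", 25)] * 3      # normal user via smarthost
    + [("10.1.7.7", 52000, "203.0.113.9", 25)] * 4    # opted out, runs own MTA
    + [("10.1.4.4", 53000, "203.0.113.80", 80)] * 10  # web traffic, untouched
)


def egress_allows(src_ip, src_port, dst_ip, dst_port):
    """True if the flow passes the ISP's port-25 policy.

    The rule keys on the *destination* port only; src_port is ignored,
    so a client that happens to pick source port 25 is not affected.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if src not in CUSTOMER_NET:
        return True            # policy covers the consumer pool only
    if dst_port != 25:
        return True            # anything that is not SMTP passes
    if dst == SMARTHOST:
        return True            # everyone may reach the ISP relay
    return src in PORT25_OPT_OUT   # direct-to-MX only for opted-out accounts


def count_denied(flows):
    """Number of flows the policy would have dropped."""
    return sum(1 for flow in flows if not egress_allows(*flow))


def suspicious_senders(flows, threshold=100):
    """{src_ip: distinct_mx_count} for sources that opened TCP/25 to more
    than `threshold` distinct hosts other than the smarthost.  A single
    home PC has no business talking to that many MXs; a legitimate
    self-hosted MTA usually does not either, but the list is for review,
    not automatic disconnection."""
    mx_per_src = {}
    for src, _sport, dst, dport in flows:
        if dport == 25 and ip_address(dst) != SMARTHOST:
            mx_per_src.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in mx_per_src.items() if len(d) > threshold}


if __name__ == "__main__":
    print("flows denied by default-block:", count_denied(FLOWS))
    print("sources to review:", suspicious_senders(FLOWS))
```

Run against the constructed flows, the policy drops all 600 zombie connections while the smarthost users and the opted-out account keep working, and the flow count singles out the same source without any third-party list being involved.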
Next time, if BBC News is "crawling", please look at your own link. BBC News is about as good as Google at staying up the whole time. A couple of extra visitors from SlashDot will get lost in the underflow.
PenguiNet: the (shareware) Windows SSH client
...but you can stand and fight.
Wait until one of those PEOPLE gets a virus or trojan on their PC and your address is harvested. Or they forward you - and 600 other people - a joke. Or god forbid they post it on their website as part of their friends list, or what have you.
Try having an email address like bob@some.tld. Try hosting a domain and forwarding root@, webmaster@, postmaster@, abuse@, et cetera to your account. Spammers have lists of simple and obvious usernames that they send to every domain they can think of hoping for hits.
I want the public at large to be able to contact me in some instances, so I publish my email addresses unobfuscated. I have 'bob@some.tld'-style email addresses. I forward root@ (and et cetera) to my other accounts for my domains. I couldn't hide even if I wanted to hide.
If you run your own email servers, take a look at this advice. Since the time I took the advice (a couple months ago) I have received *one* spam and that was appropriately tagged as spam and filtered into my spam folder. As far as I can tell there haven't been any false positives.
(I realize the irony in my use of a gmail address for my slashdot account, but that's not about spam. That's about a whole different issue: anonymity.)
- these customers' PCs were infected
- they were (at least about to be) hijacked
- the users were unaware or incapable of fixing the problem, i.e. it was demonstrably out of control for the systems' owners.
With 3+ GHz CPUs, 512-1024 MB RAM, 300+ gigs of HDD and on a 3+ Mbit/s broadband connection, every ISP knows that off-the-shelf PCs can still appear to work under an amazing (crap)load today, and they have more potential to wreak havoc than entire major companies or universities a decade ago. None of them had ever received that call from their providers (which could even be automated to some extent):
Telewest has had almost one million email address blacklisted by an anti-spam firm.
SPEWS does not block email addresses, it lists IP addresses. It's up to admins who use SPEWS to decide whether or not to use the listing to block email coming from those IPs.
If the users in those affected IPs use a legitimate email server, they can still send email to their hearts content. Only people running their own mail servers and direct-to-mx traffic would be affected.
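Several comments above make the same point: SPEWS publishes IP addresses and netblocks, and it is the receiving admin's MTA that turns a listing into a reject, a tag or nothing at all. As an added example (written for this page, not SPEWS's data or any MTA's code), here is the lookup an MTA performs against a DNSBL zone and the decision that follows. The zone name dnsbl.example.net, the listed netblocks and the offline stand-in resolver are constructed; the live resolver path uses the standard library only.

```python
"""
Added example (not from the thread, SPEWS or any MTA): how a DNS-based
IP list is consulted per SMTP connection.  The client address is
reversed octet-wise, looked up under the list's zone, and a 127.0.0.x
A record means "listed"; what to do about it is the admin's choice.
The zone, the listing and the fake resolver are constructed.
"""
import socket
from ipaddress import ip_address, ip_network

ZONE = "dnsbl.example.net"  # hypothetical DNSBL zone, not a real list
LOOPBACK = ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=ZONE):
    """198.51.100.7 -> '7.100.51.198.dnsbl.example.net'"""
    octets = str(ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def default_resolver(name):
    """Live A-record lookup; an empty list means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def is_listed(ip, resolver=default_resolver, zone=ZONE):
    """Listed only if an answer falls in 127.0.0.0/8.  A public address in
    the answer (a wildcarded, expired or hijacked zone) is ignored, so a
    broken list cannot turn into a reject-everything rule."""
    answers = resolver(dnsbl_query_name(ip, zone))
    return any(ip_address(a) in LOOPBACK for a in answers)


def smtp_decision(client_ip, resolver=default_resolver, action="reject"):
    """The admin's policy: 'reject' at the SMTP banner, 'tag' and deliver,
    or 'accept' to ignore the list entirely.  The list itself decides nothing."""
    if action == "accept" or not is_listed(client_ip, resolver):
        return "accept"
    return action


# --- offline stand-in for a list that escalates to whole netblocks -------
# Constructed listing: one spammer /32, and a provider whose complaints went
# unanswered, so the list grew from the spammer's host to the whole /24.
LISTED_BLOCKS = {
    ip_network("198.51.100.7/32"): "127.0.0.2",
    ip_network("192.0.2.0/24"): "127.0.0.3",
}


def fake_resolver(name):
    """Undo the octet reversal and answer from LISTED_BLOCKS (offline only)."""
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return []
    ip = ip_address(".".join(reversed(name[: -len(suffix)].split("."))))
    return [code for net, code in LISTED_BLOCKS.items() if ip in net]


if __name__ == "__main__":
    for client in ("198.51.100.7", "192.0.2.200", "198.51.100.8"):
        print(client, dnsbl_query_name(client), smtp_decision(client, fake_resolver))
```

Note that 192.0.2.200 is rejected although it never sent a byte of spam: it merely sits in a netblock the list escalated to, which is the false-positive trade-off the thread argues about. The 127.0.0.0/8 check is also why a list that hands back a public address does not block all mail.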
No can do. High percentage of hijacked machines are in a state that no security software can rescue them from.
Reinstall windows is the only thing that helps. After that the security software is a good thing.
However, having seen dozens and dozens of computers where the user was clueful enough to buy a security software, only to find out the system was already in a state where no security software will even install, I'm quite confident that most of these 0wned setups are already way beyond what F-Secure, Norton or the likes can do while installing.
And sadly reinstalling Windows can usually just get them owned again (recovery disks having no service packs, so the thing will get its first Sasser derivative into the system 30 seconds after the recovery install is done)
What computer manufacturers would really need to do is to ship everyone a free replacement recovery disc to get the system up with all patches. Funded by MS because it's their holey software. However, this would actually cost money, so instead people are left on their own.
is it the fact that it has to send *to* port 25 that's getting blocked?
Yeah, that's right. The source port is irrelevant.
-Stephen
I get quite a few machines from Road Runner customers that have received a notice and had their service turned off until the machine was fixed. One customer told them she fixed it (she didn't, was using all Macs) and had her service turned back on, just to be almost immediately turned off until she had proof from some sort of tech support it was fixed (it wasn't her machines... It was her open wireless router and her clueless neighbor who just connected to whatever popped up first.) I had to fax over a letter on my company's letterhead to have her service turned back on once her router was configured properly.
Have never seen one from a Verizon customer locally, though (RR and Verizon are pretty much the only two providers you see used around here.)
rm -rf
They are not randomly blocking. They have an escalation policy that expands the netblocks listed from just the spammers' IP addresses and netblocks to the whole ISP's netblocks, if the problems do not get resolved within a reasonable time period.
I do agree one should be careful of choosing a blocklist to use. SPEWS is one of the most aggressive. It does not fit everyone's needs.
SPEWS does not block whole of China. Only the network providers that do not act on spam complaints. Exactly like the SBL does.
Next time before you insert your foot in your mouth, do some fact checking first.
In Soviet Russia, I ruled you