Spam Blacklist Targets Hijacked Telewest Customers

davidmcg writes "BBC.co.uk reports that UK cable firm Telewest has had almost one million email address blacklisted by an anti-spam firm. The Spam Prevention Early Warning System blacklisted the email addresses because a large number of the machines using them have been hijacked by spammers. Telewest have stated that they knew about the problem and have been working with customers to regain control of their machines."

SPEWS

[trelanexiph]

odd that the ISP never made an issue of their "Efforts" to clean up their customerbase before ending up in SPEWS. Some people say wholesale blacklisting is ineffective, some whine about false positives, I bet these guys really want to get out of the spotlight so they stop looking incompetant. Well done spews, whoever you are. By the way this article makes a serious mistake:
SPEWS does not exist (TINS (there is no SPEWS)). SPEWS therefore cannot make announcements of any sort whatsoever, though they do have the Lumber Cartel (TINLC) to speak for them.

Hmph

[oPless]

They're just listing IP ranges. A complete non-newsworthy item. Consumer machines on broadband/dialup should be going through their ISPs smarthosts anyway ... which seems to be standard practice these days, to the point many isps block smtp or redirect port 25 to their own smarthosts.

Nothing to see here, move along.

Re:Hmph

[aug24]

many isps block smtp or redirect port 25 to their own smarthosts

This is true... my UK ISP, Nildram, simply blocks port 25 outbound for all machines unless certain conditions are met. Very few home users will have any need for this as they will use Nildram's mail server outbound, so only compromised machines which already run smtp services (and have previously passed the open proxy test) can become an issue - a tiny proportion.

With simple solutions like these, this should be a non-newsworthy item. However, with useless bastards like TeleWest not bothering to do this and permitting unfettered port 25 outbound, it is newsworthy, if only for name-and-shame reasons. Assuming you live in the UK and give a shit, of course ;-)

J.

I miss the old days

[birge]

I think this is a good example of how the democratization of the net has really screwed things up in some ways. The net was never intended to be so centralized (undecentralized?), with huge ISPs serving millions of customers. Of course there's going to be zombie networks. The net wasn't designed to have millions of individual users directly connected from essentially unsupervised subnetworks. Notice that you never hear about a company or university having a significant percentage of their machines taken over, especially not for a long time. Originally, the network was just large organizations connecting their managed networks to the backbones, usually from behind firewalls. But an ISP doesn't watch it's clients computers the way a sysadmin would (nor should they) and thus we have the present, sorry, situation of millions of Microsoft moms unwittingly playing host to a global crime wave.

It's a good thing we have such secure consumer operating systems, or this could turn into a real problem!

Telewest faced usenet death penalty 3yrs ago

[throwaway18]

About three years ago a usenet death penalty was issued against Telewest. Before it came into force they stopped all messages spreading out from their main newsserver and began scanning their customers for open newsservers and open proxys.

Re:Spam prevention good for me.

[ciscoguy01]

I think maybe spam is overrated.. with the right technology in place, it can be defeated. Although indiscriminite blacklisting by Orbs or whoever doesn't really help the situation :(

Overreated? You have lots of people working on solving the spam problem for you. LOTS of effort goes into maintaining those blacklists your provider uses to provide an acceptable spam level for you, and you find it meets your needs.

The only reason you think it might be overrrated is that you are not realizing what an effort is being put forth for you.

Self help solution

[wallior]

When my cable company had any issues with spam from any of their customers, they simply cut off their internet until the customer had their computer fixed. Seems easier than what this cable company is going through. User can either pay to have their computer cleaned and secured, or do it themselves. They then advise the Cable company to put them back on. Lot better for every other customer who is responsible enough to maintain their PCs.

SPEWS isn't a firm

[kaarlov]

SPEWS is not a "anti-spam firm". Check their website at http://spews.org/ for more explanation. And anyone too conserned about false positives should do their due dilligence when picking the DNSBLs they use and notice that SPEWS blocks fairly large netblocks. And there probably will be a lot of legitimate mail sent from bad neighborhoods. SPEWS is a very good tool for blocking spam and educating ignorant ISPs, but it's not suited for everyone.

Email Addresses?

[Underholdning]

Spews doesn't block email addresses. As a matter of fact, they don't block anything. Spews is a database of IP addresses.

You can't run, you can't hide...

[xstonedogx]

...but you can stand and fight.

Wait until one of those PEOPLE gets a virus or trojan on their PC and your address is harvested. Or they forward you - and 600 other people - a joke. Or god forbid they post it on their website as part of their friends list, or what have you.

Try having an email address like bob@some.tld. Try hosting a domain and forwarding root@, webmaster@, postermaster@, abuse@, et cetera to your account. Spammers have lists of simple and obvious usernames that they send to every domain they can think of hoping for hits.

I want the public at large to be able to contact me in some instances, so I publish my email addresses unobfuscated. I have 'bob@some.tld'-style email addresses. I forward root@ (and et cetera) to my other accounts for my domains. I couldn't hide even if I wanted to hide.

If you run your own email servers, take a look at this advice. Since the time I took the advice (a couple months ago) I have received *one* spam and that was appropriately tagged as spam and filtered into my spam folder. As far as I can tell there haven't been any false positives.

(I realize the irony in my use of a gmail address for my slashdot account, but that's not about spam. That's about a whole different issue: anonymity.)

Irresponsible to let infected machines stay online

[D4C5CE]

"have been working with customers to regain control of their machines."

Not knowing the particular details of what went on at that provider, but hardly anyone can claim to "have been working with customers" without even (probing and) shutting down their Internet connections in the first place as soon as they knew that

• these customers' PCs were infected
• they were (at least about to be) hijacked
• the users were unaware or incapable of fixing the problem, i.e. it was demonstrably out of control for the systems' owners.

With 3+ GHz CPUs, 512-1024 MB RAM, 300+ gigs of HDD and on a 3+ Mbit/s broadband connection, every ISP knows that off-the-shelf PCs can still appear to work under an amazing (crap)load today, and they have more potential to wreak havoc than entire major companies or universites a decade ago ... I have seen (completely unsuspecting) home users' machines infected with no less than 200 different (!) "manifestations" of malware on them at once, several times this year already - from the kind of guys who don't even grasp the concept of a rescue disk, to whom a computer can only be "broken", and who just go and buy a new machine, every year or so, when their previous one comes down to a crawl. Even worse, the "old" machine (full wormload included) is usually passed on (and networked again) to primary-school kids or elderly relatives who are even more clueless.

None of them had ever received that call from their providers (which could even be automated to some extent):

"This is Incredible Internet Services Inc. - We regret to notify you that your Internet connection had to be temporarily shut down for violation of our Acceptable Use Policy: (specified ...) You may have overlooked an infection of your PC or an access to your home network accidently left open. To get you back online as soon as possible, a complimentary 30-day trial copy of Soandso Security Software is already in the mail to you. Once you have finished disinfecting and securing your systems, or if you need any additional help, please call customer support at ..."

Should point out....

[Tehrasha]

..that no email addresses have been blacklisted.

Telewest has had almost one million email address blacklisted by an anti-spam firm.

SPEWS does not block email addresses, it lists IP addresses. Its up to admins who use SPEWS to decide whether or not to use the listing to block email coming from those IPs.

If the users in those affected IPs use a legitimate email server, they can still send email to their hearts content. Only people running their own mail servers and direct-to-mx traffic would be affected.

Re:Is blocking port 25 really useful?

[Stephen+Williams]

is it the fact that it has to send *to* port 25 that's getting blocked?

Yeah, that's right. The source port is irrelevant.

-Stephen

Re:Irresponsible to let infected machines stay onl

[dlZ]

I get quite a few machines from Road Runner customers that have received a notice and had their service turned off until the machine was fixed. One customer told them she fixed it (she didn't, was using all Macs) and had her service turned back on, just to be almost immediatly turned off until she had proof from some sort of tech support it was fixed (it wasn't her machines... It was her open wireless router and her clueless neighbor who just connected to whatever popped up first.) I had to fax over a letter on my companies letterhead to have her service turned back on once her router was configured properly.

Have never seen one from a Verizon customer locally, though (RR and Verizon are pretty much the only two providers you see used around here.)