Swedish ISP Blocks Computers That Send Spam 265
snuppepuppan writes "One of Sweden's largest ISPs, Telia starts to block computers that send spam. 'The computers that Telia will block are primarily those that have been infected with "trojans" which are being used, without the customer's knowledge, to send enormous amounts of spam.'"
a great idea (Score:5, Interesting)
For me the dominant source of spam that I get now comes from infected computers, since DNSBLs have rendered fixed spamming IPs impotent.
Re:a great idea (Score:4, Insightful)
That's where they are staffed at all. There are all too many ISPs who appear to be happy to turn a blind eye to this type of activity, in spite of the fact that it costs them money.
Re:a great idea (Score:2, Insightful)
Or people who aren't allowed to help... (Score:2)
Re:a great idea (Score:5, Insightful)
Re:a great idea (Score:2)
Re:a great idea (Score:4, Insightful)
Depends on the ISP. Generally speaking mid-sized ISPs have pretty good abuse desks, mainly because they are big enough to have a decent technical team, yet small enough to not be swamped by abuse reports. That said, this kind of thing is a no brainer for the scripted response type of first line support used by large ISPs. Basically it boils down to "look for an IP in the mail headers that falls within a set of provided IPs and if present, click some widget to block outbound email from that IP". All you need then is some process to advise the customer of the problem and remove the block once the problem is resolved.
As you say, DNSBLs (non-dynamic ones anyway) have been rendered largely obsolete by the spamnets of compromised machines. There are so many of the damn things that a spammer can use an IP for a couple of days, discard it and not need to use it again for a couple of months, by which time it is probably off the DNSBLs again. This approach adopted by Telia (and Demon Internet in the UK, others?) is the only efficient way a large ISP can deal with this issue without incurring massive labour costs that I can think of.
Re:a great idea (Score:5, Informative)
That's why, as I've said before, we love SpamCop. When we see a SpamCop report, we know we will have everything we need to knock someone off the network. Very seldomly have we gotten a SpamCop report on something that was not spam. As for the rest of the abuse mail? Maybe 1% or 2% have enough information to track the user, and are actual abuse issues. And usually, they were already banned from a SpamCop report.
Anyway, I've rambled on enough. But for those who don't work abuse for a large ISP, now you have a small glimpse of what the abuse mail looks like.
Re:a great idea (Score:2)
Not to respond to Anonymous Cowards, but in case anyone else was wondering the same thing...
I don't make policy. And those that do want a human to read over all support / abuse mail. So, while an auto-responder is fine, having a script delete mail that does not meet criteria is simply not going to fly with management.
Personally, I would love to have a script that parses the mail, runs some checks to verify it is indeed spam, go th
In a related story... (Score:5, Funny)
Re:In a related story... (Score:2)
Microsoft vs Telia would be a case in which I'd very much like to see both parties lose.
Re:In a related story... (Score:2)
these lame "jokes" are really getting old. why don't you use the four brain cells you have left for something more productive?
It's not a joke, though Outlook is. The parent post was +5 informative in my book. :)
Good. (Score:4, Insightful)
More ISPs should do the same.
Period.
Re:Good. (Score:3, Informative)
ISPs must provide a QOS in Finland, and Sonera were fined recently (last few weeks) for being unable to deliver mail as they were so bogged down with spam.
So they're not doing it for altruistic reasons, they're doing it because it costs them big-time if they don't. I'm still glad they're doing it though.
All of this was filtered from stories in the Helsingin Sanomat
via
A good way and a bad way. (Score:3, Interesting)
The way my ISP, Cox, tried to do things is bad. They forced all traffic through their SMTP server. They had already blocked incoming mail, so you could not run a mail server on your own. The new policy keeps you from even being able to send your own mail. This sucks in many ways. The most important way it sucks is that
This is a great thing (Score:4, Insightful)
Re:This is a great thing (Score:2, Insightful)
Not so gray an area (Score:5, Funny)
The conversation with the helpdesk guy was kinda amusing, though.
HDG: "Are you familiar with a program called Zone Alarm?"
Me: "Sure. Are you familiar with the SMC Barricade router?"
Why is this news? (Score:5, Interesting)
Telia is mostly known for their suckage over here. They've made several false starts, including blocking SMTP completely at their border making it impossible to host one's own mail server.
I guess if they've finally given up on that idiocy and actually go after the specific hosts that are a problem -- like we in the community have said for years is the correct solution -- then I'm all for it.
Just sad that it's making news the way it is. I think the news should be that they wasted at least two years reaching this "insight"!
Would be interesting to know if this was because the suits finally listened to their techs, or if it's because the techs finally gained a clue.
Re:Why is this news? (Score:2, Insightful)
It's unbelievably rare.
Re:Why is this news? (Score:4, Informative)
Yes, but bostream is no better. They make customers who want to use an email with a FROM-header other than foo@*.bostream.foo set up their own SMTP-server. I preferred Telia's approach.
I don't think their press release will affect the amount of spam in my inbox. Telia is all too clueless for that. I am however happy that I get a pretty low amount of spam when compared to US figures. I'm down to less than one junk mail per hour and still not prepared to pipe all messages through SpamAssassin (too high false negatives due to most mail being sent in Swedish).
Still, Telia has a lot to do with the amount of incoming spam. Most of the spam that arrives in my Telia inbox doesn't even have my email in the TO-header (but has it in X-Original-To). The other types of spam I get are the ones that look like:
Received: [*Snip*] Sat, 1 Nov 2003 15:50:49 +0100 (CET)
Date: Wed, 28 May 2003 23:14:06 +0000
I hate spam where I can't directly see which box it is sent to or which date it was sent, or that has ASCII-art topics.
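Two things in this thread lend themselves to a mechanical check: the abuse-desk workflow described earlier (look for an IP in the mail headers that falls within the ISP's own ranges and block outbound mail from it) and the header oddities this poster lists (a Date far older than the Received stamp, the recipient present only in X-Original-To). The following is an added Python example, not code from any poster, from Telia or from SpamCop; the netblocks, host names and the sample message are constructed, and the two-day skew threshold is a hypothetical choice.

```python
import ipaddress
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed: the address space this abuse desk is responsible for
# (RFC 5737 documentation prefixes, not any real ISP's ranges).
ISP_NETBLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed abuse report modelled on the headers quoted in the thread;
# every host, address and timestamp here is made up.
SAMPLE_SPAM = """\
Received: from mx1.example.org (mx1.example.org [203.0.113.5])
    by mail.victim.example (Postfix) with ESMTP id ABC123
    for <user@victim.example>; Sat, 1 Nov 2003 15:50:49 +0100 (CET)
Received: from adsl-192-0-2-77.customer.example ([192.0.2.77])
    by mx1.example.org with SMTP; Sat, 1 Nov 2003 15:50:47 +0100
X-Original-To: user@victim.example
From: "Sales" <sales@bogus.example>
To: sucker@elsewhere.example
Subject: Buy now
Date: Wed, 28 May 2003 23:14:06 +0000

cheap stuff
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
MAX_DATE_SKEW = timedelta(days=2)  # hypothetical threshold


def _parse_date(text):
    """Parse an RFC 2822 date; return an aware datetime or None."""
    if not text:
        return None
    try:
        dt = parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:  # "-0000" yields a naive value; treat it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def parse_received(raw):
    """Return [(ip, timestamp)] per Received header, most recent hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        ip = ipaddress.ip_address(m.group(1)) if m else None
        # the timestamp follows the last ';' of a Received header
        stamp = hdr.rsplit(";", 1)[1] if ";" in hdr else ""
        hops.append((ip, _parse_date(stamp)))
    return hops


def our_customer_ips(raw, netblocks=ISP_NETBLOCKS):
    """IPs in the Received chain inside our netblocks: the hosts we can act on."""
    return [str(ip) for ip, _ in parse_received(raw)
            if ip is not None and any(ip in net for net in netblocks)]


def header_anomalies(raw, max_skew=MAX_DATE_SKEW):
    """Cheap indicators from the thread: stale Date, recipient missing from To."""
    msg = message_from_string(raw)
    findings = []
    arrival = next((ts for _, ts in parse_received(raw) if ts is not None), None)
    sent = _parse_date(msg["Date"])
    if arrival and sent and abs(arrival - sent) > max_skew:
        findings.append("date-skew")
    delivered_to = (msg.get("X-Original-To") or "").strip().lower()
    to_addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if delivered_to and delivered_to not in to_addrs:
        findings.append("recipient-not-in-to")
    return findings


def triage(raw):
    """What a first-line ticket needs: which of our IPs to block and why."""
    return {"block": our_customer_ips(raw), "indicators": header_anomalies(raw)}


if __name__ == "__main__":
    print(triage(SAMPLE_SPAM))
```

Only the hop inside the ISP's own ranges is returned as a block candidate; the victim's MX at 203.0.113.5 is ignored even though it appears in the chain. The date and recipient checks are indicators for a human reader, not a verdict, which matches the poster's point that policy here still wants a person to read the report.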
Re:Why is this news? (Score:3, Informative)
I've never had a mail in Swedish marked spam by SpamAssassin - the only false positives I've had (three in 6 months) were mails from mailing lists where the poster indeed had weird headers.
Re:Sorry? (Score:3, Informative)
Because the mere fact that you choose to purchase an email account from one provider doesn't mean that you choose to abandon any and all other email accounts that you may have for various purposes, perhaps.
I may have an email account for responding to work-related email and another for personal messages, for one example.
Re:Sorry? (Score:3, Informative)
When signing up for their $2.5/mo mail service, one of the main features advertised is being able to send mail. However, they do in fact require you to set the FROM header to your new mail account.
This sucks big time because:
1. I didn't want to spend 4 minutes configuring Postfix to send my mail.
2. When I informed them of the problem they sent me a Win32 MTA (despite the fact that I said I was using Linux).
3. I d
Re:Sorry? (Score:2)
If you read his email, he's saying exactly that - he DOESN'T WANT OR NEED a mail account with Bostream.
Why not relay all mail (regardless of domain) from your own server?
Maybe because "his own server" (like the University account he mentioned) won't relay for him when he's not connected to its network, and (since it's a university server) he doesn't have the authority or ability to change it.
Re:Why is this news? (Score:3, Informative)
That might just have been because AOL began bouncing all e-mail from Telia -- mainly due to the same problem as they have now. What would you have done?
I think this is a good thing. It stops the relays now and those affected will notice it, call the support, and be informed of why they were cut off.
Re:What should have been done? (Score:4, Insightful)
Maybe they should have blocked the ones sending out SPAM, instead of everybody! Do you honestly think that innocent companies and individuals should be punished? Oh, and without notice by the way.
The ISP is not innocent; it is their job to enforce policies and to be a good citizen on the net. Unfortunately to block an ISP you do block customers by extension, but this is the only way to get ISPs to do something.
Clueless? (Score:2, Funny)
1. The ISP AOL begins bouncing all e-mail from the ISP Telia due to large amounts of SPAM from some of Telia's DSL customers.
2. Telia blocks all of their DSL customers (companies and individuals) outgoing SMTP (port 25) traffic.
3. eddy states [slashdot.org] (correctly) that: Telia is mostly known for their suckage over here. They've made several false starts, including blocking SMTP completely at their border making it impossible to host one's own mail server.
4. BetterThanCaesar asks [slashdot.org] (regarding Telia's S
Re:Why is this news? (Score:2, Informative)
It may be a bit upsetting not to be able
My work's ISP does a variation of this (Score:5, Interesting)
And if anyone is wondering why we're going with a startup for business, it's because the only choice between 144kbps DSL and a full T1 is this guy.
Re:My work's ISP does a variation of this (Score:5, Insightful)
Customers are *not* unaware of it (Score:5, Informative)
So, even if the customers won't be given a time period to stop spamming, they're still not left unaware about it, as the
Telia says they're also attempting to detect spam hosts much quicker than earlier, when it could take up to a week or more to shut a host on their network down, when the damage was already done.
Re:Customers are *not* unaware of it (Score:5, Informative)
Mod parent up (Score:2)
Re:Customers are *not* unaware of it (Score:2)
Not quite sure how I read that news post.
Tell the Infected Individual First (Score:2, Insightful)
Re:Tell the Infected Individual First (Score:4, Insightful)
Also, people shouldn't choose to use technology that they don't have a good understanding of unless it's been set up properly by someone else beforehand. By that, I'm not meaning that the average member of the public shouldn't surf the Internet with their PC - one of these things should be happening:
1. They use a computer system that's been set up securely by the vendor
2. They apply all the latest security patches as soon as they're released
3. They understand about computer security and secure their system themselves.
If you own a computer connected to the Internet, then it's up to you to decide what you do with it, and what you let other people do with it.
Re:Tell the Infected Individual First (Score:2)
Re:Tell the Infected Individual First (Score:3, Insightful)
It is not nice to be cut off without warning, but if your machine is infected or compromised in some way then it needs to be isolated.
True, an email warning would be helpful, but some people only read their email once a week or less. In the meantime their machine could still be on, and relaying junk all over the place.
Best cut them off and have them contact Customer Services to be reconnected. Ok they probably might want to join another company afterwards...
Or send them a physical letter.
T
You get stung, you react. (Score:5, Informative)
Sonera is blaming this 100% on the W32.Swen.A virus and while there is ongoing debate regarding Sonera's e-mail administrators' competency, that certainly explains why Telia is scrambling to remedy this problem in Sweden. [Un]fortunately (ignore the part in brackets if you are a privacy advocate) the Finnish legislation doesn't allow Sonera to perform the same thing as even automatic monitoring of e-mail traffic is not permitted by the communication privacy laws.
Re:You get stung, you react. (Score:2, Interesting)
Re:You get stung, you react. (Score:3, Informative)
[Un]fortunately (ignore the part in brackets if you are a privacy advocate) the Finnish legislation doesn't allow Sonera to perform the same thing as even automatic monitoring of e-mail traffic is not permitted by the communication privacy laws.
Actually, Sonera got a special permit from the Finnish communications bureau last week for scanning all emails for virii and trojans. What I wonder is, if they can't config their mail servers, can they config the scanning properly?
Another matter is that I nev
I'll buy that... (Score:3, Insightful)
In these instances filters like SpamAssassin may even add to the problem since they often consume more overhead
Good. (Score:3, Interesting)
It used to be one knew they had a virus because an ambulance would fly around the screen or the computer would stop working. But given the amount of these things coming in through P2P I'm not surprised they aren't seeing all of the extra traffic on the little set of computers in the system tray.
Hopefully, the ISP will be similarly proactive in restoring access when the traffic stops. I'd hate to think somebody's dynamic IP address stops working à la Something Awful because of somebody else's bad Net habit.
Re:Good. (Score:2, Informative)
Re:Good. (Score:3, Interesting)
A bit extreme maybe but still better than just shutting the thing down..
Good news! (Score:3, Interesting)
This is certainly good news. Now their customers who are infected will figure things out pretty quickly!
Of course, this would have been easier if they just blocked egress port 25 traffic (which would not include their own SMTP server, of course!). Imagine all ISPs blocking egress port 25 traffic for their DHCP clients (e.g. most cable modem, dial-up, and DSL), and shutting off their corporate clients who spew spam! That would effectively eliminate spam, since IP addresses left still sending spam (directly or due to a trojan/virus) would quickly end up on DNSBLs.
It is irresponsible for ISPs to operate otherwise. Simple steps to be a good netizen:
Re:Good news! (Score:3, Insightful)
Eliminate spam? Spare me.
Currently, less t
Re:Good news! (Score:2)
So, by your own numbers, shutting down direct-to-MX email from DHCP clients should eliminate about 85% of spam - that is a worthy target.
I say 85% because if you had real figures showing a percentage less than 85% you would have used the lower number to make your point.
Re:Good news! (Score:2)
That 85% comes from an analysis of the addresses that hit my 400 spamtraps over the course of three months.
85% were from IPs I'd never seen before and that don't listen on port 25. It's entirely possible that they aren't DHCP clients, but they aren't open relays, or known main sleaze, and there's not a lot of other possibilities left. But there are other possibilities, hence my "less than 85%" comment.
If you count viruses as spam
Re:Good news! (Score:5, Insightful)
Then they cease to be Internet Service Providers and become Interweb Service Providers. Why should "consumers" be subject to inferior Internet service? Why wouldn't/couldn't an ISP monitor egress port 25 traffic for suspicious spikes? I won't be doing business with ISPs that try pulling stunts like that.
Vastly less spam? (Score:2)
I doubt spam will increase much if at all. And now we have ISP mailservers --- or should we say ISP spy&censorship boxes that are the middlemen in all email.
The next time a law says that 'ISPs shall monitor their users for subversive material', it's as easy as installing a program.
SMTP servers (Score:2)
No need to use your ISP's servers at all. Have the admin of the mail server you wish to use configure the server to use SMTP+AUTH on a different port. Even better, use SMTP+AUTH+SSL. No blocking, the chain of responsibility is intact, everybody is happy.
Re:Good news! (Score:4, Insightful)
Blocking entire ports is like using a sledgehammer to affix a staple. First the majority of spam email wouldn't be affected. And if you're delivering mail via some other protocol spammers will still get through. Port blocking is not really a good policy, except on an individual basis where there is proof of such activity; or in cases where the client is paying for an intentionally crippled partial Internet access.
There is nothing wrong with using port 25. And if you want to use TLS/SSL, you should still use port 25 via the well established STARTTLS extension to the SMTP protocol. There is no reason to waste additional port numbers on experimental protocols when the SMTP protocol already does all that and is fairly mature with lots of supported software.
Oh, and I for one rely on having egress port-25 traffic from my home DSL. I am not a spammer, but I am a network administrator of a large company and find it very useful to "test" my own servers from external, unrelated addresses.
Use of port 25 (Score:2)
There is something wrong with using port 25 for initial mail submission. Submitting a mail message by an end user is a different activity than two SMTP servers transmitting mail to each other.
Initial mail submission is a potential security violation, and certain restraints on relaying mail are important. Here is where SSL and SMTP+AUTH make sense. The user submits the mail, and then can forget about it-- the SMTP server will now handle the rest, including queuing the message in case the remote MX host is d
Re:Use of port 25 (Score:2)
So if an ISP were truly responsible then they should be blocking port 80 too, huh? Think of all the abuse that goes over port 80!
Yes, I will grant that mail transport and mail submission are two separate tasks. That is why sendmail for instance isolates each activity with separate processes and even security barriers (user/group permissions, etc.). But just because it's two tasks doesn't mean my own computer is incapable of doing both or that I must be forced to allow my ISP to handle one half of it (
Re:Good news! (Score:2)
How does this help with accounts opened with stolen CC numbers? They already used it once to open the account, why do they care if they lose a security deposit from it?
Re:Good news! (Score:2)
There are plenty of DSL and Wireless providers that allow you to run servers. I maintain about 30 such servers for small businesses. This policy would completely eliminate the ability of these businesses to economically run their own email/web servers. None of these servers send spam, they are not open relays, they are well maintained servers that deserve to be on the net, blocking them would be draconian and stupid.
Servers on a DSL line (Score:2)
I have many clients on DSL lines, too. They have arranged with their ISP for a static IP address, and the ISP pretty much lets them do whatever they want to. Any malicious activity, and they know where to find them.
Background (Score:4, Interesting)
Trojanised PCs on broadband are the likely cause, and the block is most probably a measure designed to prevent such from happening again.
Re:Background (Score:2, Informative)
Workable Solution??? (Score:3, Interesting)
For most users this would be adequate notification and encouragement to fix the problem.
Re:Workable Solution??? (Score:4, Funny)
Repeat after me: the internet is not the www and vice-versa
good idea (Score:2)
Statistical analysis (Score:5, Insightful)
This is news? TOS Enforcement is new? (Score:5, Insightful)
Finland Too (Score:2, Interesting)
Swedish Telia and Finnish Sonera (both stemming from the old national telephone companies, thus big players) merged into TeliaSonera last year, but still appear under the original names in the respective countries. Certainly they have a single policy on this.
And Sonera especially has lately had serious, even nation-wide trouble delivering emails, due to worms flooding the system. Actually I wonder why it was Telia th
Thank Heavens!! (Score:2, Interesting)
This is a heaven sent, and more ISPs should follow suit.
WHY? (Score:4, Funny)
Re:WHY? (Score:2)
Maybe that's the real reason we went to war... It wasn't Weapons of Mass Destruction, it was Weapons of Mail Distribution.
We used to do this at DirecTV Broadband (Score:2, Interesting)
On the other hand, we also double charged customers, charged $10/mo. extra to turn on NAT in our routers and on occasion continued to bill for months after they canceled (I saw a
Censorship. (Score:3, Interesting)
Just make spam illegal and arrest the fuckers. No need to quash user rights in the process. Of course, I'm American so I have no idea what kind of freedom of speech rights you have in Sweden. Maybe you're already used to this kind of thing.
Re:Censorship. (Score:2, Informative)
Re:Censorship. (Score:2, Interesting)
Many ISPs already will block you if you try to share mp3s etc and they get prodded by your "favourite" record association. And since that type of behavior is already taking place - desirable or not - I personally am almost happy to see one ISP now doing something more constructive with their surveillance as well by trying to stop spam, which really is bad.
But then again, I live in Sweden
Sweden? (Score:3, Funny)
Re:Sweden? (Score:4, Funny)
The wonderful telephone system
And many interesting furry animals
Re:Sweden? (Score:2)
trojans... (Score:3, Insightful)
Leper VLAN (Score:5, Interesting)
If I ran an ISP... (Score:4, Interesting)
1. All users would get a static IP (since there's an expectation that they are always on, there's no point in NOT doing so. In the dialup days you'd have fewer IP addresses than customers, for broadband you can't really do that). Customers having static IPs would make abuse much easier to trace.
2. The initial sign-up would say "Would you like to be protected by our firewall?" with the default option set to YES. The vast majority of normal home users would get some default level of security (known troublesome services, including outbound port 25 filtered, and incoming CIFS filtered etc, plus all Microsoft executables for their ISP email address rejected automatically). People who select NO to this option will be warned of the dangers of doing so, but will have no filtering at all applied to their accounts.
3. A system such as Snort would be run analysing incoming/outgoing traffic and looking for trouble. If a user is trojaned and sending out crap, they get the plug pulled.
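Step 3 above (pull the plug on a host whose outgoing traffic shows it is trojaned) and the earlier suggestion to monitor egress port 25 for suspicious spikes both come down to the same measurement: how many distinct mail servers a single customer address talks to in a short window. A legitimate home user hands mail to one or two relays; a spam engine doing direct-to-MX delivery contacts hundreds. The following is an added Python example, not the poster's code and not anything Snort or Telia ships; the flow records are constructed and the window and threshold are hypothetical values an operator would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # hypothetical sliding window
MAX_DISTINCT_MX = 20             # hypothetical fan-out threshold per window
SMTP_PORT = 25


def build_sample_flows():
    """Constructed flow records (timestamp, src_ip, dst_ip, dst_port); not real traffic."""
    base = datetime(2003, 11, 1, 15, 0, 0)
    flows = []
    # Normal customer: a handful of messages to its ISP's relay over five minutes...
    for i in range(5):
        flows.append((base + timedelta(minutes=i), "192.0.2.10", "198.51.100.25", SMTP_PORT))
    # ...plus ordinary web browsing to many hosts, which must not trip the check.
    for i in range(40):
        flows.append((base + timedelta(seconds=30 * i), "192.0.2.10", f"203.0.113.{i}", 80))
    # Compromised customer: direct-to-MX delivery to 60 distinct hosts in eight minutes.
    for i in range(60):
        flows.append((base + timedelta(seconds=8 * i), "192.0.2.77", f"203.0.113.{100 + i}", SMTP_PORT))
    return flows


def flag_spam_sources(flows, window=WINDOW, threshold=MAX_DISTINCT_MX, port=SMTP_PORT):
    """Return {src_ip: first time the fan-out threshold was crossed}.

    Only flows to `port` count; for each source a deque keeps the hops seen
    within `window`, and the source is flagged once the number of distinct
    destinations in that window reaches `threshold`.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) inside the window
    flagged = {}
    for ts, src, dst, dport in sorted(flows):
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def flagged_summary(flows):
    """Stable, printable form: {src_ip: ISO timestamp}."""
    return {src: ts.isoformat() for src, ts in flag_spam_sources(flows).items()}


if __name__ == "__main__":
    for src, when in flagged_summary(build_sample_flows()).items():
        print(f"{src}: exceeded {MAX_DISTINCT_MX} distinct port-{SMTP_PORT} peers at {when}")
```

The check is deliberately blind to payload, so it fits a provider that may not inspect mail content; it also gives the abuse desk the timestamp at which the host crossed the line, which is what a customer will ask for when the plug is pulled. The same window logic can be pointed at any other port an operator cares about by changing the `port` argument.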
Re:If I ran an ISP... (Score:2)
Yes... this is a very good idea... so why aren't you the president of an ISP? Get your butt in gear my friend because the NET needs you to lead the way!
As for the "commercial" reason in Belgium cited in another reply... the reason for statics not being viable is that they cost more...
Well, that is a concocted abuse of the system.
How would you like it if every time you picked up your cell phone the telco injected a new telephone number? This would allow you to make outgoing calls. If you want to
Re:If I ran an ISP... (Score:2)
The market is saturated. I live on an island whose population is 76,000 and we have not one, but FOUR ISPs already. (One ISP only caters for business though). The wires are sold by a monopoly telco, Manx Telecom (they sell ADSL wholesale to the ISPs).
However, one of the ISPs (Domicilium) has just been granted a license to use the fixed base wireless system to provide 5Mbit/s connectivity, competing with MT's wires. They haven't
Re:If I ran an ISP... (Score:2)
Nice try ... (Score:2, Interesting)
would read better like
Telia will learn that.
CC.
What about all other viruses? (Score:2, Interesting)
Most of them coming from hosts on the Telia network. While I think it's good they are finally doing something good for once (I left Telia when they blocked SMTP), will they do anything about all these Code Red and Nimda and all other old viruses still on many of their customers' systems?
Re:What about all other viruses? (Score:2)
block the hosting ISPs, not the spam source (Score:2)
If you are going to block anybody, block the ISPs that host the web sites and email reply addresses for the spammers - AND LET EVERYBODY KNOW in any error messages you issue. Blocking the real or apparent source of the spam itself is ineffective in the long run.
Re:block the hosting ISPs, not the spam source (Score:2)
The spammers have already thought of that. One thing they do to counter it is to have the URL point to a trojaned PC, and to change the DNS every few minutes to rotate through a large pool of such owned machines.
why is this happening? (Score:3, Interesting)
If I'm the president of Globaldex Inc.* and a Trojan is spamming products for my company, why doesn't someone of authority (aka. Law Enforcement) come to me and ask a few questions. You know, crazy stuff like, who did I contract to send out email advertisements and such.
I'd imagine that if 1000 computers got broken into by a Trojan, and they are spamming for Globaldex, it would be reasonable to consider Globaldex an accomplice until they were able to clear themselves.
Why exactly are people getting away with this?
* Globaldex is not real BTW
Videotron does it, too... (Score:2, Informative)
I do not know how they do the detection part, but one of my colleagues came for advice on how to clean/up secure his own PC, because it was shut down from the network.
Their method is really simple:
Only thing that works... (Score:2)
Way To Go (Score:2)
I used to get many connection attempts on port 135; but not having any active daemon on it, not much happened {though invariably the far end would be listening on that port}.
I cannot think of a single reason why anybody would want to expose ports specific to a Microsoft LAN to the outside world. Sometimes I wish there was a "networthiness" test
What about Telia commercial spammers (Score:2)
These are not all of Telia's blocks but only ones I have received spam from in the past year. Put them in your /etc/mail/access file. E.g.:
Hopefully my ISP isn't providing an example (Score:2)
Ask Slashdot (Score:3, Informative)
Then don't post it here -- send it (in the form of a question) to Ask Slashdot.
Re:Ask Slashdot (Score:2)
We might possibly see the question via Ask Slashdot -- isn't necessarily a dead letter office. Probably not: I assume that the editors get way more Ask Slashdot questions than they post, so it's likely that any given question won't get posted. But it could happen; and in any case, it is the appropriate way to initiate a new topic.
It's not my intention to suppress the issue. But I'm against off-topic discussion, because it dilute
Re:The GPL is a license to Steal (Score:2)
(specifically, Linux's lack of Token Ring support and the fact that we
were unable to defrag its ext2 file system),
This is probably just another drooling idiot trolling, but...
Why were you trying to defrag the file system? This isn't windows! It is rare that defragging will produce any noticeable result (unlike windows, where it is almost a necessity). The reason that you can't find defraggers for ext2 (they actually do exist), is that nobody ever
Re:The GPL is a license to Steal (Score:2)
you can do this already. it is called an SDK, and it is installed with Visual Studio.
Re:I don't get any spam? Why?? (Score:2)
My original email address (dating back to 1995) gets spammed mercilessly, but I don't use it anymore.
Re:Telia (Score:2)
There is no invasion of privacy here, because Telia explicitly denied (in the contract that you're too damned lazy to read--that doesn't remove your responsibility to be held by it) any guarantee or expectation of privacy. If you thought otherwise, then it was because you deluded yourself, despite fair and reasonable attempts by Telia (the other party to the contract) to make their authority clear to you.
I don't like contracts like this, but if you agree to one, then you've go