ISP - Impressed by reluctancy - Spreading Worm


nicejerk

Posted

I do not know elsewhere to look for answers, so if any of you could help me with the following:

For 2 weeks, we were receiving 30-50 e-mails a day from *.*.*.*, containing the sober.g worm. After 10 days, I complained to the ISP, because I was getting concerned, both for the spoofing and perhaps vulnerable clients. Two days later, I followed up on that complaint, because I could see the IP # had changed (user reconnected) and we were still getting same amount of mail, containing the virus from this one user. I was informed, that because of "client policy" the ISP could not give me any information about the client, but said the ISP had issued a warning and disconnected the client. BUT, the ISP only disconnected the client (maybe for a second or so), so the client could reconnect, with a different IP #, and probably "hoping" this problem would "disappear". That of course didn't happen. I was getting mad, because this user was sending spoofed mail, pretending to be sent from us, and thereby damaging our "fine reputation" and only generating traffic on servers. Finally this morning, after reading through lots of mail addresses, I thought I had narrowed the problem down to a specific customer of ours, and luckily I was right. I could inform the user, that he was causing damage, not only to us but to everyone else listed in his mail database. He promised to fix this (I'll give him time until Monday). I am only glad that I found the root of the problem, but the ISP did not do anything to help solving this (except disconnecting the abuser twice, maybe for totally 2 seconds). I think it is very irresponsible way the ISP reacted.

1. I wonder, if this could have continued forever, if I would not have found the abuser by myself? What are my options?

2. Is there no obligation the ISP has, regarding stopping spam and virus distribution?

I sincerely hope anyone of you could advise me on this (common practice, accepted practice).

Best regards,

nicejerk

Posted

There are irresponsible ISPs who do nothing about infected machines, however, in my experience, they are in the minority.

I am assuming, of course, since you mention IP addresses, that you understand how to read headers and were reporting to the proper IP address (numbers that look like this xxx.xxx.xx.xxx). I am not sure that you can find the 'infected user' by reading email addresses since most worms/viruses spoof any address that is present in the email. I am not technically fluent, but I don't think anyone but the ISP can determine from the headers who the user is. Therefore I don't really know whether you were reporting to the proper abuse desk or not.

You cannot report viruses through spamcop, but you can parse the headers to determine the proper abuse address, then cancel the report.

Miss Betsy

Posted

All the virus mails were stamped with the same IP address, even though the virus spoofed where it was sent from in the address bar. There is no confusion there.

I found the abuser after reading through the returned mails "Mail Delivery Subsystem..Returned Mail...." (returned because of nonexistence/unreachable, but spoofed and sent by the sober.g). That list gave me the hints I needed, to recognise names/version of names that helped me identifying the source. In this case, I identified one e-mail address in that list, that was pretty unique and probably identified the host. To verify that, I contacted and asked the person to tell me the IP number of the PC via http://www.simflex.com/ip.shtml. The person's IP number matched that one from the mails.

As I said before, I was very lucky to be able to identify the source, but I would like to have seen more activity/aggressive work from the ISP. Especially after giving them all necessary info, both IP no. and Worm. Irresponsible!!

While writing this, I came to think of the 7 years sentence for spamming. There is no mention of ISP in that, so I might be pissing against the wind with my query.

A penny for your thoughts,

'Ottar
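
The header check described in this post, as an added example that is not part of the original thread: it reads the Received line written by the receiving server and tallies the connecting IP, ignoring the spoofed From and any forged Received lines below it. The hostname `mx.example.org`, the function names and all sample messages are assumptions constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

TRUSTED_MX = "mx.example.org"  # assumption: hostname of our own inbound server

BY_HOST = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def stamped_ip(raw, trusted_mx=TRUSTED_MX):
    """Return the peer IP our own server recorded for this message, or None.

    Received headers are prepended hop by hop, so the topmost one written by
    trusted_mx is the only one the sender could not forge.
    """
    for received in message_from_string(raw).get_all("Received", []):
        by = BY_HOST.search(received)
        if by and by.group(1).lower() == trusted_mx:
            peer = PEER_IP.search(received[:by.start()])
            return peer.group(1) if peer else None
    return None


def tally_sources(raw_messages):
    """Count messages per stamped peer IP, ignoring the spoofed From."""
    return Counter(ip for ip in map(stamped_ip, raw_messages) if ip)


def _sample(peer_ip, spoofed_from):
    # Constructed message: our server's hop on top, a forged hop below it.
    return (
        f"Received: from pc (unknown [{peer_ip}])\n"
        "\tby mx.example.org with ESMTP; Fri, 4 Jun 2004 09:00:00 +0200\n"
        "Received: from mail.example.org ([203.0.113.9])\n"
        "\tby mx.example.org with SMTP; Fri, 4 Jun 2004 08:59:00 +0200\n"
        f"From: {spoofed_from}\n"
        "Subject: constructed sample\n"
        "\n"
        "body\n"
    )


SAMPLES = [
    _sample("192.0.2.45", "sales@example.org"),
    _sample("192.0.2.45", "info@example.org"),
    _sample("198.51.100.7", "someone@example.net"),  # same user after a reconnect
]
```

The IP with the highest count in `tally_sources(SAMPLES)` is the one to look up for the abuse contact; a dynamic address shows up as several entries over time.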

Posted
While writing this, I came to think of the 7 years sentence for spamming. There is no mention of ISP in that, so I might be pissing against the wind with my query.

A penny for your thoughts,

No, the ISPs are 'innocent' because the users are so idiotic that they can't control them. <sarcasm>

Seriously, it will be hard to hold the ISPs responsible legally. If they ever do, I intend to file suit for every porn spam as sexual harassment.

Sometimes you can go upstream if the ISP doesn't respond. Actually, most don't respond, but the viruses stop.

Miss Betsy

Posted
<snip>

2. Is there no obligation the ISP has, regarding stopping spam and virus distribution?

I sincerely hope anyone of you could advise me on this (common practice, accepted practice).

Best regards,

nicejerk

Hi, nicejerk,

...My guess would be that you'd have to write this condition into your agreement with your ISP. If your ISP won't accept such a condition, you might want to try shopping for one who will.

...Since I don't deal with ISPs, I don't know the common or accepted ISP practice.

Archived

This topic is now archived and is closed to further replies.
