Pipex 'silence' condemned punters' emails to spam blackhole

ISP blocked for a week after 'ignoring' complaints

Analysis: Pipex subscribers struggled to send emails for several days after antivirus biz Trend Micro declared the ISP's network a source of spam.

Messages sent via Pipex's servers were either blocked or deliberately delayed by internet providers and businesses that rely on Trend Micro's services to filter emails.

El Reg stepped in to investigate Pipex's blacklisting after a reader complained to us about the week-long blockade.

"It is murder for businesses like mine as we don't know whether Pipex emails will be rejected at the moment - and this type of delay blocking takes three days to bounce back," he said.

Trend Micro said the decision to classify Pipex's IP blocks as a source of unwanted email was not taken lightly, and insisted it was right in doing so.

"The IP addresses of the Pipex MTA [mail transport agent] have been sending spam and also malicious emails, probably because they have client PCs on their network that are infected and originating spam," Rik Ferguson, director of security research and communication at Trend Micro explained.

"We would love for the ISP to work with us to help them get this cleaned up; it's not a false positive," he added.

Pipex is owned by TalkTalk, which we have chased for an explanation about the block since Tuesday, 14 May, soon after our reader first got in touch. The blockade was lifted the following day.

"I think you raising the subject was enough - problem has now disappeared," our chuffed reader said. "The Trend AV-equipped Exchange servers, which were not accepting or delaying my Pipex mail, have now all started accepting it as per usual."

Despite putting in several emails and phone calls over the course of more than a week, The Reg has yet to receive a substantive explanation from (the ironically named) TalkTalk on how its systems ended up on a spam blacklist.

Even though the email blockade was eventually lifted, the cause, and what can be done to prevent a repeat of this blunder, are surely worthy of comment.

The same lack of communication from TalkTalk was, we're told, a key factor in Trend identifying Pipex's network as a source of spam in the first place.

Silence of the LANs

In a detailed email, Ferguson said that before Trend Micro's Realtime Blackhole List - a message reputation checking service - slams the ban-hammer on an ISP's network, the accused telco is given two chances to explain itself.

Only in cases where there is both no communication and no improvement in spam levels is a blacklisting applied. Ferguson said Trend Micro contacted Pipex after monitoring a "fairly wide spectrum" of phishing, unlicensed pharmacy and malware-tainted spam mails spewing out of the broadband ISP's network. Its grievances - which allegedly received no response, hence the ban - can be found here.

IP addresses are removed from the blacklists either automatically if they were under a short-term ban or manually if the spam stops.

Ferguson explained:

There are two kinds of listings that Trend Micro does. The first kind is a fully automated response to spam - when we see our customers being affected by a spam run, we put the origin addresses on a short-term list.  This list is used by our customers to temporarily delay messages from that origin address, or to mark it differently as mail is accepted. These listings are particularly effective against bot-originated spam. The listings automatically expire after a period of time, which varies in response to the frequency of listing.

The second kind is the RBL - the Realtime Blackhole List.  Addresses are added to the RBL by an entirely manual process - there is no automation here. When our investigators find a pattern of spam over time, they will compile an RBL nomination. The nomination consists of representative spam samples, addresses, and other information which the investigator deems appropriate to the case. The nomination is then emailed to the registered abuse address for the address(es) affected. The investigator waits for, and documents, any responses received. If the spam does not stop, the investigator then sends the nomination up for a pending listing, which is reviewed by a manager. If approved, a second notice is automatically sent to the registered abuse address, and the listing is made active.

Once an RBL listing is made, we require the ISP to take effective action to stop the spam.  We monitor this action, and if the investigator sees the spam stop, they will remove the listing.

Because there are multiple people involved with checking an RBL listing, it is exceedingly rare that a mistake is made. In each case of an RBL listing, we have spam-on-hand, and can produce that on request for the ISP. The size of the ISP behind any given IP address is not a factor in our decision to list on the RBL; the fact that we have spam from that address, and that there has been no action to reduce the spam, is.

Because the ISP receives at least two notices from us, we feel that they have adequate time to deal with the problem.

Ferguson added that an internet service provider simply has to answer messages sent to its official abuse email address to keep its IP addresses off the blacklist.

"It's really that simple. As long as we see regular communications from the ISP, and the spam is reducing, no RBL listing will be made. Many ISPs choose not to man their abuse desk, use automation to 'direct' complaints to end users, or (worst of all) spam filter their abuse desk address," Ferguson explained.

"Naturally, these are often the same ISPs that claim that an RBL listing is a 'false positive'. We just want the spam to stop," Ferguson concluded. ®
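The practical check an admin in our reader's position wants is whether a given MTA address is currently listed by a DNS-based blackhole list. The example below is added here and is not from the article or from Trend Micro: it shows the standard DNSBL lookup (IPv4 octets reversed under the list's zone, with an answer in 127.0.0.0/8 meaning "listed"). The zone name and the return-code meanings are assumptions, and the resolver used in the demo is a constructed stand-in so the code runs offline.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Placeholder zone: the article names Trend Micro's RBL but not its DNS zone,
# so this is an assumed example zone, not a real Trend Micro endpoint.
DNSBL_ZONE = "rbl.example.invalid"

# Conventional DNSBL return codes live in 127.0.0.0/8; the meanings below are
# illustrative (each list publishes its own) and only show the decoding step.
RETURN_CODES = {
    "127.0.0.2": "listed: spam source",
    "127.0.0.3": "listed: compromised host / bot",
}

def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def lookup(ip: str, resolve: Callable[[str], Optional[str]],
           zone: str = DNSBL_ZONE) -> dict:
    """Query the list; no answer (NXDOMAIN) means 'not listed'."""
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    if answer is None:
        return {"ip": ip, "listed": False, "reason": None}
    reason = RETURN_CODES.get(answer, f"listed: code {answer}")
    return {"ip": ip, "listed": True, "reason": reason}

def live_resolver(name: str) -> Optional[str]:
    """Real lookup via the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

# Constructed offline resolver standing in for the list's DNS answers.
CONSTRUCTED_ANSWERS = {
    "4.3.2.1." + DNSBL_ZONE: "127.0.0.2",   # 1.2.3.4 listed as a spam source
}

def offline_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)

if __name__ == "__main__":
    for ip in ("1.2.3.4", "9.9.9.9"):
        print(lookup(ip, offline_resolver))
```

Swap `offline_resolver` for `live_resolver` and the placeholder zone for the list you actually subscribe to, and the same call tells you whether an outbound relay is listed before your users start seeing deferrals.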

Updated to add

A TalkTalk spokesperson got in touch late on Thursday to confirm "a number of customers’ computers were infected with malicious software and started sending out spam", and added: "We have taken measures to tackle the problem."
