T-Online abuse address ignoring complaints
For the past two months, I have received many automated warnings that supposedly my mail server was sending spam and/or viruses. It turned out quickly that the real sender of this junk is a T-Online user with a dialup account who sends out daily runs of probably his/her whole address book and sometimes spoofs the e-mail address I used to subscribe to this list. The person may be reading this list, so if your IP address today is 'pD951F606.dip.t-dialin.net[217.81.246.6]', you badly need to clean up your system. It has been sending viruses steadily since March 19th.

I have sent numerous complaints about this to the abuse address of T-Online and T-IPnet already, with logfiles indicating the times and IP addresses from which the junk came. To no avail; they have done nothing so far, other than complaining once about the encoding of the attachments, which they thought was base64 while in fact it was 7bit (readable in any mail reader).

What other options do I have to stop this system from further distributing viruses?

Best regards,
Arjen
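One way to turn mail-server logs into the kind of evidence an abuse desk can act on, as an added example that is not part of Arjen's post: it groups Postfix smtpd connections by client IP and renders the timestamps and queue ids for one source. The log lines are a constructed sample (the t-dialin host and IP are the ones named in the thread), and the format assumed is Postfix's standard `QUEUEID: client=host[ip]` line.

```python
import re
from collections import defaultdict

# Constructed Postfix smtpd log lines (sample data, not the poster's real logs).
# The t-dialin hostname/IP are the ones named in the thread; 192.0.2.10 is a
# documentation address standing in for an unrelated, legitimate client.
SAMPLE_LOG = """\
Jun  4 08:12:01 mx postfix/smtpd[2311]: 8A1F3C2: client=pD951F606.dip.t-dialin.net[217.81.246.6]
Jun  4 08:12:03 mx postfix/smtpd[2311]: 8A1F3C2: message-id=<constructed-1@example.invalid>
Jun  4 08:40:17 mx postfix/smtpd[2320]: 9B2E4D1: client=pD951F606.dip.t-dialin.net[217.81.246.6]
Jun  4 09:05:44 mx postfix/smtpd[2330]: A03F5E9: client=mail.example.invalid[192.0.2.10]
Jun  4 09:31:09 mx postfix/smtpd[2345]: B14A6F0: client=pD951F606.dip.t-dialin.net[217.81.246.6]
"""

# Matches the "QUEUEID: client=host[ip]" line Postfix logs for each accepted message.
CLIENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)


def summarize_clients(log_text):
    """Group accepted SMTP connections by client IP, keeping the reverse-DNS
    name and the (timestamp, queue id) pairs; other log lines are skipped."""
    seen = defaultdict(lambda: {"host": None, "events": []})
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        entry = seen[m["ip"]]
        entry["host"] = m["host"]
        entry["events"].append((m["ts"], m["qid"]))
    return dict(seen)


def top_source(summary):
    """Return (ip, connection count) for the busiest client."""
    ip, entry = max(summary.items(), key=lambda kv: len(kv[1]["events"]))
    return ip, len(entry["events"])


def abuse_report(summary, ip, tz):
    """Render the evidence block for one source. Syslog stamps carry neither
    year nor zone, so the zone is stated on every line (put the year in the
    cover text): a dial-up provider can only match a session to an IP when
    the times are exact."""
    entry = summary[ip]
    lines = [f"Source: {entry['host']}[{ip}]  connections: {len(entry['events'])}"]
    for ts, qid in entry["events"]:
        lines.append(f"  {ts} {tz}  queue-id {qid}")
    return "\n".join(lines)
```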
On Friday 04 June 2004 09:01, Arjen de Korte wrote:
<snip>
> I have sent numerous complaints about this to the abuse address of T-Online and T-IPnet already, with logfiles indicating the times and IP addresses from which the junk came. To no avail; they have done nothing so far, other than complaining once about the encoding of the attachments, which they thought was base64 while in fact it was 7bit (readable in any mail reader).

You and many, *many* other people. I've complained to t-online innumerable times about the behaviour of their users, and have received no feedback whatsoever. I've come to the conclusion that t-online (and especially t-dialin) users are a wretched hive of scum and villainy; and that the company itself simply doesn't care. If I could convince my bosses that blocking t-online ranges at the border was a good idea, I'd have a much easier job as a sysadmin.

> What other options do I have to stop this system from further distributing viruses?

Shovels, pitchforks and other implements of destruction liberally applied to the person responsible. There's no simple way of stopping someone else joe-jobbing you. It would help if anyone knew the correct German police department to complain to. I for one would particularly like to find whoever was 217.234.167.14 (pD9EAA70E.dip.t-dialin.net) at 23:53 on 14/5/04 and point out to them that what they were doing was illegal and punishable by time in prison. (It goes without saying that t-online were informed and there has so far been no response.)

best wishes,
Gideon Hallett.
Gideon Hallett wrote on Friday, 4 June 2004 10:16:
> On Friday 04 June 2004 09:01, Arjen de Korte wrote:
> <snip>
>> I have sent numerous complaints about this to the abuse address of T-Online and T-IPnet already, with logfiles indicating the times and IP addresses from which the junk came. To no avail; they have done nothing so far, other than complaining once about the encoding of the attachments, which they thought was base64 while in fact it was 7bit (readable in any mail reader).
>
> You and many, *many* other people. I've complained to t-online innumerable times about the behaviour of their users, and have received no feedback whatsoever. I've come to the conclusion that t-online (and especially t-dialin) users are a wretched hive of scum and villainy; and that the company itself simply doesn't care.
> If I could convince my bosses that blocking t-online ranges at the border was a good idea, I'd have a much easier job as a sysadmin.
>
>> What other options do I have to stop this system from further distributing viruses?
>
> Shovels, pitchforks and other implements of destruction liberally applied to the person responsible. There's no simple way of stopping someone else joe-jobbing you.
> It would help if anyone knew the correct German police department to complain to.

Hello,

we have had a lot of trouble with Deutsche Telekom & T-Online in the past, too. After several terrible meetings somebody called the "Regulierungsbehörde für Telekommunikation und Post" (http://www.regtp.de/), as they are not only responsible for phone numbers & stuff, but also should provide contacts for electronic problems. As far as I remember, the answer my colleague got was: contact the "Bundesamt für Sicherheit in der Informationstechnik" (http://www.bsi.de/). Well, I had to leave the company in the meantime (7 months ago), so I have no idea what happened next. But maybe it's worth giving it a try ...

> I for one would particularly like to find whoever was 217.234.167.14 (pD9EAA70E.dip.t-dialin.net) at 23:53 on 14/5/04 and point out to them that what they were doing was illegal and punishable by time in prison.
> (It goes without saying that t-online were informed and there has so far been no response.)
>
> best wishes,
> Gideon Hallett.

c y
Torsten
Gideon Hallett wrote:
> I've come to the conclusion that t-online (and especially t-dialin) users are a wretched hive of scum and villainy; and that the company itself simply doesn't care.

Nonsense. The T-Com dialin infrastructure is the base of a huge number of non-permanent internet connections, both for private and for business use (modems, DSL, etc.). T-Online and other German ISPs buy connectivity from T-Com. Among these users are, if you permit the pun, the good, the bad and the ugly -- just like everywhere else in the world.

> If I could convince my bosses that blocking t-online ranges at the border was a good idea, I'd have a much easier job as a sysadmin.

If you could convince your bosses to do so, I'd very much doubt their intelligence. Why not block China or the USA as well? Why not live on an IT island? Millions of people suffer from viruses spoofing sender addresses, and in every country there are infected computers. There is no "realm of evil" that can be isolated.

> I for one would particularly like to find whoever was 217.234.167.14 (pD9EAA70E.dip.t-dialin.net) at 23:53 on 14/5/04 and point out to them that what they were doing was illegal and punishable by time in prison.

Oh boy... I advise you have a beer and get some sleep.

--
Mit freundlichen Grüßen / Yours sincerely
Dipl. Inform. Ralph Seichter
HORUS-IT
Ahornweg 10
D-57635 Oberirsen
Tel +49 2686 987880
Fax +49 2686 987889
http://horus-it.de/
Hi,

On Sat, 2004-06-05 at 12:57, Ralph Seichter wrote:
> Gideon Hallett wrote:
>> I've come to the conclusion that t-online (and especially t-dialin) users are a wretched hive of scum and villainy; and that the company itself simply doesn't care.
>
> Nonsense. The T-Com dialin infrastructure is the base of a huge number of non-permanent internet connections, both for private and for business use (modems, DSL, etc.). T-Online and other German ISPs buy connectivity from T-Com. Among these users are, if you permit the pun, the good, the bad and the ugly -- just like everywhere else in the world.

That's certainly true. But also true is that T-Online does not react to reports about the bad behaviour of some of their customers.

>> If I could convince my bosses that blocking t-online ranges at the border was a good idea, I'd have a much easier job as a sysadmin.

That can't be the solution. Whoever needs to take such measures has already failed at setting up and securing a proper network.

> If you could convince your bosses to do so, I'd very much doubt their intelligence. Why not block China or the USA as well? Why not live on an IT island? Millions of people suffer from viruses spoofing sender addresses, and in every country there are infected computers. There is no "realm of evil" that can be isolated.

So sometimes it would make the job so much easier by just blocking packets from certain operating system types :-o

>> I for one would particularly like to find whoever was 217.234.167.14 (pD9EAA70E.dip.t-dialin.net) at 23:53 on 14/5/04 and point out to them that what they were doing was illegal and punishable by time in prison.

Maybe in your country. You have to find out whether the person actually broke German law. But I have to agree that it's pointless to contact T-Online. They never reacted to my complaints either. I find T-Online addresses to be the common mixture like most other providers too. What's really disturbing are those senseless university networks where almost every IP from a given range seems to be affected by some worm or other and is hammering away against my firewall... That's where operating system related packet dropping would come in handy...

regards,
Tobias W.
Hi,

> That's certainly true. But also true is that T-Online does not react to reports about the bad behaviour of some of their customers.

They have a huge network, so they have a lot of bad guys. Anyway: psi.net, rr.com, nearly all .br, .ru and .ro providers do not answer complaints. No US company ever answered us, as foreigners, when complaining about all sorts of DoS, spam, virus and rootkit attempts. This AFAIK is common policy for all ISPs worldwide. Stay cool, have a beer and secure your systems.

Regards,
Dieter
On Saturday 05 June 2004 12:58, Tobias Weisserth wrote:

(You will, I hope, excuse me for following up to both messages here; but this *is* getting a bit off-topic, and stopping additional subthreads is probably advisable.)

> On Sat, 2004-06-05 at 12:57, Ralph Seichter wrote:
>> Gideon Hallett wrote:
>>> I've come to the conclusion that t-online (and especially t-dialin) users are a wretched hive of scum and villainy; and that the company itself simply doesn't care.
>>
>> Nonsense. The T-Com dialin infrastructure is the base of a huge number of non-permanent internet connections, both for private and for business use (modems, DSL, etc.). T-Online and other German ISPs buy connectivity from T-Com. Among these users are, if you permit the pun, the good, the bad and the ugly -- just like everywhere else in the world.
>
> That's certainly true. But also true is that T-Online does not react to reports about the bad behaviour of some of their customers.

This is the crux. Every network has compromised boxes and malicious users from time to time. But as the owner of an infrastructure, you have the duty to ensure that your users comply with the AUP; and you have the duty to respond to external complaints. If you're not prepared to do that, then you shouldn't be in the position of authority. (And any company that is too big to discipline its users is a) monolithic and b) a danger to the wider 'net.)

>>> If I could convince my bosses that blocking t-online ranges at the border was a good idea, I'd have a much easier job as a sysadmin.
>
> That can't be the solution. Whoever needs to take such measures has already failed at setting up and securing a proper network.

Speaking here as the sysadmin for a hosting company, I have to say that everything *I* have direct control over has a 100% security record. However, as a company, customers give us money to host their servers; and customers come in a range of aptitudes. A depressingly large number of people have no concept of patching; some don't realise that Win2k's FTP server allows anonymous access by default; others complain that their hard drive appears to be shrinking (usually due to all the warez on it!).

It's possible to scan our netblocks every night; but a 24-hour gap is long enough for a box to be rooted in ugly ways. It's also possible to use an IDS to look for evil traffic (and IME it's one of the best ways of detecting cracked boxes); but it's still reactive; and clued crackers *don't* start attacks with massive portscans. There is no simple, proactive way of preventing unauthorised intrusion (short of disconnecting the box entirely!); and I work for a company - we can hardly start refusing customers on the grounds of technical ineptitude (or we'd be cutting 90% of our potential customer base out). As such, network security in a hosting company has to be mainly reactive; every TCP or UDP socket I want to block at the border has to be justified: the security risk of leaving it open against the commercial risk of closing it.

>> If you could convince your bosses to do so, I'd very much doubt their intelligence. Why not block China or the USA as well?

It's considerably harder to block a country, due to the distribution of addresses among the RIRs. http://www.completewhois.com/statistics/data/ips-bycountry/rirstats/DE-cidr.... for example - I count 1488 separate CIDR blocks there; some of which you could aggregate, but it's still a big job. Providers, on the other hand, tend to have nice simple CIDR blocks (since it makes their routing tables nice and small).

>> Why not live on an IT island? Millions of people suffer from viruses spoofing sender addresses, and in every country there are infected computers. There is no "realm of evil" that can be isolated.
>
> So sometimes it would make the job so much easier by just blocking packets from certain operating system types :-o

Yes. And it's tempting, sometimes. However, that sort of behaviour is the Redmond Way *g*

>>> I for one would particularly like to find whoever was 217.234.167.14 (pD9EAA70E.dip.t-dialin.net) at 23:53 on 14/5/04 and point out to them that what they were doing was illegal and punishable by time in prison.
>>
>> Oh boy... I advise you have a beer and get some sleep.

Let's see; the time I spent chasing the customer, advising them that their box had been cracked, backing up what data we could, wiping the box, reinstalling Windows, putting it back in the datacentre - I count some 3 hours spent doing something that was not in itself any form of productive work; and stopped me doing productive work (upgrading to Postfix 2.1 on our mail servers and tuning SMTP reject). That's not including the 30 or so abuse reports I had to deal with. It's inefficient, it's annoying and it costs us money; and since I already work about 50 hours per week, I value my free time quite highly!

> Maybe in your country. You have to find out whether the person actually broke German law.

I'd be very, *very* surprised if breaking in, rooting a box, installing FTP servers, scanning other (German!) networks for weak POP passwords and SQL scanning weren't punishable by some time in prison.

> But I have to agree that it's pointless to contact T-Online. They never reacted to my complaints either.

Of course, one of the funny things about the incident above was that 2 of the abuse reports came *from* T-Online users - I pointed them straight back to their own provider and said 'Good luck' (- as well as telling them that our customer's box had been disconnected from our network). I had better abuse response from the tiny Indonesian provider I chased about their user than *any* of the T-online reports. (Admittedly, the Indonesian police and prisons are probably a bit scarier to script kiddies.)

> I find T-Online addresses to be the common mixture like most other providers too. What's really disturbing are those senseless university networks where almost every IP from a given range seems to be affected by some worm or other and is hammering away against my firewall... That's where operating system related packet dropping would come in handy...

Agreed. I've been tempted to investigate Snort's flexresp rules on a number of occasions; but anything I do that blocks legit traffic loses the company money; and is thus Not On.

best wishes,
Gideon.
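The aggregation step Gideon mentions for the DE-cidr list, as an added example that is not part of the original message: it collapses overlapping and adjacent prefixes into the minimal covering set, reports how many entries that saves, and checks whether an address falls inside the result. The prefix list is a constructed sample, not the real data from the link above.

```python
import ipaddress

# Constructed sample prefixes (not the DE-cidr data from the completewhois
# link in the thread); chosen so that containment and adjacency both occur.
SAMPLE_CIDRS = [
    "217.81.246.0/24",   # fully contained in 217.81.0.0/16 below
    "217.80.0.0/16",
    "217.81.0.0/16",     # adjacent to 217.80.0.0/16 -> both become 217.80.0.0/15
    "217.234.0.0/16",
    "217.235.0.0/16",    # adjacent -> both become 217.234.0.0/15
    "62.156.0.0/16",
    "62.156.128.0/17",   # contained in 62.156.0.0/16
]


def aggregate_prefixes(cidrs):
    """Collapse overlapping and adjacent CIDR blocks into the smallest set of
    prefixes covering exactly the same addresses. IPv4 and IPv6 are handled
    separately because ipaddress.collapse_addresses() rejects mixed versions."""
    v4 = [ipaddress.ip_network(c, strict=False) for c in cidrs if ":" not in c]
    v6 = [ipaddress.ip_network(c, strict=False) for c in cidrs if ":" in c]
    merged = list(ipaddress.collapse_addresses(v4))
    merged += list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in merged]


def prefix_reduction(cidrs):
    """Return (entries before, entries after) so the saving can be reported."""
    return len(cidrs), len(aggregate_prefixes(cidrs))


def is_covered(ip, prefixes):
    """True if ip lies inside any prefix of the (already aggregated) list.
    Using the aggregated list gives the same answer as the raw one with
    fewer comparisons, which is the whole point of collapsing a filter."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    agg = aggregate_prefixes(SAMPLE_CIDRS)
    before, after = prefix_reduction(SAMPLE_CIDRS)
    print(f"{before} prefixes collapse to {after}: {agg}")
    # 217.81.246.6 is the t-dialin address named earlier in the thread
    print("217.81.246.6 covered:", is_covered("217.81.246.6", agg))
```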
* Ralph Seichter;
> Gideon Hallett wrote:
>> I for one would particularly like to find whoever was 217.234.167.14 (pD9EAA70E.dip.t-dialin.net) at 23:53 on 14/5/04 and point out to them that what they were doing was illegal and punishable by time in prison.
>
> Oh boy... I advise you have a beer and get some sleep.

Make it two and also make sure they are cold as well. As far as I am concerned, if you are dealing with T-online or T-com or T-mobile (in other words Deutsche Telekom) you need lots of patience, and no, I do not believe you will get an answer even if you do have the patience. Hence get ice cold beers, relax. If they are not causing harm to your system but just annoying you, remember: relax, drink beer; if it continues, drink another. It isn't worth the hassle with T-*. No, do not get drunk :-)

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list;
http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
participants (7)
- Arjen de Korte
- Dieter Kirchner
- Gideon Hallett
- Ralph Seichter
- Tobias Weisserth
- Togan Muftuoglu
- Torsten E.