[Scspamcop] Re: Kudos again to zombie-slaying Sky.com

John Malmberg wb8tyw at qsl.network
Thu Apr 3 10:12:12 EDT 2008


Sofa King Tyred of Lar Ting wrote:
> Sky broadband has again replied to one of my SpamCop reports to say they 
> took out a zombie PC. They are acting now inside of 5 days of the SC 
> report. Evidence of the zombie IP can be found on the CBL: 
> http://cbl.abuseat.org/lookup.cgi?ip=90.197.194.204
> 
> In the report, it says "The account concerned has been identified and 
> suspended under the terms of the Sky Broadband Acceptable Use Policy."
> 
> I read their AUP at http://www.sky.com/portal/site/skycom/usage and it 
> should be a model for lots of ISPs IMO.

An ISP should have a procedure to do a security scan of an I.P. address 
as soon as they receive a spamcop.net report on it.  DSBL.ORG has a set 
of tests suitable for such purposes.

If the scan shows a hit, then they can isolate it immediately.

An ISP can also do zone transfers from cbl.abuseat.org, list.dsbl.org, 
unconfirmed.dsbl.org and other lists, and extract the I.P. addresses 
from them.

The security officer for an ISP that I used to have posted on an internal 
forum that they were pulling down updates from cbl.abuseat.org and 
list.dsbl.org on an hourly basis.  He was hired after two other major 
ISPs started refusing e-mail from them on a regular basis.  Before he was 
hired, the ISP appeared to let abuse reports queue up for more than a 
week, based on then-available spamcop.net, senderbase, and 
news.admin.net-abuse.sightings data.

In short, 5 days is way too long for a commercial ISP to allow a zombie 
to be used by criminals.

When I worked in a support group for a private network that was almost 
as large as a small town ISP, the technicians could isolate a 
compromised system in about 15 minutes, and 10 minutes of that was the 
travel time back to the network management console, since they had other 
duties.  In that situation, network downtime cost more per minute than I 
make in a month now.

Other people claiming to run ISPs have posted here in the past that they 
have automated the procedures for identifying and isolating zombies 
because it saves them operating costs.

So a commercial ISP really has no excuse to allow a zombied machine to 
remain accessible more than a few minutes after they receive an abuse 
report, or for more than an hour after it shows up on a popular public 
DNSbl.

-John
wb8tyw at qsl.network
Personal Opinion Only
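The two mechanical steps in the post, checking a single reported I.P. against a DNSbl and turning a pulled-down copy of the list into "which of our customers are listed", as an added example that is not part of the original message or any ISP's tooling. It is written in Python, assumes the list feed is in ordinary zone-file syntax (whatever the operator actually grants, rsync or AXFR, the parsing is the same), and every record in SAMPLE_ZONE and the 90.192.0.0/13 and 203.0.113.0/24 "customer" prefixes are constructed assumptions, not real listings or any ISP's allocation:

```python
"""Helpers for the zombie-triage workflow the post describes: check a single
reported IP against a DNSBL, and turn a whole zone dump into the list of
listed addresses inside the ISP's own netblocks.

DNSBLs such as cbl.abuseat.org and list.dsbl.org key listings by the IP's
octets in reverse order (90.197.194.204 is looked up as
204.194.197.90.cbl.abuseat.org), and a listed entry answers with an A record
in 127.0.0.0/8.  Zone dumps are assumed to be in zone-file syntax here; the
list operator's real feed format may differ.
"""
import ipaddress

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

# Constructed sample zone dump (not a real listing snapshot).
SAMPLE_ZONE = """\
$ORIGIN cbl.abuseat.org.
@                IN SOA ns.example.net. hostmaster.example.net. 1 3600 900 604800 300
@                IN NS  ns.example.net.
; constructed records: relative owner, inherited owner, TTL, FQDN owner
204.194.197.90   IN A   127.0.0.2
                 IN TXT "see http://cbl.abuseat.org/lookup.cgi?ip=90.197.194.204"
1.2.0.192  3600  IN A   127.0.0.2
77.113.0.203.cbl.abuseat.org. IN A 127.0.0.2
5.0.0.10         IN A   10.0.0.5   ; answer outside 127/8: not a listing
"""


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name to query for `ip` in DNSBL `zone` (reversed octets)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def is_listed_response(rdata: str) -> bool:
    """True if an A-record answer means 'listed' (any address in 127/8)."""
    try:
        return ipaddress.IPv4Address(rdata) in LISTED_RANGE
    except ValueError:
        return False


def parse_zone_dump(text: str, zone: str) -> set:
    """Return the set of listed IPv4 addresses (as strings) in a zone dump.

    Handles relative owner names, fully-qualified names inside the zone,
    optional TTL and class fields, ';' comments, and the zone-file rule that
    a record starting with whitespace reuses the previous owner name.  Only
    A records pointing into 127/8 count; SOA, NS and TXT are ignored.
    """
    suffix = "." + zone.rstrip(".") + "."
    listed = set()
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        fields = line.split()
        if raw[0].isspace():
            owner, rest = last_owner, fields          # inherit previous owner
        else:
            owner, rest = fields[0], fields[1:]
        last_owner = owner
        if rest and rest[0].isdigit():                # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        if len(rest) < 2 or rest[0].upper() != "A" or owner in (None, "@"):
            continue
        if owner.endswith(suffix):
            owner = owner[: -len(suffix)]
        elif owner.endswith("."):
            continue                                  # FQDN outside this zone
        labels = owner.split(".")
        if len(labels) != 4 or not all(l.isdigit() for l in labels):
            continue
        ip = ".".join(reversed(labels))
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            continue
        if is_listed_response(rest[1]):
            listed.add(ip)
    return listed


def listed_in_our_space(listed_ips, our_prefixes) -> list:
    """Intersect listed addresses with the ISP's own netblocks, sorted."""
    nets = [ipaddress.IPv4Network(p) for p in our_prefixes]
    hits = sorted(ipaddress.IPv4Address(ip) for ip in listed_ips)
    return [str(a) for a in hits if any(a in n for n in nets)]


if __name__ == "__main__":
    # Hypothetical customer prefixes; not any ISP's real allocation.
    ours = ["90.192.0.0/13", "203.0.113.0/24"]
    print("query:", dnsbl_query_name("90.197.194.204", "cbl.abuseat.org"))
    for ip in listed_in_our_space(parse_zone_dump(SAMPLE_ZONE, "cbl.abuseat.org"), ours):
        print("isolate:", ip)
```

For the live per-report check, resolve the name dnsbl_query_name returns with whatever resolver the abuse desk already uses: an A answer inside 127/8 is a listing, NXDOMAIN is a clean result. The zone-dump path is what makes the "hourly pull, then isolate" loop in the post cheap, since the intersection with your own prefixes is a local computation and no per-customer query ever leaves the network.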

