Kudos again to zombie-slaying Sky.com

Thu, 03 Apr 2008 08:59:39 -040
Sky broadband has again replied to one of my SpamCop reports to say they
took out a zombie PC. They are acting now inside of 5 days of the SC
report. Evidence of the zombie IP can be found on the CBL:
http://cbl.abuseat.org/lookup.cgi?ip=90.197.194.204
In the report, it says "The account concerned has been identified and
suspended under the terms of the Sky Broadband Acceptable Use Policy."
I read their AUP at http://www.sky.com/portal/site/skycom/usage and it

Re: Kudos again to zombie-slaying Sky.com

Thu, 03 Apr 2008 09:12:12 -050
Sofa King Tyred of Lar Ting wrote:
> Sky broadband has again replied to one of my SpamCop reports to say they
> took out a zombie PC. They are acting now inside of 5 days of the SC
> report. Evidence of the zombie IP can be found on the CBL:
> http://cbl.abuseat.org/lookup.cgi?ip=90.197.194.204
>
> In the report, it says "The account concerned has been identified and
> suspended under the terms of the Sky Broadband Acceptable Use Policy."
>
> I read their AUP at http://www.sky.com/portal/site/skycom/usage and it
> should be a model for lots of ISPs IMO.
An ISP should have a procedure to do a security scan of an I.P. address
as soon as they receive a spamcop.net report on it. DSBL.ORG has a set
of tests suitable for such purposes.
If the scan shows a hit, then they can isolate it immediately.
An ISP can also do zone transfers from cbl.abuseat.org, list.dsbl.org,
unconfirmed.dsbl.org and other lists, and extract their I.P.
addresses from them.
The security officer for the ISP that I used to have posted on an
internal forum that they were pulling down updates from cbl.abuseat.org
and list.dsbl.org on an hourly basis. He was hired after two other major
ISPs started refusing e-mail from them on a regular basis. Before
he was hired, the ISP appeared to let abuse reports queue up for
more than a week based on then-available spamcop.net, senderbase, and
news.admin.net-abuse.sightings data.
In short, 5 days is way too long for a commercial ISP to allow a zombie
to be used by criminals.
When I worked in a support group for a private network that was almost
as large as a small town ISP, the technicians could isolate a
compromised system in about 15 minutes, and 10 minutes of that was the
travel time back to the network management console, since they had other
duties. In that situation, network downtime cost more per minute than I
make in a month now.
Other people claiming to run ISPs have posted here in the past that they
have automated the procedures for identifying and isolating zombies
because it saves them operating costs.
So a commercial ISP really has no excuse to allow a zombied machine to
remain accessible more than a few minutes after they receive an abuse
report, or for more than an hour after it shows up on a popular public
DNSbl.
-John
wb8tyw@qsl.network
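The procedure John describes in the post above (pull down a DNSBL zone, extract the listed addresses, and match them against the ISP's own address space so the affected customers can be isolated) as an added example; this is not code from the thread nor from the CBL or DSBL projects. The zone excerpt, the zone apex cbl.example.test and the ISP prefixes are constructed for the example; 90.197.194.204 is the address reported in the thread. The example also shows how a live DNSBL lookup name is formed, since the same octet reversal is what the zone records encode.

```python
import ipaddress

# Constructed excerpt of a DNSBL zone as a zone transfer would deliver it
# (not real CBL or DSBL data). DNSBL records carry the listed address with
# its octets reversed as the owner name, and an A record in 127.0.0.0/8
# as the listing code. The zone apex cbl.example.test is an assumption.
SAMPLE_ZONE = """\
; constructed excerpt, zone apex cbl.example.test
$TTL 300
204.194.197.90 IN A 127.0.0.2
17.2.0.192.cbl.example.test. IN A 127.0.0.2
9.0.0.10 A 127.0.0.2
not-an-address IN TXT "ignored"
"""

# Address blocks the hypothetical ISP announces; constructed for the example.
ISP_PREFIXES = ["90.197.0.0/16", "192.0.2.0/24"]


def dnsbl_query_name(ip, zone):
    """Build the name a live DNSBL lookup would query: reversed octets under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def parse_zone(text):
    """Return {listed_ip: listing_code} from a DNSBL zone dump.

    Owner names may be relative (four reversed octets) or fully qualified;
    only the first four labels are the reversed address. Records whose RDATA
    is outside 127.0.0.0/8 are not listings and are skipped, as are comments,
    directives and non-A records.
    """
    listing_codes = ipaddress.IPv4Network("127.0.0.0/8")
    listed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("$"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[-2].upper() != "A":
            continue
        labels = fields[0].rstrip(".").split(".")[:4]
        try:
            ip = ipaddress.IPv4Address(".".join(reversed(labels)))
            code = ipaddress.IPv4Address(fields[-1])
        except ipaddress.AddressValueError:
            continue
        if code in listing_codes:
            listed[str(ip)] = str(code)
    return listed


def listed_in_prefixes(listed, prefixes):
    """Listed addresses inside the ISP's own prefixes, i.e. the customers
    to isolate, returned in address order."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    hits = [ipaddress.IPv4Address(ip) for ip in listed
            if any(ipaddress.IPv4Address(ip) in n for n in nets)]
    return [str(ip) for ip in sorted(hits)]


if __name__ == "__main__":
    for ip in listed_in_prefixes(parse_zone(SAMPLE_ZONE), ISP_PREFIXES):
        print(ip, "-> live lookup name:", dnsbl_query_name(ip, "cbl.example.test"))
```

Run hourly against a fresh zone transfer, as the post describes, the output of listed_in_prefixes is the isolation queue; addresses outside the ISP's prefixes are dropped rather than acted on, and a listing code outside 127.0.0.0/8 is treated as a non-listing.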

Re: Kudos again to zombie-slaying Sky.com

Thu, 3 Apr 2008 11:31:45 -0500
"Sofa King Tyred of Lar Ting" <nobody@devnull.spamcop.net> wrote
in message
news:ft2t95$g8a$1@news.spamcop.net...
> John Malmberg wrote:
> [interesting stuff snipped]
>> So a commercial ISP really has no excuse to allow a zombied machine to
>> remain accessible more than a few minutes after they receive an abuse
>> report, or for more than an hour after it shows up on a popular public
>> DNSbl.
>
> Agreed. I got the "kill report" within 4-5 days of the SC report. CBL
> showed the IP detected 1.5 days ago I think, so I suspect that Sky let it
> go for more than 3 days. You're dead-on about ISPs having a financial
> interest in pro-actively hunting zombies.
>
> Still, I wonder what the average "kill time" is. Sky must be on the better
> end of the spectrum?
Outside of corporate networks, I personally haven't heard of infectees
being, in any way, shut down, notified, or otherwise bothered by being a
zombie other than the hassle factor of multiple infections popping up ads
and generally making the computer a total pain to use.

Re: Kudos again to zombie-slaying Sky.com

Thu, 03 Apr 2008 11:31:52 -040
John Malmberg wrote:
[interesting stuff snipped]
> So a commercial ISP really has no excuse to allow a zombied machine to
> remain accessible more than a few minutes after they receive an abuse
> report, or for more than an hour after it shows up on a popular public
> DNSbl.
Agreed. I got the "kill report" within 4-5 days of the SC report. CBL
showed the IP detected 1.5 days ago I think, so I suspect that Sky let
it go for more than 3 days. You're dead-on about ISPs having a financial
interest in pro-actively hunting zombies.
Still, I wonder what the average "kill time" is. Sky must be on the

Re: Kudos again to zombie-slaying Sky.com

Thu, 03 Apr 2008 12:54:00 -040
Bar0 wrote:
> Outside of corporate networks, I personally haven't heard of infectees
> being, in anyway, shut down, notified, or otherwise bothered by being a
> zombie other than the hassle factor of multiple infections popping up
> ads and generally making the computer a total pain to use.
I'm not arguing with you about how much it's truly done, but the
following article is from 2005: