Eircom.net and SPAM...................!

Dinarius

The virus attachments, so called "Microsoft Security Updates" or "Microsoft Security Patches" or any other of the dozen or so guises that they come in, have now reached epidemic proportions.

A couple of months ago, I was receiving about three or four of these a day. I have just downloaded 120 emails (119 SPAM!) of which 27 were these MSF viruses!

I normally use a wireless broadband connection (in Brussels), but, here in Dublin, I only have a 56k (actually, about 38k and slowing!) dial-up connection.

With these "patches" or "updates" varying in size from 117kb to 159kb, in my experience, they massively increase the download time of email on a 56k connection.

Every six year old child, with a day's experience on the internet, knows that Microsoft NEVER! send anything via email. If they do email you, it will only be to direct you to their website.

It would be the simplest thing in the world for Eircom to set up a message rule which blocks any message with Microsoft in the subject or from lines AND including an attachment. This would kill this plague of SPAM while allowing through genuine MSFT correspondence.

Eircom are now the only major ISP in these islands who still haven't installed anti-spam software.

Dire!

Dinarius

Just found a solution.

I'm using Outlook 2002.

Tools/Send Receive Settings/...........Define Send Receive Groups/Edit

Then check the box which says, "Download only item description for items larger than.."

I've set it at 20Kb. Plenty for the average email.

Not sure if this can be done with earlier versions or with Outlook Express, but it probably can.

D.

jd

Originally posted by Dinarius


It would be the simplest thing in the world for Eircom to set up a message rule which blocks any message with Microsoft in the subject or from lines AND including an attachment. This would kill this plague of SPAM while allowing through genuine MSFT correspondence.

devil is in the detail..:)
what if someone in microsoft sends an eircomnet customer an atachment?..
actually a high proportion of this particular spam gets filtered..problem is any kind of mail filtering does mean the mail relays take a performance hit..

Dinarius

Read my post. ;-)

Micorsoft never send attachments with emails. They only direct you to their site.

If, say, someone in Microsoft in Sandyford sent you an email with an attachment (a private correspondence, for example) then it would have a genuine Microsoft email address. None of the spam viruses do.

I can't see any reason why this couldn't be set up.

D.

Nuphor

Dinarius is totally correct. Microsoft never EVER send attachments with emails. Even if it's something small, they upload it to their site instead.

jd

Originally posted by Nuphor
Dinarius is totally correct. Microsoft never EVER send attachments with emails. Even if it's something small, they upload it to their site instead.

actaully i did get doc attachments from someone in ms (twas a few years ago though) ..
you have to be very careful re false positives in situation like this.

Dinarius

jd,

Again, read my (last) post. ;-)

Any Eircom anit-virus message rule could simply allow through messages from genuine Microsofts addresses.

All the rest, the viruses, could be deleted.

D.

jesus_thats_gre

They do on occassion. What if an employee send you a personal email with an attachment for example?

Dinarius

Holy s***!!!

Do you people ever read before you post????!!!!!!

D.

;-)

dahamsta

Procmail rule for Gibe:

:0 HB:
* .*[url]http://www.microsoft.com/info/cpyright.htm.*[/url]
/path/to/quarantine

("Copyright" is spelt wrong in the footer. If you want to be sure, to be sure, you should probably add rules for size and possibly even a string in the executable, but this is catching everything for me. No false positives so far.)

jd

Originally posted by Dinarius
jd,

Again, read my (last) post. ;-)

Any Eircom anit-virus message rule could simply allow through messages from genuine Microsofts addresses.

All the rest, the viruses, could be deleted.

D.

How do you verify with 100% accuracy?
as I said a lot of these cviruses are caught..but it is non-trivial...

seamus

I think Dinarius, the point is that no matter what you filter out, you run the risk of deleting genuine email.

What if, not being able to locate a patch or update, someone gets their friend in Microsoft to email them the necessary patch?

Or even a non-Microsoft friend to email the patch with the subject line "Critical update patch from Microsoft"?

It's a rare one, but it's a possibility. The goal, when using filter software, is to filter out all the viruses, and deliver all the genuine mail.

Best would be (if possible) to filter messages by the source IP until the machine owner can verify they're virus-free. But that's a labour-intensive solution.

Frank Grimes

How would Eircom's mail server know if the email address is genuine?

Dinarius

Frank,

In the last week, I have received 11 emails from various parts of the Microsoft behemoth.

I have just opened them all, and the addresses ALL end in microsoft.com.

Eircom could set up this mail filter in a matter of minutes.

D.

Frank Grimes

As other people said, that could block legitimate emails too.

Dinarius

"What if, not being able to locate a patch or update, someone gets their friend in Microsoft to email them the necessary patch?"

If anything with an address ending in microsoft.com is allowed through, then any email containing an attachment would get through too.

Right?

All those MSFT spam patches and updates come from other addresses.

I really don't see this as a problem, but the alarming increase in those virus spams certainly is.

D.

seamus

If anything with an address ending in microsoft.com is allowed through, then any email containing an attachment would get through too.

Right?

All those MSFT spam patches and updates come from other addresses.

What about my other example?

I could certainly see myself emailing microsoft patches to my parents or non-tech friends, cos it's simpler than trying to walk them through it.

There are all sorts of crazy algorithms that use code from the virus itself as markers, and all sorts of other crazy confusing theoretical things that can be used to filter email. As jd said though, load on the server becomes high.

Filtering based on simple strings and simple regular expressions is fine and acceptable for a personal account where you can check your filtered mail, but for a major ISP, it just wouldn't be on. It takes a little more work to get it right.

Dinarius

Frank,

You may have a point. I'm no expert.

D. ;-)

Our man in Havana

Originally posted by Dinarius
Frank,

In the last week, I have received 11 emails from various parts of the Microsoft behemoth.

I have just opened them all, and the addresses ALL end in microsoft.com.

Eircom could set up this mail filter in a matter of minutes.

D.

Have you checked the reply to address on them?

Its the Duma in Moscow!

xxxx@duma.gov.ru

mneylon

The supposed MS emails with the attached executables are a virus. It first emerged a few weeks ago. Most of the emails are HTML heavy with a 'Microsoft' logo and details of a patch - which is attached to the mail.
Needless to say the patch is a virus and running it will make a lovely mess of your PC.

Solution:
1. Block all executables being downloaded via email.
2. Switch email provider

Valentia

They could close all tinet accounts for a start. That'd get rid of 99% of my spam!

& don't ask - I did ask but typically they can't do it :mad:

Krouc

Spam and eircom go hand in hand.
They have been banned by many operators because they were/are relaying spam. While there is no real 100% fix they could do a lot more. I have seen cases where people couldnt send emails to people abroad because of bans placed on Eircom.net. While it didnt effect a lot of customers it was still a problem. Eircom dont filter mail at all so you will get pretty much everything. (If they do filter its only a very recent thingy)

One other thing is that *some* people bring it on themselves placing their email everywhere to be harvested. Care on both ends is needed.

Krouc

mneylon

Unfortunately a lot of people do not realise how easy it is to harvest emails. A client of ours accused us of giving out their email address, and said that they had never used their email anywhere public. A quick search discovered that they had signed a number of guestbooks which revealed their address in it's full form...

Dinarius

Valentia wrote,

"They could close all tinet accounts for a start. That'd get rid of 99% of my spam!"

Indeed they could.

Typically, in true Irish fashion, they totally screwed up on the switchover from tinet.ie to eircom.net.

When I ask them about this, they told me that approximately 20,000 PRIVATE customers (anyone with a business changed over immediately) out of a total of 300,000 (a couple of years ago.) had not changed their address. So, they just let them carry on. The result is that those 20k morons are holding probably the best part of 500k now to ransom.

The solution is simple. Take a leaf out of the European Central Bank's book. Email everyone - if someone has already changed they can simply ignore the email - and tell them that as of midnight on December 31 next, tinet.ie addresses will cease to operate.

Then, at that exact time SWITCH THEM OFF!!!

But, everything about Eircom.net is truly crass, so don't hold your breath.

D.

Dinarius

ps.........................

Just ran a quick search, in my Deleted Items folder, for tinet.ie in the Sent To option in Advanced Find.

My Deleted Items folder currently contains 4,306 items. Not all spam.

The search threw up 1,019 tinet.ie emails. All spam.

If that is a representative example, then almost 25% of my spam could be avoided if Eircom discontinued this address.

I rest my case.

D.

java

Name an isp of eircom.nets customer size that doesnt have a spam problem Krouc ?

And while your at it, please tell us how you stop amateur computer users setting up mail servers as open relays? or mail servers without anti virus software?

Dinarius

java,

It's not that they don't have a spam problem elsewhere.

It's that Eircom are doing NOTHING about it.

The current Microsoft Update virus plague, due to the not inconsiderable size of the attachments (about 117kb to 159kb) is rendering the slower dial-up accounts unusable.

I have written to Eircom (again!) about getting rid of the tinet.ie address. I have also CC'd the message to the Telecoms Regulator and to Karlin Lillington of the Irish Times.

I am not holding my breath! ;-)

D.

jd

Originally posted by Dinarius
java,

It's not that they don't have a spam problem elsewhere.

It's that Eircom are doing NOTHING about it.

The current Microsoft Update virus plague, due to the not inconsiderable size of the attachments (about 117kb to 159kb) is rendering the slower dial-up accounts unusable.


D.

Not quite true..
afaik a high proportion of these particular viruses are actually removed, but they are not catching them all..

bricks

Its not Eircom's job to filter email messages.
And even if they did filter email messages from Microsoft that had attachments, where does it all end, you're probably gonna want them to filter other suspect messages in the future.
And do they also need to filter out dodgy packets from getting to your machine?
Also do we really want Eircom deciding what emails should be blocked from our mailbox?

Our man in Havana

Its eircoms job to stop their servers from being used as spam relays.

Páid

I find this is great for filtering / deleting spam http://www.mailwasher.net

There is a free version that handles one email account (paid has unlimited).

You can turn on a feature that checks the origin of a suspect email against known blacklisted email servers which should catch most unwanted email.

Ripwave

Originally posted by Dinarius
It's that Eircom are doing NOTHING about it.

Eircome provide a FREE ISP service. Blocking spam really isn't their job.

The current Microsoft Update virus plague, due to the not inconsiderable size of the attachments (about 117kb to 159kb) is rendering the slower dial-up accounts unusable.

I personally have about 5 eircom.net e-mail accounts. Members of my immediate family have another 5 or 6. Not one of these accounts has received a single copy of the Swen virus that you're complaining about.

I have written to Eircom (again!) about getting rid of the tinet.ie address.

That's a totally seperate issue - you're not getting any Swen messages sent to tinet.ie addresses, I presume?

Deleting the MX record for tinet.ie would get you about a 2 week respite on your spam - spammers may be scum, but they're not stupid, and it would take them just a couple of minutes to replace the tinet.ie addresses with eircom.net addresses (you don't think they wouldn't notice, do you?).

Ripwave

Originally posted by Bond-James Bond
Its eircoms job to stop their servers from being used as spam relays.

And do you have any evidence that eircoms.nets servers are being used as spam relays? (They were in the past, but that issue was fixed. If you have evidence of current activity, post it. If you don't, then stop spreading misinformation.).

Dinarius

Just got this from a UK friend I've been corresponding with......

"BT Openworld have virus and spam software available for their email customers, I have had about 6 notifications from BT that they have blocked the MS update virus email. The spam filter is also great,it is done at their end and about 95% of spam is directed into a spam folder that you can look at via webmail if you want,all spam older than 15 days gets deleted from it. All I get downloaded into Outlook now are genuine emails and just a few spam that the BT filter couldn't decide on. It was great to be able to go on holiday for a fortnight and not have about 700 emails to wade through when I got back."

So, it can be done! Oh, for a real ISP.

Cloudmark is far better than Mailwasher. It can be had on a free one month trial. In conjunction with a broadband connection, it's excellent, leaving you Inbox free of about 90% plus of spam. It works in a similar way to BTOpenworld's service. i.e. There is a spam folder where you can check in case something has slipped throught the net. In my experience, nothing ever has.

D.

mneylon

Originally posted by bricks

And even if they did filter email messages from Microsoft that had attachments, B]

None of those emails came from Microsoft

vibe666

Originally posted by Bond-James Bond
Its eircoms job to stop their servers from being used as spam relays.

correct, that's why they are not used as relays. the only people who have SMTP access to mail1.eircom.net are eircom.net customers and a few other select irish ISP's. this is done by simply restricting the IP range that can send mail through the server.

As for eircom blocking spam, why should they? they are offering a free service (email is free, if you have a subscription account then you are paying for cheaper access not the email account itself, as you aren't required to have an eircom.net email address if you have a sub account).

As for spam, I have had the same eircom.net email address for a year and a half and have never had a single unsolicited email come through the account at all.

If you are getting spam it's for one of 4 reasons:

1. You have signed up for some porn at some point thinking it was gonna get you free smut.

2. You signed up to a perfectly innocent mailing list for model trains, news, football or whatever and despite telling all their customers they never sell your information to others, they did and now you've ended up on about a hundred diofferent lists for porn printer cartridges and viagra and don't know why.

3. Your email address is listed on a website somewhere, whether it be contact details for your own site, or some forum where you've openly left your address and one of the spam bots that trawls web pages for addresses has picked you up and you're now on loads of lists.

4. Or you've been posting on newsgroups with your correct email address listed in your posts and again, spam bots have picked it up and you're now on their books.

the only other way would be for the spamsters to use an already existing mailing list and just tack the eircom.net domain onto the end of the existing addresses. then they send out a whole rake of html rich porno mails and the scripts in them tell said spamsters which address was a sucessful 'hit' when OE of whatever mail client downloads the images in the mail from their server.

So, if you don't want SPAM you need to do the following:

Don't sign up for anything with your main email address. if you must then use a web based email account like hotmail which has spam filtering built in, and keep your eircom address for private use.

Don't leave your email address on any website or newsgroup posts.

Don't have the preview turned on in OE (or whatever mail client you have) and delete any mails that look dodgy without opening them.

If you are getting spam then change your email address to something new and stop using the old one. once you've done that you can click on the 'To' box in an email message and add all yuor email buddies to the list (everyone you have ever replied to should be in there) and send a single email to all of them at once telling them of your new address.

If you really need to keep your existing address (business cards maybe) then use Mailwasher www.mailwasher.net before you open Outlook and set it up to bounce all the spams back to the senders (this generally doesn't do much these days as most spammers fake the return address anyway, but it doesn't hurt).

above all stop whinging at the Rat for providing you with a free email address and not policing what you do with it, a lot of people would be grateful that they don't get everything censored. Have you been to China?

Dinarius

Ripwave wrote:

"Deleting the MX record for tinet.ie would get you about a 2 week respite on your spam - spammers may be scum, but they're not stupid, and it would take them just a couple of minutes to replace the tinet.ie addresses with eircom.net addresses (you don't think they wouldn't notice, do you?)."

Do you honestly believe that if the tinet.ie address was discontinued that there is some guy out there who would sit back in his chair and think,

"Hhhhhhhhmmmmmmmm, that's very interesting. The tinet.ie address was bounced back. I wonder what he's using now. Ah! Yes! It's owned by the same company as Eircom.net. Let's try that................" ;-)

No way!

These people are dealing in hundreds of millions of emails a month. They don't have time for such niceties. They are sent from giant servers based, mostly, in South Korea, Thailand and China. And to a lesser degree in the US. (If Bush ever decides to bomb these, I for one won't mind.)

Spam addresses are generated principally by either harvesting or (mostly) by computer generated guesswork. Literally! If the computer gets it wrong and the mail is bounced, they don't care. They just keep on trying.

As an aside, that is why including an alphanumeric element in your email address makes it virtually bullet proof. Except to harvesting, of course. But, while davejones@eircom.net looks fine, davejones88qq@eircom.net looks truly awful on a business card or headed notepaper, which is what many of us require.

So, yes, if tinet.ie was discontinued, I WOULD lose about 25% of my spam.

As for Eircom, I got a reply to my email from Customer Services and will post at a later date. Suffice to say for the moment that it wasn't very satisfactory. But, what's new..............?

jd wrote:

"Not quite true..
afaik a high proportion of these particular viruses are actually removed, but they are not catching them all.."

Based on what I understand from the reply I received, this is not so. In any case, the Microsoft Update scam has been running all summer and it is THE most popular, though not the most dangerous, of current viruses. So, why haven't Eircom done anything about it?

Ripwave wrote:

"Eircome provide a FREE ISP service. Blocking spam really isn't their job."

There is NO such thing as a free ISP.

Well plenty of other ISPs think it is part of their job. As far as I am concerned, I no longer have a tinet.ie address. Yet, I get mail (all spam) to that address. I certainly believe that it is their job to stop that.

D.

Valentia

If you are getting spam it's for one of 4 reasons:

5. You had an old tinet.ie account which was changed to eircom.net and the morons wont delete all the tinet accounts as they said they would 4 or 5 years ago!!!

vibe666

ANd why do you get lots of spam on that address? please see reasons 1-4 above.

change your email addrss. it's not hard, and it takes 5 minutes on the eircom.net website.

'oh, but what about all my business cards?'

change them too. if you have the time and energy to whine about it so much then you can afford to get your business cards changed, and in any case why didn't you change the address before you got all these cards printed? it's not like all this spam happened overnight is it.

Dinarius

vibe666 wrote:

"As for spam, I have had the same eircom.net email address for a year and a half and have never had a single unsolicited email come through the account at all."

I've had mine for 7 years, which may explain my spam problem in part. But, for the business reasons you've already mentioned, I need it.

"If you really need to keep your existing address (business cards maybe) then use Mailwasher www.mailwasher.net before you open Outlook and set it up to bounce all the spams back to the senders (this generally doesn't do much these days as most spammers fake the return address anyway, but it doesn't hurt)."

Actually, it will hurt you eventually - a lot! It confirms your email address as live.

Also, with Mailwasher, you have to still clean out your inbox yourself. For me, this is the only one worth using.

http://www.cloudmark.com/

It costs $3.99 a month. It sets itself up with Outlook or Outlook Express. It creates a seperate folder for spam and puts it all in there automatically. The whole thing works on the basis of a community of users working together. Ingenious! Most people who try it for a month stick with it.

D.

Dinarius

Valentia,

I take it we're in agreement?

;-)

D.

Dinarius

Why does it say Moved next to this thread on the main page?

Why does it say that Frank Grimes was the last to post on this thread yesterday? Obviously, he wasn't.

Why is there no Replies Total or Read Total?

At least, that's how it is on my screen!

Thanks.

D.

vibe666

Originally posted by Dinarius
Actually, it will hurt you eventually - a lot! It confirms your email address as live.

Not true I'm afraid. the whole point of mailwasher is that it sends a standard bounce message which is sent whenever an email address is not valid.

all the spammer gets (assuming it's not a faked return address) is a mailer-deamon message to say the address is not valid, and typically if this is received spammers with remove said address from their lists to save bandwidth.

these days though with bandwidth being as cheap as it is, they aren't too bothered.

Frank Grimes

Originally posted by Dinarius
Why does it say that Frank Grimes was the last to post on this thread yesterday?

I was the last to post to the thread when it was in the IOFFL board, it was moved here (Net/Comms) yesterday.

Dinarius

Vibe666,

Apologies. You're right. I had forgotten that.

But, having used both, Cloudmark is miles better! ;-)

D.

drrnwbb

i have been usign cloudmark for about a year now and i love it, they did mess up a bit though when they introduced the monthly charge. the last free beta took to uninstalling itself, so i switched over to spamassassin pro which (for me) wasnt as good.

but my spam problem is with eircom.net. i get a lot of emails sent to my account that are also cc'd to a lot of other people with eircom.net addresses. and it frequently has either my username or another eircom.net username in the subject matter. my username begins with "d", so in the cc section there is usually about 20 other eircom net addresses beginning with "d". the only thing stopping me from stopping using my eircom.net addy is several years of legacy, ive used it to sign up with a lot of services and it would be a pain in the arse to change them all to another of my email addys.

(note, i went from getting about 1spam a month on the account to getting about 80 a day about a year ago, dont know where it all went wrong)

goddam eircom.net

dw

vibe666

seriously people whats with all the blaming of eircom for the spam? they don't send spam and they don't sell your email address to anyone do they? no they don't or I'd be getting spam too.

and drrnwbb, you just answered your own question there.

The reason you get lots of spam in your own words: 'is several years of legacy, ive used it to sign up with a lot of services'

please see my previous reason for your spam filled inbox.

2. You signed up to a perfectly innocent mailing list for model trains, news, football or whatever and despite telling all their customers they never sell your information to others, they did and now you've ended up on about a hundred diofferent lists for porn printer cartridges and viagra and don't know why.

drrnwbb

Originally posted by vibe666

drrnwbb, you just answered your own question there.

The reason you get lots of spam in your own words: 'is several years of legacy, ive used it to sign up with a lot of services'

hehe.. i knew when i wrote that id get some comment, and you are right of course. but i wasnt blaming eircom.net for the spam problem. if you read my post again you will see that my problem is slightly different. its the format of the emails. sent to eircom.net customers in bulk and this can be seen in the cc part of the email, sometimes with usernames in the message header. im not an IT spam expert so i dont know what eircom can do about it, but my eircom.net spam quantity is at least 10times the amount of other more public email addesses i have with other providers.

dw

jd

Originally posted by Dinarius
Ripwave wrote:

"jd wrote:

"Not quite true..
afaik a high proportion of these particular viruses are actually removed, but they are not catching them all.."

Based on what I understand from the reply I received, this is not so. In any case, the Microsoft Update scam has been running all summer and it is THE most popular, though not the most dangerous, of current viruses. So, why haven't Eircom done anything about it?

Actually they do-when mail relay load increases.Emails with certain payloads are remopved. Eircomnet also use tarpitting-but that's another story..

java

Dinarius, the Microsoft update scam, aka w32.swen was discovered on September 18th according to symantec. Hardly "all summer". Not even summer infact.

Capt'n Midnight

Yeah they could do a bit more.

I take it they have spam control on their internal corporate email.. so they are aware of the problem and have access to reports on junk mails. -

Also how much does squid guard cost ?
If they wanted to they could set up a Second Proxy or number so that customers who wanted to go to blacklisted sites could do so while the punters would be steared away from X-rated / hate / other waste of time sites...

What SMTP software do Eircom use on thier public servers - then people could suggest appropiate packages / blacklists / rules for it... - Depending on who you believe up to 50% of all email is SPAM so Eircom could reduce the workload on their servers by half !!

(note: since the Gov't are trying to get full email retention of 3 years in place - imagine how much SPAM will be need to be archived)