STE WILLIAMS

Analysis Pipex subscribers struggled to send emails for several days after antivirus biz Trend Micro declared the ISP’s network a source of spam.

Messages sent via Pipex’s servers were either blocked or deliberately delayed by internet providers and businesses that rely on Trend Micro’s services to filter emails.

El Reg stepped in to investigate Pipex’s blacklisting after a reader complained to us about the week-long blockade.

“It is murder for businesses like mine as we don’t know whether Pipex emails will be rejected at the moment – and this type of delay blocking takes three days to bounce back,” he said.

Trend Micro said the decision to classify Pipex’s IP blocks as a source of unwanted email was not taken lightly, and insisted it was right in doing so.

“The IP addresses of the Pipex MTA [mail transport agent] have been sending spam and also malicious emails, probably because they have client PCs on their network that are infected and originating spam,” Rik Ferguson, director of security research and communication at Trend Micro explained.

“We would love for the ISP to work with us to help them get this cleaned up; it’s not a false positive,” he added.

Pipex is owned by TalkTalk, which we have chased for an explanation about the block since Tuesday, 14 May, soon after our reader first got in touch. The blockade was lifted the following day.

“I think you raising the subject was enough – problem has now disappeared,” our chuffed reader said. “The Trend AV-equipped Exchange servers, which were not accepting or delaying my Pipex mail, have now all started accepting it as per usual.”

Despite putting in several emails and phone calls over the course of more than a week, The Reg has yet to receive a substantive explanation from (the ironically named) TalkTalk on how its systems ended up on a spam blacklist.

Even though the email blockade was eventually lifted, the cause and what can be done to prevent a repeat of this blunder is surely worthy of comment.

The same lack of communication from TalkTalk was, we’re told, a key factor in Trend identifying Pipex’s network as a source of spam in the first place.

Silence of the LANs

In a detailed email, Ferguson said that before Trend Micro’s Realtime Blackhole List – a message reputation checking service – slams the ban-hammer on an ISP’s network, the accused telco is given two chances to explain itself.

Only in cases where there is both no communication and no improvement in spam levels is a blacklisting applied. Ferguson said Trend Micro contacted Pipex after monitoring a “fairly wide spectrum” of phishing, unlicensed pharmacy and malware-tainted spam mails spewing out of the broadband ISP’s network. Its grievances – which it’s alleged received no response, hence the ban – can be found here.

IP addresses are removed from the blacklists either automatically if they were under a short-term ban or manually if the spam stops.

Ferguson explained:

There are two kinds of listings that Trend Micro does. The first kind is a fully automated response to spam – when we see our customers being affected by a spam run, we put the origin addresses on a short-term list.  This list is used by our customers to temporarily delay messages from that origin address, or to mark it differently as mail is accepted. These listings are particularly effective against bot-originated spam. The listings automatically expire after a period of time, which varies in response to the frequency of listing.

The second kind is the RBL – the Realtime Blackhole List.  Addresses are added to the RBL by an entirely manual process – there is no automation here. When our investigators find a pattern of spam over time, they will compile an RBL nomination. The nomination consists of representative spam samples, addresses, and other information which the investigator deems appropriate to the case. The nomination is then emailed to the registered abuse address for the address(es) affected. The investigator waits for, and documents, any responses received. If the spam does not stop, the investigator then sends the nomination up for a pending listing, which is reviewed by a manager. If approved, a second notice is automatically sent to the registered abuse address, and the listing is made active.

Once an RBL listing is made, we require the ISP to take effective action to stop the spam.  We monitor this action, and if the investigator sees the spam stop, they will remove the listing.

Because there are multiple people involved with checking an RBL listing, it is exceedingly rare that a mistake is made. In each case of an RBL listing, we have spam-on-hand, and can produce that on request for the ISP. The size of the ISP behind any given IP address is not a factor in our decision to list on the RBL; the fact that we have spam from that address, and that there has been no action to reduce the spam, is.

Because the ISP receives at least two notices from us, we feel that they have adequate time to deal with the problem.

Ferguson added that an internet service provider simply has to answer messages sent to its official abuse email address to keep its IP addresses off the blacklist.

“It’s really that simple. As long as we see regular communications from the ISP, and the spam is reducing, no RBL listing will be made. Many ISPs choose not to man their abuse desk, use automation to ‘direct’ complaints to end users, or (worst of all) spam filter their abuse desk address,” Ferguson explained.

“Naturally, these are often the same ISPs that claim that an RBL listing is a ‘false positive’. We just want the spam to stop,” Ferguson concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/24/pipex_zombie_spam_blacklist/