[UDP] Usenet Death Penalty Notice: VIDEOTRON.CA, VIDEOTRON.NET (Le Groupe Videotron Ltee)
Yves Bellefeuille
>From: David Ritz <dr...@suespammers.org>
Newsgroups: news.admin.net-abuse.policy
Subject: [UDP] Usenet Death Penalty Notice: VIDEOTRON.CA, VIDEOTRON.NET
(Le Groupe Videotron Ltee)
Date: Mon, 6 May 2002 07:13:41 +0000 (UTC)
Message-ID: <dritz-D063CA....@news.supernews.com>
-----BEGIN PGP SIGNED MESSAGE-----
This message is being sent, bcc, to a few interested parties.
Posted and mailed.
Posted to news.admin.net-abuse.policy, news.admin.net-abuse.misc,
news.admin.net-abuse.bulletins, news.admin.net-abuse.usenet,
alt.videotron.general and qc.general.
Please direct follow ups to news.admin.net-abuse.policy. Please see
<http://www.killfile.org/~tskirvin/nana/nanap-charter.html> prior to
posting to this moderated newsgroup.
========================================================================
Over the past few months, Le Groupe Videotron Ltee has been the
source of vast quantities of Usenet spam. Despite countless
complaints, reports, and phone calls, Le Groupe Videotron Ltee
seems unwilling to take the necessary proactive steps to curb this
ongoing abuse. By May, 2002, the situation reached and maintained
unconscionable levels of abuse.
The underlying issue facing Le Groupe Videotron Ltee, is one which
many broadband providers are currently facing. Some, such as
roadrunner.com and attbroadband.com (MediaOne) have been willing
to take the proactive measures necessary to assure the security
and integrity of their respective networks. These include near
constant scanning of their respective networks, to identify open
proxies before they become the source of massive, wholesale
attacks on the network's infrastructure. MediaOne took the
recommended step of blocking all external port 1080 traffic on
their network, at their borders. (socks, after all is an intranet
protocol.)
When proxies do get hijacked, these providers have worked in a
fairly conscientious fashion, to contact their users and help them
secure or disable the open proxies. When the customer cannot be
contacted, the proxy is taken down. (I've watched packets stop
being returned, within fifteen (15) minutes of alerting them to
the security breach.)
Other providers don't seem to recognize or respond to these
ongoing attacks on the networks infrastructure, even following
repeated reports and follow up messages.
That is most certainly the case with Le Groupe Videotron Ltee.
Nothing seems to get through to them. Heavily and openly abused
proxies may get some attention, but it can take three or more
weeks. Additionally frustrating is that while wasting big U$ on
"overseas" calls, only to talk to first tier support personnel,
the promised return calls are often not received.
As a case in point, the AnalogX proxy which was operating at
modemcable032.140-203-24.que.mc.videotron.ca [24.203.140.32]
finally came down, some time late on 05 May 2002. It was still up
and allowing forwarding, earlier on that date, when I checked it.
My initial security alert for this proxy was sent on Mon, 29 Apr
2002 02:25:28 -0500. It contained detailed analysis of the proxy,
as well as more than sufficient evidence that it was being abused.
This included two telnet captures with date stamps from their NNTP
server and NTP synchronized date stamps, proxy analyses from
<http://cache.jp.apan.net/proxy-checker/>, a DSRS static report
<http://dsrs.nntp.sol.net/reports/custom.20022904072044.html>, and
seven (7) sets of sample headers.
On 1 May 2002 15:56:49 -0400, a human response was sent to me. A
senior system engineer claimed that this wasn't an AnlogX proxy,
apparently ignoring not only the content of my initial report,
which contained a detailed analysis, but the nmap scan which he
had apparently run, which clearly showed the proxy open at port
1080.
I responded providing suggested changes to "nmap-services". I
also again requested immediate port 1080 router blocking at
Videotron's borders. This message was also duly acknowledged with
a human response.
An additional reply from me, suggesting it might be a really good
idea to disable the proxy, included this DSRS static report. See
<http://dsrs.nntp.sol.net/reports/custom.20020105212527.html>.
On Thu, 2 May 2002 13:06:37 -0500, I sent yet another message to
Videotron, noting this already heavily abused proxy was still wide
open. By the time I was composing this fourth message, so much
spam had come through this proxy, in the prior thirteen hours,
that DSRS timed out when trying to produce a static report. I
suggested that they run the DSRS query themselves, having
previously established a Videotron account for this service.
==========================================================================
DSRS posting research results
Search: exact NNTP-Posting-Host: for "24.203.140.32" from 2002/05/02
00:00:00 to 2002/05/02 23:59:59 CDT
1: 4789 1.0000 "Dolf G. Von Helsing 24.203.140.32
z-netz.alt.erotik.ge Little Mouth and 2 C Thu, 3 May 2002 02:2
2: 4377 1.0000 "Marian E. Clark" <e 24.203.140.32
alt.sex.fetish.start lesbians with probin Thu, 2 May 2002 06:4
3: 4027 1.0000 "Adm. Rickie Bucossi 24.203.140.32
alt.sex.supersize Great looking pornst Thu, 2 May 2002 19:2
<...>
71230: 5929 1.0000 24.203.140.32
71231: 7615 1.0000 24.203.140.32
71232: 7270 1.0000 24.203.140.32
TOTALS ------- -------
71232: 403042361 71232.0000
* The second number in each line is the number of bytes for the
article. The third is the Breidbart Index, defined as the square
root of the number of groups posted to.
==========================================================================
While I've been mentioning the likelihood of a UDP proposal for
over a month, my message of 2 May 2002 finished with an ultimatum:
"You have four hours in which to disable this proxy. After that,
you may expect a formal UDP proposal."
The AnalogX proxy at modemcable032.140-203-24.que.mc.videotron.ca
[24.203.140.32] continued to be hijacked in this manner, non-stop,
throughout the day on Friday and Saturday, 03 and 04 May 2002.
==========================================================================
DSRS posting research results
Search: exact NNTP-Posting-Host: for "24.203.140.32" from 2002/05/04
00:00:00 to 2002/05/04 23:59:59 CDT
1: 1214 1.0000 "Guglielmo" <ehentoc 24.203.140.32
alt.sex.submale Pictures of famous h Fri, 4 May 2002 05:1
2: 1253 1.0000 "Nell" <abawveh@etoj 24.203.140.32
alt.binaries.picture Beautiful amateur ba Sat, 4 May 2002 10:4
3: 1183 1.0000 "Thomas" <ujapne@esi 24.203.140.32
fido7.ru.sex.exchang Brunette amateur str Sat, 4 May 2002 21:2
<...>
183049 3645 2.0000 24.203.140.32
183050 2546 1.7321 24.203.140.32
183051 3567 2.2361 24.203.140.32
TOTALS ------- -------
183051: 244267856 197532.4152
* The second number in each line is the number of bytes for the
article. The third is the Breidbart Index, defined as the square
root of the number of groups posted to.
==========================================================================
Of the 183,051 articles posted through this proxy, on 04 May 2002,
no more than 92,820 made it into the Spam Hippo statistics for that
date and no more than 118,005 were cancelled. If anything, the
statistics I used in the preparation of the Request For Discussion
err on the conservative side, when examining actual abuse of the network.
For the purposes of this UDP announcement, it is easier to look at
the NNTP-Posting-Hosts for the spam receiving cancels. Only those
dates where more than 1,000 cancels were issued, are included here,
for the sake of brevity.
===================================================
Cancelled Spam Statistics courtesy of Andrew Gierth
(see news.admin.net-abuse.bulletins)
Date spam source
===================================================
2002.03.09 65778 *.*.que.mc.videotron.ca
2002.03.10 6254 *.*.que.mc.videotron.ca
2002.03.10 4917 *.*.mtl.mc.videotron.ca
2002.03.11 7832 *.*.mtl.mc.videotron.ca
2002.03.12 7274 *.*.mtl.mc.videotron.ca
2002.03.13 23054 *.*.mtl.mc.videotron.ca
2002.03.14 31866 *.*.mtl.mc.videotron.ca
2002.03.15 10936 *.*.mtl.mc.videotron.ca
2002.03.19 3470 *.*.mtl.mc.videotron.ca
2002.03.20 1204 *.*.mtl.mc.videotron.ca
2002.03.21 9823 *.*.mtl.mc.videotron.ca
2002.03.22 5445 *.*.mtl.mc.videotron.ca
2002.03.25 1125 *.*.mtl.mc.videotron.ca
2002.03.26 1316 *.*.mtl.mc.videotron.ca
2002.03.28 2788 *.*.mtl.mc.videotron.ca
2002.04.04 4189 *.*.mtl.mc.videotron.ca
2002.04.06 2630 *.*.mtl.mc.videotron.ca
2002.04.08 1206 *.*.que.mc.videotron.ca
2002.04.09 2757 *.*.que.mc.videotron.ca
2002.04.10 2501 *.*.mtl.mc.videotron.ca
2002.04.11 5783 *.*.mtl.mc.videotron.ca
2002.04.12 2804 *.*.mtl.mc.videotron.ca
2002.04.13 2058 *.*.mtl.mc.videotron.ca
2002.04.14 3263 *.*.mtl.mc.videotron.ca
2002.04.15 1234 *.*.mtl.mc.videotron.ca
2002.04.17 1990 *.*.mtl.mc.videotron.ca
2002.04.20 12146 *.*.mtl.mc.videotron.ca
2002.04.21 4185 *.*.mtl.mc.videotron.ca
2002.04.22 4947 *.*.mtl.mc.videotron.ca
2002.04.22 1472 *.*.que.mc.videotron.ca
2002.04.23 7940 *.*.mtl.mc.videotron.ca
2002.04.24 16913 *.*.timi.mc.videotron.ca
2002.04.24 3159 *.*.mtl.mc.videotron.ca
2002.04.25 22218 *.*.timi.mc.videotron.ca
2002.04.25 20504 *.*.mtl.mc.videotron.ca
2002.04.26 8123 *.*.mtl.mc.videotron.ca
2002.04.27 2592 *.*.mtl.mc.videotron.ca
2002.04.27 1351 *.*.que.mc.videotron.ca
2002.04.28 6600 *.*.que.mc.videotron.ca
2002.04.28 3642 *.*.mtl.mc.videotron.ca
2002.04.29 6377 *.*.que.mc.videotron.ca
2002.04.29 2838 *.*.mtl.mc.videotron.ca
2002.04.30 6444 *.*.mtl.mc.videotron.ca
2002.05.01 6028 *.*.que.mc.videotron.ca
2002.05.01 2266 *.*.mtl.mc.videotron.ca
2002.05.02 57685 *.*.que.mc.videotron.ca
2002.05.03 60234 *.*.que.mc.videotron.ca
2002.05.04 118005 *.*.que.mc.videotron.ca
2002.05.04 6756 *.*.mtl.mc.videotron.ca
===================================================
TOTAL 595922
===================================================
AVERAGE 12162
===================================================
This is simply unacceptable. That there has been no word from
Videotron or it's upstream news peers is outrageous.
================================UDP
NOTICE===============================
Because of the limited response to serious ongoing problems, even
when they have been pointed out repeatedly, a full active Usenet
Death Penalty targeting Le Groupe Videotron Ltee will go
into effect at the close of business, on Friday, 10 May
2002 17:00 PDT, (11 May 2002 00:00:00 GMT).
Please see:
"Usenet Death Penalty FAQ"
<http://www.stopspam.org/usenet/faqs/udp.html>
"The Cancel FAQ"
<http://www.killfile.org/faqs/cancel.html#VIII.D.>
"Spam Glossary"
<http://www.rahul.net/falk/glossary.html#udp>
"Net Abuse FAQ"
<http://www.cybernothing.org/faqs/net-abuse-faq.html#3.19>.
It is sincerely hoped that Le Groupe Videotron Ltee will
take appropriate measures to stem the flow of abuse from their
network before this time. Any assistance which they may require
will be gladly provided.
Should this action become unavoidable, sites not wishing to
participate may alias out the pseudosite Path stamp,
"videotronudp".
Sites not wishing to participate in any active UDP may alias out
the pseudosite Path stamp, "udpcancel".
- --
David Ritz <dr...@suespammers.org>
The suespammers.org mail server is located in California; do not
send unsolicited bulk e-mail or unsolicited commercial e-mail to my
suespammers.org address.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3
Comment: Finger:dr...@mindspring.com for public keys
iQCVAwUBPNYtB6dkAgrqVVPRAQEuqQP/XgHB7F9Vrle6xrySpGIJRWTMTMhLNSnk
++Xc47KC0dbiBGkxjPL7dF8/DQLje/uiCgWn9DrDn7k+wTcs0zuBCZkuCtwsuxi7
4m6xNZCrnLUm4TfjYH1AHRzt2bQZiiFaAG3+1iG0GDcO9ltaS+baDz3i7zXexQ4G
OW6JFKjc2aQ=
=OyYJ
-----END PGP SIGNATURE-----