Joe Wein
Fighting spam and scams
on the Internet


NTLI.net ignores virus reports


Current virus senders do not leave an email address that one could contact. The only trace a recipient can follow to track down the sender is the sender's IP address. From that the ISP responsible for the address range can be determined. However, if the ISP is notified but ignores such notifications or for other reasons takes no action, there is nothing that can be done. The virus sender will remain unaware that he/she is infected and sending out viruses on a daily basis. As a result, more and more computers are in danger of getting infected.

On March 11, 2004 we first reported receiving viruses (Netsky) from a particular customer at ntli.net, a UK-based ISP. The last virus (so far) arrived on June 2, 2004.

Neither the abuse-address nor the rather complicated webform that NTLI insists people use if they don't want their reports ignored yielded any meaningful results. The fax number given in the webform response was not contactable.

Here is the WHOIS-record:

     inetnum:      80.5.0.0 - 80.5.63.255
     netname:      NTL
     descr:        NTL Baguley - Cable Headend
     country:      GB
     admin-c:      NNMC1-RIPE
     tech-c:       NNMC1-RIPE
     status:       ASSIGNED PA
     mnt-by:       AS5089-MNT
     changed:      hostmaster@ntli.net 20020417
     changed:      hostmaster@ntli.net 20020815
     source:       RIPE
     
     route:       80.0.0.0/13
     descr:       NTL-UK-IP-BLOCK
     origin:      AS5089
     mnt-by:      AS5089-MNT
     changed:     neil.parker@ntl.com 20010426
     source:      RIPE
     
     role:         NTLI Network Management Centre
     address:      NTL Internet
     address:      Crawley Court
     address:      Winchester
     address:      Hampshire
     address:      SO21 2QA
     trouble:      -------------------------------------------------------
     trouble:      For abuse notifications please -
     trouble:      file an online case @ http://www.ntlworld.com/netreport
     trouble:      +44 2920 305142
     trouble:      -------------------------------------------------------
     trouble:      For peering issues/requests please -
     trouble:      email : peering@ntli.net
     trouble:      -------------------------------------------------------
     admin-c:      MH22007-RIPE
     admin-c:      CF2297-RIPE
     admin-c:      CM1377-RIPE
     tech-c:       MH22007-RIPE
     tech-c:       CF2297-RIPE
     tech-c:       CM1377-RIPE
     nic-hdl:      NNMC1-RIPE
     mnt-by:       AS5089-MNT
     notify:       data.planning@ntl.com
     e-mail:       data.planning@ntl.com
     changed:      hostmaster@ntli.net 20020815
     changed:      hostmaster@ntli.net 20020913
     changed:      hostmaster@ntli.net 20030328
     changed:      hostmaster@ntli.net 20030401
     changed:      hostmaster@ntli.net 20030603
     changed:      hostmaster@ntli.net 20030707
     changed:      hostmaster@ntli.net 20040303
     changed:      hostmaster@ntli.net 20040312
     source:       RIPE

Here is a sample of an email notification to NTLI:

Virus from 80.5.30.141

We have received a virus-email from your network.

The virus-email contained the following dangerous attachment:
    File name: all_document.pif
    File type: pif
    BASE64-encoded size: 24034

Here is the mail header of the virus mail:

Received: from mydomain ([80.5.30.141]) by myhost.mydomain 
 with Microsoft SMTPSVC(5.0.2195.6713); Tue, 1 Jun 2004 12:17:37 -0700
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
From: someinnocentguy@someinnocentisp
To: myname@mydomain
Subject: Re: Approved
Date: Tue, 1 Jun 2004 20:16:47 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; 
 boundary="----=_NextPart_000_0006_00006893.00007D36"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: <someinnocentguy@someinnocentisp>
Message-ID: <DEWEYde13YDLVBXbpEk00000a96@ourisp>
X-OriginalArrivalTime: 01 Jun 2004 19:17:37.0468 (UTC)
 FILETIME=[199C87C0:01C4480D]
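
The tracing step described at the top of this page (sender IP from the mail header, then the responsible ISP from WHOIS) can be scripted. The following is an added example, not code from this site or from jwSpamSpy; the function names are hypothetical and the sample input is constructed from the header and WHOIS record shown above.

```python
import ipaddress
import re

# Constructed sample input: the Received line and an excerpt of the WHOIS record above.
RECEIVED = ("Received: from mydomain ([80.5.30.141]) by myhost.mydomain \n"
            " with Microsoft SMTPSVC(5.0.2195.6713); Tue, 1 Jun 2004 12:17:37 -0700")
WHOIS = """\
inetnum:      80.5.0.0 - 80.5.63.255
netname:      NTL
trouble:      For abuse notifications please -
trouble:      file an online case @ http://www.ntlworld.com/netreport
e-mail:       data.planning@ntl.com
"""

def relay_ip(received):
    """Connecting IP from a Received line written by our own server, else None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", received)  # undo header folding
    for literal in re.findall(r"\[([0-9A-Fa-f:.]+)\]", unfolded):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:
            continue
        if ip.is_global:  # skip private/loopback hops inside our own network
            return str(ip)
    return None

def parse_whois(text):
    """Parse 'key: value' lines into {key: [values]}; keys may repeat."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def report_target(received, whois_text):
    """Return IP, netname and contacts if the WHOIS range covers the relay IP."""
    ip, record = relay_ip(received), parse_whois(whois_text)
    if ip is None or "inetnum" not in record:
        return None
    first, last = (ipaddress.ip_address(p.strip())
                   for p in record["inetnum"][0].split("-"))
    if not first <= ipaddress.ip_address(ip) <= last:
        return None  # record belongs to a different network
    where = " ".join(record.get("trouble", []) + record.get("e-mail", []))
    contacts = re.findall(r"https?://\S+|[\w.+-]+@[\w-]+(?:\.[\w-]+)+", where)
    return {"ip": ip, "netname": record.get("netname", ["?"])[0], "contacts": contacts}

if __name__ == "__main__":
    print(report_target(RECEIVED, WHOIS))
```

Only the Received line added by your own mail server should be passed in; the From address and any earlier Received lines are supplied by the sender and cannot be trusted.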

When email notifications did not have any effect, we contacted NTL Internet via their webform. We received the following response:

From: <noreply@ntl.invalid>
To: <myname@myisp>
Sent: Monday, 19 April, 2004 16:25
Subject: Confirmation receipt of report to ntl Acceptable Use Policy team, ref: 6255


****************************************
**PLEASE NOTE THIS IS AN AUTORESPONDER**
****************************************


Dear Joe Wein

please accept this email as confirmation of our having received your 
Internet abuse report/Security related enquiry.

Your report has been assigned the following reference number:6255

Please quote this reference in any further correspondance when 
refering to this complaint.

Regards.

Acceptable Use Policy Team - Internet Abuse & Security
Group Risk Assurance, Financial Control Division, ntl
Tel No. +44 (0)29 2030 5142
Fax No. +44 (0)29 2030 5076
Opening Hrs: Mon - Fri 0800-1600 hrs

http://www.ntlworld.com/help/aup/index.html
http://www.ntlworld.com/netreport
http://www.ntlworld.com/help/aup/netreporthelp.html
********************************
*Latest News and Ongoing Issues*
********************************
Older Articles are available at http://aup.ntl.com

[remainder of NTLI response snipped, JW]

Note that this email arrived from an invalid email address. You cannot reply to it, should you wish to engage "in any further correspondance" about the problem. Similar autoresponder messages were received on May 13, May 26 and June 1, 2004. Six weeks after the above first response, no action had been taken. When we tried to contact NTLI by fax on June 2, 2004, the above fax number was always busy, even in the middle of the night.

Anti-Virus Resources:
jwSpamSpy is our spam+virus filtering software

Clueless virus filters spam innocent third parties

The Virus Ward: ISPs that appear to ignore reports of infected customer machines
NTL Internet (NTLI.net) ignores virus reports for almost three months
Wellcom.at ignores virus reports for six weeks
Dialog.net.pl ignores virus reports for three weeks
bhartibroadband.com ignores virus reports