Rogers Abuse! Also Known As A False Positive

Dear [My Name in UPPER CASE, very friendly]

We have reason to believe that a computer connected through your Rogers
Cable Modem has been infected by a virus. The amount of traffic and
traffic patterns being generated are consistent with a Trojan Virus.

Typically, these types of viruses do not affect the performance of your
computer and instead carry out attacks and malicious activities behind
the scenes, without your knowledge. This type of network activity has
the potential to negatively impact the overall service. For your
reference, we have included a technical summary of the activity for your
reference at the bottom of this e-mail message.

To protect your computer and to safeguard other customers on the Rogers
Yahoo! Hi-Speed Internet network, we urge you to remove the virus as
quickly as possible. This can usually be done by using an updated
Anti-Virus program to scan all the computers connected to your cable modem and
choosing to remove the viruses.

If you are unable to remove the virus within 48 hours, we will have to
take additional steps to protect other customers and the Rogers Yahoo!
Hi-Speed Internet network including temporary service deactivation.
Should this occur, we can reactivate your connection once the virus has
been removed by calling into our call center.

If the network activity below is not the result of a Virus, we ask that
you reconfigure any programs or hardware which are generating the
network activity detailed below to reduce the amount of traffic or redirect
it to another DNS Server.

High volumes of requests causing Error or Canned (127.0.0.1) responses
usually indicate a Worm, Virus, or Bot infection. These viruses will
usually attempt to connect to a controlling server or attempt to perform
a Denial of Service attack on a specific server on the Internet. Once
the destination is identified, the owner of the server may remove or
change the DNS entry causing future Virus infected computers to fail
resolving the name. This causes an error to be generated.

Sincerely,

EUA Management Team
Rogers Yahoo Hi-Speed Internet

IP Add, Errors, Queries
24.112.78.42, 120, 231

Date Time, Src, Query, Query type
2005-04-27 00:03:20.79363, 24.112.78.42, fresno.com., Internet Addr ?
2005-04-27 01:03:01.52843, 24.112.78.42, mail.mwh.com.brntfd.phub.net.cable.rogers.com., Internet Unknow
2005-04-27 01:03:13.94833, 24.112.78.42, 37.25.191.218.sbl.spamhaus.org., Internet Addr ?
2005-04-27 01:03:14.77028, 24.112.78.42, 169.223.234.203.in-addr.arpa., Internet PTR ?
2005-04-27 01:03:14.78227, 24.112.78.42, tm.net.my., Internet Addr ?

Date Time, Dst, Query, Response
2005-04-27 0:03:20.79446, 24.112.78.42, fresno.com., Internet Addr 129.8.57.70
2005-04-27 1:03:1.55726, 24.112.78.42, Error:, 3(Name Error)
2005-04-27 1:03:14.48904, 24.112.78.42, Error:, 3(Name Error)
2005-04-27 1:03:14.79525, 24.112.78.42, tm.net.my., Internet Addr 202.71.97.48
2005-04-27 1:03:20.9845, 24.112.78.42, Error:, 3(Name Error)

Thank You Rogers for identifying me as a virus carrier. Now, I shall rip it apart. The sample period of 231 requests with 120 failures is pretty short. If that triggers their “virus” warning system, it’s pretty weak. The failures were generated by Anti-Spam methods (which check for domain existence and addressing), so failures are a Good Thing™
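To make the false-positive argument concrete, here is a small added Python triage of the log format in the notice above (illustration only, not Rogers’ detector or this site’s code). It pairs each nameless error response with the oldest still-unanswered query, then sets aside the reverse-lookup and DNSBL failures that anti-spam checks are expected to produce; the DNSBL suffix list and the 50% threshold are assumptions.

```python
from collections import namedtuple
Event = namedtuple("Event", "t name kind")  # t: seconds since midnight
# Anti-spam lookups for which Name Error is the normal "clean / no PTR" answer (assumed list).
EXPECTED_NXDOMAIN = (".in-addr.arpa.", ".sbl.spamhaus.org.")
# The ten log lines from the notice above, each rejoined onto one line.
QUERY_LOG = """\
2005-04-27 00:03:20.79363, 24.112.78.42, fresno.com., Internet Addr ?
2005-04-27 01:03:01.52843, 24.112.78.42, mail.mwh.com.brntfd.phub.net.cable.rogers.com., Internet Unknow
2005-04-27 01:03:13.94833, 24.112.78.42, 37.25.191.218.sbl.spamhaus.org., Internet Addr ?
2005-04-27 01:03:14.77028, 24.112.78.42, 169.223.234.203.in-addr.arpa., Internet PTR ?
2005-04-27 01:03:14.78227, 24.112.78.42, tm.net.my., Internet Addr ?
"""
RESPONSE_LOG = """\
2005-04-27 0:03:20.79446,24.112.78.42,fresno.com.,Internet Addr 129.8.57.70
2005-04-27 1:03:1.55726,24.112.78.42,Error:,3(Name Error)
2005-04-27 1:03:14.48904,24.112.78.42,Error:,3(Name Error)
2005-04-27 1:03:14.79525,24.112.78.42,tm.net.my.,Internet Addr 202.71.97.48
2005-04-27 1:03:20.9845,24.112.78.42,Error:,3(Name Error)
"""
def parse(text, kind):
    """Comma-separated log lines -> Events; kind is 'query' or 'response'."""
    events = []
    for line in text.strip().splitlines():
        stamp, _src, name, _rest = [f.strip() for f in line.split(",", 3)]
        h, m, s = stamp.split()[1].split(":")  # hour/second may be unpadded: '1:03:1.55726'
        err = kind == "response" and name == "Error:"
        t = int(h) * 3600 + int(m) * 60 + float(s)
        events.append(Event(t, None if err else name, "error" if err else kind))
    return events

def attribute_errors(queries, responses):
    """Error responses carry no name: pair each with the oldest still-unanswered query."""
    pending, failed = sorted(queries, key=lambda e: e.t), []
    for r in sorted(responses, key=lambda e: e.t):
        if r.kind != "error":  # a named answer closes that query
            pending = [q for q in pending if q.name != r.name]
            continue
        earlier = [q for q in pending if q.t <= r.t]
        if earlier:
            pending.remove(earlier[0])
            failed.append(earlier[0].name)
    return failed

def assess(queries, responses, threshold=0.5):
    """Raw error ratio (what the notice counts) vs. the ratio with expected anti-spam failures set aside."""
    failed = attribute_errors(queries, responses)
    unexplained = [n for n in failed if not n.endswith(EXPECTED_NXDOMAIN)]
    total = len(queries)
    return {"raw_error_rate": len(failed) / total, "naive_flag": len(failed) / total >= threshold,
            "unexplained": unexplained, "flag": len(unexplained) / total >= threshold}
```

On the notice’s own five lookups the raw ratio is 3/5 and trips the threshold, while only one failure (the forward lookup for the mail host) is left once the PTR and DNSBL misses are discounted.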

So I replied. “This is as a result of anti-spam measures that use DNS to verify return addresses. But, since it’s a problem for you, I have switched my DNS servers. Thanks!” Following that, their ‘autoreply’ from the abuse account got flagged as spam by their own (Yahoo!’s) system. Hahaha…

Kudos go to them for attempting to notify users. And I guess I’m lucky they didn’t disconnect me. 48 hours is a pretty weak timeframe considering I don’t use that email address for anything! The only reason I checked was because of my modem-upgrade notice. heh… Fun.

So, I guess now I can’t use their DNS, so that’s yet another part of their service that I won’t use, leaving me with nothing but a connection.

  • Quigley

    hehehe

    you know, every time I think of switching to cable, someone gives me a good reason not to. often, that someone is you. woover 🙂

  • SmartSsa

    the only reason I still use cable is because of the pseudo static-ip that I get. Heh.

  • mike

    You can pay $10 for a static IP with DSL. I may consider it when I move back to brantford. I was planning on trying out VOIP though, and with DSL I think you need a phoneline to start off with, which is why I want to go to VOIP to begin with.

  • SmartSsa

    a static IP isn’t worth $10/mo when they still don’t officially allow you to run a server, heh. I also don’t see the static ip option for their normal home service. just the business one.

    But, as you’ve also stated, the forced phone service to get dsl is also a negative. I’d probably already have a VoIP line if I could get a brantford number.

  • mike

    Damn. I didn’t realize Vonage doesn’t have brantford numbers. Mother FUCKERS. Oh well, the bill will be less no matter what when I move back. No more LD calls to brantford to talk to family and friends.

  • SmartSsa

    Yeah, I haven’t found any that provide branthole numbers. Eventually, I’m sure… but not yet.

  • Anonymous

    Same issue here – I don’t think they understand we’re trying to block spam as well. Where did you get your DNS? I might have to do the same thing.

    M.

  • SmartSsa

    I run my own server (this one) so I’ve always had alternate DNS available to use. I had just never bothered to override the servers they issue with their DHCP settings.

    The ones that they issued were this: 24.153.22.67, 24.153.23.66

    A handful of their other servers (which may not have the same logging and alert system enabled) are: 24.153.22.13, 24.153.22.14, 24.153.22.142, 24.153.22.141

  • Anonymous

    Fantastic – thanks! I don’t think sendmail recognizes the rotate option in resolv.conf, so I wrote a short script that changes the contents of resolv.conf to put different DNS addresses at the top of the list (so as to distribute the load). I run my own server too – and here I’ll show my ignorance of the DNS hierarchy – I thought that even if I ran named, it would still point all requests back to the entries in resolv.conf for domains that I’m not the SOA for.

    Regards,

    M.

  • SmartSsa

    Well, if you run named, you could just put 127.0.0.1 (or the ip of the machine running named) as a nameserver in your resolv.conf file and all your dns requests will just go straight to your local nameserver. It’s still good to have an external server listed just in case though.

  • Anonymous

    And the local nameserver forwards the requests to the root name servers, totally bypassing Rogers?

  • SmartSsa

    Yes, that is how it’s done. And if your local server can’t find an answer the external (if listed) will be attempted….

  • Anonymous

    Brilliant – thanks very much for helping me bypass Rogers’ broken IDS. Now if only they don’t cut my service off before I can get home tonight.

    Regards,

    M.

  • Quigley

    hehehe this is great. i love reading things that i don’t fully understand.

    re Vonage: i called them recently for the first time, to set up some business lines on behalf of a client of ours. i tell you, it’s a rare thing that i have had such a frustrating corporate experience. the attendants were completely useless. not a single one of them had any communication abilities whatsoever. they were unfamiliar with both the software and the policies of their own company. they were abrupt. they didn’t tell me till the very end of the (painfully long) conversation that my client had to pay by credit or debit card for the setup fee, thereby rendering the entire damn conversation a waste of everyone’s time. the best part was that when i said i had to get the reference number for the account setup and call them back later with a credit card number, they told me they couldn’t give me a reference number, because they can’t save a single piece of info about prospective accounts until *after* the setup fee is paid, so when i called back, i would have to go through the same frustrating crap again.

    the coolest thing of all about Vonage? their own phone lines were absolute shit. they would fade in and out, hiss, crackle, sound like they were being run through a flanger, and they were almost inaudibly quiet. the swishing of someone’s pant legs walking past my office would drown out the attendant and leave me asking them to repeat themselves. so i don’t know if they use their own product or not, but if they do, they certainly aren’t giving off a great image heh.

    result: other providers are probably fine, but even if the technology is superior and the price lower, i will never buy anything from Vonage.

  • Brandon Smith

    Yesterday I spent 8 hours trying to get a promotional tablet. The Rogers Store, Customer Service and Tech all had different answers. Because of this I spent 15 dollars to make sure that I would not have overages on my wireless plan. There is still no answer. Is the tablet coming? Did I waste an entire day? Do I have the data? Do I leave and pursue a 3 GB tablet plan a month?