Dear [My Name in UPPER CASE, very friendly]
We have reason to believe that a computer connected through your Rogers
Cable Modem has been infected by a virus. The amount of traffic and
traffic patterns being generated are consistent with a Trojan Virus.
Typically, these types of viruses do not affect the performance of your
computer and instead carry out attacks and malicious activities behind
the scenes, without your knowledge. This type of network activity has
the potential to negatively impact the overall service. For your
reference, we have included a technical summary of the activity for your
reference at the bottom of this e-mail message.
To protect your computer and to safeguard other customers on the Rogers
Yahoo! Hi-Speed Internet network, we urge you to remove the virus as
quickly as possible. This can usually be done by using an updated
Anti-Virus program to scan all the computers connected to your cable modem and
choosing to remove the viruses.
If you are unable to remove the virus within 48 hours, we will have to
take additional steps to protect other customers and the Rogers Yahoo!
Hi-Speed Internet network including temporary service deactivation.
Should this occur, we can reactivate your connection once the virus has
been removed by calling into our call center.
If the network activity below is not the result of a Virus, we ask that
you reconfigure any programs or hardware which is generating the
network activity detailed below to reduce the amount of traffic or redirect
it to another DNS Server.
High volumes of requests causing Error or Canned (127.0.0.1) responses
usually indicate a Worm, Virus, or Bot infection. These viruses will
usually attempt to connect to a controlling server or attempt to perform
a Denial of Service attack on a specific server on the Internet. Once
the destination is identified, the owner of the server may remove or
change the DNS entry causing future Virus infected computers to fail
resolving the name. This causes an error to be generated.
EUA Management Team
Rogers Yahoo Hi-Speed Internet
IP Add, Errors, Queries
220.127.116.11, 120, 231
Date Time, Src, Query, Query type
2005-04-27 00:03:20.79363, 18.104.22.168, fresno.com., Internet Addr ?
2005-04-27 01:03:01.52843, 22.214.171.124, mail.mwh.com.brntfd.phub.net.cable.rogers.com., Internet Unknow
2005-04-27 01:03:13.94833, 126.96.36.199, 188.8.131.52.sbl.spamhaus.org., Internet Addr ?
2005-04-27 01:03:14.77028, 184.108.40.206, 220.127.116.11.in-addr.arpa., Internet PTR ?
2005-04-27 01:03:14.78227, 18.104.22.168, tm.net.my., Internet Addr ?
2005-04-27 0:03:20.79446,22.214.171.124,fresno.com.,Internet Addr
2005-04-27 1:03:1.55726,126.96.36.199,Error:,3(Name Error)
2005-04-27 1:03:14.48904,188.8.131.52,Error:,3(Name Error)
2005-04-27 1:03:14.79525,184.108.40.206,tm.net.my.,Internet Addr
2005-04-27 1:03:20.9845,220.127.116.11,Error:,3(Name Error)
Thank You Rogers for identifying me as a virus carrier. Now, I shall rip it apart. The sample period of 231 requests with 120 failures is pretty short. If that triggers their “virus” warning system, it’s pretty weak. The failures were generated by Anti-Spam methods (which check for domain existence and addressing) so, failures are a Good Thing™.
So I replied. “This is as a result of anti-spam measures that use DNS to verify return addresses. But, since it’s a problem for you, I have switched my DNS servers. Thanks!” Following that, their ‘autoreply’ from the abuse account got flagged as spam by their own (Yahoo!’s) system. Hahaha…
Kudos go to them for attempting to notify users. And I guess I’m lucky they didn’t disconnect me. 48 hours is a pretty weak timeframe considering I don’t use that email address for anything! The only reason I checked was because of my modem-upgrade notice. heh… Fun.
So, I guess now I can’t use their DNS, so that’s yet another part of their service that I won’t use, leaving me with nothing but a connection.
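To make the false positive concrete, here is an added example (not part of the original post, and not Rogers' actual detection logic) that scores a DNS query log by raw error ratio and again after setting aside the lookup types anti-spam software generates. The log rows, the rcode column, the 192.0.2.10 source address and the 0.5 threshold are all constructed assumptions; only the spamhaus zone and the rogers.com search suffix come from the notice above.

```python
import csv
import io

# Constructed sample in the spirit of the notice's "Date Time, Src, Query" table,
# with an rcode column added (assumption). 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
2005-04-27 01:03:01,192.0.2.10,mail.example.com.brntfd.phub.net.cable.rogers.com.,A,NXDOMAIN
2005-04-27 01:03:13,192.0.2.10,7.2.0.192.sbl.spamhaus.org.,A,NXDOMAIN
2005-04-27 01:03:14,192.0.2.10,7.2.0.192.in-addr.arpa.,PTR,NXDOMAIN
2005-04-27 01:03:14,192.0.2.10,example.net.,A,NOERROR
2005-04-27 01:03:20,192.0.2.10,no-such-host.example.org.,A,NXDOMAIN
2005-04-27 01:03:21,192.0.2.10,example.com.,MX,NOERROR
"""

DNSBL_ZONES = ("sbl.spamhaus.org.",)           # zone seen in the notice
SEARCH_SUFFIX = "phub.net.cable.rogers.com."   # resolver search suffix seen in the notice


def classify(qname):
    """Label a query name by the benign mechanism that most likely produced it."""
    q = qname.lower()
    if q.endswith(DNSBL_ZONES):
        return "dnsbl"            # blocklist lookup: NXDOMAIN means "not listed"
    if q.endswith(".in-addr.arpa."):
        return "reverse"          # PTR check on a connecting mail host
    if q.endswith("." + SEARCH_SUFFIX):
        return "search-suffix"    # stub resolver appended the ISP domain
    return "other"


def summarize(log_text, threshold=0.5):
    """Return naive and adjusted NXDOMAIN ratios plus whether each would alert."""
    rows = list(csv.reader(io.StringIO(log_text)))
    counts = {}
    errors = {}
    for _ts, _src, qname, _qtype, rcode in rows:
        kind = classify(qname)
        counts[kind] = counts.get(kind, 0) + 1
        errors[kind] = errors.get(kind, 0) + (rcode == "NXDOMAIN")
    naive = sum(errors.values()) / len(rows)
    other_total = counts.get("other", 0)
    adjusted = errors.get("other", 0) / other_total if other_total else 0.0
    return {"naive": naive, "adjusted": adjusted,
            "naive_alert": naive > threshold, "adjusted_alert": adjusted > threshold,
            "errors_by_kind": errors}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the constructed sample the raw ratio crosses the threshold while the adjusted one does not, which is the situation described in the post.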