Responsibility of ISP?

DK

What is the responsibility of the ISP when one of their users gets a virus
that sends out hundreds of emails, and one of the email recipients makes
numerous complaints, clearly identifying the source?

To elaborate with the actual story:

I have, since about 8/23, received over 600 emails of a similar nature, from
apparently different sources (different reply-to addresses). They all say
something like "you're approved" or "about that movie", the text in all of
them says something like "see the attached file for details", and they all
have an attachment (which I have not opened).

When I look at the headers, I see that ALL of these emails are coming from
the same IP address (65.31.181.100), which resolves on reverse DNS lookup to
"rr.com" - which is one of the domains for Time-Warner's RoadRunner
Internet.

I have sent about 20 emails to their abuse department, I have called them
(about 4 times), I have called Time Warner Cable, and they STILL have done
nothing.

It seems to me that they should be able to identify the user via the IP
address, notify the user that there is a problem, and, if the problem isn't
resolved, disable the user's account. It seems to me that this should be a
relatively simple process. It also seems to me that they could at least
RESPOND to my complaint to let me know what's being done. They haven't even
had the courtesy to do that.

Do I have any recourse, especially of a legal nature?

Also, I'm wondering - I see a lot of people with a similar problem posting
here (about receiving the emails). If any of those are coming from the same
IP address, or from any rr.com or roadrunner.com address, will you please
contact me?
 
DK said:
> What is the responsibility of the ISP when one of their users gets a virus
> that sends out hundreds of emails, and one of the email recipients makes
> numerous complaints, clearly identifying the source?

Because the source is spoofed therefore it is bogus, not real, a fake.

> When I look at the headers, I see that ALL of these emails are coming from
> the same IP address (65.31.181.100), which resolves on reverse DNS lookup to
> "rr.com" - which is one of the domains for Time-Warner's RoadRunner
> Internet.
>
> I have sent about 20 emails to their abuse department, I have called them
> (about 4 times), I have called Time Warner Cable, and they STILL have done
> nothing.

Because the source is spoofed therefore it is bogus, not real, a fake.

> It seems to me that they should be able to identify the user via the IP
> address, notify the user that there is a problem, and, if the problem isn't
> resolved, disable the user's account. It seems to me that this should be a
> relatively simple process. It also seems to me that they could at least
> RESPOND to my complaint to let me know what's being done. They haven't even
> had the courtesy to do that.

Because the source is spoofed therefore it is bogus, not real, a fake.

> Do I have any recourse, especially of a legal nature?

No.

**** sake, haven't you learned a thing about viruses?

--
________________________
Conor Turton
(e-mail address removed)
ICQ:31909763
________________________
 
from the said:
> Because the source is spoofed therefore it is bogus, not real, a fake.

The 'from' and 'reply to' are spoofed. The originating IP address, (for
most common viruses), is entirely valid .. so rr.com could do something
about it if they could be bothered.

Haven't you learned a thing about viruses?
 
GSV Three Minds in a Can said:
from the said:
> The 'from' and 'reply to' are spoofed. The originating IP address, (for
> most common viruses), is entirely valid .. so rr.com could do something
> about it if they could be bothered.

From:
http://www.computing.net/security/wwwboard/forum/6307.html

written by a JackG states in part:
"Just because you have a "source" IP, does not mean that is where it comes
from. With most viruses, it is possible to sort out the true IP address and
the ISPs know how to do this and compare it with their traffic logs that
record the exact time a SMTP server handles the e-mail. But some of the new
viruses have their own SMTP server code and can fake all of this header
information and mask the source of the infected machine. So there is almost
no way to trace back to the infected machine. One of the common versions of
the SoBig virus inserts the IP address of 208.29.62.37 as the source.
Another version inserts the IP address of the abuse reporting system of one
large ISP. So if it is the SoBig virus, you are wasting your time trying to
track down the source using an IP address."

If I'm understanding the posts correctly, I would need to go to an AV site
to determine if what I'm receiving has its own SMTP engine, and if so don't
bother to complain, otherwise a complaint may do some good.
--

~~~~~~~~~~~~~~~~~~
Dave McAuliffe
<Central Mass> USA
Remove X from address
~~~~~~~~~~~~~~~~~~
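
An added example, not part of any post in this thread: the posts above disagree on whether an IP address found in the headers can be trusted. The sketch below reads a constructed message and reports only the peer address written by the recipient's own mail server, listing addresses from lower `Received:` lines separately because the sending side supplies those. The host names, addresses and the `boundary_peer` helper are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample; all hosts and addresses are documentation placeholders.
RAW = """\
Received: from mx1.example.net (mx1.example.net [198.51.100.7])
\tby mailstore.example.net with ESMTP id A1; Mon, 25 Aug 2003 10:00:05 -0400
Received: from PCNAME (cpe-45.isp.example [203.0.113.45])
\tby mx1.example.net with SMTP id B2; Mon, 25 Aug 2003 10:00:03 -0400
Received: from mail.bank.example ([192.0.2.99])
\tby relay.bank.example with ESMTP id C3; Mon, 25 Aug 2003 09:58:00 -0400
From: "Support" <support@bank.example>
Reply-To: someone.else@other.example
Subject: Re: Approved

See the attached file for details.
"""

# Assumed names of the recipient's own mail hosts and their relay addresses.
TRUSTED_BY = {"mx1.example.net", "mailstore.example.net"}
TRUSTED_IPS = {"198.51.100.7"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def boundary_peer(raw, trusted_by=TRUSTED_BY, trusted_ips=TRUSTED_IPS):
    """Return the peer our own MX saw, plus IPs from headers we cannot verify."""
    headers = message_from_string(raw).get_all("Received", [])
    for i, value in enumerate(headers):  # newest header first
        m = RECEIVED_RE.search(value)
        if not m or m["by"].lower() not in trusted_by:
            return None  # trace was not written by our servers: nothing to trust
        if m["ip"] in trusted_ips:
            continue  # internal relay hop, keep walking down
        # First outside peer recorded by a trusted host: the address to report.
        unverified = [x["ip"] for x in map(RECEIVED_RE.search, headers[i + 1:]) if x]
        return {"ip": m["ip"], "rdns": m["rdns"], "helo": m["helo"],
                "recorded_by": m["by"], "unverified": unverified}
    return None

if __name__ == "__main__":
    print(boundary_peer(RAW))
```

The `From` and `Reply-To` values play no part in the result; an abuse report would quote the `ip` field together with the timestamp from the same `Received:` line.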
 
It is possible that the IP address you have is not the culprit. I can
imagine how difficult it is for ISPs to sort these things out. It's not as
simple as blocking IP addresses either. I will bet there are a whole host of
other people who have the same problem. I can't see any easy way to sort
this out. You've done the right thing in contacting the ISP though I think.

Have you contacted your ISP as well as the apparent source?
 
Jason Spashett said:
> It is possible that the IP address you have is not the culprit. I can
> imagine how difficult it is for ISPs to sort these things out. It's not as
> simple as blocking IP addresses either. I will bet there are a whole host of
> other people who have the same problem. I can't see any easy way to sort
> this out. You've done the right thing in contacting the ISP though I
> think.

My biggest problem is that they have totally ignored my complaint. They
haven't even responded to say that they would look into it! Nobody's
bothered to call back even after the messages I've left. I'm rather
disturbed about their apparent lack of concern - I think that's what's
bothering me most.

> Have you contacted your ISP as well as the apparent source?

My ISP says they can't really help, since it's coming to an email on one of
my websites, not to my ISP account. I suppose I could talk to the hosting
service.
 