Anyone else heard from their ISP for having IRC connections?

[sadpandatech]

 I received an interesting email from ATT this morning;


  IMPORTANT COMPUTER SAFETY NOTICE from AT&T Internet Services Security Center -“IRC Traffic Detected”

Our investigation shows that the following IP was assigned to your log-on session at the indicated time and was using IRC connections to a computer network which is possibly a Botnet.

Date: (UTC) => Your IP:
2011-10-18 04:45:24 => My Business T1 IP
2011-10-17 04:23:13 => My Business T1 IP
2011-10-16 02:47:36 => My Business T1 IP


IRC Botnet infected systems commonly send or receive commands that can SPAM email, spread malicious software, and perpetrate identity theft.

IRC traffic on ports other than those normally used by IRC can be an indication of backdoor trojans or bots.


IRC Botnet infected systems commonly send or receive commands that can SPAM email, spread malicious software, and perpetrate identity theft.

IRC traffic on ports other than those normally used by IRC can be an indication of backdoor trojans or bots.

Although the activity is likely unintentional, it is still in violation of AT&T's Acceptable Use Policy. To review the AT&T Acceptable Use Policy, go to:  http://www.corp.att.com/aup/


   It was certainly news to me that they had a 'policy' against connecting to IRC servers on non default ports.  The times they reference are in direct correlation to my firing up the Bitcoin Client.. ;p
  I made sure to contact them on it none the less, because they do have a history of disabling accounts if they truely do suspect one of being 'zombiefied'.  I did not mention Bitcoin or anything but basicly told them that unless they had something in their policy about what remote IRC ports I am allowed to connect to, to please not send me further messages about it. I'm an asshole when it comes to them people. I pay for a home connection and 2 businesses worth of internet and phone servicve with them. Total about 4 grand a month, so they can kiss my shiny, white ass....

  But, it does make me wonder if they have jumped on the security bandwagon that has it in mind to flag Bitcoin related communications as infectious transmissions...?  And, will they decide to block it? They certainly are more than capable with their NAT setup to do so....  The next release of Bitcoin will have to include a built in http proxy just to fuggin work if something like that were to happen. Something to think about.

   And, also something for you agenda pushing Botnet fuckers to think about. I will be extremely pissed if because of your agenda you get 'Bitcoin' traffic in general banned..... Or is that your true goal!?!? hmmm *tinfoil hat feels warm*



  EDIT;  In hind sight. I am using whatever default nodes Bitcoin picks out. Is it possible there is/was a node in the list that just happened to be on the 'list' of servers?

[1713549013]

1713549013

[eleuthria]

The intent of the notice seems to not be that IRC is bad, but that botnets/trojans are.  My reading of that is that having a botnet/virus/trojan on your computer means you're violating their AUP due to potentialy illegal activities, not that the IRC connection itself is against the AUP.

It's most likely trying to notify you that you may have a virus, and you need to take a look.  The notice itself doesn't seem to be mentioning anything about a potential suspension of service if it isn't "fixed" on your end.

[phillipsjk]

Yes, Bitcoin uses IRC for finding other nodes, much like botnets do.

Yes somebody has mentioned that before on the forum.

You are using a business connection, so it appears you actually are allowed to host servers. Most home users are not allowed to host servers.

[Exonumia]

You can disable bitcoin's IRC bootstrapping by placing:

noirc=1

in your bitcoin.conf file.

You could also use the command line option: add -noirc after the bitcoin launch for example: "bitcoin.exe -noirc"

They are more warning you that you might have an infection than warning you against using IRC.

[sadpandatech]

The intent of the notice seems to not be that IRC is bad, but that botnets/trojans are.  My reading of that is that having a botnet/virus/trojan on your computer means you're violating their AUP due to potentialy illegal activities, not that the IRC connection itself is against the AUP.

It's most likely trying to notify you that you may have a virus, and you need to take a look.  The notice itself doesn't seem to be mentioning anything about a potential suspension of service if it isn't "fixed" on your end.

  Yes, m8 I caught the jist of their note. They send out thousands of these emails a day to many of their customers who also happen to end up being customers to one of my shops. ;p  The part you missed in the message that I was intending to convey was the paranoid aspect of them messaging for this particular incident. I have had this service connection with them for going on 4 years now when they bought bellsouth back out, here at my location. I have many, many times in the recent past run IRC nodes, connections, servers and other varying services on unusual ports. Where this makes me paranoid is it is the first time they have ever contacted me so specificly about any one thing.....

  And, the notice itself does not need to mention suspension, as they make sure to cover that in their ToS, if one were to violate their AUP. Seperate papers all together. And the point is, they can claim botnet/virus/trojan if they have made such a distinction for Bitcoin communications. Did you read that part in my OP??  I doubt they would in my case, but they very much will suspend an account for AuP/ToS violations if they so desire....

 I am suspecting it is an extension of the recent flagging by security firms of certain software that mines and of recent botnet activity that relies heavily on such software and thier connections to irc. The issue I see with it is large telecoms, etc making a love trangle out of it that may end up including Bitcoin itself... Yes, I'm that kinda crazy..... But, hopefully am just being paranoid....

Yes, Bitcoin uses IRC for finding other nodes, much like botnets do.

Thanks, Phil. I had no idea Bitcoin used irc for finding nodes..   

You can disable bitcoin's IRC bootstrapping by placing:
noirc=1
in your bitcoin.conf file.
You could also use the command line option: add -noirc after the bitcoin launch for example: "bitcoin.exe -noirc"
They are more warning you that you might have an infection than warning you against using IRC.

  Thats not a bad idea, actually. Thanks, Exonumia

   Still guys, please look back over the points I had about ATT specificly pointing out this traffic. To reiterate, irc and other strange traffic is no where near unusual on my network, them sending a notice specificly about IRC nodes used for Bitcoin communicae, however, IS.....

[MoonShadow]

I received an interesting email from ATT this morning;


  IMPORTANT COMPUTER SAFETY NOTICE from AT&T Internet Services Security Center -“IRC Traffic Detected”

Our investigation shows that the following IP was assigned to your log-on session at the indicated time and was using IRC connections to a computer network which is possibly a Botnet.

This comes up on a regular basis.  AT&T uses a traffic monitoring program intended to identify botnet command & control traffic, which regularly false positives on the IRC traffic that the standard bitcoin client produces to 'bootstrap' peer nodes upon startup.  You could just ignore it, and set the client to not annouce your IP address on the IRC channel, and the client will use the saved list of IP addresses to startup; or you could call AT&T support and have your address whitelisted for this.  They are aware of the bitcoin false positives by now, as many times as this has come up.

[sadpandatech]

I received an interesting email from ATT this morning;


  IMPORTANT COMPUTER SAFETY NOTICE from AT&T Internet Services Security Center -“IRC Traffic Detected”

Our investigation shows that the following IP was assigned to your log-on session at the indicated time and was using IRC connections to a computer network which is possibly a Botnet.

This comes up on a regular basis.  AT&T uses a traffic monitoring program intended to identify botnet command & control traffic, which regularly false positives on the IRC traffic that the standard bitcoin client produces to 'bootstrap' peer nodes upon startup.  You could just ignore it, and set the client to not annouce your IP address on the IRC channel, and the client will use the saved list of IP addresses to startup; or you could call AT&T support and have your address whitelisted for this.  They are aware of the bitcoin false positives by now, as many times as this has come up.

  I am also familair with their monitoring methods........

  Although, that's slightly reassuring for you to say. I was very hesitant to mention 'bitcoin' to them when I spoke to support earlier.  So you are fairly confident that AT&T has not recently decided the irc network bitcoin uses is bad? Just seems like I woulda got one of these 'false positives' long ago, as I have been running bitcoin clients with the default bootstrap to irc settings for going on 9 months now...

[sadpandatech]

This:

http://ktetch.blogspot.com/2011/03/at-equates-irc-to-bot-nets-suggests-wep.html

And this:

https://daemonfc.wordpress.com/2011/07/08/att-thinks-irc-is-malware/

  Ahhhh, thank you very much for the links. Nice to know they arn't necessarily picking on Bit traffic or that this is something new!  Still seems so strange that only now their shit software decided to flag my traffic...

  So TL;DR = AT&T thinks IRC in general is evil and just doesn't know any better?

[MoonShadow]

I received an interesting email from ATT this morning;


  IMPORTANT COMPUTER SAFETY NOTICE from AT&T Internet Services Security Center -“IRC Traffic Detected”

Our investigation shows that the following IP was assigned to your log-on session at the indicated time and was using IRC connections to a computer network which is possibly a Botnet.

This comes up on a regular basis.  AT&T uses a traffic monitoring program intended to identify botnet command & control traffic, which regularly false positives on the IRC traffic that the standard bitcoin client produces to 'bootstrap' peer nodes upon startup.  You could just ignore it, and set the client to not annouce your IP address on the IRC channel, and the client will use the saved list of IP addresses to startup; or you could call AT&T support and have your address whitelisted for this.  They are aware of the bitcoin false positives by now, as many times as this has come up.

  I am also familair with their monitoring methods........

  Although, that's slightly reassuring for you to say. I was very hesitant to mention 'bitcoin' to them when I spoke to support earlier.  So you are fairly confident that AT&T has not recently decided the irc network bitcoin uses is bad? Just seems like I woulda got one of these 'false positives' long ago, as I have been running bitcoin clients with the default bootstrap to irc settings for going on 9 months now...

I can't say, directly, because I refuse to do business with AT&T for personal reasons.  But based upon the experiences of others, the notice is automaticly generated after so much traffic that looks like botnet traffic.  The first tier support personel will have no idea what you are talking about anyway, and couldn't do anything to help regardless.  You need the real tech support desk, usually third tier.  Personally, I run the client in a 'quiet' mode that neither announces my IP address on the IRC channel, nor accepts incoming connections from IP addresses that are not in my whitelist.  I run the client with the '-connect' flag to only connect to a set number of trusted nodes.  Only the truly talented would be able to find my node.

[sadpandatech]

I received an interesting email from ATT this morning;


  IMPORTANT COMPUTER SAFETY NOTICE from AT&T Internet Services Security Center -“IRC Traffic Detected”

Our investigation shows that the following IP was assigned to your log-on session at the indicated time and was using IRC connections to a computer network which is possibly a Botnet.

This comes up on a regular basis.  AT&T uses a traffic monitoring program intended to identify botnet command & control traffic, which regularly false positives on the IRC traffic that the standard bitcoin client produces to 'bootstrap' peer nodes upon startup.  You could just ignore it, and set the client to not annouce your IP address on the IRC channel, and the client will use the saved list of IP addresses to startup; or you could call AT&T support and have your address whitelisted for this.  They are aware of the bitcoin false positives by now, as many times as this has come up.

 I am also familair with their monitoring methods........

  Although, that's slightly reassuring for you to say. I was very hesitant to mention 'bitcoin' to them when I spoke to support earlier.  So you are fairly confident that AT&T has not recently decided the irc network bitcoin uses is bad? Just seems like I woulda got one of these 'false positives' long ago, as I have been running bitcoin clients with the default bootstrap to irc settings for going on 9 months now...

I can't say, directly, because I refuse to do business with AT&T for personal reasons.  But based upon the experiences of others, the notice is automaticly generated after so much traffic that looks like botnet traffic.  The first tier support personel will have no idea what you are talking about anyway, and couldn't do anything to help regardless.  You need the real tech support desk, usually third tier.  Personally, I run the client in a 'quiet' mode that neither announces my IP address on the IRC channel, nor accepts incoming connections from IP addresses that are not in my whitelist.  I run the client with the '-connect' flag to only connect to a set number of trusted nodes.  Only the truly talented would be able to find my node.

  Sadly, my other choices for upstream after bellsouth sold back into ATT were blocked legally from offering here. fugged up things, mannnn. ;p

  yea, I am overdue to update my settings for -noirc and -connect and get a trusted list setup.  Still paranoid about ATT, I don't trust them. They have been a complete shit service support wise since buying everyone back up....

[sadpandatech]

Yeah I've got AT&FuckMe too. I use mIRC all the time and got this notice. I replied like in the second link I sent you. Quoted below:

"Dear Morons,
 
Internet Relay Chat is a chat protocol, I am not using Windows or Mac OS because I am not a retard. I know what a botnet is, and I know I don’t have one. Please kindly stop sending me this nonsense.
 
PS: If I get one more of these I’m going to find out whose idea it was to crapflood my mailbox, and rip their head off and shit down their throat. No seriously. how can you people be so stupid? Do you ever just stop to think that people use IRC for legitimate purposes or may use a non-Windows non-Mac OS operating system which isn’t plagued by this kind of crap to begin with?
 
By the way, I’d like whatever I’ve been paying you for Norton or McAfee or whatever related bloated uselessware refunded if that’s possible, since I have no possible use for it. Would that be cool? I’d love to have the mandatory Windows antivirus tax returned to me at your earliest convenience.
 
Have a wonderful day."

 LMAO, that was basicly the response I had for them in my reply email before I made one of those dreaded calls to a lvl 1 tech to be sure my services would not be tampered with. As moon pointed out, the guy had absolutly no fucking clue what IRC or even ports were, or anything network related at all. Shit service.....

  LOL, on the refund request. Wonder if some poor clerk that may actually read those replies read it. Sadly, I'd be willing to bet any replies to one of those 'notices' is handled automaticly as well. I.E., 'Ok, they replied, not a bot. for now...'   =)

[MoonShadow]

  Sadly, my other choices for upstream after bellsouth sold back into ATT were blocked legally from offering here. fugged up things, mannnn. ;p

Really?  In this modern age?  What backwards city do you live in?

[sadpandatech]

  Sadly, my other choices for upstream after bellsouth sold back into ATT were blocked legally from offering here. fugged up things, mannnn. ;p

Really?  In this modern age?  What backwards city do you live in?

 Don't ask. :/  I am about 500 yards short of being in range for T1+ access to Verizon's upstream at my biz locations atleast. :/  At home, I have other options, cable, satelite, etc. Butttt. I am not cutting down my damn trees for sat and the cable here has some fugged up microwave connection over the local river and no hard line so it is constantly fuzzy at night when the local military base starts buzzing the shit out of all the bandwidth and it disocnnects constantly....

  It had been so long since I had any siliness from ATT that I almost forgot how fugged they are.  At my home connection some 3 years ago now, not long after they took over from Bell, I had an overlooked billing dispute with them for $1.43. Yes, thats One Dollar and Forty Three /100's. (Wife was in charge of home bill at the time and overlooked some new fee and was accustomed to sending them exactly what the bill always was). Well, when the $1.43 became 60 days late they disconnected the Internet service. This was no big deal, called em up, argued over the friggin buck and change and got it back on after assuring them we'd pay the gastly amount we owed on our next bill. All should have been fine at the point, but what was this. Upon reconnection of my modem I notice something odd, the download speed now reads 3.5Meg instead of the 10Meg that we had. Next day I get on the phone again and am informed that upon my temporary disconnection their 'Automated' system reassigned the connection speed to someone on the waiting list. I was also informed that there was absolutly no way to get it back, no matter how many 'grand', as I put it, that I spent with them each month for my business lines, but that they would gladly put me on the 'list'! I was furious but opted to have someone from corporate get in touch with me. Well, before Corp could call, if they even would. More on that in a sec. My modem suddenly stopped being able to connect again all together. Quick little stroll through the unlocked tech log on it revealed 2 very interesting entries that originated from their servers the very second it stopped working. Yea, grab your tinfoil hat for that one. The boxes are tied to your connection speed where I am, locked in to the firmware in the box itself. Even though your modem checks a config assigned to your account each time it logs and gets speed info, etc, it was at one time possible to hack this in the box. Not that I did, had no reason to, but I highly suspect its why they zapped my box. Well, before corp could call back I called them and after about 10 minutes of red faced yelling into the phone had canceled my service with them....

 Sadly that did not last, and after a week of hunting for another service provider for my home address I had no choice but to establish new service for my resisdence as a new 'business' line. It was the only viable choice to get the speed at my resisdence, as I have a need to conduct some of my work at home, and must have the speed to do so. =(

  TL;DR   AT&T Sucks Donkey Balls!


   Cheers

[MoonShadow]

  Sadly, my other choices for upstream after bellsouth sold back into ATT were blocked legally from offering here. fugged up things, mannnn. ;p

Really?  In this modern age?  What backwards city do you live in?

 Don't ask. :/ 

No, seriously, I'm asking.  There may be alternatives for which you are not aware.  If nothing else, a multi-homed service via a linux machine might be able to provide the speed that you need most of the time while providing some connection all of the time.  I have family members that made a mint by establishing the first ISP in a small town, even though they wouldn't let me near their business because I had a rep as a 'hacker', so I might be able to offer you some alternatives.  If you have a line of sight to any cell tower, odds are good that you can get some pretty good burstable speed to handle the higher bandwidth times.

[sadpandatech]

  There is currently cell service here that I use on a laptop when I am out of wireless range. The tower of which is a shared att/sprint tower and is running both of their last gen tech. I.e., 3g for ATT and whatever Sprint calls their equiv service. Verizon has FIOS, but my home is about 2 miles out of their range, no cell tower of their's in range and my bis locations, as I stated earlier are about 500 yards too far from their head ends. I believe one is 500~ yards and the other is even further without dropping a new pole on the adjacent property. Which, I will not even hazzard a guess on what that would cost, if the city would even let one be put in. Can't be put in the ground at said location because the city's main water line is there. >.<

  There is one company running a local(10 mile from each tower, 4.8GHz, 5 towers 110') true WiFi service but he is considered 'competition' for some of my services and is unwilling to sell me the bandwidth I'd want for my home at a reasonable rate. I check every so often, but my house is in the 'woods', if you will, and my motivation is lacking. Other than ATT's suck ass support, I can atleast say they have not been able to screw with my businesses' previously contracted data rates. And, for the bis side their Nat lvl firewalling actually does a half decent job at keeping out the crud that some of the other providers struggle with.

  Aside from that, if someone wants to know where I am bad enough, I am not hard to track down, or they could just PM me. I'd rather not just hand that info out publicly though.


 I'm a Florilicensenwieldinpublican, and my aim is good. The wife's too for that matter.    But, I'd much rather just not have to go there. Unless that damn McClain from across town comes poken aroun' again!


  Cheers, m8
     Derek

[MoonShadow]

   Verizon has FIOS, but my home is about 2 miles out of their range,

Beam antenna on the roof?  If you have a line of sight, a decent yagi antenna mounted on a roof antenna mount (the kind Radio Shack sells for tv antennas) and a couple hours of work on a Saturday and you can have Verizon's 4G/WiMax data rates, which although not cheap, would offer a fine alternative path for a multi-homed setup.  Won't be attractive, though.  Wife might object.

[sadpandatech]

   Verizon has FIOS, but my home is about 2 miles out of their range,

Beam antenna on the roof?  If you have a line of sight, a decent yagi antenna mounted on a roof antenna mount (the kind Radio Shack sells for tv antennas) and a couple hours of work on a Saturday and you can have Verizon's 4G/WiMax data rates, which although not cheap, would offer a fine alternative path for a multi-homed setup.  Won't be attractive, though.  Wife might object.

  Sadly, they do not have WiMax in range of any height of antenna I could have access to on my property. They have FiOS, their new fiber optic setup here in FL. Its fuggin sweet too, 50Meg+ and caries T.V. cable, and regular phone of course over it as well. Too bad I am way out of range of it. ;p Only WiFi capable towers here are 3G ATT/Sprint, and a local company that is selling the same tech that I was 10 years ago, for about 3 times the price of what I was well profitable at. ;p  Probably same situation as my current biz and lack of upstream choices. If I was him, I'd move my bis. In my situation and the non public nature of my hosting it would not benefit me, like it would him.....

  Yea, before I moved the previous ISP I owned had a dual band 4.8GHZ(2.4-5Ghz at 19.3 to ~22db) LNA setup that I could line of sight to my customers and of course to my home that was nearly 5 miles out. It took a friggin 6 grand dual-pole transceiver antenna(God those things have gotten so much cheaper) up a 45' poll at the time to do so.

  Now, I could LoS from my closer biz to my house with about 12 grand worth of equip now and have access there but the speed would not be any better than what I have now and god only knows what the new licensing on the channels is these days. I know it has changed a LOT since FCC whacked out a huge swath of bands from what was pretty much open use previously.



 Cheers