# Is my new ISP spying on me?



## Nick (Apr 23, 2002)

I suspect that Adelphia cable broadband is attempting to access my pc. My suspicions are based on a ZoneAlarm Pro firewall alert that popped up while I was conducting a series of internet speed and security tests this morning. It is important to know that, within the past week, I have made two significant changes to my Internet access and system security.

First, last week I changed my primary Internet access to Adelphia cable broadband. It is germane to the story that, at one point during the sign-up process, I was literally forced to read the very lengthy user agreement before I could proceed. Now, I'm glad I did. The Adelphia user agreement contained some of the most onerous and prohibitive language I have ever read in any user agreement, mostly related to illegal and/or excessive usage, and providing for Adelphia (and its assigns!) to have broad legal rights to access my system for "audit" purposes. Of course, I _had_ to agree to the terms in order to complete the sign-up process and gain access to the Internet through Adelphia (for the time being).

I never thought I would soon be addressing these same issues. Read on.

Yesterday, I upgraded my ZoneAlarm subscription from the 'free' version to the ZA Pro 15 day trial. I'm glad I did. While doing some speed and security tests this morning using the free services of www.auditmypc.com, ZA Pro blocked and alerted me to several attempts to access my system, including one particular attempt - from Adelphia's *Internet Policy Enforcement* unit, with the email address of *[email protected]*. (See *Whois* detail of the attempted hack and source location map below.)

It's possible, if not likely that the additional traffic generated by my speed and security tests alerted Adelphia's fraud/abuse functions and triggered the attempt to access my computer. For what reasons, I don't know, and _that_ is the essence of my concerns. Specifically,

1) what information could Adelphia access if they _had_ been able to get into my computer?
2) has my Adelphia account likely been tabbed for closer and/or continuing scrutiny?
3) is blocking access to one's system through use of a firewall known to be a violation of any ISP's TOS, and, if so, could such firewall blocking result in termination of an Internet account?
4) has anyone reading this post experienced problems with their ISP as a result of blocking access -or- as a result of conducting speed and/or security tests?

At this juncture, I am asking the readers of this forum to offer your thoughts as to what is happening here, based on your general knowledge and personal experiences. Also, if you will, describe any experiences you may have had with your ISP in connection with alleged violations of TOS.

Thank you.

*Whois Information*

```
Adelphia Cable Communications ADELPHIA-CABLE-7 (NET-69-160-0-0-1)
69.160.0.0 - 69.175.255.255
Adelphia 69-164-192-0-Z2 (NET-69-164-192-0-1)
69.164.192.0 - 69.164.255.255

# ARIN WHOIS database, last updated 2005-02-12 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

CustName: Adelphia
Address: 1 North Main Street
City: Coudersport
StateProv: PA
PostalCode: 16915
Country: US
RegDate: 2004-04-19
Updated: 2004-04-19

NetRange: 69.164.192.0 - 69.164.255.255
CIDR: 69.164.192.0/18
NetName: 69-164-192-0-Z2
NetHandle: NET-69-164-192-0-1
Parent: NET-69-160-0-0-1
NetType: Reassigned
Comment:
RegDate: 2004-04-19
Updated: 2004-04-19

OrgAbuseHandle: IPE-ARIN
OrgAbuseName: Internet Policy Enforcement
OrgAbusePhone: +1-866-473-2909
OrgAbuseEmail: [email protected]

OrgTechHandle: CKI8-ARIN
OrgTechName: Kio, Carolyn
OrgTechPhone: +1-888-512-5111
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2005-02-12 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
```

*Whois* hacker location map below


----------



## SimpleSimon (Jan 15, 2004)

It depends on what software they forced you to install (if any).

Rule of thumb that applies to any and all ISPs:

If you are REQUIRED to install software on your machine in order to connect, find another ISP. There is NO reason to REQUIRE anything more than basic Microsoft stuff.

That being said, you may find you WANT things like web acceleration - and that's fine, just as long as the connector will work without it.


----------



## Mark Holtz (Mar 23, 2002)

Well, Nick, part of the reason behind the draconian policies is that residential broadband is designed for residential use, not business use. If someone sets up a mail, ftp, or web server, that would eat up a lot of bandwidth for that segment of cable users. Thus, port scanning is used to detect whether or not you have an active server. Also, peer-to-peer file sharing programs can be a problem because the ISP might be responsible for the copyright violations.

Likewise, the provider does not want to set up a broadband connection only to have it be used to pump out a lot of SPAM. Some broadband providers, such as SBC and FrontierNet (both in Sacramento area), have engaged in "Port 25 blocking". Port 25 is used for outgoing mail, and by blocking port 25, they disallow access to outside mail servers and make you use their mail server. This really isn't a problem if you use their e-mail server and hosting. However, some mail servers are using Sender Policy Framework (SPF) which checks to make sure that the e-mail address you are using is coming from THAT mail server, otherwise it gets rejected. (Once again, SPAM reasons). In order to get around that, some web hosting companies use an alternative port # as well as SMTP authentication in order to allow users to send out e-mail.

As far as I know, however, using a firewall program should not be against an ISP's TOS, and is actually good insurance against attacks. (Using an anti-virus program is also a good idea). As to what information an attacker can access, I can't really say because they are always discovering new security holes in the Windows OS, mail clients, and web browsers.

I hope that helps.


----------



## Mark Holtz (Mar 23, 2002)

SimpleSimon said:


> If you are REQUIRED to install software on your machine in order to connect, find another ISP. There is NO reason to REQUIRE anything more than basic Microsoft stuff.


What if you have no alternative for broadband access? Where I live, I have only two choices for broadband access: Surewest Telecom and Comcast Cable. Under FCC regulations, my phone company qualifies as a "small phone company", so the competition is locked out. I cannot get DSL through my own workplace.

Of course, there are enough ISPs who think that Windows support is "good enough", Mac support is minimal, and Linux is a character from Charlie Brown cartoons. That might work in your favor.


----------



## DonLandis (Dec 17, 2003)

Nick, I'm not surprised by your suspicions about Adelphia. I deal with cable co's all over and I can say with first hand experience that your cable company has a personal track record, the branch manager here in south Florida with treating me like he was Tony Soprano! Seriously! At the time we were negotiating an FCC Leased access contract for air time. I didn't know whether to call the FCC or the FBI that day! Having said that, I will say that what Mark posted makes good sense so the snoop they may be doing is justified and all legal like. I know many "consumers" who do stuff as a business when their contracts say no. I keep a business account with Comcast, not the residential one. It costs more and with Comcast, they give the better speeds first to consumers and me second, after the technology is in place. That's the bad part but I also have mission critical status with them. To me, I'll suffer the speed hit (consumers had 3mbs when I was restricted to 1.5Mbs; today they have me upgraded but it took 9 months) because when my system goes down, rarely, I have an AE I call and he picks up the phone. I have guaranteed same day service if before noon and next day after that. That is on-site service if necessary. Anyway, I have nothing to hide from Comcast so as long as my privacy is protected and they don't snoop to steal my bank account balance, I suppose it's OK with me. So, I would be concerned with Adelphia because of how I was once treated, but Comcast, Cox and Cablevision I deal with all seem very straight forward and mind their own business and have only my best interests in helping me run mine. I believe that!


----------



## SimpleSimon (Jan 15, 2004)

Sounds like you have two choices - one of them should be OK.

BTW, if any of them offer/allow home networking via a WAP or LAN hub in their box, or directly attached to it, you should be OK.


----------



## Nick (Apr 23, 2002)

Mark Holtz said:


> ...Port 25 is used for outgoing mail, and by blocking port 25, they disallow access to outside mail servers and make you use their mail server. This really isn't a problem if you use their e-mail server and hosting...


Interesting you should mention email, Mark. I've had my original email addy through EarthLink (EL) for almost 10 years, since 1995, and I'm not planning on changing it. Over those 10 years, I have had to perform some _"death-defying"_ gymnastics to keep using my original addy as my access options have evolved. I'm no longer using EL for my primary access, but for more than a year now I've been paying EL a small fee to maintain a minimal account just to keep my address. I was previously paying $22 for unlimited EL plus $34 for a BS landline. I also use several web-based email addys, which are not at issue here.

Back to the point of using Adelphia's POP3 mail service, maybe I should, but I'm not going to unless I have to set up a dummy account. About 4-5 years ago I started using "Webbox" (www.webbox.com) as my POP3 mai...t's the way I'd damn well like to keep it! :)


----------



## RJS1111111 (Mar 23, 2002)

Just because you're paranoid doesn't mean they're not out to get you!


----------



## Bogy (Mar 23, 2002)

Nick, of COURSE they are trying to spy on you. Somebody who posts the stuff you do? No doubt about it. My only question would be if it is Adelphia, or the FBI.

Seriously, I have Cox and have never had any problems, and I know my son is downloading a bunch of stuff I would probably just as soon not know about.  I do know that Cox does keep track of usage. There was a case in the news here a year or so ago, but this was a guy who was downloading several full length movies a day. He was using a LOT of bandwidth. Somebody downloading a few files now and then or even a bunch of songs is not going to be bothered. Shoot, last night I downloaded about 300 megs of drivers. That's what broadband is for.


----------



## cdru (Dec 4, 2003)

Nick said:


> It's possible, if not likely that the additional traffic generated by my speed and security tests alerted Adelphia's fraud/abuse functions and triggered the attempt to access my computer. For what reasons, I don't know, and _that_ is the essence of my concerns. Specifically,
> 
> 1) what information could Adelphia access if they _had_ been able to get into my computer?
> 2) has my Adelphia account likely been tabbed for closer and/or continuing scrutiny?
> ...


To answer your questions:
1) Anywhere from nothing to quite a bit. Adelphia doesn't care what's on your computer. They only care if you are costing them more than you need to. Without seeing what threw up the alarm in ZA, it's hard to say. Often the ISP will just knock on the door so to speak to see if there is a response. If there is, they investigate further. Just this knock can throw up the alert in ZA. Best advice is to not run any services that aren't necessary and are prohibited (sounds like you do that already). Firewall everything else to block those rogue applications (sounds like you do this as well). You are always going to get attacked. That's a part of having a broadband connection.

2) Not likely. Again without seeing what the specific "attack" was it's hard to say for sure, but if the attack was just on a list of common ports or just one-time things, then it's nothing to be overly concerned about.

3) No. Anyone who uses a NAT router would have a similar response on the attacker's end. Well, unless the TOS/AUP specifically required you to allow them to access your system but no policy with a legitimate ISP will say something like that.

4) I haven't, but I've had ISPs scan me before.

Overall, I think you are being overly paranoid (not that it's necessarily a bad thing on this topic) but you seem to have the necessary measures in place to prevent a problem. Keep an eye on it but there is no reason to lose sleep over it...unless you really do have something to hide.


----------



## Jordan420 (Nov 11, 2003)

Check into protowall & blocklist manager. Do a Google search. It is basically a list of IP addresses that you are blocking.


----------



## MarkA (Mar 23, 2002)

"There is NO reason to REQUIRE anything more than basic Microsoft stuff."

There is NO reason to require the use of Microsoft software either.


----------



## Ron Barry (Dec 10, 2002)

Cable companies in general have a tree model (shared bandwidth) in terms of distribution and do not sell by bandwidth agreements like DSL does. They also in most cases do not allow people to host mail servers and Web Servers. They tend to watch outgoing traffic and they do randomly probe ports to check that people are not violating their contract. If you have a residential account, this is normal. What they don't want to happen with residential accounts is someone to set up a WebServer that is getting bombed and thus sucking up all the traffic on the neighborhood.

As for firewalls, I don't know of any ISP that would prevent you from protecting yourself. If they did, I would dump them in a heart beat. 

I don't think your account has been tagged, but if you are hosting an MP3 server or something with a lot of outband bandwidth they might be monitoring your traffic out and making sure you are not using your residential account for commercial purposes. (i.e. web server).


----------



## Nick (Apr 23, 2002)

Thanks for the responses! 

I am not doing any high bandwidth, just the usual, boring stuff...

-general web surfing/posting to forums
-periodic software downloads/updates
-send/receive individual email/pics
-occasional speed/security checks
-no bulk email/spamming
-not hosting or running a server

I still think it was the speed/security tests that triggered the probe. If that's a problem for Adelphia I'll have Richard come up the coast from Vero to install StarBand...I need another dish on my patio anyway.


----------



## Ron Barry (Dec 10, 2002)

Nick said:


> Thanks for the responses!
> 
> I am not doing any high bandwidth, just the usual, boring stuff...
> 
> ...


Well, it's possible, but I do know it is common practice for cable internet companies to probe your ports. Was it a common port they were probing? I.e., 80 or 8080?


----------



## Scott Greczkowski (Mar 21, 2002)

Most of what they are looking for is not FTP or even web servers (unless you have a large amount of outbound traffic) but they are looking for Open Proxies.

I would not worry about it at all.


----------



## mikeacollins (Jun 18, 2004)

Just because the Whois came back with Adelphia does not mean it was Adelphia that was running a port scan. You are using an IP address assigned to Adelphia just like most of their other customers. It could have been any other Adelphia customer that scanned you. The [email protected] address is used to report abuse to Adelphia. Most ISPs have an abuse mailbox for reporting abuse. If someone is attacking you using an Adelphia.net address you can report it using the [email protected] email.

Mike


----------



## Nick (Apr 23, 2002)

The Adelphia source was identified by ZoneAlarm. See the detailed ZA whois report copied in my original post.


----------



## mikeacollins (Jun 18, 2004)

I guess I did not make myself clear. WhoIs only reports the owner of the IP Address not who is actually using it. If you ran a whois for the ip address assigned to your computer it will come back as Adelphia not you. Also, hackers that know what they are doing can either spoof their IP address or use a zombie computer to attack from. The whois report has little value in tracking where the attack came from these days. It was very unlikely that Adelphia themselves ran a port scan.

Mike


----------
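
The point made in the two posts above, that a WHOIS record names the holder of an address block rather than the machine that sent a packet, can be checked against the record quoted at the top of the thread. This is an added example, not part of any post; the sample addresses in the comments are constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Fields copied from the WHOIS report in the original post.
WHOIS_TEXT = """\
NetRange: 69.164.192.0 - 69.164.255.255
CIDR: 69.164.192.0/18
NetName: 69-164-192-0-Z2
NetType: Reassigned
OrgAbuseName: Internet Policy Enforcement
"""

def parse_whois(text):
    """Return the 'Key: value' pairs of an ARIN-style WHOIS record."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def classify_source(src_ip, my_ip, fields):
    """State what the record does and does not establish about src_ip."""
    block = ipaddress.ip_network(fields["CIDR"])
    if ipaddress.ip_address(src_ip) not in block:
        return "outside-block"
    # Our own address sits in the same reassigned block, so the sender
    # may be any other subscriber in that pool, not the ISP itself.
    if ipaddress.ip_address(my_ip) in block:
        return "same-customer-pool"
    return "isp-block-owner-only"

def summarize(src_ip, my_ip, text=WHOIS_TEXT):
    """Combine the verdict with the block size and the abuse contact role."""
    fields = parse_whois(text)
    return {
        "verdict": classify_source(src_ip, my_ip, fields),
        "block_size": ipaddress.ip_network(fields["CIDR"]).num_addresses,
        "report_abuse_to": fields["OrgAbuseName"],
    }

# Constructed sample: alert source 69.164.200.17, own address 69.164.210.5.
if __name__ == "__main__":
    print(summarize("69.164.200.17", "69.164.210.5"))
```

The `OrgAbuseName` field is the contact for reporting abuse from that block, which is why it appears on a lookup of any address in the range, a subscriber's own included.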



## Nick (Apr 23, 2002)

Thanks, Mike. That's good to know, but I still think it was Adelphia and here's why -- the ZA port scan alert popped up shortly after I ran speed/security tests. Too much of a coincidence. If someone is spoofing Adelphia or routing through their servers, they should know about it.

_What's a 'net girl to do these days to keep her ports intact?_


----------

