CPCNet Hong Kong Limited has failed to take action when presented with evidence that its IP addresses have been used to transmit viruses to Yui Kee. As reported in the November and December 2004 issues of this newsletter, CPCNet has previously taken a very strict position, insisting that its network must not be used for the transmission of viruses under any circumstances. When Yui Kee pointed out that this would prevent the transfer of samples in the fight against viruses and refused to accept the new Terms and Conditions, CPCNet terminated Yui Kee's connection.
Yui Kee carefully examined its anti-virus gateway logs and identified thirteen occasions between July 2004 and January 2005 when an IP address owned by CPCNet transmitted a message containing a virus to Yui Kee's mail server. On 29 January, 2005, Yui Kee sent this evidence to CPCNet. Further incidents occurred on 12 February, 13 February and 23 February, and a report was sent to CPCNet on each occasion. Each report requested an explanation of the potentially criminal act, and pointed out that the incidents violated CPCNets Terms and Conditions. To date, CPCNet has provided an "explanation" for just one of the incidents, stating that their server was bouncing an undeliverable message to the apparent sender. The message in question contained W32/Netsky-P, which is known to forge the sender's address. Yui Kee publishes SPF records for its domains, so CPCNet could have checked the origin of the message and rejected it. Worse, CPCNet's server constructed a bounce message that contained the virus itself, and sent it to an innocent party without anti-virus scanning. CPCNet has not responded to these points.
In a telephone conversation, CPCNet staff said that the company could not respond because Yui Kee was not a CPCNet customer. Of course, Yui Kee is not a CPCNet customer because CPCNet terminated the relationship. It is not clear why this would absolve CPCNet of responsibility for continued incidents of virus transmission from CPCNet's IP addresses.
Yui Kee's Chief Consultant, Allan Dyer, commented, "CPCNet wants to have its cake and eat it. If they insist on this ridiculously strict policy, they must be prepared to take action when there are clear violations, as in these cases. We will continue to question this company's hypocrisy."