Forums » Purging the Weak Link

Comments on news posted 2004-03-08 18:50:07: A recent Comcast customer whose PC was pumping out spam as an infected relay received a warning letter four weeks after his account was disabled and he installed security measures. ...



mrchris
We don't miss you Bush
Premium
join:2002-10-01
North Babylon, NY
·Verizon FIOS
·Optimum Online


2 edits
My way

1) Send an email to the customer notifying them that they are infected/being used as a spam relay, and giving information on how to remove the worm/virus/relay.

2) A letter to the customer stating the above and telling them they failed to clean their machine of the relay/worm/etc.

3) Final warning via written letter and email telling them it is their last warning to purge their system of the virus/etc. before they are disconnected.

4) Termination of the customer(s) and a written letter telling them they will be reactivated once their machine is clean and secured. Contact info for the customer to notify the ISP they are clean and secure so they can have access again.

--
Firefox

CrazyJr

join:2003-02-27
Oakland, CA
And that's how it should be.

It's an everyday occurrence having to delete spam mail in my home e-mail. Using Outlook Express' message filtering does not work.


Krispy
Premium,VIP
join:2001-12-11
the stix

reply to mrchris
Re: My way

said by mrchris:
1) Send an email to the customer notifying them that they are infected/being used as a spam relay, and giving information on how to remove the worm/virus/relay.

2) A letter to the customer stating the above and telling them they failed to clean their machine of the relay/worm/etc.

3) Final warning via written letter and email telling them it is their last warning to purge their system of the virus/etc. before they are disconnected.

4) Termination of the customer(s) and a written letter telling them they will be reactivated once their machine is clean and secured. Contact info for the customer to notify the ISP they are clean and secure so they can have access again.

While a wonderful idea, the length of time this would take would negate the ability to stop the spread of the worm, the spewing of spam, etc. Plus... do you (the supposed clean and secure customer) really want to pay the extra costs associated with this because others have not secured their machine?

I try my best to warn subscribers (via email) before having to temporarily suspend but sometimes it is necessary to immediately suspend to not only protect the net but to also protect the subscriber.

These days I'm more of the opinion that an additional measure in the way of a quarantine pen needs to be implemented for all subscribers. Basically a new (or recently suspended) subscriber would not be able to get on the network until an MSR (minimum security requirement), i.e. all Windows critical patches applied or whatever, was met. Sure you'll still have the threat-of-the-day to contend with, but at least this way the importance of security is clear at the onset.

wentlanc
You Can't Fix Dumb..

join:2003-07-30
Maineville, OH
reply to mrchris
Agree with everything. One addition though....

Block port 25 to reduce the number of improperly secured mail relays out there. Only open for customers who request it, and then monitor them more closely.

ChrisDAT
Google Keyword Compsysnyc

join:2002-02-26
Hollis, NY

Maybe not the best idea

I really don't think ISPs having control over access to the internet will solve the issue.

The infectors/spammers, etc... are winning the "war" if the average joe is being penalized for their crime. It's better than a trojan that deletes files!

If an ISP can identify an infected PC they can certainly block the offending traffic type until the user complains and they tell them that they have to fix their problem before the ISP will remove the block. Cutting the user off defeats the purpose of providing service in the first place.

There is no way to expect an average or even advanced user to be able to stay on top of this issue -- The best in the business can't keep ahead.

The ISPs need to attack the source, block the URLs that start the whole thing, scan for viruses in transit. It's in their best interest to protect themselves, but don't cut off grandma because she isn't up on the latest security tweaks.

LrdVader
Premium
join:2003-12-18
San Diego, CA

reply to mrchris
Re: My way

Due to the tremendous amount of spam and/or virus-laden email that can be spewed in the interval between 1 and 4, I think the connection needs to be shut down on the spot.

Sure, there will always be borderline cases, and in those kinds of situations, a polite email or call to the customer asking what's up is a good idea. But a lot of these machines are really blatant, spewing out tens of thousands or even hundreds of thousands of messages per day. When spam is obviously pouring out, and spam complaints are pouring in, I think the appropriate response is to brick the modem first and sort out the mess later.

I've had my primary email address for almost 9 years, and it's getting hit hard by the spam zombies. It was actually pretty clean, until about a year ago, when the zombie mess started. Now I'm getting blasted with close to 150 spams per day. It's time to take a hard line with the people who don't care enough to ensure that their machines aren't causing large-scale internet pollution.


Varangian

join:2002-12-08
Collinsville, IL

Hmm

Telling them isn't good enough.
Shut them off to stop the putrefaction from spreading further.
Then inform them that a) they can run their spam zombie farm elsewhere,
or
b) they can pay a third-party tech (not the ISP's; that's a conflict of interest) to come out and sanitize their machine.
Or...
The ISP could give them one in-house mandatory clean-up free of extra charge, THEN if it recurs -> see above.

sdd75

join:2001-10-14
Maryville, TN


1 edit
common sense

Lease private IPs to all customers initially. (If the ISP does not want the customer to run a server, then that is the easiest way to enforce the rule, so to speak. It avoids the touchy issue of account termination.)
It would be hard to relay off a computer that isn't publicly routable.

Perform stateful packet inspection on port 25. Log all outbound requests, and send a weekly email to the customer containing the information. The default address is the customer's primary address. (Viruses don't have to 'relay'.) This would appear more as a service to the customer rather than aggressive enforcement of vague policy. Offer the customer the option of blocking port 25 at the ISP level. This would allow the person who is actually advertising via email to continue to work. If someone is intentionally sending numerous emails, thus electing to leave port 25 unblocked, the report should include a polite warning that complaints made against the account will be reviewed and will potentially result in an ISP-enforced block of port 25 on that account. Hey, the ISP wants to make money too. It does them no good to just cancel accounts.

The customer pays a little extra for a public and static IP. Port 25 is still inspected.

This would require almost zero additional resources.


Nevster
Premium
join:2002-04-06
Dalhousie, NB

reply to mrchris
Re: My way

During times of increased virus activity (like the last two weeks) I closely monitor outbound SMTP activity. If I see a customer with about as much activity as our mail servers, I simply block SMTP at their cable modem.

Since many customers read mail with web browsers now, many don't even notice that their SMTP capabilities were blocked. Those customers who just happen to be sending more mail out than the ISP servers usually call or (more often than not) use their Hotmail accounts to inquire.

If I discover that they're running BSD or Linux, and it was just bad luck that they happened to be sending a lot of mail at the time, the customers usually understand, and I annotate their accounts accordingly so I don't shut them off again.

When a customer calls in reporting their mail is broken, our CSRs explain the virus, ask the customer to run a virus scan and go to Windows Update to ensure their systems are secure. If the customer says they've done that, then we take their word for it, and re-enable their SMTP. No hassles... Unless of course, we get spammed from their IP immediately after lifting the filter.

Yeah, it's not a perfect way, but it does keep the collateral damage down, and offers some education to customers who're suddenly really willing to learn. It doesn't bother people who're keeping their systems up-to-date, patched and uninfected.

And curiously, we've not had an actual upset customer with this method, but I'm sure some fictitious customers are bound to complain...
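The two practices described in this thread, sdd75's logging of every outbound port-25 request with a weekly per-customer summary and Nevster's rule of blocking TCP/25 for a subscriber whose outbound SMTP volume rivals the ISP's own mail servers (while sparing subscribers a technician has annotated as running a real MTA), can be expressed as one small piece of detection logic. The following is an added example, not code from the thread or from any ISP mentioned in it; the flow-log format, the addresses, the subscriber annotations and the threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed one-week flow log: "timestamp src_ip dst_ip dst_port".
# 10.0.0.5 fans out directly to many MX hosts (relay/worm pattern);
# 10.0.0.7 sends two messages through the ISP smarthost 192.0.2.25;
# 10.0.0.9 runs its own MTA and has been annotated as legitimate;
# 10.0.0.11 only browses the web and never touches port 25.
SAMPLE_LOG = """\
2004-03-01T08:00:01 10.0.0.5 198.51.100.1 25
2004-03-01T08:00:02 10.0.0.5 198.51.100.2 25
2004-03-01T08:00:03 10.0.0.5 198.51.100.3 25
2004-03-01T08:00:04 10.0.0.5 198.51.100.4 25
2004-03-01T08:00:05 10.0.0.5 198.51.100.5 25
2004-03-01T08:00:06 10.0.0.5 198.51.100.6 25
2004-03-02T09:15:00 10.0.0.7 192.0.2.25 25
2004-03-04T18:40:12 10.0.0.7 192.0.2.25 25
2004-03-03T10:00:00 10.0.0.9 203.0.113.1 25
2004-03-03T10:00:01 10.0.0.9 203.0.113.2 25
2004-03-03T10:00:02 10.0.0.9 203.0.113.3 25
2004-03-03T10:00:03 10.0.0.9 203.0.113.4 25
2004-03-03T10:00:04 10.0.0.9 203.0.113.5 25
2004-03-05T12:00:00 10.0.0.11 198.51.100.80 80
"""

# Assumed baseline: the weekly connection count at which one subscriber
# looks like one of the ISP's own outbound mail servers (Nevster's rule).
RELAY_THRESHOLD = 5
# Subscribers a technician has annotated as running a legitimate MTA.
ANNOTATED_OK = {"10.0.0.9"}

Flow = Tuple[datetime, str, str, int]


@dataclass
class SmtpSummary:
    connections: int = 0
    destinations: Set[str] = field(default_factory=set)


def parse_flows(log_text: str) -> List[Flow]:
    """Parse the constructed flow-log format, skipping blank lines."""
    flows: List[Flow] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def summarize_smtp(flows: List[Flow]) -> Dict[str, SmtpSummary]:
    """Per source IP: outbound TCP/25 connection count and distinct peers."""
    out: Dict[str, SmtpSummary] = defaultdict(SmtpSummary)
    for _ts, src, dst, dport in flows:
        if dport == 25:
            out[src].connections += 1
            out[src].destinations.add(dst)
    return dict(out)


def classify(summary: Dict[str, SmtpSummary], threshold: int = RELAY_THRESHOLD,
             annotated: Set[str] = ANNOTATED_OK) -> Dict[str, str]:
    """'block': at/above baseline and not annotated -> block TCP/25 at the modem.
    'annotated': at/above baseline but a technician confirmed a real MTA.
    'report': below baseline -> only mentioned in the weekly summary."""
    actions: Dict[str, str] = {}
    for ip, s in summary.items():
        if s.connections >= threshold:
            actions[ip] = "annotated" if ip in annotated else "block"
        else:
            actions[ip] = "report"
    return actions


def weekly_report(ip: str, s: SmtpSummary, action: str) -> str:
    """The customer-facing weekly summary sdd75 describes."""
    lines = [f"Weekly outbound mail summary for {ip}:",
             f"  {s.connections} outbound SMTP connections to "
             f"{len(s.destinations)} mail servers."]
    if action == "block":
        lines.append("  Outbound port 25 has been blocked; please run a virus scan, "
                     "apply Windows updates and call support to have it re-enabled.")
    elif action == "report":
        lines.append("  If you do not send mail directly, you can ask us to block "
                     "port 25 on your account.")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize_smtp(parse_flows(SAMPLE_LOG))
    for ip, action in classify(summary).items():
        print(weekly_report(ip, summary[ip], action), "\n")
```

The threshold is the weak point, as Nevster's BSD/Linux anecdote shows: a count alone cannot distinguish a busy legitimate MTA from a relay, which is why the annotation set exists and why the distinct-destination count is reported alongside the total (a zombie fans out to many MX hosts directly, while a typical subscriber only ever talks to the ISP smarthost).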



Seven1

join:2002-07-24
Lexington, KY
·Insight Communicat..

Umm

Let's not forget zombie PCs used for DoS attacks. I run a small IRC server to handle live support for customers of my web hosting business, and a couple of months ago a person tried to park a lovely botnet on my server. There were about 250 of them. About 225 had Verizon IPs, the rest had Asian IPs. I emailed the list of hostnames to Verizon abuse and, as per usual with ISP abuse departments, I got no response. What's worse though, is that I sincerely doubt they did a damn thing about it.

Point being: ISPs won't even deal with customers that are backdoored zombies used in malicious attacks, so what makes us think they'll deal with spam relaying and worm spreading customers? I'm sorry but I have absolutely no faith in ISP abuse departments, because time and time again they have proven their uselessness.


GNXPower
Got Boost?
Premium
join:2003-12-18
Huntington Beach, CA


1 edit
Disconnect them...

...then let them call and get it turned back on. Not hard and they can't exactly ignore it. As for laws, how the hell are you going to enforce it? We have more than enough laws, just ISPs that don't give a crap about enforcing their own TOS/AUPs. When these lamer ISPs get blacklisted (eg for spam), they'll start paying attention...and when they do they'll police their own subs.
--
Bush is a Fascist. Republicanism used to be about individual liberty and smaller government. Bush represents neither. He is a religious zealot who is looking to turn this nation into a theocracy. I'm a life long Republican who will vote AGAINST Bush.

LrdVader
Premium
join:2003-12-18
San Diego, CA


1 edit
reply to ChrisDAT
Re: Maybe not the best idea

said by ChrisDAT See Profile:
The infectors/spammers, etc... are winning the "war" if the average joe is being penalized for their crime. It's better than a trojan that deletes files!

It's not about penalizing people. It's about protecting the network. It's perfectly reasonable to disconnect a machine that is actively having a negative effect on the network. In fact, it's the responsible thing to do.

said by ChrisDAT See Profile:
If an ISP can identify an infected PC they can certainly block the offending traffic type until the user complains and they tell them that they have to fix their problem before the ISP will remove the block. Cutting the user off defeats the purpose of providing service in the first place.

Since most of these worms send mail directly to the victim's SMTP server, if you block that, most users won't notice the difference. Thus, you end up just masking the symptom, not solving the problem. If the problem's big enough for the ISP to block traffic, it's big enough for the user to be contacted.

Unfortunately, if the user isn't being affected by the block, they don't have as much incentive to fix the problem. If the connection is completely disabled, the user will definitely notice that, and have an incentive to fix the problem. It also prevents the worm from doing other things later that haven't been blocked yet. Take a worm like Blaster, for example. If the ISP blocks outbound SMTP traffic because the worm is furiously mailing itself out, and figures they've done their part, then when the worm activates and goes to DDoS its target, there's nothing to stop it. If the ISP completely disables the connection until the user cleans up the problem, this can't happen.

said by ChrisDAT See Profile:
There is no way to expect an average or even advanced user to be able to stay on top of this issue -- The best in the business can't keep ahead.

No, but we can certainly expect the average user to display a bit of common sense. Most current worms are not being automatically spread by exploits that bypass security. User action is required to execute the trojan (especially in the case of Bagle.whateveritsuptonow, where a user has to actually manually enter a password to unzip the file and run the offending executable). It's not unreasonable to expect people to eventually get it through their heads that it's a bad idea to just blindly open any random program that a stranger drops in their inbox.

said by ChrisDAT See Profile:
The ISPs need to attack the source, block the URLs that start the whole thing, scan for viruses in transit. It's in their best interest to protect themselves, but don't cut off grandma because she isn't up on the latest security tweaks.

After the initial release of the worm, the primary source *is* infected PCs spewing it out to others. Disabling those infected PCs *is* attacking the source. I know it may seem harsh, but if grandma's PC is sending out 100,000 pieces of spam a day, it's irresponsible to *not* disconnect it until it's cleaned up.


newview
Ex .. Ex .. Exactly
Premium
join:2001-10-01
Parsonsburg, MD

Shut 'em down . . .

. . . and let the abuse department sort 'em out.

Most ISPs have an AUP/TOS which specifically addresses this problem. But most are hesitant to enforce it because they are afraid to lose customers.

Well, do you really need a customer who is not in control of his/her own machine? A customer whose machine is spewing thousands of spam messages a day and is jeopardizing the ability of the rest of your customers to use the service as it was meant to be used? Do you really want a customer whose actions (or lack thereof) are forcing other ISPs to blacklist you?

Shut 'em down immediately . . . and MAKE them secure their machine to regain their connectivity.

And if they don't secure it, terminate them . . . with extreme prejudice.
--
The Rules of Spam | Maryland's New Anti-Spam Law
Where are we going? And what's with the hand basket?

vic102482
Premium
join:2002-04-30
Upper Marlboro, MD
Disconnect them

Send them an email and tell them what they need to do in order to get reconnected.


xdeadhead
220, 221, Whatever It Takes.
Premium
join:2000-11-08
Mechanicsburg, PA
reply to CrazyJr
Re: And that's how it should be.

try mailwasher pro.


netwire
Premium
join:2001-04-27
Mooresboro, NC
·RoadRunner Cable
·Millenicom
·Sprint Mobile Broa..
·Vonage

reply to vic102482
Re: Disconnect them

My way...

I say that if the ISP notices a user is acting as a spam/virus relay then they should be notified via WRITTEN letter, and via telephone, not e-mail as that could get lost. Also, a telephone call or letter can be recorded/documented for proof that the ISP made an attempt to contact the person. If the letter/call is not responded to within 30 days the customer's account would be locked down. Their name/address would then go on an "ISP Blacklist" and they would not be able to get service until they have proof of anti-virus/firewall software.
--
Linux: There is really no better choice. Find the flavour that's right for you, visit www.distrowatch.com today!


Vamp
5c077
Premium
join:2003-01-28
MD
·Verizon FIOS

reply to vic102482
said by vic102482 See Profile:
Send them an email and tell them what they need to do in order to get reconnected.

How are you going to get an email when you have no connection?

I think there should be warnings; it's the user's responsibility to keep their machines free of viruses. They wouldn't have viruses in the first place if they weren't idiots.
--
:: My current desktop ::

cbs228
Geeks Of The World, Unite

join:2000-09-04
Saint Louis, MO
reply to vic102482
If they're disconnected, how are they going to read their email?

cbs228
Geeks Of The World, Unite

join:2000-09-04
Saint Louis, MO

reply to sdd75
Re: common sense

There are some protocols which simply don't play nice with NAT, and giving users a non-routable IP address is bound to complicate things. For instance, IM-client file transfers or almost any IM function other than chat might not work. RTSP streams could not be set up for videoconferencing. Customers could not make VPN connections. Although UPnP can mitigate this somewhat, it won't fix everything. Could ISPs even claim to offer internet access, since it wouldn't work as it should? I, for one, would not pay for broken internet service only to pay more to have it unbroken.
--
"If you stare too long into the abyss the abyss stares back at you." -Nietzsche

GENERAL FAILURE READING C: DRIVE
(A)bort, (R)etry, (F)rivolous Lawsuits, (B)ribe Congress?


sorne guy

@66.84.x.x
reply to vic102482
Re: Disconnect them

if they are disconnected, how will they get that email?
over 10 years online! © 1999-2009 dslreports.com.