Purging the Weak Link
How should ISPs handle infected PCs?
(old news - 06:50PM Monday Mar 08 2004)
tags: business · security
A recent Comcast customer whose PC was pumping out spam as an infected relay received a warning letter four weeks after his account was disabled and he installed security measures. Users in our Comcast forum discuss how exactly an ISP should handle infected PCs that are either spreading worms or pumping out spam. Suggestions include making an unsecured PC a crime, punishable by law.

mrchris
We don't miss you Bush
Premium
join:2002-10-01
North Babylon, NY
·Verizon FIOS
·Optimum Online



My way

1) Send an email to the customer notifying them they are infected/being used as a spam relay, and giving information on how to remove the worm/virus/relay.

2) A letter to the customer stating the above and telling them they failed to clean their machine of the relay/worm/etc.

3) Final warning via written letter and email telling them it is their last warning to purge their system of the virus/etc. before they are disconnected.

4) Termination of the customer(s) and a written letter telling them they will be reactivated once their machine is clean and secured. Contact info for the customer to notify the ISP they are clean and secure so they can have access again.

--
Firefox

Krispy
Premium,VIP
join:2001-12-11
the stix

Re: My way

said by mrchris:
1) Send an email to the customer notifying them they are infected/being used as a spam relay, and giving information on how to remove the worm/virus/relay.

2) A letter to the customer stating the above and telling them they failed to clean their machine of the relay/worm/etc.

3) Final warning via written letter and email telling them it is their last warning to purge their system of the virus/etc. before they are disconnected.

4) Termination of the customer(s) and a written letter telling them they will be reactivated once their machine is clean and secured. Contact info for the customer to notify the ISP they are clean and secure so they can have access again.

While a wonderful idea, the length of time this would take would negate the ability to stop the spread of the worm, the spewing of spam, etc. Plus... do you (the supposedly clean and secure customer) really want to pay the extra costs associated with this because others have not secured their machines?

I try my best to warn subscribers (via email) before having to temporarily suspend but sometimes it is necessary to immediately suspend to not only protect the net but to also protect the subscriber.

These days I'm more of the opinion that an additional measure in the way of a quarantine pen needs to be implemented for all subscribers. Basically a new (or recently suspended) subscriber would not be able to get on the network until a MSR (minimum security requirement), ie: all windows critical patches applied or whatever, was met. Sure you'll still have the threat-of-the-day to contend with but at least this way the importance of security is clear at the onset.

wentlanc
You Can't Fix Dumb..

join:2003-07-30
Maineville, OH
Agree with everything. One addition though....

Block port 25 to reduce the number of improperly secured mail relays out there. Only open for customers who request it, and then monitor them more closely.

puritan
tdkyo

join:2002-12-07
Rochester, NY

Re: My way

That might take too much time and money for the ISP to regulate.

LrdVader
Premium
join:2003-12-18
San Diego, CA

Re: My way

said by tdkyo:
That might take too much time and money for the ISP to regulate.

DSLExtreme does it.
»https://secure.dslextreme.com/reg_server/

LrdVader
Premium
join:2003-12-18
San Diego, CA

Due to the tremendous amount of spam and/or virus-laden email that can be spewed in the interval between 1 and 4, I think the connection needs to be shut down on the spot.

Sure, there will always be borderline cases, and in those kinds of situations, a polite email or call to the customer asking what's up is a good idea. But a lot of these machines are really blatant, spewing out tens of thousands or even hundreds of thousands of messages per day. When spam is obviously pouring out, and spam complaints are pouring in, I think the appropriate response is to brick the modem first and sort out the mess later.

I've had my primary email address for almost 9 years, and it's getting hit hard by the spam zombies. It was actually pretty clean, until about a year ago, when the zombie mess started. Now I'm getting blasted with close to 150 spams per day. It's time to take a hard line with the people who don't care enough to ensure that their machines aren't causing large-scale internet pollution.

Nevster
Premium
join:2002-04-06
Dalhousie, NB

During times of increased virus activity (like the last two weeks) I closely monitor outbound SMTP activity. If I see a customer with about as much activity as our mail servers, I simply block SMTP at their cable modem.

Since many customers read mail with web browsers now, many don't even notice that their SMTP capabilities were blocked. Those customers who just happen to be sending more mail out than the ISP servers usually call or (more often than not) use their Hotmail accounts to inquire.

If I discover that they're running BSD or Linux, and it was just bad luck that they happened to be sending a lot of mail at the time, the customers usually understand, and I annotate their accounts accordingly so I don't shut them off again.

When a customer calls in reporting their mail is broken, our CSRs explain the virus, ask the customer to run a virus scan and go to windowsupdate to ensure their systems are secure. If the customer says they've done that, then we take their word for it, and re-enable their SMTP. No hassles... Unless of course, we get spammed from their IP immediately after lifting the filter.

Yeah, it's not a perfect way, but it does keep the collateral damage down, and offer some education to customers who're suddenly really willing to learn. It doesn't bother people who're keeping their systems up-to-date, patched and uninfected.

And curiously, we've not had an actual upset customer with this method, but I'm sure some fictitious customers are bound to complain...

CrazyJr

join:2003-02-27
Oakland, CA

And that's how it should be.

It's an everyday occurrence having to delete spam mail in my home e-mail. Using Outlook Express' message filtering does not work.

xdeadhead
220, 221, Whatever It Takes.
Premium
join:2000-11-08
Mechanicsburg, PA

Re: And that's how it should be.

try mailwasher pro.

ChrisDAT
Google Keyword Compsysnyc

join:2002-02-26
Hollis, NY

Maybe not the best idea

I really don't think ISPs having control over access to the internet will solve the issue.

The infectors/spammers, etc... are winning the "war" if the average joe is being penalized for their crime. It's better than a trojan that deletes files!

If an ISP can identify an infected PC they can certainly block the offending traffic type until the user complains and they tell them that they have to fix their problem before the ISP will remove the block. Cutting the user off defeats the purpose of providing service in the first place.

There is no way to expect an average or even advanced user to be able to stay on top of this issue -- The best in the business can't keep ahead.

The ISPs need to attack the source, block the URLs that start the whole thing, scan for viruses in transit. It's in their best interest to protect themselves, but don't cut off grandma because she isn't up on the latest security tweaks.

LrdVader
Premium
join:2003-12-18
San Diego, CA



Re: Maybe not the best idea

said by ChrisDAT:
The infectors/spammers, etc... are winning the "war" if the average joe is being penalized for their crime. It's better than a trojan that deletes files!

It's not about penalizing people. It's about protecting the network. It's perfectly reasonable to disconnect a machine that is actively having a negative effect on the network. In fact, it's the responsible thing to do.

said by ChrisDAT:
If an ISP can identify an infected PC they can certainly block the offending traffic type until the user complains and they tell them that they have to fix their problem before the ISP will remove the block. Cutting the user off defeats the purpose of providing service in the first place.

Since most of these worms send mail directly to the victim's SMTP server, if you block that, most users won't notice the difference. Thus, you end up just masking the symptom, not solving the problem. If the problem's big enough for the ISP to block traffic, it's big enough for the user to be contacted.

Unfortunately, if the user isn't being affected by the block, they don't have as much incentive to fix the problem. If the connection is completely disabled, the user will definitely notice that, and have an incentive to fix the problem. It also prevents the worm from doing other things later that haven't been blocked yet. Take a worm like Blaster, for example. If the ISP blocks outbound SMTP traffic because the worm is furiously mailing itself out, and figures they've done their part, then when the worm activates and goes to DDoS its target, there's nothing to stop it. If the ISP completely disables the connection until the user cleans up the problem, this can't happen.

said by ChrisDAT:
There is no way to expect an average or even advanced user to be able to stay on top of this issue -- The best in the business can't keep ahead.

No, but we can certainly expect the average user to display a bit of common sense. Most current worms are not being automatically spread by exploits that bypass security. User action is required to execute the trojan (especially in the case of Bagle.whateveritsuptonow, where a user has to actually manually enter a password to unzip the file and run the offending executable). It's not unreasonable to expect people to eventually get it through their heads that it's a bad idea to just blindly open any random program that a stranger drops in their inbox.

said by ChrisDAT:
The ISPs need to attack the source, block the URLs that start the whole thing, scan for viruses in transit. It's in their best interest to protect themselves, but don't cut off grandma because she isn't up on the latest security tweaks.

After the initial release of the worm, the primary source *is* infected PCs spewing it out to others. Disabling those infected PCs *is* attacking the source. I know it may seem harsh, but if grandma's PC is sending out 100,000 pieces of spam a day, it's irresponsible to *not* disconnect it until it's cleaned up.

Varangian

join:2002-12-08
Collinsville, IL

Hmm

Telling them isn't good enough.
Shut them off to stop the putrefaction from spreading further.
Then inform them that a) they can run their spam zombie farm elsewhere,
or
b) they can pay a third-party tech (not the ISP's, that's a conflict of interest) to come out and sanitize their machine.
Or...
The ISP could give them one in-house mandatory clean-up free of extra charge, THEN if it recurs -> see above
sdd75

join:2001-10-14
Maryville, TN



common sense

Lease private IPs to all customers initially. (If the ISP does not want the customer to run a server, then that is the easiest way to enforce the rule, so to speak. It avoids the touchy issue of account termination.)
It would be hard to relay off a computer that isn't publicly routable.

Perform stateful packet inspection on port 25. Log all outbound requests, and send a weekly email to the customer containing the information. The default address is the customer's primary address. (Viruses don't have to 'relay'.) This would appear more as a service to the customer rather than aggressive enforcement of vague policy. Offer the customer the option of blocking port 25 at the ISP level. This would allow the person who is actually advertising via email to continue to work. If someone is intentionally sending numerous emails, thus electing to leave port 25 unblocked, the report should include a polite warning that complaints made against the account will be reviewed and will potentially result in an ISP-enforced block of port 25 on that account. Hey, the ISP wants to make money too. It does them no good to just cancel accounts.

The customer pays a little extra for a public and static ip. Port 25 is still inspected.

This would require almost zero additional resources.
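
The monitoring Nevster describes above (flag a subscriber whose outbound port-25 volume rivals the ISP's own mail servers, block SMTP at the cable modem, annotate verified legitimate mailers) and sdd75's weekly per-customer port-25 report with an opt-in ISP-side block, as one added example that is not code from this thread or from any ISP. Every address, account note, threshold and flow record is constructed; the subscriber pool, the MTA addresses and RATIO are assumptions.

```python
# Added example (not code from the thread or any ISP): per-subscriber outbound
# SMTP volume monitor. Addresses, account notes, threshold and flow records are
# all constructed; the subscriber pool and ISP MTA addresses are assumptions.
from collections import Counter
from ipaddress import ip_address, ip_network

SUBSCRIBER_NET = ip_network("10.0.0.0/24")        # constructed subscriber pool
ISP_MAIL_SERVERS = {"192.0.2.10", "192.0.2.11"}   # constructed ISP MTAs
RATIO = 0.5  # Nevster's test: volume "about as much" as the ISP's own MTAs

# Nevster's annotation for verified legitimate mailers (never shut off again)
# and sdd75's customer opt-in ISP-side port-25 block. Both constructed.
ANNOTATED = {"10.0.0.40": "runs own BSD MTA, verified by abuse desk"}
OPT_IN_BLOCK = {"10.0.0.77"}

# Constructed flow export: timestamp,src,dst,dport, one line per outbound TCP
# connection attempt seen at the headend during the monitoring window.
SAMPLE_FLOWS = """\
2004-03-08T18:50:01,192.0.2.10,203.0.113.5,25
2004-03-08T18:50:02,192.0.2.10,203.0.113.6,25
2004-03-08T18:50:03,192.0.2.10,203.0.113.7,25
2004-03-08T18:50:04,192.0.2.10,203.0.113.8,25
2004-03-08T18:50:05,192.0.2.11,203.0.113.9,25
2004-03-08T18:50:06,10.0.0.12,203.0.113.20,25
2004-03-08T18:50:06,10.0.0.12,203.0.113.21,25
2004-03-08T18:50:07,10.0.0.12,203.0.113.22,25
2004-03-08T18:50:07,10.0.0.12,203.0.113.30,80
2004-03-08T18:50:08,10.0.0.40,203.0.113.40,25
2004-03-08T18:50:09,10.0.0.40,203.0.113.41,25
2004-03-08T18:50:10,10.0.0.40,203.0.113.42,25
2004-03-08T18:50:11,10.0.0.5,192.0.2.10,25
2004-03-08T18:50:12,10.0.0.77,203.0.113.50,25
2004-03-08T18:50:13,10.0.0.9,203.0.113.60,443
"""

def parse_flows(text):
    """Yield (src, dst, dport) from the comma-separated flow export."""
    for line in text.splitlines():
        if line.strip():
            _ts, src, dst, dport = line.split(",")
            yield src, dst, int(dport)

def smtp_counts(flows):
    """Outbound port-25 connection attempts per source address."""
    return Counter(src for src, _dst, dport in flows if dport == 25)

def classify(counts):
    """Map each subscriber address to block-smtp, opt-in-block, exempt or report."""
    # Baseline is the busiest ISP MTA; with no MTA traffic in the window the
    # baseline is 0 and nothing is auto-blocked on a guess (report only).
    baseline = max((counts[m] for m in ISP_MAIL_SERVERS), default=0)
    actions = {}
    for src, n in counts.items():
        if ip_address(src) not in SUBSCRIBER_NET:
            continue                       # ISP MTAs and off-net sources
        if src in OPT_IN_BLOCK:
            actions[src] = "opt-in-block"  # customer asked for 25 blocked
        elif src in ANNOTATED:
            actions[src] = "exempt"        # verified mailer: report only
        elif baseline and n >= RATIO * baseline:
            actions[src] = "block-smtp"    # block 25 at the cable modem
        else:
            actions[src] = "report"        # ordinary volume: weekly mail only
    return actions

def weekly_report(src, counts, actions):
    """sdd75's weekly note to the customer about their outbound port-25 use."""
    lines = [f"Outbound SMTP connections from {src} this week: {counts[src]}"]
    if actions.get(src) == "block-smtp":
        lines.append("SMTP has been blocked at your modem; run a virus scan and "
                     "Windows Update, then call support to have it re-enabled.")
    elif actions.get(src) == "report":
        lines.append("Port 25 is open on your account. Complaints against it "
                     "will be reviewed and may result in an ISP-enforced block.")
    return "\n".join(lines)

def run(text=SAMPLE_FLOWS):
    """Parse one monitoring window and return (counts, actions)."""
    counts = smtp_counts(parse_flows(text))
    return counts, classify(counts)

if __name__ == "__main__":
    counts, actions = run()
    for src, act in sorted(actions.items()):
        print(f"{src}: {act}")
        print(weekly_report(src, counts, actions))
```

On the constructed window the zombie at 10.0.0.12 is the only address blocked; the annotated BSD mailer sends just as much and is only reported.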
cbs228
Geeks Of The World, Unite

join:2000-09-04
Saint Louis, MO

Re: common sense

There are some protocols which simply don't play nice with NAT, and giving users a non-routable IP address is bound to complicate things. For instance, IM-client file transfers or almost any IM function other than chat might not work. RTSP streams could not be set up for videoconferencing. Customers could not make VPN connections. Although UPnP can mitigate this somewhat, it won't fix everything. Could ISPs even claim to offer internet access, since it wouldn't work as it should? I, for one, would not pay for broken internet service only to pay more to have it unbroken.
--
"If you stare too long into the abyss the abyss stares back at you." -Nietzsche

GENERAL FAILURE READING ©: DRIVE
(A)bort, (R)etry, (F)rivolous Lawsuits, (B)ribe Congress?

Seven1

join:2002-07-24
Lexington, KY
·Insight Communicat..

Umm

Let's not forget zombie PCs used for DoS attacks. I run a small IRC server to handle live support for customers of my web hosting business, and a couple of months ago a person tried to park a lovely botnet on my server. There were about 250 of them. About 225 had Verizon IPs, the rest had Asian IPs. I emailed the list of hostnames to Verizon abuse and, as per usual with ISP abuse departments, I got no response. What's worse, though, is that I sincerely doubt they did a damn thing about it.

Point being: ISPs won't even deal with customers that are backdoored zombies used in malicious attacks, so what makes us think they'll deal with spam relaying and worm spreading customers? I'm sorry but I have absolutely no faith in ISP abuse departments, because time and time again they have proven their uselessness.

GNXPower
Got Boost?
Premium
join:2003-12-18
Huntington Beach, CA



Disconnect them...

...then let them call and get it turned back on. Not hard and they can't exactly ignore it. As for laws, how the hell are you going to enforce it? We have more than enough laws, just ISPs that don't give a crap about enforcing their own TOS/AUPs. When these lamer ISPs get blacklisted (eg for spam), they'll start paying attention...and when they do they'll police their own subs.
--
Bush is a Fascist. Republicanism used to be about individual liberty and smaller government. Bush represents neither. He is a religious zealot who is looking to turn this nation into a theocracy. I'm a life long Republican who will vote AGAINST Bush.

newview
Ex .. Ex .. Exactly
Premium
join:2001-10-01
Parsonsburg, MD

Shut 'em down . . .

. . . and let the abuse department sort 'em out.

Most ISPs have an AUP/TOS which specifically addresses this problem. But most are hesitant to enforce it because they are afraid to lose customers.

Well, do you really need a customer who is not in control of his/her own machine? A customer whose machine is spewing thousands of spam messages a day and is jeopardizing the ability of the rest of your customers to use the service as it was meant to be used? Do you really want a customer whose actions (or lack thereof) are forcing other ISPs to blacklist you?

Shut 'em down immediately . . . and MAKE them secure their machine to regain their connectivity.

And if they don't secure it, terminate them . . . with extreme prejudice.
--
The Rules of Spam | Maryland's New Anti-Spam Law
Where are we going? And what's with the hand basket?

vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

Disconnect them

Send them an email and tell them what they need to do in order to get reconnected.

netwire
Premium
join:2001-04-27
Mooresboro, NC
·RoadRunner Cable
·Millenicom
·Sprint Mobile Broa..
·Vonage

Re: Disconnect them

My way...

I say that if the ISP notices a user is acting as a spam/virus relay then they should be notified via WRITTEN letter, and via telephone, not e-mail as that could get lost. Also, a telephone call or letter can be recorded/documented for proof that the ISP made an attempt to contact the person. If the letter/call is not responded to within 30 days the customer's account would be locked down. Their name/address would then go on an "ISP Blacklist" and they would not be able to get service until they have proof of anti-virus/firewall software.
--
Linux: There is really no better choice. Find the flavour that's right for you, visit www.distrowatch.com today!

newview
Ex .. Ex .. Exactly
Premium
join:2001-10-01
Parsonsburg, MD

Disconnect them

All this manages to accomplish is to allow the spew to continue for 30 or more days. Shut 'em down IMMEDIATELY . . . and I guarantee the customer WILL contact the ISP.

Vamp
5c077
Premium
join:2003-01-28
MD
·Verizon FIOS

said by vic102482 See Profile:
Send them an email and tell them what they need to do in order to get reconnected.

How are you going to get an email when you have no connection?

I think there should be warnings; it's the user's responsibility to keep their machines free of viruses. They wouldn't have viruses in the first place if they weren't idiots.
--
:: My current desktop ::

vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

Re: Disconnect them

said by Vamp:
said by vic102482:
Send them an email and tell them what they need to do in order to get reconnected.

How are you going to get an email when you have no connection?

Mail, I meant mail. I was thinking mail and typed email, lol. Ohh, the digital age we live in.

Come to think of it, it's been more than 2 years since I actually mailed a personal email through the post office.
--
I tie a rope around my penis and jump from a tree, don't you wanna grow up to be just like me!!!!

cbs228
Geeks Of The World, Unite

join:2000-09-04
Saint Louis, MO

If they're disconnected, how are they going to read their email?

mrchris
We don't miss you Bush
Premium
join:2002-10-01
North Babylon, NY
·Verizon FIOS
·Optimum Online

Re: Disconnect them

said by cbs228:
If they're disconnected, how are they going to read their email?

That's what written snail mail letters are for.
--
Firefox

sorne guy

@66.84.x.x
If they are disconnected, how will they get that email?

Vamp
5c077
Premium
join:2003-01-28
MD
·Verizon FIOS

Yeah, if only they'd figure out how to convert matter into a digital signal, you won't ever have to use regular mail for anything (packages, etc.).
--
:: My current desktop ::

DaDogs
Semper Vigilantis
Premium
join:2004-02-28
Deltaville, VA

Get them all to switch to Linux

Get them all to switch to linux? Just kidding... don't kill me.

Pichin

join:2001-07-01
Altamonte Springs, FL

Re: Get them all to switch to Linux

Not a bad idea... I did and I am having fun with it...

richk_1957
If ..Then..Else
Premium
join:2001-04-11
Minas Tirith

what to do

mrchris has a good idea, but as other people have mentioned, from steps 1 - 4 an incredible amount of spam could be generated. Here's my suggestion: e-mail a person who is suspected of being a spam relay, telling him the specifics and including somehow a plain vanilla AV program (or just a link to one, there has to be some out there), give them a decent interval, then cut them off & wait for them to complain
-OR-
Just cut them off, sending them mail at the same time with the reason for them being cut off & what to do about it
The bottleneck in that is depending on where you are, your mail delivery may be a problem, so it's possible you could be cut off, solved the problem and get reactivated before you got the mail..

yaplej
CCNA
Premium
join:2001-02-10
White City, OR
·Charter Pipeline
·Clearwire Wireless

Network Virus Protection

Maybe the industry should start investing more into technology like the following. What would be really cool is to see this implemented into cable/dsl routers, switches, and who knows what else.

»www.trendmicro.com/en/products/n···view.htm

Da22in
Buck Fush

join:2002-06-10
Charlotte, NC

cut 'em off

Cut them off and send them snail mail. Maybe a courtesy call for the first instance. Inform them to get protection, either through the ISP or other means. Once verified, and the customer understands the concept of regular and frequent updates....return the service. My former ISP actually had virus protection built in to the mail system so everything gets scanned prior to delivery.
Good feature as long as they stay up-to-date on new defs.

Pichin

join:2001-07-01
Altamonte Springs, FL
·RoadRunner Cable
·Comcast

Education

I do simple computer security consulting work for a private firm and I have to say that the best way to deal with this problem is education. If the ISPs in general send emails to customers with security tips, i.e. updates, worms and so forth, and tell the customer how to secure their computers and why, more people will do it. When I talk to a client and I ask if they have installed or updated their anti-virus software they usually reply with something like "yes I did it about a month ago" or "well I downloaded the Microsoft update last month". Too many people do not have the knowledge that we have or understand the why of these "updates" to worry or care about it, thus not applying it more often. Let's teach people the why and they will understand. Those clients of mine that have taken the time to keep up with what I and my peers have told them have been able to keep their systems secured and clean. We accomplished this by teaching the Why of "why update or patch".

Just my opinion.

question... Why do we lock our cars and house doors?
--
Life is a joke, either you laugh with it or it will laugh at you.

Skilos

join:2000-08-19
Astoria, NY

Re: Education


question... Why do we lock our cars and house doors?

To keep people out, but people can break in. That's why we have police.

Skilos

join:2000-08-19
Astoria, NY

No internet for florida?

Just wondering, what are the citizens of Florida "60 and over" going to do. Most of them don’t know jack about PC security. Will they all be disconnected?

KeepOnRockin
Music Lover Forever
Premium
join:2002-11-08
Beaverton, OR
·Comcast



Re: No internet for florida?

No elderly person in Florida should be disconnected.

Disconnecting grandpa or grandma because they unknowingly are transmitting SPAM is as bad as the RIAA suing a 65+ year old for unknowingly sharing music online.

Microsoft is really going places with their Windows XP Service Pack 2 coming up. If security is enabled by default (such as the Windows XP firewall and automatic Windows Updates), then there won't be so many zombies in the future.

Automatic Windows Updates should be mandatory! The patch for one of the Windows exploits last year was available some 6 months before the worm started making its way around the net.

Firewall software is also a must.
salahx

join:2001-12-03
Saint Louis, MO

Your ISP cannot be a babysitter

As nice as these ideas sound, it's simply not going to happen, mostly for one reason: cost. ISPs operate on razor-thin margins already and there is cutthroat competition (as with computer OEMs like Dell, Gateway, HP, etc.). Helpdesks are "money sinks" for ISPs; if ISPs called up every user infested with the virus of the month/week/day, even with outsourced foreign labor, it would probably negate any profits - unless, of course, they raised the price. Then, of course, there would be endless posts about the evil Bell/Cable conspiracy/monopoly trying to squeeze more out of their customers, yada yada yada.

"Jailing" the users by restricting ports, etc., will just drive up call queues (and thus costs) and irritate more advanced users. Start blocking ports, and suddenly they can't use their company's e-mail server, Kazaa stops working, etc. Quite a few businesspeople decide the easiest way to give remote access is simply to expose their entire network to the Internet (without using a VPN). Cut them off, and they start bitching about lost profits and business, and will simply move to another provider with laxer security.

Forcing all e-mail through a handful of servers (your ISP's) is a bad idea. Soon the government will pass a new "antispam" law saying all e-mail must be routed through those servers. PGP users may soon find themselves in Guantanamo Bay.

E-mail might work. Apparently, my machine was infected and my ISP sent me a nice password-protected zip file to remove it. How thoughtful....

As to holding the user responsible, it simply can't be done. In general, the end user doesn't know any better. They don't WANT to learn. I suspect they CAN'T learn (brain cells start dying around age 20. It appears the ones that control technical-savvy die first). It's more than ignorance - I know, I'm a helpdesk tech, I can explain something to someone 10 times, and have them repeat it 10 times, and they still will not have learned. And sadly, this is fairly typical! Educating the user is out of the question - you'll have better luck training elephants to fly.

Unfortunately it's one of those "good, cheap, fast: pick any two" problems. More responsive abuse desks would require a rate hike, and, of course, ISPs with non-responsive (or nonexistent!) abuse desks could offer lower prices. The choice of the masses would be clear. Unless you legislate it - but given the stuff coming out of Congress lately, any resulting law would probably be even more intrusive than USA PATRIOT and suck up to special interests more than the DMCA.

There's no magic bullet that'll solve the problem - unless, of course, it's a .45 directly through the head of the predators of the ignorant of the Internet (spammers, scammers, "spyware" deployers, semi-legit businesses that prey on ignorance like the "mp3" sites that only tell you how to download Kazaa and those coupon guys, black hats, DDoS zombie leaders, virus deployers, and so forth). Legislation is unlikely, for our government is so concerned with "the economy" that it won't take steps to stop even scummy (and downright illegal, at times) businesses in fear of a lost job or 2. And even if they did legislate, it would either be as (in)effective as the [You] CAN-SPAM act, or give Government/**AA an open door to strip you of all freedom and possessions.

sickened

@chcgil.ameritech

bad idea

Bad idea. I don't like the idea of ISPs having any more excuse to go snooping around my traffic. Getting disconnected because I happened to send 'too many emails' is silly. Give me a straight and untampered IP or give me death.

please, no bogus 'get a t1' suggestions. Yeah, like I could afford it...

St0ney

join:2001-02-25
uranus

why

Why not do it like Universities...and block all p2p ports and IRC...

Seven1

join:2002-07-24
Lexington, KY
·Insight Communicat..

Re: why

Why not? How about because people don't want services that are already overpriced to be underprivileged. Furthermore, P2P and IRC have nothing to do with this topic. I can't stand you fascists that think everything can be solved by port blocking.

St0ney

join:2001-02-25
uranus

Re: why

It wasn't my idea... I'm totally against it... my university blocked IRC ports "to stop virus/worm activity". Complete bullshit.

If that was the problem... how come ISPs have done nothing to block ports?

ParanoiaInc

join:2002-08-28
Tucker, GA

If you have to ask, you're an idiot ISP!

This is a business opportunity to make money off of ignorant customers. If an ISP has a customer with an infected computer the ISP should a) notify that customer, b) suggest steps for cleaning up their computer (or face service interruptions), and c) offer to assist them in cleaning up their computer.

Is this really that difficult of a vision to employ?

Pichin

join:2001-07-01
Altamonte Springs, FL


Re: If you have to ask, you're an idiot ISP!

"It is too hard to do such a thing" (being a smartass)
Like I said before: EDUCATION

If the ISP takes the time to help and educate none of us would have to worry!!!!