Quarantine your infected users spreading malware

Michael Loftis mloftis at wgops.com
Thu Feb 23 21:01:17 UTC 2006

--On February 23, 2006 9:09:26 PM +0200 Gadi Evron <ge at linuxbox.org> wrote:

> I don't really see how any ISP will terminate an account for just one
> complaint, after all, it's losing money..
> We have seen a few good examples of pretty big ISP's who said here how
> quarantine works for them.
> Got an example on how ISP's are kicking users out?

Speakeasy suspended my service for a week over a single report from 
someone.  The mail never even travelled through or via any of my systems, 
the header bit that was called in was forged.  It took a week to get them 
to give me the information they'd gotten in complaint.  There was a forged 
Received header (completely fabricated, including the 'Qostfix' MTA) and 
also a forged HELO or EHLO of a non-existent host when it actually relayed 
it off onto someone elses MTA.

I can't remember the exact ISP...might've been RoadRunner or TW in Toronto, 
but a friend had her DSL or CableModem suspendded, ended up changing 
providors.  There was an infection, it was cleaned, they were allowed back 
on, then the ISP either received an old/backlogged complaint or something 
and they cut them off again,, but the machines were all clean (indeed 
watching the network for traffic over several days revealede nothing that 
they claimed to be the problem).

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler

More information about the NANOG mailing list