Quarantine your infected users spreading malware

Jim Segrave jes at nl.demon.net
Tue Feb 28 09:29:12 UTC 2006

On Thu 23 Feb 2006 (11:18 -0600), Michael Loftis wrote:
> --On February 23, 2006 8:02:31 AM -0600 Jack Bates <jbates at brightok.net> 
> wrote:
> >We allowed users back online to run Housecall at trendmicro for free so
> >they could get cleaned up and save some money. However, the resuspend
> >rate was so high, we quickly changed to offline cleanup only. It will
> >remain until we perfect our auto defense system.
> >
> >Customers just want things to work. They don't care if they are infected.
> >It's amazing how many customers swear they aren't scanning or sending
> >email, and refuse to understand that their computer is capable of doing
> >things without them knowing.
> What doesn't help is the ISPs out there who are complete dolts and first 
> don't verify reports and second false alarm.  They'll cut a user off on a 
> single complaint without any evidence or verification.  Or worse they have 
> some automated system that false alarms without any way to verify you're 
> cleaned up.  And if you can't get online you can't get cleaned up anyway. 
> Catch 22.  


It puts them in a protected environment where they can get cleaned up
on-line without serious risk of re-infection. They can pop their
e-mail, reply via webmail, but they can't connect to anywhere except a
list of update sites.

It uses honeypots to avoid false positives. 

In short, it works.

Jim Segrave           jes at nl.demon.net
