Assigning a fine (Was: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help))

Leigh Porter leigh.porter at
Mon Jun 18 12:07:08 UTC 2007

Indeed and there is no need to fine them. Simply quarantine them in a
way that allows outbound WWW access and nothing else. Most customers
will not notice anyway. You could also occasionally re-direct them to a
forced-portal that tells them they are infected with something and
describing how to fix it.

Remember, they are victims too...


Frank Bulk wrote:
> Assigning a fine doesn't win any friends.  The customer is already miffed
> that:
> a) we talked to them and wasted their precious personal time
> b) 'accused' them of malicious activity
> c) that we took them offline
> d) that they'll now need to spend $100 at a computer shop or use up goodwill
> credits with computer-savvy friends to fix it up.
> No, fines don't help, at least for the majority of people.  If they care in
> any way they will try to get it fixed ASAP, and if they don't care, well, we
> don't feel too bad then if we have to disconnect them.  Again, that's rarely
> the case because 99% of people really do care.
> Regards,
> Frank
> -----Original Message-----
> From: Jeroen Massar [mailto:jeroen at] 
> Sent: Sunday, June 17, 2007 9:15 AM
> To: frnkblk at
> Cc: 'Sean Donelan'; nanog at
> Subject: Quarantining infected hosts (Was: FBI tells the public to call
> their ISP for help)
> Frank Bulk wrote:
>> The Billy Goat product only seems to detect and notify nefarious activity,
>> but it does nothing for the owned clients.
>> I want something that restricts my owned subscribers to downloading
> updates
>> and tools while preventing them from spewing forth more spam and the like.
> A Billy Goat will nicely quarantine the host that is infected, that is
> the whole goal of the system. What access is still allowed when the host
> is in that quarantine is of course a matter of policy. Allowing them to
> access things like Windows Update and providing at least a good
> virusscanner + SpyBot Search&Destroy etc is most likely a good thing to
> do for these situations.
> IMHO ISPs should per default simply feed port 25 outbound through their
> own SMTP relays. BUT always have a very easy way (eg a Control Panel
> behind a user/pass on a website) to disable this kind of filtering. This
> is what XS4all does and it seems to have a lot of effect but still
> allows anybody who doesn't 'want' this protection to use the Internet
> the way they want it, and not the way that is prescribed before them. Of
> course, when they disable the filter it becomes very easy when something
> does go wrong to laugh at them and not allow them to turn the filter off
> unless they pay a fine or something similar ;)
> For that matter, why don't ISPs start doing that: Introduce a fine. When
> somebody gets infected, and thus doesn't take good care of his/her/it's
> computer fine them. Let them pay say $25 to get fully back on the
> Internet and only allow a very slow rate of traffic in the mean time.
> Of course, the argument most likely goes then that they will swap ISPs,
> but they will quickly run out of those and of course ISPs don't want to
> lose clients over it, as the ignorant are the ones that provide the
> simple cash.
>> Mirage Networks is the closest to it, from my limited knowledge.
> As mentioned, there are most very likely different products in this area
> which can resolve your problem. Also one can always run your own(tm).
> Greets,
>  Jeroen

More information about the NANOG mailing list