amazonaws.com?

Luke S Crawford lsc at prgmr.com
Thu May 29 18:07:05 UTC 2008


Peter Beckman <beckman at angryox.com> writes:

>   If you are taking card-not-present credit card transactions over the
...snip "hard to charge fraudulent customers" and also "verifying customer
identity annoys the customer"... points-


The goal here is to give abuse a negative expected return.
One way to do this is to charge (and collect) a fee that is greater than 
what the spammer can earn between when they sign up and when you shut them 
down.  There are two ways to do this -  1. raise (and collect) the abuse fee, 
or 2. lower the amount they can earn before you shut them down.  

I am suggesting that we put some effort into 2- If we can reduce the 
amount of time between when a spammer signs up and when they are shut
down, we raise the spammer's costs.  I think there is low-hanging fruit
in this area.  

I believe that the 'strongly authenticate customer, then take legal 
action' model is dictated by the fact that most abuse incidents are not
actually reported to your abuse desk- some abusive customers can go days
or weeks before you receive a complaint.  To give abuse a negative expected
return, then, you need to make the consequence expensive.  (To say nothing
of covering the costs of trying to get good logs/evidence out of those who
are complaining, or trying to figure out if your customer is a spammer
or if your customer was owned by a spammer, and the costs of collecting the
fee.)

I wanted to point out another option providers now have.  IDS technology
has matured.  Snort is free and pretty standard.  Personally, I find 
monitoring incoming traffic to be... of limited utility.  However, 
I believe Snort is an excellent tool for lowering the cost of running an 
abuse desk, if you run it on the outgoing traffic.  Snort is pretty good 
about alerting you to outgoing abuse before people complain.  Heck, if you 
trust it, you can have it automatically shut down the abusive customers.
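
The egress-monitoring idea above, as an added example that is not part of the original post and is not Snort itself: a Python check over constructed outbound connection records that flags a customer address fanning out to many distinct port-25 peers, and reports how long the account was active before detection. The record format, the window, the limit and the dollar figures are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window
MAX_SMTP_DESTS = 20             # assumed limit of distinct port-25 peers per window

def detect_smtp_fanout(lines):
    """Return {src_ip: (first_seen, flagged_at)} for sources over the limit.

    Each line is "ISO-time src_ip dst_ip dst_port", in time order.
    """
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside WINDOW
    first_seen, flagged = {}, {}
    for line in lines:
        ts, src, dst, port = line.split()
        when = datetime.fromisoformat(ts)
        first_seen.setdefault(src, when)
        if port != "25" or src in flagged:
            continue
        q = recent[src]
        q.append((when, dst))
        while q and when - q[0][0] > WINDOW:
            q.popleft()  # forget connections older than the window
        if len({d for _, d in q}) > MAX_SMTP_DESTS:
            flagged[src] = (first_seen[src], when)
    return flagged

def expected_return(earn_per_hour, hours_active, fee_collected):
    """Abuser's net: earnings between signup and shutdown, minus the fee collected."""
    return earn_per_hour * hours_active - fee_collected

# Constructed sample (documentation address ranges). 192.0.2.10 behaves like an
# ordinary customer; 192.0.2.66 contacts 40 different mail servers in 40 seconds.
SAMPLE = [
    "2008-05-29T17:59:00 192.0.2.10 198.51.100.200 25",
    "2008-05-29T17:59:30 192.0.2.10 198.51.100.200 443",
] + [f"2008-05-29T18:00:{i:02d} 192.0.2.66 198.51.100.{i + 1} 25" for i in range(40)]

if __name__ == "__main__":
    for src, (seen, hit) in detect_smtp_fanout(SAMPLE).items():
        hours = (hit - seen).total_seconds() / 3600
        # Assumed figures: 5 dollars/hour of spam revenue, 50 dollar fee collected.
        print(src, "flagged after", hit - seen,
              "abuser's net:", round(expected_return(5, hours, 50), 2))
```
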






