obvious intent (Re: the Intercage mess)

Paul Bennett paul.w.bennett at gmail.com
Thu Sep 25 08:31:20 CDT 2008


On 9/25/08, Paul Vixie <vixie at isc.org> wrote:
>  so, now begins the search for the line that mustn't be crossed.  if they
>  have N spamming customers or M "captured" machines running C&C and they
>  disconnect such customers after P warnings or Q days, then will the
>  community still rise up in arms and if so will that still be enough
>  negativity to cause their (new?) provider to lose connectivity?  if not,
>  then what about P-1 or Q+1 or M*2 or N/2?
>
>  discovering the process by which N, M, P, and Q are discovered, will be
>  even uglier than everything we've seen on this topic to date.

I work at the abuse department of one of the big ISPs, and I have
to note that finding effective values for those four variables is
sticky business from the abuse preventers' side too.

We get tens of thousands of abuse complaints every single day. Even
filtering out the frequent-flyer abuse miscomplainers (certain ISPs
seem to have no outbound filtering -- to cope with the very large
number of times when their customers seem to confuse "Report Spam"
with "Move to Trash", for instance), there's still a butt-load of data
to be analysed and acted on, and only a finite number of monkeys with
typewriters to churn through it.

At best, it's a trans-global game of whack-a-mole, suspending orgs and
consumers who have never heard the word "firewall", or at least have
never learned router ACL config. Add to this the potential legal
and/or press minefield of being accused of wiretapping,
traffic-shaping, and other nefarious deeds, and we have to tread very
gently indeed around certain abuse detection and prevention issues.

In short, it's a big hairy beast, and it's even scarier if you take a
closer-than-normal look.



Paul
(not an official spokesperson, nor a policy-maker, of any ISP or
similar company)



