[88917] in North American Network Operators' Group


Re: Quarantine your infected users spreading malware

daemon@ATHENA.MIT.EDU (Michael Loftis)
Thu Feb 23 16:02:11 2006

Date: Thu, 23 Feb 2006 15:01:17 -0600
From: Michael Loftis <mloftis@wgops.com>
To: nanog@merit.edu
In-Reply-To: <43FE0866.7070809@linuxbox.org>
X-MailScanner-From: mloftis@wgops.com
Errors-To: owner-nanog@merit.edu




--On February 23, 2006 9:09:26 PM +0200 Gadi Evron <ge@linuxbox.org> wrote:

> I don't really see how any ISP will terminate an account for just one
> complaint, after all, it's losing money..
>
> We have seen a few good examples of pretty big ISP's who said here how
> quarantine works for them.
>
> Got an example on how ISP's are kicking users out?

Speakeasy suspended my service for a week over a single report from 
someone.  The mail never even travelled through or via any of my systems, 
the header bit that was called in was forged.  It took a week to get them 
to give me the information they'd gotten in complaint.  There was a forged 
Received header (completely fabricated, including the 'Qostfix' MTA) and 
also a forged HELO or EHLO of a non-existent host when it actually relayed 
it off onto someone else's MTA.

I can't remember the exact ISP...might've been RoadRunner or TW in Toronto, 
but a friend had her DSL or CableModem suspended, ended up changing 
providers.  There was an infection, it was cleaned, they were allowed back 
on, then the ISP either received an old/backlogged complaint or something 
and they cut them off again, but the machines were all clean (indeed 
watching the network for traffic over several days revealed nothing that 
they claimed to be the problem).

--
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
