----- Original Message ----- From: "Erik Haagsman" <erik@we-dare.net> To: "Paul G" <paul@rusko.us> Cc: <nanog@merit.edu> Sent: Monday, November 29, 2004 4:30 PM Subject: Re: "Make love, not spam"....
I agree and I'm surprised you even mentioned the word justice...since when is retaliating bad practices with more bad practices that are hardly likely to take out the real target considered a good idea..?
'justice' was mentioned in the message i quoted. it appears i was not remiss - i got an email from a guy running a small town isp telling me, essentially, that:

1. if i get hit with cc fraud, it is my own darn fault for not asking every single $9.99/mo customer to fax me their retina scan.
2. incurring a humongous bandwidth bill instead of being out said $9.99 is adequate punishment for my 'stupidity'.
3. he likes the kind of justice where a provider gets harmed instead of the abusive customer, because Good ISPs Recognize Bad Guys On Sight.

i've got news for you:

1. when you run a sufficiently large operation, credit card fraud is approached as a risk mitigation exercise - you find a golden middle in terms of verification which is cost-effective, i.e. reduces the incidence of fraud to an acceptable level while not costing an arm and a leg in terms of labour costs and encumbrance to the very large majority of legitimate customers placing an order. the problem with getting ddosed is that this cost-effectiveness calculation goes out the window because your risk is no longer a measure of the price a customer is paying for the service, but rather a measure of how much traffic lycos' botnet can direct at you. for you, it may be bounded by the single t1 termed in your basement, while for me it may be bounded by a gig-e feed i get from my upstream.

2. cc fraud was just an example, and probably a bad example at that, since you can come up with a holier-than-thou argument against the example rather than the practice of shoving traffic my way that neither i nor my clients asked for. let's try again. customer pays for a dedicated server with a valid credit card. we charge them the monthly fee and keep the credit card on file. customer proceeds to spam, or better yet installs an insecure formmail script, or his box gets owned. he gets ddosed by lycos, racks up a large overage bill and gets terminated by us for breach of AUP.

we notify the customer and try to bill him for the overage charges. lo and behold, customer put a Do Not Honor request on transactions initiated by us. we're stuck with the bw bill. alternatively, customer charges back and their issuing bank is braindead and we lose the chargeback. or customer was paying by check. whatever.

see the point? while we may be willing to risk the monthly charge because we won't ask customers paying by check for a large security deposit, we aren't willing to risk an arbitrarily high bw bill from folks who think they're doing the 'net a favour by ddosing For Our Own Good. "consumption" is equivalent to "denial", the only difference being in the reason the service will no longer be available - administrative (i.e. financial) and technical respectively. while we all would like to see spam-related services not being available, there exist means to that end that are not acceptable, such as hunting spammers with shotguns or ddosing their (in many cases unknowing) providers.

-p
---
paul galynin