On 9/25/08, Paul Vixie <vixie@isc.org> wrote:
> so, now begins the search for the line that mustn't be crossed. if they have N spamming customer or M "captured" machines running C&C and they disconnect such customers after P warnings or Q days, then will the community still rise up in arms and if so will that still be enough negativity to cause their (new?) provider to lose connectivity? if not, then what about P-1 or Q+1 or M*2 or N/2?
>
> discovering the process by which N, M, P, and Q are discovered, will be even uglier than everything we've seen on this topic to date.
I work at the abuse department of one of the big ISPs, and I have to note that finding effective values for those four variables is sticky business from the abuse preventers' side too. We get tens of thousands of abuse complaints every single day. Even filtering out the frequent-flyer abuse miscomplainers (certain ISPs seem to have no outbound filtering -- to cope with the very large number of times when their customers seem to confuse "Report Spam" with "Move to Trash", for instance), there's still a butt-load of data to be analysed and acted on, and only a finite number of monkeys with typewriters to churn through it.

At best, it's a trans-global game of whack-a-mole, suspending orgs and consumers who have never heard the word "firewall", or at least have never learned router ACL config. Add to this the potential legal and/or press minefield of being accused of wiretapping, traffic-shaping, and other nefarious deeds, and we have to tread very gently indeed around certain abuse detection and prevention issues.

In short, it's a big hairy beast, and it's even scarier if you take a closer-than-normal look.

Paul
(not an official spokesperson, nor a policy-maker, of any ISP or similar company)