As a result, *ALL* SMTP mail traffic from Interramp's networks has been blocked at the router level here.
I would encourage *EVERY* responsible ISP to do the same.
I doubt many (esp. large providers) will start filtering IP/SMTP traffic because (1) filters suck precious CPU, (2) they'd have to maintain frequently changing filter lists, (3) and they'd increase potential liability for traffic monitoring/filtering.

Note: Below is a long non-operational, non-routing rant. Don't say I didn't warn you. You may also want to follow up to me personally rather than the list (thus the Reply-To header).

I personally have been disappointed at PSI's unwillingness to police its trial members. It's more than Usenet or mailing lists. I get InterRamp spam directly to misspelled user accounts at a domain I manage. For the first incident, I sent repeated mail to postmaster@interramp.com - no reply. For another I tried to additionally involve CERT because the message content advertised special SPAMing software that might bring on more clever SPAMers. I believe CERT's attitude (perhaps rightly so) was to sit on the sidelines.

While I've given up on chasing down SPAM (not my job) and usually just delete them, I sometimes forward them on to people who might care to know about them (too-good-to-be-true deals go to an SEC friend, trademark violations are forwarded to a company's whois contacts).

... but it's more than just SPAM. People are going to use trial accounts for more sinister problems: anonymous hacking and anonymous credit card fraud.

The following is a true story:

In July my bank company called me to ask if I knew anything about multiple $39.95 purchases. "Uh no, why?" It turns out that someone was using my credit card to access "Club Love", a Web-based porn service. "What!?!" (Yes, this is not something I do.) They racked up over $1100 in charges. I quickly had my card cancelled (great, no Visa/ATM for a week) and then at the advice of my bank called "Club Love" to ask for a credit. They didn't credit me until they had a threat of a charge-back on them.

I wanted to help them chase the ba&tard down too.
They had Web logs, and they knew from where the requests came, apparently some pool-address dialup account. It's happened before, and in a previous occurrence the ISP refused to track down the caller. I'm assuming it was a trial or anonymous account since crime is grounds for dismissal in anyone's service.

I know that it's possible that IP addresses can be traced back to PPP interfaces which can be traced back to calls which (with some dialup manufacturers) can be traced back to the caller's ANI info, but I've hit a brick wall. To get any of this info out of an ISP would require a court order at a minimum. I have no recourse because I haven't lost any money, and I'm told that felony credit card fraud has a $2500 minimum so my local DA won't care. My bank is concerned, but they have no recourse since they didn't lose money. Only "Club Love" has lost money, and I use "lost" loosely because like the First Virtual risk model (*) there is no tangible loss from a person's downloading bits from a Web site.

(*) http://www.fv.com/info/overview.html#insights

Mostly-victimless crimes like this are likely to become more common as users see that no one is inclined to catch them. SPAM is nothing in comparison to a presidential e-mail death threat or hacking into some online bank's financial system - but it'll likely happen one day which is why some might want to think twice about their trial account offering.

So how does this apply to NANOG? We're just Internet jockeys, right?

In addition to being the routing resource for your company, your marketing people probably ask your opinion about new products or at least force new products down your (or your coworkers') throats. One day you'll be asked/told about the idea of mailing out drink coasters (er, I mean "trial account floppies") to people.
Here are some considerations you may want your marketing people to ponder if/when that happens:

SPAM

- How many support man-hours will be spent chasing, responding to, removing, and in general dealing with customer SPAM?
- What policies will you have in place to discourage SPAM?
- ... or (like some) do you just take the PR hit and not deal with it?

Logging

- How much data can you have about every session or transaction?
- Of that data, what's public information and what's private?
  Most would consider dial ANI info, account information, E-mail, Web transactions, and IP packets contents to be private data. Some would consider IP packet headers and e-mail headers to be public. Usenet postings are certainly public.
- How much of that data do you maintain? All of it? None? Some, but not all? If you choose not to maintain some data, how liable are you? Do you have enough disk space? How do you manage offline storage/backups?
- How willing are you to research through that information for a third party?
  Some third parties to consider: A hacker, your employees, another customer, a sysadmin at another service provider, local law enforcement (court order required?), federal law enforcement, secret service.

Services

- Do you provide limited or unlimited Internet access? Do you enable your customers (access to news poster, Web/FTP accessible disk space)?
  At least with online services, their trial customers affected only other customers, not 30+ million people around the world.
  For potential SPAMers, consider keeping your trial customers from using a non-local posting distribution (how will they know the difference? ;^), and limiting them to only e-mail to a fixed number of messages (20?) or keep it inside your service.
  For hackers, consider firewalling your customers so that they can only use popular ports like Web, Netrek, and Kali, and not Telnet, X-Windows, SMTP, etc...
- When your trial customers access the internet, whose domain name shows up on the PTR records or the e-mail address?
  This is important because the person in the Whois database as a technical or administrative contact is usually the one that's called or e-mailed when there are problems.
- Do your potential customers know up front that they're liable for how they use their account? Do they know you're not (willing to be) liable for their actions?

If you give these questions to your marketing people and if you're lucky, they will have more than enough to chew on to keep them busy for a couple months so that you can get back to router configurations and peering problems.

If they insist on going ahead with the trial subscriber disks anyway, insist that they need to hire a team of at least two FTE support people per 800 customers who are at least as smart as you (good luck :^), hire a couple system administrators who are also programmers (whee!), and put an online-savvy attorney on retainer (even harder to find!). Oh yeah, they'll have to buy you the RAID farms you've always wanted and buy into your previously ignored security philosophies since you can no longer trust your customers to be good people.

If that doesn't work, perhaps only Dogbert can help.

--
Eric Ziegast
ziegast@im.gte.com