... Then I went to work for a so-called "Tier-1" and learned in short order that this policy does not scale, especially when abusive customers with DS3s are waving around fully loaded lawyers.
... If your well-lawyered customers complain, wave the AUP at them; if your AUP doesn't allow you to disconnect customers who imperil your network and the Internet at large, rewrite it.

on the one hand, i just want to say, this works. dave rand had written the original abovenet AUP and while many lawyersticks were brandished, nothing ever happened except that spammers had to seek their services elsewhere. (note: some said that e-bay in the early days was a spammer, but i disagreed.) (note: abovenet today is a different entity than the abovenet i'm describing.)

on the other hand, i just want to say, many isp's are in business to make money not save the world, and if a stronger AUP would mean fewer customers, then the management team is going to have a very hard time justifying a stronger AUP to their shareholders. while at MAPS, i often encountered spammers whose explanation was, "this is the behaviour others exhibit and if we don't do it we'll be noncompetitive, but if you can get the others to stop, we'd love to stop also." my response was (predictably) "you have to do the right thing, right now, and it doesn't matter what other people do, MAPS will get around to them eventually." this ideological divide was much more complex than the usual "good vs. evil".

since we're talking about laziness, let's look at two ways in which we (nanog "members" and others like us around the world) have been lazy, for decades, and have therefore helped to create the current miserable "abuse" situation.

1. there is no single and widely used abuse reporting format that can be automated at both the victim and responding sides. therefore ntlworld (and others) would have huge costs in trying to parse and understand abuse reports, and so they don't do it, and then they offer up javascript-based web pages to try to automate their end, which makes it impossible to automate the other (victim) end, and so doesn't scale no matter what.

2. there is no single, compelling, honest ethical standard like "the good housekeeping seal of approval" in our industry. instead we have Trust-E whose seal is used by abusers worldwide (their privacy standard still does not require verification of permission, even though everybody knows that SMTP isn't trustworthy) and other similar ventures, many of whom went out of existence with the dotcom crash, or which are similarly spineless.

as individuals, we are not lazy. you want evidence? look at the dozens of incompatible attempts to solve #1 and #2 above. these were legitimate, heartfelt attempts by qualified and dedicated individuals. but nothing "sticks", partly because disallowing outbound abuse only reduces revenue and only increases expense (while only reducing expense and only increasing revenue for competitors), and partly because nobody wants to adopt an existing standard since it's so much more fun to invent something new.

given solutions to #1 and #2 above, well designed and well marketed, it could become possible to require compliance as part of RFP's and peering contracts, and management teams worldwide would be able to look their shareholders in the eye and say that compliance isn't noncompetitive because there are forces that will make the competition have to comply also.

but while as individuals we might have lots of energy for this fight, as a community we are lazy, and we'd rather think about next generation router design than next generation abuse design. and yet it always seems to surprise us when the greedy undereducated middle managers, salespeople, and lawyers keep finding new ways to make the abuse problem worse. lazy, lazy, lazy.

-- Paul Vixie