Re: ISPs' willingness to take action

27 Oct 2003

      ----- Original Message ----- 
From: "Eric Kuhnke" <eric@fnordsystems.com>
To: <nanog@merit.edu>
Sent: Monday, October 27, 2003 8:40 AM
Subject: RE: ISPs' willingness to take action

>
> This is definitely a business opportunity for any ISPs that wish to take
> advantage of it...  Hire clueful abuse desk people, set up a good IDS, run
> spamassassin on your mail servers, and offer free antivirus software to
the
> broadband connected bare win32 PCs.  I am sure midsize ISP marketing
> departments will be able to brand this with a slick name and print
brochure
> or TV commercial.
* But customers of broadband ISP aren't going to want to pay more than $40 a
month for any such thing you add, and just how clueful do you want help desk
people (I don't think you meant abuse desk ... there probably isn't even
one) ? $20 an hour? $26 an hour? That isn't gonna happen. And the PRINT and
Commercials cost money as well. Which is fine for signing up new customers
... and there is always that customer churn.

You can say you raised the bill because you added IDS, and Spamware, and
Virusware, and because they get free AV and Firewall software ... and the
majority of customers are going to have a fit. They think the whole thing is
the responsibility of the ISP at the current rate (or even cheaper!). "You
let that virus come into my computer" ... "It came over YOUR network!!!!".

>
> "Tired of spam and junk on the internet?  Sick of Pop-ups?  Worried about
> the spread of worms and viruses?  We're better than the competition, and
> here's why...!"
* Because we're more expensive ;-)

>
> >We implemented an IDS system.  The ROI comes from the inbound attacks
> >being detected/prevented/shunned.  But it's also listening to the
> >outbound stuff, so when we see that a customer has the flavor of the
> >week, we cut him off, give him a call and some friendly advice, and
> >everyone's happy.  When we see IRC joins and port scans from a customer
> >server, we give him a call, advise him that he's been rooted, and offer
> >to assist in his recovery (can you say business opportunity, folks?).
> >
> >Blocking ports is fine as long as you let people know what you're
> >blocking and why, offer alternative solutions and offer to unblock if
> >it's an absolute requirement.  Often, once properly educated about the
> >risks, a lesser experienced admin will be excited about the opportunity
> >to do it the more secure way, and will begin preparations, so I've found
> >the "unblock" is usually temporary.
>

* I love that wishful thinking. But I kept seeing the same experienced
admins (or so they said) with the same spam complaints, pointing at their IP
Address (even after it was changed). And home users who said they got rid of
the virus but it was still there pumping away just like before you called
them.

We had some users that were happy we had cut them off, and told them that
they had a problem (virus or otherwise).

---
Alan Spicer (a_spicerNOSPAM@bellsouth.net)
http://aspicer.homelinux.net/
http://telecom.dyndns.biz/
Systems and Network Administration,
and Telecommunications