On Sun, Oct 04, 2009 at 04:33:43AM -0700, Owen DeLong wrote:
> Uh... Here I differ. The rest of the internet should put up with the abuse flowing out of your network for 3 days to avoid disruption to you? Why? Sorry, if you have a customer who is sourcing malicious activity, whether intentional or by accident, I believe the ISP should take whatever action is necessary to stop the outflow of that malicious behavior as quickly as possible while simultaneously making all reasonable effort to contact the customer in question.

Exactly correct. The number one priority, which trumps all others, is making the abuse stop. Yes, there are many other things that can and should be done, but that's the first one.

Let me also point out that there's a problem with offering simple, automated removal (as was suggested in the message that you replied to): resident malware on abuse-sourcing zombies will very quickly be reprogrammed to avail itself of that mechanism (on a per-ISP basis if necessary, if this becomes widespread). So there should be no automated removal process: the intervention of humans should be required, doubly so as in most cases the putative/former owner of the infected system is unaware of any of this.

---Rsk