mrchris (North Babylon, NY; joined 2002-10-01):
My way
1) Send an email to customer notifying they are infected/being used as spam relay, and giving information on how to remove the worm/virus/relay.
2) A letter to the customer stating the above and telling they failed to clean their machine of relay/worm/etc.
3) Final warning via written letter and email telling them it is their last warning to purge their system of the virus/etc before they are disconnected.
4) Termination of the customer(s) and a written letter telling them they will be reactivated once their machine is clean and secured. Contact info for customer to notify the ISP they are clean and secure so they can have access again.
-- Firefox
Krispy (the stix; joined 2001-12-11):
said by mrchris:
1) Send an email to customer notifying they are infected/being used as spam relay, and giving information on how to remove the worm/virus/relay.
2) A letter to the customer stating the above and telling they failed to clean their machine of relay/worm/etc.
3) Final warning via written letter and email telling them it is their last warning to purge their system of the virus/etc before they are disconnected.
4) Termination of the customer(s) and a written letter telling them they will be reactivated once their machine is clean and secured. Contact info for customer to notify the ISP they are clean and secure so they can have access again.
While a wonderful idea, the length of time this would take would negate the ability to stop the spread of the worm, the spewing of spam, etc. Plus... do you (the supposed clean and secure customer) really want to pay the extra costs associated with this because others have not secured their machine?
I try my best to warn subscribers (via email) before having to temporarily suspend but sometimes it is necessary to immediately suspend to not only protect the net but to also protect the subscriber.
These days I'm more of the opinion that an additional measure in the way of a quarantine pen needs to be implemented for all subscribers. Basically a new (or recently suspended) subscriber would not be able to get on the network until an MSR (minimum security requirement), i.e. all Windows critical patches applied or whatever, was met. Sure, you'll still have the threat-of-the-day to contend with, but at least this way the importance of security is clear at the onset.
wentlanc (Maineville, OH; joined 2003-07-30), reply to mrchris:
Agree with everything. One addition, though...
Block port 25 to reduce the number of improperly secured mail relays out there. Only open for customers who request it, and then monitor them more closely.
puritan
LrdVader (San Diego, CA; joined 2003-12-18), reply to mrchris:
Due to the tremendous amount of spam and/or virus-laden email that can be spewed in the interval between 1 and 4, I think the connection needs to be shut down on the spot.
Sure, there will always be borderline cases, and in those kinds of situations, a polite email or call to the customer asking what's up is a good idea. But a lot of these machines are really blatant, spewing out tens of thousands or even hundreds of thousands of messages per day. When spam is obviously pouring out, and spam complaints are pouring in, I think the appropriate response is to brick the modem first and sort out the mess later.
I've had my primary email address for almost 9 years, and it's getting hit hard by the spam zombies. It was actually pretty clean, until about a year ago, when the zombie mess started. Now I'm getting blasted with close to 150 spams per day. It's time to take a hard line with the people who don't care enough to ensure that their machines aren't causing large-scale internet pollution.
Nevster (Dalhousie, NB; joined 2002-04-06), reply to mrchris:
During times of increased virus activity (like the last two weeks) I closely monitor outbound SMTP activity. If I see a customer with about as much activity as our mail servers, I simply block SMTP at their cable modem.
Since many customers read mail with web browsers now, many don't even notice that their SMTP capabilities were blocked. Those customers who just happen to be sending more mail out than the ISP servers usually call or (more often than not) use their Hotmail accounts to inquire.
If I discover that they're running BSD or linux, and it was just bad luck that they happened to be sending a lot of mail at the time, the customers usually understand, and I annotate their accounts accordingly so I don't shut them off again.
When a customer calls in reporting their mail is broken, our CSRs explain the virus, ask the customer to run a virus scan and go to windowsupdate to ensure their systems are secure. If the customer says they've done that, then we take their word for it, and re-enable their SMTP. No hassles... Unless of course, we get spammed from their IP immediately after lifting the filter.
Yeah, it's not a perfect way, but it does keep the collateral damage down, and offer some education to customers who're suddenly really willing to learn. It doesn't bother people who're keeping their systems up-to-date, patched and uninfected.
And curiously, we've not had an actual upset customer with this method, but I'm sure some fictitious customers are bound to complain...
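The outbound-SMTP volume check Nevster describes, written out as an added example (not code from the thread or from any ISP): per-source connection counts are compared against the ISP's own relays, and accounts annotated as legitimate heavy senders are skipped. The log format, IP addresses, 50% ratio and exemption list are all constructed assumptions.

```python
"""Flag subscriber IPs whose outbound SMTP volume rivals the ISP's own mail
relays, skipping accounts annotated as legitimate high-volume senders.
Added example for this thread; log format and addresses are constructed."""
from collections import Counter

# Constructed per-interval flow summary: "<src_ip> <dst_port> <connections>"
SAMPLE_LOG = """\
10.0.0.5 25 12
10.0.0.9 25 3100
10.0.0.9 443 40
10.0.0.17 25 2800
192.0.2.10 25 3200
192.0.2.11 25 2900
10.0.0.23 25 450
"""

# Constructed: the ISP's outbound relays; their volume sets the baseline.
MAIL_SERVERS = {"192.0.2.10", "192.0.2.11"}
# Constructed: accounts annotated after a call (e.g. a BSD box running a list).
EXEMPT = {"10.0.0.17"}


def smtp_connections(log_text):
    """Count outbound connections to destination port 25 per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        src, port, n = line.split()
        if port == "25":
            counts[src] += int(n)
    return counts


def suspects(log_text, ratio=0.5):
    """Return subscriber IPs whose port-25 volume is at least `ratio` of the
    average per-relay volume; relays and exempt accounts are never listed."""
    counts = smtp_connections(log_text)
    relay_counts = [counts[s] for s in MAIL_SERVERS if s in counts]
    if not relay_counts:          # no baseline this interval: flag nothing
        return []
    threshold = ratio * sum(relay_counts) / len(relay_counts)
    return sorted(ip for ip, n in counts.items()
                  if ip not in MAIL_SERVERS and ip not in EXEMPT
                  and n >= threshold)


if __name__ == "__main__":
    counts = smtp_connections(SAMPLE_LOG)
    for ip in suspects(SAMPLE_LOG):
        print(f"candidate for SMTP block at modem: {ip} ({counts[ip]} connections)")
```

Lowering `ratio` widens the net; the exemption set is what keeps an annotated account from being shut off again on the next pass.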
tdkyo (Rochester, NY; joined 2002-12-07), reply to wentlanc:
That might take too much time and money for an ISP to regulate it.
LrdVader (San Diego, CA; joined 2003-12-18):
said by tdkyo:
That might take too much time and money for an ISP to regulate it.
DSLExtreme does it. secure.dslextreme.com/reg_server/