nanog mailing list archives

Re: Quarantine your infected users spreading malware
From: Michael Loftis <mloftis () wgops com>
Date: Thu, 23 Feb 2006 15:01:17 -0600

--On February 23, 2006 9:09:26 PM +0200 Gadi Evron <ge () linuxbox org> wrote:

I don't really see how any ISP will terminate an account for just one
complaint, after all, it's losing money..

We have seen a few good examples of pretty big ISPs who said here how
quarantine works for them.

Got an example on how ISPs are kicking users out?

Speakeasy suspended my service for a week over a single report from someone. The mail never even travelled through or via any of my systems, the header bit that was called in was forged. It took a week to get them to give me the information they'd gotten in complaint. There was a forged Received header (completely fabricated, including the 'Qostfix' MTA) and also a forged HELO or EHLO of a non-existent host when it actually relayed it off onto someone else's MTA.

I can't remember the exact ISP...might've been RoadRunner or TW in Toronto, but a friend had her DSL or CableModem suspended, ended up changing providers. There was an infection, it was cleaned, they were allowed back on, then the ISP either received an old/backlogged complaint or something and they cut them off again, but the machines were all clean (indeed watching the network for traffic over several days revealed nothing that they claimed to be the problem).

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
