Vulnerability Development: Re: Publishing Nimda Logs

["Bernie Cosell" <bernie () fantasyfarm com>]

On 7 May 2002, at 15:32, Blue Boar wrote:

> Bernie Cosell wrote:
> > On 7 May 2002, at 13:49, Blue Boar wrote:
> > > ... My 
> > > ISP gave me some sort of email address when I signed up for DSL, and I have 
> > > never once bothered to see if there is mail in there. ...
> > And this is the *ISP's* problem?  Geez.  As if setting up your POP client 
> > to poll one more mailbox is a real burden [as opposed to the ISP having 
> > to handle tens of thousands, if not hundreds of thousands or more, of 
> > random customer mailing addresses, so as to spare you the burden].
> Yup.  If the ISP ever intended to use that to contact me, they would have 
> had to tell me.
It is actually stated in the account confirmation that customers are 
given [which tells them that they HAVE an account, how much they're going 
to be billed, confirms that we have the right account info for them,].

It didn't, and doesn't, feel like an AUP matter to me.

> > I can't speak for other ISPs, but I can tell you that the ISP I consult 
> > for assigns customers a mailbox when they get an account with us, and ALL 
> > 'company' info is sent to that mailbox --- support notices, outage 
> > announcements, availability of softwre upgrades, virus and spam reports, 
> > etc, etc (they can have several mailboxes, but there is *always* a 
> > primary mailbox associated with every account, both individual and 
> > commercial).  I can't *imagine* a customer being so arrogant as to argue 
> > that they can't be bothered to monitor the mailbox and so we should 
> > change our support scripts and support procedures to accommodate them... 
> > what a hassle ... 
> And do you ever let them know you will be doing so?  Does it say that they 
> must check the mailbox in the AUP?
No, in the 'agreement' they get when they set up the account [that's also 
where it confirms their monthly rate, and other info about their account, 
permitted access, phone numbers, which optional-services they've signed 
up for (website maintenance, attached domains, multiple mailboxes, etc)].

> > [and what should we do when a customer gives us 
> > "notreallyme () funnyaddr com" and the mail bounces because they changed 
> > addresses and didn't tell us?  Now we have to deal with THAT bother.] 
> Same as whatever you do if they don't check the box you gave them.
No, actually -- not checking the box is like not opening your mail... 
most of the time it doesn't matter [e.g., if we had an announcement that 
the primary mail server was going to be down from 2am to 4am so that we 
could cut over to a new UPS system, for most folk it'll hardly matter if 
you actually read that or not] and by and large the problems associated 
with such things are YOURS.

Bounces back to a control mailbox makes the problems OURS and are harder 
to ignore, although ignoring the administrative overhead, I suppose we 
could set up a special "customers-without-a-clue" bounce-address for them 
to go to so we didn't have to worry about it -- if they can ignore the 
mailbox, we can ignore the bounce... seems only fair, right..:o) 

    [although I note in this case it AGAIN shifts admin burden to the
    ISP rather than the customer: if something goes awry, the customer
    will probably complain "I *TOLD* you to change my contact email from
    A to B" [whether they actually remembered to or not -- a customer so
    unclued or so busy as not to be able to add one pop-box to their
    list of monitored boxes is probably not going to be real diligent
    about notifying EVERYONE when they decide that they're getting too
    much spam at THAT yahoo addr, and it is time to move to a new one].] 


> > Life's too short and ISP's have too much else to do.
> Oh, I guess that would be nothing, then.  So, the ISP never attempts to 
> make positive contact with the user, then?  Never cuts them off if they 
> don't respond?  Never picks up the phone to call their billing number?
We do, but it is expensive.  We can cut folk off if they're not 
responsive to something they HAVE to get in touch with us about [by 
tweaking the RADIUS auth for their account, for example], and that 
generally works: they call 'I can't log in'... oh... here, talk to the 
folks in accounting... or 'here, talk to the folks in operations'.  That 
takes one-on-one people time, which is a pretty costly affair...  life's 
a LOT easier if folk just read their email..:o)

Also, while I agree that it is a chicken and egg situation, since we 
*HAVE* told customers that there is a 'primary' mailbox, we can and do 
use the neat feature of qpopper to send 'broadcast' messages without 
actually having to SEND thousands of separate messages [which doesn't 
have an actual hook for "send REAL email bulletin board messages to 
<THESE> accts only" but maybe it does.. I'm not a real operations guy]

But I guess this isn't a forum for ISP policy.  Fact is that if we tell 
you "this is your contact mailbox and we'll email your monthly invoices 
and your domain expiration notices and operations announcements, etc, etc 
to that address" and you choose not to read that mailbox, then, well, I 
guess we'll hear from you on the phone when either something goes awry or 
you find out that we've had to (temporarily) crowbar your account.

In either case, if it were a real *burden* to monitor a random pop 
mailbox I'd be more sympathetic, but it is so close to trivial that 
accommodating that sort of request is certainly not something I'd put 
high on MY to-do list.

  /Bernie\
-- 
Bernie Cosell                     Fantasy Farm Fibers
mailto:bernie () fantasyfarm com     Pearisburg, VA
    -->  Too many people, too few sheep  <--