nanog mailing list archives

Re: Dutch ISPs to collaborate and take responsibility for botted clients


From: Rich Kulawiec <rsk () gsp org>
Date: Sun, 4 Oct 2009 08:35:01 -0400

On Sun, Oct 04, 2009 at 04:33:43AM -0700, Owen DeLong wrote:
> Uh... Here I differ.  The rest of the internet should put up with
> the abuse flowing out of your network for 3 days to avoid disruption
> to you? Why?  Sorry, if you have a customer who is sourcing malicious
> activity, whether intentional or by accident, I believe the ISP should
> take whatever action is necessary to stop the outflow of that malicious
> behavior as quickly as possible while simultaneously making all reasonable
> effort to contact the customer in question.

Exactly correct.  The number one priority, which trumps all others,
is making the abuse stop.  Yes, there are many other things that can
and should be done, but that's the first one.

Let me also point out that there's a problem with offering simple, automated
removal (as was suggested in the message that you replied to): resident
malware on abuse-sourcing zombies will very quickly be reprogrammed to
avail itself of that mechanism (on a per-ISP basis if necessary, if
this becomes widespread).  So there should be no automated removal process:
the intervention of humans should be required, doubly so as in most cases
the putative/former owner of the infected system is unaware of any of this.

---Rsk

