Horrible Service Agreements

So far, we have accepted a proposal pending contract approval for TWO
different potential upstreams. Both quoted a price of around 2500 per
month including local loop. However, the contract terms include what I'm
terming an anti-spam clause which generally states that if us or any of our
clients or their clients decide to "prevent others from enjoying the
internet" (paraphrasing) they can terminate us immediately and make us pay
for the remainder of the year term.

Unless you're just new to the Internet, you know that spam is a very
pervasive problem. I'm very glad to see at least some hint that some
backbone providers are starting to clamp down.

Each (or maybe better said one or more) of the contracts also included
other terms which I felt were totally unreasonable. Such as not being able
to mention the name of your upstream. Makes it kinda hard to tell
potential clients who you are connected to. Another required us to
upgrade our equipment based on whatever specifications they felt was
necessary at that point. And there were more.

You must convert to BGP5 if/when such an animal comes out, for example.

As for not mentioning the name, I do find that kind of quirky, especially
since it's easy to figure out (well at least for the net savvy among us).

Now, I understand the need to be able to terminate spam havens. I also
understand the need to require your customers to use compatible and
reliable equipment.

So do I.

So is the strange clause about hiding the backbone name the one you are
worried most about?

Let me explain my problem -- Lets assume that customer "a" decides to
purchase an account on our system to send out spam. We don't know he's
planning to do this, but he does succeed in sending out 10,000 messages
before we find out. Under both agreements, we can be immediately
terminated without notice and be required to pay for the remaining time on
the 12 month agreement. Regardless if we terminate the offending user as
soon as we find out or not.

You make contract clauses all your customers have to sign that requires
them to pay all costs and overhead for any problems they cause.

Another example. Lets assume that someone in our upstream decided that we
MUST have a $250,000 router to connect to their system. If we can't
provide such a beast, we are immediately terminated and required to pay
for the remaining year term.

On a T1? Not likely. I can't see them requiring any kind of upgrade that
isn't required of all other like customers. More likely this clause is
there to make sure that you don't run some buggy version of software and
not do something about it.

Both of the potential upstreams have been wholly unwilling to negotiate a
contract in good faith to resolve these issues.

If they perceive you as a "mom and pop" outfit, they are likely to do this.
What is your relationship to The Montana Internet Cooperative?

I know that nanog is probably not the best forum for this, but I figured
it might be a good place to start to look for a provider which can:

   a) Sell us a T1 line, with BGP4, with local loop to NPA NXX 406 443
       for about $2500/month, on a year term or less.

   b) Not have such rediculous contract language.

Given the remoteness of Montana, local investment by the backbones does
not generally give good returns. I can't give you a T1+loop at that price
because hauling the line in is too expensive.

There has to be a market there to make it worth while.

If you had ALL of Helena signed up as a customer, could you afford the cost
of hauling your own T1 all the way to Denver or Seattle or Minneapolis to
connect up to a major backbone there? Would a T1 be enough for the town?

I'd also like to hear what types of contracts are actually signed by
providers and if they are actually read before they are signed.

In my previous job, contract terms were negotiated. But it is a lucrative
and competitive market here in Dallas Texas. It was a non-ISP business and
a backbone eager to get lots signed up.

What providers have come to Montana?
Where are you willing to haul your own line to?

You might need to expect to pay more.

> month including local loop. However, the contract terms include what I'm
> terming an anti-spam clause which generally states that if us or any of our
> clients or their clients decide to "prevent others from enjoying the
> internet" (paraphrasing) they can terminate us immediately and make us pay

Unless you're just new to the Internet, you know that spam is a very
pervasive problem. I'm very glad to see at least some hint that some
backbone providers are starting to clamp down.

I don't think anyone disagrees that spam is a major problem and not an
acceptable thing to have customers doing. What Forrest was complaining
about was much too harsh an anti-spam policy. I doubt Forrest would have
a problem with "If your network is repeatadly used to distribute spam and
no effort is made to stop this, service may be terminated." What he was
complaining about was that they were basically saying "If your network is
ever used to distribute spam, we have the right to terminate service
immediately and levy severe financial penalties." This would mean that if
they ever have a customer spam, even if they nuke the account as soon as
they know about the spam, they might lose that T1 and a lot of money.
Whoever wrote those clauses was either way too naive, militant, or just
entirely without clue.

You make contract clauses all your customers have to sign that requires
them to pay all costs and overhead for any problems they cause.

Good luck collecting on that when some 12 year old sends out make money
fast. Are you willing to bet your connection to the net on that?

You might need to expect to pay more.

Especially considering his remoteness. $2500/month for port and loop sounds
pretty good to me. Many of the "bigger" backbone providers charge that just
for the port fee.

> Now, I understand the need to be able to terminate spam havens. I also
> understand the need to require your customers to use compatible and
> reliable equipment.

So do I.

So is the strange clause about hiding the backbone name the one you are
worried most about?

Actually, no. What I'm worried about is that under both contracts we've
seen so far (From two different providers) if a single customer sends spam
(or even flames another user, the way they're written) and our upstream
finds out, then they have the right to terminate immediately without
notice to us AND then require us to pay for the remaining service.

Sprint's policy is much better which basically states:

   "Complaints about customers or end-users of a Sprint IP customer
    will be forwarded to the Sprint IP customer's hostmaster
    for action. If irresponsible or illegal activity continues, then
    the Sprint IP customer's Products and Services may be
    subject to termination or other action as Sprint deems
    appropriate without notice."

> Another example. Lets assume that someone in our upstream decided that we
> MUST have a $250,000 router to connect to their system. If we can't
> provide such a beast, we are immediately terminated and required to pay
> for the remaining year term.

On a T1? Not likely. I can't see them requiring any kind of upgrade that
isn't required of all other like customers. More likely this clause is
there to make sure that you don't run some buggy version of software and
not do something about it.

I have no problem with that. We'd just like to be able to get out of a
contract under the (unlikely) circumstance that we are either unable or
unwilling to comply with their requirements - Without paying up to
$20,000.

> Both of the potential upstreams have been wholly unwilling to negotiate a
> contract in good faith to resolve these issues.

If they perceive you as a "mom and pop" outfit, they are likely to do this.
What is your relationship to The Montana Internet Cooperative?

This is for the Montana Internet Corporation. (Haven't changed the names
on the internic records yet.) I'm on the board of directors and one of
the system administrators.

Given the remoteness of Montana, local investment by the backbones does
not generally give good returns. I can't give you a T1+loop at that price
because hauling the line in is too expensive.

There has to be a market there to make it worth while.

If you had ALL of Helena signed up as a customer, could you afford the cost
of hauling your own T1 all the way to Denver or Seattle or Minneapolis to
connect up to a major backbone there? Would a T1 be enough for the town?

We could "afford" to drag a T1, although it would put a fairly deep
strain on our resources. That isn't the issue. Basically, if we
stick with MCI, AT&T, etc. (I.E telcos) we can easily get T1
service + loop for under $3k. I'm just leery of getting 30 days further
down the road with ISP #3 just to find that they have the same terms in
their contract which they won't let us see until we agree to a proposal
which takes them 30 days to produce.

-forrestc@imach.com

The contract probably includes a clause that if a clause is found to be
unenforceable, then that clause will be deleted, and the remaining clauses
will continue in effect.

However, do not let yourself be cornered into paying different rates for
different traffic content. I would cross out those clauses. Otherwise,
they will be able to charge you more for a "spam line" later. If its truly
unacceptable, then walk away.

I suspect legally, things will go the same way for spam as they did for
telemarketing, bulk postal mail, commercial tv and radio. Money talks.
Which is why investors built these commercial networks anyway.

I suspect that much spam can't be stopped, without a constitutional
amendment. MCI can't disconnect phone service from telemarketing
companies, MailBoxes Etc can't refuse to deliver bulk mail, and I doubt a
major company can disconnect major spammers who send legal messages.
Indeed, someone might even suggest some actively target and solicit such
companies for service for the tremendous revenue they produce.

Eventually, someone will sue over spam, and the issue will be settled.

Furthermore, I suspect the "concern" is mostly smoke too. Despite all the
claims of spammer problems, I have not seen any significant change in the
amount spam I receive over the last 6 months, and I seem to get a lot from
the same sources. They don't get shut off, and then pop up somewhere else,
as one would expect if anyone was actually doing anything about spam.
Complaints about AGIS spewed on this group, but no else has done anything
measurable, either.

How many ISP's are really going to disconnect spammers? Has anyone
actually disconnected a spam customer? How come cyberpromo and savoynet are
still connected? They must connect to someone who connects to someone...
who has an AUP that is being violated. Why isn't their provider
disconnected?

I think its pretty clear that it doesn't matter to the network service
providers what the contents of your packets are. You will have paid for
them no matter what they contain. The customer is paying for, and is
therefore entitled to, some amount of bandwidth of whatever garbage they
choose to send and receive.

Likewise, it doesn't (shouldn't) matter to the phone company whether your
leased T1 is carrying internet traffic or voice traffic to a PBX somewhere.
It should be the same rate regardless of the content of the traffic.

Schemes which change rates depending on the content are not in the interest
of the customer. So when you are in the role of customer of your uplink,
don't accept them.

    --Dean

Dean Anderson wrote:

I suspect that much spam can't be stopped, without a constitutional
amendment.

Wow! What a heavy-handed way to fix a problem which has
a purely technological solution.

Cryptography can be used to produce non-transferrable keys
allowing some party to send message to a particular recipient.
Messages can include "right to respond" keys.

The problem with authenticated messaging is how to send a message
to a person who was not in any kind of contact with you before.
Fortunately, this is not much of a problem, with adequate
key distribution scheme, because there's always some kind of
community both parties belong to before they exchange messages
(obviously, since the sending party got to obtain address from
somewhere). Such community message board can provide its members
with keys allowing them to communicate to each other directly.

Now, communities will have to perform some kind of authentication
of its members to exclude abuse. Which means that USENET cannot
be covered by this scheme; but isn't it already nearly dead?

I was always saying that Internet is quite a step forward in
promoting a right to speak. Unfortunately as-is it is very bad
at promoting the right not to listen.

--vadim

Cryptography can be used to produce non-transferrable keys
allowing some party to send message to a particular recipient.
Messages can include "right to respond" keys.

The problem with authenticated messaging is how to send a message

Wow! What a heavy-handed technological alternative to the delete key.

I was always saying that Internet is quite a step forward in
promoting a right to speak. Unfortunately as-is it is very bad
at promoting the right not to listen.

I disagree.

The right not to listen is appropriately exercised by the delete key. What
has been discussed are means to suppress speech by others. The right to
respond? And some people don't have such a right? Sounds like some
communist countries that don't exist anymore. Didn't that cause riots,
wars, insurrection, mass killing, and other bad things?

Usenet perfected the solution to this problem many years ago: kill files,
and personal filters. Of course, that is my point: we have already been
through these problems years ago, and found acceptable technical solutions
for them. But people insist on getting their underwear in a bunch
regarding spam, and inventing new solutions to old problems.

This may be too political for continued discussion on nanog. If people
want to continue, will the next respondent add the relevant parties to the
cc list and remove nanog?

Also, I'm very interested in hard numbers on:

  T1, or T3 spam disconnects made (not just complaints made)
  Revenue forfeited due to these disconnects
  Information on how many spam factories there were, and what they are
doing now. Did they quit, go somewhere else? They must have netly
employees who were known and can be located again.

  Have any *custoemrs* disconnected from you due to spam? This thread
started over the provision in a contract to disconnect the customer. Has
this been used in reverse to get out of a contract with a provider?

  Also, is anyone even considering breaking peering agreements with uplink
spam sources. (AGIS comes to mind, sorry AGIS).

Please email me privately.

Thanks

    --Dean

Wow! What a heavy-handed way to fix a problem which has
a purely technological solution.

I can set up a closed e-mail system now. We all agree that's
technically straightforward. The problem is that it is of great value
to me that any of the 100 million legitimate users on the net can
easily send me e-mail and I can respond to them equally easily, and a
"solution" that cuts them out to get rid of the spammers is cutting
off your nose, both ears, and about nine fingers, to spite your face.

Now, communities will have to perform some kind of authentication
of its members to exclude abuse. Which means that USENET cannot
be covered by this scheme; but isn't it already nearly dead?

Neither can the existing SMTP mail network, unless you want to overlay
a crypto system on that. But you could do that with usenet as well if
you wanted to.

Besides, as soon as the communities got large enough to be
interesting, you'd find spam leaking in via providers who value short
term profit over long term interests, same as now. Spam is a social
problem, not a technical one, which is why technical solutions will
never be more than a stopgap.

There's lots of other places to discuss spam, anyone who doesn't already
know what they are is welcome to e-mail me for a list, or visit
http://spam.abuse.net.

Regards,
John Levine, postmaster@abuse.net, http://www.abuse.net, Trumansburg NY
abuse.net postmaster

John R. Levine wrote:

The problem is that it is of great value
to me that any of the 100 million legitimate users on the net can
easily send me e-mail and I can respond to them equally easily, and a
"solution" that cuts them out to get rid of the spammers is cutting
off your nose, both ears, and about nine fingers, to spite your face.

That's one big mistake. Before anybody will easily send you e-mail
he has to get your address from somewhere and determine somehow that
the person is interested in hearing from you. That process can just
as well include obtaining personal or community authorization.

Neither can the existing SMTP mail network, unless you want to overlay
a crypto system on that.

That's what i'm calling for, instead of asking politicans and lawyers
to come and save us from ourselves.

But you could do that with usenet as well if
you wanted to.

Yes, but it is dying for other reasons, too. For one, it doesn't
scale. There's no particular reason to perpetuate that silliness.

Besides, as soon as the communities got large enough to be
interesting, you'd find spam leaking in via providers who value short
term profit over long term interests, same as now.

My point is: provides should deliver bytes, not play police. The
communities should have tools for self-policing. If you want to
participate in an "open" community where everyone can join, you're
welcome; most of us would want to participate in a bit more closed
communities.

Spam is a social
problem, not a technical one, which is why technical solutions will
never be more than a stopgap.

Goodbye, clue.

The lack of freedom of press for those who don't own the press also
was a social problem. As well as lack of clean water.

Are you're going to tell that political methods solved those problems?
To solve them the societies needed the technology first.

Spam has no political solution, as long as there's no technology to
enforce it. The good news is, with the appropriate technology there's
no need for legistlation or anti-spam activism.

There's lots of other places to discuss spam, anyone who doesn't already
know what they are is welcome to e-mail me for a list, or visit
http://spam.abuse.net.

Thank you for playing a search engine. I'm subscribed to NANOG and talk
about things which are discussed here. If I wanted to participate in
pointless discussions, I would join the socially-bent antispam lists.

As of now, I consider spam an operational problem which calls for
technological solution. As such it is quite relevant in NANOG.

Regards,

--vadim

That's one big mistake. Before anybody will easily send you e-mail
he has to get your address from somewhere and determine somehow that
the person is interested in hearing from you. That process can just
as well include obtaining personal or community authorization.

My address is printed in about two million copies of books that I've written
because I want my readers, most of whom are not technically sophisticated, to
write to me. That's an extreme case, but lots of people put their e-mail
addresses on their business cards and in their newspaper ads because they
view e-mail as a way to contact people, not as a way to throw up walls. Much
though we wish it were otherwise, spammers can read as well as anyone else
and can use those addresses the same as legitimate users. If you put up
technical blocks against spammers, you also put up blocks against lots and
lots of legitimate e-mail users.

The lack of freedom of press for those who don't own the press also
was a social problem. As well as lack of clean water.

Are you're going to tell that political methods solved those problems?
To solve them the societies needed the technology first.

They needed both. (I can tell you a fair amount about clean water, being a
municipal water commissioner*.) But that doesn't have much to do with spam
other than that there are economic externalities in spamming that technical
approaches are unlikely to change anytime soon.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47

* - Yes, my signature says Sewer Commissioner. It's a small town, I do both.

Erm, say you put your address on a webpage.

Now, whats the difference between someone clicking it and sending you some
'signed' email (the key being on the page or embedded in the mailto: tag
or some crap), and an email-address-grabbing-webcrawler grabbing your
email address AND the signing information too? Whoops, that idea goes out
the window.

No matter how you put it on the page, I'm sure someone will write a
program that is intelligent enough to extract the info.

Adrian

But it was laws that curbed junk-faxing, not technology. Nobody modified
their fax machines to stop people from UCF - fear of prosecution did the
trick.

If laws are written right you could at least (1) hold any U.S. business
responsible for spam promoting their business (2) protect
backbone providers from suit for blackholing spamhaus and (3) provide for
prosecution of providers such as AGIS, ACIS, Bell Atlantic etc. who refuse
to act against these electronic-resource thiefs. If a provider is given
notice to shutdown a spammer within x number of days or be penalized for
not complying it could quickly become very difficult to keep a link. For
the rest without web sites/email start levying heavy taxes and fines
against them and sick the IRS on them to collect. In fact if there was a
$10 advertisement tax fee for each spam it would probably be the end of a
lot of it.

Or we could come up with a combination of law and technology somewhere in
the middle with the same results and less government. But the providers
who knowingly continue to allow spam to spew from their networks need to
be held accountable. (The "habitual spamhaus", not the providers who act
upon reports of UCE.)

How difficult would it be technically to have a filter at your gateway
that would shut down or throttle this kind of emailing without killing
performance? Could it be done in a future flavor of BGP? Statistically
by AS perhaps?

Furthermore, I suspect the "concern" is mostly smoke too. Despite all the
claims of spammer problems, I have not seen any significant change in the
amount spam I receive over the last 6 months, and I seem to get a lot from
the same sources. They don't get shut off, and then pop up somewhere else,

How many ISP's are really going to disconnect spammers?

We have, and a lot of other ISP's of varying size have.

actually disconnected a spam customer? How come cyberpromo and savoynet are
still connected? They must connect to someone who connects to someone...

CP is down. Savoynet is supposed to be down, though that's under debate.