> ... Then I went to work for a so-called "Tier-1" and learned in short
> order that this policy does not scale, especially when abusive
> customers with DS3s are waving around fully loaded lawyers.
...
If your well lawyered customers complains, wave the AUP at them, if your
AUP doesn't allow you to disconnect customers who imperil your network and
the Internet at large, rewrite it.
on the one hand, i just want to say, this works. dave rand had written the
original abovenet AUP and while many lawyersticks were brandished, nothing
ever happened except that spammers had to seek their services elsewhere.
(note: some said that e-bay in the early days was a spammer, but i disagreed.)
(note: abovenet today is a different entity than the abovenet i'm describing.)
on the other hand, i just want to say, many isp's are in business to make
money not save the world, and if a stronger AUP would mean fewer customers,
then the management team is going to have a very hard time justifying a
stronger AUP to their shareholders.
while at MAPS, i often encountered spammers whose explaination was, "this is
the behaviour others exhibit and if we don't do it we'll be noncompetitive,
but if you can get the others to stop, we'd love to stop also." my response
was (predictably) "you have to do the right thing, right now, and it doesn't
matter what other people do, MAPS will get around to them eventually." this
ideological divide was much more complex than the usual "good vs. evil".
since we're talking about laziness, let's look at two ways in which we (nanog
"members" and others like us around the world) have been lazy, for decades,
and have therefore helped to create the current miserable "abuse" situation.
1. there is no single and widely used abuse reporting format that can be
automated at both the victim and responding sides. therefore ntlworld (and
others) would have huge costs in trying to parse and understand abuse reports,
and so they don't do it, and then they offer up javascript-based web pages
to try to automate their end, which makes it impossible to automate the other
(victim) end, and so doesn't scale no matter what.
2. there is no single, compelling, honest ethical standard like "the good
housekeeping seal of approval" in our industry. instead we have Trust-E
whose seal is used by abusers worldwide (their privacy standard still does
not require verification of permission, even though everybody knows that
SMTP isn't trustworthy) and other similar ventures, many of whom went out
of existence with the dotcom crash, or which are similarly spineless.
as individuals, we are not lazy. you want evidence? look at the dozens of
incompatible attempts to solve #1 and #2 above. these were legitimate, heart
felt attempts by qualified and dedicated individuals. but nothing "sticks",
partly because disallowing outbound abuse only reduces revenue and only
increases expense (while only reducing expense and only increasing revenue
for competitors), and partly because nobody wants to adopt an existing
standard since it's so much more fun to invent something new.
given solutions to #1 and #2 above, well designed and well marketed, it could
become possible to require compliance as part of RFP's and peering contracts,
and management teams worldwide would be able to look their shareholders in the
eye and say that compliance isn't noncompetitive because there are forces that
will make the competition have to comply also.
but while as individuals we might have lots of energy for this fight, as a
community we are lazy, and we'd rather think about next generation router
design than next generation abuse design. and yet it always seems to surprise
us when the greedy undereducated middle managers, salespeople, and lawyers
keep finding new ways to make the abuse problem worse. lazy, lazy, lazy.