Trial accounts (Re: MAKE SPAM ...etc...)

As a result, *ALL* SMTP mail traffic from Interramp's networks
has been blocked at the router level here.

I would encourage *EVERY* responsible ISP to do the same.

I doubt many (esp. large providers) will start filtering IP/SMTP
traffic because (1) filters suck precious CPU, (2) they'd have to
maintain frequently changing filter lists, (3) and they'd increase
potential liability for traffic monitoring/filtering.

Note: Below is a long non-operational, non-routing rant. Don't say
      I didn't warn you. You may also want to followup to me
      personally rather than the list (thus the Reply-To header).

I personally have been disappointed at PSI's unwillingness to
police its trial members. It's more than Usenet or mailing lists.
I get InterRamp spam directly to misspelled user accounts at a
domain I manage. For the first incident, I sent repeated mail to - no reply. For another I tried to
additionally involve CERT because the message content advertised
special SPAMing software that might bring on more clever SPAMers.
I believe CERT's attitude (perhaps rightly so) was to sit on the
sidelines. While I've given up on chasing down SPAM (not my job)
and usually just delete them, I sometimes forward them on to people
who might care to know about them (too-good-to-be-true deals go to
an SEC friend, trademark violations are forwarded to a companys'
whois contacts).

... but it's more than just SPAM. People are going to use trial
accounts for more sinister problems: anonymous hacking and anonymous
credit card fraud. The following true is a true story:

  In July my bank company called me to ask if I knew anything
  about multiple $39.95 purchases. "Uh no, why?" It turns
  out that someone was using my credit card to access "Club
  Love", a Web-based porn service. "What!?!" (Yes, this not
  something I do.) They racked up over $1100 in charges. I
  quickly had my card cancelled (great, no Visa/ATM for a
  week) and then at the advice of my bank called "Club Love"
  to ask for a credit. They didn't credit me until they
  had a threat of a charge-back on them. I wanted to help
  them chase the ba&tard down too. They had Web logs, and
  they knew from where the requests came, apparently some
  pool-address dialup account. It's happened before, and in
  a previous occurence the ISP refused to track down the caller.
  I'm assuming it was a trial or anonymous account since crime
  is grounds for dismissal in anyone's service.

  I know that it's possible that IP addresses can be traced
  back to PPP interfaces which can be traced back to calls
  which (with some dialup manufacturers) can be traced back
  to the caller's ANI info, but I've hit a brick wall. To
  get any of this info out of an ISP would require a court
  order at a minimum. I have no recourse because I haven't
  lost any money, and I'm told that felony credit card fraud
        has a $2500 minimum so my local DA won't care. My bank is
  concerned, but they have no recourse since they didn't lose
  money. Only "Club Love" has lost money, and I use "lost"
  loosely because like the First Virtual risk model (*) there
  is no tangible loss from a person's downloading bits from a
  Web site.


Mostly-victimless crimes like this are likely to become more common
as users see that no one is inclined to catch them. SPAM is nothing
in comparison to a presidential e-mail death threat or hacking into
some online bank's financial system - but it'll likely happen one day
which is why some might want to think twice about their trial account

So how does this apply to NANOG? We're just Internet jockeys, right?

In addition to being the routing resource for your company, your
marketing people probably ask your opinion about new products or
at least force new products down your (or your coworkers') throats.
One day you'll be asked/told about the idea of mailing out drink
coasters (er, I mean "trial account floppies") to people. Here are
some considerations you may want your marketing people to ponder
if/when that happens:


- How many support man-hours will be spent chasing, responding to,
   removing, and in general dealing with customer SPAM?

- What policies will you have in place to discourage SPAM?

- ... or (like some) do you just take the PR hit and not deal with it?


- How much data can you have about every session or transaction?

- Of that data, what's public information and what's private?
   Most would consider dial ANI info, account information, E-mail,
   Web transactions, and IP packets contents to be private data.
   Some would consider IP packet headers and e-mail headers to
   be public. Usenet postings are certainly public.

- How much of that data do you maintain? All of it? None?
   Some, but not all? If you choose not to maintain some data,
   how liable are you? Do you have enough disk space? How do
   you manage offline storage/backups?

- How willing are you to research through that information for
   a third party? Some third parties to consider:
  A hacker, your employees, another customer, a sysadmin
  at another service provider, local law enforcement (court
  order required?), federal law enforcement, secret service.


- Do you provide limited or unlimited Internet access? Do you
   enable your customers (access to news poster, Web/FTP accessable
   disk space)? At least with online services, their trial customers'
   effected only other customers, not 30+ million people around the
   world. For potential SPAMers, consider keeping your trial customers
   from using a non-local posting distrbution (how will they know the
   difference? ;^), and limiting them to only e-mail to a fixed number
   of messages (20?) or keep it inside your service. For hackers,
   consider firewalling your customers so that they can only use
   popular ports like Web, Netrek, and Kali, and not Telnet, X-Windows,
   SMTP, etc...

- When your trial customers access the internet, whose domain
   name shows up on the PTR records or the e-mail address? This
   is important because the person in the Whois database as a
   technical or administrative contact is usually the one that's
   called or e-mailed when there are problems.

- Do your potential customers know up front that they're liable for
   how they use their account? Do they know you're not (willing to be)
   liable for their actions?

If you give these questions to your marketing people and if you're
lucky, they will have more than enough to chew on to keep them busy
for a couple months so that you can get back to router configurations
and peering problems. If they insists on going ahead with the trial
subscriber disks anyway, insist that they need to hire a team of at
least two FTE support people per 800 customers who are at least as
smart as you (good luck :^), hire a couple system administrators who
are also programmers (whee!), and put an online-savvy attorney on
retainer (even harder to find!). Oh yeah, they'll have to buy you
the RAID farms you've always wanted and buy into your previously
ignored security philosophies since you can no longer trust your
customers to be good people. If that doesn't work, perhaps only
Dogbert can help.