COX blocking own users outbound email
Jeff Kinz
jkinz at kinz.org
Sun Sep 3 20:53:01 EDT 2006
On Sun, Sep 03, 2006 at 04:02:25PM -0400, Ben Scott wrote:
Thanks for responding Ben. <Grin> I was expecting you to.
In my last post I tried to say what I thought was needed and why it
couldn't happen. As the current situation makes it very difficult to solve
the problems in the ways I'm discussing here, it's really neat that you
are interested in discussing it. Especially since (IIRC) you work inside the
ISP business, you are bound to have specific technical insights about why
these things can't be done.
> > From: Jeff Kinz <jkinz at kinz.org>
> > To: gnh <gnhlug-discuss at mail.gnhlug.org>, blug <discuss at blu.org>
>
> Isn't it supposed to be poor form to cross-post controversial subjects?
No. This is a long running thread that has been present in both of these
email lists literally for years. But if you like I can post it
separately in each list next time. I certainly discuss it both places.
(and these aren't newsgroups; it's germane to both lists. UNIX, Linux, Open
Source and the internet are in many ways all part of each other.)
> On 9/3/06, Jeff Kinz <jkinz at kinz.org> wrote:
> > Long time internet users viewed port 25 traffic as part of the inherent
> > bundle of services and "internet connection" provided by any ISP should
> > include.
>
> Some view it that way. Others say, "Hey, if I'm an operator, I get
> to be in control of my network. It's not your network, it's mine. If
> you don't like it, go somewhere else."
The problem here is that we have a business running part of the public
infrastructure. Sadly, human nature being what it is, this never works
out for the best. The business never chooses to run the infrastructure
in the way that is in the best interests of the people it serves.
In fact, officers of a public company could possibly even be sued if they
did so, since it would cost money and that could be in conflict with
their fiduciary responsibility to their stockholders.
The supposed choice implied by "If you don't like it, go somewhere
else." is nonexistent. It's a false-choice frame-up. There is no
"somewhere else" to go to get away from this problem.
Like most people in the USA I currently have two or fewer choices for
high speed residential broadband access. Even when including dial-up
providers the same restrictions are in effect because of the standards
created by the duopoly. They all do this, so there is no real
choice.
" It's not your network, it's mine."
Yup - our information highway is a toll road, for now.
And that's the problem. The infrastructure material/physical assets are
owned by the wrong entity. The tail is wagging the dog.
Why do you think the cable/phone duopoly HATES Muni-Wi-Fi projects so
much? :-) They could lose their monopoly!
The first problem is that the network belongs to the phone/cable
company. This is the most important thing to correct. The
networks will have to be more like the local road system. The
towns/cities/counties/states need to be the owners of the infrastructure
and the ISPs need to compete to earn the opportunity to run pieces of
it. (Want to keep the economies of scale
We need technology companies competing to earn the right to run each
part of the network just like construction firms compete to build parts of
the road system. Currently the phone and cable companies can't lose
their business, and their behavior reflects that.
With real competition, each year a company can lose the business if it
hasn't done a good job or has tried to milk it for too much money. For
the very first time in history the phone company would actually have
a direct business reason to do a good job at a low price instead of a
premium price.
>
> > (When they took the Jews away I kept quiet because I wasn't a Jew, when they
> > took the teachers away I kept quiet because I wasn't a teacher...)
>
> Can I invoke Godwin's Law here? (It was trade unionists who came
> after the Jews, BTW, not teachers.)
OK, unionists..
Removed from its context, it doesn't respond to the point, and doesn't
make any other point either? Why put it in? (I mean, if it was funny or
something I could see it, but..)
The point of the original context was that history has shown, many
times, that if you let a small group of people get persecuted for unfair
reasons, you are enabling the persecutors to do it to whomever they
want for any reason and get away with it.
While not a cataclysm like WWII, recent events (SBC stating they will
charge content providers like Google, Yahoo and YouTube twice for carrying
their bits over the internet) show that this is happening. The duopoly
does not view the internet as part of the public infrastructure, but as
part of their private profit factory. As public utilities, that is not
what the phone company and the cable company are supposed to behave
like. Unfortunately they are no longer public utilities. Legislative
changes (lobbied for by guess who.. ) over the past 2 or 3 decades have
slowly changed the legal status and oversight/control system which were
supposed to make sure these entities operated for the public good into
private enterprises with hardly any oversight at all.
For more info on how the electric power industry did the same thing, see
a book called "The Power Struggle"; it's excellent.
>
> > The answer is the same as it was years ago. When a user misbehaves and
> > their connection provider doesn't take care of it, the other connection
> > providers cut them off from the internet completely.
>
> Interesting. So when a single given ISP does not provide port 25
> outbound, that's evil censorship, but if all ISPs block everything
> from an entire ISP, that's the way things are supposed to work. Huh?
Stopping illegal behavior is "Censorship" ?
I'm talking about illegal behavior, and enforcing the restriction of
that behavior. Not, as has already been done by some ISPs, restricting
their customers' access to websites whose politics are in opposition to
the ISP's politics. (Rogers Cable, Canada, IIRC)
Instead of having an eternal policy of "Harm all innocent users", which is
the current ISP standard, we would have short durations of disconnection
for specific ISPs who have failed to do their job. Those durations would
be as short as the ISP's responsiveness to the problem.
Those ISPs who fail to correct their behavior simply go out of
business. And we wouldn't miss them, since they would be the ones who
were too accommodating of the spammers and pedophiles.
The IDP wasn't "censorship" in the old days and it still isn't. If you
want your network to be connected to the whole network, you make sure it
doesn't harm the network or you get disconnected. Another "good" ISP
will take over either the customers or the bankrupt ISP's facilities and
customers. During the time when this new policy is being put in place
there will be some pain, but it's a good trade-off because it's going to
fix the problem.
>
> > In the "old days" a college's IT department had a budget, they spent it.
> > done.
>
> In the "old days", using the Internet for commercial purposes was
> forbidden, and it was basically an ivory-tower research network. When
> one opens the doors to the world, one has to realize that the bad will
> enter with the good.
So a mixture of commercial and personal activities can't be well behaved
or regulated?
I disagree. No system is ever perfect, but, again taking the
road/highway system as an example you can achieve a specific level of
proper behavior if you are willing to do so. If you break the rules
severely enough on the road you will eventually get caught and get a
ticket, do that enough times and you lose your driving privileges.
The duopoly lacks the will to do this because they see no profit in it.
Again, they have no interest in running their business in a way which
is in any way considerate of the fact that it is nominally part of the
public infrastructure. Because of that, sometime down the road, they
will lose the benefits of being part of a duopoly because eventually a
true public network infrastructure will be built.
>
> > Is there room for the IDP today? The ISPs will say no, simply because
> > such a thing would require expensive efforts and would impact their
> > cash flow.
>
> It's a tough situation to be in. Vast amounts of spam originate
> from all over the place. Presently, in many cases, this spam
> originates from compromised machines, which together are operated by
> the vast majority of Internet users. Do you suggest we IDP everybody?
Nope - an effective solution to zombied systems is easy to implement
and very, very precise.
My log files identify thousands of unique IPs attempting to attack my
system through various means. These attack vectors are easily identified.
I have, at various times, reported these IPs and the times of their
attacks back to their ISPs. Nothing was done.
If the ISP simply disabled those accounts' ability to connect to anything
but a web page saying "Your system has been taken over for illegal use.
Please get it fixed and then contact us by ...", they could
easily shut down all the zombied systems until they had been cleaned.
These actions are easily automated and once a zombie system has been
identified by an outside report it is easy to automate a process that
would monitor and verify that the account's computer has been taken over
thereby eliminating any possibility of fraudulent accusations being used
to harm those who did not have a zombied system.
Anyone who has worked at an ISP knows it is trivial to identify the
owner of any account that has logged on, even when dynamic IPs are used.
All you need is the IP and the time. Easy.
As for automating the reports of zombied attacks, add a plug-in to
Symantec, Norton and the software-based firewalls. You can even have
each report signed with a PGP block to verify that it's a real report.
Each vendor and ISP would have a unique signature that verifies they
are actually the source of the report.
Once this technique is widely deployed (which basically means Comcast
and the two remaining RBOCs), the volume of spam traffic will be
substantially reduced and we can turn to the ISPs and countries who
are letting the spammers get connected. A short chat with them, and a
shared database of known offender data signatures, will help quite a bit.
>
> The situation is nowhere near as black-and-white as many people seem
> to think it is. In particular, nobody seems to realize that network
> operators aren't fscking magic wizards. We're techs like many others
> here are, and we're trying to do the best we can in a very imperfect
> world.
The problem is not the techs or the technology. Everything I've
proposed is doable with current technology and even old technology.
The problem is that the ISPs have no interest in doing it because it
costs money. The techs need to be given the resources (machines,
manpower, and connectivity) and the directive to make it happen. The
ISPs will not do this until they have no choice. Would the ISPs have
to increase prices to pay for this, and would the increase cause them to
lose customers? Comcast and the two remaining RBOCs certainly don't
need to increase prices to pay for it. Their NOCs are already
highly centralized and automated. Adding these capabilities would be a
matter of adding some scripts and a database.
Even if the current Mega-routers can't do the monitoring needed, adding
some high-end PCs with the appropriate network interface in a vampire
tap configuration would allow them to bring sufficient extra horsepower to
bear on the data stream without disrupting the operation of the NOC.
Of course ... those taps are already in place thanks to the generosity
of the last four or five federal administrations.... :)
> > Further it would impact peering contracts and SLA agreements where
> > applying the IDP would mean breaking committed, legal contract
> > terms.
>
> Bullshit. Just about any agreement (SLA, TOS, AUP, etc.) already
> has exceptions for activity which harms the operator's network.
Oh, good. Well then, shut off the offending ISPs even if you have
peering agreements with them. I'm sure you won't get sued. :)
>
> > As a final issue, those same laws would have to be put in place on a
> > worldwide basis.
>
> That's a big part of the problem. And just like building a wall
> around the US and isolating ourselves from the rest of the world isn't
> a practical solution to brick-and-mortar security, firewalling out the
> rest of the world isn't a practical solution to the spam problem,
> either.
Um, you appear to be agreeing with my statement above that it would have
to be done on a worldwide basis. Clearly any organization or country
that cuts itself off from the rest of the internet is giving itself the
IDP. ;-) "Cutting off your nets to spite your face." :-)
> On 9/3/06, Jeffrey Creem <jeff at thecreems.com> wrote:
> > I don't know what the right answer is, but it is not the current
> > path that we are on.
>
> That I agree with -- both parts.
I told you, we need an Emperor! I'm still available. :-)
Note:
There are multiple different ways ISPs can assist their customers with
getting their systems cleaned up, and they are all revenue opportunities
for the ISP as well as being things that help the customers be sure that
their financial identity information is not going to be stolen.
(assuming it's not already too late.)
--
Jeff Kinz, Emergent Research, Hudson, MA.
Speech Recognition Technology was used to create this e-mail
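The automated zombie-reporting pipeline sketched in the post (pull attacking IPs and their timestamps out of local logs, then hand the ISP an authenticated report it can act on), as an added example that is not code from the thread or from any vendor named in it. It assumes constructed sshd-style syslog lines and uses an HMAC over a shared key as a stand-in for the per-vendor PGP signature the post proposes.

```python
"""Added example (not from the thread): zombie report (IP + timestamp) from auth logs; HMAC stands in for PGP."""
import hashlib
import hmac
import json
import re
from collections import defaultdict
# Constructed sample sshd log lines in syslog format (documentation address ranges).
SAMPLE_LOG = """\
Sep  3 19:58:01 mail sshd[4410]: Failed password for root from 203.0.113.7 port 41232 ssh2
Sep  3 19:58:03 mail sshd[4410]: Failed password for root from 203.0.113.7 port 41233 ssh2
Sep  3 19:58:06 mail sshd[4410]: Failed password for invalid user test from 203.0.113.7 port 41235 ssh2
Sep  3 20:01:44 mail sshd[4422]: Failed password for jeff from 198.51.100.20 port 2201 ssh2
Sep  3 20:01:50 mail sshd[4422]: Accepted password for jeff from 198.51.100.20 port 2201 ssh2
Sep  3 20:05:12 mail sshd[4430]: Failed password for invalid user oracle from 192.0.2.99 port 3333 ssh2
Sep  3 20:05:13 mail sshd[4430]: Failed password for invalid user oracle from 192.0.2.99 port 3334 ssh2
Sep  3 20:05:14 mail sshd[4430]: Failed password for invalid user oracle from 192.0.2.99 port 3335 ssh2
"""
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
THRESHOLD = 3  # failed logins from one IP before we treat it as an attack source

def find_attackers(log_text, threshold=THRESHOLD):
    """Group failed logins by source IP, keeping the first/last timestamps the ISP
    needs to map a dynamic IP back to the account that held it at that time."""
    by_ip = defaultdict(lambda: {"failures": 0, "first_seen": None, "last_seen": None, "users": set()})
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts, user, ip = m.groups()
        rec = by_ip[ip]
        rec["failures"] += 1
        rec["first_seen"] = rec["first_seen"] or ts
        rec["last_seen"] = ts
        rec["users"].add(user)
    return {ip: {**r, "users": sorted(r["users"])}
            for ip, r in by_ip.items() if r["failures"] >= threshold}

def build_report(attackers, reporter, key):
    """Serialize deterministically and append an HMAC-SHA256 tag (shared-key stand-in
    for the per-vendor PGP signature) so the ISP can tell a genuine report from a forgery."""
    body = json.dumps({"reporter": reporter, "sources": attackers}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_report(report, key):
    """ISP side: recompute the tag; a forged or altered report fails here."""
    expected = hmac.new(key, report["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report["tag"])
```

The threshold keeps a user who mistyped a password once (198.51.100.20 above) out of the report, which is the "no fraudulent accusations" property the post asks for.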