North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ISP wants to stop outgoing web based spam

  • From: Sean Donelan
  • Date: Thu Aug 10 01:55:52 2006


On Thu, 10 Aug 2006, Suresh Ramasubramanian wrote:
The MAAWG bcps, for example, state that ISPs must take responsiblity
for mitigating outbound spam and abuse.

The RIAA, for example, states that ISPs must take responsibility for mitigating copyright infringement by its users.

Lots of groups state that ISPs must take responsibility for lots of things.

Abuse is a very open ended term. There is a difference between enforcing network/service rules such as preventing address forgeries, and being responsible for abuse or disputes between users

Is the ISP responsible for mitigating all types of user abuse? Or only
some types of abuse by users? For example, are ISPs responsible for mitigating liable, slander, defamation, harrasment, theft, counterfeting, gambling, intolerance, public morals, etc?


People shouldn't confuse ISPs with law enforcement or courts. ISPs are responsible for enforcing network standards and its contracts. ISPs are not responsible for solving the world's problems. If the RIAA has a
dispute concerning copyright infringement with a user, the RIAA sues
the user to stop the user. ISPs aren't expected, yet, to scan users traffic to prevent copyright abuse.


If you don't care which mosquitoes you kill, you could drain the swamp by cutting off the entire country of Nigeria. But the reality is all
the criminals aren't limited to one place. Almost none of the criminals
would even notice. But you will probably harm a lot of innocent Nigerians by doing that; and the smarter criminals will just migrate to new pastures and keep attacking you. Unlike mosquitoes, criminals aren't
limited to breeding in only certain areas.


The "source" isn't the ISP, the source is the criminal. If you can figure out a way to permanently ban criminals from every ISP in the world other
than putting them in jail, you might have a shot with BCPs for ISPs. But even if there was only one ISP remaining in the world, with a single
unified user database, I suspect criminals would still use their skills
such as identity theft and fraud to get on the net.


The goal needs to be arresting the bad guys. The problem isn't the ISP,
its the criminal. Bad packets rarely spontanously occur on the net. Every exploit, every virus, every worm, every phishing mail started with a person. Letting the bad guys go free is just teaching the criminals how to improve their skills.