On Thu, 2004-10-28 at 00:02, Nifty Hat Mitch wrote: > Blacklisting for an ISP is not a good thing but it can also be used to > advantage. Designate one subnet as 10complaintsPlus or some such > 'trouble' list. Assign this user and other 'trouble' hosts to this > subnet. Just to save bandwidth, you have some need to scan for virus > symptoms and other problems. When you 'smell' a problem you might > disconnect then move that host to a quarantine net. > > The value of this is that spam detectors can detect the source IP address > and increase the score on the other end of things. In this way you do > not need to terminate service. You will have made one step toward > cause for pulling that service. > > The trigger for action would be complaints in addition other policy based > review (perhaps bandwidth). > > The alternative is that all your nets would be blacklisted because > of one user. If you follow this policy, the likely result is that all your nets would end up blacklisted anyway. Many of the blacklists would initially list only the "problem" net, but seeing that the problem wasn't going away (even if you were eventually booting spammers, you'd be replacing them in the same subnet with the next set of troublemakers), the listing would escalate to include more and more of your IP space until it was all listed. Not all lists do this of course, but some do, and they include SPEWS and many people's private lists, which are much harder to get out of than "public" lists. If it became public knowledge that you were moving spammers to their own subnet rather than just booting them, that would likely result in escalations happening sooner, as you'd be seen as a "spam-friendly provider". They key is to have a strong Acceptable Use Policy and to enforce it. And have a working "abuse" address of course. Paul. -- Paul Howarth <paul@xxxxxxxxxxxx>