>Clearly different. Dial-ups are usually too much trouble for an ISP to
>track who was using what when. You know who's responsible for a
>university faculty machine. (I'm aware of the student problem; my
>wife is a university faculty member.) The number of spams I get that
>I can identify as from university faculty machines is zero. I get
>them on occasion from open University relays that are identifiable as
>mail relay machines. If DSL lines are accountable, then they won't
>be major sources of spam unless the ISP that controls them
>deliberately allows spam.

I want to comment on this and make sure everyone is aware of WHY it's
hard to track who's doing what on dialup.

It is certainly not too difficult to track when a user signs on.
Obviously they have to authenticate somehow and you can tell when they do
that. Usually you can tell when they log off too. Assuming you're using
Radius, this is all a no-brainer. It's also pretty trivial to log what
IP address they were given, how long they were on for, how many bytes
they transferred, which particular modem port they used, what speed they
were connected at, why they disconnected, caller ID information, etc.
Some of this is dependent on your network hardware, but things like the
address and connect time are pretty common. (*)

This seems like a lot of information but in reality it's useless for
tracking a spammer. If the spammer connects directly out to an open
relay, there's nothing you can do short of sniffing his traffic. The
victim may send you a log file saying who connected and at what time, but
those logs can't be reasonably assured to be authentic. If it comes down
to someone on the outside purporting to have logs catching someone
spamming, and my user says they didn't do it, I have to take the side of
the user.

On the other hand, when the dialup user is forced to go through my mail
server, a number of countermeasures become possible. Most spammers are
too dumb (or desperate) to slow down their mail, so a simple "uptime"
check every 5 minutes, coupled with a pager alert, checks most problems
before they can really start. The logs are authentic; I trust my own
servers, and I have my routers and dialup servers set up so that spoofing
IP addresses would be next to impossible. I can also go into the queue
and remove spam that hasn't gone out yet.

So as a spam deterrent this is pretty effective. I wouldn't mind
putting all this up on the web page for people to see (although I don't
know whether they'd look). Something like "we WILL catch you in a hurry,
and we WILL delete any spam that's in our queue, and we WILL have logs if
we choose to file a claim for damages (which we can do under California
law)."

shag

(*) I would like to point out that although we don't use any of this
information in anything other than an aggregate format to track capacity
requirements, and we never release it to outside sources, your ISP may
not have the same policies.
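
Added example, not part of the original post: where the post's check watches server "uptime" (load), this sketch instead counts relayed messages per client IP in 5-minute windows and ties a flagged address to the RADIUS accounting session that held it at that time. The threshold, record layouts, function names and all sample data are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
THRESHOLD = 100  # assumed limit on messages per client IP per 5-minute window

# Constructed RADIUS accounting sessions: (user, assigned IP, start, stop).
# The same dynamic address is handed to two different users on the same day.
SESSIONS = [
    ("alice", "192.0.2.10", "2000-01-01 09:00:00", "2000-01-01 09:40:00"),
    ("bob",   "192.0.2.11", "2000-01-01 09:05:00", "2000-01-01 09:30:00"),
    ("carol", "192.0.2.10", "2000-01-01 10:00:00", "2000-01-01 10:20:00"),
]

def make_mail_log():
    """Constructed mail-server log: one (timestamp, client IP) per message."""
    log = [(datetime(2000, 1, 1, 9, 10) + timedelta(minutes=i), "192.0.2.10")
           for i in range(3)]                       # normal use by one user
    log.append((datetime(2000, 1, 1, 9, 12), "192.0.2.11"))
    burst = datetime(2000, 1, 1, 10, 5)
    log += [(burst + timedelta(seconds=i), "192.0.2.10") for i in range(250)]
    return log

def window_start(ts):
    """Round a timestamp down to its 5-minute window boundary."""
    return ts - timedelta(minutes=ts.minute % 5, seconds=ts.second,
                          microseconds=ts.microsecond)

def session_owner(ip, ts, sessions=SESSIONS):
    """Return the user whose session held `ip` at time `ts`, or None."""
    for user, addr, start, stop in sessions:
        if (addr == ip and
                datetime.strptime(start, FMT) <= ts <= datetime.strptime(stop, FMT)):
            return user
    return None

def flag_bursts(mail_log, threshold=THRESHOLD):
    """Return (window, ip, count, user) for every window over the threshold."""
    counts, first_seen = Counter(), {}
    for ts, ip in mail_log:
        key = (window_start(ts), ip)
        counts[key] += 1
        first_seen[key] = min(ts, first_seen.get(key, ts))
    # Attribute by IP *and* time: the address alone is ambiguous on dialup.
    return [(win.strftime(FMT), ip, n, session_owner(ip, first_seen[(win, ip)]))
            for (win, ip), n in sorted(counts.items()) if n > threshold]

if __name__ == "__main__":
    for alert in flag_bursts(make_mail_log()):
        print("ALERT", alert)
```

The burst is attributed to the later holder of the address, not the earlier one, which is why the accounting record has to be matched on both IP and time.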