Re: Open, anonymous services and dealing with abuse
Everybody thinks if it's not us, we don't have a problem so we don't want to spend anything to fix it - but it's not true, you already are paying for it due to increased cost of operation. The cost of fixing your own network even 50% of other ISPs did it, would in the end be smaller.

The cost of building a network is a step function. If you didn't have to provision the capacity to handle the traffic from spammers and DDoS attacks, then you could delay spending these significant chunks of money. In fact, I suspect that this was an important factor in killing off companies during the telecom collapse. These companies were driven to expand their networks faster than could be justified by the paying customers because of the large amount of traffic generated by non-paying customers.

DDoS and spam have to be tackled in two different ways but both of these problems will not be solved until we address the roots of the issue and not the symptoms. In both cases, the root of the issue is that network operators are unable to cooperate effectively in tracking down network abuse.

I know that a lot of people in the ISP industry have a basically anarcho-libertarian political viewpoint and that viewpoint has helped them make the right kind of decisions in building most of the technical architecture of the Internet. But this has also blinded people to the advantages of co-operative action. There is nothing wrong with network operators meeting together in a forum to jointly make decisions about best practices for running the Internet's email system or for tracking down the true sources of network abuse. This is basically the same kind of thing that the IETF does for network protocols and the MPLS forum and the ATM forum, etc.

Once again, I call on the companies who participate in the various NANOG forums to get your email engineers and email architects and email managers all together in a single forum to hash out the issues. We have solutions, too many of them, but we cannot deploy these things successfully without broad agreement.

Remember what Tony Hain and Phil Karn have said about end-to-end. If you get a bunch of network engineers together and ask them to stop spam they will inevitably want to configure their routers which leads to filtering and ACLs. Anyone who believes that would be a mistake should be supporting the concept of an Internet Email Operators Forum because the people responsible for the application will be able to find a solution at the application layer.

--Michael Dillon
Re: Open, anonymous services and dealing with abuse
On Mon, 16 Feb 2004, Daniel Reed wrote: paid regularly, or their budgets are kept low, etc. Many will have RFC 2142 contacts, but appear to discard incoming mail. Some, such as Charter Communications, do not even have these mandatory addresses (mail is not accepted for [EMAIL PROTECTED]). while they do not conform to the RFC, they receive accept mail at/for [EMAIL PROTECTED] [This would be the domain w/o outsourced MX...] And on the other hand, it is the CDC that would perform an outbreak isolation, not the restaurant staff. You're talking about a concerted effort. So far, I haven't seen the levels of cooperation between providers that is required. I'm all for everyone holding hands and squashing out issues. But until you get past the isolationist mindset (you must be sick of me saying that by now) good luck... I think we're both in agreement that until * starts saying If I don't stop this today, it will hurt me tomorrow, that the cooperation required to address and stop these issues will be nil. -mark
Re: Open, anonymous services and dealing with abuse
On 2004-02-17T11:56-0600, Mark Turpin wrote:
) On Mon, 16 Feb 2004, Daniel Reed wrote:
) And on the other hand, it is the CDC that would perform an outbreak
) isolation, not the restaurant staff.
) I think we're both in agreement that until * starts saying If I
) don't stop this today, it will hurt me tomorrow, that the
) cooperation required to address and stop these issues will be nil.

I am not sure it will take any major coordinated effort. For many outbreak incidents, the CDC would respond in the U.S., other agencies would respond elsewhere.

Coincidentally enough, CNN.com just posted an article Your PC could be a 'spam zombie' http://www.cnn.com/2004/TECH/ptech/02/17/spam.zombies.ap/. The provider mentioned appears to be turning off customers [unwittingly] involved in abuse without any major coordinated effort behind them. (And I am sure there are other examples of providers taking such action.)

--
Daniel Reed [EMAIL PROTECTED] http://naim-users.org/nmlorg/ http://naim.n.ml.org/
Murphy's Law is recursive. Washing your car to make it rain doesn't work.
RE: Open, anonymous services and dealing with abuse
Well they accept mail at [EMAIL PROTECTED] but they certainly don't do anything about it. I have sent numerous complaints to that address with absolutely nothing happening to fix the problem. The address is a black hole. Roy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Turpin Sent: Tuesday, February 17, 2004 9:56 AM To: [EMAIL PROTECTED] Subject: Re: Open, anonymous services and dealing with abuse On Mon, 16 Feb 2004, Daniel Reed wrote: paid regularly, or their budgets are kept low, etc. Many will have RFC 2142 contacts, but appear to discard incoming mail. Some, such as Charter Communications, do not even have these mandatory addresses (mail is not accepted for [EMAIL PROTECTED]). while they do not conform to the RFC, they receive accept mail at/for [EMAIL PROTECTED] [This would be the domain w/o outsourced MX...] And on the other hand, it is the CDC that would perform an outbreak isolation, not the restaurant staff. You're talking about a concerted effort. So far, I haven't seen the levels of cooperation between providers that is required. I'm all for everyone holding hands and squashing out issues. But until you get past the isolationist mindset (you must be sick of me saying that by now) good luck... I think we're both in agreement that until * starts saying If I don't stop this today, it will hurt me tomorrow, that the cooperation required to address and stop these issues will be nil. -mark
Re: Open, anonymous services and dealing with abuse
Recently, Daniel Reed [EMAIL PROTECTED] wrote:
The *truly* unfortunate fact is lots of ISPs like to do things like throw up firewall rules and then expect other people to clean up after the real problems they are simply evading. Consider this: A pathogen is developed that kills anyone with which it comes in contact. People across the world are randomly exposed to the pathogen and begin dying en masse. Short-term public interest would seem to necessitate that hosting public meetings should now be discouraged, if not outright banned. In some areas, ordinances might be passed requiring that any human contact be made only if both parties know each other, and can prove they have adequate air filtration. This isn't the plot to next summer's killer Sci-Fi horror movie; this is what we are dealing with on the Internet today. In either case, the long-term public interest would probably be served more by funding agencies to track down and stop the spread of the pathogen.

The problem is, your analogy is too extreme; if people really *were* dying, there'd be more attention paid to it. Unfortunately, if we look at a more real-world case, like herpes, you realize that we don't take contagion very seriously unless people are dying from it. Instead, we end up with ora-gel, anbasol, and other such fun products to take the sting away without actually doing anything.

Likewise in the network, we have a similar approach; when the cold sores flare up again, apply a topical solution to take some of the sting away, and then continue life like normal...including spreading that numb-but-still-infectious cold sore to others.

Trojaned PCs and zombie proxies relaying spam are like cold sores; they don't kill anyone, they just make things mildly uncomfortable, so we numb them over, and go about our business like normal, even if that includes allowing the infection to spread even further. If proxies *did* kill, then yes, we'd take them seriously; but anything short of that, and real life tells us we won't take them seriously enough to try to do real research into ultimately stamping them out.

-- Daniel Reed [EMAIL PROTECTED] http://naim-users.org/nmlorg/ http://naim.n.ml.org/

Matt, feeling pessimistic this morning
Re: Open, anonymous services and dealing with abuse
On Tue, 17 Feb 2004, Daniel Reed wrote:
I am not sure it will take any major coordinated effort. For many outbreak incidents, the CDC would respond in the U.S., other agencies would respond elsewhere.

To perform a traceback in the US the CDC works with hospitals, doctors, etc. since they have the authority to do so. Which body has that authority within the US (and knows how to use it)? Law enforcement comes to mind, but that doesn't scale. Nor is this the right place to discuss that issue ;)

Coincidentally enough, CNN.com just posted an article Your PC could be a 'spam zombie' http://www.cnn.com/2004/TECH/ptech/02/17/spam.zombies.ap/. The provider mentioned appears to be turning off customers [unwittingly] involved in abuse without any major coordinated effort behind them. (And I am sure there are other examples of providers taking such action.)

Everyone knows about/of spam. Does everyone know about DoS? I'm just throwing it out there as an example, I don't really want to get in to who should know what, etc... These problems [as all issues] are a topic that only those passionate few [those typically affected by it] truly seek resolution. I believe it is human (or maybe just American?) nature to not care until something affects you.

Alas, I'm lacking operational content, so this is my final bit of input on the matter.

-mark
RE: Open, anonymous services and dealing with abuse
Well at least they are somewhat DNS responsible in that they separate their user IP space well. So that it can be blocked. The really annoying ISPs use stupid things like DSL1234.isp.com and such. Of course doing this does block those 1 in 100 people running a server on their DSL line and not requesting a reverse DNS change.

la.charter.com 550 NO Mail Accepted From DSL
va.charter.com 550 NO Mail Accepted From DSL
mn.charter.com 550 NO Mail Accepted From DSL
ga.charter.com 550 NO Mail Accepted From DSL
ct.charter.com 550 NO Mail Accepted From DSL
ma.charter.com 550 NO Mail Accepted From DSL
ca.charter.com 550 NO Mail Accepted From DSL
wi.charter.com 550 NO Mail Accepted From DSL
al.charter.com 550 NO Mail Accepted From DSL
sc.charter.com 550 NO Mail Accepted From DSL
tx.charter.com 550 NO Mail Accepted From DSL
nc.charter.com 550 NO Mail Accepted From DSL

Nicole

On 17-Feb-04 Unnamed Administration sources reported Roy said :
Well they accept mail at [EMAIL PROTECTED] but they certainly don't do anything about it. I have sent numerous complaints to that address with absolutely nothing happening to fix the problem. The address is a black hole. Roy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Turpin
Sent: Tuesday, February 17, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Open, anonymous services and dealing with abuse

On Mon, 16 Feb 2004, Daniel Reed wrote:
paid regularly, or their budgets are kept low, etc. Many will have RFC 2142 contacts, but appear to discard incoming mail. Some, such as Charter Communications, do not even have these mandatory addresses (mail is not accepted for [EMAIL PROTECTED]).

while they do not conform to the RFC, they receive accept mail at/for [EMAIL PROTECTED] [This would be the domain w/o outsourced MX...]

And on the other hand, it is the CDC that would perform an outbreak isolation, not the restaurant staff.

You're talking about a concerted effort. So far, I haven't seen the levels of cooperation between providers that is required. I'm all for everyone holding hands and squashing out issues. But until you get past the isolationist mindset (you must be sick of me saying that by now) good luck... I think we're both in agreement that until * starts saying If I don't stop this today, it will hurt me tomorrow, that the cooperation required to address and stop these issues will be nil.

-mark

-- |\ __ /| (`\ | o_o |__ ) ) // \\ - [EMAIL PROTECTED] - Powered by FreeBSD - -- Daemons will now be known as spiritual guides -Politically Correct UNIX Page
Great places... http://www.nonsenseband.com - My Band http://www.picturetrail.com - Sysadmin http://www.mediatechnique.com - Sysadmin2
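Added example (not part of the original thread, and not any poster's code): a sketch of the reverse-DNS suffix blocking described in the message above, using the list format shown there (domain, then SMTP reply). The client hostnames are constructed samples and the function names are hypothetical; it shows both the "1 in 100" collateral case and why flat names like DSL1234.isp.com cannot be separated by suffix.

```python
"""Reverse-DNS suffix blocking, modelled on the list quoted in the thread."""

# A few entries in the format shown in the message: "<domain> <SMTP reply>".
ACCESS_LIST = """\
la.charter.com 550 NO Mail Accepted From DSL
va.charter.com 550 NO Mail Accepted From DSL
mn.charter.com 550 NO Mail Accepted From DSL
"""


def parse_access_list(text):
    """Return {domain: reply} from lines of '<domain> <reply text>'."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed entry: {raw!r}")
        domain, reply = parts
        rules[domain.lower().rstrip(".")] = reply.strip()
    return rules


def check_client(ptr_name, rules):
    """Return the SMTP reply for a client's PTR name, or None to accept.

    Matching is on whole DNS labels, walking from the full name towards the
    TLD, so 'xla.charter.com' does not match the rule 'la.charter.com'.
    """
    if not ptr_name:
        return None  # no PTR record: this list has nothing to say about it
    labels = ptr_name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate]
    return None


def decide_all(clients, rules):
    """Map each client PTR name to its reply (None means accepted)."""
    return {name: check_client(name, rules) for name in clients}


# Constructed PTR names, for illustration only.
SAMPLE_CLIENTS = [
    "10-0-0-1.dhcp.la.charter.com",  # pool address: rejected
    "mail.smallbiz.example",         # DSL customer with custom rDNS: accepted
    "xla.charter.com",               # different label, not in the pool: accepted
]

if __name__ == "__main__":
    rules = parse_access_list(ACCESS_LIST)
    for name, reply in decide_all(SAMPLE_CLIENTS, rules).items():
        print(f"{name:32} -> {reply or 'accept'}")

    # Flat naming (DSL1234.isp.com): the only usable suffix is the whole
    # domain, which also rejects the ISP's own (constructed) mail host.
    flat = parse_access_list("isp.com 550 NO Mail Accepted From DSL\n")
    for name in ("DSL1234.isp.com", "smtp.isp.com"):
        print(f"{name:32} -> {check_client(name, flat) or 'accept'}")
```

A DSL customer running a legitimate server who never requested a reverse DNS change keeps the pool name and is rejected along with the zombies, which is the trade-off the message acknowledges.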
Re: Open, anonymous services and dealing with abuse
On Tue, 17 Feb 2004 [EMAIL PROTECTED] wrote:
Trojaned PCs and zombie proxies relaying spam are like cold sores; they don't kill anyone, they just make things mildly uncomfortable, so we numb them over, and go about our business like normal, even if that includes allowing the infection to spread even further. If proxies *did* kill, then yes, we'd take them seriously; but anything short of that, and real life tells us we won't take them seriously enough to try to do real research into ultimately stamping them out.

But proxies do kill - the trojaned owned PCs are and have been for years used to create distributed DoS attacks which can easily kill a site or even smaller network. There is enormous potential harm from them and that is in addition to normal everyday less articulated harm because of spam and more that mail servers and other infrastructure is being used for it. ISPs end up paying for all this.

Everybody thinks if it's not us, we don't have a problem so we don't want to spend anything to fix it - but it's not true, you already are paying for it due to increased cost of operation. The cost of fixing your own network even 50% of other ISPs did it, would in the end be smaller.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
RE: Open, anonymous services and dealing with abuse
1700+ attempts from one IP address to send mail today via one of my servers.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Nicole
Sent: Tuesday, February 17, 2004 12:25 PM
To: [EMAIL PROTECTED]
Cc: Mark Turpin; Roy
Subject: RE: Open, anonymous services and dealing with abuse

Well at least they are somewhat DNS responsible in that they separate their user IP space well. So that it can be blocked. The really annoying ISPs use stupid things like DSL1234.isp.com and such. Of course doing this does block those 1 in 100 people running a server on their DSL line and not requesting a reverse DNS change.

la.charter.com 550 NO Mail Accepted From DSL
va.charter.com 550 NO Mail Accepted From DSL
mn.charter.com 550 NO Mail Accepted From DSL
ga.charter.com 550 NO Mail Accepted From DSL
ct.charter.com 550 NO Mail Accepted From DSL
ma.charter.com 550 NO Mail Accepted From DSL
ca.charter.com 550 NO Mail Accepted From DSL
wi.charter.com 550 NO Mail Accepted From DSL
al.charter.com 550 NO Mail Accepted From DSL
sc.charter.com 550 NO Mail Accepted From DSL
tx.charter.com 550 NO Mail Accepted From DSL
nc.charter.com 550 NO Mail Accepted From DSL

Nicole

On 17-Feb-04 Unnamed Administration sources reported Roy said :
Well they accept mail at [EMAIL PROTECTED] but they certainly don't do anything about it. I have sent numerous complaints to that address with absolutely nothing happening to fix the problem. The address is a black hole. Roy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Turpin
Sent: Tuesday, February 17, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Open, anonymous services and dealing with abuse

On Mon, 16 Feb 2004, Daniel Reed wrote:
paid regularly, or their budgets are kept low, etc. Many will have RFC 2142 contacts, but appear to discard incoming mail. Some, such as Charter Communications, do not even have these mandatory addresses (mail is not accepted for [EMAIL PROTECTED]).

while they do not conform to the RFC, they receive accept mail at/for [EMAIL PROTECTED] [This would be the domain w/o outsourced MX...]

And on the other hand, it is the CDC that would perform an outbreak isolation, not the restaurant staff.

You're talking about a concerted effort. So far, I haven't seen the levels of cooperation between providers that is required. I'm all for everyone holding hands and squashing out issues. But until you get past the isolationist mindset (you must be sick of me saying that by now) good luck... I think we're both in agreement that until * starts saying If I don't stop this today, it will hurt me tomorrow, that the cooperation required to address and stop these issues will be nil.

-mark

-- |\ __ /| (`\ | o_o |__ ) ) // \\ - [EMAIL PROTECTED] - Powered by FreeBSD - -- Daemons will now be known as spiritual guides -Politically Correct UNIX Page
Great places... http://www.nonsenseband.com - My Band http://www.picturetrail.com - Sysadmin http://www.mediatechnique.com - Sysadmin2
Re: Open, anonymous services and dealing with abuse
I hate to see government get involved in anything, but perhaps some law holding PC owners responsible for SPAM that comes from their unpatched machines AS LONG AS there is ample notification to that user that their machine is compromised. Also, ISPs should be held responsible for allowing unpatched machines to be connected to them and for e-mail to be propagated from there.

Sounds like an unfunded mandate, and it probably is, but there is the concept of attractive nuisance in the law now. Again, any law would need to be designed to allow for AMPLE notification to the owner of the offending machine/ISP to allow time for them to fix it. Only then would there be a requirement that their ISP disconnect them or face fines.

- Original Message -
From: william(at)elan.net [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, February 17, 2004 15:27
Subject: Re: Open, anonymous services and dealing with abuse

On Tue, 17 Feb 2004 [EMAIL PROTECTED] wrote:
Trojaned PCs and zombie proxies relaying spam are like cold sores; they don't kill anyone, they just make things mildly uncomfortable, so we numb them over, and go about our business like normal, even if that includes allowing the infection to spread even further. If proxies *did* kill, then yes, we'd take them seriously; but anything short of that, and real life tells us we won't take them seriously enough to try to do real research into ultimately stamping them out.

But proxies do kill - the trojaned owned PCs are and have been for years used to create distributed DoS attacks which can easily kill a site or even smaller network. There is enormous potential harm from them and that is in addition to normal everyday less articulated harm because of spam and more that mail servers and other infrastructure is being used for it. ISPs end up paying for all this.

Everybody thinks if it's not us, we don't have a problem so we don't want to spend anything to fix it - but it's not true, you already are paying for it due to increased cost of operation. The cost of fixing your own network even 50% of other ISPs did it, would in the end be smaller.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
Re: Open, anonymous services and dealing with abuse
At 12:43 PM 2/17/2004, John Palmer wrote:
I hate to see government get involved in anything, but perhaps some law holding PC owners responsible for SPAM that comes from their unpatched machines AS LONG AS there is ample notification to that user that their machine is compromised.

We don't need more new laws. There is already a law - in most parts of the world you can be charged with contributory negligence for failing to secure an attractive nuisance and then a third party is injured or damaged due to your negligence. In any part of the world that doesn't have such a law, a new law in another part of the world wouldn't matter anyway.

What is needed is for someone to CARE enough to bother to investigate and prosecute. And yes, it's going to cost more than it's worth to prosecute, at least the first few times. Someone has to decide that the long-term good is worth the price of being the leader in this charge.

IMHO, you should sue both the owner of the PC (for negligently failing to properly secure their computer, or to fix it when notified), and sue Microsoft (for negligently producing and selling software that was so easily compromised) as they are both responsible for the hardware/software that was used to damage your servers/network etc. Microsoft's EULA doesn't apply to you as a third party who is damaged by their faulty software. You should also consider an offer to settle with the PC owner if they agree to jointly sue Microsoft on your behalf. You are not held to the EULA, but they are, but since Microsoft's software is *negligent* it's possible that the EULA doesn't penetrate their inherent liability to not produce a product that causes harm. (A EULA won't protect a ladder maker from negligently building and selling a ladder on which people get hurt when they use it for its intended purpose.) But we won't know until someone digs down into their pockets and funds a lawsuit to try it out.
Sorry about the lack of operational content in this post, but sometimes you have to consider the costs and benefits of both operational solutions and other solutions (e.g. legal solution) in order to determine which solution is the best one for your network, both in the short term and in the long term. jc -- p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.
Re: Open, anonymous services and dealing with abuse
On 2004-02-15T17:33-0500, Sean Donelan wrote:
) The unfortunate fact is lots of people like to operate open, anonymous
) services and then expect other people to clean up after them.
)
) Why don't IRC operators require authentication of their users?
) Why don't SMTP operators require authentication of their users?

Why don't HTTP operators require authentication of their users? If I'm researching testicular cancer on the web, that may involve web sites, IRC support channels, or mailing lists.

The *truly* unfortunate fact is lots of ISPs like to do things like throw up firewall rules and then expect other people to clean up after the real problems they are simply evading.

Consider this: A pathogen is developed that kills anyone with which it comes in contact. People across the world are randomly exposed to the pathogen and begin dying en masse. Short-term public interest would seem to necessitate that hosting public meetings should now be discouraged, if not outright banned. In some areas, ordinances might be passed requiring that any human contact be made only if both parties know each other, and can prove they have adequate air filtration.

This isn't the plot to next summer's killer Sci-Fi horror movie; this is what we are dealing with on the Internet today. In either case, the long-term public interest would probably be served more by funding agencies to track down and stop the spread of the pathogen.

--
Daniel Reed [EMAIL PROTECTED] http://naim-users.org/nmlorg/ http://naim.n.ml.org/
Re: Open, anonymous services and dealing with abuse
On Mon, 16 Feb 2004, Daniel Reed wrote:
On 2004-02-15T17:33-0500, Sean Donelan wrote:
) The unfortunate fact is lots of people like to operate open, anonymous
) services and then expect other people to clean up after them.
)
) Why don't IRC operators require authentication of their users?
) Why don't SMTP operators require authentication of their users?
Why don't HTTP operators require authentication of their users? If I'm researching testicular cancer on the web, that may involve web sites, IRC support channels, or mailing lists.

If you have a read-write HTTP web site (i.e. send e-mail through web, write web blogs, etc), why don't you have authentication before permitting users to write? This includes news web sites which let you forward stories by entering arbitrary addresses. mailfrom.cgi and friends is as much of a problem.

If you want to tell everyone in the world about your new and improved cure for testicular cancer available for the low low price of $119 by sending continuous messages on unauthenticated IRC channels, mailing lists and web blogs why should the ISP pierce the veil of anonymity the IRC operator, mailing list operator, web blog operator wanted?

The operator of the anonymous service should deal with the consequences of maintaining that anonymity. ISPs authenticated their users. But that doesn't mean it is the ISP's responsibility to track down users of anonymous services every time there is a problem.

This isn't the plot to next summer's killer Sci-Fi horror movie; this is what we are dealing with on the Internet today. In either case, the long-term public interest would probably be served more by funding agencies to track down and stop the spread of the pathogen.

Restaurant operators are responsible for the safe preparation of the food they serve and the cleanliness of their restaurants. It is not up to the highway department to prevent sick people from visiting your restaurant or to monitor the trucks transporting food on the highway.

If you want the ISP (highway department) to control it, expect them to set up inspection points on the roads they control and disrupt all traffic. If you don't want ISPs doing this, don't ask them to enforce things they shouldn't be doing.
Re: Open, anonymous services and dealing with abuse
good while doing that add [EMAIL PROTECTED] to the list of spammers that bug people

-Henry

On Mon, 16 Feb 2004, Daniel Reed wrote:
On 2004-02-15T17:33-0500, Sean Donelan wrote:
) The unfortunate fact is lots of people like to operate open, anonymous
) services and then expect other people to clean up after them.
)
) Why don't IRC operators require authentication of their users?
) Why don't SMTP operators require authentication of their users?
Why don't HTTP operators require authentication of their users? If I'm researching testicular cancer on the web, that may involve web sites, IRC support channels, or mailing lists.

If you have a read-write HTTP web site (i.e. send e-mail through web, write web blogs, etc), why don't you have authentication before permitting users to write? This includes news web sites which let you "forward" stories by entering arbitrary addresses. mailfrom.cgi and friends is as much of a problem.

If you want to tell everyone in the world about your new and improved cure for testicular cancer available for the low low price of $119 by sending continuous messages on unauthenticated IRC channels, mailing lists and web blogs why should the ISP pierce the veil of anonymity the IRC operator, mailing list operator, web blog operator wanted?

The operator of the anonymous service should deal with the consequences of maintaining that anonymity. ISPs authenticated their users. But that doesn't mean it is the ISP's responsibility to track down users of anonymous services every time there is a problem.

This isn't the plot to next summer's killer Sci-Fi horror movie; this is what we are dealing with on the Internet today. In either case, the long-term public interest would probably be served more by funding agencies to track down and stop the spread of the pathogen.

Restaurant operators are responsible for the safe preparation of the food they serve and the cleanliness of their restaurants. It is not up to the highway department to prevent sick people from visiting your restaurant or to monitor the trucks transporting food on the highway.

If you want the ISP (highway department) to control it, expect them to set up inspection points on the roads they control and disrupt all traffic. If you don't want ISPs doing this, don't ask them to enforce things they shouldn't be doing.
Re: Open, anonymous services and dealing with abuse
On 2004-02-16T12:58-0500, Sean Donelan wrote:
) On Mon, 16 Feb 2004, Daniel Reed wrote:
) On 2004-02-15T17:33-0500, Sean Donelan wrote:
) ) Why don't IRC operators require authentication of their users?
) ) Why don't SMTP operators require authentication of their users?
) The operator of the anonymous service should deal with the consequences
) of maintaining that anonymity. ISPs authenticated their users. But

And in large part, we do. I am an IRC Operator on a large IRC network, called EFnet, and I do report abuse whenever it occurs in my presence. Unfortunately, I have never received an affirmative response from an ISP after reporting such abuse; never received a request for additional information; and certainly never seen the problem host cease to be a problem after reporting.

I am perhaps one of the few operators still interested in abuse reporting; many have simply resigned themselves to finding abusers using constantly-evolving techniques and simply banning them from the network when they are found. This helps us in the short term, but is only an arms race in the long term. It is a commonly held belief that any type of subscription service will be repeatedly evaded through technical innovation; the fix must come from the providers.

The problem appears to be that many network operators do not think of themselves as anything beyond commercial network providers. Many appear loath to take any effort above and beyond ensuring their users' bills are paid regularly, or their budgets are kept low, etc. Many will have RFC 2142 contacts, but appear to discard incoming mail. Some, such as Charter Communications, do not even have these mandatory addresses (mail is not accepted for [EMAIL PROTECTED]).

) Restaurant operators are responsible for the safe preparation of the food
) they serve and the cleanliness of their restaurants. It is not up to the
) highway department to prevent sick people from visiting your restaurant
) or to monitor the trucks transporting food on the highway.

And on the other hand, it is the CDC that would perform an outbreak isolation, not the restaurant staff. The CDC would also trace who the infected person had contact with and take steps to verify their health, etc. The restaurant could not possibly hope to have the resources or training to effectively deal with people walking in off the street carrying a deadly pathogen, and still have enough resources to provide a decent service.

--
Daniel Reed [EMAIL PROTECTED] http://naim-users.org/nmlorg/ http://naim.n.ml.org/
The pursuit of pretty formulas and neat theorems can no doubt quickly degenerate into a silly vice, but so can the quest for austere generalities which are so very general indeed that they are incapable of application to any particular. -- Eric Temple Bell, Mathematician