March 17, 2004 11:28 AM PST

Customers squeezed, as ISPs close in on viruses

High-speed Internet service providers are increasingly putting their customers in the security hot seat, as they try to fight recent virus attacks that turn computers into spam factories.


Broadband companies have said they routinely monitor customer accounts for signs of abuse and take action when it's appropriate. Although such policies have been in place for years, they're now being invoked more than ever, due to the spread of viruses that allow spammers to spew out millions of junk e-mail messages under victims' noses.

The virulence of these virus attacks has sparked a fierce debate over countermeasures, security experts said. The problem has become so bad that broadband companies are considering whether it's time to substantially beef up policing on their networks--something they've avoided in the past because of the cost and potential privacy concerns involved.

"Nowadays, a person sending spam is Granny, and she has no idea she's doing it," said Joe Stewart, a senior security researcher at Lurhq, a corporate security company. "(ISPs) can pull the plug, but it's hard and time-consuming to spend time on each user on tech support."

High-profile viruses such as Sobig, MyDoom and Bagle have preyed on available bandwidth, lax security and ignorance among ISPs and consumers alike to turn unknowing Net users into bulk e-mailers. The problem has prompted broadband ISPs, such as cable and Baby Bell phone companies, to step up network scanning and enforcement of security policies. These policies include the use of account suspensions to prod customers into using better security practices.

The debate touches on far-reaching questions about the direction of Internet security policy and about the roles of ISPs and individuals in maintaining safe networks. Should the primary responsibility for security fall to broadband ISPs or subscribers?

A sweeping report on Internet security the White House issued in September 2002 concluded that the best antidote for security lapses is to better educate and motivate people into adopting better security practices, such as installing firewalls and keeping antivirus software up-to-date.

Since then, however, changes in the nature of virus attacks have made that model increasingly untenable for broadband ISPs, and some are beginning to rethink their historically hands-off policies, antispam experts said.

"Their attitude was: 'We can't possibly be monitoring everything going on in customers' computers,'" Ray Everett-Church, chief privacy officer at antispam software company TurnTide, said about broadband ISPs. "But they found they had to participate when those activities had negative consequences for their entire network."

Finding the right balance
Viruses such as Sobig and Bagle disguise themselves as cleverly worded e-mails that can install exploits on a PC, once their attachments have been downloaded. Once these "Trojan horse" programs are installed, the viruses create a hole that lets spammers relay bulk e-mails, using the victim's address--adding another layer of anonymity for the spammer.

The spread of these Trojan horse viruses has caused considerable damage and annoyance. ISP networks and user in-boxes have become clogged with higher levels of spam, and more work is needed to fix exploits in networks and in PCs. One study found that this year, North American ISPs will spend up to $245 million in dealing with these viruses.

Broadband ISPs are taking different approaches to the problem. Many have implemented policies that identify, quarantine and sometimes suspend or shut down accounts that have been infected. Others leave it up to their customers to keep their antivirus software up-to-date.




These policies are by no means foolproof. Virus writers are usually one step ahead of software fixes and can still find a way to get viruses to high-speed Net users. Broadband ISPs are caught in an endless cat-and-mouse game that often translates into greater costs, as they increase efforts to educate users and disinfect PCs.

Comcast, the nation's largest cable operator and broadband ISP, is considered by some e-mail watchers to be one of the biggest virus targets. The cable giant said it has implemented antispam software on its network and that it continually monitors activity to find potential victims, or purveyors, of spam viruses.

"Most customers who send spam are doing so unknowingly," Jeanne Russo, a Comcast spokeswoman, said in an e-mail statement. "Once identified, the accounts are quarantined and contacted to resolve the issue. After the problem has been resolved, the customer is restored to full network access."

Cox Communications, which also runs a cable ISP, scans for potentially compromised accounts and then suspends or quarantines accounts until the owner patches the security hole. The company forces people to send e-mail through internal mail servers rather than to set up their own servers. Spammers often use such servers to piggyback on a network's bandwidth, thereby sending more e-mails at a faster rate.

But Cox also tries to mix in publicity campaigns aimed at pushing users to update their PC operating systems and patch weak points.

"ISPs need to encourage users to enable automatic patch updates for their Windows systems, evangelize weekly visits to www.windowsupdate.com and www.officeupdate.com, and offer crosslinking or bundles with the latest antivirus and firewall software vendors," Jeff Hartley, a manager of security and abuse for Cox, said in an e-mail statement.

Local phone giants, which are the largest suppliers of digital subscriber line (DSL) access, also face similar problems. Verizon Communications, the largest local phone company in the United States, takes a more user-centric approach. It suspends subscriber accounts only in "egregious" instances of spam abuse but mainly tries to prod its users into taking action.

"We can't sit there and say: 'You're spamming--we're going to knock you off the wire,'" said Scott Lebredo, a senior technical manager at Verizon Online. "It's your access. You're responsible for it, but you must be educated about how to combat it."

Whose fault is it, anyway?
Still, the question remains whether the techniques broadband ISPs are implementing are enough. Some say the onus is on ISPs, which should play a role in protecting their networks for the greater good of their subscribers and the Internet at large. Critics say ISPs should manage their networks to ensure that all users are safe.

"I wouldn't expect to boil my own water; I expect it to be treated upstream," said Mark Sunner, the chief technology officer at MessageLabs, which sells a virus detection service for corporate networks. "The correct groundswell needs to be focused on the Internet level, where you can be proactive rather than reactive."

ISPs point out that excessive monitoring could have damaging consequences for their business. To stop viruses from spreading, they could take the extreme measure of scanning their subscriber in-boxes and PC hard drives to make sure that users are not unknowingly harboring malicious viruses. However, ISPs fear that taking this tack would jeopardize user privacy.

"It would be very unfriendly to scan customers' machines," said Mary Youngblood, the manager of the abuse team at ISP EarthLink. "It would be deemed by some people as a privacy violation."

America Online, the nation's largest dial-up ISP, has dealt with virus and spam issues for many years and has used different methods to battle the problem. AOL frequently suspends accounts that may have been infected and forces subscribers to call customer service to fix the problem. It also restricts the amount of outgoing mail each member can send, among other techniques.

"It should not be our responsibility, but AOL has been a good Netizen," said Nicholas Graham, an AOL spokesman. "It's a joint responsibility between providers and consumers."

Where the balance of that responsibility falls will continue to shift, as new variants of viruses continue to emerge and wreak havoc. Right now, it seems that virus writers have easily exploited a loophole substantial enough to keep everyone pointing fingers.

"You can't expect (ISPs) to take on the task of keeping everyone virus-free, because if they did that, their costs would skyrocket," Lurhq's Stewart said. "It really falls on each individual user to be responsible. But unfortunately, people aren't up to the task, technically."

CNET News.com's Robert Lemos contributed to this report.

9 comments
ISPs should knock users offline
by TV James March 17, 2004 4:49 PM PST
I'm a Verizon DSL subscriber and I'm kind of disappointed that Verizon won't take people offline (or quarantine them) if they are infected and spewing spam all over the internet.

Every morning when I sign in to my work account, I have 10-20 pieces of spam in my inbox and almost none trickles in while I'm working -- it's obviously home users who don't have virus protection on their computers.

The ISPs should start selling virus protection software and actively putting accounts on hold when the computer on their network is infected and attempting to affect other computers, just like any corporate network would.
granny
by keharson March 17, 2004 5:09 PM PST
Per CNET: "Nowadays, a person sending spam is Granny, and she has no idea she's doing it." Looks to me like this would have been an ideal place to have given an example(s) of Granny's mistake.
It's about time!
by thenet411 March 17, 2004 6:48 PM PST
Even though it is easy for those of us that are employed in the tech sector to say, it is still very true that people should do their part to keep these virus writers and spammers at bay. I mean, do people buy a car and not put gas in it or have the oil changed? Of course not. I have believed for a long time that if people refuse to learn about their computers and not take steps to make sure their computers are secure (how difficult is it really to click on Tools>Windows Update and update your computer? How difficult is it to do the same with their anti-virus software? There are even automated ways to do this! Sheesh!), they should not be allowed to be connected to other computers. If my car was a rusting heap that was spilling gasoline, oil, or antifreeze all over the road, my car would be pulled over and taken off the road until it was fixed! If you think about it, these ignorant computer users are essentially doing the same thing an ignorant driver does when they spill their car's fluids all over the road. They are making a mess of the road and making it dangerous for others to use the road.

Bottom line is, too many people just don't get it. So, kick'em offline until they do!
What about subsidizing anti-virus?
by philnye March 18, 2004 9:21 AM PST
One of the big problems I see with helping subscribers to close their computers to hackers and e-mail spoofing is to subsidize the cost of really good anti-virus software. I am not the standard consumer as I have 3 computers running at home but I must admit I get a little lax about upgrading my anti-virus software annually as 3 user licenses cost me around $80 for the latest and greatest software version or just $60 to maintain present version and continue to download virus updates. Quite a racket if you ask me. I know there are free scanners out there but they don't perform as well nor do they offer active scanning.

Just my $0.02.
Phil Kosarek
MI
This needed to happen a long time ago
by Maelstorm March 18, 2004 9:44 AM PST
Unfortunately, the problem has become so widespread that it will be difficult to get it under control. The ISP is just providing network access. That's it. The onus for security is on the end user. I have read the Comcast AUP and it specifically states that the user is responsible for security of their own computers...which is how it should be. If you cause a problem on the network, then your connection should be pulled until the problem is fixed.

It's called taking responsibility. The problem is that computers have become so easy to use that even people who are not computer literate can use them. These are the people who the virus writers target because these are the non-technical people who really don't know any better. But, on the flip side of the coin, how many times have we said "Don't open attachments that you are not expecting."? These people should know better than to open anything in Outlook/Outlook Express, but they keep doing it, which is why worms like MyDoom, SoBig, and NetSky are running amok. If you don't open the attachment, then the virus won't spread.
Recently, Earthlink blocked outgoing port 25 (SMTP)...
by gglawits March 18, 2004 3:23 PM PST
...for all users, because some spammers also were operating from Earthlink accounts (D'oh!).

That denies me the right to send out email as, say, greg@stampcollectorsclubonline.org (or whatever domain name I have pointing to my static IP Earthlink DSL line).

I have not given notice to Earthlink yet, but have already signed up with another ISP, and once the DSL line has been switched over, I'll give Earthlink the boot.

They really chose the dumbest way of doing it - even AOL's policy of allowing only a limited number of emails per day is better (would have worked for me). Or selectively cutting off customers who flood the internet with spam (I wouldn't have a problem with that either).

I'm still fuming - I'm just looking forward to sending the final "You're fired!" email to Earthlink in a few days.

-Greg
Help out ISPs with VirusCop
by CMatrix March 19, 2004 7:48 AM PST
We had such a bad problem with e-mail borne viri/worms clogging our inboxes that we developed VirusCop. This is a free utility that helps you uncover where the virus spam is coming from and notify the appropriate administrators. As a result we've seen a large reduction in virus spam. It's not perfect though, a tiny number of ISPs (like tpnet.pl) don't seem to care what is going on in their networks.

viruscop.org