Customers squeezed as ISPs pull trigger on viruses

By Jim Hu, Special to ZDNet
18 March 2004 08:32 AM
High-speed Internet service providers are increasingly putting their customers in the security hot seat, as they try to fight recent virus attacks that turn computers into spam factories.

Broadband companies have said they routinely monitor customer accounts for signs of abuse and take action when it's appropriate. Although such policies have been in place for years, they're now being invoked more than ever, thanks to the spread of viruses that allow spammers to spew out millions of junk e-mail messages under the noses of victims.

The virulence of these virus attacks has sparked a fierce debate over countermeasures, security experts said. The problem has become so bad that broadband companies are considering whether it's time to substantially beef up policing on their networks--something they've avoided in the past because of the cost and potential privacy concerns involved.

"Nowadays, a person sending spam is Granny, and she has no idea she's doing it," said Joe Stewart, a senior security researcher at Lurhq, a corporate security company. "(ISPs) can pull the plug, but it's hard and time consuming to spend time on each user on tech support."

High-profile viruses such as Sobig, MyDoom and Bagle have preyed on available bandwidth, lax security and ignorance among ISPs and consumers alike to turn unknowing Net users into bulk e-mailers. The problem has prompted broadband ISPs, such as cable and Baby Bell phone companies, to step up network scanning and enforcement of security policies. These policies include the use of account suspensions to prod customers into using better security practices.

The debate touches on far-reaching questions about the direction of Internet security policy and about the roles of ISPs and individuals in maintaining safe networks. Should the primary responsibility for security fall to broadband ISPs, or subscribers?

A sweeping report on Internet security issued by the White House in September 2002 concluded that the best antidote for security lapses is to better educate and motivate people into adopting better security practices, such as installing firewalls and keeping antivirus software up-to-date.

Since then, however, changes in the nature of virus attacks have made that model increasingly untenable for broadband ISPs, and some are beginning to rethink their historically hands-off policies, antispam experts said.

"Their attitude was: 'We can't possibly be monitoring everything going on in customers' computers,'" Ray Everett-Church, chief privacy officer at antispam software company TurnTide, said about broadband ISPs. "But they found they had to participate when those activities had negative consequences for their entire network."

Finding the right balance
Viruses such as Sobig and Bagle disguise themselves as cleverly worded e-mails that can install exploits on a PC, once their attachments have been downloaded. Once these "Trojan horse" programs are installed, the viruses open a hole that lets spammers relay bulk e-mails using the victim's address--adding another layer of anonymity for the spammer.

The spread of these Trojan horse viruses has caused considerable damage and annoyance. ISP networks and user in-boxes have become clogged with higher levels of spam, and more work is needed to fix exploits in networks and in PCs. One study found that this year, North American ISPs will spend up to US$245 million dealing with these viruses.

Broadband ISPs are taking different approaches to the problem. Many have implemented policies that identify, quarantine and sometimes suspend or shut down accounts that have been infected. Others leave it up to their customers to keep their antivirus software up to date.

These policies are by no means foolproof. Virus writers are usually one step ahead of software fixes and can still find a way to get viruses to high-speed Net users. Broadband ISPs are caught in an endless game of cat-and-mouse that often translates into greater costs as the company ups efforts to educate users and to disinfect PCs.

Comcast, the United States' largest cable operator and broadband ISP, is considered by some e-mail watchers as one of the biggest targets for viruses. The cable giant said that it has implemented antispam software on its network and that it continually monitors activity to find potential victims, or purveyors, of spam viruses.

"Most customers who send spam are doing so unknowingly," Comcast spokeswoman Jeanne Russo said in an e-mail statement. "Once identified, the accounts are quarantined and contacted to resolve the issue. After the problem has been resolved, the customer is restored to full network access."

Cox Communications, which also runs a cable ISP, scans for potentially compromised accounts and then suspends or quarantines accounts until the owner patches the security hole. The company forces people to send e-mail through internal mail servers rather than setting up their own servers. Such servers are often used by spammers to piggyback on a network's bandwidth and so send more e-mails, faster.

But Cox also tries to mix in publicity campaigns aimed at pushing users to update their PC operating systems and patch weak points.

"ISPs need to encourage users to enable automatic patch updates for their Windows systems, evangelize weekly visits to www.windowsupdate.com and www.officeupdate.com, and offer crosslinking or bundles with the latest antivirus and firewall software vendors," Jeff Hartley, a manager of security and abuse for Cox, said in an e-mail statement.

Local phone giants, which are the largest suppliers of digital subscriber line (DSL) access, also face similar problems. Verizon Communications, the largest local phone company in the United States, takes a more user-centric approach. It suspends subscriber accounts only in "egregious" instances of spam abuse, but mainly tries to prod its users into taking action.

"We can't sit there and say: 'You're spamming--we're going to knock you off the wire,'" said Scott Lebredo, a senior technical manager for Verizon Online. "It's your access, you're responsible for it, but you must be educated about how to combat it."

Whose fault is it anyway?
Still, the question remains whether the techniques being implemented by broadband ISPs are enough. Some say the onus is on ISPs, which should play a role in protecting their networks for the greater good of their subscribers and the Internet at large. Critics say ISPs should manage their networks to ensure all users are safe.

"I wouldn't expect to boil my own water, I expect it to be treated upstream," said Mark Sunner, the chief technology officer at Message Labs, which sells a virus-detection service for corporate networks. "The correct groundswell needs to be focused on the Internet level, where you can be proactive rather than reactive."

ISPs point out that excessive monitoring could have damaging consequences for their business. To stop viruses from spreading, they could take the extreme measure of scanning their subscriber in-boxes and PC hard drives to make sure users are not unknowingly harboring malicious viruses. However, ISPs fear taking this tack would jeopardise user privacy.

"It would be very unfriendly to scan customers' machines," said Mary Youngblood, the manager of the abuse team at ISP EarthLink. "It would be deemed by some people as a privacy violation."

America Online, the US's largest dial-up ISP, has dealt with virus and spam issues for many years and has taken different approaches to battling the problem. AOL frequently suspends accounts that may have been infected and forces subscribers to call customer service to fix the problem. It also restricts the amount of outgoing mail each member can send, among other techniques.

"It should not be our responsibility, but AOL has been a good Netizen," AOL spokesman Nicholas Graham said. "It's a joint responsibility between providers and consumers."

Where the balance of that responsibility falls will continue to shift as new variants of viruses continue to emerge and wreak havoc. Right now, it seems virus writers have had an easy time exploiting a large-enough loophole to keep everyone pointing fingers.

"You can't expect (ISPs) to take on the task of keeping everyone virus-free, because if they did that, their costs would skyrocket," said Lurhq's Stewart. "It really falls on each individual user to be responsible. But unfortunately, people aren't up to the task technically."

CNET News.com's Robert Lemos contributed to this report
