HP3000-L Archives

December 2005, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Matthew Perdue <[log in to unmask]>
Date: Fri, 16 Dec 2005 11:06:47 -0600
The offending party gets their Internet connectivity from some company (called
an "upstream ISP"). Most if not all agreements with upstream ISP providers have
requirements to investigate the source of any complaints they receive, including
complaints of abuse (email laden with a virus, denial of service attacks,
spamming, downloading copyrighted material, etc.). If the downstream user does
not investigate and address the complaint, the contracts provide for their
service to be terminated.

I've had to investigate spam email, viruses and downloading of copyrighted
material (Sony Music and Sony Pictures Entertainment (movies)). In each case
the ultimate action that was taken was to terminate the account of the offender
after (the generally required) two warning notices. If I had not closed the
account of the offending party, my bulk Internet access account could have been
terminated.

Use the reverse lookup at http://www.arin.net/whois/index.html using the IP
address in the email to determine who owns the IP address block where the email
came from. You may have to search down several levels as bulk providers sub
divide the address blocks to other downstream providers. When you find the
contact for the lowest level of the address block you're looking for, contact
the administrative or other designated contact in the ARIN information about
the problem. If you do not receive a satisfactory result within a few days,
contact their upstream provider and so on, until you get the offending action
stopped.

The bulk providers such as Time-Warner, Sprint, El Paso Global Networks (EPGN),
BBN Planet, XO Communications, etc. all have abuse policies that require the
downstream providers to stop the offending activity or their service will be
terminated.

I've found that if the problem is coming from a company, the management at that
company generally doesn't want their connectivity terminated due to a single or
a few users sending out problem emails.

Good luck and also, it shouldn't take too long to get the problem resolved.

Quoting Greg Stigers <[log in to unmask]>:

> I'm curious what others would do in my situation. I've described how I can
> try to find the sender of a viral email, which I should disclaim may be
> useless to identify dial-up users, although if they send a legitimate email
> from their transient IP address, I have them. That said, having identified
> an infected user, or his or her employer, then what? Who do we notify, and
> how?
>
> The two options are being discussed. One is to have our recipient notify the
> sender that his or her PC is infected, and let the user seek whatever help
> can be had from IT. The other is for me as the system admin to attempt to
> identify the IT contact by whois or other means, or contact the infected
> user, at my discretion, offering the emails as evidence, and some level of
> assistance. There are probably other options, and I would welcome hearing
> them.
>
> There is also the question of where to draw the line. Do we assume that our
> AV is sufficient, and only respond if an affected user complains about
> receiving the denatured viral email? Do we only notify business partners,
> and for instance wash our hands of the problem if the infected sender is a
> friend, relative, or incidental business contact with whom we have no
> particular relationship (with a shrug to all those vendors who have
> contacted us on their own initiative)?
>
> Greg Stigers

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
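The lookup-and-escalate procedure described in the reply above (pull the originating IP out of the message, find the most specific address block it belongs to, contact that block's abuse or administrative contact, then move up to the parent allocation) as an added worked example; this is not code from the original post. It assumes ARIN's RDAP service at https://rdap.arin.net/registry/ip/<ip>, the successor to the whois web form cited in the post, and runs offline: the sample message, the block names, the addresses (RFC 5737 documentation space) and the RDAP objects are all constructed for illustration.

```python
# Added example for the procedure in the post above (not code from the
# original message). Assumes ARIN's RDAP service, the successor to the whois
# web form cited there; sample mail and RDAP objects below are constructed.
import email
import ipaddress
import re
from email import policy

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # [a.b.c.d] in Received

# Never identifies an outside party. Kept as an explicit list because the
# sample uses RFC 5737 documentation space, which ipaddress marks non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: our MX recorded the public relay that connected to it;
# the hop below that was written by the sender's side and could be forged.
SAMPLE_MAIL = """\
Received: from relay.example.net ([203.0.113.45])
\tby mx.example.org with ESMTP id k3Q5d7; Fri, 16 Dec 2005 11:01:02 -0600
Received: from desktop7 (unknown [192.168.1.22])
\tby relay.example.net with SMTP; Fri, 16 Dec 2005 10:59:50 -0600
From: someone@example.net
To: you@example.org
Subject: Re: your document

(infected attachment omitted)
"""

def originating_ip(raw_message):
    """First non-internal IP walking Received headers top-down: only the
    topmost header was written by a server we control, so stop at the first
    public address instead of trusting the deepest (forgeable) hop."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for received in msg.get_all("Received", []):
        for literal in IP_RE.findall(str(received)):
            addr = ipaddress.ip_address(literal)
            if not any(addr in net for net in INTERNAL_NETS):
                return str(addr)
    return None

def rdap_url(ip):
    return f"https://rdap.arin.net/registry/ip/{ip}"

def contact_emails(doc, role):
    """E-mails of entities holding `role`; vCard props are [name, params, type, value]."""
    return [prop[3] for ent in doc.get("entities", []) if role in ent.get("roles", [])
            for prop in ent.get("vcardArray", ["vcard", []])[1] if prop[0] == "email"]

def escalation_chain(ip, fetch):
    """Most specific allocation first, then each parent via the RDAP 'up'
    link: the order in which the post says to escalate."""
    chain, url, seen = [], rdap_url(ip), set()
    while url and url not in seen:
        seen.add(url)
        doc = fetch(url)
        if doc is None:
            break
        chain.append({"name": doc.get("name"),
                      "range": f"{doc['startAddress']}-{doc['endAddress']}",
                      "contacts": contact_emails(doc, "abuse")
                                  or contact_emails(doc, "administrative")})
        url = next((lk["href"] for lk in doc.get("links", []) if lk.get("rel") == "up"), None)
    return chain

# Constructed RDAP objects: a /24 sub-delegated to a customer and the
# provider's covering /22 above it. Names and addresses are invented.
CHILD_URL = "https://rdap.arin.net/registry/ip/203.0.113.0/24"
PARENT_URL = "https://rdap.arin.net/registry/ip/203.0.112.0/22"
RDAP_DOCS = {
    CHILD_URL: {"name": "DOWNSTREAM-CUSTOMER",
                "startAddress": "203.0.113.0", "endAddress": "203.0.113.255",
                "entities": [{"roles": ["abuse"], "vcardArray": ["vcard",
                    [["email", {}, "text", "abuse@downstream.example.net"]]]}],
                "links": [{"rel": "self", "href": CHILD_URL},
                          {"rel": "up", "href": PARENT_URL}]},
    PARENT_URL: {"name": "UPSTREAM-PROVIDER",
                 "startAddress": "203.0.112.0", "endAddress": "203.0.115.255",
                 "entities": [{"roles": ["administrative"], "vcardArray": ["vcard",
                     [["email", {}, "text", "noc@upstream.example.com"]]]}],
                 "links": [{"rel": "self", "href": PARENT_URL}]},
}

def offline_fetch(url):
    """Stand-in for a live GET (Accept: application/rdap+json): a single-address
    query resolves to the smallest constructed block containing it, as the
    real service does."""
    if url in RDAP_DOCS:
        return RDAP_DOCS[url]
    ip = ipaddress.ip_address(url.rsplit("/", 1)[1])
    lo = lambda d: ipaddress.ip_address(d["startAddress"])
    hi = lambda d: ipaddress.ip_address(d["endAddress"])
    covering = [d for d in RDAP_DOCS.values() if lo(d) <= ip <= hi(d)]
    return min(covering, key=lambda d: int(hi(d)) - int(lo(d))) if covering else None
```

`escalation_chain(originating_ip(SAMPLE_MAIL), offline_fetch)` yields the customer /24 with its abuse mailbox first and the provider's /22 second, which is the notify-then-escalate order the post describes. For a real lookup, replace `offline_fetch` with a function that does an HTTP GET on the URL with the header `Accept: application/rdap+json` and returns the parsed JSON (or use `whois -h whois.arin.net <ip>` by hand). Two caveats the code encodes: only the topmost Received header is trustworthy, so everything below the first public hop is treated as the sender's unverified claim, and a chain that stops because no block covers the address or the `up` link is missing is reported as-is rather than guessed.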
