Announcement: February 20th, 2002

Hello everyone,

Right around Valentine's Day, the Rogers "End User Agreement Team" began sending e-mails to subscribers running servers, threatening to disrupt service for those who don't comply with their order to "remove all servers immediately". Whether users are running casual servers, or are abusers, doesn't appear to matter to Rogers. Bell has apparently taken similar action with its subscribers.

[E-mail From Rogers's EUA Team]

Here is the standard text from one of these e-mails:

"Dear Subscriber:
It has been brought to our attention that your provisioned IP address
(24.xxx.xxx.xxx) is being used to operate a server on the Rogers network
(please see the bottom of this notice).
Please be advised that all servers are a violation of section 7.(k) of our
End User Agreement and Acceptable Usage Policy:
7. Use of Rogers. You agree to comply with those policies regarding
permitted and prohibited uses of Rogers as may be posted by Rogers on
the Rogers website from time to time (the "Acceptable Use Policy" or
"AUP"). Without limiting the generality of the foregoing, you agree that
you will not use the Equipment or the Service to, directly or indirectly:
 (k) operate a server in connection with Rogers including but not
     limited to mail, news, file, gopher, telnet, chat, web, or host
     configuration servers, multimedia streamers, or multi-user interactive forums.
Your account will be checked in the future.  To avoid any interruption in
service, please remove all servers immediately while connected to the Rogers
network.
Thank-you for your assistance with this matter.
Sincerely,
Rogers
End User Agreement Team
http://rogers.home.com/help/content/download/rh_policies/
Response to connection to IP 24.xxx.xx.xx: 220 Serv-U FTP-Server v2.5 for
WinSock ready...
IP found behind modem Serial#: xxxxxxxxxxxx
Found on: xx/xx/2002"

[RBUA Policy On Server Usage]

Our stance on server usage has always been that "casual" servers are allowed to be run in conjunction with any and all broadband internet services. A casual server is defined as one that is private (i.e. non-advertised), low bandwidth (particularly during peak hours), carries only legal material, and is secured against outside intrusion. Here is an even clearer and more in-depth description, listed at https://www.rbua.org/announce/11-09-01.php:
  • "DHCP will not, in any way, hinder your ability to run a server. Just keep in mind that Rogers doesn't trust us subscribers to run our own servers. This is actually quite understandable, given the amount of carnage I've borne witness to, caused by misconfigured servers. Some that I've come across were, unfortunately, just downright abusive, run by a few of our well-meaning, but clueless compatriots. Please allow me to stress that unless you know exactly what you're doing, don't attempt to run a server on your connection. Revisiting an old issue, if you do want to run a server, you must take a number of precautions before and while running the server:
    • First off, make sure that it doesn't contain security holes that are wide enough for a truck to be driven through. Look up all the latest exploits for your server and plug them up with the latest patch(es). This is especially important if you are running some of Microsoft's server software, such as their web server, IIS.
    • Second, take the time to configure it correctly. If you don't even know how to configure it, don't run it first and ask questions later. Learn what you need to know before you place the server online. Also, it's generally a good idea to restrict access to your server, so only people you know can gain access to it. For instance, if you run an SMTP (outgoing mail) server and some stranger ends up spamming 10000 messages through you, Rogers will take you down and we wouldn't be able to help you.
    • Third, be very mindful of how much bandwidth is used by your server, and at what times during the day and night it is most active. Rogers has stated to us at several points in the past that only "casual" servers are allowed on the R@H service. This is defined as servers that are "low" bandwidth, particularly during peak hours (~4:30 PM to ~1:30 AM EST). Servers must be private (i.e. not advertised on websites, search engines, etc.) and secured against outside intrusion, as detailed in the last two points. Although Rogers has never clearly stated the definition of "low" bandwidth, just being careful about this will ensure that you don't cause any problems and that you don't run into any of them, either. Constant and saturated server activity, though, especially during peak hours, is bound to draw some red flags.
    • Lastly, if you don't understand all of this terminology, or don't know how to perform the above precautionary measures, then I strongly recommend against running any servers at this time. Seriously. You're liable to do more harm, both to your own connection and those of others, than good."

[Service Providers' Rights]

If you follow these rules, neither Rogers, Bell, nor anyone else can make you remove your server(s). They have no legal recourse to do so, unless you have done something that makes you into an "abuser". In that case, you can be disconnected, or have your service disrupted, if you don't heed your service provider's initial warning(s). We, at the RBUA, cannot, and will not, help anyone who is fairly labelled an abuser. Otherwise, we most certainly WILL.

[Rogers Policy Change]

This is a significant change in policy for Rogers, with respect to its internet offering. They said nothing to us about this at our last meeting only a couple of weeks ago on February 5th. They failed to tell this to us on our conference call on November 22nd, 2001. They failed to tell this to us at our August 2001 meeting and our April 2001 meeting. Or even at the September 2000 meeting. In fact, the last time this subject was even mentioned was at the June 9th, 1999 meeting. Please see item 16 "Recent changes in the Rogers @Home EUA" at https://www.rbua.org/meetings/mgtmtg2.php to understand exactly what was said at that meeting. This recent action from Rogers is a complete, 180-degree turn from their prior stance on casual server usage.

[Request For Comment From Rogers Management]

The RBUA has asked for Rogers management to comment on this issue, both on Friday of last week and Tuesday of this week. We have yet to receive any sort of response and will certainly post it if we receive it. We definitely would like that response before our conference call with management, to take place in a week's time.

[Request For Comment From Subscribers Who've Experienced Service Disconnection]

We ask that every single subscriber, irrespective of service provider, e-mail us IMMEDIATELY at servers@rbua.org if you've experienced a service disconnection as a result of failing to comply with this, or any other messages forbidding you from running casual servers, as per our definition above. While you're at it, please also copy the same message as a complaint in our form at https://www.rbua.org/members/complaint.php. Please include the message(s) you've received from your service provider, along with the IP address of the scanning computer, if you have it. Multiple submissions, covering each separate disconnection, are greatly encouraged and helpful. We want to hear from Rogers and Bell (Sympatico HSE) subscribers, specifically, but all responses are very welcome and greatly appreciated. You help not only yourself by providing us with an account of your disconnection(s), but potentially hundreds of thousands of your fellow subscribers. We are very interested in seeing if Rogers and others actually follow through with their threats of disconnection. If so, and you've done nothing to warrant those threats, we will take swift action against the service provider(s) in question.

[Circumvention Of Rogers Scans - Other Providers To Follow]

Circumvention is child's play. If you're intelligent enough to run a casual server, then you certainly have the skills to prevent your service provider from detecting any casual servers you may be running (with the exception of SMTP and POP, of course). There are two methods:
  1. Rogers scans only on standard ports, so run your server on a non-standard port. I, myself, have always run a casual FTP server on a non-standard port (although I just changed it to run on the standard port again). As an example, if you run an FTP server don't run it on the standard port 21. Instead, run it on any port between 5000 and 32000. The same goes for HTTP, peer-to-peer (Gnutella, Morpheus, Kazaa, etc.), games, IRC, ICQ (yes, this is a server) and just about anything else you can think of. Run your server in the 5000-32000 range and you can't possibly be detected. Of course, if you're an abuser you definitely will be detected due to your bandwidth usage, or complaints generated from outside individuals and/or organizations. Don't abuse and you'll be just fine.
  2. Rogers scans from a number of IP addresses, so just block them with your firewall. The machine used in the majority of the scanning thus far has been authorized-scan.cs.rogers.wave.ca, or 24.112.32.106. Block it and enable logging so that you have a record of their scanning you. Those of you who don't run firewalls won't know this, which is all the more reason you should install one ASAP. Rogers, without a doubt, has more of these scanning machines. We will find them all and post them for subscribers who wish to block their scans. The same goes for Bell and other providers. Further announcements will be made when these machines' IP addresses are revealed. Install a personal firewall today. They block trojan horse viruses and server scanning from your service provider, which are looking more and more like the same thing these days.
Lastly, keeping with my request for comments from disconnected subscribers above, I ask that all RBUA members put these circumventions on hold for now, until they are at least disconnected on several separate occasions. Please tell us about each occurrence, as it happens. Circumvention, although fine and dandy, does not address the root problem here. I posted these circumvention methods mainly to show how absolutely pointless and illogical this scanning really is. If the scanning method can be broken so easily by the very people Rogers and others are targeting, then why perform it in the first place? Don't hide from these scans. Resist. RESIST!
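Point 2 above asks subscribers to enable firewall logging so they have a record of being scanned, and the request-for-comment section asks for the scanning computer's IP address. The following Python script is an added example, not part of the original announcement or any RBUA tool: it reads firewall drop records in a constructed log format (every personal firewall logs differently, so adapt the regular expression), groups them by source address, and flags the scanning host named above (24.112.32.106) as well as any unknown host that walks several service ports in one visit.

```python
import re
from collections import defaultdict

# Scanning host named in the announcement (authorized-scan.cs.rogers.wave.ca).
KNOWN_SCANNERS = {"24.112.32.106": "authorized-scan.cs.rogers.wave.ca"}

# Constructed log format (every personal firewall logs differently):
#   <date> <time> DROP TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(r"^(\S+ \S+) DROP TCP ([\d.]+):\d+ -> [\d.]+:(\d+)$")

def parse_line(line):
    """Return (timestamp, source ip, destination port), or None if not a drop record."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def summarize(lines):
    """Group dropped connections by source address: ports probed, first/last seen."""
    by_src = defaultdict(lambda: {"ports": set(), "first": None, "last": None})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines the firewall wrote that are not drop records
        ts, src, dport = parsed
        rec = by_src[src]
        rec["ports"].add(dport)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(by_src)

def flag_scanners(summary, min_ports=3):
    """Flag a source if it is a known scanner host, or if it probed several distinct
    service ports (an ordinary visitor rarely touches ftp, smtp, web and telnet)."""
    flagged = {}
    for src, rec in summary.items():
        if src in KNOWN_SCANNERS:
            flagged[src] = "known scanner (%s)" % KNOWN_SCANNERS[src]
        elif len(rec["ports"]) >= min_ports:
            flagged[src] = "probed %d ports %s" % (len(rec["ports"]), sorted(rec["ports"]))
    return flagged

# Constructed sample log: the scanner walks ports 21/25/80/23; a second host makes
# a single FTP attempt, which is normal traffic rather than a scan.
SAMPLE_LOG = """\
2002-02-18 21:14:03 DROP TCP 24.112.32.106:4210 -> 24.0.0.1:21
2002-02-18 21:14:03 DROP TCP 24.112.32.106:4211 -> 24.0.0.1:25
2002-02-18 21:14:04 DROP TCP 24.112.32.106:4212 -> 24.0.0.1:80
2002-02-18 21:14:04 DROP TCP 24.112.32.106:4213 -> 24.0.0.1:23
firewall started at 2002-02-18 20:59:00
2002-02-18 22:02:17 DROP TCP 10.9.8.7:1033 -> 24.0.0.1:21
""".splitlines()
```

Running `flag_scanners(summarize(SAMPLE_LOG))` reports the Rogers host with its name and its first/last timestamps, which is exactly the record a subscriber would attach to a complaint.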

[Final Comments]

The Residential Broadband Users' Association views this issue with the utmost seriousness and gravity. Disallowing subscribers from running casual servers on THEIR OWN COMPUTERS, in light of the fact that the servers aren't affecting their fellow subscribers' service, is vile, draconian and totally unnecessary. This action serves no purpose, except to annoy, anger and irritate subscribers who follow their end user agreements to the letter. The mere act of scanning for casual servers, without just cause, is viewed no differently by us. I, as President and Technical Director of the RBUA, provide my personal assurances that the service providers in question will answer for their actions and be held fully accountable for them. That's it, for now.

Regards,

Chris Weisdorf

President and Technical Director,

Residential Broadband Users' Association

Content on site ©1999-2005 Residential Broadband Users' Association.