IP spoofing and spamming

Please no religionics. Part of the below is true - part is what will happen
in the near future:

I have a spammer I am trying to block. He is multihomed to me and ISP X.
He has address a.b.c.d from me and address a.b.c.e from ISP X. Users
started seeing spams from a.b.c.e and complained to ISP X. He shut off SMTP
to the customer but the spamming continued. Turns out the user defaults out
to me no matter what, so his address was a.b.c.e when coming out of me. For
me that is a spoofed address. I then go to block his spoofed address. User
then says, it is a valid address and I have no business blocking his IP
addresses, whether he has them from me or ISP X. I then say I'll block SMTP
and the user says, "show me one letter from a user on the Internet
complaining to you that I am spamming". Since his dns is located elsewhere
and since the IP addresses are not mine, the users aren't complaining to me
- but to ISP X and perhaps ISP Y (providing him secondary DNS service). All
the ISP X & Y attempts to shut out the spam aren't effective due to the
multihoming.

What do we do in these cases?

Thanks,
Hank

Are you under any contractual obligation to transit that IP
  address? The user in question seems to think you are, but you
  should check that as well; most contracts that I've seen do
  not mention multihoming specifically, and this could be the
  perfect loophole for you to use while you give him the 30 days
  notice or whatever it takes to disconnect him completely.

Shut him off.

The bottom line is this:
  You have no obligation to accept traffic from anyone - unless you
  have a contract to the contrary.

  If you have a contract to the contrary, and don't have in there
  provisions sufficient to prevent spamming, then you're negligent
  and deserve what you get (including blocked by others who get tired
  of you being a spam-source).

The Internet works because people don't abuse others' resources. If people
abuse my resources, I stop allowing the abuse. If they threaten to sue, I
laugh and tell them to go right ahead. We write our contracts so that we
can shut off people who spam, even on the first offense.

We also enforce those policies and DO shut off people who spam. I simply
don't want their money - regardless of how much they pay, they cost me more
than they bring in when all is said and done. This is true REGARDLESS of
who the customer is.

We further insist that OTHERS who want to talk to us not abuse our resources.

Those who can't fathom this deserve to be firewalled off from each and every
service they abuse. If the abusers turn to denial of service attacks and/or
deliberate attempts to raise others' costs of doing business (rather than
communicating), then dropping BGP sessions and/or refusing announcements
from that ASN are appropriate as well.

You don't *HAVE* to put up with it. If you do, from your customers or
others, it's a *choice*.

That *choice* has consequences.

The 'Net only works because people don't do abusive things. If the norm
becomes doing abusive things then there will be explicit permission
filters in routers and on services rather than denial filters.

Do you really want to live on a network like that? I don't.

Terminate his feed. End of story.

Stephen Dolloff
(sysadmin@mc.net)

What does your contract say you can do? First and foremost
contact your legal department to ensure that you can cut
service within the parameters of the contract, or your
company can defend itself for terminating the contract
without cause.

Contact ISP X and ask for any complaints surrounding the
customer in question. Explain the situation to them, they
should be cooperative. If not, have your legal folks nag them.

What does your Acceptable Use Policy state in the area
of spamming, forged addresses, etc? If nothing, MODIFY IT
NOW.

Once you have a copy of some complaints (either directly or
from ISP X), that should be enough to take direct action.

Dale

  "Si Hoc Legere Scis Nimium Eruditionis Habes"

> to the customer but the spamming continued. Turns out the user defaults out
> to me no matter what, so his address was a.b.c.e when coming out of me. For
> me that is a spoofed address. I then go to block his spoofed address. User
> then says, it is a valid address and I have no business blocking his IP
> addresses, whether he has them from me or ISP X. I then say I'll block SMTP

Tell him you do ingress filtering on all your leased lines "for security
reasons" to prevent IP spoofing, smurf, etc. Since it's done "for
security reasons" tell him an exception is out of the question. Also, ask
him where it is written that you must accept unwanted IP traffic? The
internet is a collection of interconnected autonomous networks, most of
which are under no obligation to accept packets from anyone.

> complaining to you that I am spamming". Since his dns is located elsewhere
> and since the IP addresses are not mine, the users aren't complaining to me
> What do we do in these cases?

Show him your AUP, which was hopefully included as part of the contract
with him. Hopefully, it has something like:

3.7 The account holder agrees to not, under any circumstances, post
messages to newsgroups, mailing lists, or similar public forums if any of
said forums pertain to subjects not directly related to the main topic of
the posting or if the posting would be considered inappropriate for any
other reason. This applies to both business and non-business oriented
postings. Such postings will be considered abuse of FDT systems services.
(See 7.0)

3.7a The account holder agrees to not, under any circumstances, send
unsolicited mass emailings from any Internet account (at FDT or
elsewhere), nor to use FDT services for the collection or distribution of
address lists to be used for such purposes. The account holder agrees to
not, under any circumstances, associate FDT with any such mass mailings.

7.5 FDT accounts which are locked or terminated as a result of violations
of this agreement or any applicable laws will not be eligible for any
monetary refund, and may be subject to additional administrative charges.

This is part of FDT's AUP (www.fdt.net/AUP) which I lifted from another
ISP long ago and have modified a lot. It was not written by an attorney
and could probably use better legalese, but it at least gets the point
across so customers can't act totally shocked when I delete their account
for spamming. I actually do have a lawyer edited version, which I've not
gotten around to adopting yet.
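
The ingress filtering suggested in the reply above, sketched as an added example (not code from anyone in this thread): each customer line forwards only packets whose source falls inside the prefixes assigned to that line, so the ISP X address leaving through the other provider is dropped and counted. Interface names, prefixes (documentation ranges standing in for a.b.c.d and a.b.c.e) and flow records are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed data: 192.0.2.0/28 stands in for the block we assigned to
# the multihomed customer; 203.0.113.9 stands in for his ISP X address.
ASSIGNED = {
    "serial0/1": ["192.0.2.0/28"],      # multihomed customer, our block only
    "serial0/2": ["198.51.100.0/24"],   # another customer
}

# Constructed flow records: (ingress interface, source IP, destination port)
FLOWS = [
    ("serial0/1", "192.0.2.5", 80),
    ("serial0/1", "203.0.113.9", 25),   # ISP X address leaving via our line
    ("serial0/1", "203.0.113.9", 25),
    ("serial0/2", "198.51.100.77", 25),
    ("serial0/2", "10.1.2.3", 53),      # source outside the assigned block
]

def build_filters(assigned):
    """Turn per-interface prefix strings into ip_network objects."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assigned.items()}

def permitted(filters, ifname, src):
    """Ingress rule: a source is valid only if it lies inside a prefix
    assigned to the interface the packet arrived on. An interface with
    no entry has no valid sources, so everything from it is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in filters.get(ifname, []))

def apply_ingress_filter(filters, flows):
    """Return (forwarded flows, Counter of dropped (ifname, src, dport))."""
    forwarded, dropped = [], Counter()
    for ifname, src, dport in flows:
        if permitted(filters, ifname, src):
            forwarded.append((ifname, src, dport))
        else:
            dropped[(ifname, src, dport)] += 1
    return forwarded, dropped

if __name__ == "__main__":
    fwd, drops = apply_ingress_filter(build_filters(ASSIGNED), FLOWS)
    for (ifname, src, dport), n in drops.most_common():
        print(f"drop {n}x on {ifname}: src {src} dport {dport}")
```

The drop counters double as a record of which line is emitting out-of-prefix sources, which is the evidence the other provider's abuse desk cannot see from its side.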