A twist we saw spammers using on dialup accounts in Miami could come to cyber cafes and could be ugly. They were dialing in and then using the IP address to send spam out some other connection elsewhere where RPF wasn't in use. The return packets all came back on their dialup into us, but bypassed our filters that were then only on outbound packets. Since these were wholesaled dial ports, we know there are no valid servers customers needed in RIPE annd APNIC blocks and in long ACLs blocking various MSN servers, AND we know the dialup user's account. In a free cafe, you know none of that. Having an inbound mirror image of the outbound ACL helped initially, and then a coworker crafted a reflexive access list that really stopped them. Inbound packets had to have matching outbound ones or were tossed. We had visions of their finding a $spam$ friendly ISP that would sell them a SPAM OC-3 as long as he got no spam complaints. It could have served many spam machines running with dynamic IPs from many different ISPs and many user accounts on each - all at once. In the free cyber cafe that does not NAT and that does not know who the users are, there is potential for similar abuse.