We are now well into day four and about to enter day five of this. As of about 9PM EST the mail-bombing of world.std.com by the Sprint client iq-internet.com continues full bore. It had stopped between about 8AM EST until about 8PM EST Sunday 1/5/97 and then restarted leading me to believe someone at iq-internet.com manually restarted the mail-bombing. There is no reason to believe there were any 12 hour connectivity problems between us or similar external explanations, someone at iq-internet.com most likely noticed it had stopped and restarted it. Sprint's position (explained to me at around 8:45PM EST when I called to report this status, also emailed Sprint the logs) is that they will meet during business hours tomorrow (Monday 1/6/97) to discuss this issue. To save hearing the obvious suggestions etc again, increasing traffic on these lists here is a brief FAQ: Q1. Are you (std.com) a Sprint customer? A1: No, we are not. Q2: Why don't you just block it at your router? A2a: It's effectively blocked at our host, which no doubt is faster than the router anyhow (a 16 cpu SGI Challenge XL w/ 1.5GB ram), but this gives me full logs. A2b: Note that blocking it at the router does nothing to free up our bandwidth to the internet we are trying to provide to our customers. Since the path between our router and world.std.com is a 100mb/s FDDI letting it go that one more hop is inconsequential to the harm being done. Q3: Ok, why don't you ask your provider (Alternet) to block it? A3a: A lot of this has to do with Sprint's reluctance to deal with their customer in any timely manner (four days, including two weekdays, would seem sufficient for them to simply put one route block in at iq-internet.com's router.) I want the logs for now, I want the bigger problem which seems to prevent Sprint front-line NOC personnel from fixing operational problems fixed. Burying it as another router block at our end or our backbone provider's end doesn't deal with the real problem here, that Sprint has policies in place preventing them from dealing with malicious, disruptive and damaging customers. A3b: Yes Alternet has offered to do this as soon as I request it. Q4: Why don't you email bomb, SYN attack, etc the host doing this to you? A3: Although I have sent a lot of email to a lot of accounts at the host periodically asking them to stop I don't think malicious behavior will help get to the root problem here which is Sprint's policies forbidding their personnel from intervening into even the most egregious and outrageous abuse of network facilities without self-defeating and lengthy bureaucratic process (I think that's a fair characterization as we go into the FIFTH day of this.) Q5: Ok, why don't you redirect it to addresses at sprint or mailbomb them or something similar to get their attention? A5: Again, self-defeating. But it is nice to know the people who are empowered to make this decision are enjoying *THEIR* weekend. Q6: Do you believe this is an isolated incident or a real failure in policy at Sprint? It seems fairly outrageous that they can't stop a customer whose behavior is so malicious, it doesn't seem possible that the customer doesn't know that this has gone way beyond "spam". A6: I believe this is a total failure of express Sprint policy and not an isolated incident in any way. I have been told many times now by Sprint personnel (at their NOC) that official policy forbids them from acting against this mail-bombing and there exists no process to get a decision made otherwise which takes less than the five days it looks like it is going to take (eg, there's no single manager they can call who has the authority to order the route block or some action be taken, or these people feel they can put such decision-making off until it is convenient for them personally.) Q7: Well, I can see Sprint's reluctance to block this loathsome creature entirely from the net without some process, these are litigious times, but you're saying Sprint refuses to even block the single route between iq-internet.com (the mail-bomber) and your host? Is there any legitimate reason for this site to be able to get to your host? A7: Yes, I am saying that Sprint policy is such that their personnel is not authorized to install even one route block without lengthy bureaucratic process taking several days. Q8: Why do you think this is so? A8a: Because there is an atmosphere of fear, essentially, at Sprint's NOC and their personnel have been completely unempowered from taking operational actions they know are required of them to operate within the greater internet. Essentially, they (Sprint policy-makers) apparently believe that any damage to the greater internet or any host or site is less important than their ability to run internal bureaucratic process at whatever pace and using whatever management style which suits them. A8b: As far as I can tell once they identify a customer as a "spammer" then they can take no action against him, no matter what the actual behavior is. At this point this is clearly an operational/technical problem, the "spam" has been blocked for four days now, the spammer has been told this, yet messages are still being looped from his machine almost non-stop. It is only via some bizarre exercise in "mind-reading" that someone, in my opinion, could surmise that the perpetrator's intention is to deliver advertising to mailboxes at our site. Yet, Sprint personnel are not empowered to do anything about this without lengthy internal process. Q9: Wow, this is quite outrageous, I'd go so far as to say "scary". Many of us sit here naively thinking that large companies such as Sprint selling internet services basically do their jobs within some reasonable range of quality, but this sounds like a very deep and worrisome failure of management at Sprint. How can any network emergencies be taken care of if they won't let their front-line NOC personnel take any operational responsibility, and it takes days and days to escalate internally what seem to be relatively straightforward problems with straightforward solutions which really should be dealt with quickly, in minutes, or certainly a very few hours? A9: No comment. -- -Barry Shein Software Tool & Die | bzs@world.std.com | http://www.std.com Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD The World | Public Access Internet | Since 1989