
Please no religionics. Part of the below is true - part is what will happen in the near future:
I have a spammer I am trying to block. He is multihomed to me and ISP X. He has address a.b.c.d from me and address a.b.c.e from ISP X. Users started seeing spams from a.b.c.e and complained to ISP X. He shut off SMTP to the customer but the spamming continued. Turns out the user defaults out to me no matter what, so his address was a.b.c.e when coming out of me. For me that is a spoofed address. I then go to block his spoofed address. User then says, it is a valid address and I have no business blocking his IP addresses, whether he has them from me or ISP X. I then say I'll block SMTP and the user says, "show me one letter from a user on the Internet complaining to you that I am spamming". Since his dns is located elsewhere and since the IP addresses are not mine, the users aren't complaining to me - but to ISP X and perhaps ISP Y (providing him secondary DNS service). All the ISP X & Y attempts to shut out the spam aren't effective due to the multihoming.
What do we do in these cases?
Thanks, Hank

On Oct 29, Hank Nussbacher <hank@ibm.net.il> wrote:
I have a spammer I am trying to block. He is multihomed to me and ISP X. He has address a.b.c.d from me and address a.b.c.e from ISP X. Users started seeing spams from a.b.c.e and complained to ISP X. He shut off SMTP to the customer but the spamming continued. Turns out the user defaults out to me no matter what, so his address was a.b.c.e when coming out of me. For me that is a spoofed address. I then go to block his spoofed address. User then says, it is a valid address and I have no business blocking his IP addresses, whether he has them from me or ISP X. I then say I'll block SMTP and the user says, "show me one letter from a user on the Internet complaining to you that I am spamming". Since his dns is located elsewhere and since the IP addresses are not mine, the users aren't complaining to me - but to ISP X and perhaps ISP Y (providing him secondary DNS service). All the ISP X & Y attempts to shut out the spam aren't effective due to the multihoming.
Are you under any contractual obligation to transit that IP address? The user in question seems to think you are, but you should check that as well; most contracts that I've seen do not mention multihoming specifically, and this could be the perfect loophole for you to use while you give him the 30 days notice or whatever it takes to disconnect him completely.
*********************************************************
J.D. Falk voice: +1-650-482-2840
Supervisor, Network Operations fax: +1-650-482-2844
PRIORI NETWORKS, INC. http://www.priori.net
"The People You Know. The People You Trust."
*********************************************************

On Wed, Oct 29, 1997 at 03:11:21AM +0200, Hank Nussbacher wrote:
Please no religionics. Part of the below is true - part is what will happen in the near future:
I have a spammer I am trying to block. He is multihomed to me and ISP X. He has address a.b.c.d from me and address a.b.c.e from ISP X. Users started seeing spams from a.b.c.e and complained to ISP X. He shut off SMTP to the customer but the spamming continued. Turns out the user defaults out to me no matter what, so his address was a.b.c.e when coming out of me. For me that is a spoofed address. I then go to block his spoofed address. User then says, it is a valid address and I have no business blocking his IP addresses, whether he has them from me or ISP X. I then say I'll block SMTP and the user says, "show me one letter from a user on the Internet complaining to you that I am spamming". Since his dns is located elsewhere and since the IP addresses are not mine, the users aren't complaining to me - but to ISP X and perhaps ISP Y (providing him secondary DNS service). All the ISP X & Y attempts to shut out the spam aren't effective due to the multihoming.
What do we do in these cases?
Thanks, Hank
Shut him off.
The bottom line is this: You have no obligation to accept traffic from anyone - unless you have a contract to the contrary. If you have a contract to the contrary, and don't have in there provisions sufficient to prevent spamming, then you're negligent and deserve what you get (including blocked by others who get tired of you being a spam-source).
The Internet works because people don't abuse others' resources. If people abuse my resources, I stop allowing the abuse. If they threaten to sue, I laugh and tell them to go right ahead.
We write our contracts so that we can shut off people who spam, even on the first offense. We also enforce those policies and DO shut off people who spam. I simply don't want their money - regardless of how much they pay, they cost me more than they bring in when all is said and done. This is true REGARDLESS of who the customer is.
We further insist that OTHERS who want to talk to us not abuse our resources. Those who can't fathom this deserve to be firewalled off from each and every service they abuse.
If the abusers turn to denial of service attacks and/or deliberate attempts to raise others' costs of doing business (rather than communicating), then dropping BGP sessions and/or refusing announcements from that ASN are appropriate as well.
You don't *HAVE* to put up with it. If you do, from your customers or others, it's a *choice*. That *choice* has consequences.
The 'Net only works because people don't do abusive things. If the norm becomes doing abusive things then there will be explicit permission filters in routers and on services rather than denial filters. Do you really want to live on a network like that? I don't.
--
--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service
| NEW! K56Flex modem support is now available
Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines!
Fax: [+1 312 803-4929] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

I'm no lawyer, but I'd do the following:
* Have an AUP that has something akin to the following paragraph:
If you spam, either through us or through another ISP, then your account with us will be terminated with extreme prejudice. You will also be charged <some exorbitant sum of money> for our work in tracking your spam down and repairing our reputation.
Then, you can talk to the other ISP, explain the situation, request that they forward 10 or so of the complaints to you, and boot the idiot.
Granted, I don't know how this would work as far as contract law goes, but it seems to make some amount of sense.
-dalvenjah
Hank Nussbacher put this into my mailbox:
Please no religionics. Part of the below is true - part is what will happen in the near future:
I have a spammer I am trying to block. He is multihomed to me and ISP X. He has address a.b.c.d from me and address a.b.c.e from ISP X. Users started seeing spams from a.b.c.e and complained to ISP X. He shut off SMTP to the customer but the spamming continued. Turns out the user defaults out to me no matter what, so his address was a.b.c.e when coming out of me. For me that is a spoofed address. I then go to block his spoofed address. User then says, it is a valid address and I have no business blocking his IP addresses, whether he has them from me or ISP X. I then say I'll block SMTP and the user says, "show me one letter from a user on the Internet complaining to you that I am spamming". Since his dns is located elsewhere and since the IP addresses are not mine, the users aren't complaining to me - but to ISP X and perhaps ISP Y (providing him secondary DNS service). All the ISP X & Y attempts to shut out the spam aren't effective due to the multihoming.
What do we do in these cases?
--
Dalvenjah FoxFire (aka Sven Nielsen) "Sir, your wit ambles well;
Founder, the DALnet IRC Network it goes easily."
e-mail: dalvenjah@dal.net WWW: http://www.dal.net/~dalvenjah/
whois: SN90 Try DALnet! http://www.dal.net/

Terminate his feed. End of story.
Stephen Dolloff (sysadmin@mc.net)
On Wed, 29 Oct 1997, Hank Nussbacher wrote:
Please no religionics. Part of the below is true - part is what will happen in the near future:
I have a spammer I am trying to block. He is multihomed to me and ISP X. He has address a.b.c.d from me and address a.b.c.e from ISP X. Users started seeing spams from a.b.c.e and complained to ISP X. He shut off SMTP to the customer but the spamming continued. Turns out the user defaults out to me no matter what, so his address was a.b.c.e when coming out of me. For me that is a spoofed address. I then go to block his spoofed address. User then says, it is a valid address and I have no business blocking his IP addresses, whether he has them from me or ISP X. I then say I'll block SMTP and the user says, "show me one letter from a user on the Internet complaining to you that I am spamming". Since his dns is located elsewhere and since the IP addresses are not mine, the users aren't complaining to me - but to ISP X and perhaps ISP Y (providing him secondary DNS service). All the ISP X & Y attempts to shut out the spam aren't effective due to the multihoming.
What do we do in these cases?
Thanks, Hank

What does your contract say you can do? First and foremost contact your legal department to ensure that you can cut service within the parameters of the contract, or your company can defend itself for terminating the contract without cause.
Contact ISP X and ask for any complaints surrounding the customer in question. Explain the situation to them, they should be cooperative. If not, have your legal folks nag them.
What does your Acceptable Use Policy state in the area of spamming, forged addresses, etc? If nothing, MODIFY IT NOW.
Once you have a copy of some complaints (either directly or from ISP X), that should be enough to take direct action.
Dale
"Si Hoc Legere Scis Nimium Eruditionis Habes"
================================================================
Dale Drew MCI Telecommunications
Sr. Manager internetMCI Security Engineering
Voice: 703/715-7058 Internet: ddrew@mci.net
Fax: 703/715-7066 MCIMAIL: Dale_Drew/644-3335
At 09:17 PM 10/28/97 -0600, Stephen Dolloff wrote:
Terminate his feed. End of story.
Stephen Dolloff (sysadmin@mc.net)
On Wed, 29 Oct 1997, Hank Nussbacher wrote:
Please no religionics. Part of the below is true - part is what will happen in the near future:
I have a spammer I am trying to block. He is multihomed to me and ISP X. He has address a.b.c.d from me and address a.b.c.e from ISP X. Users started seeing spams from a.b.c.e and complained to ISP X. He shut off SMTP to the customer but the spamming continued. Turns out the user defaults out to me no matter what, so his address was a.b.c.e when coming out of me. For me that is a spoofed address. I then go to block his spoofed address. User then says, it is a valid address and I have no business blocking his IP addresses, whether he has them from me or ISP X. I then say I'll block SMTP and the user says, "show me one letter from a user on the Internet complaining to you that I am spamming". Since his dns is located elsewhere and since the IP addresses are not mine, the users aren't complaining to me - but to ISP X and perhaps ISP Y (providing him secondary DNS service). All the ISP X & Y attempts to shut out the spam aren't effective due to the multihoming.
What do we do in these cases?
Thanks, Hank

On Wed, 29 Oct 1997, Hank Nussbacher wrote:
to the customer but the spamming continued. Turns out the user defaults out to me no matter what, so his address was a.b.c.e when coming out of me. For me that is a spoofed address. I then go to block his spoofed address. User then says, it is a valid address and I have no business blocking his IP addresses, whether he has them from me or ISP X. I then say I'll block SMTP
Tell him you do ingress filtering on all your leased lines "for security reasons" to prevent IP spoofing, smurf, etc. Since it's done "for security reasons" tell him an exception is out of the question. Also, ask him where it is written that you must accept unwanted IP traffic? The internet is a collection of interconnected autonomous networks, most of which are under no obligation to accept packets from anyone.
complaining to you that I am spamming". Since his dns is located elsewhere and since the IP addresses are not mine, the users aren't complaining to me
What do we do in these cases?
Show him your AUP, which was hopefully included as part of the contract with him. Hopefully, it has something like:
3.7 The account holder agrees to not, under any circumstances, post messages to newsgroups, mailing lists, or similar public forums if any of said forums pertain to subjects not directly related to the main topic of the posting or if the posting would be considered inappropriate for any other reason. This applies to both business and non-business oriented postings. Such postings will be considered abuse of FDT systems services. (See 7.0)
3.7a The account holder agrees to not, under any circumstances, send unsolicited mass emailings from any Internet account (at FDT or elsewhere), nor to use FDT services for the collection or distribution of address lists to be used for such purposes. The account holder agrees to not, under any circumstances, associate FDT with any such mass mailings.
7.5 FDT accounts which are locked or terminated as a result of violations of this agreement or any applicable laws will not be eligible for any monetary refund, and may be subject to additional administrative charges.
This is part of FDT's AUP (www.fdt.net/AUP) which I lifted from another ISP long ago and have modified a lot. It was not written by an attorney and could probably use better legalese, but it at least gets the point across so customers can't act totally shocked when I delete their account for spamming. I actually do have a lawyer edited version, which I've not gotten around to adopting yet.
------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/message.
Florida Digital Turnpike |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
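
An added example, not part of any message in this thread: a sketch of the per-line ingress source-address check mentioned in the reply above, run over flow records so the upstream can also count SMTP flows that left a customer line with a source outside the assigned block. The prefixes (documentation ranges standing in for a.b.c.d and a.b.c.e), the interface name and the flow-record format are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data. 192.0.2.0/24 stands in for the block we assigned
# (a.b.c.d on the page); 198.51.100.0/24 stands in for ISP X's block (a.b.c.e).
ASSIGNED = {"Serial0/1": [ipaddress.ip_network("192.0.2.0/24")]}
SAMPLE_FLOWS = """\
Serial0/1 192.0.2.10 203.0.113.5 tcp 80
Serial0/1 198.51.100.7 203.0.113.25 tcp 25
Serial0/1 198.51.100.7 203.0.113.26 tcp 25
Serial0/1 198.51.100.7 203.0.113.9 tcp 443
Serial0/1 192.0.2.10 203.0.113.25 tcp 25
Serial0/1 not-an-address 203.0.113.25 tcp 25
"""

def parse(line):
    """Parse 'iface src dst proto dport'; return a tuple, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), parts[3].lower(), int(parts[4]))
    except ValueError:
        return None

def source_allowed(iface, src):
    """Ingress rule: the source must fall inside a prefix assigned on that line."""
    return any(src in net for net in ASSIGNED.get(iface, []))

def audit(text):
    """Classify each flow and count SMTP flows per out-of-prefix source."""
    report = {"permit": 0, "drop": 0, "malformed": 0, "smtp_out_of_prefix": Counter()}
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            report["malformed"] += 1
            continue
        iface, src, _dst, proto, dport = rec
        if source_allowed(iface, src):
            report["permit"] += 1
            continue
        report["drop"] += 1  # applies to all traffic, not only SMTP
        if proto == "tcp" and dport == 25:
            report["smtp_out_of_prefix"][str(src)] += 1
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```

The rule is keyed on the line's assigned prefixes rather than on port 25, so mail from the assigned address is still permitted while anything sourced from the other provider's block is dropped.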
participants (7)
- Dale Drew
- Dalvenjah FoxFire
- Hank Nussbacher
- J.D. Falk
- Jon Lewis
- Karl Denninger
- Stephen Dolloff