OK, what's with the subscribe requests, and the Marilyn Monroe crap?
Seems to have initiated at:

G:\users\Caesar\tmp>nslookup 166.72.5.121
Server:  localhost.starkreality.com
Address:  127.0.0.1

Name:    slip166-72-5-121.il.us.ibm.net
Address:  166.72.5.121

Anybody with ibm.net online?

--
 _________________     _            _   _________________________
William S. Duncanson  |_| Collective |_| http://www.colltech.com
Page:800-495-1005     |_ Technologies _| wduncanson@colltech.com
caesar@starkreality.com  []        []    "The Power Of Many Minds"

Here is what I received from abuse@ibm.net

-------------------------------------------------------------------------
DUP 11/19/97 10:56:24

Thank you for notifying us.

This individual has been warned regarding the consequences of sending
Unsolicited Commercial Email.
Continued violations will result in an account cancellation. Please
inform us if any other abuse originated from<ibm.net> customers.

Regards,
Postmaster@IBM.NET

--------------------------------------------------------------------------
James D. Butt 'J.D.'  Network Engineer     Voice 319-557-8463
Network Operations Center                  Fax   319-557-9771
MidWest Communications, Inc.               Pager 319-557-6347
241 Main St.                               noc@mwci.net
Dubuque, IA 52001                          jbutt@mwci.net
--------------------------------------------------------------------------

On Wed, 19 Nov 1997, James D. Butt wrote:
) Here is what I received from abuse@ibm.net
)
) -------------------------------------------------------------------------
) DUP 11/19/97 10:56:24
)
) Thank you for notifying us.
)
) This individual has been warned regarding the consequences of sending
) Unsolicited Commercial Email.
) Continued violations will result in an account cancellation. Please
) inform us if any other abuse originated from<ibm.net> customers.

That's truly wondrous as, after sending:

From djr@narnia.n.ml.org Wed Nov 19 17:37:59 1997
Date: Mon, 17 Nov 1997 20:25:48 -0500 (EST)
From: Daniel Reed <djr@narnia.n.ml.org>
To: support@ibm.net, abuse@ibm.net
Subject: OWNED (fwd)

I have reason to believe one of your customers, perhaps still connected
to your service, has been maliciously attacking the NANOG mailing list
(nanog@merit.edu). Today the NANOG mailing list was subscribed to itself,
it received a bounce that showed us (the subscribers) an attempt to
subscribe it to several lists at a remote server, and was also subscribed
to some Marilyn Monroe fan mailing list. We then received this message,
and as the headers indicate, it appears to be originating from some
ibm.net dialup user.

Received: from microsoft.com (166.72.5.121) by www.RVC.CC.IL.US
                              ^^^^^^^^^^^^
        (EMWAC SMTPRS 0.81) with SMTP id <B0000000019@www.RVC.CC.IL.US>;
        Mon, 17 Nov 1997 18:56:25 -0600

root@narnia:~# host 166.72.5.121
121.5.72.166.IN-ADDR.ARPA domain name pointer slip166-72-5-121.il.us.ibm.net
root@narnia:~#

--
Daniel Reed <n@narnia.n.ml.org>
System administrator of narnia.n.ml.org (narnia.mhv.net [199.0.0.118])
Some people mistake genius for insanity.

---------- Forwarded message ----------
Return-Path: owner-nanog@merit.edu
Received: from merit.edu [198.108.1.42] by mail.n.ml.org (Sendmail 8.8.8)
        via ESMTP (UAA16049-199711180120) for address <djr@narnia.n.ml.org>
        on Mon, 17 Nov 1997 20:20:11 -0500 (EST)
Received: from localhost (daemon@localhost)
        by merit.edu (8.8.7/8.8.5) with SMTP id TAA04909;
        Mon, 17 Nov 1997 19:43:41 -0500 (EST)
Received: by merit.edu (bulk_mailer v1.5); Mon, 17 Nov 1997 19:43:36 -0500
Received: (from majordom@localhost)
        by merit.edu (8.8.7/8.8.5) id TAA04897
        for nanog-outgoing; Mon, 17 Nov 1997 19:43:34 -0500 (EST)
Received: from www.RVC.CC.IL.US (www.RVC.CC.IL.US [207.142.145.2])
        by merit.edu (8.8.7/8.8.5) with SMTP id TAA04884
        for <nanog@merit.edu>; Mon, 17 Nov 1997 19:43:16 -0500 (EST)
Received: from microsoft.com (166.72.5.121) by www.RVC.CC.IL.US
        (EMWAC SMTPRS 0.81) with SMTP id <B0000000019@www.RVC.CC.IL.US>;
        Mon, 17 Nov 1997 18:56:25 -0600
Date: Mon, 17 Nov 1997 18:56:25 -0600
Message-ID: <B0000000019@www.RVC.CC.IL.US>
From: Bill Gates III <billg@microsoft.com>
Subject: OWNED
Sender: owner-nanog@merit.edu
To: undisclosed-recipients:;

/* snipped many lines of garbage */

I received back:

From helpdesk@ibm.e-mail.com Wed Nov 19 17:38:33 1997
Date: Tue, 18 Nov 1997 16:15:13 EST
From: helpdesk@ibm.e-mail.com
To: DJR@NARNIA.N.ML.ORG
Subject: OWNED (FWD) Ref #: USINET 2048052

MAIL FROM:<Problem Mgmt>
RCPT TO:<DJR@NARNIA.N.ML.ORG>
DATA
Date: Tue, 18 NOV 97 16:14:53 est
From: Problem Mgmt
To: <DJR@NARNIA.N.ML.ORG>
Cc:
Subject: OWNED (FWD) Ref #: USINET 2048052

An incident reported by you has been updated. The incident # is listed
below. Do not respond to this e-mail.

For Account: USINET
Incident Number: 2048052
Status: PENDING
Sev: 4
Last Updated: Tue, 18 NOV 97 16:14:53
PROBLEM UPDATED.
*************************************************************************
Summary: OWNED (FWD)
-------------------------------------------------------------------------
RESP 11/18/97 16:14:49
Hello,
Based on the information you ave sent we are unable to match the time
and ip of the header to the time and ip on our dial gateways. This header
look's a bit strange, the ip does not contain a "slip" in front of it.
I think that this header has been manipulated in form way.
Regards,
Postmaster@ibm.net
*************************************************************************
Please do not respond to this address. Respond to notify@vnet.ibm.com

to which I replied, pointing out the fact that the IP address in question,
when reverse resolved (which I had even included in my original message)
did, in fact, begin with "slip" and end with "ibm.net." However, when I
replied to notify@vnet.ibm.com, as I was told to by the note at the bottom
of the message, I received no less than 6 messages telling me I should
have sent that reply to postmaster@ibm.net. I then wrote an
almost-sorta-mildly nasty note to notify@vnet.ibm.com telling them to
please get their act straight and figure out who it is, in fact, I should
be contacting. I then received several more emails telling me *that*
should have gone to postmaster@ibm.net as well.

However, I believe that all of the insightful messages announcing that
"it appears we were just mailbombed, oh my!" were arguably more
detrimental to the flow of information on this list than the actual
subscription and message bombs that prompted them. After one of the 56
mailing lists I host on narnia is mailbombed, I make it a habit of closing
all postings to that list. Not to prevent further mailbombs, as I usually
find out about it too late, but to prevent the flood of "oh my, what'll we
do, someone stop this madness!" messages that almost always outbomb the
mailbomb.

--
Daniel Reed <n@narnia.n.ml.org>
System administrator of narnia.n.ml.org (narnia.mhv.net [199.0.0.118])
What was the best thing before sliced bread?

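The header reading discussed in the message above, as an added example that is not part of the original thread: it parses the two relevant Received lines, compares each client-supplied HELO name with the name the recorded IP resolves to, and normalizes the timestamps to UTC for an abuse report. The PTR table is filled from the `host` output quoted in the thread rather than a live DNS query, and the names HOP, parse_hop and trace are illustrative.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Two Received lines from the forwarded message above, newest hop first.
RECEIVED = [
    "from www.RVC.CC.IL.US (www.RVC.CC.IL.US [207.142.145.2]) by merit.edu "
    "(8.8.7/8.8.5) with SMTP id TAA04884 for <nanog@merit.edu>; "
    "Mon, 17 Nov 1997 19:43:16 -0500 (EST)",
    "from microsoft.com (166.72.5.121) by www.RVC.CC.IL.US (EMWAC SMTPRS 0.81) "
    "with SMTP id <B0000000019@www.RVC.CC.IL.US>; Mon, 17 Nov 1997 18:56:25 -0600",
]
# PTR answer quoted in the thread; a live check would query DNS instead.
PTR = {"166.72.5.121": "slip166-72-5-121.il.us.ibm.net"}

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?"
    r"\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s")

def parse_hop(line, ptr=PTR):
    """Split one Received line into the client's claim and the server's record."""
    m = HOP.search(line)
    if m is None:
        return None
    stamp = re.sub(r"\s*\([^)]*\)\s*$", "", line.rsplit(";", 1)[1]).strip()
    rdns = (m["rdns"] or ptr.get(m["ip"], "")).lower()
    helo = m["helo"].lower()
    return {
        "helo": helo,   # typed by the connecting client, trivially forged
        "ip": m["ip"],  # written by the receiving server
        "rdns": rdns,
        "utc": parsedate_to_datetime(stamp).astimezone(timezone.utc),
        # HELO is plausible only if the IP's own name falls under it
        "helo_matches": rdns == helo or rdns.endswith("." + helo),
        # Dial-up PTR names usually embed the address (slip166-72-5-121)
        "ptr_embeds_ip": m["ip"].replace(".", "-") in rdns,
    }

def trace(lines):
    """Return hops oldest first, plus transit seconds between adjacent hops."""
    hops = [h for h in map(parse_hop, reversed(lines)) if h]
    gaps = [(b["utc"] - a["utc"]).total_seconds() for a, b in zip(hops, hops[1:])]
    return hops, gaps

if __name__ == "__main__":
    hops, gaps = trace(RECEIVED)
    for h in hops:
        print(h["utc"].isoformat(), h["ip"], "HELO", h["helo"], h["helo_matches"])
    print("transit seconds:", gaps)  # negative: the relay clocks disagree
```

On these two lines the transit time comes out negative, so the two relays' clocks disagree by about 13 minutes, which matters when a dial-up provider is asked to match a timestamp against its gateway logs.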
participants (3)
- Daniel Reed
- James D. Butt
- William Duncanson