IP spoofing and spamming

Karl Denninger karl at Mcs.Net
Wed Oct 29 01:54:08 UTC 1997

On Wed, Oct 29, 1997 at 03:42:15AM +0200, Hank Nussbacher wrote:
> At 07:34 PM 10/28/97 -0600, Karl Denninger wrote:
> >The Internet works because people don't abuse others' resources.  If people
> >abuse my resources, I stop allowing the abuse.  If they threaten to sue, I
> >laugh and tell them to go right ahead.  We write our contracts so that we 
> >can shut off people who spam, even on the first offense.  
> I would be interested in seeing a copy of that contract.  When suits
> (lawyers) get involved, how do you show that a violation has happened?
> Remember, no complaint has come to you and you would have had to sniff his
> line and open his smtp pkts to see he was spamming which would invoke a
> countersuit.
> -Hank


We reserve the right to do exactly that.  Further, the logs which come from
the offended parties are certainly useful.

You can't spoof the source address of an SMTP connection to sendmail if you
expect *replies* and the ability to know if anything's working (if you're
not spamblocked already).  

You can route it funny, but that's not the point.

Sooner or later I'll get wind of it.  Someone will track the source of the
packets back to us (remember, people thought smurfing was untraceable - 
they were wrong) and then I'll get a call.  At that point I have cause to 
investigate.  When I do, you're busted.  Something as simple as turning on
IP accounting (a normal system monitoring thing) on the suspect interface 
will flag the "funny" source addresses, and at that point I have cause to 
look into it further - including taking a dump of the packets involved.

The ECPA *ALWAYS* permits this kind of investigation, even absent explicit 
language in the contract (which we have as well).

We *always* reserve the right to monitor for performance, and further, we
have the right to look into alleged violations of our agreement or the law.
It's part of our job.  If you're violating the contract, and we can prove 
it, you're screwed.  If you sue in the US under such circumstances you're 
asking to be slapped with sanctions and/or a countersuit yourself.

By the time you "catch" us in that kind of situation we've got more than 
enough evidence compiled and the game's up.  My answer to people who want 
to sue us under such circumstances is "Here's our counsel's name and number;
serve us there please." as I laugh while hanging up the phone.

Acting surreptitiously (i.e., your example) to avoid detection just makes the 
original act look even worse when it comes time to go in front of a judge.

Someone who tries that is likely to end up with their assets in our computer
room instead of theirs. 

We just don't worry about situations like that.  Log it, prove it, send
notice, shut down the line and move on.

Karl Denninger (karl at MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
			     | NEW! K56Flex modem support is now available
Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
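
The check described in the message above, where IP accounting on the suspect interface flags source addresses that do not belong there, sketched as an added example that is not part of the original post or MCSNet's tooling. The four-column record layout, the assigned prefix and all addresses are constructed assumptions (documentation ranges).

```python
import ipaddress
from collections import defaultdict

# Assumption: prefixes assigned to the customer on the suspect interface.
ASSIGNED = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed accounting records: source, destination, packets, bytes.
SAMPLE = """\
Source        Destination    Packets  Bytes
192.0.2.10    198.51.100.25  120      48211
203.0.113.77  198.51.100.25  900      612000
192.0.2.11    198.51.100.80  14       9100
203.0.113.77  198.51.100.26  450      301000
not-an-ip     198.51.100.25  1        40
"""

def parse_records(text):
    """Yield (src, dst, packets, bytes); skip the header and malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            src = ipaddress.ip_address(fields[0])
            dst = ipaddress.ip_address(fields[1])
            yield src, dst, int(fields[2]), int(fields[3])
        except ValueError:
            continue  # header row or unparseable address/counter

def flag_foreign_sources(text, assigned):
    """Total traffic per source address that is outside the assigned prefixes."""
    totals = defaultdict(lambda: [0, 0, set()])
    for src, dst, pkts, nbytes in parse_records(text):
        if any(src in net for net in assigned):
            continue  # legitimate customer source, nothing to flag
        entry = totals[src]
        entry[0] += pkts
        entry[1] += nbytes
        entry[2].add(dst)
    return dict(totals)

if __name__ == "__main__":
    flagged = flag_foreign_sources(SAMPLE, ASSIGNED)
    for src, (pkts, nbytes, dsts) in flagged.items():
        print(f"{src}: {pkts} packets, {nbytes} bytes, {len(dsts)} destinations")
```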
