Re: IP spoofing and spamming

["J.D. Falk" <jdfalk () priori net>]

On Oct 29, Hank Nussbacher <hank () ibm net il> wrote: 

> I have a spammer I am trying to block.  He is multihomed to me and ISP X.
> He has address a.b.c.d from me and address a.b.c.e from ISP X.  Users
> started seeing spams from a.b.c.e and complained to ISP X.  He shut off SMTP
> to the customer but the spamming continued.  Turns out the user defaults out
> to me no matter what, so his address was a.b.c.e when coming out of me.  For
> me that is a spoofed address.  I then go to block his spoofed address.  User
> then says, it is a valid address and I have no business blocking his IP
> addresses, whether he has them from me or ISP X.  I then say I'll block SMTP
> and the user says, "show me one letter from a user on the Internet
> complaining to you that I am spamming".  Since his dns is located elsewhere
> and since the IP addresses are not mine, the users aren't complaining to me
> - but to ISP X and perhaps ISP Y (providing him secondary DNS service).  All
> the ISP X & Y attempts to shut out the spam aren't affective due to the
> multihoming.

        Are you under any contractural obligation to transit that IP 
        address?  The user in question seems to think you are, but you
        should check that as well; most contracts that I've seen do
        not mention multihoming specificially, and this could be the
        perfect loophole for you to use while you give him the 30 days
        notice or whatever it takes to disconnect him completely.

*********************************************************
J.D. Falk                         voice: +1-650-482-2840        
Supervisor, Network Operations      fax: +1-650-482-2844
PRIORI NETWORKS, INC.              http://www.priori.net

"The People You Know.  The People You Trust."
*********************************************************