Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
4) It is possible that their system is compromised.
When I talked with these people, the SYN's & ICMP's all stopped
after they claimed to have fixed their systems.
This would lead any reasonable person to conclude that their system
was compromised (as I said), that the source and destination of SYN's
& ICMP's was exactly what they appeared to be (as I said), and that no
botnet was involved (as I said).
[now we have some options, depending on what Alan finds]
In those options, you leave out the one option I've been telling you
repeatedly is what happened: their machine really was compromised, and
all of the traffic was exactly as it appeared, with no botnets or
forgeries.
To demonstrate his own due diligence, he would need to report what
he found.
I have no responsibility to show my logs to you, or to anyone else
on the planet.
Whether or not you actually have that data is irrelevant. You
didn't use it to make your case to them,
I didn't need to. They could independently verify for themselves
that their machine was compromised, was sending spam, and that their
machine was sending loads of TCP SYN's to my machine. They aren't
spammers because they aren't *intending* to send spam, it's a
side-effect of their network misconfiguration.
I'm surprised that the one realistic interpretation of the events is
the only one you cannot admit might have happened.
I won't respond to the rest of your comments about competence and
credibility. The evidence speaks for itself.
Alan DeKok.