They can also be reported to their ISPs who *should* do something about
Unfortunately with nowadays full raw socket support from all nowadays
systems, it is possible to completely spoof the IP address.

Spoofing a TCP connection (needed for mail and news) where you are
not on the same wire as the machine you are spoofing still requires
some effort (but it's not impossible). TCP requires a handshake,
which is hard to do if the target machine sends the handshake to
the machine you are spoofing, not you, and that machine keeps
responding with a RST packet because it knows nothing about the
connection you just set up, causing your target to tear it down.

Even if the machine you are spoofing is down, you need to know/predict
the TCP sequence number to use for the connection, which is hard
if you can't get hold of replies that the target machine is sending.

If you are on the same wire as the machine you are spoofing, this
gets easier, but it also makes it easier to find the spoofer.

"Spoofing" a TCP connection from a machine where you can actually
control the machine in question isn't really even spoofing, since
the packets really do come from (are relayed by) the machine in
question, but it makes it hard to identify who's controlling them.
This is the point of many viruses - setting up remote-controllable
machines that can be used to relay SPAM.

UDP and ICMP floods using forged source addresses are fairly easy,
especially if the purpose is just to flood the target, not get
useful information from it.

There may be limits to how much you can send packets with fake
source addresses, coming under the heading in the above link of
"Network Egress Filtering". Done well, this means you can't fake
source IP addresses except for those "close" to you. That means
the complaints go to the correct ISP and he can narrow down the
source more quickly. Now if only all ISPs did this ...

Gordon L. Burditt
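
The egress-filtering rule described in the post, sketched as an added example (not part of the original post): an ISP edge forwards a packet only if its source address lies in the prefix assigned to the customer port it arrived on. The port names, prefixes and packets are constructed for illustration, using RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed topology: customer-facing port -> prefix the ISP assigned to it.
PORT_PREFIXES = {
    "cust-a": ipaddress.ip_network("192.0.2.0/26"),
    "cust-b": ipaddress.ip_network("192.0.2.64/26"),
}

def egress_verdict(port, src):
    """Return 'forward' if src lies in the prefix assigned to port, else 'drop'."""
    prefix = PORT_PREFIXES.get(port)
    if prefix is None:
        return "drop"  # unknown port: fail closed
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"  # unparseable source address
    return "forward" if addr in prefix else "drop"

def audit(packets):
    """Apply the filter to (port, src) pairs; return forwarded count and drops.

    The drop list names the port the packet arrived on, which is what lets
    the correct ISP narrow down the real sender.
    """
    forwarded, dropped = 0, []
    for port, src in packets:
        if egress_verdict(port, src) == "forward":
            forwarded += 1
        else:
            dropped.append((port, src))
    return {"forwarded": forwarded, "dropped": dropped}

# Constructed sample traffic.
SAMPLE = [
    ("cust-a", "192.0.2.10"),    # genuine address of the sender
    ("cust-a", "198.51.100.7"),  # source outside the assigned prefix
    ("cust-a", "192.0.2.20"),    # another address inside the same /26
    ("cust-b", "192.0.2.10"),    # cust-a's address seen on cust-b's port
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    print("forwarded:", result["forwarded"])
    for port, src in result["dropped"]:
        print("dropped on", port, "source", src)
```

The third sample packet is forwarded even though it may not be the sender's own address: the filter only narrows the source to the assigned prefix, which is the "close to you" limit the post mentions.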