mailing list archives
Re: Scanning (was Re: Stealth Blocking)
From: woods () weird com (Greg A. Woods)
Date: Sat, 26 May 2001 12:41:16 -0400 (EDT)
[ On Saturday, May 26, 2001 at 10:35:47 (-0400), Christopher A. Woodfield wrote: ]
Subject: Re: Scanning (was Re: Stealth Blocking)
About two years ago the <vijay> promising local ISP </vijay> I worked
for saw the number or ORBS-listed hosts withing its netspace go from ~400
to over 3,000 in one week.
Hmmmm.... you don't say exactly, but two years ago you were probably
seeing the results of manual list entries (perhaps even entered as
netblocks). Back then you had to be really smart and look at the value
of the A RR returned from a DNS query into the database to be able to
tell the difference between a proper ORBS entry and one of the
supplemental manual entries. These days it's much more difficult to
confuse the mechanical part of ORBS with the ego part.
Among the listings was a class C where EVERY HOST,
254 IPs, in the block was listed. Granted, each one was an open relay, but the
point is that each IP was individually relay tested. When questioned about
this, Alan Brown reponded that he had "received an unusually large number
of nominations" for hosts in our netspace. Uh huh. Sure.
Do you have the mailer logs from those hosts?
Can you prove that there was no other unauthorised use of them during
the time *before* they were tested by ORBS?
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods () acm org> <woods () robohack ca>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>