Previous Politech message:
"Email a RoadRunner address, get scanned by their security system"
http://www.politechbot.com/p-04556.html
---
Date: Sun, 16 Mar 2003 13:25:00 -0500
To: declan_at_well.com
From: "W. Mark Herrick, Jr." <markh_at_va.rr.com>
Subject: Politechbot article on RR Scanning
Hello Declan,
I was pointed to the thread on Politechbot through another person, and I
saw the article on http://www.politechbot.com/.
I thought that I'd comment on your article, since it is at the top of your
page and pretty fresh on the minds of your readers. Feel free to post my
response on that web page, or in your mailing list.
So, just to set one ground rule here - we're talking about proxy and relay
testing, not full-out penetration testing. With that in mind...
The author in the article has made a fatal flaw in his mail to you, that
being that our scans are proactive in nature.
"I'm curious whether this preemptive measure is effective at all."
His assertion that our scans are proactive could not be further from the
truth. At no time has Road Runner performed any PROACTIVE scanning on any
IP address that does not belong to Road Runner.
Road Runner's scans are completely REACTIVE in nature. IP addresses
connecting to our mail gateways are TCP-scanned for open proxy servers on a
variety of ports, and then, if those ports are open, we attempt to mail
ourselves via either HTTP CONNECT or SOCKS. Success equals blocking via our
local block list.
We perform no REACTIVE scanning on an IP address unless one of the
following conditions is met:
1. We have spam in hand.
2. We have received a direct connection to our inbound SMTP servers from
that IP.
In addition, regardless of whether or not there has EVER been an issue with
the network, we will not REACTIVELY scan ANY IP address when there is a
request from the *network owner* that we not do so. We have no wish to be
abusive, and as such, we limit scans of an IP to one per week.
This is all clearly explained at http://security.rr.com (and
http://securityscan.sec.rr.com).
So, just to clarify some other misconceptions:
We have absolutely NO objection to REACTIVE open proxy or relay scanning of
IP addresses from a system that either:
1. Has spam in hand (a la MAPS RSS).
2. Has received a direct connection from our subscriber IP address or SMTP
server (a la AOL, Outblaze).
Why should we? IRC servers perform a similar function all day long.
Our stance on proactive scanning, however, has not changed in the 5 years
that I have been with Road Runner.
From the article:
"Under their logic, I feel entitled to poke and prod their customers, just
to make sure they don't spam me. Is that fair? I promise to provide an
opt-out if anyone complains."
I believe that the author is indicating that there is a relationship
between our REACTIVE testing, and his desire to PROACTIVELY test our
network. This is where we take issue.
We have, and will continue to have, a severe issue with the proactive scanning
of our networks. This includes individual users or so-called 'scanning
services', that accept requests from anywhere to perform 'on-demand' scans
(e.g., hatcheck.org). We also have a serious issue with blocklist systems
that *proactively* scan IP addresses (e.g., DSBL), without first requiring
(and keeping on hand) proof (e.g., spam-in-hand) that the IP address is a
source of spam, open to third party relay, or has an open proxy service.
We have an even BIGGER problem when those same services tell us to pound
sand when we tell them to stop scanning our space (specific examples
include the now-defunct ORBS and ORBZ block lists, and most recently DSBL).
As such, we will not work with those entities under any circumstances.
To close, the problem of open relays and proxies has exploded. To
demonstrate this, since the inception of our scanning initiative (1st week
in January), we have identified over 50,000 open proxy servers that
constantly barrage our 3 million members with spam all day long. We MUST
take steps to combat that abuse, in a responsible manner, or else our
business will suffer. As the person responsible for the security of our
network, I will not allow that to happen.
Regards,
Mark Herrick
Director - Operations Security
Road Runner
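Added example, not part of the message above and not Road Runner's own code: a small gate that encodes the reactive-scanning policy the message describes (a test only when there is spam in hand or a direct inbound SMTP connection, never a proactive test outside the operator's own space, an unconditional network-owner opt-out, and a limit of one test per IP per week). The class and enum names, the sample networks (RFC 5737 test ranges) and the timestamps are all constructed for illustration; the code only decides whether a test may run and does not perform any scanning itself.

```python
"""Decision gate for reactive open-proxy / open-relay testing.

Illustrative code modelled on the policy described in the message; it is not
Road Runner's implementation. Names, networks and times are made up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from ipaddress import ip_address, ip_network

SCAN_INTERVAL = timedelta(days=7)   # "we limit scans of an IP to one per week"


class Trigger(Enum):
    """Why a test of this IP is being considered."""
    SPAM_IN_HAND = "spam in hand"
    INBOUND_SMTP = "direct connection to our inbound SMTP servers"
    NONE = "no trigger (would be a proactive scan)"


@dataclass
class ScanDecision:
    allowed: bool
    reason: str


@dataclass
class ReactiveScanPolicy:
    own_networks: list                                    # address space the operator itself controls
    opt_out_networks: list = field(default_factory=list)  # owners who asked not to be scanned
    last_scan: dict = field(default_factory=dict)         # ip -> datetime of the last test

    def __post_init__(self):
        self.own_networks = [ip_network(n) for n in self.own_networks]
        self.opt_out_networks = [ip_network(n) for n in self.opt_out_networks]

    @staticmethod
    def _in(ip, networks):
        return any(ip in n for n in networks)

    def decide(self, addr, trigger, now):
        """Return a ScanDecision; records the test time only when it is allowed."""
        ip = ip_address(addr)
        # 1. Without a reactive trigger, only the operator's own space may be tested.
        if trigger is Trigger.NONE and not self._in(ip, self.own_networks):
            return ScanDecision(False, "proactive scan of a foreign address refused")
        # 2. A network owner's opt-out wins even when spam is in hand.
        if self._in(ip, self.opt_out_networks):
            return ScanDecision(False, "network owner requested no scanning")
        # 3. Rate limit: at most one test of a given IP per SCAN_INTERVAL.
        last = self.last_scan.get(ip)
        if last is not None and now - last < SCAN_INTERVAL:
            return ScanDecision(False, f"tested {now - last} ago; limit is one per {SCAN_INTERVAL}")
        self.last_scan[ip] = now
        return ScanDecision(True, f"reactive test permitted: {trigger.value}")


def demo():
    """Walk through the policy with constructed addresses; returns the allowed flags."""
    policy = ReactiveScanPolicy(own_networks=["192.0.2.0/24"],
                                opt_out_networks=["198.51.100.0/24"])
    t0 = datetime(2003, 3, 16, 13, 25)          # constructed timestamp
    cases = [
        ("203.0.113.5", Trigger.INBOUND_SMTP, t0),                       # first contact: allowed
        ("203.0.113.5", Trigger.SPAM_IN_HAND, t0 + timedelta(days=1)),   # too soon: rate limited
        ("203.0.113.5", Trigger.SPAM_IN_HAND, t0 + timedelta(days=8)),   # a week later: allowed
        ("198.51.100.7", Trigger.SPAM_IN_HAND, t0),                      # owner opted out: refused
        ("203.0.113.77", Trigger.NONE, t0),                              # proactive, foreign: refused
        ("192.0.2.9", Trigger.NONE, t0),                                 # proactive, own space: allowed
    ]
    results = []
    for addr, trig, when in cases:
        d = policy.decide(addr, trig, when)
        results.append(d.allowed)
        print(f"{addr:14} {trig.name:13} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
    return results


if __name__ == "__main__":
    demo()
```

The ordering of the checks matters: the opt-out is evaluated before the rate limit so that an opted-out network is never tested even once, and the last-scan record is only updated on an allowed decision so that refused requests do not push the next permitted test further out.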
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Received on Mar 17 2003