Re: SMTP Scans
From: Hoof Hearted (capbligh2001_at_hotmail.com)
Date: 04/26/03
- Previous message: James C. Slora, Jr.: "RE: New attack or old Vulnerability Scanner?"
- Maybe in reply to: Hoof Hearted: "Re: SMTP Scans"
- Next in thread: Chris Boyd: "Re: SMTP Scans"
- Reply: Chris Boyd: "Re: SMTP Scans"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: bt@seifried.org, mally@ripe.net, shoten@starpower.net, incidents@securityfocus.com, jimit@myrealbox.com, bt.abuse@bt.com Date: Sat, 26 Apr 2003 00:21:57 +0000
Wow! - OK it's safe to say there is some opinion on this. Many thanks to all
those that have taken the time and trouble to comment.
Opinion seems to be divided 99/1 that the scans (as posted) are bad. Kurt
was the only one to point out the POTENTIAL savings. Ergo, assuming all mail
is bad unless proven otherwise.
Admittedly, this is a minor digression on the point, however, it has
validity. The day after posting my initial comments my (personal) router
went south big-style. No big deal, failover was an adsl and $200 & 24 hours
later all was fixed (bugger - now I WILL keep a spare on site!), in the
meantime, some connection sharing solved the immediate inconvenience... and
provided me with a useful list of 'oops' IP's.
Less than 24 hrs of Net life (unprotected by a NAT) scared me witless. I
went from being mildly aggravated by Kurt's comments to wholehearted
agreement. The world DOES seem to be out to get me!
Anyway, back to my point - my ISP is scanning me (at least) twice daily for
an open relay, not only that, they are also scanning our mx listed secondary
too - implying some nslookup work at least. Admittedly, the scans are not
difficult to block, but for me at least, that doesn't change the issue.
Whether I'm an ADSL customer, a DSL customer or even a dial-up user, my
relationship with and obligation to my ISP ends at my modem/router/whatever.
To my mind, when they intrude past that they become hackers.
To the best of my knowledge, none of our hosted domains have ever been
accused of spamming, moreover, our mailservers use numerous UBE lookups,
Header, Body & AV scans. I might point out that our settings were sufficient
to catch (and bar) the BT connections without 'human' intervention.
I must admit to ignorance as to the legal situation here. I'm aware BT
operate AUP's - I'm intrigued to know the result if THEY abuse them.
Anyway - BT response so far - Dear Sir - what time zone are your logs? (...
Hmmmm.)
>From: "Kurt Seifried" <bt@seifried.org>
>Reply-To: "Kurt Seifried" <bt@seifried.org>
>To: "Mally Mclane" <mally@ripe.net>,"Rob Shein"
><shoten@starpower.net>,"'Hoof Hearted'"
><capbligh2001@hotmail.com>,<incidents@securityfocus.com>, "Jimi Thompson"
><jimit@myrealbox.com>
>Subject: Re: SMTP Scans
>Date: Thu, 24 Apr 2003 12:43:20 -0700
>
> > >>For the last few months our ISP (BT) has apparently been scanning our
> > >>mail servers for open relays, this is happening up to
> > >>12 times a day across both Primary & Secondary mail servers.
> > >
> > >I don't condone this, but this is fairly common practice amongst UK
>ISPs.
> > >
> > >Regards,
> > >
> > >
> > >Mally Mclane
> > >RIPE NCC - Operations
> >
> > Why the aggressive schedule? For your "commercial" (as in - not end
> > user) IP space, I would think that weekly or monthly should be
> > sufficient. Especailly considering that, as your ISP, they know the
> > IP addresses of your mail servers, I find this to be excessive and
> > would really like to know what they think they are combating. It
> > sounds like another bean counter making technical decisions again.
>
>Daily scans = up to 24 hours of spam email. Weekly scans = up to 168 hours
>of spam email. Scans every 2 hours = a LOT less spam email sent through an
>open relay. We're talking broadband here, a lot of email can be sent if the
>server is pumping it flat out for a day or a week or a month. Remember that
>the threat model here mostly consists of customers setting up a new server
>as an open relay, or accidently configuring an existing system as an open
>relay (witness the thread on upgrading exchange and opening up relaying).
>
>Or to put it this way: why do you think earthlink, aol and a LOT of spam
>packages label email from cablemodem, dsl and other broadband network
>blocks
>as spam? Hint: it has to do with all the spam coming from them.
>
>Kurt Seifried, kurt@seifried.org
>A15B BEE5 B391 B9AD B0EF
>AEB0 AD63 0B4E AD56 E574
>http://seifried.org/security/
>
>
>
>
_________________________________________________________________
The new MSN 8: smart spam protection and 2 months FREE*
http://join.msn.com/?page=features/junkmail
----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------
- Previous message: James C. Slora, Jr.: "RE: New attack or old Vulnerability Scanner?"
- Maybe in reply to: Hoof Hearted: "Re: SMTP Scans"
- Next in thread: Chris Boyd: "Re: SMTP Scans"
- Reply: Chris Boyd: "Re: SMTP Scans"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
