[ On Saturday, May 26, 2001 at 10:35:47 (-0400), Christopher A. Woodfield wrote: ]
Subject: Re: Scanning (was Re: Stealth Blocking)
About two years ago the <vijay> promising local ISP </vijay> I worked for saw the number or ORBS-listed hosts withing its netspace go from ~400 to over 3,000 in one week.
Hmmmm.... you don't say exactly, but two years ago you were probably seeing the results of manual list entries (perhaps even entered as netblocks). Back then you had to be really smart and look at the value of the A RR returned from a DNS query into the database to be able to tell the difference between a proper ORBS entry and one of the supplemental manual entries. These days it's much more difficult to confuse the mechanical part of ORBS with the ego part.
Among the listings was a class C where EVERY HOST, 254 IPs, in the block was listed. Granted, each one was an open relay, but the point is that each IP was individually relay tested. When questioned about this, Alan Brown reponded that he had "received an unusually large number of nominations" for hosts in our netspace. Uh huh. Sure.
Do you have the mailer logs from those hosts? Can you prove that there was no other unauthorised use of them during the time *before* they were tested by ORBS? -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>