On Sat, May 26, 2001 at 12:41:16PM -0400, Greg A. Woods wrote:
[ On Saturday, May 26, 2001 at 10:35:47 (-0400), Christopher A. Woodfield wrote: ]
Subject: Re: Scanning (was Re: Stealth Blocking)
About two years ago the <vijay> promising local ISP </vijay> I worked for saw the number or ORBS-listed hosts withing its netspace go from ~400 to over 3,000 in one week.
Hmmmm.... you don't say exactly, but two years ago you were probably seeing the results of manual list entries (perhaps even entered as netblocks). Back then you had to be really smart and look at the value of the A RR returned from a DNS query into the database to be able to tell the difference between a proper ORBS entry and one of the supplemental manual entries. These days it's much more difficult to confuse the mechanical part of ORBS with the ego part.
Nah, there was a relay test on the ORBS site for each IP...it was a customer who had put all 254 usable IPs in one of his blocks on a few similarly misconfigured servers. Each IP was tested and listed by ORBS. There were other patterns in the listings, as well as logged relay tests on non-open relays, that suggested wholesale scanning, but the one quotesd was the most egregious. We had one other large web-hosting customer that had accounted for about 500 of the listings tell us later that they proactively scanned their network after the fact and found that ORBS had caught /every/ open relay in their netspace. How you manage to do that without wholesale scanning, you tell me.
Among the listings was a class C where EVERY HOST, 254 IPs, in the block was listed. Granted, each one was an open relay, but the point is that each IP was individually relay tested. When questioned about this, Alan Brown reponded that he had "received an unusually large number of nominations" for hosts in our netspace. Uh huh. Sure.
Do you have the mailer logs from those hosts?
Can you prove that there was no other unauthorised use of them during the time *before* they were tested by ORBS?
I don't have logs, as these were not our servers, but our customers', nor can I prove that none of them had been abused, although we had a pretty good record of shutting down the open relays that we got wind of via ORBS' weekly reports and our own abuse mailbox. -C
-- Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
-- --------------------------- Christopher A. Woodfield rekoil@semihuman.com PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B