Jon Lewis wrote:
What's so bad about pre-emptive open-relay scanning? What's the difference between an open-relay found/used by a spammer and added to the RSS and an open-relay found by pre-emptive scanner and added to the RSS? Both sites are likely sources of relay spam.
What's so bad about pre-emptive open-relay scanning is that if you feel that is justified, you pretty much have accepted that anybody who pleases may scan anybody else's network for any weakness he or she would like to probe for. And if someone else probed 40,000 of your hosts each for 500 vulnerabilities, you would have to accept the prober's answer that there's nothing wrong with pre-emptive scanning. After all, if someone else gets root on your system, it's a potential threat to him. I am not happy with that result.

The difference between an open-relay found/used by a spammer and a pre-emptive scanner is the difference between attack and defense, the difference between searching everyone and searching only those people who you have reason to believe pose a threat. If somebody attacks your network from a machine, you are (at least in my opinion) perfectly justified in running some scans against the attacking machine to better determine who might be responsible for the attack and what type of attack it's likely to be.

However, I certainly do agree that both sites might be likely sources of spam. I say "might be" because a well-managed relay might appear open to innocent probers and might pose very little threat of being used as a major spam source.

This is really the same problem as IP source spoofing -- the problem is so serious that people have felt justified in taking drastic measures that block legitimate traffic. And again, as with IP source spoofing, the complexity of the right fix is such that 'quick fixes' are likely to become de-facto permanent operational changes.

DS