Hi.. That's the problem, Sir! Many (I daresay the majority) of people take my hardnosed position. I know that there are people and services with good intentions, but I respectfully suggest that those good intentions shall not pass my borders. If an anti-spam mail relay testing service proactively scans my mail servers for SMTP-related issues, I will not complain because spam-friendly relays and proxies are evil and must be shut down. If my service provider wishes to scan my network and hosts they can do so after they obtain my permission. Just because my networks happen to connect to the internet doesn't give up any dominion over those networks. If some unknown entity (whether it's a service or an individual) (for whatever reason) scans my networks and hosts proactively for whatever justification, I still find that to be excessive trespass. Just because you can reach my network does not give you grounds to play with my toys.

More below:

Richard Irving wrote:
Scanning is always a precursor to an attack, or to determine if any obvious methodology can be used to attack. At least that's how it has been historically viewed.
See my other post. MAPS assists users in closing their "innocent" relay capable systems. And, FWIW, pro-active probing -can- provide a great service to the "less than clueful" end users.
I agree with all of your positive reasons why such a service is great but you should be dealing with it by blackholing their ASN instead and soon when everyone does so, they'll get their act together or be cut off. Since your network was victimized you should be proactive about contacting the people responsible. You can even scan their hosts at this point since you're engaged in defensive operations. If they're a responsible provider (it sounds like you're talking about some sort of hosting provider here) they'll have a NOC, and you can escalate it until you reach a clue. I don't see anything else as being more than busybodies poking where they don't belong.

Cheers!
Len
Scenario:
[snip]