Greets again all,

I noticed something kind of interesting when I made my last post to NANOG. I can understand people wanting to do spam checking, but IMHO this is a bit excessive and inconsiderate.

I'm guessing njabl.org is doing this to everyone who posts to the list, so I thought others might want to know about it in case they have not noticed it in their own logs. BTW, if you are curious about the "spammers_waste_oxygen" portion, that was grabbed off my SMTP banner.

Cheers,
C

***********************************************
Dec 22 08:21:50 mailgate sendmail[492]: hBMDLnHS000492: before-reporting-as-abuse-please-see-www.njabl.org [209.208.0.15] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHS000495: ruleset=check_rcpt, arg1=<relaytest@rr.njabl.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest@rr.njabl.org>... Relaying denied
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHT000495: ruleset=check_mail, arg1=<relaytestsend@spammers_waste_oxygen;>, relay=rt.njabl.org [209.208.0.15], reject=553 5.1.8 <relaytestsend@spammers_waste_oxygen;>... Domain of sender address relaytestsend@spammers_waste_oxygen does not exist
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHU000495: ruleset=check_mail, arg1=<"relaytestsend@rt.njabl.org"@spammers_waste_oxygen;>, relay=rt.njabl.org [209.208.0.15], reject=553 5.1.8 <"relaytestsend@rt.njabl.org"@spammers_waste_oxygen;>... Domain of sender address relaytestsend@rt.njabl.org@spammers_waste_oxygen does not exist
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHV000495: ruleset=check_mail, arg1=<relaytestsend>, relay=rt.njabl.org [209.208.0.15], reject=553 5.5.4 <relaytestsend>... Domain name required for sender address relaytestsend
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHW000495: ruleset=check_mail, arg1=<relaytestsend@localhost>, relay=rt.njabl.org [209.208.0.15], reject=553 5.5.4 <relaytestsend@localhost>... Real domain name required for sender address
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHX000495: ruleset=check_rcpt, arg1=<relaytest@rr.njabl.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest@rr.njabl.org>... Relaying denied
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHY000495: ruleset=check_rcpt, arg1=<relaytest@rr.njabl.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest@rr.njabl.org>... Relaying denied
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHZ000495: ruleset=check_rcpt, arg1=<relaytest@rr.njabl.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest@rr.njabl.org>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHa000495: ruleset=check_rcpt, arg1=<relaytest@rr.njabl.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest@rr.njabl.org>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHb000495: ruleset=check_rcpt, arg1=<relaytest@rr.njabl.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest@rr.njabl.org>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHc000495: ruleset=check_rcpt, arg1=<relaytest@rr.njabl.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest@rr.njabl.org>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHd000495: ruleset=check_rcpt, arg1=<relaytest@rr.njabl.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest@rr.njabl.org>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHe000495: ruleset=check_mail, arg1=<postmaster@spammers_waste_oxygen;>, relay=rt.njabl.org [209.208.0.15], reject=553 5.1.8 <postmaster@spammers_waste_oxygen;>... Domain of sender address postmaster@spammers_waste_oxygen does not exist
Dec 22 08:21:53 mailgate sendmail[495]: hBMDLoHf000495: ruleset=check_rcpt, arg1=<relaytest%rr.njabl.org@spammers_waste_oxygen;>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest%rr.njabl.org@spammers_waste_oxygen;>... Relaying denied
Dec 22 08:21:53 mailgate sendmail[495]: hBMDLoHh000495: ruleset=check_mail, arg1=<relaytestsend@spammers_waste_oxygen;>, relay=rt.njabl.org [209.208.0.15], reject=553 5.1.8 <relaytestsend@spammers_waste_oxygen;>... Domain of sender address relaytestsend@spammers_waste_oxygen does not exist
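The log above is what a relay test looks like from the receiving MTA's side: one silent connection, then a series of MAIL FROM / RCPT TO variants (plain remote recipient, "%"-routed recipient, a quoted local part that is itself an address, a bare local part, and a localhost sender) each rejected by sendmail's check_mail or check_rcpt rulesets. The following script is an added example, not code from the original post or from NJABL: it parses that sendmail reject-line format, groups the rejections by the relaying IP, and classifies each attempt by the address form it used, so an analyst can tell a relay-test burst apart from ordinary delivery errors without reading every line. The probe-class names (percent-hack, quoted-local-part, no-domain, localhost, plain) and the threshold in relay_probe_sources are this example's own choices; the sample lines are a subset copied from the post.

```python
"""Summarise a burst of sendmail relay-test rejections by source host.

Added example for this thread, not code from the original post or from
NJABL/SORBS. Parses the sendmail reject-line format shown in the post,
groups rejections by the relaying IP and classifies each probe by the
address form it tried. The probe labels are this example's own names.
"""
import re
from collections import Counter

# Sample input: a constructed subset of the lines quoted in the post.
SAMPLE_LOG = [
    "Dec 22 08:21:50 mailgate sendmail[492]: hBMDLnHS000492: before-reporting-as-abuse-please-see-www.njabl.org [209.208.0.15] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHS000495: ruleset=check_rcpt, arg1=<relaytest@rr.njabl.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest@rr.njabl.org>... Relaying denied",
    "Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHT000495: ruleset=check_mail, arg1=<relaytestsend@spammers_waste_oxygen;>, relay=rt.njabl.org [209.208.0.15], reject=553 5.1.8 <relaytestsend@spammers_waste_oxygen;>... Domain of sender address relaytestsend@spammers_waste_oxygen does not exist",
    'Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHU000495: ruleset=check_mail, arg1=<"relaytestsend@rt.njabl.org"@spammers_waste_oxygen;>, relay=rt.njabl.org [209.208.0.15], reject=553 5.1.8 <"relaytestsend@rt.njabl.org"@spammers_waste_oxygen;>... Domain of sender address relaytestsend@rt.njabl.org@spammers_waste_oxygen does not exist',
    "Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHV000495: ruleset=check_mail, arg1=<relaytestsend>, relay=rt.njabl.org [209.208.0.15], reject=553 5.5.4 <relaytestsend>... Domain name required for sender address relaytestsend",
    "Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHW000495: ruleset=check_mail, arg1=<relaytestsend@localhost>, relay=rt.njabl.org [209.208.0.15], reject=553 5.5.4 <relaytestsend@localhost>... Real domain name required for sender address",
    "Dec 22 08:21:53 mailgate sendmail[495]: hBMDLoHf000495: ruleset=check_rcpt, arg1=<relaytest%rr.njabl.org@spammers_waste_oxygen;>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest%rr.njabl.org@spammers_waste_oxygen;>... Relaying denied",
]

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"

# "ruleset=..., arg1=<...>, relay=host [ip], reject=CODE DSN <...>... reason"
REJECT_RE = re.compile(
    TS + r" \S+ sendmail\[\d+\]: (?P<qid>\w+): ruleset=(?P<ruleset>\w+), "
    r"arg1=<(?P<arg>[^>]*)>, relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\], "
    r"reject=(?P<code>\d{3}) (?P<dsn>[\d.]+) .*$"
)
# A connection that opened a session but never issued a mail command.
SILENT_RE = re.compile(
    TS + r" \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<relay>\S+) \[(?P<ip>[\d.]+)\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN"
)


def classify_probe(addr):
    """Label the address form used in one MAIL FROM / RCPT TO attempt."""
    addr = addr.rstrip(";")  # the logged addresses carry a stray trailing ';'
    if "%" in addr:
        return "percent-hack"        # user%remote@local source routing
    if addr.startswith('"') and '"@' in addr:
        return "quoted-local-part"   # "user@remote"@local
    if "@" not in addr:
        return "no-domain"           # bare local part
    if addr.lower().endswith("@localhost"):
        return "localhost"
    return "plain"


def new_record(relay):
    return {"relay": relay, "rejects": 0, "silent": 0, "rulesets": Counter(),
            "forms": Counter(), "codes": Counter(), "first": None, "last": None}


def summarize(lines):
    """Group reject and silent-connection lines by relaying IP."""
    by_ip = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            rec = by_ip.setdefault(m["ip"], new_record(m["relay"]))
            rec["rejects"] += 1
            rec["rulesets"][m["ruleset"]] += 1
            rec["forms"][classify_probe(m["arg"])] += 1
            rec["codes"][m["code"]] += 1
            rec["first"] = rec["first"] or m["ts"]
            rec["last"] = m["ts"]
            continue
        m = SILENT_RE.match(line)
        if m:
            rec = by_ip.setdefault(m["ip"], new_record(m["relay"]))
            rec["silent"] += 1
    return by_ip


def relay_probe_sources(summary, min_rejects=3):
    """IPs whose rejections look like a relay test: several attempts that
    exercise more than one address form (a mis-configured sender normally
    repeats the same form). Threshold is this example's assumption."""
    return sorted(ip for ip, r in summary.items()
                  if r["rejects"] >= min_rejects and len(r["forms"]) > 1)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in relay_probe_sources(report):
        r = report[ip]
        print(f"{ip} ({r['relay']}): {r['rejects']} rejects, {r['silent']} silent, "
              f"{r['first']} .. {r['last']}")
        print("  rulesets:", dict(r["rulesets"]))
        print("  forms:   ", dict(r["forms"]))
```

Run against the full log in the post, the same summary shows all fifteen rejections coming from one IP within three seconds, which is the signal an alert rule should key on rather than any single 5xx line.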
Chris Brenton wrote:
Greets again all,
I noticed something kind of interesting when I made my last post to NANOG. I can understand people wanting to do spam checking, but IMHO this is a bit excessive and inconsiderate.
I'm guessing njabl.org is doing this to everyone who posts to the list, so I thought others might want to know about it in case they have not noticed it in their own logs. BTW, if you are curious about the "spammers_waste_oxygen" portion, that was grabbed off my SMTP banner.
Yep, and see below.
***********************************************
Dec 22 08:21:50 mailgate sendmail[492]: hBMDLnHS000492: before-reporting-as-abuse-please-see-www.njabl.org [209.208.0.15] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHS000495: ruleset=check_rcpt, arg1=<relaytest@rr.njabl.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest@rr.njabl.org>... Relaying
Um, welcome to the world of spam nazis. I hate spammers. I loathe and despise them. I hate njabl even more. The last time I called their ISP to complain, I was assured that I must have done something to deserve the aggressive testing. Well, nope, I didn't, and I don't. They just did it again, and by "it", I mean that they hit every machine in my little netblock (I suppose the last post to nanog did it). If they were just picking on the machine I posted from, it'd annoy me, but I'd get over it. Why they feel the need to abuse machines that I've NEVER sent email from, to anywhere, is beyond me. Sure, I recognize that I'm in a block frequented by clueless wonders (i.e. DSL), but it isn't dynamic, I've had it for a while now, and it's never been implicated during the time I've had it. In addition, I think that a post to nanog should not get such treatment. Isn't it bad enough that posting to the Full Disclosure mailing list has added to my spam level by a thousand percent? Sigh.

-- 
Open source should be about giving away things voluntarily. When you force someone to give you something, it's no longer giving, it's stealing. Persons of leisurely moral growth often confuse giving with taking. -- Larry Wall
On Mon, 2003-12-22 at 11:04, Etaoin Shrdlu wrote:
Um, welcome to the world of spam nazis.
I've seen returning MX queries and even source address validation, but never anything this excessive up till now. IMHO it's hard to tell if they are looking for spam relays to reduce spam, or because they are looking to generate some spam themselves. ;-)
I hate spammers. I loathe and despise them. I hate njabl even more.
Agreed. My spam is _my_ problem and fixing it should not include making it everyone else's problem. Forget whether it's legal, it's pretty inconsiderate as many environments flag this stuff as malicious so it triggers alerts.
The last time I called their ISP to complain, I was assured that I must have done something to deserve the aggressive testing.
As a follow up, it also looks like they did a pretty aggressive port scan of my system. Not sure how checking Telnet, X-Windows or RADIUS will tell them if I'm a spammer, but whatever.
Well, nope, I didn't, and I don't. They just did it again, and by "it", I mean that they hit every machine in my little netblock
I've tweaked my perimeter to return host-unreachables to all packets originating from their network (rate limited of course). If that stops them from accepting my mail, oh well I'll survive.

Thanks for the confirmation,
C
On Monday 22 December 2003 09:03 am, Chris Brenton wrote:
On Mon, 2003-12-22 at 11:04, Etaoin Shrdlu wrote:
Um, welcome to the world of spam nazis.
I've seen returning MX queries and even source address validation, but never anything this excessive up till now. IMHO it's hard to tell if they are looking for spam relays to reduce spam, or because they are looking to generate some spam themselves. ;-)
I hate spammers. I loathe and despise them. I hate njabl even more.
Agreed. My spam is _my_ problem and fixing it should not include making it everyone else's problem. Forget whether it's legal, it's pretty inconsiderate as many environments flag this stuff as malicious so it triggers alerts.
The last time I called their ISP to complain, I was assured that I must have done something to deserve the aggressive testing.
As a follow up, it also looks like they did a pretty aggressive port scan of my system. Not sure how checking Telnet, X-Windows or RADIUS will tell them if I'm a spammer, but whatever.
Well, nope, I didn't, and I don't. They just did it again, and by "it", I mean that they hit every machine in my little netblock
I've tweaked my perimeter to return host-unreachables to all packets originating from their network (rate limited of course). If that stops them from accepting my mail, oh well I'll survive.
Thanks for the confirmation, C
This is not the only list where this is occurring. It has been happening on the spamtools list, as well. We've now dropped them at the firewall. No loss to us.

-- 
Robin Lynn Frank | Director of Operations | Paradigm-Omega, LLC
Robin Lynn Frank wrote:
This is not the only list where this is occurring. It has been happening on the spamtools list, as well. We've now dropped them at the firewall. No loss to us.
It's worth commenting:

Triggering relay testing can occur in a number of different ways.

Some simply scan all IPs.

Some scan particular ranges.

Some scan an IP when they receive email from it. RR and AOL do this amongst biggies.

Some scan an IP when they receive suspicious/spam email from a given IP. We've done this from time to time. MANY other sites do this.

Many consider scanning to be abusive in and of itself, however, there is a considerable amount of agreement that "scanning with email in hand", or, more stringently, "scanning with spam in hand" is perfectly justified, as in "sending me email gives implicit permission to check that you're secure", or, "sending me spam gives permission to check that you're secure" respectively.

[Some people say "if they've sent you spam, why test? Simply blacklist!". Which is silly, because you end up blacklisting everyone sooner or later. By testing and not listing on a negative result, you have less chance of blocking a legitimate site.]

As another dimension, some people prefer to do very aggressive scanning - they'll test every combination of "tricks" that has been known to bypass anti-relay. Others try to avoid "tricks" that are likely to cause grief to the testee (eg: avoiding double bounces).

Don't assume that the testers are specifically targeting mailing lists. Chances are that a NJABL person is on the lists, and is doing a "test if email or spam in hand". [I don't know what NJABL's testing criteria are.]

In the scheme of things, such testing is relatively minor, even of the "obnoxious bounce to postmaster" variety. Tune your alarm system to ignore them. If you consider a dozen or two relay tests to be "extreme", I'd hate to think of what you'd think of _some_ other forms of vulnerability testing...

By blackholing the tester, you run a _significant_ risk of getting blacklisted, even if you don't relay or proxy. Some blacklists do that. [I don't think NJABL does, but others do.] Secondly, some of them use highly distributed testing. Like SORBS. You'll never get them all.

The spamming problem really has gotten so bad that many reputable organizations feel they have no choice but to test. It's a sign of the times. It's best to not get bent out of shape over it and adjust your processes to suit.

NJABL is reasonably well regarded. It's best not to play games with it, otherwise, you may end up getting blocked by all of its users. We're not using NJABL, but it is one of the ones we'd consider if some of our current ones went down. Some medium to large sites _do_ use it.

And don't expect a "we want to be blocked so we can discourage the use of blacklists" attitude to work anymore. From us, at best you'd get a whitelist entry. The spamming problem really _is_ that bad.
Speaking as and for SORBS (another hated and loved antispam bl)..

Chris Lewis wrote:
It's worth commenting:
Triggering relay testing can occur in a number of different ways.
Some simply scan all IPs.
I consider this abuse and don't do it.
Some scan particular ranges.
Same as above ;-)
Some scan an IP when they receive email from it. RR and AOL do this amongst biggies.
This is what SORBS started doing - now the volume is so high, and the number of ports to check (and ways to check them) are so large I cannot do it.
Some scan an IP when they receive suspicious/spam email from a given IP. We've done this from time to time. MANY other sites do this.
This is what SORBS does now. If we receive a mail to a SORBS feeder server with a spam assassin score of 5 or more, we automatically scan the host for proxies and relays.
Many consider scanning to be abusive in and of itself, however, there is a considerable amount of agreement that "scanning with email in hand", or, more stringently, "scanning with spam in hand" is perfectly justified, as in "sending me email gives implicit permission to check that you're secure", or, "sending me spam gives permission to check that you're secure" respectively.
[Some people say "if they've sent you spam, why test? Simply blacklist!". Which is silly, because you end up blacklisting everyone sooner or later. By testing and not listing on a negative result, you have less chance of blocking a legitimate site.]
SORBS scans after listing with 'spam in hand' for a number of reasons....

1/ Not everyone uses the spam DB for blocking (eg: I use it for weighting at the ISP I run - I use it for blocking on my home mail)
2/ People listed will demand delisting immediately regardless (they don't care - it's their "right to send email"), and if they have an open proxy/relay, telling them to fix that first is the best way of stopping future spam.
3/ Proxy and relay scanning takes on average 2 hours per host (purely because we don't want to crash it, or the testers for that matter). SORBS updates every 20 minutes.
As another dimension, some people prefer to do very aggressive scanning - they'll test every combination of "tricks" that has been known to bypass anti-relay. Others try to avoid "tricks" that are likely to cause grief to the testee (eg: avoiding double bounces).
We do 19 relay tests, and we perform them twice, with 2 sets of to and from data. Some of our tests cause bounces - we do try to avoid upsetting people, but the 'from postmaster@domain' test is an important one, so we do use it. The test message does include a detailed description of what it is and who to contact if there is a problem though.
In the scheme of things, such testing is relatively minor, even of the "obnoxious bounce to postmaster" variety. Tune your alarm system to ignore them. If you consider a dozen or two relay tests to be "extreme", I'd hate to think of what you'd think of _some_ other forms of vulnerability testing...
wait till he triggers SORBS - it starts with a full port scan... :-/
By blackholing the tester, you run a _significant_ risk of getting blacklisted, even if you don't relay or proxy. Some blacklists do that. [I don't think NJABL does, but others do.] Secondly, some of them use highly distributed testing. Like SORBS. You'll never get them all.
That's right, and if SORBS detects firewalling to avoid open-relay detection you get listed as a test blocker in the system, and should you get listed for spam, you will find it near on impossible to get out (even if it was one of your users) - just because you are considered to be someone 'hiding something'. SORBS makes a point of being up front and port scanning uses no stealth features of nmap. It also doesn't do stealth testing.
The spamming problem really has gotten so bad that many reputable organizations feel they have no choice but to test. It's a sign of the times. It's best to not get bent out of shape over it and adjust your processes to suit.
NJABL is reasonably well regarded. It's best not to play games with it, otherwise, you may end up getting blocked by all of its users. We're not using NJABL, but it is one of the ones we'd consider if some of our current ones went down. Some medium to large sites _do_ use it.
And don't expect a "we want to be blocked so we can discourage the use of blacklists" attitude to work anymore. From us, at best you'd get a whitelist entry. The spamming problem really _is_ that bad.
...and I'll be a very happy man the day I shut down SORBS because spam is no longer an issue. I might get a life then. / Mat
At 6:15 +1000 12/23/03, Matthew Sullivan wrote:
And don't expect a "we want to be blocked so we can discourage the use of blacklists" attitude to work anymore. From us, at best you'd get a whitelist entry. The spamming problem really _is_ that bad.
...and I'll be a very happy man the day I shut down SORBS because spam is no longer an issue. I might get a life then.
/ Mat
AMEN Mat !!! These damned spammers sending out junk to foul up bayesian filtering is getting to be too much. Not to mention the latest tactic is to sneak IRCbots onto victims' PCs and voila!! Open Proxy. As long as there is a piece of crap operating system like windblows out there that bots and worms can easily compromise, then netblock port scans and detections of proxies will be a necessary evil of the internet. I for one, if one of my luser subscribers is discovered with a proxy or IRCbot running, would like to know about it.

-- 
Michael Jezierski
TriLutions Internet Center
BOFH - Chief LARTer - Slayer of Spam[mers]
Master of the Clue-By-Four
+1 (309) 342-7177 x212
Folks, let's end this thread, maybe move it to a more appropriate list:

http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list for spam prevention and discussion
http://www.abuse.net/spamtools.html -- spam tools list for software tools that detect spam
net.admin.net-abuse.email | net.admin.net-abuse.usenet -- usenet lists

Thanks.
On Mon, 22 Dec 2003, Chris Brenton wrote:
I hate spammers. I loathe and despise them. I hate njabl even more.
Agreed. My spam is _my_ problem and fixing it should not include making it everyone else's problem. Forget whether it's legal, it's pretty inconsiderate as many environments flag this stuff as malicious so it triggers alerts.
Hmm...actually, YOUR spam is MY problem. That's how this works. I applaud njabl. If you have open relays, proxies, or whatnot, I want to know about it, so I can reject all mail from you. If we have a single entity that does all this scanning, we as individual entities do not need to scan ourselves. Therefore, njabl is REDUCING the number of people scanning your netblocks for proxies. If they didn't do it for me, I'd be doing it myself, along with numerous other networks.
As a follow up, it also looks like they did a pretty aggressive port scan of my system. Not sure how checking Telnet, X-Windows or RADIUS will tell them if I'm a spammer, but whatever.
proxies, proxies, proxies. But like you say, "whatever". It's not like you would have noticed if you didn't obsessively scan your logfiles or have an IDS.
Well, nope, I didn't, and I don't. They just did it again, and by "it", I mean that they hit every machine in my little netblock
I've tweaked my perimeter to return host-unreachables to all packets originating from their network (rate limited of course). If that stops them from accepting my mail, oh well I'll survive.
In the old days, when Abovenet and ORBS (I think, could be wrong, been a while) got into it, and ORBS (or whoever) blacklisted Abovenet's IP space because they were firewalled, that was simply petty and stupid. NJABL will not list you for preventing them from scanning your servers. Is Jon aggressive? Yes. Is he a dickhead? No.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
On Mon, 2003-12-22 at 13:46, Andy Dills wrote:
Agreed. My spam is _my_ problem and fixing it should not include making it everyone else's problem. Forget whether it's legal, it's pretty inconsiderate as many environments flag this stuff as malicious so it triggers alerts.
Hmm...actually, YOUR spam is MY problem. That's how this works.
Except it's broken because the message in question was not spam. It was a technical post to the NANOG mailing list that triggered the 100+ port scan, as well as about 15 different variations attempting to relay e-mail through my server. Am I missing the Viagra ad that gets tacked to the end of all NANOG posts? ;-)
I applaud njabl.
I guess I don't. I can *totally* understand wanting to control the amount of spam that an environment receives. I obviously deal with this problem as well. I guess in my mind however I feel like the cost/burden of dealing with that spam should be my responsibility, and I should not expect legitimate organizations that are not part of the problem to incur a financial impact due to my efforts. For example their scans and probes would easily trigger an alert in most environments (they did in mine and I'm by no means high security). This means that a security analyst now has to check out the traces and see if it's a real attack. Then a decision has to be made as to how to deal with it, which may well require (depending on policy) multiple resources. So I end up spending money so njabl can try and reduce the amount of spam they receive. Oh joy, oh rapture.

Also, I don't see this as a totally effective solution. This works if the spam comes through an open relay, but fails if it does not. That means you need some other layer of checking to deal with the non-relay spam. Something like Spamassassin for example. Of course Spamassassin can also easily deal with the open relay spam as well, without requiring an obtrusive check back system.

Finally, I used to blacklist known spammer's IP addresses as well, but stopped after I crunched some numbers. When you blacklist the spammers IP, they don't give up and remove your address, they just keep trying. The bandwidth lost to the retries (on average) is greater than the bandwidth used to transmit the actual spam. So blocking spam saves you some temporary disk space, but increases network utilization.
If you have open relays, proxies, or whatnot, I want to know about it, so I can reject all mail from you.
Again, except I don't. If I transmit spam, I should expect to be poked and probed. When one receives an unprovoked probe/attack like this, the target is going to assume the source is hostile. It's not till you spend time looking into it (in other words, burn $$$ on resources) that you figure out that someone actually considers this pattern to be "a feature".
If we have a single entitity that does all this scanning, we as individual entities do not need to scan ourselves.
This is going to sound really snippy, but who died and made them god/goddess of the Internet? Where is the document trail empowering them to be spam cops of the Internet with absolute authority to probe whoever they see fit? Also, it does not quite work out that they are the only ones doing it (see earlier thread on AOL). They just seem to be more aggressive than most.
Therefore, njabl is REDUCING the number of people scanning your netblocks for proxies. If they didn't do it for me, I'd be doing it myself, along with numerous other networks.
I guess we can "agree to disagree" here as I'm not a "ends justifies the means" type of person. I want to reduce the amount of spam I receive as well, and certainly would not mind making the spammer's lives a bit more difficult. I don't want to do that however at the cost of annoying/sucking money out of legitimate Internet users.
As a follow up, it also looks like they did a pretty aggressive port scan of my system. Not sure how checking Telnet, X-Windows or RADIUS will tell them if I'm a spammer, but whatever.
proxies, proxies, proxies.
Humm. This is something I have not run into before. Can you supply a URL that explains how to relay mail through a Telnet or RADIUS server?
But like you say, "whatever". It's not like you would have noticed if you didn't obsessively scan your logfiles or have an IDS.
LOL! I see, this is my fault because I actually take steps to secure my environment. ;-)

Thanks for the chuckle,
C
* cbrenton@chrisbrenton.org (Chris Brenton) [Mon 22 Dec 2003, 21:07 CET]: [proxies]
Humm. This is something I have not run into before. Can you supply a URL that explains how to relay mail through a Telnet or RADIUS server?
Older versions of WinGate used to run a listener service on port 23 that would take a hostname and a port as input and connect to that. Real easy to abuse, and also to DoS itself - let it connect to localhost:23 a bunch of times and eventually Windows would run out of clean winsocks, thus solving the problem for a little while. -- Niels.
On Mon, 22 Dec 2003, Chris Brenton wrote:
If we have a single entitity that does all this scanning, we as individual entities do not need to scan ourselves.
This is going to sound really snippy, but who died and made them god/goddess of the Internet? Where is the document trail empowering them to be spam cops of the Internet with absolute authority to probe whoever they see fit?
This is a can of worms with no answer. Who gives authority to IANA for that matter? We're dealing with protocols, not laws. If you don't like X person's traffic, you have 100% authority to filter it. That's the sole authority on the internet.

You'd be hard pressed to frame what NJABL does in terms of "abuse", because of the intent, and because of the actual bit volume involved. Since you can't call it abuse, NJABL's upstream has no reason to swing the abuse hammer. (We all know it's hard enough to get many networks to swing any sort of hammer at all, even for significantly more egregious behavior.)

Since you can't convince their upstream to swing the abuse hammer, you have two options:

1) Filter the traffic
2) Not filter the traffic

For the simple reason that there IS no central authority on the internet who CAN decide what flies and what doesn't, grumbling on a mailing list is about as far as one can go in response.
Humm. This is something I have not run into before. Can you supply a URL that explains how to relay mail through a Telnet or RADIUS server?
No, but I can supply a URL that explains how to change the port that proxy servers bind to. I don't think you actually need that, though. You really think people who professionally hack servers and setup spam relay proxies put them on the standard ports?
LOL! I see, this is my fault because I actually take steps to secure my environment. ;-)
No, but it is your fault for overreacting to your IDS. Security doesn't require an IDS. An IDS merely tells you who's checking your doorknobs to see if they're locked. If you do a good enough job keeping your doors locked, an IDS is little more than a touchy doorbell at 3 AM, being tripped by the wind.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
On Mon, 2003-12-22 at 16:55, Andy Dills wrote:
This is going to sound really snippy, but who died and made them god/goddess of the Internet? Where is the document trail empowering them to be spam cops of the Internet with absolute authority to probe whoever they see fit?
This is a can of worms with no answer. Who gives authority to IANA for that matter?
That was my point. I was responding to someone that was implying that njabl was doing this for the benefit of everyone and thus had some authority to do so. Obviously that's not the case.
Humm. This is something I have not run into before. Can you supply a URL that explains how to relay mail through a Telnet or RADIUS server?
No, but I can supply a URL that explains how to change the port that proxy servers bind to. I don't think you actually need that, though.
You really think people who professionally hack servers and setup spam relay proxies put them on the standard ports?
Again, this was my point. Finding out if I have an exposed RADIUS server is not really evidence that I'm running an open SMTP proxy. So where does it stop? Scanning all 65K ports? Full OS fingerprinting to shun the most compromised OS's? Maybe we insist on being provided with root access to verify the box as being clean before we accept their e-mail? This slope can get pretty scary.
LOL! I see, this is my fault because I actually take steps to secure my environment. ;-)
No, but it is your fault for overreacting to your IDS.
I honestly don't think I overreacted. My original post labeled the traffic as simply "interesting" and I stated I was posting it in case others were interested and had not noticed it in their logs. No call to arms, flames, or rants for widespread blacklisting, just an FYI in case others found the info useful.
Security doesn't require an IDS. An IDS merely tells you who's checking your doorknobs to see if they're locked. If you do a good enough job keeping your doors locked, an IDS is little more than a touchy doorbell at 3 AM, being tripped by the wind.
An IDS is more like an empty box. One person may look at it and see a simple storage device. Show it to a 5 year old however and it becomes a boat, a plane, a car, a castle, etc. etc. etc. I mentioned in another thread that I've caught plenty of 0-day stuff with my IDS. In other words, stuff that had no known signatures or patches. It's also helped me out in a fair amount of troubleshooting. It's all a matter of being inventive and knowing what to look for. If you perceive your IDS to be "little more than a touchy doorbell", I would highly recommend attending SANS IDS training. It'll open your mind and show you a wealth of other possibilities.

Regards,
Chris
i promised sue that i would stay out of spam-related discussions, but as usual there's a thing which i can't let pass.
... You'd be hard pressed to frame what NJABL does in terms of "abuse", because of the intent, and because of the actual bit volume involved.
intent does not, and cannot, matter. when an isp hears a complaint about spam, and seeks explanation from their spamming customer, an answer of the form "we have only the best of intentions", then the result still has to be service disconnection.

volume cannot matter, either. a received datum either is or isn't abusive regardless of how large it was or how often it was received by a specific complainer. otherwise "this is a one-time mailing" is legitimate.

i am astonished at the lack of forethought being displayed here. quoting from "Sendmail: Theory and Practice", 2nd Ed, Digital Press, 2002:

| The standard for ``spamness'' which most embodies this principle was found at http://mail-abuse.org/standard.html and is reproduced here:
|
| STANDARD:
|
| An electronic message is ``spam'' IF: (1) the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients; AND (2) the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND (3) the transmission and reception of the message appears to the recipient to give a disproportionate benefit to the sender.
|
| DISCUSSION:
|
| (i) Trivial or mechanised personalization such as ``Dear Mr. Jones, we see that you are the holder of the JONES.COM domain'' does not make the personal identity of the recipient relevant in any way.
|
| (ii) Failing to click the ``do not send me marketing literature by e-mail'' button in a web sign-up form does not convey explicit permission. Only when the default result is ``no followup e-mail'' AND the in-box impact is clearly stated before any action which changes this result, can permission of this kind be conveyed.
|
| (iii) The appearance of disproportionate benefit to the sender, and the relevancy of the recipient's specific personal identity, are authoritatively determined by the recipient, and is not subject to argument or reinterpretation by the sender.
|
| (iv) Non-personal e-mail always places a disproportionate cost burden on the recipient, and is considered to disproportionately benefit the sender unless it was verifiably solicited or by the recipient's willing exception.
|
| (v) A message need not be offensive or commercial in order to fit the definition of ``spam.'' Content is irrelevant except to the extent necessary to determine personal applicability, consent, and benefit.
|
| We've heard of arguments that such a standard places too much power in the hands of recipients. In our view, recipients are paying the majority of the cost of e-mail transport, and thus ought to have the strongest voice in what's sent (or not) to them. Besides which, such an argument presumes that there's a piece of mail that a sender isn't certain was solicited. Our advice is: don't send it then!

(note, i coauthored both the book and the referenced website.)

-- 
Paul Vixie
On 23 Dec 2003, Paul Vixie wrote:
You'd be hard pressed to frame what NJABL does in terms of "abuse", because of the intent, and because of the actual bit volume involved.
intent does not, and cannot, matter. when an isp hears a complaint about spam, and seeks an explanation from their spamming customer, an answer of the form "we have only the best of intentions", then the result still has to be service disconnection.
Therefore, in accordance with your logic, if I have a "spam in hand", and I probe your servers to determine if you're an open relay, I'm myself spamming, and that is network abuse, and my ISP should disconnect me.

So intent doesn't matter, huh?

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
andy,

From: "Andy Dills" <andy@xecu.net>
On 23 Dec 2003, Paul Vixie wrote:
You'd be hard pressed to frame what NJABL does in terms of "abuse", because of the intent, and because of the actual bit volume involved.
intent does not, and cannot, matter. when an isp hears a complaint about spam, and seeks an explanation from their spamming customer, an answer of the form "we have only the best of intentions", then the result still has to be service disconnection.
Therefore, in accordance with your logic, if I have a "spam in hand", and I probe your servers to determine if you're an open relay, I'm myself spamming, and that is network abuse, and my ISP should disconnect me.
So intent doesn't matter, huh?
if i parsed paul's post correctly, that is exactly what he is saying. i agree. his logic and the statement you consider ridiculous make perfect sense to me. i have *not* given anyone permission to scan my boxes by sending out mail. trying to somehow justify around this is conjecture - a conjecture that, in my mind, is equivalent to the argument that people have given permission to be mailed (and spammed) by putting their address on a website. njabl is welcome to scan me and i, in turn, am free to drop their traffic at my edge. i do the same to a multitude of abusive sources every day. paul
On Tue, 23 Dec 2003, Paul wrote:
if i parsed paul's post correctly, that is exactly what he is saying. i agree. his logic and the statement you consider ridiculous make perfect sense to me.
i have *not* given anyone permission to scan my boxes by sending out mail. trying to somehow justify around this is conjecture - a conjecture that, in my mind, is equivalent to the argument that people have given permission to be mailed (and spammed) by putting their address on a website.
I think the concept of "permission" is antiquated in terms of the internet. I repeat my previous assertion: The only authority on the internet is over YOUR network. Because you only have authority over your network, and not mine, it is unfair for you to dictate any sort of rules to me, and likewise. Your authority stops at your routers. You don't want my packets, drop them. That's the sole concept of social authority that exists on the internet. You control what packets traverse your network. Given that, you connecting to the internet and accepting my packets is implicit permission for me to send packets to those boxes. Don't like it? Drop my packets, revoke my permission.
njabl is welcome to scan me and i, in turn, am free to drop their traffic at my edge. i do the same to a multitude of abusive sources every day.
Exactly. This is CLEARLY not what Paul V. wants. He feels that if he can declare something abuse, that should be sufficient grounds for disconnection. He also thinks that the network who must do the disconnecting should ignore anything external to the evidence he provides.

*shrug* This isn't really my problem, I'm not a source of anything anybody would term abuse. But from talking to network operators, many feel the same way I do and I think this point of view should be stated.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
andy,

From: "Andy Dills" <andy@xecu.net>
On Tue, 23 Dec 2003, Paul wrote:
if i parsed paul's post correctly, that is exactly what he is saying. i agree. his logic and the statement you consider ridiculous make perfect sense to me.
i have *not* given anyone permission to scan my boxes by sending out mail. trying to somehow justify around this is conjecture - a conjecture that, in my mind, is equivalent to the argument that people have given permission to be mailed (and spammed) by putting their address on a website.
I think the concept of "permission" is antiquated in terms of the internet.
I repeat my previous assertion: The only authority on the internet is over YOUR network.
yep, agreed.
Because you only have authority over your network, and not mine, it is unfair for you to dictate any sort of rules to me, and likewise.
see below.
Your authority stops at your routers. You don't want my packets, drop them.
That's the sole concept of social authority that exists on the internet. You control what packets traverse your network.
Given that, you connecting to the internet and accepting my packets is implicit permission for me to send packets to those boxes. Don't like it? Drop my packets, revoke my permission.
njabl is welcome to scan me and i, in turn, am free to drop their traffic at my edge. i do the same to a multitude of abusive sources every day.
Exactly. This is CLEARLY not what Paul V. wants. He feels that if he can declare something abuse, that should be sufficient grounds for disconnection. He also thinks that the network who must do the disconnecting should ignore anything external to the evidence he provides.
i do not want to be portscanned, so i will drop all future traffic from you. i am also somewhat annoyed about getting an alert and spending my time looking into it, so i am going to call your upstream(s) and complain. if they agree that your behaviour was out of line, they will not transit your traffic either. if they do not see the light, i add them (AS 6364 in this case) to my 'we will never do business with them' list. at the end, i vote with my enable and my dollars. paul
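The alert Paul describes has to come from somewhere. The following is an added example, not code from anyone in this thread: a small Python parser that reads sendmail-style reject lines, counts "Relaying denied" rejections per connecting host, and reports hosts whose rejections cluster inside a time window, which is the evidence an operator would want before deciding to drop a source at the edge or call its upstream. The log lines, host names and 192.0.2.x addresses are constructed for the example; the log year is assumed because syslog timestamps carry none.

```python
"""Flag bursts of relay-test rejections in sendmail syslog lines.

Added example (not from the NANOG thread): parse sendmail reject lines,
group 'Relaying denied' rejections by connecting IP, and report any IP
whose rejections cluster inside a time window.  The sample log below is
constructed; names and addresses are placeholders (TEST-NET 192.0.2.0/24).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a sendmail reject line (check_rcpt / check_mail rulesets):
#   Dec 22 08:21:50 host sendmail[495]: QID: ruleset=check_rcpt,
#   arg1=<user@dom>, relay=name [1.2.3.4], reject=550 5.7.1 <...>... reason
# 'relay=' may carry only the bracketed address when no name resolves.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\S+): ruleset=(?P<ruleset>\w+), arg1=<(?P<arg1>[^>]*)>, "
    r"relay=(?P<relay>[^\[]*?) ?\[(?P<ip>[\d.]+)\], "
    r"reject=(?P<code>\d{3} \d\.\d\.\d) .*?\.\.\. (?P<reason>.*)$"
)

# Constructed sample: one host issuing six relay attempts in three seconds
# (several addressing tricks), plus one unrelated single rejection.
SAMPLE_LOG = """\
Dec 22 08:21:50 mailgate sendmail[492]: hBMDLnHS000492: probe.example.net [192.0.2.15] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHS000495: ruleset=check_rcpt, arg1=<relaytest@rr.example.net>, relay=probe.example.net [192.0.2.15], reject=550 5.7.1 <relaytest@rr.example.net>... Relaying denied
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHT000495: ruleset=check_mail, arg1=<relaytestsend@localhost>, relay=probe.example.net [192.0.2.15], reject=553 5.5.4 <relaytestsend@localhost>... Real domain name required for sender address
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHU000495: ruleset=check_rcpt, arg1=<relaytest%rr.example.net@mailgate.example.com>, relay=probe.example.net [192.0.2.15], reject=550 5.7.1 <relaytest%rr.example.net@mailgate.example.com>... Relaying denied
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHV000495: ruleset=check_rcpt, arg1=<"relaytest@rr.example.net"@mailgate.example.com>, relay=probe.example.net [192.0.2.15], reject=550 5.7.1 <"relaytest@rr.example.net"@mailgate.example.com>... Relaying denied
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHW000495: ruleset=check_rcpt, arg1=<relaytest@rr.example.net>, relay=probe.example.net [192.0.2.15], reject=550 5.7.1 <relaytest@rr.example.net>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHX000495: ruleset=check_rcpt, arg1=<rr.example.net!relaytest@mailgate.example.com>, relay=probe.example.net [192.0.2.15], reject=550 5.7.1 <rr.example.net!relaytest@mailgate.example.com>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHY000495: ruleset=check_rcpt, arg1=<relaytest@rr.example.net>, relay=probe.example.net [192.0.2.15], reject=550 5.7.1 <relaytest@rr.example.net>... Relaying denied
Dec 22 08:25:10 mailgate sendmail[601]: hBMDPAab000601: ruleset=check_rcpt, arg1=<bob@other.example>, relay=[192.0.2.77], reject=550 5.7.1 <bob@other.example>... Relaying denied
"""


def parse_reject(line, year=2003):
    """Return a dict for a sendmail reject line, or None for other lines.

    `year` is an assumption: syslog timestamps carry no year, and only
    relative ordering matters for the window check below.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {
        "ts": ts,
        "ip": m["ip"],
        "relay": m["relay"] or None,   # None when sendmail logged no name
        "ruleset": m["ruleset"],
        "arg1": m["arg1"],
        "reason": m["reason"],
    }


def find_relay_probes(lines, threshold=5, window=timedelta(minutes=5)):
    """Map IP -> summary for IPs with >= `threshold` 'Relaying denied'
    rejections inside any `window`-long span.  A lone misconfigured
    client that is refused once does not reach the threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_reject(line)
        if rec and rec["reason"].startswith("Relaying denied"):
            events[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window over the sorted rejections: any `threshold`
        # consecutive ones closer together than `window` is a burst.
        for i in range(len(recs) - threshold + 1):
            if recs[i + threshold - 1]["ts"] - recs[i]["ts"] <= window:
                findings[ip] = {
                    "count": len(recs),
                    "first": recs[0]["ts"],
                    "last": recs[-1]["ts"],
                    "relay": recs[0]["relay"],
                    "targets": sorted({r["arg1"] for r in recs}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in find_relay_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} ({info['relay']}): {info['count']} relay attempts "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
        for t in info["targets"]:
            print("   ", t)
```

Feed it real `maillog` lines with `find_relay_probes(open("/var/log/maillog"))` and tune `threshold` and `window` to the site's normal rate of stray relay attempts; the summary names the source address, the resolved name sendmail recorded, and every recipient form tried, which is the record to keep alongside an edge filter or an abuse report.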
On Mon, 22 Dec 2003 15:01:35 EST, Chris Brenton <cbrenton@chrisbrenton.org> said:
Except it's broken because the message in question was not spam. It was a technical post to the NANOG mailing list that triggered the 100+ port
Chris - please see if you can find out if it *was* your message. A few weeks ago, I posted a note to NANOG, and somebody on the list is infected with malware that took the From/To/CC list and stuck them onto a spam for "enhancement pills". In near real-time no less - the site that caught it had its "your note has been quarantined" notice to me some 8 minutes after I hit 'send'. When they fished it out of quarantine, it did indeed have my NANOG headers joe-job glued onto the spam.
On Mon, 22 Dec 2003, Andy Dills wrote:
Hmm...actually, YOUR spam is MY problem. That's how this works.
I applaud njabl.
Then you've never been on the receiving end of their (and their ilk's) vigilante "justice" for no reason other than being in the same block of addresses as some hacked windoze host (NOT on your network, mind you) and using business-grade DSL. I wish you had an opportunity to try that being YOUR problem, _then_ we'll hear your opinion on spam nazis.

Oh, and I usually get it fixed by forcing postmasters on the receiving end to stop using offending lists, sometimes by forging "spam" from them (yes, Virginia, the one-way TCP hack works) - when it's for some reason important to me to communicate with their customer, and the a*le running the mailserver is immune to reason.

--vadim
On Mon, 22 Dec 2003, Vadim Antonov wrote:
On Mon, 22 Dec 2003, Andy Dills wrote:
Hmm...actually, YOUR spam is MY problem. That's how this works.
I applaud njabl.
Then you've never been on the receiving end of their (and their ilk's) vigilante "justice" for no reason other than being in the same block of addresses as some hacked windoze host (NOT on your network, mind you) and using business-grade DSL.
Oh, sure have. Spews has listed an entire /19 of ours before, merely because of a multi-stage relay (customer had an open relay configured to dump everything to our mailserver).

NJABL isn't Spews. To my knowledge, NJABL doesn't write off entire subnets...thus the need for scanning so many IPs. It's possible you were grouped in with dynamic IP DSL...but from the njabl.org website: http://www.njabl.org/listing.html

"2. If an IP is listed because we think it's in a dial-up range, show us that it's not. If it really is a dial-up, it'll most likely remain in the list, but we may add non-dial-up range IP's to the list thinking they are dial-up range IP's. In these cases, we'll be happy to correct the error."
I wish you had an opportunity to try that being YOUR problem, _then_ we'll hear your opinion on spam nazis.
Having used NJABL for well over a year, the collateral damage is almost nil. I'm well aware of the issues involved. I still think proactive scanning is better than reactive scanning. I'm also completely aware that others will disagree with that sentiment.

It's not really something that's worth our time debating, we may as well debate abortion. You're either offended that somebody is probing your systems or you aren't. No amount of conjecture is going to change an opinion on this issue. But I felt somebody needed to stick up for them, lest people think there is some sort of consensus.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Andy Dills writes on 12/22/2003 7:33 PM:
Oh, sure have. Spews has listed an entire /19 of ours before, merely because of a multi-stage relay (customer had an open relay configured to dump everything to our mailserver).
As far as I have seen, that is not the typical reason for a spews nom. Spews seems to target a fairly similar crowd to what (say) the SBL targets, but uses a rather wider brush.

To forestall further discussion on this, I'd suggest reading http://www.scconsult.com/bill/dnsblhelp.html - especially http://www.scconsult.com/bill/dnsblhelp.html#4-20

srs

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations