[Fwd: FC: Email a RoadRunner address, get scanned by their securitysystem]
-------- Original Message --------
Subject: FC: Email a RoadRunner address, get scanned by their securitysystem
Date: Fri, 14 Mar 2003 15:25:46 -0500
From: Declan McCullagh <declan@well.com>
Reply-To: declan@well.com
To: politech@politechbot.com

---

Date: Fri, 14 Mar 2003 15:22:24 -0500
Subject: RoadRunner Automated Portscans
From: Gunnar Hellekson <gunnar@onepeople.org>
To: declan@well.com

After sending an email to a friend at a RoadRunner address, I see this in my web access log:

24.30.199.228 - - [13/Mar/2003:15:11:25 -0500] "CONNECT security.rr.com:25 HTTP/1.0" 404 535 "" ""

Basically, RoadRunner tried to spam themselves using my server. I mailed abuse@rr.com about this, and received a canned response, enclosed. It's a humble response, but woefully inadequate. Have anti-spam measures come to this? This seems like an ill-considered compromise between privacy and anti-spam efforts. A blunt instrument that betrays less-than-careful thinking. The opt-out option, which was revealed only after my complaint, is even more obnoxious. Under their logic, I feel entitled to poke and prod their customers, just to make sure they don't spam me. Is that fair? I promise to provide an opt-out if anyone complains. I'm curious whether this preemptive measure is effective at all.

-Gunnar
From: "Road Runner Security [DSR]" <abuse@rr.com>
Date: Fri Mar 14, 2003 2:05:12 PM America/New_York
Subject: Re: Port scans?
Hello,
The securityscan.sec.rr.com machine is a Road Runner Security resource that is used as a tool to assist us in determining if machines being used to send us mail may be abused from outside sources, allowing them to be used to spam our customers and role accounts. We fully understand your concerns surrounding the probing of your machine. This issue has been raised internally and we hope this email helps you better understand our process.
The intention of this process is truly not meant to be a "big brother" system, but we understand that some may view it as such. Our ultimate goal, however, is to protect our network, our customers, and our role accounts.
Road Runner has begun the REACTIVE testing of IP addresses which connect to its inbound SMTP gateways. If your machine connects to ours to send email, we reserve the absolute right to perform SMTP relay and open proxy server tests upon the connecting IP address to ensure that the machine at that IP address cannot be abused for malicious purposes.
These scans are done once per week per IP, via an automated process, and only on those servers that have sent our subscriber base mail. The only way for these tests to occur is if an IP address connects to our inbound SMTP gateway. If found to be an open proxy or smtp relay, the IP address will be blocked at our mail gateway borders with one of the following error messages:
ERROR:5.7.1:550 Mail Refused - See http://security.rr.com/mail_blocks.htm#proxy
ERROR:5.7.1:550 Mail Refused - See http://security.rr.com/mail_blocks.htm#relay
We understand that some entities may not wish to be scanned as part of this automated process. If you do not wish to be tested by Road Runner, there are two ways to accomplish this:
1. Send an e-mail to 'donottest@security.rr.com' with the IP address that you do not wish to be tested. Please note that if you are not the designated contact for your IP address range (for example, if you are on a cable modem, DSL, or dialup range), we will be unable to fulfill your request for addition or removal.
2. Do not connect to our inbound SMTP servers. Again, this test is only conducted on servers that connect to our servers.
If you have any further questions, you can visit http://security.rr.com or contact Road Runner Security via e-mail at 'spamblock@security.rr.com'
Regards,
Road Runner Security

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
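The log line Gunnar quotes is what an open-proxy probe looks like from the receiving side: an HTTP CONNECT request asking the web server to tunnel to port 25 on a third host. The following is an added example, not code from any participant in this thread, showing how a mail or web administrator could pull such probes out of an Apache-style access log and tell a harmless refusal (the 404 in Gunnar's log) from a server that actually opened the tunnel (a 2xx response), which would mean the host really is usable as an open proxy. The sample log is constructed: the first line is the one from the thread, the remaining lines, hosts and addresses are invented for illustration; the `SMTP_PORTS` set and the `ProxyProbe` record are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample log. Line 1 is the entry quoted in the thread; the other
# three lines (and their addresses/hosts) are invented for this example.
SAMPLE_LOG = """\
24.30.199.228 - - [13/Mar/2003:15:11:25 -0500] "CONNECT security.rr.com:25 HTTP/1.0" 404 535 "" ""
192.0.2.10 - - [13/Mar/2003:15:12:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Mar/2003:15:13:44 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "" ""
203.0.113.9 - - [13/Mar/2003:15:14:02 -0500] "CONNECT www.example.org:443 HTTP/1.1" 405 0 "-" "-"
"""

# Apache "combined"/"common" prefix: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Ports an SMTP-abuse probe would ask the proxy to reach (assumed for this example).
SMTP_PORTS = {25, 465, 587}


@dataclass
class ProxyProbe:
    src_ip: str
    timestamp: str
    target_host: str
    target_port: int
    status: int
    tunnel_opened: bool  # True when the server answered 2xx, i.e. it relayed the connection


def parse_line(line: str):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_connect_probes(log_text: str):
    """Every CONNECT request in the log, with its tunnel target and outcome."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, sep, port_text = rec["target"].rpartition(":")
        if not sep:
            continue  # CONNECT without host:port is malformed; skip it
        try:
            port = int(port_text)
        except ValueError:
            continue
        status = int(rec["status"])
        probes.append(ProxyProbe(
            src_ip=rec["ip"],
            timestamp=rec["ts"],
            target_host=host,
            target_port=port,
            status=status,
            tunnel_opened=200 <= status < 300,
        ))
    return probes


def smtp_probes(log_text: str):
    """CONNECT requests aimed at mail ports: the open-proxy-for-spam test pattern."""
    return [p for p in find_connect_probes(log_text) if p.target_port in SMTP_PORTS]


def open_proxy_evidence(log_text: str):
    """CONNECT requests the server actually honoured; any hit here needs fixing."""
    return [p for p in find_connect_probes(log_text) if p.tunnel_opened]


if __name__ == "__main__":
    for p in smtp_probes(SAMPLE_LOG):
        verdict = "TUNNEL OPENED - server is relaying!" if p.tunnel_opened else "refused"
        print(f"{p.timestamp} {p.src_ip} -> {p.target_host}:{p.target_port} ({p.status}): {verdict}")
```

Run against the constructed log this reports the thread's probe from 24.30.199.228 as refused (404) and the invented 198.51.100.7 entry as a successful tunnel; on a real server the second case is the one that would get the host listed under the #proxy block RR describes above, so it is the result worth alerting on.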
From: "William Allen Simpson
After sending an email to a friend at a RoadRunner address, I see this in my web access log:
24.30.199.228 - - [13/Mar/2003:15:11:25 -0500] "CONNECT security.rr.com:25 HTTP/1.0" 404 535 "" ""
Basically, RoadRunner tried to spam themselves using my server. I mailed abuse@rr.com about this, and received a canned response, enclosed. It's a humble response, but woefully inadequate. Have anti-spam measures come to this? This seems like an ill-considered compromise between privacy and anti-spam efforts. A blunt instrument that betrays less-than-careful thinking. The opt-out option, which was revealed only after my complaint, is even more obnoxious.
Sending email to many servers means that your mail server will be probed for open proxies and open relays. It's only seriously taboo when it leaves the actual connecting server to scan the rest of the network. This is why I posted previously about a centralized system so that we can limit these probes. In the case of RoadRunner, it is only inappropriate because RR themselves complain and throw a fit about being probed, and yet they probe others.

-Jack
I only find it humorous that a majority of the network probes against my network come from RoadRunner cable modems as it is, yet they want to add to it by having their own server run a probe... Not that I email many RR customers as it is directly through my mail servers... I also enjoy the ironic humor in the fact my home network is on statically assigned DSL IP space that I hold forward and reverse DNS control for but by their own statements I could not opt out even though it is SWIP'd to me but is a DSL allocation... No worries, the only machines on my network that would send outgoing email are behind a NAT that does port forwarding, so even if they connect back on port 80 from the IP that connects to port 25 on their server, that doesn't mean they're talking back to even the same machine here... In all fairness though, looking at the top 15 source addresses my IDS has picked up lately... 9 of the 15 are from my own provider's space and they don't even react to reports... 90% of the hits are still CodeRed no less...

Jeremy

On Fri, Mar 14, 2003 at 10:27:03PM -0600, Jack Bates wrote:
Sending email to many servers means that your mail server will be probed for open proxies and open relays. It's only seriously taboo when it leaves the actual connecting server to scan the rest of the network. This is why I posted previously about a centralized system so that we can limit these probes. In the case of RoadRunner, it is only inappropriate because RR themselves complain and throw a fit about being probed, and yet they probe others.
-Jack
I only find it humorous that a majority of the network probes against my network come from RoadRunner cable modems as it is, yet they want to add to it by having their own server run a probe...
RR scans their own network far more intrusively than they scan outside mail senders and thwack their own users all the time, only of course nobody hears about that. As I've said elsewhere, most of a network's real mail comes from places that have sent mail before. If you get mail from a host that's never sent you mail before, it is far more likely to be a compromised relay or proxy sending spam than a legit mail server. Of course they test it. Put yourself in their shoes. They have a network with tens, probably hundreds of thousands of users, all with a swell high-speed connection, all under continuous attack by various sorts of malware. Most of the users are running Windows 98 or XP systems which are at least 30 critical security patches (that is to say, more than a month) out of date. Realistically, what would you do?

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
johnl@iecc.com, Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
From: Gunnar Hellekson <gunnar@onepeople.org>
Basically, RoadRunner tried to spam themselves using my server. I mailed abuse@rr.com about this, and received a canned response, enclosed.
Under their logic, I feel entitled to poke and prod their customers, just to make sure they don't spam me. Is that fair? I promise to provide an opt-out if anyone complains.
Oh no, they'll bitch, at great length. This was recently discussed on SPAM-L ( http://peach.ease.lsoft.com/scripts/wa.exe?LIST=SPAM-L ).

Jeff
On Fri, 14 Mar 2003, Jeff Kell wrote:
Basically, RoadRunner tried to spam themselves using my server. I mailed abuse@rr.com about this, and received a canned response, enclosed.
Under their logic, I feel entitled to poke and prod their customers, just to make sure they don't spam me. Is that fair? I promise to provide an opt-out if anyone complains.
Oh no, they'll bitch, at great length. This was recently discussed on SPAM-L ( http://peach.ease.lsoft.com/scripts/wa.exe?LIST=SPAM-L ).
Actually, if you go a few rounds with Mr. Herrick of rr.com, and explain that you want to do the same sort of testing under the same ground rules as security.rr.com, I think you'll find that he will not object. It is quite ironic (perhaps a sign of how bad the problem of spam on the internet has gotten) that rr.com has decided to emulate those that they have attacked in the past. I suspect we've gotten to the point now that there are more open proxies than open relays on the net, and it seems the proxies are more heavily abused.

----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
From: <jlewis@lewis.org>
I suspect we've gotten to the point now that there are more open proxies than open relays on the net, and it seems the proxies are more heavily abused.
Perhaps it is because trojans and worms aren't set up to install open relays but to install open proxies. Proxies also have the advantage of hiding the original sender. I suspect that the next thing we will see is open proxies abused and then all traces wiped out by self-protecting worms.

-Jack
--On Friday, March 14, 2003 09:32:09 PM -0500 William Allen Simpson <wsimpson@greendragon.com> wrote:

<snip>
After sending an email to a friend at a RoadRunner address, I see this in my web access log:
24.30.199.228 - - [13/Mar/2003:15:11:25 -0500] "CONNECT security.rr.com:25 HTTP/1.0" 404 535 "" ""
<snip>

spam-l is over there -->
participants (7)
- Jack Bates
- Jeff Kell
- Jeremy T. Bouse
- jlewis@lewis.org
- John Payne
- johnl@iecc.com
- William Allen Simpson