RE: Stealth Blocking
From: David Schwartz [mailto:davids@webmaster.com] Sent: Wednesday, May 23, 2001 4:18 PM
I'm getting seriously confused here. I thought that the open-relay issue was irrelevant to MAPS.
No.
I hate to be pedantic here, but from your own email and what other sources have told me, this is inaccurate. MAPS does NOT do pre-emptive open-relay testing. I consider this to be a very important distinction. If I thought this was the case, I would stop using MAPS five minutes ago.
That MAPS only black-holed confirmed SPAM sites (a little tougher, but more granular, charter).
Yes, but open relays can easily become confirmed SPAM sites. All that has to happen is one spammer chooses to use that particular open relay.
That is orthogonal to the point.
I hope this qualifies as clarification.
This was actually the type of post that was muddying the waters quite severely. So no, it does not qualify as clarification. From other sources, and what I originally knew to be true, if MAPS blocks an open-relay, it is entirely incidental to the fact that it was a PROVEN spam origination point. Open relays that are NOT used by spammers never make it into MAPS. Ergo, a site's open-relay status is irrelevant to MAPS. I'm only interested in spanking spammers, not innocents, at any clue level. In the PURE war, one ONLY shoots confirmed bad-guys and has ZERO collateral damage.
In the PURE war, one ONLY shoots confirmed bad-guys and has ZERO collateral damage.
So if someone has a machine gun and is firing randomly, you don't act to stop him until he happens to hit someone? That's madness. I don't advocate random scanning, as it is unethical to probe random people for vulnerability. However, once you know there is in fact an open relay, you are entirely justified in blocking it. And if you have legitimate reason to suspect a site is an open relay, you are entirely justified in probing it to see whether or not it is. If your neighbor is aiming a gun at you, you are justified in checking to see if it's loaded. But if the gun is in his safe, you are not justified in breaking in to check it. DS
On Wed, 23 May 2001, Roeland Meyer wrote:
I hate to be pedantic here, but from your own email and what other sources have told me, this is inaccurate. MAPS does NOT do pre-emptive open-relay testing. I consider this to be a very important distinction. If I thought this was the case, I would stop using MAPS five minutes ago.
What's so bad about pre-emptive open-relay scanning? What's the difference between an open-relay found/used by a spammer and added to the RSS and an open-relay found by pre-emptive scanner and added to the RSS? Both sites are likely sources of relay spam. I recently upgraded a busy set of mail servers from using only the DUL to the DUL/RBL/RSS, and the number of messages being rejected/day has gone up about 20x. I still get relay spam and report a handful of open relays to MAPS every day. If there were a list like ORBS run more the way MAPS is run, I'd probably give that a try too. The only complaint I have about MAPS is that recently someone has been making some SWAGs regarding what blocks of our IP space are dial-ups and whoever oversees the DUL has added blocks of non-dial-ups apparently blindly, causing trouble for our customers and support calls to our NOC.
--
----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Jon Lewis wrote:
What's so bad about pre-emptive open-relay scanning? What's the difference between an open-relay found/used by a spammer and added to the RSS and an open-relay found by pre-emptive scanner and added to the RSS? Both sites are likely sources of relay spam.
What's so bad about pre-emptive open-relay scanning is that if you feel that is justified, you pretty much have accepted that anybody who pleases may scan anybody else's network for any weakness he or she would like to probe for. And if someone else probed 40,000 of your hosts each for 500 vulnerabilities, you would have to accept the prober's answer that there's nothing wrong with pre-emptive scanning. After all, if someone else gets root on your system, it's a potential threat to him. I am not happy with that result. The difference between an open-relay found/used by a spammer and a pre-emptive scanner is the difference between attack and defense, the difference between searching everyone and searching only those people who you have reason to believe pose a threat. If somebody attacks your network from a machine, you are (at least in my opinion) perfectly justified in running some scans against the attacking machine to better determine who might be responsible for the attack and what type of attack it's likely to be. However, I certainly do agree that both sites might be likely sources of spam. I say might be because a well-managed relay might appear open to innocent probers and might pose very little threat of being used as a major spam source. This is really the same problem as IP source spoofing -- the problem is so serious that people have felt justified in taking drastic measures that block legitimate traffic. And again, like in IP source spoofing, the complexity of the right fix is such that 'quick fixes' are likely to become de-facto permanent operational changes. DS
Actually, scanning is an important security tool. It is also an important network monitoring tool. Over the years, we've used scanning to determine the density of IP address assignment, in-addr propagation, and other operational issues. Recently, the OpenSSH project has been doing random probes to determine the numbers and versions of SSH, and sequential probes in selected address space to warn operators of vulnerable early versions. In general, scanning should be done regularly. If not by the affected network operator, then by the targets that have been contacted by the affected network. I _do_ accept that a connected Internet means that anybody may scan anybody else's network. In fact, it is a natural consequence. There is nothing wrong with scanning. (The problem with ORBS was not the scanning, but rather the aggressive nature of the scanner, and the belligerence of the operator. Denial of service is a different kettle of fish.) David Schwartz wrote:
Jon Lewis wrote:
What's so bad about pre-emptive open-relay scanning? What's the difference between an open-relay found/used by a spammer and added to the RSS and an open-relay found by pre-emptive scanner and added to the RSS? Both sites are likely sources of relay spam.
What's so bad about pre-emptive open-relay scanning is that if you feel that is justified, you pretty much have accepted that anybody who pleases may scan anybody else's network for any weakness he or she would like to probe for. And if someone else probed 40,000 of your hosts each for 500 vulnerabilities, you would have to accept the prober's answer that there's nothing wrong with pre-emptive scanning. After all, if someone else gets root on your system, it's a potential threat to him. I am not happy with that result.
20% of Internet bandwidth utilization is from scanning ... -- Another made up statistic. ;-) The elephant is getting hurt by the blind men. How do I differentiate a "white hat" scan from a "black hat" scan? I don't mind people like Bill Manning who send out polite notification before scanning my DNS but general network scanning is starting to get excessive. By my count the average random scans come at least 4 times a week. What is the effect of scanning the whole operational address space four times a week? At 08:52 -0400 24-05-2001, William Allen Simpson wrote:
Actually, scanning is an important security tool. It is also an important network monitoring tool.
Over the years, we've used scanning to determine the density of IP address assignment, in-addr propagation, and other operational issues.
Recently, the OpenSSH project has been doing random probes to determine the numbers and versions of SSH, and sequential probes in selected address space to warn operators of vulnerable early versions.
In general, scanning should be done regularly. If not by the affected network operator, then by the targets that have been contacted by the affected network.
I _do_ accept that a connected Internet means that anybody may scan anybody else's network. In fact, it is a natural consequence.
There is nothing wrong with scanning.
(The problem with ORBS was not the scanning, but rather the aggressive nature of the scanner, and the belligerence of the operator. Denial of service is a different kettle of fish.)
David Schwartz wrote:
Jon Lewis wrote:
What's so bad about pre-emptive open-relay scanning? What's the difference between an open-relay found/used by a spammer and added to the RSS and an open-relay found by pre-emptive scanner and added to the RSS? Both sites are likely sources of relay spam.
What's so bad about pre-emptive open-relay scanning is that if you feel that is justified, you pretty much have accepted that anybody who pleases may scan anybody else's network for any weakness he or she would like to probe for. And if someone else probed 40,000 of your hosts each for 500 vulnerabilities, you would have to accept the prober's answer that there's nothing wrong with pre-emptive scanning. After all, if someone else gets root on your system, it's a potential threat to him. I am not happy with that result.
-- Joseph T. Klein +1 414 915 7489 Senior Network Engineer jtk@titania.net Adelphia Business Solutions joseph.klein@adelphiacom.com "... the true value of the Internet is its connectedness ..." -- John W. Stewart III
[ On Thursday, May 24, 2001 at 08:52:07 (-0400), William Allen Simpson wrote: ]
Subject: Scanning (was Re: Stealth Blocking)
(The problem with ORBS was not the scanning, but rather the aggressive nature of the scanner,
ORBS does not scan. Period. If you believe it does then prove it with complete logs that can be verified by looking through the ORBS database. -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
About two years ago the <vijay> promising local ISP </vijay> I worked for saw the number of ORBS-listed hosts within its netspace go from ~400 to over 3,000 in one week. Among the listings was a class C where EVERY HOST, 254 IPs, in the block was listed. Granted, each one was an open relay, but the point is that each IP was individually relay tested. When questioned about this, Alan Brown responded that he had "received an unusually large number of nominations" for hosts in our netspace. Uh huh. Sure. -C On Thu, May 24, 2001 at 02:04:02PM -0400, Greg A. Woods wrote:
[ On Thursday, May 24, 2001 at 08:52:07 (-0400), William Allen Simpson wrote: ]
Subject: Scanning (was Re: Stealth Blocking)
(The problem with ORBS was not the scanning, but rather the aggressive nature of the scanner,
ORBS does not scan. Period.
If you believe it does then prove it with complete logs that can be verified by looking through the ORBS database.
-- Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
-- --------------------------- Christopher A. Woodfield rekoil@semihuman.com PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
[ On Saturday, May 26, 2001 at 10:35:47 (-0400), Christopher A. Woodfield wrote: ]
Subject: Re: Scanning (was Re: Stealth Blocking)
About two years ago the <vijay> promising local ISP </vijay> I worked for saw the number of ORBS-listed hosts within its netspace go from ~400 to over 3,000 in one week.
Hmmmm.... you don't say exactly, but two years ago you were probably seeing the results of manual list entries (perhaps even entered as netblocks). Back then you had to be really smart and look at the value of the A RR returned from a DNS query into the database to be able to tell the difference between a proper ORBS entry and one of the supplemental manual entries. These days it's much more difficult to confuse the mechanical part of ORBS with the ego part.
Among the listings was a class C where EVERY HOST, 254 IPs, in the block was listed. Granted, each one was an open relay, but the point is that each IP was individually relay tested. When questioned about this, Alan Brown responded that he had "received an unusually large number of nominations" for hosts in our netspace. Uh huh. Sure.
Do you have the mailer logs from those hosts? Can you prove that there was no other unauthorised use of them during the time *before* they were tested by ORBS? -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
We also were blocked by automated scanning from ORBS, about two years ago. I haven't ever checked to see whether the block was ever removed, since we made the decision that ORBS was the problem, and blocked ORBS scanning. "Greg A. Woods" wrote:
Do you have the mailer logs from those hosts?
After two years? Certainly not! Ever since the FBI investigation of one of our users, we dispose of the logs in days! They cannot request what we do not keep.
Can you prove that there was no other unauthorised use of them during the time *before* they were tested by ORBS?
How exactly does anyone prove a negative? Nobody could assert that we have ever been technically unaware. We had outside relaying blocked. We had a formal AUP since inception (1994), long before any of the johnny-come-latelies. We also used MAPS as soon as our software supported it. However, the reason ORBS cited at the time was that the server software (Stalker SIMS) allowed the % hack. I dunno why the % hack is a terrible problem -- support was _required_ in the olden days. But, it was obsolete. I believe that Stalker has since removed that feature. In short, methinks you protesteth too much.
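The message above turns on two server-side controls: refusing outside relaying, and whether the MTA still honours the obsolete "% hack" (a recipient written as user%target@relay, which asks the relay to forward onward). The following is an added illustration, not code from the thread or from any MTA named in it; it shows the RCPT TO decision a closed relay makes, in Python, with constructed local domains and an authorized client network (RFC 5737 test addresses) as its policy. Besides the % hack it also rejects the other source-routing forms of the same era (UUCP bang paths and RFC 821 route addresses), since all of them turn a server into a relay for destinations its recipient domain does not name.

```python
import ipaddress
from typing import List, Tuple

# Constructed policy for one hypothetical MX. A real server would read these
# from its configuration.
LOCAL_DOMAINS = {"example.net", "mail.example.net"}
AUTHORIZED_NETS: List[ipaddress.IPv4Network] = [ipaddress.ip_network("192.0.2.0/24")]


def is_source_routed(address: str) -> bool:
    """True if the address uses an obsolete source-routing form.

    Forms covered: the '%' hack (user%target@relay), UUCP bang paths
    (host!user@relay) and RFC 821 route addresses (@relay:user@target).
    Each asks this server to forward the message somewhere other than the
    domain after the final '@'. Quoted local parts are not special-cased;
    a '%' or '!' inside quotes is treated as routing too, which errs on
    the side of refusing.
    """
    local_part, sep, _domain = address.rpartition("@")
    if not sep:
        return False
    return address.startswith("@") or "%" in local_part or "!" in local_part


def relay_decision(client_ip: str, rcpt_to: str) -> Tuple[int, str]:
    """Return the SMTP (code, text) reply for one RCPT TO command.

    Order matters: source-routed forms are refused before any relay check,
    otherwise a local-looking relay domain would let them through.
    """
    rcpt = rcpt_to.strip().strip("<>")
    if is_source_routed(rcpt):
        return 550, "Source-routed addresses are not accepted"
    _local, sep, domain = rcpt.rpartition("@")
    if not sep or not domain:
        return 501, "Syntax error in recipient address"
    if domain.lower() in LOCAL_DOMAINS:
        return 250, "Recipient OK"  # delivery to us, never relaying
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in AUTHORIZED_NETS):
        return 250, "Relay OK for authorized client"
    return 550, "Relaying denied"  # outside client, outside recipient


if __name__ == "__main__":
    for ip, rcpt in [("203.0.113.9", "<victim%target.example@example.net>"),
                     ("203.0.113.9", "<user@example.net>"),
                     ("203.0.113.9", "<user@elsewhere.example>"),
                     ("192.0.2.7", "<user@elsewhere.example>")]:
        print(ip, rcpt, "->", relay_decision(ip, rcpt))
```

The "cheap MX that does nothing but take mail from a given POP" mentioned later in the thread is the same decision with the authorized-network list set to that POP's address space and LOCAL_DOMAINS left empty.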
William Allen Simpson wrote:
In short, methinks you protesteth too much.
As a quick update, I'll point out that two years ago, ORBS may have been called IMRSS and/or Dorkslayers, a distinction without a difference. I just received proof positive that Greg is an ORBS supporter, just in case the trolls were not recognized as such. He won't accept email (from my SO's home).... Yet, last time I checked, Earthlink didn't allow outside relaying -- and I cannot send SMTP thru Earthlink to my own ISP, as port 25 appears to be blocked.
----- The following addresses had permanent fatal errors -----
<woods@weird.com>
----- Transcript of session follows -----
... while talking to mail.weird.com.:
HELO ostrich.mail.pas.earthlink.net
<<< 550-You are not permitted to send mail from ostrich.mail.pas.earthlink.net[207.217.120.14].
<<< 550-All SMTP connections have been blocked from that address
<<< 550-because it matches the RBL (Realtime/Reverse Blocking List):
<<< 550-
<<< 550- 14.120.217.207.spamsource-netblocks.orbs.org A 127.0.0.8
<<< 550-
<<< 550-Please note the following important additional information:
<<< 550-
<<< 550- Earthlink/Mindspring. Prolific spam source. No sign of action against spammers in recent months.
[ On Saturday, May 26, 2001 at 22:46:08 (-0400), William Allen Simpson wrote: ]
Subject: Re: Scanning (was Re: Stealth Blocking)
As a quick update, I'll point out that two years ago, ORBS may have been called IMRSS and/or Dorkslayers, a distinction without a difference.
You should check your facts before you display such ignorance.... (ORBS is a replacement for what dorkslayers was, but ORBS is not, and was never, IMRSS) The new dorkslayers.com is under new management. To quote: dorkslayers is almost, but not quite, entirely unlike ORBS
I just received proof positive that Greg is an ORBS supporter
Of course! How could you conclude otherwise? :-) Note that my *home* server uses not just the mechanically verified relays list offered by ORBS, but also the adjunct lists offered under the orbs.org domain, such as this one:
14.120.217.207.spamsource-netblocks.orbs.org A 127.0.0.8
So far both the true mechanically verified ORBS list, as well as the adjunct lists like that one, have done me far more good than not. I really do want to modify the behaviour of those running open relays. I also wish to avoid knowingly being a participant in any theft of service or act of fraud. -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
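The record quoted above (14.120.217.207.spamsource-netblocks.orbs.org A 127.0.0.8) is what a DNS-based blocking list lookup looks like: the client's IPv4 octets reversed, the list zone appended, and an A record in 127.0.0.0/8 meaning "listed", with the last octet a reason code whose meaning is private to that zone. The following is an added example, not code from this thread or from any list operator in it, showing how a receiving MTA would consult several such zones and keep a local whitelist ahead of them (a later message in the thread mentions keeping one). The zone names are placeholders, and the lookup table standing in for DNS is constructed so that the example runs offline; a real server would issue the query through its resolver instead.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for DNS: query name -> A record. Zone names are
# placeholders for a mechanically verified relay list and an adjunct,
# manually maintained netblock list, not the real zones.
FAKE_DNS: Dict[str, str] = {
    # The listing quoted in the thread, re-homed under a placeholder zone.
    "14.120.217.207.spamsource-netblocks.example": "127.0.0.8",
    # A constructed open-relay listing for an RFC 5737 test address.
    "5.2.0.192.relays.example": "127.0.0.2",
}
ZONES: List[str] = ["relays.example", "spamsource-netblocks.example"]
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: IPv4 octets reversed, then the zone appended."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything but a v4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def listings(ip: str,
             resolve: Callable[[str], Optional[str]] = FAKE_DNS.get) -> List[Tuple[str, str]]:
    """Return (zone, answer) for every zone listing the address.

    Only answers inside 127.0.0.0/8 count as listings; the last octet is the
    zone's own reason code and is reported, not interpreted, because its
    meaning differs from list to list.
    """
    found: List[Tuple[str, str]] = []
    for zone in ZONES:
        answer = resolve(dnsbl_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in LISTED_RANGE:
            found.append((zone, answer))
    return found


def smtp_verdict(ip: str, whitelist: Iterable[str] = (),
                 resolve: Callable[[str], Optional[str]] = FAKE_DNS.get) -> Tuple[int, str]:
    """Decide the greeting reply for a connecting client.

    The local whitelist is consulted first so that a trusted MX which happens
    to sit inside a listed netblock is never refused.
    """
    if ip in set(whitelist):
        return 220, "Whitelisted client, blocking-list checks skipped"
    hits = listings(ip, resolve)
    if not hits:
        return 220, "Client not listed"
    detail = "; ".join(f"{dnsbl_name(ip, zone)} A {answer}" for zone, answer in hits)
    return 550, f"Connections from {ip} are refused: matches blocking list ({detail})"


if __name__ == "__main__":
    for client in ["207.217.120.14", "192.0.2.5", "198.51.100.1"]:
        print(client, "->", smtp_verdict(client, whitelist=["192.0.2.5"]))
```

Keeping the zones in a list makes it explicit which lists a site has chosen to trust; the mechanically verified list and the judgment-based adjunct lists discussed in this thread carry different error profiles, and a site can drop one without touching the lookup code.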
"Greg A. Woods" wrote:
[ On Saturday, May 26, 2001 at 22:46:08 (-0400), William Allen Simpson wrote: ]
As a quick update, I'll point out that two years ago, ORBS may have been called IMRSS and/or Dorkslayers, a distinction without a difference.
You should check your facts before you display such ignorance....
And I love you too.... IIRC, investigation some time ago uncovered that these various services originated from and used the same databases.
(ORBS is a replacement for what dorkslayers was, but ORBS is not, and was never, IMRSS)
One or more of them did automated scanning, with considerable false positives. Hard to remember the details after all this time. They were all associated with the same belligerent operator. It has already been noted that ORBS explicitly advocated scanning, at one time or another, based on its own web pages.
The new dorkslayers.com is under new management. To quote:
dorkslayers is almost, but not quite, entirely unlike ORBS
As I opined, a distinction without a difference. Renaming them doesn't remove the smell. Oh well, someday we should go through the routers and figure out which ACLs were for which miscreant. I'm sure we still have them for old viral updaters, etc. The problem with those "temporary" blocks is that they are so permanent.... and we never know when it's safe to remove. Greg, I'm sure you've done good things in the past. CVS comes to mind? (assuming my memory is not entirely failing.) But, ORBS remains indefensible. I've long known and argued with Paul Vixie and Dave Rand in person many times, and they are competent and capable, even when in disagreement. The MAPS leads to far fewer mistakes -- does not block non-relaying servers just because they don't think the network has sufficient "action against spammers in recent months." That's entirely judgmental, not operational. It all comes down to trust and reliability. I trust MAPS. We've been falsely accused by ORBS, without any evidence of spamming. ORBS blocks for political reasons, rather than technical. 'nough said, for now.
[ On Sunday, May 27, 2001 at 00:17:29 (-0400), William Allen Simpson wrote: ]
Subject: Re: Scanning (was Re: Stealth Blocking)
And I love you too.... IIRC, investigation some time ago uncovered that these various services originated from and used the same databases.
The facts are not that hard to see from the current information available on their respective web pages -- if you care to look; and can be corroborated with other documentation easily found online with the assistance of Google, etc.
One or more of them did automated scanning, with considerable false positives. Hard to remember the details after all this time. They were all associated with the same belligerent operator.
IMRSS certainly did very systematic scanning for open relays. However I don't see how it could have detected any false positives since it was actually collecting relayed messages -- a relayed message sent from a more or less arbitrary host out there on the internet almost certainly indicates that the tested host is an open relay, no? There's only one possible exception I can think of, and if memory serves me correctly that particular exception could only have accounted for one or two of the hundreds of thousands of open relays IMRSS found. That exception being of course that it detected its own upstream relay(s) which would perhaps have explicitly authorised it to relay a message.
Greg, I'm sure you've done good things in the past. CVS comes to mind? (assuming my memory is not entirely failing.)
(I've not done much but debate about CVS lately -- though I still maintain Smail-3 and I contribute to *BSD and other minor things.)
But, ORBS remains indefensible.
It would seem that I have no problems either defending it, or using it. Whether I'm successful in the latter endeavour is only for me to decide. Whether I'm successful in the former endeavour is a larger question.
The MAPS leads to far fewer mistakes -- does not block non-relaying servers just because they don't think the network has sufficient "action against spammers in recent months." That's entirely judgmental, not operational.
The mechanically verified part of ORBS cannot, by definition, lead to any
It all comes down to trust and reliability. I trust MAPS.
I implicitly trust both MAPS and ORBS -- at least with my ability to receive e-mail! ;-) In fact I trust the mechanically verified primary ORBS list far more than any other related and manually maintained service. By now the software maintaining that list has been extremely well tested and will most certainly never make anywhere near as many mistakes as even the most careful human.
We've been falsely accused by ORBS,
Which list were you on again? Wasn't it the manual netblocks list?
without any evidence of spamming.
Please do not forget that ORBS goal is not to detect or prevent spamming per se. Its full name should make this clear: Open Relay Behaviour-modification System. Any open relay is a bad thing regardless of whether it has yet been abused by a spammer (because it will undoubtedly be abused unless it is closed first). I don't block e-mail from ORBS-listed hosts (just) because it might be spam. I block it because I do not wish to knowingly be a party to any acts of theft of service or fraud. If the received headers were part of the SMTP envelope then it might be possible to be more discerning about which messages to reject from an open relay, but with our current protocol that is not possible and so I must simply block all e-mail from any known open relay.
ORBS blocks for political reasons, rather than technical.
I guess I can't really disagree with that, though I will point out that I am using ORBS as a deterrent against such acts of theft of service and fraud and thus it is in fact what's known as a "technical control".
'nough said, for now.
or that.... :-) -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
Date: Sun, 27 May 2001 02:02:24 -0400 (EDT) From: Greg A. Woods <woods@weird.com>
But, ORBS remains indefensible.
It would seem that I have no problems either defending it, or using it.
ORBS catches far more than MAPS. My take is that anybody who has a problem with the infrequent ORBS probes should have a huge problem with the daily bombardment of relay attempts.
Besides, whoever said that one must use ORBS "out of the box"? I maintain a whitelist of IP addresses to override ORBS. As much as I'd like to see Earthlink get a clue, MSN close their relays (have they yet?), and RoadRunner cooperate, I allow their MXes through when I find them.
Modern spammers have gotten nasty. They use hundreds of different relays, each time changing the source address:
a57e6s@t8iji7.somedomain.tld
in46hi@diief4.anotherdomain.tld
xkm8ey@ithi62.yetanotherdomain.tld
with * DNS so that all subdomains resolve, and the subject:
I have no respect for netiquette!!!!! [i35ed7]
I have no respect for netiquette!!!!! [ed8ooe]
I have no respect for netiquette!!!!! [h8qi2h]
so as to throw off MXes that look for the same message again and again. I suppose that scanning the body and looking for repetition is possible, but it's only a matter of time until _that_ gets perturbed in 100 different fashions.
Bottom line: Blocking mail from rogue servers is the best way to stop spam and to not be a party to somebody else getting relay-raped. Anyone with clue closed relays how many years ago? I don't buy the "we need open relay for nationwide users" argument, either. Build a cheap MX that does nothing but take mail from a given POP, and send it to the world. Anti-spoofing at the border, don't accept mail from the outside world, and you're done.
Eddy
---------------------------------------------------------------------------
Brotsman & Dreger, Inc. EverQuick Internet Division Phone: (316) 794-8922
---------------------------------------------------------------------------
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT) From: A Trap <blacklist@brics.com> To: blacklist@brics.com Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
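The message above describes why naive duplicate detection fails: each copy carries a fresh randomized sender and a random tag appended to the subject, so an MX comparing subjects or exact bodies never sees the "same message again". The following is an added example, not code from the thread, of the body-repetition check the author says is possible: it canonicalizes the subject (dropping the trailing bracketed tag) and the body (lowercase, letters only, short tokens dropped so that one-off codes fall away) before hashing, then counts occurrences. The sample messages are constructed, reusing the sender and subject patterns quoted in the message; the threshold and the normalization rules are assumptions, and the author's caveat stands: a sender who perturbs the body more deeply will defeat a fixed rule set, so this is a complement to relay blocking, not a replacement.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample: the same pitch through three relays with randomized
# sender, subject tag and one-off "offer code", plus one legitimate message.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"from": "a57e6s@t8iji7.somedomain.tld",
     "subject": "I have no respect for netiquette!!!!! [i35ed7]",
     "body": "Buy now!  Offer code  XK92\nVisit our site today."},
    {"from": "in46hi@diief4.anotherdomain.tld",
     "subject": "I have no respect for netiquette!!!!! [ed8ooe]",
     "body": "Buy now! Offer code QQ17\n\nVisit our site today."},
    {"from": "xkm8ey@ithi62.yetanotherdomain.tld",
     "subject": "I have no respect for netiquette!!!!! [h8qi2h]",
     "body": "BUY NOW! Offer code ZZ01 Visit our site today."},
    {"from": "colleague@example.org",
     "subject": "Re: meeting notes",
     "body": "Attached are the notes from Thursday."},
]

# A short alphanumeric token in square brackets at the end of the subject.
TRAILING_TAG = re.compile(r"\s*\[[0-9a-z]{4,8}\]\s*$", re.IGNORECASE)
# After lowercasing, everything that is not a letter or space is noise.
NON_LETTERS = re.compile(r"[^a-z ]+")


def normalize_subject(subject: str) -> str:
    """Drop the trailing random tag, then fold case and whitespace."""
    return " ".join(TRAILING_TAG.sub("", subject).lower().split())


def normalize_body(body: str, min_len: int = 3) -> str:
    """Keep only lowercase words of at least min_len letters.

    Digits, punctuation and newlines become separators, so a one-off code
    such as 'XK92' shrinks to 'xk' and is discarded along with other
    fragments shorter than min_len.
    """
    letters_only = NON_LETTERS.sub(" ", body.lower())
    return " ".join(w for w in letters_only.split() if len(w) >= min_len)


def fingerprint(msg: Dict[str, str]) -> str:
    """Hash of the canonical subject and body; the sender is ignored on purpose."""
    canonical = normalize_subject(msg["subject"]) + "\n" + normalize_body(msg["body"])
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class RepeatDetector:
    """Counts fingerprints; a message is a repeat once its count reaches threshold."""

    def __init__(self, threshold: int = 2) -> None:
        self.threshold = threshold
        self.seen: Dict[str, int] = {}

    def observe(self, msg: Dict[str, str]) -> bool:
        fp = fingerprint(msg)
        self.seen[fp] = self.seen.get(fp, 0) + 1
        return self.seen[fp] >= self.threshold


def classify(messages: List[Dict[str, str]]) -> List[bool]:
    """Run the detector over a message sequence; True marks a repeat."""
    detector = RepeatDetector()
    return [detector.observe(m) for m in messages]


if __name__ == "__main__":
    for msg, repeat in zip(SAMPLE_MESSAGES, classify(SAMPLE_MESSAGES)):
        print("REPEAT " if repeat else "first  ", msg["from"], "|", msg["subject"])
```

The first copy of any message always passes, which is the price of a purely reactive check; the counter would need an expiry in a long-running MX so that memory does not grow without bound.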
On 05/27/01, "E.B. Dreger" <eddy+public+spam@noc.everquick.net> wrote:
ORBS catches far more than MAPS.
Now now, this is a technical list, so let's deal in technical realities for a moment: using the ORBS lists to block e-mail will cause more messages to be denied than using the various MAPS lists in the same way. I think everyone can agree on that bit of data, yes? -- J.D. Falk SILENCE IS FOO! <jdfalk@cybernothing.org>
William Allen Simpson wrote:
As a quick update, I'll point out that two years ago, ORBS may have been called IMRSS and/or Dorkslayers, a distinction without a difference.
IMRSS was run by Ron Guilmette out in California. ORBS used to be Dorkslayers and is operated by Alan Brown.
I just received proof positive that Greg is an ORBS supporter, just in case the trolls were not recognized as such. He won't accept email (from my SO's home).... Yet, last time I checked, Earthlink didn't allow outside relaying -- and I cannot send SMTP thru Earthlink to my own ISP, as port 25 appears to be blocked.
(finally) but Earthlink has had a lot of problems in the past. Earthlink USED to be a huge spam sewer (yes, I meant sewer, not spewer :) So any blacklistings are probably in place for historical reasons. You could argue that the lists should be modified if the spam sources are no longer spam sources, and I would agree with you, but that isn't under Greg's direct control. -- Tired of Earthlink? Get JustTheNet! Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more. EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free More info coming soon to http://JustThe.net, or e-mail me! B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER
On Sat, May 26, 2001 at 12:41:16PM -0400, Greg A. Woods wrote:
[ On Saturday, May 26, 2001 at 10:35:47 (-0400), Christopher A. Woodfield wrote: ]
Subject: Re: Scanning (was Re: Stealth Blocking)
About two years ago the <vijay> promising local ISP </vijay> I worked for saw the number of ORBS-listed hosts within its netspace go from ~400 to over 3,000 in one week.
Hmmmm.... you don't say exactly, but two years ago you were probably seeing the results of manual list entries (perhaps even entered as netblocks). Back then you had to be really smart and look at the value of the A RR returned from a DNS query into the database to be able to tell the difference between a proper ORBS entry and one of the supplemental manual entries. These days it's much more difficult to confuse the mechanical part of ORBS with the ego part.
Nah, there was a relay test on the ORBS site for each IP...it was a customer who had put all 254 usable IPs in one of his blocks on a few similarly misconfigured servers. Each IP was tested and listed by ORBS. There were other patterns in the listings, as well as logged relay tests on non-open relays, that suggested wholesale scanning, but the one quoted was the most egregious. We had one other large web-hosting customer that had accounted for about 500 of the listings tell us later that they proactively scanned their network after the fact and found that ORBS had caught /every/ open relay in their netspace. How you manage to do that without wholesale scanning, you tell me.
Among the listings was a class C where EVERY HOST, 254 IPs, in the block was listed. Granted, each one was an open relay, but the point is that each IP was individually relay tested. When questioned about this, Alan Brown responded that he had "received an unusually large number of nominations" for hosts in our netspace. Uh huh. Sure.
Do you have the mailer logs from those hosts?
Can you prove that there was no other unauthorised use of them during the time *before* they were tested by ORBS?
I don't have logs, as these were not our servers, but our customers', nor can I prove that none of them had been abused, although we had a pretty good record of shutting down the open relays that we got wind of via ORBS' weekly reports and our own abuse mailbox. -C
-- Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
-- --------------------------- Christopher A. Woodfield rekoil@semihuman.com PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
At 10:35 AM 5/26/01 -0400, Christopher A. Woodfield wrote:
About two years ago the <vijay> promising local ISP </vijay> I worked for saw the number of ORBS-listed hosts within its netspace go from ~400 to over 3,000 in one week. Among the listings was a class C where EVERY HOST, 254 IPs, in the block was listed. Granted, each one was an open relay, but the point is that each IP was individually relay tested. When questioned about this, Alan Brown responded that he had "received an unusually large number of nominations" for hosts in our netspace. Uh huh. Sure.
I really shouldn't contribute to this off-topic thread but I'm not very good at resisting temptation. Anyone who claims that ORBS doesn't scan is using an extremely narrow definition of the word scanning. If you take a list of hundreds of IP addresses, and relay-test every IP on that list, is that scanning? ORBS supporters claim that it is not. Don't take my word for it, ask one. Try something like "Didn't Alan Brown admit on SPAM-L back in 99 that he will take a list of hundreds of addresses which is submitted by one of his supporters and relay-test every IP on it, without any evidence that any address on the list has ever delivered spam?"
On Thu, 24 May 2001, David Schwartz wrote:
What's so bad about pre-emptive open-relay scanning is that if you feel that is justified, you pretty much have accepted that anybody who pleases may scan anybody else's network for any weakness he or she would like to probe for.
Whether you like / agree with it or not, this is happening and you can't stop it. Even back in the very early 90's you pretty much couldn't put a system on an internet connected network without people probing it, attempting to log into it, etc. There's a big difference between open-relay testing and port scanning / vulnerability probing. Saying that the former will lead to more of the latter is silly with current levels of the latter we already have. I've seen new systems hacked within 24h of being put on the net on a previously unused IP. Any argument that open-relay scanning will lead to more vulnerability scanning is just silly.
--
----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
What's so bad about pre-emptive open-relay scanning is that if you feel that is justified, you pretty much have accepted that anybody who pleases may scan anybody else's network for any weakness he or she would like to probe for.
Whether you like / agree with it or not, this is happening and you can't stop it. Even back in the very early 90's you pretty much couldn't put a system on an internet connected network without people probing it, attempting to log into it, etc.
There's a big difference between open-relay testing and port scanning / vulnerability probing. Saying that the former will lead to more of the latter is silly with current levels of the latter we already have. I've seen new systems hacked within 24h of being put on the net on a previously unused IP. Any argument that open-relay scanning will lead to more vulnerability scanning is just silly.
No, this is a totally valid argument. The reason is that the process of scanning for vulnerabilities is not in any shape or form different from scanning for open-relays. Please explain to me who you are to determine what is a "right" and what is a "wrong" reason? Thanks, Alex
participants (13): Albert Meyer, alex@yuriev.com, Christopher A. Woodfield, David Schwartz, E.B. Dreger, J.D. Falk, jlewis@lewis.org, Joseph T. Klein, Randy Bush, Roeland Meyer, Steve Sobol, William Allen Simpson, woods@weird.com