Re: [Fwd: FC: Email a RoadRunner address, get scanned by their

I got the following personal message from Mark Herrick of rr.com (which I'm passing along with his permission/request). I hope (and I think he hopes) that by passing it along, some questions can be answered and misunderstandings explained.

In an additional message, he answered my question of "how does rr.com security define 'network owner'?" with the following URL.

http://security.rr.com/subdelegation.htm

So as long as space is swipped or documented in a publicly accessible rwhois server, if you're a contact for the IP block, you should be accepted as the 'network owner'.

BTW...for the time being, rr.com has stopped SMTP relay testing and is focusing entirely on finding and blocking mail from open proxies that have been used to spam their customers.

---------- Forwarded message ----------
Date: Sun, 16 Mar 2003 12:56:30 -0500
From: "W. Mark Herrick, Jr." <markh@va.rr.com>
To: jlewis@lewis.org
Subject: Re: Your NANOG post

Hi Jon,

I was pointed to the thread on NANOG through another person, and I saw your post on the Merit website (below).

As I'm not subscribed to NANOG, and unfortunately I am prohibited (from a time resource standpoint, not administratively) from subscribing to that list at this time, but I thought that I'd comment on your post specifically, since it touched on more than one area. If you are so inclined, feel free to pass this along to NANOG, with my regards.

So, just to set one ground rule here - we're talking about proxy and relay testing, not full-out penetration testing. With that in mind...

To directly answer your first paragraph, you are absolutely correct - we have absolutely NO objection to open proxy or relay scanning of IP addresses from a system that either:

1. Has spam in hand (a la MAPS RSS).
2. Has received a direct connection from our subscriber IP address or SMTP server (a la AOL, Outblaze).

That being said, we have, and will continue to have, a severe issue with so-called 'scanning services', that *proactively* scan IP addresses (e.g., DSBL), or services that accept requests from anywhere to perform 'on-demand' scans (e.g., hatcheck.org) without first requiring (and keeping on hand) proof (e.g., spam-in-hand) that the IP address is a source of spam, open to third party relay, or has an open proxy service.

At no time has Road Runner performed any PROACTIVE scanning on any IP address that does not belong to Road Runner. Furthermore, we perform no REACTIVE scanning unless it meets one of the above criteria, and in addition, regardless of whether or not there has EVER been an issue with the network, we will not REACTIVELY scan ANY IP address when there is a request from the *network owner* that we do not do so. We have no wish to be abusive, and as such, we limit scans of an IP to one per week.

This is all clearly explained at http://security.rr.com.

You brought up another issue, which I *think* may be pointing to an argument that I had with Ron Guilmette some time ago, when his service was performing relay scans on our IP space or some such. I am fairly certain that this argument took place because I viewed Ron's scans to be proactive in nature. Our stance on proactive scanning has not changed in the 5 years that I have been with Road Runner.

Anyways, as far as your last statement - since the inception of our scanning initiative (1st week in January), we have identified over 50,000 open proxy servers. The problem is big, it's only getting bigger, and it's not going to go away, unfortunately.

Best,
Mark Herrick
Director - Operations Security
Road Runner

jlewis@lewis.org wrote:
---------- Forwarded message ----------
Date: Sun, 16 Mar 2003 12:56:30 -0500
From: "W. Mark Herrick, Jr." <markh@va.rr.com>
To: jlewis@lewis.org
Subject: Re: Your NANOG post

That being said, we have, and will continue to have, a severe issue with so-called 'scanning services', that *proactively* scan IP addresses (e.g., DSBL), or services that accept requests from anywhere to perform 'on-demand' scans (e.g., hatcheck.org) without first requiring (and keeping on hand) proof (e.g., spam-in-hand) that the IP address is a source of spam, open to third party relay, or has an open proxy service.

In other words, it's okay for an ISP to scan systems so long as they receive a connection from the system without spam on hand. However, it is not okay for a 3rd party to do the same scan, despite the fact that using a 3rd party limits the number of scans performed by aggregating the results.

Considering how much we complain about route aggregation, I'd think scan aggregation would have a higher interest. FireDaemon is becoming pretty popular after all.

--
-Jack

participants (2): Jack Bates, jlewis@lewis.org