[ISN] Moderators note: Wh00ps!!!

From: InfoSec News (isnat_private)
Date: Fri Mar 14 2003 - 23:22:25 PST

  • Next message: InfoSec News: "[ISN] Linux Advisory Watch - March 14th 2003"

    For only the second time since taking over the list, I accidently sent
    something off that I shouldn't have - I'm in the middle of trying to a
    resolve a week long spam/virus problem with a provider that has been
    falling on deaf ears.
    Thankfully, there was *NO* virus payload in that message.
    In a related note, Declan McCullagh's Politech list has an interesting 
    note about this same provider...
    Thank you for your understanding,
    William Knowles
    ---------- Forwarded message ----------
    Date: Fri, 14 Mar 2003 15:25:46 -0500
    From: Declan McCullagh <declanat_private>
    To: politechat_private
    Subject: FC: Email a RoadRunner address, get scanned by their security system
    Date: Fri, 14 Mar 2003 15:22:24 -0500
    Subject: RoadRunner Automated Portscans
    From: Gunnar Hellekson <gunnarat_private>
    To: declanat_private
    After sending an email to a friend at a RoadRunner address, I see this in 
    my web access log: - - [13/Mar/2003:15:11:25 -0500] "CONNECT security.rr.com:25 
    HTTP/1.0" 404 535 "" ""
    Basically, RoadRunner tried to spam themselves using my server.  I mailed 
    abuseat_private about this, and received a canned response, enclosed.  It's a 
    humble response, but woefully inadequate.  Have anti-spam measures come to 
    this?  This seems like an ill-considered compromise between privacy and 
    anti-spam efforts.  A blunt instrument that betrays less-than-careful 
    thinking.  The opt-out option, which was revealed only after my complaint, 
    is even more obnoxious.
    Under their logic, I feel entitled to poke and prod their customers, just 
    to make sure they don't spam me.  Is that fair?  I promise to provide an 
    opt-out if anyone complains.
    I'm curious whether this preemptive measure is effective at all.
    >From: "Road Runner Security \[DSR\]" <abuseat_private>
    >Date: Fri Mar 14, 2003  2:05:12 PM America/New_York
    >Subject: Re: Port scans?
    >The securityscan.sec.rr.com machine is a Road Runner Security resource that
    >is used as a tool to assist us in determining if machines being used to
    >send us mail may be abused from outside sources, allowing them to be used
    >to spam our customers and role accounts. We fully understand your concerns
    >surrounding the probing of your machine. This issue has been raised
    >internally and we hope this email helps you better understand our process.
    >The intention of this process is truly not meant to be a "big brother"
    >system, but we understand that some may view it as such. Our ultimate goal,
    >however, is to protect our network, our customers, and our role accounts.
    >Road Runner has begin the REACTIVE testing of IP addresses which connect 
    >to its inbound SMTP gateways. If your machine connects to ours to send 
    >email, we reserve the absolute right to perform SMTP relay and open proxy 
    >server tests upon the connecting IP address to ensure that the machine at 
    >that IP address cannot be abused for malicious > purposes.
    >These scans are done once per week per IP, via an automated process, and 
    >only on those servers that have sent our subscriber base mail. The only 
    >way for these tests to occur is if an IP address connects to our inbound 
    >SMTP gateway. If found to be an open proxy or smtp relay, the IP address 
    >will be blocked at our mail gateway borders with one of the following 
    >error messages:
    >ERROR:5.7.1:550 Mail Refused - See 
    >ERROR:5.7.1:550 Mail Refused - See 
    >We understand that some entities may not wish to be scanned as part of this
    >automated process. If you do not wish to be tested by Road Runner, there
    >are two ways to accomplish this:
    >1. Send an e-mail to 'donottestat_private' with the IP address that
    >you do not wish to be tested. Please note that if you are not the
    >designated contact for your IP address range (for example, if you are on a
    >cable modem, DSL, or dialup range), we will be unable to fulfill your
    >request for addition or removal.
    >2. Do not connect to our inbound SMTP servers. Again, this test is only
    >conducted on servers that connect to our servers.
    >If you have any further questions, you can visit http://security.rr.com or
    >contact Road Runner Security via e-mail at 'spamblockat_private'
    >Road Runner Security
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Sat Mar 15 2003 - 01:09:54 PST