I'm looking for some opinions. Recently, an ISP had been relentlessly port scanning our network. So, I sent them the logs and asked their admins to look into it. I figured one of the weekend admins might be playing 31337 hax0r wannabe.

They responded with the following justification (see below). I've X'ed out the company's name and I will not reveal that name publicly (I don't want them suing me!).

But, this response is more than a little annoying. Basically, they are saying that because our mail server sent a message to one of their users, they can port scan the hell out of us. Now, I suspect they might have been alerted to us since we've been getting spammed a lot lately. But, those spams are coming from their network, not ours. Our mail server was just bouncing the spams.

A simple scan wouldn't bother me, but they have been relentlessly pounding us with port scans. I blocked their IP address - so their scans are essentially useless now. But still, does this strike anybody as a little annoying?

Here's the mail....

> Dear Andrew,
>
> Open SMTP relays and insecure proxy servers are a serious issue on the
> Internet today. Spammers routinely scan the Internet, searching for
> open relays and proxies, looking for open servers that allow them to
> spew their spam. The onslaught of such spam has led some providers to
> take additional steps to protect their networks from this problem.
>
> Accordingly, XXXXXX has begun testing of IP addresses which connect
> to its inbound SMTP gateways. If your server connects to ours, we
> reserve the absolute right to perform SMTP relay and open proxy server
> tests upon the connecting IP address, to ensure that the machine at
> that IP address cannot be abused for malicious purposes.
>
> These scans are done only on those servers that have sent our
> subscriber base mail. The only way for these tests to occur is if an IP
> address connects to our inbound SMTP gateway.
>
> XXXXXXXXXXX currently scans the following TCP ports for services that may
> allow OTHER persons to access your systems and perform deeds that are
> detrimental to the XXXXXXXXXX network, such as spamming, or attacking
> other Internet users: 23, 25, 80, 81, 85, 1075, 1080, 1180,
> 1181, 1182, 1282, 3128, 4480, 5490, 6588, 7033, 8000, 8080, 8081, 8085,
> 8090, 8095, 8100, 8105, 8110, and 8888
>
> XXXXXXXXXXX in NO way attempts to circumvent your security or access the
> contents of your personal computer. We are not interested in its
> contents, nor what you do while you access the Internet.
>
> If you have further questions or problems, please contact us.

So what do you think? Good practice or invasion?

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
Enterprise Security & Infrastructure Solutions

503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
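
The quoted mail states two limits: only the listed TCP ports are probed, and only after the scanned address has connected to the ISP's inbound SMTP gateway. One way to check both against your own firewall logs is sketched here as an added example, not part of the original post; the log format, the documentation-range IP addresses, the one-hour window and the function name `audit` are assumptions.

```python
import re

# Ports the ISP's message says it probes (copied from the quoted mail).
STATED_PORTS = {23, 25, 80, 81, 85, 1075, 1080, 1180, 1181, 1182, 1282, 3128,
                4480, 5490, 6588, 7033, 8000, 8080, 8081, 8085, 8090, 8095,
                8100, 8105, 8110, 8888}

# Assumed log format: "<epoch> <IN|OUT> <src_ip> <dst_ip> <dst_port>"
LINE = re.compile(r"^(\d+) (IN|OUT) (\S+) (\S+) (\d+)$")

# Constructed sample: 192.0.2.10 is our mail server, 198.51.100.x is the ISP.
ISP_IPS = {"198.51.100.5", "198.51.100.77"}
SAMPLE_LOG = """\
1000 OUT 192.0.2.10 198.51.100.5 25
1030 IN 198.51.100.77 192.0.2.10 25
1031 IN 198.51.100.77 192.0.2.10 1080
1032 IN 198.51.100.77 192.0.2.10 3128
9000 IN 198.51.100.77 192.0.2.10 8080
9001 IN 198.51.100.77 192.0.2.10 22
"""

def audit(lines, isp_ips, window=3600):
    """Compare inbound probes from isp_ips with the two stated limits."""
    records = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # lines that do not parse are skipped
            ts, direction, src, dst, port = m.groups()
            records.append((int(ts), direction, src, dst, int(port)))
    records.sort()  # process in time order
    last_smtp_out = None  # time of our latest SMTP connection to the ISP
    ports, unsolicited, total = set(), 0, 0
    for ts, direction, src, dst, port in records:
        if direction == "OUT" and dst in isp_ips and port == 25:
            last_smtp_out = ts
        elif direction == "IN" and src in isp_ips:
            total += 1
            ports.add(port)
            # A probe with no recent outbound SMTP falls outside the stated trigger.
            if last_smtp_out is None or ts - last_smtp_out > window:
                unsolicited += 1
    return {"stated": sorted(ports & STATED_PORTS),
            "unstated": sorted(ports - STATED_PORTS),
            "unsolicited": unsolicited, "total": total}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG.splitlines(), ISP_IPS))
```

A non-empty `unstated` list or a high `unsolicited` count is the evidence to attach when replying to the ISP's abuse desk.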
This archive was generated by hypermail 2b30 : Wed May 28 2003 - 14:08:00 PDT