The way I see it, the justification they listed might excuse occassional
port scans, but not continuous scans. After all, how often do they think
you reconfigure your servers? I would find it annoying, at the very least.
Rob Jacobsen
Operator / Network Technician
Cowlitz Water Pollution Control Plant
Mailing Address: 207 Fourth Ave. North
Kelso, WA 98626
Plant Location: 467 Fibre Way
Longview, WA 98632
Voice: (360) 577-2040
Voice: (360) 577-2020
Fax: (360) 577-2041
E-mail: cwpcpa@private
-----Original Message-----
From: owner-crime@private [mailto:owner-crime@private]On Behalf Of
Andrew Plato
Sent: Wednesday, May 28, 2003 12:16
To: crime@private
Subject: CRIME Port scanning from an ISP
I'm looking for some opinions.
Recently, an ISP had been relentlessly port scanning our network. So, I
sent them the logs and asked their admins to look into it. I figured one
of the weekend admins might be playing 31337 hax0r wannabe.
They responded with the following justification (see below).
I've X'ed out the company's name and I will not reveal that name
publicly (I don't want them suing me!). But, this response is more than
a little annoying. Basically, they are saying that because our mail
server sent a message to one of their users, they can port scan the hell
out of us.
Now, I suspect they might have been alerted to us since we've been
getting spammed a lot lately. But, those spams are coming from their
network, not ours. Our mail server was just bouncing the spams.
A simple scan wouldn't bother me, but they have been relentlessly
pounding us with port scans. I blocked their IP address - so their scans
are essentially useless now. But still, does this strike anybody as a
little annoying?
Here's the mail....
> Dear Andrew,
>
> Open SMTP relays and insecure proxy servers are a serious
> issue on the
> Internet today. Spammers routinely scan the Internet, searching for
> open relays and proxies, looking for open servers that allow them to
> spew their spam. The onslaught of such spam has led some providers to
> take additional steps to protect their networks from this problem.
>
> Accordingly, XXXXXX has begun testing of IP addresses which connect
> to its inbound SMTP gateways. If your server connects to ours, we
> reserve the absolute right to perform SMTP relay and open
> proxy server
> tests upon the connecting IP address, to ensure that the machine at
> that IP address cannot be abused for malicious purposes.
>
> These scans are done only on those servers that have sent our
> subscriber base mail. The only way for these tests to occur
> is if an IP
> address connects to our inbound SMTP gateway.
>
> XXXXXXXXXXX currently scans the following TCP ports for services
> that may
> allow OTHER persons to access your systems and perform deeds that are
> detrimental to the XXXXXXXXXX network, such as spamming, or attacking
> other Internet users: 23, 25, 80, 81, 85, 1075, 1080, 1180,
> 1181, 1182, 1282, 3128, 4480, 5490, 6588, 7033, 8000, 8080, 8081,
8085,
> 8090, 8095, 8100, 8105, 8110, and 8888
>
> XXXXXXXXXXX in NO way attempts to circumvent your security or access
the
> contents of your personal computer. We are not interested in its
> contents, nor what you do while you access the Internet.
>
> If you have further questions or problems, please contact us.
So what do you think? Good practice or invasion?
___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
Enterprise Security &
Infrastructure Solutions
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
This archive was generated by hypermail 2b30 : Wed May 28 2003 - 15:29:48 PDT