RE: CRIME Port scanning from an ISP

From: Rob Jacobsen (cwpcpa@private)
Date: Wed May 28 2003 - 14:35:48 PDT

    The way I see it, the justification they listed might excuse occasional
    port scans, but not continuous scans.  After all, how often do they think
    you reconfigure your servers?  I would find it annoying, at the very least.
    
    Rob Jacobsen
    Operator / Network Technician
    Cowlitz Water Pollution Control Plant
    
    Mailing Address: 207 Fourth Ave. North
                     Kelso, WA  98626
    
    Plant Location: 467 Fibre Way
                    Longview, WA  98632
    
    Voice:  (360) 577-2040
    Voice:  (360) 577-2020
    Fax:    (360) 577-2041
    E-mail: cwpcpa@private
    
    -----Original Message-----
    From: owner-crime@private [mailto:owner-crime@private]On Behalf Of
    Andrew Plato
    Sent: Wednesday, May 28, 2003 12:16
    To: crime@private
    Subject: CRIME Port scanning from an ISP
    
    
    I'm looking for some opinions.
    
    Recently, an ISP had been relentlessly port scanning our network. So, I
    sent them the logs and asked their admins to look into it. I figured one
    of the weekend admins might be playing 31337 hax0r wannabe.
    
    They responded with the following justification (see below).
    
    I've X'ed out the company's name and I will not reveal that name
    publicly (I don't want them suing me!). But, this response is more than
    a little annoying. Basically, they are saying that because our mail
    server sent a message to one of their users, they can port scan the hell
    out of us.
    
    Now, I suspect they might have been alerted to us since we've been
    getting spammed a lot lately. But, those spams are coming from their
    network, not ours. Our mail server was just bouncing the spams.
    
    A simple scan wouldn't bother me, but they have been relentlessly
    pounding us with port scans. I blocked their IP address - so their scans
    are essentially useless now. But still, does this strike anybody as a
    little annoying?
    
    Here's the mail....
    
    > Dear Andrew,
    >
    > Open SMTP relays and insecure proxy servers are a serious issue on the
    > Internet today. Spammers routinely scan the Internet, searching for
    > open relays and proxies, looking for open servers that allow them to
    > spew their spam. The onslaught of such spam has led some providers to
    > take additional steps to protect their networks from this problem.
    >
    > Accordingly, XXXXXX has begun testing of IP addresses which connect
    > to its inbound SMTP gateways. If your server connects to ours, we
    > reserve the absolute right to perform SMTP relay and open proxy server
    > tests upon the connecting IP address, to ensure that the machine at
    > that IP address cannot be abused for malicious purposes.
    >
    > These scans are done only on those servers that have sent our
    > subscriber base mail. The only way for these tests to occur is if an IP
    > address connects to our inbound SMTP gateway.
    >
    > XXXXXXXXXXX currently scans the following TCP ports for services that may
    > allow OTHER persons to access your systems and perform deeds that are
    > detrimental to the XXXXXXXXXX network, such as spamming, or attacking
    > other Internet users: 23, 25, 80, 81, 85, 1075, 1080, 1180,
    > 1181, 1182, 1282, 3128, 4480, 5490, 6588, 7033, 8000, 8080, 8081, 8085,
    > 8090, 8095, 8100, 8105, 8110, and 8888
    >
    > XXXXXXXXXXX in NO way attempts to circumvent your security or access the
    > contents of your personal computer. We are not interested in its
    > contents, nor what you do while you access the Internet.
    >
    > If you have further questions or problems, please contact us.
    
    
    So what do you think? Good practice or invasion?
    
    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    Enterprise Security &
    Infrastructure Solutions
    
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com
    ___________________________________
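
Added example, not part of the original thread: one way a recipient of such scans could check firewall logs against the ISP's stated policy, by grouping inbound probes into bursts and testing whether each burst stays on the published port list and follows an outbound SMTP connection. The log format, the addresses (documentation ranges) and the function names are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Ports the ISP's notice says it tests (taken from the quoted e-mail).
ISP_TEST_PORTS = {23, 25, 80, 81, 85, 1075, 1080, 1180, 1181, 1182, 1282,
                  3128, 4480, 5490, 6588, 7033, 8000, 8080, 8081, 8085,
                  8090, 8095, 8100, 8105, 8110, 8888}

# Constructed sample log (hypothetical format): time direction src dst dport
SAMPLE_LOG = """\
2003-05-28T09:00:00 out 192.0.2.10 198.51.100.25 25
2003-05-28T09:00:05 in 198.51.100.77 192.0.2.10 23
2003-05-28T09:00:06 in 198.51.100.77 192.0.2.10 1080
2003-05-28T09:00:07 in 198.51.100.77 192.0.2.10 3128
2003-05-28T11:30:00 in 198.51.100.77 192.0.2.10 8080
2003-05-28T11:30:01 in 198.51.100.77 192.0.2.10 6588
2003-05-28T14:00:00 in 198.51.100.77 192.0.2.10 22
2003-05-28T14:00:01 in 198.51.100.77 192.0.2.10 8888
"""

def parse_log(text):
    """Yield (time, direction, src, dst, dport) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, direction, src, dst, dport = line.split()
            yield (datetime.fromisoformat(ts), direction,
                   ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))

def scan_bursts(events, isp_net, gap=timedelta(minutes=5),
                trigger_window=timedelta(minutes=10)):
    """Group inbound probes from isp_net into bursts and check each against
    the notice: ports on the published list, preceded by our outbound SMTP."""
    net = ipaddress.ip_network(isp_net)
    smtp_out, bursts = [], []
    for ts, direction, src, dst, dport in sorted(events, key=lambda e: e[0]):
        if direction == "out" and dst in net and dport == 25:
            smtp_out.append(ts)
        elif direction == "in" and src in net:
            if not bursts or ts - bursts[-1]["end"] > gap:
                triggered = any(timedelta(0) <= ts - t <= trigger_window
                                for t in smtp_out)
                bursts.append({"start": ts, "end": ts, "ports": set(),
                               "triggered": triggered})
            bursts[-1]["end"] = ts
            bursts[-1]["ports"].add(dport)
    for b in bursts:
        b["off_list"] = sorted(b["ports"] - ISP_TEST_PORTS)
    return bursts
```

Legitimate inbound mail from the ISP also arrives on port 25, so a burst that touches only port 25 is not by itself evidence of a scan.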
    



    This archive was generated by hypermail 2b30 : Wed May 28 2003 - 15:29:48 PDT