FC: Road Runner's security director replies to Politech over probes

From: Declan McCullagh (declanat_private)
Date: Sun Mar 16 2003 - 21:08:44 PST


    Previous Politech message:
    
    "Email a RoadRunner address, get scanned by their security system"
    http://www.politechbot.com/p-04556.html
    
    ---
    
    Date: Sun, 16 Mar 2003 13:25:00 -0500
    To: declanat_private
    From: "W. Mark Herrick, Jr." <markhat_private>
    Subject: Politechbot article on RR Scanning
    
    Hello Declan,
    
    I was pointed to the thread on Politechbot through another person, and I 
    saw the article on http://www.politechbot.com/.
    
    I thought that I'd comment on your article, since it is at the top of your 
    page and pretty fresh on the minds of your readers. Feel free to post my 
    response on that web page, or in your mailing list.
    
    So, just to set one ground rule here - we're talking about proxy and relay 
    testing, not full-out penetration testing. With that in mind...
    
    The author in the article has made a fatal flaw in his mail to you, that 
    being that our scans are proactive in nature.
    
    "I'm curious whether this preemptive measure is effective at all."
    
    His assertion that our scans are proactive could not be further from the 
    truth. At no time has Road Runner performed any PROACTIVE scanning on any 
    IP address that does not belong to Road Runner.
    
    Road Runner's scans are completely REACTIVE in nature. IP addresses 
    connecting to our mail gateways are TCP-scanned for open proxy servers on a 
    variety of ports, and then, if those ports are open, we attempt to mail 
    ourselves via either HTTP CONNECT or SOCKS. Success equals blocking via our 
    local block list.
    
    We perform no REACTIVE scanning on an IP address unless one of the 
    following conditions is met:
    
    1. We have spam in hand.
    2. We have received a direct connection to our inbound SMTP servers from 
    that IP.
    
    In addition, regardless of whether or not there has EVER been an issue with 
    the network, we will not REACTIVELY scan ANY IP address when there is a 
    request from the *network owner* that we not do so. We have no wish to be 
    abusive, and as such, we limit scans of an IP to one per week.
    
    This is all clearly explained at http://security.rr.com (and 
    http://securityscan.sec.rr.com).
    
    So, just to clarify some other misconceptions:
    
    We have absolutely NO objection to REACTIVE open proxy or relay scanning of 
    IP addresses from a system that either:
    
    1. Has spam in hand (a la MAPS RSS).
    2. Has received a direct connection from our subscriber IP address or SMTP 
    server (a la AOL, Outblaze).
    
    Why should we? IRC servers perform a similar function all day long.
    
    Our stance on proactive scanning, however, has not changed in the 5 years 
    that I have been with Road Runner.
    
    From the article:
    
    "Under their logic, I feel entitled to poke and prod their customers, just 
    to make sure they don't spam me.  Is that fair?  I promise to provide an 
    opt-out if anyone complains."
    
    I believe that the author is indicating that there is a relationship 
    between our REACTIVE testing, and his desire to PROACTIVELY test our 
    network. This is where we take issue.
    
    We have, and will continue to have, a severe issue with the proactive scanning 
    of our networks. This includes individual users or so-called 'scanning 
    services', that accept requests from anywhere to perform 'on-demand' scans 
    (e.g., hatcheck.org). We also have a serious issue with blocklist systems 
    that *proactively* scan IP addresses (e.g., DSBL), without first requiring 
    (and keeping on hand) proof (e.g., spam-in-hand) that the IP address is a 
    source of spam, open to third party relay, or has an open proxy service.
    
    We have an even BIGGER problem when those same services tell us to pound 
    sand when we tell them to stop scanning our space (specific examples 
    include the now-defunct ORBS and ORBZ block lists, and most recently DSBL). 
    As such, we will not work with those entities under any circumstances.
    
    To close, the problem of open relays and proxies has exploded. To 
    demonstrate this, since the inception of our scanning initiative (1st week 
    in January), we have identified over 50,000 open proxy servers that 
    constantly barrage our 3 million members with spam all day long. We MUST 
    take steps to combat that abuse, in a responsible manner, or else our 
    business will suffer. As the person responsible for the security of our 
    network, I will not allow that to happen.
    
    Regards,
    Mark Herrick
    Director - Operations Security
    Road Runner
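    The reactive-scan rules Herrick lays out above (scan only on spam-in-hand or a direct SMTP connection, honour network-owner opt-outs, at most one scan per IP per week, block on a successful self-mail through the proxy) as a policy gate in Python. This is an added example, not Road Runner's code; the opt-out networks, timestamps and IP addresses are constructed, and the trigger names are assumed labels.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

WEEK = 7 * 24 * 3600                      # "one scan per IP per week", in seconds
REACTIVE_TRIGGERS = {"spam_in_hand", "direct_smtp_connection"}  # the only two legitimate triggers

@dataclass
class ScanPolicy:
    """Gate deciding whether a proxy/relay test may run against an IP.
    Added example, not Road Runner's code; opt_out holds constructed networks
    whose owners asked not to be scanned, last_scan maps IP -> epoch seconds."""
    opt_out: list = field(default_factory=list)
    last_scan: dict = field(default_factory=dict)
    block_list: set = field(default_factory=set)

    def should_scan(self, ip: str, trigger: str, now: int):
        """Return (allowed, reason). No reactive trigger means no scan at all."""
        if trigger not in REACTIVE_TRIGGERS:
            return False, "no reactive trigger: proactive scanning is not done"
        addr = ip_address(ip)
        for net in self.opt_out:            # owner opt-out wins regardless of history
            if addr in ip_network(net):
                return False, f"network owner opt-out covers {net}"
        last = self.last_scan.get(ip)
        if last is not None and now - last < WEEK:
            return False, "rate limit: scanned within the last week"
        return True, "ok"

    def record_result(self, ip: str, now: int, relayed: bool) -> bool:
        """Record the test; relaying our own mail through the host means block."""
        self.last_scan[ip] = now
        if relayed:
            self.block_list.add(ip)
        return ip in self.block_list

def demo():
    """Walk the constructed cases; returns the list of allowed/denied decisions."""
    p = ScanPolicy(opt_out=["192.0.2.0/24"])
    t0 = 1_047_839_100                     # constructed timestamp (epoch seconds)
    out = [p.should_scan("198.51.100.7", "port_sweep", t0)[0],             # proactive: denied
           p.should_scan("192.0.2.9", "spam_in_hand", t0)[0],              # opted out: denied
           p.should_scan("198.51.100.7", "direct_smtp_connection", t0)[0]]  # allowed
    p.record_result("198.51.100.7", t0, relayed=True)                      # goes on block list
    out.append(p.should_scan("198.51.100.7", "spam_in_hand", t0 + 3 * 86400)[0])  # rate limited
    out.append(p.should_scan("198.51.100.7", "spam_in_hand", t0 + 8 * 86400)[0])  # week passed
    return out
```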
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    -------------------------------------------------------------------------
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Sun Mar 16 2003 - 22:05:59 PST