Previous Politech message: "Email a RoadRunner address, get scanned by their security system"
http://www.politechbot.com/p-04556.html

---

From: "Sanford Olson" <solsonat_private>
To: <declanat_private>
References: <5.1.1.6.0.20030314152453.02ca9008at_private>
Subject: Re: Email a RoadRunner address, get scanned by their security system
Date: Fri, 14 Mar 2003 16:01:16 -0600

Hi Declan,

If RR's e-mail server forwards an e-mail message on your e-mail server's behalf, having your e-mail server try to forward a message for them seems reasonable to me.

Sanford Olson

---

Subject: Re: FC: Email a RoadRunner address, get scanned by their security system
From: Ron Guerin <ronat_private>
To: declanat_private
In-Reply-To: <5.1.1.6.0.20030314152453.02ca9008at_private>

The scans are fine by many (but hardly all) of us running mail servers. And there's really little ground to stand on complaining about it since it's only the result of an attempt to connect to their servers. Note I said little, not none. For one thing you wouldn't know you were going to be scanned until the first time you send mail to RR.

What you may find more interesting however, is that Road Runner forbids others from scanning them! If you're still on SPAM-L, there was a thread about it this and last week. Excerpt:

RR ultimately demanded that anybody who wants to test a host in their network for relay or open proxy requires prior permission from security for 'penetration testing'.

This page generated the initial post: http://openrbl.org/roadrunner.htm

You'll probably want to read the thread for more context though. That page itself is the subject of some controversy.
- Ron

---

Date: Sat, 15 Mar 2003 01:49:06 +0000 (GMT)
From: Suresh Ramasubramanian <sureshat_private>
X-X-Sender: mdropat_private
To: Declan McCullagh <declanat_private>
cc: Gunnar Hellekson <gunnarat_private>
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system

On Fri, 14 Mar 2003, Declan McCullagh wrote:

> From: Gunnar Hellekson <gunnarat_private>
> After sending an email to a friend at a RoadRunner address, I see this in
> my web access log:
>
> 24.30.199.228 - - [13/Mar/2003:15:11:25 -0500] "CONNECT security.rr.com:25
> HTTP/1.0" 404 535 "" ""

Lots of other ISPs are doing this, fwiw. It is either that, or drown in the torrents of spam sent at them.

Here's what we tell people (in the body of our relaytests / proxy tests, and when someone complains to us). We also whitelist people from further testing if they are not running an open relay / proxy, and their admins give us a point of contact email address for their IP(s).

--srs

--
srs (postmaster|suresh)@outblaze.com // gpg : 420776FC
outblaze.com postmaster & messaging systems specialist

-------

Hello

Thank you for contacting the Outblaze postmaster desk.

The obsl.outblaze.com machine is an Outblaze Security resource that is used as a tool to assist us in determining if machines being used to send us mail may be abused from outside sources, allowing them to be used to spam our customers and role accounts.

We fully understand your concerns surrounding the probing of your machine. This issue has been raised internally and we hope this email helps you better understand our process. The intention of this process is truly not meant to be a "big brother" system, but we understand that some may view it as such. Our ultimate goal, however, is to protect our network and our customers. Given that we are an ISP with over 30 million users, we have to adopt this strategy.

To that end, Outblaze has begun the reactive testing of IP addresses which connect to its inbound SMTP gateways.
If your machine connects to ours to send email, we perform SMTP relay and open proxy server tests upon the connecting IP address to ensure that the machine at that IP address cannot be abused for malicious purposes.

Your mail server is most likely being tested because your IP

[1] Delivered a spam to us
[2] Triggered antispam filters (such as sent us a significant number of emails with hotmail, yahoo or other freemail domains in the envelope sender, but not from a hotmail / yahoo IP)
[3] We were previously blocking you, and we are retesting your host. If your host is now seen to be closed to relaying, it will be delisted from our blocklist.

If your server is found to be an open relay or proxy it will be locally blocked by us. In such a case, please secure your server using the documentation at http://www.mail-abuse.org/tsi/ar-fix.html (open relays) and http://www.cyberabuse.org (for open proxies). Alternatively, you can ask your software manufacturer / on mailing lists and usenet newsgroups discussing your mail / proxy server, and then contact us at postmasterat_private once your relay or proxy is secured.

This message is a test of your mail server to determine if it will perform relaying or proxying (re-sending) of e-mail messages for unauthorized outside parties. This capability, if enabled in your server, is widely considered to be a serious flaw in server security. For additional information about this test message, please contact postmasterat_private.

Please note also that if you are reading this message, then the implication is that your mail server has PASSED this one particular relaying test. However other types of relaying tests may perhaps still indicate mail relaying vulnerabilities in your mail server.

If your IP is not running an open mail relay or proxy, we sincerely apologize for the inconvenience caused. Your IP will, in such a case, be whitelisted from further testing for a period of time.
The status of your mailserver can be checked at this URL - http://spamblock.outblaze.com/your_ip_here

Sincerely,
postmasterat_private

---

Date: Fri, 14 Mar 2003 17:40:12 -0500
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system
Content-Type: text/plain; delsp=yes; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v551)
Cc: Declan McCullagh <declanat_private>
To: Thomas Shaddack <shaddackat_private>
From: Gunnar Hellekson <gunnarat_private>
In-Reply-To: <Pine.LNX.4.33.0303142150200.23298-100000@Zeta>

Without exhausting you, let me clarify the matter.

I'm not complaining about the scanning. I get scanned all day. Though relatively harmless, the RR policy isn't effective. It's foolish of them to think that they can protect themselves by whitelisting every SMTP server on the Internet, and to check every one of these servers at least once a week. It's too little, too late.

The checks they are performing are not proper responses to the potential threat. I sent them mail, and they checked for my vulnerability to relayed spam. That makes no sense.

Providing the opt-out is the worst. Haven't the bad guys already figured out how to exempt themselves from the scan before they launch their spam payload?

A more sensible policy would be more cautious. Taking for granted that a vulnerability check is absolutely necessary, only check for vulnerabilities on servers that are attempting to transmit spam, or have transmitted spam in the past. Regularly vet those servers in real-time, forget the weekly checks. Publicize these probes to increase their own credibility and reduce unnecessary alarm. Eliminate the opt-out which works only to benefit the bad guys.

These small adjustments would vastly improve the effectiveness of their effort, and keep intrusiveness to a minimum. This is also more efficient from RR's point of view -- fewer hosts to check, and the spam is more effectively prevented.
The current policy is unnecessarily invasive, poorly implemented, and ineffective to boot.

While they're at it, they should make their blacklist public to eliminate duplicate effort and allow everyone to benefit from their work. That would be a lovely show of good faith.

My other concern, less compelling, is the slippery slope. RR's probes appear acceptable under the CFAA, since they cause no intentional damage. It seems that as long as they promise not to break anything, there's no limit to the checks. Why not check for trivial root passwords? As long as they promise, cross-their-heart-and-hope-to-die, that they won't do anything if they're successful. It's a matter of degrees, and while I certainly sympathize with their effort, this policy is poor thinking.

As it stands, RR is distinguishable from the script kids only in their scale and intent -- which isn't sufficiently comforting. Their policy needs to change.

-Gunnar

---

Date: Fri, 14 Mar 2003 16:05:35 -0500 (EST)
From: "Matthew G. Saroff" <msaroffat_private>
Reply-To: "Matthew G. Saroff" <msaroffat_private>
To: Declan McCullagh <declanat_private>
cc: politechat_private
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system

You know, I have to be on RR's side on this one. With all the complaints about people erroneously being listed by things like spamcop, the idea of an ISP doing it on their own is rather refreshing.

--
Matthew G. Saroff
Navicula hydraulica plena anguilarum est.

---

User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Fri, 14 Mar 2003 13:12:10 -0800
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system
From: Amos Jessup <amosat_private>
To: <declanat_private>
Message-ID: <BA9785AA.5575%amosat_private>

Roadrunner's general reputation for service in this neck of the woods is excellent. There have been cases of genuine slime-spammers stealing a Road Runner user address and using it as a reply-to in spams all over the world.
Usually they compound the insult by adding a wrong, imaginary plain-language name to boot! The sad side-effect is that all the "nixies" bounce back to the victim and fill his mailbox. I found RR to be highly responsive to this problem in seeking to protect the customer's interest.

A

---

Date: Fri, 14 Mar 2003 14:14:10 -0700
To: declanat_private
From: Charles Oriez <coriezat_private>
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system
In-Reply-To: <5.1.1.6.0.20030314152453.02ca9008at_private>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

Their server, their rules. Seems reasonable to me:

>>2. Do not connect to our inbound SMTP servers. Again, this test is only
>>conducted on servers that connect to our servers.

--
Charles Oriez, coriezat_private
39 34' 34.4"N / 105 00' 06.3"W

---

Date: Fri, 14 Mar 2003 22:21:34 +0100 (CET)
From: Thomas Shaddack <shaddackat_private>
X-X-Sender: <shad@Zeta>
To: Declan McCullagh <declanat_private>
cc: <gunnarat_private>
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system
In-Reply-To: <5.1.1.6.0.20030314152453.02ca9008at_private>

Essentially harmless, could be quite effective. RR is defending themselves and their customers against the barrage of spam. Open proxies supporting the HTTP CONNECT method are one of the most common spam sources. Automated scan of an SMTP traffic source is one of the possible effective ways of discovering one class of potential offenders.

Check your firewall logs. You will possibly find connection attempts to ports 25, 8080, 1080, 3128, maybe 8000 and a couple of others. One such probe set will maybe be RR-related. You are likely to see many others there; there are many various probe sources, both "white" (eg, spam blackhole list providers), and "black" (spammers, crackers...).
(Other common probes these days are 137, 139, 445, 57, 515, 81, 79, 21, 22, 23, 109, 110, and 111, and these are only the ones I got either from memory or from a subsequent quick peek at my fw logs.)

Scans of various kinds are daily reality for any computer connected to the Net. Any Net-connected machine should be able to withstand such individual attempts without any problem; if it crashes or fails in some other way as a result of a mere scan, you have a MUCH more serious problem and should be thankful you were alerted about it before someone exploited it in a malicious way.

Complaining you are scanned won't make your situation better. Accepting the reality and securing your machine (and occasionally scanning it yourself - Nmap, Nessus, and Whisker are your friends) will.

---

From: "John Ellingsworth" <jellingsat_private>
To: <declanat_private>
References: <5.1.1.6.0.20030314152453.02ca9008at_private>
Subject: Re: Email a RoadRunner address, get scanned by their security system
Date: Fri, 14 Mar 2003 16:24:09 -0500
MIME-Version: 1.0
Content-Type: text/plain;

It's certainly a viable option - trying to determine if you are running an open relay - read this in yesterday's WP about spam; particularly relevant is this quote:

"At the quieter end of the battlefield, activists such as Chip Rosenthal, a computer consultant in Texas, create e-mail accounts for the express purpose of attracting spam. "If they hit one of my spam traps, I launch probes" to figure out the location of the senders' computers, Rosenthal said. Sometimes, Rosenthal identifies unprotected computers that were unwittingly taken over by a spammer, launching spam without the owners' knowledge. But Rosenthal is part of a loose network of anti-spam advocates whose primary goal is to collect and publicize "blacklists" of spammers' Internet addresses.
These are then incorporated into spam filters used by small Internet service providers, company system administrators and individual users, blocking any e-mail that comes from those addresses."

http://www.washingtonpost.com/ac2/wp-dyn/A17754-2003Mar12?language=printer

It's a harmless scan, and it isn't as if RR attempted to hide their domain or their intention from the individual.

Thanks,
John Ellingsworth
Project Leader
Virtual Curriculum
http://ellingsworth.org/john/

---

From: "Christopher Null" <cnullat_private>
To: <declanat_private>
Subject: RE: Email a RoadRunner address, get scanned by their security system
Date: Fri, 14 Mar 2003 13:02:40 -0800
Organization: filmcritic.com

Based on informal and unscientific perusing of email headers, a >LOT< of spam comes through rr.com. It's interesting that they appear to be trying to do something about it, though I can't see how port scanning is going to aid that effort.

CN

------------------------------------------------------
Christopher Null / cnullat_private / journalist, film critic, novelist
www.filmcritic.com - www.sutropress.com - www.chrisnull.com
"A stunning accomplishment!" "Completely absorbing!" "I am deeply impressed!"
Get your copy of HALF MAST at www.sutropress.com

---

From: Zero Sum <countat_private>
Organization: Tobacco Chewers and Body Painters Association
To: declanat_private
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system
Date: Sat, 15 Mar 2003 08:18:11 +1100
User-Agent: KMail/1.5
References: <5.1.1.6.0.20030314152453.02ca9008at_private>

On Sat, 15 Mar 2003 07:25, Declan McCullagh wrote:

> After sending an email to a friend at a RoadRunner address, I see this in
> my web access log:
>
> 24.30.199.228 - - [13/Mar/2003:15:11:25 -0500] "CONNECT security.rr.com:25
> HTTP/1.0" 404 535 "" ""
>

Check your firewall log. You'll find road runner at more than Port 80.

> Basically, RoadRunner tried to spam themselves using my server.
> I mailed abuseat_private about this, and received a canned response, enclosed. It's
> a humble response, but woefully inadequate. Have anti-spam measures come
> to this? This seems like an ill-considered compromise between privacy
> and anti-spam efforts. A blunt instrument that betrays less-than-careful
> thinking. The opt-out option, which was revealed only after my
> complaint, is even more obnoxious.
> I requested that they stop probing my machine. They declined.

The emails have been preserved. It is my belief that according to the law of _this_ country, they are both "trespassing" and "appropriating the resource of others". Since Bush the Younger, complaints to American companies have been answered with appalling arrogance.

> Under their logic, I feel entitled to poke and prod their customers, just
> to make sure they don't spam me. Is that fair? I promise to provide an
> opt-out if anyone complains.
>
> I'm curious whether this preemptive measure is effective at all.
>

No. I have them firewalled, but it is still annoying to see their arrogance in my logs.

--
Zero Sum <countat_private> - Nullus Anxietas Sanguinae
Q.) What's the difference between a scientist and an engineer?
A.) A scientist thinks that two points are enough to define a straight line while an engineer wants more data!!!

---

X-Mailer: exmh version 2.4 06/23/2000 with nmh-1.0.4
To: declanat_private
cc: hmurrayat_private
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system

RR has been doing that for a while. I think AOL does it too.

In some sense, it's a reasonable approach. Finding one of the many holes that the spammers use is a very strong indication that spam will come from that machine.

The problem with RR scanning your system after you send them email is that they don't want you doing the same thing back to them. That can also be considered reasonable - most of the scans are probably from spammers.
I think the real question is how many scanning sites do we need and/or who should run them. If you are an AOL or RR, you probably can't afford to trust info from a volunteer anti-spam organization. Should each ISP do their own scanning? How many ISPs are there on the net? ...

--
The suespammers.org mail server is located in California. So are all my other mailboxes. Please do not send unsolicited bulk e-mail or unsolicited commercial e-mail to my suespammers.org address or any of my other addresses. These are my opinions, not necessarily my employer's. I hate spam.

---

Date: Fri, 14 Mar 2003 17:13:05 -0500
From: Adam Lynch <alynchat_private>
To: declanat_private
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system
MIME-Version: 1.0

Quoting Declan McCullagh <declanat_private>:

> Under their logic, I feel entitled to poke and prod their customers, just
> to make sure they don't spam me. Is that fair? I promise to provide an
> opt-out if anyone complains.

I myself saw this a few nights ago on a number of my mailhosts. A quick visit to http://sec.rr.com/probing.htm explains their policy in-depth.

I find this very interesting, as the ISP I'm sysadmin for ran into an issue where a number of their MX servers made it into an open-relay database, which we use. Further investigation of that issue proved that RR.com *actively blocks access to their MX servers from automated testing bots.* They consider it a security probe (and an attempted security violation, theft of services, etc), and have decided that blocking these bots and making it into some ORDBs is acceptable, and justified.

To me, it seems that RR.com is basically forcing on the rest of the Net policies that they themselves would consider unacceptable.

--
AdamL.
alynchat_private
http://sprawl.net

---

From: "William K. Walker" <wkwalkerat_private>
To: <declanat_private>
Subject: RE: Email a RoadRunner address, get scanned by their security system

Declan,

It looks like RoadRunner is not the only ISP doing "REACTIVE testing of IP addresses which connect to its inbound SMTP gateways." According to the folks who run my hosting service, "a lot of the larger ISP's are moving to the same method as RR."

Bill Walker
NVDi

---

From: "Thomas Junker" <tjunkerat_private>
To: declanat_private
Date: Fri, 14 Mar 2003 16:49:50 -0600
MIME-Version: 1.0
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system
Reply-to: Thomas Junker <tjunkerat_private>

On 14 Mar 2003 at 15:25, Declan McCullagh wrote:

> Date: Fri, 14 Mar 2003 15:22:24 -0500
> Subject: RoadRunner Automated Portscans
> From: Gunnar Hellekson <gunnarat_private>
> To: declanat_private
>
> After sending an email to a friend at a RoadRunner address, I see this in
> my web access log:
>
> 24.30.199.228 - - [13/Mar/2003:15:11:25 -0500] "CONNECT security.rr.com:25
> HTTP/1.0" 404 535 "" ""
>
> Basically, RoadRunner tried to spam themselves using my server. I mailed
> abuseat_private about this, and received a canned response, enclosed. It's a
> humble response, but woefully inadequate. Have anti-spam measures come to
> this?..

Hi Declan,

If Road Runner had even a fragment of a clue they would be directing their attention to the epidemic of virus and worm probes that originate within their own networks. My Web server, on a fixed IP in a Road Runner net, is probed and attacked hundreds, thousands of times each day. I took to extracting the offending IP addresses, almost all of which are "nearby" in the 24.x.x.x tree, and adding them to the "deny" section in my Web config. I gave up on that after building about 30 pages of deny entries, 22 lines per page, four IP addresses per line. I began doing this after noticing that the offending hosts do *not* disappear -- they continue to probe and attack for month after month.
Nimda may be old news in the world generally, but it's very much a huge and current problem within Road Runner. It seems obvious to me that Road Runner does nothing about this type of net pollution because they collect monthly fees from the clueless whose PCs have become infected.

Compared to the volume of virus and worm traffic within their own network and the nasty effects on unsuspecting new subscribers when they connect to this infested network, the lame anti-spam scanning they are doing of mail servers that send lone messages to their subscribers seems not only misplaced but moronic.

Oh yes: they also probe mail servers operating within the Road Runner networks. They have repeatedly probed mine, even though I have no large list traffic going out, send no spam, and mostly send only individual, hand-composed, normal email. I do, however, receive spam from the outside world at the rate of 5-10 or more per hour.

I'll be content if Road Runner does *nothing* about inbound spam because I don't believe any ISP on the planet can accurately filter inbound spam without also tossing legitimate traffic. Lost business email that is silently deleted is entirely intolerable. Business email that is bounced is not much better, but at least someone in the loop will notice that the messages weren't delivered.

The stupidity that generally infects modern corporate business is exceeded only by the utter brain death characteristic of many ISPs and business Website operators. The single most effective policy that could bring Web problems to the attention of managers and executives who presently never see them would be to have email sent to "webmaster" go not to the Webmaster but to someone several levels higher in management *above* the Webmaster. As it is, notifications of Web stupidities that should result in immediate firing of the Webmaster go *to* the Webmaster. Duhhhhh!
ISPs could be made to work reliably if they could find a way to route the paychecks or air supply (or both) of their operational staffs sequentially through *all* their servers. "If you want to get your paychecks, KEEP THE #@$)(&* SERVERS UP!" Personally I like the air supply approach a lot better. The email server goes down and Joe, the email "system engineer", feels his air supply begin to ratchet down while a voice says, "Warning! You have approximately 10 minutes left until losing consciousness... 9 minutes... 8 minutes..."

There is *no* sense of "mission critical" in much of today's Internet staff. It's weird that the coining of that term more or less coincided with the evaporation of any comprehension of critical and/or 24 x 7 operations.

Road Runner (at least in my area) occasionally makes network changes that require that I power cycle my cable modem. Excuuuuuuse me? I have so-called "Business Class" service. I run servers. I am sometimes out of town. Like most people, I occasionally sleep. Last I checked, this was the 21st Century. Why would I *ever* have to power cycle my cable modem to get it to hook up again with the upstream equipment? The answer seems to be: because cable Internet is provided by -- surprise, surprise -- *cable* *TV* companies, traditionally the lowest form of life on the planet that bases a business on hi-tech equipment. They were as dumb as rocks when they gave us only TV, and they seem to be as dumb as rocks giving us Internet.

More than once I've had IBM's e-commerce error out before I could find the information I needed or complete a purchase. This from the people who hold themselves up as the world's experts in e-commerce.

Many Webmasters the world over are so stupid that they ignore the design concepts of the WWW (and Tim Berners-Lee's admonitions) and recklessly revise and change URLs, breaking links in other Websites and in search engine databases -- links that presumably would have brought visitors to their Websites.
Others actually *remove* information from the WWW in this day and age when storage is almost dirt cheap and *so* cheap that individuals can in many cases mount more online storage than would be required to contain *all* the information that many large corporations could ever find to publish even if they were so inclined. As a private individual it costs me about $0.0000066 for the storage required to publish a page of standard text (4.6KB) on the WWW. That's 66 100-thousandths of a penny, or about 152,000 pages per dollar of storage. It is well within the means of anyone who can afford a home theater system or a second car to publish *hundreds* of *millions* of pages of information. It's utterly incongruous for a corporation to take down technical or retired product information "because we can't afford the disk space" or "because it's too expensive to maintain." The general principle of the WWW is that information should go up and never be taken down, and that URLs should be stable and persistent over the long term to give value to links. Duhhh!

I have never found an ISP that could keep its servers running. In my experience many who offer dialup don't even know when they have dead lines or dead modems. Some have been so poorly configured that a dead line or modem can catch and block *all* incoming calls until multiple concurrent calls jump past it to another port. Mail and Web and news servers often go up and down like yo-yos while the "network status" Web page or phone message claims that "All systems are functioning normally." Perhaps what is really at issue here is their definition of "normally." Perhaps "functioning normally" means "down" to them.

Road Runner and various intermediate points in networks I regularly use seem to think it's OK to take down routers or links for minutes at a time. They also proliferate levels within their own nets as if they were the only nets on the planet.
Many times I have encountered situations in which the standard 30-hop limit is exceeded because one or another of the players between two points has 10 or 15 levels of routing just in its own network. One route I am forced to use between two nearby cities exceeds 30 hops from time to time, seemingly according to someone rolling some dice.

I've noticed a peculiar confluence of outages in the 0200-0400 period, as if network operators fail to comprehend that it's a 24-hour planet and Internet.

Road Runner (in my area -- all the Road Runners seem to be different, using different equipment and different policies) seems to use some kind of load balancing for their DNS farms. The result is that my browser pauses in the "Looking up..." phase on host names I've accessed within seconds or minutes that SHOULD BE CACHED but are obviously not. I've only been able to overcome this by adding entries to my hosts file for the places I visit heavily. Of course this leaves it to *me* to maintain those hosts entries as current.

If the Internet ever melts down, it won't be a consequence of high traffic levels -- it will be a consequence of reaching a critical mass of stupidity.

Regards,

Thomas Junker
tjunkerat_private

---

Date: Fri, 14 Mar 2003 15:28:29 -0800
From: Brandon Long <blongat_private>
To: Declan McCullagh <declanat_private>
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system
Message-ID: <20030314152829.E25167@pulp>
Reply-To: blongat_private

A quick scan of my own web logs shows the following people have scanned my server in the same way:

security.rr.com
before-reporting-as-abuse-please-see-www.njabl.org
67.41.194.17
67.128.51.14

So, two validity checks and two spammers. The spammers actually hit more machines, and they usually used the name maila.microsoft.com.

I imagine that if that much spam mail is actually going through open proxies, then yes it is effective.
I would think this is less intrusive than services which scan random machines for relaying tests, since you are actually actively sending them mail.

This reminds me of the IDENT protocol, which various services (including some of the original web servers) would use to "reverse lookup" information about someone connecting to their server. Many servers today are probably still doing this reverse lookup... is this different? Some servers today are set up such that if your reverse and forward DNS names don't match, they won't accept mail or a connection from you. Depending on who's hosting your DNS, that might come back to you too.

The difference is one of expectation, I imagine.

Brandon

--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
http://www.fiction.net/blong/

---

Date: Fri, 14 Mar 2003 21:37:38 -0500
To: declanat_private
From: Stephen Cobb <scobbat_private>
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system
In-Reply-To: <5.1.1.6.0.20030314152453.02ca9008at_private>
Mime-Version: 1.0
Content-Type: multipart/mixed; x-avg-checked=avg-ok-1A4D56C;

Declan

A sad state of affairs indeed, but I can perhaps shed some light on RoadRunner's motives for this extreme approach. The rr.com domain cropped up last year when I was researching spam issues for my book, "Privacy for Business: Web Sites and Email." Even as I was investigating some fairly pernicious spam that was abusing rr.com, my wife was finding that her relatives in central Florida could not send email to her, because RoadRunner was their ISP. In other words, RoadRunner was getting black-holed in a big way because one of their servers was being abused by a spammer.
A lot of people would say tighter security in the server farm is a better approach than this high-risk response, but I fear that we will only see more of this type of reaction until something fundamental is done to change email technology for the better.

Stephen Cobb
www.privacyforbusiness.com

---

Date: 15 Mar 2003 01:31:31 -0500
Message-ID: <Pine.BSI.4.40.0303141603150.8281-100000at_private>
From: "John R Levine" <johnlat_private>
To: "Declan McCullagh" <declanat_private>
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system
X-UIDL: df810f5cde0269e3e22b17f2f0306cca

ISPs from AOL on down have been relay testing mail servers for years. For some reason Road Runner gets the most hassle about it, but what they are doing is utterly common and quite effective as a way of blocking spam.

Most legitimate mail comes from a relatively small set of familiar mail servers. When you get mail from a host you've never gotten mail from before, more likely than not it's an open relay or compromised proxy sending spam. On today's Internet filled with worms, viruses, and spam, testing a hitherto unseen host is a perfectly reasonable response.

A small ISP down the road from me has a very simple test scheme that sends a single message to each newly seen sending host, addressed to a pair of mailboxes on his system and on mine, which will only be delivered if the host is an open relay. We get deliveries about every two minutes all day and all night from open relays we haven't seen before and that aren't on any of the blocking lists we use. It's nuts, but these days, it's life.

Regards,
John Levine, johnlat_private, Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"More Wiener schnitzel, please", said Tom, revealingly.

---

Date: Sat, 15 Mar 2003 01:34:51 -0500
From: "Timothy M. Lyons" <lyonsat_private>
Reply-To: lyonsat_private
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3b) Gecko/20030210
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: declanat_private

Declan,

In my opinion, RoadRunner's actions are completely benign and should not be considered intrusive. If you are not running an open relay then there really is no problem. If you are, then it will be caught and (hopefully) submitted to multiple RBLs for further confirmation testing and possible blacklisting. The test is non-intrusive and should not be creating any undue stress on the mailserver.

Another RBL that performs a similar service is njabl.org. Using the queries sent to their system from participating mailservers, they then test those remote hosts to determine open relay status. We use their RBL in conjunction with others and participate in the above service. However, we did take the time to add a notice that displays when a remote host connects to our or a client mailserver that states our policy (below) - something RoadRunner has neglected to do.

220-mail.xxxx.xxx ESMTP server ready at Sat, 15 Mar 2003 01:17:50 -0500.
220-
220- NO UNSOLICITED OR UNCONSENTED TO COMMERCIAL EMAIL IS WANTED
220- OR WELCOME HERE AND IS SUBJECT TO THE TERMS SHOWN AT:
220- http://www.xxxx.xxx/xxx_xxxxxx.htm
220-
220- RBL Testing and Publishing Notice
220-
220- ----------------- NOTICE - and - TERMS OF USE -----------------
220-
220- We reserve the right to test all offerings and intermediate
220- relay hosts used by you for Open Relay and related status,
220- and to report for public publishing the results of our tests.
220-
220- All content offered to this mailserver is done without any
220- further expectation of privacy by you, and you grant to us
220- full rights of republication at our sole discretion.
220-
220- We also infer irrevocable explicit consent to our test of
220- those hosts, once you have further used our resources.
220-
220- Do not accept these policies? Okay -- Disconnect.
220-
220- Type quit to disconnect NOW, and send paper mail
220- to our domain mailing address if you disagree with any of
220- these terms and reporting.
220-
220- ---------------------------------------------------------------
220- Revised 2003-03-11
220- ---------------------------------------------------------------
220

Regards,
--Tim

---

From: "Adam Goldberg" <adam_gat_private>
To: <declanat_private>
Subject: RE: Email a RoadRunner address, get scanned by their security system
Date: Sat, 15 Mar 2003 09:34:59 -0500

Declan,

I'm afraid I don't understand this complaint. The response explains it reasonably well: for each IP address that sends email into roadrunner, once a week they check the sending SMTP to see if it is an open relay.

How do you automatically avoid receiving mail from open relays? Check each sender to see IF they are an open relay.

Adam

Adam Goldberg
adam_gat_private

---

doing -bs
Date: Sat, 15 Mar 2003 11:44:13 -0500 (EST)
From: John Jasen <jjasenat_private>
X-X-Sender: jjasen@bushido

They scan your mail port, ftp I believe, and several well-known proxy ports.

I love how they scan you for emailing a rr.com address, but if you check your firewall or system logs, you'll discover smb attacks, mssql probes, and a whole host of other baddies ...

-- 
-- John E. Jasen (jjasenat_private)
-- User Error #2361: Please insert coffee and try again.
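The check that the thread keeps describing (Levine's "send a test to each newly seen sending host", Goldberg's "check the sending SMTP to see if it is an open relay"), as an added example that is not code from Road Runner, Outblaze, NJABL or any poster: the probe connects to the host's SMTP port, offers a sender and a recipient that are both outside that host's domains, and records whether RCPT TO is accepted. So that the exchange can be run offline, the script also carries a tiny in-process responder that plays an open relay in one run and a properly configured server in the next. The host names, addresses and the responder's replies are assumptions made for illustration.

```python
"""Open-relay probe plus an in-process SMTP responder (added example; not code
from Road Runner, Outblaze, NJABL or any poster).  Host names, addresses and
the responder's behaviour below are assumptions for illustration."""
import socket
import threading

CRLF = "\r\n"


def _send(f, line):
    f.write((line + CRLF).encode())
    f.flush()


def _read_reply(f):
    """Read one SMTP reply, joining '250-' continuation lines (as in the
    multi-line 220 banner quoted above); return (code, text)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), " ".join(l[4:] for l in lines)


class FakeSmtpServer(threading.Thread):
    """Responder for one connection, constructed for this example.  With
    open_relay=False it refuses RCPT TO for any domain it does not host
    (550 'relaying denied'); with open_relay=True it accepts everything."""

    def __init__(self, open_relay, local_domains=("example.net",)):
        super().__init__(daemon=True)
        self.open_relay = open_relay
        self.local_domains = local_domains
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))   # loopback, ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn, conn.makefile("rwb") as f:
            _send(f, "220 mx.example.net ESMTP ready; senders may be relay-tested")
            while True:
                raw = f.readline()
                if not raw:
                    break
                cmd = raw.decode(errors="replace").strip()
                verb = cmd.split(" ", 1)[0].upper()
                if verb in ("EHLO", "HELO"):
                    _send(f, "250 mx.example.net")
                elif verb == "MAIL":
                    _send(f, "250 2.1.0 sender ok")
                elif verb == "RCPT":
                    addr = cmd.split(":", 1)[1].strip().strip("<>")
                    domain = addr.rsplit("@", 1)[-1].lower()
                    if self.open_relay or domain in self.local_domains:
                        _send(f, "250 2.1.5 recipient ok")
                    else:
                        _send(f, "550 5.7.1 relaying denied")
                elif verb == "RSET":
                    _send(f, "250 2.0.0 ok")
                elif verb == "QUIT":
                    _send(f, "221 2.0.0 bye")
                    break
                else:
                    _send(f, "502 5.5.1 command not implemented")
        self.sock.close()


def relay_probe(host, port, mail_from="probe@tester.example.org",
                rcpt_to="relaytest@tester.example.org", timeout=10):
    """Offer host an outside sender and an outside recipient.  Returns the
    banner, each step's reply, and open_relay=True only when the foreign
    recipient got a 2xx at RCPT TO.  Nothing is sent past RCPT TO."""
    result = {"host": host, "banner": "", "steps": [], "open_relay": False}
    with socket.create_connection((host, port), timeout=timeout) as s, \
            s.makefile("rwb") as f:
        code, text = _read_reply(f)
        result["banner"] = text             # keep any policy notice shown
        if code != 220:
            return result
        for label, line in (("ehlo", "EHLO tester.example.org"),
                            ("mail", f"MAIL FROM:<{mail_from}>"),
                            ("rcpt", f"RCPT TO:<{rcpt_to}>")):
            _send(f, line)
            code, text = _read_reply(f)
            result["steps"].append((label, code, text))
            if label == "rcpt":
                result["open_relay"] = 200 <= code < 300
            elif code // 100 != 2:
                break                       # EHLO or MAIL refused: stop
        for line in ("RSET", "QUIT"):       # never reach DATA
            _send(f, line)
            _read_reply(f)
    return result


def run_demo(open_relay):
    """Start a responder in the requested mode and probe it over loopback."""
    srv = FakeSmtpServer(open_relay=open_relay)
    srv.start()
    return relay_probe("127.0.0.1", srv.port)


if __name__ == "__main__":
    for mode in (True, False):
        r = run_demo(mode)
        print("OPEN RELAY" if r["open_relay"] else "relay refused", r["steps"])
```

Two caveats a practitioner would want. The verdict here rests on the RCPT TO reply code, and some hosts answer 250 and then silently discard, so Levine's scheme, which counts only messages that actually arrive in a monitored mailbox, is the stronger signal; this probe is the cheap first pass. And, as the thread itself turns on, run such a probe only against hosts that have just connected to your own mail system, or where you have permission, and keep the banner the remote side showed you, since a notice like Lyons's is the other party's statement of what it will and will not test.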
---

X-Sender: poosld@pop-server.ec.rr.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Sat, 15 Mar 2003 11:52:23 -0500
To: declanat_private
From: Larry Poos <poosldat_private>
Subject: Re: FC: Email a RoadRunner address, get scanned by their security system
Cc: gunnarat_private
In-Reply-To: <5.1.1.6.0.20030314152453.02ca9008at_private>

The internet is not private, secure or friendly.
The government wants to read your email and track where you surf.
Crooks want your private and personal data.
Marketers want your spending and personal habits profile.
Financial and Insurance companies want your asset and medical information for risk profiling.

I find that in the 57,000+ probes my firewalls have logged since 1/1/2003, 413 have IP numbers related to RR and only 20 have been from the RR security IP number. The single largest prober to my system by far is computers from atl.client2.attbi.com, with over 1280 probes in the same time period.

As to the privacy issue, RR is doing no more than you calling back a number with caller ID that left a message on your answering machine (non-issue to me). If that bothers you, use web-type email or an anonymous remailer to hide your originating IP number (and take your chances on the mail getting through).

As to the anti-spam measures question: yes, they have come to this, with spam sucking up massive amounts of network resources and manpower in an attempt to control it. I personally feel that blocking relays and proxy servers will eventually kill the spam industry, but only if all the ISPs do it and do it using the same rules.

As to your right to poke and prod computers: do so at your own risk. Port scanning has been around for a long time, and though not (to my knowledge) illegal in itself, high levels of port scanning tend to whiz off network administrators. The firewalls will log your probes; excessive probing (based on individual network parameters) will trigger DOS investigations on many networks.

What is so obnoxious about the opt-out policy? They tell you plainly and simply: if you connect to us, we will probe you. If you don't want us to probe you, you have two choices: ask us not to probe you (but you must be the designated contact for your IP address, in your case Cedant Web Hosting), or don't connect to us. To me this is a straightforward policy. At least they have a policy (I have not been able to find one for attbi.com). Probe me and I reserve the right to probe back, and I don't have an opt-out policy either.

Larry D. Poos [System Consultant]
LTAD Enterprises

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sun Mar 16 2003 - 22:29:25 PST