Re: [expert] Somewhat OT - Strange action from Road Runner -scanning mail servers
Hello Brian

Just a small note, scanning your server is an illegal action they took. Individuals have been prosecuted for doing far less. I know of one guy that got prosecuted for connecting to the mailserver of some admin to send him an Email that the admin's box was infected with a trojan, and attacking other networks.

I wonder how Roadrunner would respond if you started scanning their networks to determine if they're safe enough to allow them.

In any case, they are clearly violating the law by doing this. Maybe you can also send this story to the Register (http://www.theregister.co.uk). It could make an interesting article in light of the DMCA being used to prosecute hackers that sneeze. I would like to see this put against an arrogant company.

Kind regards

Guy

On Mon, 2002-12-30 at 17:08, Brian wrote:

I noticed in my mail server logs that about a dozen or so scans came from relay=securityscan.sec.rr.com. They were all attempts to relay E-Mail through my mail server. I contacted them asking what this was. They basically said they were going to scan every mail server that sent mail to anyone at rr.com and I could either allow it or they would block my mail server from sending mail to anyone there.

On one hand, I think it's great they are making a stab at stopping spam, but on the other, I feel their efforts are misguided. They will block any mail server that allows relaying which, like many attempts at spam filtering, will also stop legitimate mails as well. They also don't seem likely to be helpful to any system they decide to block by informing them of such. Those blocked systems must just discover that they were blocked, then attempt to find out why.

Here's the answer they sent:

Hello,

The securityscan.sec.rr.com machine is a Road Runner Security resource that is used as a tool to assist us in determining if machines being used to send us mail may be abused from outside sources, allowing them to be used to spam our customers and role accounts.

We fully understand your concerns surrounding the probing of your machine. This issue has been raised internally and we hope this email helps you better understand our process. The intention of this process is truly not meant to be a big brother system, but we understand that some may view it as such. Our ultimate goal, however, is to protect our network, our customers, and our role accounts.

These scans are part of an automated process, and conducted against every host that connects to our inbound mail gateway servers to transmit mail. The connecting IP address will be subject to proxy and smtp relay scans to ensure that the machine at that IP address cannot be abused for malicious purposes. If found to be an open proxy or smtp relay, the IP address will be blocked at our mail gateway borders with one of the following error messages:

ERROR:5.7.1:550 Mail Refused - See http://security.rr.com/mail_blocks.htm#proxy
ERROR:5.7.1:550 Mail Refused - See http://security.rr.com/mail_blocks.htm#relay

We understand that some entities may not wish to be scanned as part of this automated process. If you do not wish to be tested by Road Runner, there are two ways to accomplish this:

1. Do not send mail to Road Runner subscribers.
2. Send an e-mail to '[EMAIL PROTECTED]' with the IP address that you do not wish to be tested. Understand, though, that all e-mails from your server will be blocked from that point, until you let us know that we should begin testing your IP again.

If you have any further questions, you can visit http://security.rr.com or contact Road Runner Security via e-mail at '[EMAIL PROTECTED]'

Regards,
Road Runner Security

-- 
Guy Van Sanden [EMAIL PROTECTED]

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] Somewhat OT - Strange action from Road Runner -scanning mail servers
Did a quick check with a legal type... asked him that given this admission by roadrunner if he thought he could win the case. His off the record answer. When do you want to file the suit.

This is not just in violation of a number of state laws... it's also apparently in violation of Federal Law.

Have fun with it call the FBI and report them. Those guys are real serious about stuff like this.

James

On Tue, 2002-12-31 at 00:36, Guy Van Sanden wrote:

Hello Brian

Just a small note, scanning your server is an illegal action they took. Individuals have been prosecuted for doing far less. I know of one guy that got prosecuted for connecting to the mailserver of some admin to send him an Email that the admin's box was infected with a trojan, and attacking other networks.

I wonder how Roadrunner would respond if you started scanning their networks to determine if they're safe enough to allow them.

In any case, they are clearly violating the law by doing this. Maybe you can also send this story to the Register (http://www.theregister.co.uk). It could make an interesting article in light of the DMCA being used to prosecute hackers that sneeze. I would like to see this put against an arrogant company.

Kind regards

Guy

On Mon, 2002-12-30 at 17:08, Brian wrote:

I noticed in my mail server logs that about a dozen or so scans came from relay=securityscan.sec.rr.com. They were all attempts to relay E-Mail through my mail server. I contacted them asking what this was. They basically said they were going to scan every mail server that sent mail to anyone at rr.com and I could either allow it or they would block my mail server from sending mail to anyone there.

On one hand, I think it's great they are making a stab at stopping spam, but on the other, I feel their efforts are misguided. They will block any mail server that allows relaying which, like many attempts at spam filtering, will also stop legitimate mails as well. They also don't seem likely to be helpful to any system they decide to block by informing them of such. Those blocked systems must just discover that they were blocked, then attempt to find out why.

Here's the answer they sent:

Hello,

The securityscan.sec.rr.com machine is a Road Runner Security resource that is used as a tool to assist us in determining if machines being used to send us mail may be abused from outside sources, allowing them to be used to spam our customers and role accounts.

We fully understand your concerns surrounding the probing of your machine. This issue has been raised internally and we hope this email helps you better understand our process. The intention of this process is truly not meant to be a big brother system, but we understand that some may view it as such. Our ultimate goal, however, is to protect our network, our customers, and our role accounts.

These scans are part of an automated process, and conducted against every host that connects to our inbound mail gateway servers to transmit mail. The connecting IP address will be subject to proxy and smtp relay scans to ensure that the machine at that IP address cannot be abused for malicious purposes. If found to be an open proxy or smtp relay, the IP address will be blocked at our mail gateway borders with one of the following error messages:

ERROR:5.7.1:550 Mail Refused - See http://security.rr.com/mail_blocks.htm#proxy
ERROR:5.7.1:550 Mail Refused - See http://security.rr.com/mail_blocks.htm#relay

We understand that some entities may not wish to be scanned as part of this automated process. If you do not wish to be tested by Road Runner, there are two ways to accomplish this:

1. Do not send mail to Road Runner subscribers.
2. Send an e-mail to '[EMAIL PROTECTED]' with the IP address that you do not wish to be tested. Understand, though, that all e-mails from your server will be blocked from that point, until you let us know that we should begin testing your IP again.

If you have any further questions, you can visit http://security.rr.com or contact Road Runner Security via e-mail at '[EMAIL PROTECTED]'

Regards,
Road Runner Security
Re: [expert] Somewhat OT - Strange action from Road Runner - scanning mail servers
On Mon, 30 Dec 2002 17:06:15 -0600 J. Craig Woods [EMAIL PROTECTED] wrote:

Brian wrote:

I noticed in my mail server logs that about a dozen or so scans came from relay=securityscan.sec.rr.com. They were all attempts to relay E-Mail through my mail server.

[snip]

I have read their response, and for the sake of saving bandwidth, I am not including it. I completely agree with their answer to you, and would further ask you why would anyone run a mailserver with open relays? You are asking for many problems by doing so, and you are making the internet a much more difficult place to navigate by inviting unscrupulous bastards to use your mailserver for their filthy deeds. Maybe you could supply a reason for allowing a public mailserver to have open relays. I can not think of any reason for it!

Furthermore, if you read their response to you, you will see that they do send notification of why you can not pass mail to their network:

[snip]

-- 
J. Craig Woods
UNIX Network/System Administration
http://www.trismegistus.net/resume.html
Character is built upon the debris of despair --Emerson

Actually, you really didn't understand the situation. I make every effort to prevent both abuse of my mail server and allowing it to abuse others. It is NOT an open relay. The response for Road Runner was only after I noticed their actions in the mail server log and sent them a message asking what was the reason for their actions. They were not informing me they had blocked my server, they only provided a sample of the message that MIGHT be sent if the server were to be blocked.

While I totally agree there should not be any mail servers allowing relaying, not everyone agrees with this and for sometimes the wrong reasons they feel they need a mail server with open relaying. Some mail servers are still several years behind software-wise and back in those days the default setting allowed relaying.

Your failure to fully read my post made your answer less than useful. The issue was whether it's acceptable for anyone to make any kind of security scans of another server without permission from the operator of that server. How would you like it if I took it upon myself to scan any servers you are running silently and then without so much as offering you the results of those scans block your system if I didn't like the way you had your servers setup?
[expert] Somewhat OT - Strange action from Road Runner - scanning mail servers
I noticed in my mail server logs that about a dozen or so scans came from relay=securityscan.sec.rr.com. They were all attempts to relay E-Mail through my mail server. I contacted them asking what this was. They basically said they were going to scan every mail server that sent mail to anyone at rr.com and I could either allow it or they would block my mail server from sending mail to anyone there.

On one hand, I think it's great they are making a stab at stopping spam, but on the other, I feel their efforts are misguided. They will block any mail server that allows relaying which, like many attempts at spam filtering, will also stop legitimate mails as well. They also don't seem likely to be helpful to any system they decide to block by informing them of such. Those blocked systems must just discover that they were blocked, then attempt to find out why.

Here's the answer they sent:

Hello,

The securityscan.sec.rr.com machine is a Road Runner Security resource that is used as a tool to assist us in determining if machines being used to send us mail may be abused from outside sources, allowing them to be used to spam our customers and role accounts.

We fully understand your concerns surrounding the probing of your machine. This issue has been raised internally and we hope this email helps you better understand our process. The intention of this process is truly not meant to be a big brother system, but we understand that some may view it as such. Our ultimate goal, however, is to protect our network, our customers, and our role accounts.

These scans are part of an automated process, and conducted against every host that connects to our inbound mail gateway servers to transmit mail. The connecting IP address will be subject to proxy and smtp relay scans to ensure that the machine at that IP address cannot be abused for malicious purposes. If found to be an open proxy or smtp relay, the IP address will be blocked at our mail gateway borders with one of the following error messages:

ERROR:5.7.1:550 Mail Refused - See http://security.rr.com/mail_blocks.htm#proxy
ERROR:5.7.1:550 Mail Refused - See http://security.rr.com/mail_blocks.htm#relay

We understand that some entities may not wish to be scanned as part of this automated process. If you do not wish to be tested by Road Runner, there are two ways to accomplish this:

1. Do not send mail to Road Runner subscribers.
2. Send an e-mail to '[EMAIL PROTECTED]' with the IP address that you do not wish to be tested. Understand, though, that all e-mails from your server will be blocked from that point, until you let us know that we should begin testing your IP again.

If you have any further questions, you can visit http://security.rr.com or contact Road Runner Security via e-mail at '[EMAIL PROTECTED]'

Regards,
Road Runner Security
Re: [expert] Somewhat OT - Strange action from Road Runner - scanning mail servers
Brian wrote:

I noticed in my mail server logs that about a dozen or so scans came from relay=securityscan.sec.rr.com. They were all attempts to relay E-Mail through my mail server. I contacted them asking what this was. They basically said they were going to scan every mail server that sent mail to anyone at rr.com and I could either allow it or they would block my mail server from sending mail to anyone there.

On one hand, I think it's great they are making a stab at stopping spam, but on the other, I feel their efforts are misguided. They will block any mail server that allows relaying which, like many attempts at spam filtering, will also stop legitimate mails as well. They also don't seem likely to be helpful to any system they decide to block by informing them of such. Those blocked systems must just discover that they were blocked, then attempt to find out why.

Here's the answer they sent:

I have read their response, and for the sake of saving bandwidth, I am not including it. I completely agree with their answer to you, and would further ask you why would anyone run a mailserver with open relays? You are asking for many problems by doing so, and you are making the internet a much more difficult place to navigate by inviting unscrupulous bastards to use your mailserver for their filthy deeds. Maybe you could supply a reason for allowing a public mailserver to have open relays. I can not think of any reason for it!

Furthermore, if you read their response to you, you will see that they do send notification of why you can not pass mail to their network:

[QUOTE]
If found to be an open proxy or smtp relay, the IP address will be blocked at our mail gateway borders with one of the following error messages:

ERROR:5.7.1:550 Mail Refused - See http://security.rr.com/mail_blocks.htm#proxy
ERROR:5.7.1:550 Mail Refused - See http://security.rr.com/mail_blocks.htm#relay

I only wish more people would set up their mailservers as such. We would all be so much better off. Thanks for sharing the letter. I hope it is something we all think about before *just* turning on sendmail or postfix.

drjung

-- 
J. Craig Woods
UNIX Network/System Administration
http://www.trismegistus.net/resume.html
Character is built upon the debris of despair --Emerson
Re: [expert] Somewhat OT - Strange action from Road Runner -scanning mail servers
Speaking of relaying mail. Where is it in postfix that turns relaying off? I want to make damn sure that I'm not a relay. I don't think I am but just want to check.

I only wish more people would set up their mailservers as such. We would all be so much better off. Thanks for sharing the letter. I hope it is something we all think about before *just* turning on sendmail or postfix.

drjung

-- 
Bill Beauchemin
www.billbeau.net
Home of Beau's Bullet and Beautie Goldens
Re: [expert] Somewhat OT - Strange action from Road Runner -scanning mail servers
This time Bill Beauchemin [EMAIL PROTECTED] becomes daring and writes:

Speaking of relaying mail. Where is it in postfix that turns relaying off? I want to make damn sure that I'm not a relay. I don't think I am but just want to check.

To relay in postfix you have to do several things...the compiled default doesn't let mail through except from the same subnet and from localhost. Mandrake's default configuration doesn't change that. You'd probably want to go through /etc/postfix/main.cf and just search for the word relay and you'll see 2 or 3 different methods described for doing mail relaying that you can activate...but they are inactive by default.

Vox

-- 
Think of the Linux community as a niche economy isolated by its beliefs. Kind of like the Amish, except that our religion requires us to use _higher_ technology than everyone else. -- Donald B. Marti Jr.
Re: [expert] Somewhat OT - Strange action from Road Runner -scanning mail servers
You're correct. Thanks :)

To relay in postfix you have to do several things...the compiled default doesn't let mail through except from the same subnet and from localhost. Mandrake's default configuration doesn't change that. You'd probably want to go through /etc/postfix/main.cf and just search for the word relay and you'll see 2 or 3 different methods described for doing mail relaying that you can activate...but they are inactive by default.

Vox

-- 
Bill Beauchemin
www.billbeau.net
Home of Beau's Bullet and Beautie Goldens
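
The main.cf review suggested in the reply above, as an added example that is not part of the thread and not Postfix's own code: it parses a main.cf and flags explicit settings that widen relaying. The sample file and the function names are constructed for illustration, and the check assumes a Postfix of the thread's era, where `smtpd_recipient_restrictions` is the relay control (the `smtpd_relay_restrictions` list of Postfix 2.10 and later is not modelled).

```python
import ipaddress
import re

# Constructed sample main.cf (not from the thread): trust widened to every
# address, and a bare "permit" placed ahead of the relay check.
SAMPLE_MAIN_CF = """\
# relay-related settings
myhostname = mail.example.org
mynetworks = 127.0.0.0/8,
    0.0.0.0/0
#relay_domains = $mydestination
smtpd_recipient_restrictions = permit_mynetworks, permit,
    reject_unauth_destination
"""

# Restrictions that refuse mail for destinations this host does not serve.
RELAY_GUARDS = {"reject_unauth_destination", "check_relay_domains", "reject", "defer"}

def parse_main_cf(text):
    """Return {name: value}: skip comments and blank lines, join continuation
    lines (leading whitespace), let the last assignment of a name win."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
        elif "=" in raw:
            current, _, value = (p.strip() for p in raw.partition("="))
            params[current] = value
    return params

def audit_relay(params):
    """Return findings for relay-related parameters that are explicitly set."""
    findings = []
    for entry in re.split(r"[,\s]+", params.get("mynetworks", "")):
        try:
            net = ipaddress.ip_network(re.sub(r"[\[\]]", "", entry), strict=False)
        except ValueError:
            continue  # empty, table lookup or file path: not judged here
        if net.prefixlen == 0:
            findings.append(f"mynetworks trusts every address ({entry})")
    if params.get("mynetworks_style") == "class":
        findings.append("mynetworks_style=class trusts the whole class A/B/C network")
    if "smtpd_recipient_restrictions" in params:
        for tok in re.split(r"[,\s]+", params["smtpd_recipient_restrictions"]):
            if tok in RELAY_GUARDS:
                break  # relay check reached before any blanket permit
            if tok == "permit":
                findings.append("bare permit before the relay check")
                break
        else:
            findings.append("smtpd_recipient_restrictions has no relay check")
    return findings

if __name__ == "__main__":
    for finding in audit_relay(parse_main_cf(SAMPLE_MAIN_CF)):
        print("FINDING:", finding)
```

Parameters that are absent from the file produce no finding, since the compiled defaults then apply.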