Re: [mailop] Internet Research Project on Linode - Any Experience?
On 5/8/22 9:18 AM, Mary via mailop wrote:
> Linode refused to remove them from their servers because they think they are doing "research"...

Aside: What is research? A la. why is fire hot?

> Interestingly, while doing some "research" of my own, I probed them back and found out that they host their servers across a wide range of hosting companies, like AWS, DigitalOcean, Linode and Hetzner, across different geographical regions.

I have no idea if it is the case or not, but I can see some use in conducting research from multiple VPS providers /especially/ if the intent of the research is to identify different behaviors based on the source VPS.

However, as others have stated, this type of research should be quite easy to identify and understand. As in a landing page on the same domain that has sufficient details within one click or full details within a few clicks.

-- 
Grant. . . .
unix || die

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] Internet Research Project on Linode - Any Experience?
I see the same scans on my servers from "internet-research-project.net" and from another scammer called "binaryedge.ninja". Linode refused to remove them from their servers because they think they are doing "research"...

Interestingly, while doing some "research" of my own, I probed them back and found out that they host their servers across a wide range of hosting companies, like AWS, DigitalOcean, Linode and Hetzner, across different geographical regions.

On Fri, 6 May 2022 16:16:53 + (UTC) "L. Mark Stone via mailop" wrote:
> So before I start blocking all of the Linode networks from which this traffic
> originates, I thought I should ask here to see if anyone else has had
> experience with this internet-research-project.net organization.
Re: [mailop] Internet Research Project on Linode - Any Experience?
On Fri 06/May/2022 21:23:24 +0200 Grant Taylor via mailop wrote:
> On 5/6/22 11:41 AM, L. Mark Stone via mailop wrote:
>> So I asked Linode nicely to please take a look; they said they felt it was legitimate traffic because it's just "research" and not "malicious", and then I asked them to stop because we felt it wasn't legal (or give us their IPs so we could stop it), and they said no.
>
> I understand why Linode wouldn't share client's information. I would expect such refusal without a warrant.

I don't. A similar issue happened to me a couple of years ago. I reported a PHP scan to Linode and they replied it was in the scope of a research project. It was binaryedge.io. They gave me a pointer to a list of 1240 scanners. I chose to give them my much much smaller list of addresses for them to skip.

Non-malicious scanners become harmful only because of the traps we set up against the malicious ones.

Best
Ale
-- 
Re: [mailop] Internet Research Project on Linode - Any Experience?
On Fri, 06 May 2022 15:31:12 -0700, Mike D via mailop wrote:
> I highly recommend using greynoise.io to help filter your logs. They do
> a pretty good job of determining what connections are benign scanners
> and which lead to subsequent attacks.

Benign scanners are the ones who transparently announce their intentions, preferably before commencing their scans. ALL others are hostile, without exception. Especially the ones who are checking out login vulnerabilities on an SSH port that has been moved to port 2271.

mdr
-- 
The world was almost won by such an ape!
The nations put him where his kind belong.
But do not rejoice too soon at your escape.
The womb he crawled from is still going strong.
-- Bertolt Brecht, "The Resistible Rise of Arturo Ui"
Re: [mailop] Internet Research Project on Linode - Any Experience?
On 2022-05-06 09:16, L. Mark Stone via mailop wrote:
> Good Morning,
>
> Asking if anyone has had experience with internet-research-project.net please? They have no apparent web presence, so no straightforward way to contact them.

They can be reached via email using concerns@

> Linode hosts this allegedly legitimate security researcher, and my mail systems logs are full of connections from a large number of IPs like "cloud-scanner-17c84c24.internet-research-project.net"

I highly recommend using greynoise.io to help filter your logs. They do a pretty good job of determining what connections are benign scanners and which lead to subsequent attacks.

-Mike
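The pattern Mark describes in the message quoted above (smtpd sessions that connect and disconnect without issuing a single SMTP command, from hosts whose PTR names follow the cloud-scanner-<id>.internet-research-project.net naming) can be pulled out of Postfix logs before deciding what to block. The script below is an added example written for this page, not code from any poster, from Linode or from greynoise.io. The log excerpt is constructed in Postfix smtpd format, the IP addresses are RFC 5737 documentation addresses rather than any scanner's real ones, and the function names and the `min_sessions` threshold are arbitrary choices.

```python
import re
from collections import defaultdict

# Constructed Postfix smtpd log excerpt (not taken from the thread). The PTR names
# follow the "cloud-scanner-<id>.internet-research-project.net" pattern quoted on
# the list; the IPs are RFC 5737 TEST-NET addresses, not the scanner's real ones.
SAMPLE_LOG = """\
May  6 09:01:02 mx1 postfix/smtpd[4101]: connect from cloud-scanner-17c84c24.internet-research-project.net[192.0.2.10]
May  6 09:01:03 mx1 postfix/smtpd[4101]: disconnect from cloud-scanner-17c84c24.internet-research-project.net[192.0.2.10] commands=0/0
May  6 09:02:10 mx1 postfix/smtpd[4102]: connect from mail.example.org[198.51.100.5]
May  6 09:02:11 mx1 postfix/smtpd[4102]: disconnect from mail.example.org[198.51.100.5] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
May  6 09:03:15 mx1 postfix/smtpd[4103]: connect from cloud-scanner-0a1b2c3d.internet-research-project.net[192.0.2.11]
May  6 09:03:15 mx1 postfix/smtpd[4103]: disconnect from cloud-scanner-0a1b2c3d.internet-research-project.net[192.0.2.11] commands=0/0
May  6 09:04:40 mx1 postfix/smtpd[4104]: connect from unknown[203.0.113.7]
May  6 09:04:41 mx1 postfix/smtpd[4104]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 quit=1 commands=2/3
May  6 09:05:00 mx1 postfix/smtpd[4105]: connect from cloud-scanner-17c84c24.internet-research-project.net[192.0.2.10]
May  6 09:05:00 mx1 postfix/smtpd[4105]: disconnect from cloud-scanner-17c84c24.internet-research-project.net[192.0.2.10] commands=0/0
May  6 09:06:30 mx1 postfix/smtpd[4106]: connect from unknown[203.0.113.9]
May  6 09:06:30 mx1 postfix/smtpd[4106]: disconnect from unknown[203.0.113.9] commands=0/0
"""

# Postfix writes "disconnect from <ptr-name>[<ip>] <per-command counters> commands=N" or
# "commands=N/M" (accepted/total); an empty session is logged as "commands=0/0".
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
COMMANDS_RE = re.compile(r"\bcommands=(?P<n>\d+)(?:/\d+)?")


def parse_disconnects(lines):
    """Yield (ptr_name, ip, commands_issued) for every smtpd disconnect record."""
    for line in lines:
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        c = COMMANDS_RE.search(m.group("rest"))
        # Older Postfix releases log no command summary; report that as -1 (unknown).
        n = int(c.group("n")) if c else -1
        yield m.group("host"), m.group("ip"), n


def ptr_domain(host, labels=2):
    """Collapse a PTR name to its last `labels` labels so per-host scanner names
    (cloud-scanner-<id>.example.net) group under one owner. A client with no PTR
    is logged by Postfix as "unknown" and is kept as its own bucket."""
    if host == "unknown":
        return host
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def empty_session_sources(lines, min_sessions=2):
    """Return {ptr_domain: {"sessions": n, "ips": [...]}} for sources that opened a
    session and closed it without a single SMTP command at least `min_sessions` times.
    Sessions with commands (real mail, or an AUTH attempt) are excluded: those are
    handled by the normal anti-spam and brute-force protections, not by this check."""
    stats = defaultdict(lambda: {"sessions": 0, "ips": set()})
    for host, ip, n in parse_disconnects(lines):
        if n != 0:
            continue
        d = ptr_domain(host)
        stats[d]["sessions"] += 1
        stats[d]["ips"].add(ip)
    return {
        d: {"sessions": v["sessions"], "ips": sorted(v["ips"])}
        for d, v in stats.items()
        if v["sessions"] >= min_sessions
    }


if __name__ == "__main__":
    for domain, info in empty_session_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{domain}: {info['sessions']} empty sessions from {', '.join(info['ips'])}")
```

Grouping by PTR suffix is what lets an operator attribute the noise to one named source and then decide about that source alone, whether by feeding its IP list to a firewall or rate limiter or by writing to the contact the PTR domain advertises; clients with no reverse DNS stay in the separate "unknown" bucket, which is exactly the case the transparency criteria discussed on the list are meant to catch. On a production mailer the `SAMPLE_LOG` string would be replaced by reading the mail log file.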
Re: [mailop] Internet Research Project on Linode - Any Experience?
On 6 May 2022 14:53:35 -0400, John Levine via mailop wrote:
> They appear to fail on all three criteria.

As do a couple of parties operating out of several /24 or smaller blocks, none of which are now allowed to connect here.

I cheerfully participate in research, both to my personal benefit and to that of the others. I moderate a support group for a particular neurological condition, and we allow and encourage researchers to invite participants. I note that none of the "research" efforts I have observed from the logs have at any time invited participation.

Accordingly, I engage the functional equivalent of the machete mentioned above.

mdr
-- 
"There are no laws here, only agreements."
-- Masahiko
Re: [mailop] Internet Research Project on Linode - Any Experience?
On 5/6/22 12:20 PM, Bill Cole via mailop wrote:
> If someone were to try opening my front door in the name of "research" there is a non-zero chance that they would have a very unpleasant experience involving a machete and were that to happen, the police would not arrest me. (See "castle doctrine")

And yet there are people that do exactly that, walk down the street trying to open car / home / office doors. Many will subsequently go into a door that does open. Some may close the door and make note of the door's location.

> Scanners should expect hostile reactions. Not machete-to-the-face hostile, but hostile. The best of them are programmatic trespassers.

I completely agree. Everyone should expect repercussions for their actions. How (un)pleasant the repercussion is will be dependent on their actions.

> Given the non-transparency I've seen with Linode, you can expect to encounter blockage as collateral damage. If you're domiciled by Linode in the vicinity of "researchers" who randomly wander the net trying random ports without clearly and openly documenting their "research" you can expect to be treated similarly to your neighbor, if your landlord doesn't make it very clear who is who.

I understand. I agree with the logic. But that doesn't mean that I /like/ the meaning therein. It's one of the reasons that I keep an eye on things and wonder /when/, not /if/, I'll need to move.

-- 
Grant. . . .
unix || die
Re: [mailop] Internet Research Project on Linode - Any Experience?
On 5/6/22 11:41 AM, L. Mark Stone via mailop wrote:
> Hi Grant,

Hi Mark,

> Thanks for your reply.

You're welcome.

> But IMHO, just opening up a connection on TCP port 25 repeatedly without actually trying to send an email inbound, or opening up a connection on TCP port 587 without trying to authenticate is not a legitimate nor legal use;

I largely agree. My qualm is over the use of the word "legal". I'm not aware of any laws that make repeatedly opening TCP connections to ports and not utilizing the ports for the protocol's intended purpose.

> it pretty much looks like an APT that's a prelude to a DDoS attack.

I agree that usage of the port atypical to how the protocol normally operates can be construed as an attack.

> So I asked Linode nicely to please take a look; they said they felt it was legitimate traffic because it's just "research" and not "malicious", and then I asked them to stop because we felt it wasn't legal (or give us their IPs so we could stop it), and they said no.

I understand why Linode wouldn't share client's information. I would expect such refusal without a warrant.

I think the definition / explanation of "legal" will come into play as defense of abuse conducted by a Linode customer.

> If this behavior was coming from a single IP, or in sufficient volume, our protections would have already blocked the offending IPs.

ACK

> Since I have no way to vet the legitimacy of this organization, I asked here if anyone else has experience with them.

Fair enough.

-- 
Grant. . . .
unix || die
Re: [mailop] Internet Research Project on Linode - Any Experience?
It appears that L. Mark Stone via mailop said:
> Thanks Jarland for your reply. We run a commercial multi-tenant email hosting
> service so tightening the screws down as much as you suggest is not possible.
>
> To my original question though... Do you have any experience with
> internet-research-project.net?

Not directly, but in my experience, real research projects make it easy to find out who they are, what they are doing, and how to tell them to stop bothering you.

They appear to fail on all three criteria.

R's,
John
Re: [mailop] Internet Research Project on Linode - Any Experience?
On 2022-05-06 at 13:13:54 UTC-0400 (Fri, 6 May 2022 11:13:54 -0600) Grant Taylor via mailop is rumored to have said:
> On 5/6/22 10:33 AM, Jarland Donnell via mailop wrote:
>> Isn't that a bit of an overreaction? If you didn't want any undesirable traffic you'd whitelist IPs in your firewall or run it on LAN. It's a very standard expectation that other servers will hit yours without your consent on the public internet.
>
> I too believe that having something connected to the Internet without a firewall (et al.) filtering the connections is implicit agreement for someone to connect to the port.

Nope.

If someone were to try opening my front door in the name of "research" there is a non-zero chance that they would have a very unpleasant experience involving a machete and were that to happen, the police would not arrest me. (See "castle doctrine")

Scanners should expect hostile reactions. Not machete-to-the-face hostile, but hostile. The best of them are programmatic trespassers.

> If for nothing other than lack of steps to prevent them from doing so.
>
> In my opinion, being on the Internet is very much akin to being in public. You have exceedingly little, if any, expectation that someone won't try to connect to any port that they can communicate with.
>
> As a Linode user, I would also prefer it if you didn't block Linode addresses carte blanche.

Given the non-transparency I've seen with Linode, you can expect to encounter blockage as collateral damage. If you're domiciled by Linode in the vicinity of "researchers" who randomly wander the net trying random ports without clearly and openly documenting their "research" you can expect to be treated similarly to your neighbor, if your landlord doesn't make it very clear who is who.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: [mailop] Internet Research Project on Linode - Any Experience?
Thanks Jarland for your reply. We run a commercial multi-tenant email hosting service so tightening the screws down as much as you suggest is not possible.

To my original question though... Do you have any experience with internet-research-project.net?

All the best,
Mark
_
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs

- Original Message -
From: "Jarland Donnell via mailop"
To: "mailop"
Sent: Friday, May 6, 2022 12:33:38 PM
Subject: Re: [mailop] Internet Research Project on Linode - Any Experience?

Isn't that a bit of an overreaction? If you didn't want any undesirable traffic you'd whitelist IPs in your firewall or run it on LAN. It's a very standard expectation that other servers will hit yours without your consent on the public internet.

On 2022-05-06 11:16, L. Mark Stone via mailop wrote:
> Good Morning,
>
> Asking if anyone has had experience with internet-research-project.net please? They have no apparent web presence, so no straightforward way to contact them.
>
> Linode hosts this allegedly legitimate security researcher, and my mail systems logs are full of connections from a large number of IPs like "cloud-scanner-17c84c24.internet-research-project.net" where the server just drops the connection without attempting authentication. Looks like a port probe.
>
> I opened up a support case with Linode; they said their Trust & Security team feels their customer is doing legitimate security research. I responded that I thought it was a violation of the Computer Fraud and Abuse Act of 1986 (as amended), as we have never authorized any third party to access our systems for anything other than sending legal email to our customers.
>
> Linode said if I gave Linode all of my servers' IP addresses, they would pass them on to internet-research-project.net with a request that they not probe my IPs any longer (I declined). I responded asking for all of the IPs internet-research-project.net uses so I can block them on my firewall (Linode declined).
>
> So before I start blocking all of the Linode networks from which this traffic originates, I thought I should ask here to see if anyone else has had experience with this internet-research-project.net organization.
>
> I used to host at Linode. I thought they were pretty good a few years ago, with great customer service and solid hosting at the time.
>
> Any insights/suggestions/etc. are greatly appreciated.
>
> Thanks in advance,
> Mark
> _
> L. Mark Stone, Founder
> Mission Critical Email LLC
> North America's Leading Zimbra VAR/BSP/Training Partner
> For Companies With Mission-Critical Email Needs
Re: [mailop] Internet Research Project on Linode - Any Experience?
Of course, most Internet probing systems SHOULD have full transparency, and of course not probe any IPs at abnormal or high rates without considering the destination.

My opinion, if they aren't transparent with their dealings, including PTRs, URLs, User Agents, HELO, and of course 'rwhois', then yes.. If I don't know who they are, and can't contact them to find out, then block them. That does for any email 'validators', or probes of any type. If Shodan wasn't transparent, I would block them too..

This is irrespective of what hosting company they are using. (Just take a look at all of the anonymous ones coming from Azure and AWS)

But, if they aren't abusive, and they are transparent, then hey.. if it doesn't hurt, why worry..

On 2022-05-06 09:16, L. Mark Stone via mailop wrote:
> Good Morning,
>
> Asking if anyone has had experience with internet-research-project.net please? They have no apparent web presence, so no straightforward way to contact them.
>
> Linode hosts this allegedly legitimate security researcher, and my mail systems logs are full of connections from a large number of IPs like "cloud-scanner-17c84c24.internet-research-project.net" where the server just drops the connection without attempting authentication. Looks like a port probe.
>
> [...]
>
> Thanks in advance,
> Mark

-- 
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
Re: [mailop] Internet Research Project on Linode - Any Experience?
Hi Grant,

Thanks for your reply.

Sure, I expect all sorts of folks (including spammers) to try to send email to my customers, as well as bad actors who will try to brute-force accounts. We all have lots of protections in place for those circumstances.

But IMHO, just opening up a connection on TCP port 25 repeatedly without actually trying to send an email inbound, or opening up a connection on TCP port 587 without trying to authenticate is not a legitimate nor legal use; it pretty much looks like an APT that's a prelude to a DDoS attack.

So I asked Linode nicely to please take a look; they said they felt it was legitimate traffic because it's just "research" and not "malicious", and then I asked them to stop because we felt it wasn't legal (or give us their IPs so we could stop it), and they said no.

If this behavior was coming from a single IP, or in sufficient volume, our protections would have already blocked the offending IPs.

Since I have no way to vet the legitimacy of this organization, I asked here if anyone else has experience with them.

Thanks again,
Mark
_
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs

- Original Message -
From: "Grant Taylor via mailop"
To: "mailop"
Sent: Friday, May 6, 2022 1:13:54 PM
Subject: Re: [mailop] Internet Research Project on Linode - Any Experience?

On 5/6/22 10:33 AM, Jarland Donnell via mailop wrote:
> Isn't that a bit of an overreaction? If you didn't want any undesirable
> traffic you'd whitelist IPs in your firewall or run it on LAN. It's a
> very standard expectation that other servers will hit yours without your
> consent on the public internet.

I too believe that having something connected to the Internet without a firewall (et al.) filtering the connections is implicit agreement for someone to connect to the port. If for nothing other than lack of steps to prevent them from doing so.

In my opinion, being on the Internet is very much akin to being in public. You have exceedingly little, if any, expectation that someone won't try to connect to any port that they can communicate with.

As a Linode user, I would also prefer it if you didn't block Linode addresses carte blanche.

-- 
Grant. . . .
unix || die
Re: [mailop] Internet Research Project on Linode - Any Experience?
On 5/6/22 11:03 AM, Michael Butler via mailop wrote:
> If you see an unknown person walk up to your car and try all the doors, the hood and the trunk, even if it's parked on a public street, you'd likely call the police.

Agreed.

I believe that contacting Linode's abuse desk is akin to calling the police.

Remember, just because you call the police / report the problem to Linode, that doesn't mean that the perpetrator will be identified / dealt with.

> What annoys me more is that every two-bit organization is now doing this under the banner of "research" .. so now, instead of a single guy checking your car, we've got entire communities probing not only your car but also your house.

I would suggest parking your car in a non-public space / behind a firewall -- if at all possible.

> How much "noise" should we tolerate before we decide it's a problem? Until it saturates our uplink(s)?

That's up to each recipient of such actions.

> While I have automated mitigations in place, these do have limits that I'd rather not reach.

Responses once the limits of toleration are also up to recipients of such actions.

My opinion is that gone are the days where we can expect non-public ports to be left alone while still being accessible on the Internet.

-- 
Grant. . . .
unix || die
Re: [mailop] Internet Research Project on Linode - Any Experience?
On 5/6/22 10:33 AM, Jarland Donnell via mailop wrote:
> Isn't that a bit of an overreaction? If you didn't want any undesirable traffic you'd whitelist IPs in your firewall or run it on LAN. It's a very standard expectation that other servers will hit yours without your consent on the public internet.

I too believe that having something connected to the Internet without a firewall (et al.) filtering the connections is implicit agreement for someone to connect to the port. If for nothing other than lack of steps to prevent them from doing so.

In my opinion, being on the Internet is very much akin to being in public. You have exceedingly little, if any, expectation that someone won't try to connect to any port that they can communicate with.

As a Linode user, I would also prefer it if you didn't block Linode addresses carte blanche.

-- 
Grant. . . .
unix || die
Re: [mailop] Internet Research Project on Linode - Any Experience?
On 5/6/22 12:33, Jarland Donnell via mailop wrote:
> Isn't that a bit of an overreaction? If you didn't want any undesirable traffic you'd whitelist IPs in your firewall or run it on LAN. It's a very standard expectation that other servers will hit yours without your consent on the public internet.

If you see an unknown person walk up to your car and try all the doors, the hood and the trunk, even if it's parked on a public street, you'd likely call the police.

What annoys me more is that every two-bit organization is now doing this under the banner of "research" .. so now, instead of a single guy checking your car, we've got entire communities probing not only your car but also your house.

How much "noise" should we tolerate before we decide it's a problem? Until it saturates our uplink(s)?

While I have automated mitigations in place, these do have limits that I'd rather not reach.

> On 2022-05-06 11:16, L. Mark Stone via mailop wrote:
>> Good Morning,
>>
>> Asking if anyone has had experience with internet-research-project.net please? They have no apparent web presence, so no straightforward way to contact them.
>>
>> Linode hosts this allegedly legitimate security researcher, and my mail systems logs are full of connections from a large number of IPs like "cloud-scanner-17c84c24.internet-research-project.net" where the server just drops the connection without attempting authentication. Looks like a port probe.
>>
>> [...]
>>
>> Thanks in advance,
>> Mark
Re: [mailop] Internet Research Project on Linode - Any Experience?
Isn't that a bit of an overreaction? If you didn't want any undesirable traffic you'd whitelist IPs in your firewall or run it on LAN. It's a very standard expectation that other servers will hit yours without your consent on the public internet.

On 2022-05-06 11:16, L. Mark Stone via mailop wrote:
> Good Morning,
>
> Asking if anyone has had experience with internet-research-project.net please? They have no apparent web presence, so no straightforward way to contact them.
>
> Linode hosts this allegedly legitimate security researcher, and my mail systems logs are full of connections from a large number of IPs like "cloud-scanner-17c84c24.internet-research-project.net" where the server just drops the connection without attempting authentication. Looks like a port probe.
>
> I opened up a support case with Linode; they said their Trust & Security team feels their customer is doing legitimate security research. I responded that I thought it was a violation of the Computer Fraud and Abuse Act of 1986 (as amended), as we have never authorized any third party to access our systems for anything other than sending legal email to our customers.
>
> [...]
>
> Thanks in advance,
> Mark
> _
> L. Mark Stone, Founder
> Mission Critical Email LLC
> North America's Leading Zimbra VAR/BSP/Training Partner
> For Companies With Mission-Critical Email Needs