Re: anti-spam vs network abuse
Honestly people, to summarize all this... Legislation is not the correct "knee jerk" response to technical challenges... Lawyers and Politicians just -think- it is Perhaps related to perceiving themselves as important to the problem, eh ? And, that also happens to create a situation where they get paid to be involved, eh ? Science really doesn't care about what is politically correct, or who you are, all it really cares about is mathematics, and reality. Only politicians think it bends to their whim... (See the attempt to "legislate" the value of PI) The reality is, if we outlaw probing, we will be arresting thousands of innocents, as 80% (if not more, this stat is made up, but based upon real world observation ) of the probes in the internet are caused by trojans and worms So, Grandma Kettle, sitting out in her cornfield, on GTE DSL is going to go to jail, because her grandson downloaded a "neat" program he saw on the internet or, clicked on the attachment that arrived in the e-mail whose subject was the beginning of a cute little joke about snow white, and some dwarves By that standard we would be arresting the Microsoft database administrators, for participating in the most recent SQL based worm. (Once penetrated, the MS servers probed other servers to self-propogate, just like other compromised servers..) The sheer volume of "false probe positives" could busy out -any- size agency created to enforce such a law. Legislating something rarely makes the situation better, when it comes to science.I sugges the answer is found in ACL's, and the technical arena, not the political.. And, also, I suggest PI should remain 3.14(etc.), no matter what the politicians say. Michael Lamoureux wrote: > > "andy" == Andy Dills <[EMAIL PROTECTED]> writes: > > andy> On Fri, 28 Feb 2003, Charlie Clemmer wrote: > > >> At 03:52 PM 2/28/2003 -0500, Andy Dills wrote: > >> >Why is probing networks wrong? > >> > >> Depends on why you're doing the probing. > > andy> If so, why outlaw the act of probing? Why not outlaw "probing > andy> for the purposes of..."? > > What's the offset into the probe packets to the "intent of the this > probe" field? And would you trust it if there were one anyway? > > >> If you're randomly walk up to my house and check to see if the door > >> is unlocked, you better be ready for a reaction. Same thing with > >> unsolicited probes, in my opinion. Can I randomly walk up to your > >> car to see if it's unlocked without getting a reaction out of you? > > andy> This is different. Metaphors applying networking concepts to > andy> real world scenarios are tenuous at best. > > andy> In this case, your door being unlocked cannot cause me > andy> harm. However, an "unlocked proxy" can. > > Heh, so I guess you could make it his gun and the safety. Does that > change your answer? ;-) > > andy> Legit probes are an attempt to mitigate network abuse, not > andy> increase it. If there was a sanctioned body who was trusted to > andy> scan for such things, maybe this wouldn't be an issue. But > andy> there's not, so it's a vigilante effort. > > What's a legit probe? One where the owner gave you permission in > advance to run the scan? I can't think of another definition of that > phrase. > > andy> You don't have to. This is why I never understood why people > andy> care so much about probing. If you do a good job with your > andy> network, probing will have zero affect on you. All the person > andy> probing can do (regardless of their intent) is say "Gee, I guess > andy> there aren't any vulnerabilities with this network." > > This is a completely naive statement. There are 0 networks that I'm > willing to believe have 0 vulnerabilities on them. There may be 0 > that you know about, but that doesn't mean there aren't more > vulnerabilities which aren't public knowledge lurking in sendmail or > bind or ssh or ssl or apache or any number of other services you have > running. > > IMHO, > Michael
Re: anti-spam vs network abuse
"andy" == Andy Dills <[EMAIL PROTECTED]> writes: andy> On 1 Mar 2003, Michael Lamoureux wrote: andy> If you do a good job with your network, probing will have zero andy> affect on you. All the person probing can do (regardless of andy> their intent) is say "Gee, I guess there aren't any andy> vulnerabilities with this network." >> >> This is a completely naive statement. There are 0 networks that I'm >> willing to believe have 0 vulnerabilities on them. There may be 0 >> that you know about, but that doesn't mean there aren't more >> vulnerabilities which aren't public knowledge lurking in sendmail or >> bind or ssh or ssl or apache or any number of other services you have >> running. andy> My statement is as naive as yours is ridiculous. andy> You're telling me your IDS systems tell you when there is a new andy> vulnerabilitiy, before you see it on bugtraq? I've read my statement quite a few times, and I can't see where I even implied that. andy> So, since I'm so naive, No no no...I never said that YOU were naive. I said the statement that if you've done a good job, all the prober can do is say that there aren't any vulnerabilities on your network was naive. Your own argument supports what I said. My whole point was that no matter how good a job you do, you probably are still vulnerable to something. andy> You realize that scanning happens after exploits get published, andy> not before. I don't even make the assumption that all exploits ever get published. andy> My network is as secure as it can be, which IS NOT the same as andy> "My network is invulnerable". Exactly. andy> Don't put words into my mouth simply so you can call them naive. I'm not 100% sure where I did this, but I completely apologize if I have. IMHO, Michael
Re: anti-spam vs network abuse
On 1 Mar 2003, Michael Lamoureux wrote: > >> If you're randomly walk up to my house and check to see if the door > >> is unlocked, you better be ready for a reaction. Same thing with > >> unsolicited probes, in my opinion. Can I randomly walk up to your > >> car to see if it's unlocked without getting a reaction out of you? > > andy> This is different. Metaphors applying networking concepts to > andy> real world scenarios are tenuous at best. > > andy> In this case, your door being unlocked cannot cause me > andy> harm. However, an "unlocked proxy" can. > > Heh, so I guess you could make it his gun and the safety. Does that > change your answer? ;-) No, because a gun is private property and is not laying around for the public to examine. If I saw a gun sitting on the street, I would take it to the police. Even though that might be stealing, I'm still doing the right thing. Any more metaphors for me to debunk? Here's another weak metaphor for you: Probing ports is like knocking on a door. It's not inherently a nuisance. Knocking repeatedly without regard to the people inside is abuse. Likewise, knocking on a door, noticing that nobody is home, trying the knob, seeing that it's unlocked, and entering...that's clearly abuse also. But should we outlaw knocking on doors because some people do it to annoy people and some people do it to see if they can break in? But of course, that's not even the same, for various reasons. So, let's stop using metaphors to debate this. As Jack Nicholson said in "As Good as it Gets", "People who speak in metaphors should shampoo my crotch." > andy> Legit probes are an attempt to mitigate network abuse, not > andy> increase it. If there was a sanctioned body who was trusted to > andy> scan for such things, maybe this wouldn't be an issue. But > andy> there's not, so it's a vigilante effort. > > What's a legit probe? One where the owner gave you permission in > advance to run the scan? I can't think of another definition of that > phrase. A legit probe is simply a probe with good intentions. And no, you have no way of knowing. But you also don't have to accept his traffic. So don't try to make this a LEGAL issue, keep it civil. > andy> You don't have to. This is why I never understood why people > andy> care so much about probing. If you do a good job with your > andy> network, probing will have zero affect on you. All the person > andy> probing can do (regardless of their intent) is say "Gee, I guess > andy> there aren't any vulnerabilities with this network." > > This is a completely naive statement. There are 0 networks that I'm > willing to believe have 0 vulnerabilities on them. There may be 0 > that you know about, but that doesn't mean there aren't more > vulnerabilities which aren't public knowledge lurking in sendmail or > bind or ssh or ssl or apache or any number of other services you have > running. My statement is as naive as yours is ridiculous. You're telling me your IDS systems tell you when there is a new vulnerabilitiy, before you see it on bugtraq? I don't think so. You can see people scanning your network on port 80, but does that tell you apache has a vulnerability? People are probing on port 25are they looking to exploit an unknown bug...or just looking to relay spam? Maybe they're just trying to make sure you don't have any open relays on your network? Who knows. You don't. So watching your IDS logs won't tell you jack, because people who are trying to hack you WILL NOT SCAN FROM WHERE THEY HACK. You're not going to get any advance knowlegde of an exploit, and you're not even going to know where the actual hack is coming from. So, since I'm so naive, please explain to me what you can do differently than I can, simply by following a few fundemental rules. Rule 1: All windows boxes behind a well implemented firewall. Rule 2: Run only required services on unix servers, with a packet filter (ipfw and friends) to easily drop http or smtp traffic quickly and easily. Rule 3: Keep current with all bugfixes. Rule 4: Filter packets network-wide, when needed. (snmp, slammer, etc) So, keeping such a detailed eye on the stray packets that enter your network, what will you know about an attack that I wouldn't? You realize that scanning happens after exploits get published, not before. Scanning as a precursor to attack is done by unskilled mass-hackers. People who write exploits don't scan, and if they do, they WILL NOT hack from where they scan. So that reactive filter rule based on the portscan doesn't help you. So, in your hypothetical, when some popular daemon develops a vulnerability (like with openssh and apache within the last year), what are YOU going to do about it before the workarounds and patches are available? Nothing. And that's why I don't bother worrying about it. My network is as secure as it can be, which IS NOT the same as "My network is invulnerable". Don't put words into my mouth simply so you can call them naive. Andy x
Re: anti-spam vs network abuse
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 At 02:07 PM 3/1/2003 -0500, [EMAIL PROTECTED] wrote: >People speed, drive drunk, and run over pedestrians. Should we outlaw >cars? Maybe just in California? :) To use your analogy, you'd have to outlaw computers because they're used to bad things. That's not what's being discussed. Speeding can cause harm to others, thus it's against the law. Same with drunk and reckless driving. So, since probing is often used for malicious intent, should it not also be prohibited or at the very least limited? Since there's no way to tell if a probe is being done for precautionary or exploratory purposes, me being the security paranoid type that I am will always assume the worst and react accordingly. I don't think I'm alone here. -BEGIN PGP SIGNATURE- Version: PGP 8.0 iQA/AwUBPmENg6vEtUU05riwEQJp4ACfS9HoxmdPVMf0ugiUkjjAjvr7Jz0AnjvH RIYXLLs6Fm6N/s7ZJcfLLRQa =lMDX -END PGP SIGNATURE-
Re: anti-spam vs network abuse
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 At 01:41 PM 3/1/2003 -0500, Michael Lamoureux wrote: > andy> In this case, your door being unlocked cannot cause me >andy> harm. However, an "unlocked proxy" can. > >Heh, so I guess you could make it his gun and the safety. Does that >change your answer? ;-) Heh ... I wasn't going to go there, but that's what I meant by being prepared for my response. :) -BEGIN PGP SIGNATURE- Version: PGP 8.0 iQA/AwUBPmEK3qvEtUU05riwEQJ0CQCgsGRx8acSws4V4nQ6wJuodBtewukAoPOd fYTiwDfn9DEn7yUGIW5esq4/ =m4Xq -END PGP SIGNATURE-
Re: anti-spam vs network abuse
On 1 Mar 2003, Michael Lamoureux wrote: > andy> If so, why outlaw the act of probing? Why not outlaw "probing > andy> for the purposes of..."? > > What's the offset into the probe packets to the "intent of the this > probe" field? And would you trust it if there were one anyway? People speed, drive drunk, and run over pedestrians. Should we outlaw cars? Maybe just in California? :) > What's a legit probe? One where the owner gave you permission in > advance to run the scan? I can't think of another definition of that > phrase. When you walk into the secure part of an airport or some schools in rough neighborhoods, you're scanned for metallic objects. When you exchange traffic with certain networks, they may also want to check you out to see what risk may be associated with accepting your data in the future. If your system is an open relay/proxy, then there's elevated risk that at some point (if not already), the data coming from your system will be SPAM. Some networks will choose not to accept your data or to tag it in order to prevent their customers from having to accept unwanted data. > This is a completely naive statement. There are 0 networks that I'm > willing to believe have 0 vulnerabilities on them. There may be 0 > that you know about, but that doesn't mean there aren't more > vulnerabilities which aren't public knowledge lurking in sendmail or > bind or ssh or ssl or apache or any number of other services you have > running. So if nobody probes your network, it's more secure? -- Jon Lewis [EMAIL PROTECTED]| I route System Administrator| therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: anti-spam vs network abuse
"andy" == Andy Dills <[EMAIL PROTECTED]> writes: andy> On Fri, 28 Feb 2003, Charlie Clemmer wrote: >> At 03:52 PM 2/28/2003 -0500, Andy Dills wrote: >> >Why is probing networks wrong? >> >> Depends on why you're doing the probing. andy> If so, why outlaw the act of probing? Why not outlaw "probing andy> for the purposes of..."? What's the offset into the probe packets to the "intent of the this probe" field? And would you trust it if there were one anyway? >> If you're randomly walk up to my house and check to see if the door >> is unlocked, you better be ready for a reaction. Same thing with >> unsolicited probes, in my opinion. Can I randomly walk up to your >> car to see if it's unlocked without getting a reaction out of you? andy> This is different. Metaphors applying networking concepts to andy> real world scenarios are tenuous at best. andy> In this case, your door being unlocked cannot cause me andy> harm. However, an "unlocked proxy" can. Heh, so I guess you could make it his gun and the safety. Does that change your answer? ;-) andy> Legit probes are an attempt to mitigate network abuse, not andy> increase it. If there was a sanctioned body who was trusted to andy> scan for such things, maybe this wouldn't be an issue. But andy> there's not, so it's a vigilante effort. What's a legit probe? One where the owner gave you permission in advance to run the scan? I can't think of another definition of that phrase. andy> You don't have to. This is why I never understood why people andy> care so much about probing. If you do a good job with your andy> network, probing will have zero affect on you. All the person andy> probing can do (regardless of their intent) is say "Gee, I guess andy> there aren't any vulnerabilities with this network." This is a completely naive statement. There are 0 networks that I'm willing to believe have 0 vulnerabilities on them. There may be 0 that you know about, but that doesn't mean there aren't more vulnerabilities which aren't public knowledge lurking in sendmail or bind or ssh or ssl or apache or any number of other services you have running. IMHO, Michael
Re: anti-spam vs network abuse
At 05:05 PM 28-02-03 -0500, Len Rose wrote: Scanning is always a precursor to an attack, or to determine if any obvious methodology can be used to attack. At least that's how it has been historically viewed. When buying from Landsend or Amazon, I normally trust their ecommerce security. But when I am buying something online from "Bubba's Lasermax Imporium" in Nebraska, I will scan their site as well as "Dwyne's Glock Shop" in Arkansas and pick the one with the more secure ecommerce rather than the one with the cheaper price. Call me Joe consumer :-) -Hank
Re: anti-spam vs network abuse
[EMAIL PROTECTED] writes: > When I hooked up my first server on the internet back in 1993, I was kind > of shocked that some far away stranger was trying to log into my POP3 > server. Unwanted connections have been a fact of life on the internet > probably since its beginning. here's a sample of current SMTP activity in unused parts of ISC's netblocks: > [211.59.151.211] -> [204.152.191.97] hanmir.com <[EMAIL PROTECTED]> (136) > <[EMAIL PROTECTED]> > -- > Message-ID: <[EMAIL PROTECTED]> > X-EM-Version: 6, 0, 0, 4 > X-EM-Registration: #0010630410721500AB30 > Reply-To: [EMAIL PROTECTED] > From: "coscard01" <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: 204.152.191.97 > Date: Thu, 27 Feb 2003 09:55:10 +0900 > MIME-Version: 1.0 > Content-Type: text/html; charset=KS_C_5601-1987 > Content-Transfer-Encoding: quoted-printable > > [211.59.151.211] -> [204.152.191.98] hanmir.com <[EMAIL PROTECTED]> (136) > <[EMAIL PROTECTED]> > -- > Message-ID: <[EMAIL PROTECTED]> > X-EM-Version: 6, 0, 0, 4 > X-EM-Registration: #0010630410721500AB30 > Reply-To: [EMAIL PROTECTED] > From: "coscard01" <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: 204.152.191.98 > Date: Thu, 27 Feb 2003 09:55:11 +0900 > MIME-Version: 1.0 > Content-Type: text/html; charset=KS_C_5601-1987 > Content-Transfer-Encoding: quoted-printable > > [211.59.151.211] -> [204.152.191.99] hanmir.com <[EMAIL PROTECTED]> (136) > <[EMAIL PROTECTED]> > -- > Message-ID: <[EMAIL PROTECTED]> > X-EM-Version: 6, 0, 0, 4 > X-EM-Registration: #0010630410721500AB30 > Reply-To: [EMAIL PROTECTED] > From: "coscard01" <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: 204.152.191.99 > Date: Thu, 27 Feb 2003 09:55:11 +0900 > MIME-Version: 1.0 > Content-Type: text/html; charset=KS_C_5601-1987 > Content-Transfer-Encoding: quoted-printable here's the "sort | uniq -c | sort -nr" output from the last two weeks: > 757266 210.218.176.100 > 126472 210.105.112.100 > 2032 211.59.151.211 > 1261 218.49.187.136 > 780 219.248.155.57 > 508 211.49.94.75 > 508 211.49.94.211 > 508 211.49.94.118 > 508 211.194.117.174 > 506 218.49.187.184 > 378 211.49.94.238 > 252 218.49.187.176 > 221 61.75.215.47 > 214 61.61.28.159 > 118 61.254.207.114 >6 62.79.90.71 >4 217.226.92.40 >3 80.130.52.180 >3 217.226.91.5 >2 80.130.54.82 >2 217.226.91.68 >2 217.226.82.168 >1 62.79.110.122 >1 217.226.85.181 >1 217.226.83.80 i don't think this is, ever was, or will be allowed to be, a fact of my life. -- Paul Vixie
Re: anti-spam vs network abuse
On Sat, 1 Mar 2003 [EMAIL PROTECTED] wrote: > On Fri, 28 Feb 2003, Andy Dills wrote: > > > You don't have to. This is why I never understood why people care so much > > about probing. If you do a good job with your network, probing will have > > zero affect on you. All the person probing can do (regardless of their > > intent) is say "Gee, I guess there aren't any vulnerabilities with this > > network." > > When I hooked up my first server on the internet back in 1993, I was kind > of shocked that some far away stranger was trying to log into my POP3 > server. Unwanted connections have been a fact of life on the internet > probably since its beginning. Maybe so, but I think any net admin should care if his hosts are being probed, even if he is under the mistaken assumtion that those hosts are invulnerable. If I see several ports being probed, I drop an email to [EMAIL PROTECTED] It may well be innocent (I do it myself for valid reasons at times), but it's good to let the respective abuse departments know what's going on, for two reasons: 1) It gives them a heads up to keep an eye out for other "suspicious" activity from that host/user. 2) it usually lets that user know you're alert. Call it "profiling", only based on "curiosity" instead of ethnicity :) James Smallacombe PlantageNet, Inc. CEO and Janitor [EMAIL PROTECTED] http://3.am =
Re: anti-spam vs network abuse
On Fri, 28 Feb 2003, Andy Dills wrote: > Actually, I think the debate starts with Paul telling Jon that Jon isn't > passively scanning connection hosts, he's actively trawling for open > proxies, that Paul has the logs to prove it, and that since Paul is in > California, Jon has broken the law. He was using considerable artistic license with the numbers when he said every IP on every net he owns had been checked by NJABL. The reality is more like 0.06% of the IPs on 3 networks he owns or manages were checked over the span of about 7 months. At that rate (if my math is correct), it would take almost 1000 years to scan all the IPs on those networks. Hopefully, someone will have solved this spam problem by then. > You don't have to. This is why I never understood why people care so much > about probing. If you do a good job with your network, probing will have > zero affect on you. All the person probing can do (regardless of their > intent) is say "Gee, I guess there aren't any vulnerabilities with this > network." When I hooked up my first server on the internet back in 1993, I was kind of shocked that some far away stranger was trying to log into my POP3 server. Unwanted connections have been a fact of life on the internet probably since its beginning. -- Jon Lewis [EMAIL PROTECTED]| I route System Administrator| therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: anti-spam vs network abuse
On Fri, 28 Feb 2003, Roy wrote: > I haven not checked NJABL but some of the other other open relay testers use > scenarios that are illegal (actually criminal) in California. If you mean the use of "incorrect" from addresses, I believe that law only applies if the message(s) sent with someone else's address results in damage. I'm not here to debate the issue, and I certainly didn't mean to start such a long thread here (the same post went to spam-l, where it was nearly ignored), but I don't think 1 test message sent every 4 weeks (or less frequently) will cause damage[1]. [1] yes...I am aware of one case where were ORBZ got in some hot water over an SMTP envelope that effectively broke an outdated version of Lotus Domino. NJABL takes precautions to not repeat that mishap. Just to be safe, mayby I'll avoid visiting the People's Republic of Kalifornia. That shouldn't be so hard. -- Jon Lewis [EMAIL PROTECTED]| I route System Administrator| therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: anti-spam vs network abuse
Hi, NANOGers. ] and conversely, all attacks are not preceded by scanning. Very true. Most of the attack activity I monitor does not include scanning activity or any other reconnaissance. However, those who attack often enjoy monitoring their progress. This can be an interesting (albeit difficult) way to trace back the attack to the sources. Thanks, Rob. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
Re: anti-spam vs network abuse
It isn't the probing that is illegal in California, its the unauthorized use of a domain name especially in the from address. http://law.spamcon.org/us-laws/states/ca/pc_502.shtml 9.Knowingly and without permission uses the Internet domain name of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages, and Andy Dills wrote: > On Fri, 28 Feb 2003, Charlie Clemmer wrote: > > > At 03:52 PM 2/28/2003 -0500, Andy Dills wrote: > > >Why is probing networks wrong? > > > > Depends on why you're doing the probing. > > If so, why outlaw the act of probing? Why not outlaw "probing for the > purposes of..."? > > > If you're randomly walk up to my house and check to see if the door is > > unlocked, you better be ready for a reaction. Same thing with unsolicited > > probes, in my opinion. Can I randomly walk up to your car to see if it's > > unlocked without getting a reaction out of you? > > This is different. Metaphors applying networking concepts to real world > scenarios are tenuous at best. > > In this case, your door being unlocked cannot cause me harm. However, an > "unlocked proxy" can. Legit probes are an attempt to mitigate network > abuse, not increase it. If there was a sanctioned body who was trusted to > scan for such things, maybe this wouldn't be an issue. But there's not, so > it's a vigilante effort. > > > Where this thread got started, the scenario was around if I connect to your > > SMTP server to attempt to relay mail, is it then right to probe me for open > > relays and so forth. In that case, I can see the reasoning, as I initiated > > the connection, so you're checking to see if I'm sane or not. The line gets > > drawn though as to how much probing is reasonable ... can you probe my > > system for ALL open ports/exploits just because I tried to send mail > > through you, or can you probe all machines that fit in my address range > > (and how do you determine my address range?) ... that's where the larger > > debate comes in. > > Actually, I think the debate starts with Paul telling Jon that Jon isn't > passively scanning connection hosts, he's actively trawling for open > proxies, that Paul has the logs to prove it, and that since Paul is in > California, Jon has broken the law. > > Paul has only indicated his point of view objectively; he hasn't yet > indicated he wants to do something about it (or that he personally feels > that he should do something about it). > > > I have servers hosted at shared colo facilities. If you were to scan the > > entire netblock for my colo provider because a different customer at the > > same facility tried to send mail through you, how am I to determine your > > cause, or determine that it was not a scan for a vulnerability? > > You don't have to. This is why I never understood why people care so much > about probing. If you do a good job with your network, probing will have > zero affect on you. All the person probing can do (regardless of their > intent) is say "Gee, I guess there aren't any vulnerabilities with this > network." > > Andy > > > Andy Dills 301-682-9972 > Xecunet, LLCwww.xecu.net > > Dialup * Webhosting * E-Commerce * High-Speed Access
Re: anti-spam vs network abuse
Hi, Why is it clearly untrue? Remember when researchers used to send announcements out beforehand? I do. Well, you're taking me too literally of course! Len On Fri, Feb 28, 2003 at 04:00:25PM -0800, Randy Bush wrote: > > Scanning is always a precursor to an attack > > this is clearly not true, as scans are done for research and > other goals. > > and conversely, all attacks are not preceded by scanning. > > randy
Re: anti-spam vs network abuse
> Scanning is always a precursor to an attack this is clearly not true, as scans are done for research and other goals. and conversely, all attacks are not preceded by scanning. randy
Re: anti-spam vs network abuse
"E.B. Dreger" wrote: > Actually, when one leaves honeypots and/or tarpits, getting > probed can be rather fun... Second this ! :D Did you ever hear of the guy who wrote a C based 'bot trap and brought down both a big name search engine mining bot, and a providers (major) Unix server ? LOL! He apparently didn't like the idea that the bot had the right to mine his site for data and so, a few lines of C, and Tada! Deadlock, on endless nested directories. Dueling Servers at Dawn ! He had to write a letter of apology to his service provider, and to the search engine. I think it can still be found online somewhere :{ > > Eddy > -- > Brotsman & Dreger, Inc. - EverQuick Internet Division > Bandwidth, consulting, e-commerce, hosting, and network building > Phone: +1 (785) 865-5885 Lawrence and [inter]national > Phone: +1 (316) 794-8922 Wichita > > ~ > Date: Mon, 21 May 2001 11:23:58 + (GMT) > From: A Trap <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Please ignore this portion of my mail signature. > > These last few lines are a trap for address-harvesting spambots. > Do NOT send mail to <[EMAIL PROTECTED]>, or you are likely to > be blocked.
Re: anti-spam vs network abuse
> Why is probing networks wrong? i guess it's a last ditch scaling thing. i won't complain to an isp when their customer probes my host as a result of me sending them e-mail -- but i will drop in a local blackhole route so that i won't get any more traffic from or to the prober's network. (if the isp thinks this is too draconian they are welcome to contact me, which is how jon and i wound up talking a couple of months ago.) on the other hand if they probe my network looking for relays to see whether any of those relays are open, then i will complain to their isp. there's an active prober in asia right now who actually *is* an ISP, though, and so, there's really no basis for discussion. -- Paul Vixie
Re: anti-spam vs network abuse
> As a result the ISP must either A) purchase more RAM, faster CPUs, > and additional servers, or B) run the risk of complaints and lost > customer goodwill. All of this costs time and money. Looks like both a netscan and a portscan, and clearly not designed to limit damages to innocent third parties. Come on njabl.org, this isn't rocket science. Turn down that scan rate by a factor of at least 50, please. -- Roger Marquis Roble Systems Consulting http://www.roble.com/ 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:1080 from 209.208.0.15:55571 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:1180 from 209.208.0.15:55572 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:1080 from 209.208.0.15:55573 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:80 from 209.208.0.15:55575 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:1180 from 209.208.0.15:55574 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:81 from 209.208.0.15:55576 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:1182 from 209.208.0.15:55577 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:3128 from 209.208.0.15:55578 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:4480 from 209.208.0.15:55579 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:6588 from 209.208.0.15:55580 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:8000 from 209.208.0.15:55581 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:8081 from 209.208.0.15:55583 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:8090 from 209.208.0.15:55584 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:7033 from 209.208.0.15:55585 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:8085 from 209.208.0.15:55586 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:8095 from 209.208.0.15:55587 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:8100 from 209.208.0.15:55588 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:8105 from 209.208.0.15:55589 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:8110 from 209.208.0.15:55590 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:80 from 209.208.0.15:55591 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:81 from 209.208.0.15:55592 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:3128 from 209.208.0.15:55594 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:1182 from 209.208.0.15:55593 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:4480 from 209.208.0.15:55595 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:6588 from 209.208.0.15:55596 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:8000 from 209.208.0.15:55597 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:8081 from 209.208.0.15:55599 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:1181 from 209.208.0.15:55601 15:16:21 PST Connection attempt to TCP IP.IP.IP.IP:8090 from 209.208.0.15:55600 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:1080 from 209.208.0.15:55571 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:1180 from 209.208.0.15:55572 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:1080 from 209.208.0.15:55573 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:1180 from 209.208.0.15:55574 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:80 from 209.208.0.15:55575 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:81 from 209.208.0.15:55576 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:4480 from 209.208.0.15:55579 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:8000 from 209.208.0.15:55581 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:1182 from 209.208.0.15:55577 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:3128 from 209.208.0.15:55578 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:6588 from 209.208.0.15:55580 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:8090 from 209.208.0.15:55584 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:7033 from 209.208.0.15:55585 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:8081 from 209.208.0.15:55583 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:8085 from 209.208.0.15:55586 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:8095 from 209.208.0.15:55587 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:8110 from 209.208.0.15:55590 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:8100 from 209.208.0.15:55588 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:8105 from 209.208.0.15:55589 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:80 from 209.208.0.15:55591 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:1182 from 209.208.0.15:55593 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:81 from 209.208.0.15:55592 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:3128 from 209.208.0.15:55594 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:4480 from 209.208.0.15:55595 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:8000 from 209.208.0.15:55597 15:16:24 PST Connection attempt to TCP IP.IP.IP.IP:6588 from 209.208.0.15:55596 15:16:24 PST Connect
Re: anti-spam vs network abuse
AD> Date: Fri, 28 Feb 2003 16:54:47 -0500 (EST) AD> From: Andy Dills AD> You don't have to. This is why I never understood why people AD> care so much about probing. If you do a good job with your AD> network, probing will have zero affect on you. All the person Actually, when one leaves honeypots and/or tarpits, getting probed can be rather fun... Eddy -- Brotsman & Dreger, Inc. - EverQuick Internet Division Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 (785) 865-5885 Lawrence and [inter]national Phone: +1 (316) 794-8922 Wichita ~ Date: Mon, 21 May 2001 11:23:58 + (GMT) From: A Trap <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Please ignore this portion of my mail signature. These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <[EMAIL PROTECTED]>, or you are likely to be blocked.
Re: anti-spam vs network abuse
Joe St Sauver wrote: > There is NO legal advice in this post. Really! > In Oregon, see ORS 164.377(4): > > "Any person who knowingly and without authorization uses, accesses or > attempts to access any computer, computer system, computer network, or any > computer software, program, documentation or data contained in such computer, > computer system or computer network, commits computer crime." Define "without authorization", and also "knowingly". Was the port open to the public internet ? If so, it sounds pretty "authorized" to me, therefore undermining "knowingly", afaict. Or, otherwise, with a few exceptions, almost every web site I have ever surfed has been "without authorization". Like I said, "intention" has to come into the picture in this case, it is in the form of "knowingly". Do you open your "unauthorized" ports to the public internet ? "Unauthorized" on wide open internet usually infers that there is an access scheme in place to -prevent- "unauthorized access", and activity that attempts to undermine that security scheme -then- becomes illegal, AFAIK. The absence of such an access scheme, on open internet, would infer an "implied authorization"... as in the case of the millions of WWW pages we all access daily. After all, protocol ports do not publish themselves. Now, to add a twist, did I probe you from "authorized" space, and gain "illegal access", undermining your (inadequate) security scheme ? Well, then I must have been "authorized", or you wouldn't have allowed me in from this "auhtorized" space, eh ? Oh, I was in "authorized space", but "I" wasn't authorized, and I didn't know ? Oh, well there goes the "knowing" thing again. .JMHO. .Richard. == While some of this information could be considered legally valid coming from a "technical expert", it isn't to be construed as "legal advice". Get a lawyer for actual legal advice. > > http://www.leg.state.or.us/ors/164.html > > Regards, > > Joe
Re: anti-spam vs network abuse
Richard Irving wrote >Jack Bates wrote:(SNIPO) >> > Should we outlaw a potentially beneficial practice due to its abuse by >> > criminals? >> > >> Okay. What happens if you make a mistake and overload one of my devices >> costing my company money. > > That is usually a civil issue, not criminal. Legal considerations aside it is not good practice to scan a subnet/server hosting dozens of websites. Typical symptoms are slow connections to all the sites, increased memory utilization, and error logs like the following: [Wed Feb 26 02:14:57 2003] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 26 children, there are 60 idle, and 88 total children As a result the ISP must either A) purchase more RAM, faster CPUs, and additional servers, or B) run the risk of complaints and lost customer goodwill. All of this costs time and money. The best mitigation is to set a _slow_ scan rate but even that can still get you blacklisted by a well designed NIDS. Given the potential cost to third parties it's difficult to see any case for netscanning, regardless of the scanner's rational. -- Roger Marquis Roble Systems Consulting http://www.roble.com/
Re: anti-spam vs network abuse
Hi.. That's the problem, Sir! Many (I daresay the majority) of people take my hardnosed position. I know that there are people and services with good intentions, but I respectfully suggest that those good intentions shall not pass my borders. If an anti-spam mail relay testing service proactively scans my mail servers for smtp related issues, I will not complain because spam friendly relays and proxies are evil and must be shut down. If my service provider wishes to scan my network and hosts they can do so after they get obtain my permission. Just because my networks happen to connect to the internet doesn't give up any dominion over those networks. If some unknown entity (whether it's a service or an individual) (for whatever reason) scans my networks and hosts proactively for whatever justificatiojn, I still find that to be excessive trespass. Just because you can reach my network does not give you grounds to play with my toys. More below: Richard Irving wrote: > > Scanning is always a precursor to an attack, or to determine if any obvious > > methodology can be used to attack. At least that's how it has been > > historically viewed. > See my other post. MAPS assists users in closing their "innocent" > relay capable systems. And, FWIW, pro-active probing -can- provide > a great service to the "less than clueful" end users. I agree with all of your positive reasons why such a service is great but you should be dealing with it by blackingholing their ASN nstead and soon when everyone does so, they'll get their act together or be cut off. Since your network was victimized you should be proactive about contacting the people responsible. You can even scan their hosts at this point since you're engaged in defensive operations. If they're a responsible provider (it sounds like you're talking about some sort of hosting provider here) they'll have a NOC, and you can escalate it until you reach a clue. I don't see anything else as being more than busybodies poking where they don't beloong. Cheers! Len > Scenario: [snip]
Re: anti-spam vs network abuse
Len Rose wrote: > > Scanning is always a precursor to an attack, or to determine if any obvious > methodology can be used to attack. At least that's how it has been > historically viewed. See my other post. MAPS assists users in closing their "innocent" relay capable systems. And, FWIW, pro-active probing -can- provide a great service to the "less than clueful" end users. Scenario: MR. ISP A, we received over 300mbs from your network last week, as it participated in a 1500-bot attack of K ROOT SERVER... We have determined, via access list, that the following IP's appear to be the source of this attack, and we suspect have been compromised by the "koo-koo-ka-chooo" worm. We have not confirmed the identity of the worm, as the attack worm has yet to be identified, and isolated, conclusively. However, we have found all sources that participated in this attack had port 6667 and ports open. This lead us to hypothesize that it was the "koo-koo-ka-choo" worm... Several of these sites are under your Administration Attached, please find the list of infected servers Any information regarding this worm, and the servers subsequent sterilization, would be appreciated. Signed, The Admininstration of -=Your=- NSP. > In my opinion there is no legitimate reason to scan a remote host or network > without the permission of the owners. Otherwise it is in fact excessive > behaviour. See above.
Re: anti-spam vs network abuse
> In this case, your door being unlocked cannot cause me harm. However, an > "unlocked proxy" can. Legit probes are an attempt to mitigate network > abuse, not increase it. If there was a sanctioned body who was trusted to > scan for such things, maybe this wouldn't be an issue. But there's not, so > it's a vigilante effort. Not completely "Vigilante", many of the Network providers reserve the right to "manage" (including probe) any network block that they -=announce=-... if not, they simply won't announce it. (While I have experienced many a probe, I have neither heard of anyone actually being declined from announcement, nor have I been part of such an experience, FWIW, but the right is "reserved".) That activity is considered by many, proper administrative "due diligence", or "managed network service". Now, if Genuity were to start probing UUnet blocks, then that becomes a little more "Vigilante"... although, in most cases, not illegal. (AFAICT) [Any comments construed as legal advice, are purely do to an errant perception on the part of the reader... illigitimi non carborundum]
Re: anti-spam vs network abuse
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 At 04:54 PM 2/28/2003 -0500, Andy Dills wrote: >You don't have to. This is why I never understood why people care so much >about probing. If you do a good job with your network, probing will have >zero affect on you. All the person probing can do (regardless of their >intent) is say "Gee, I guess there aren't any vulnerabilities with this >network." I don't have to understand why you're probing my network? (using the term "your" loosely, not referring specifically to Andy's network/hosts) The actual probe may not have any affect on my network, but if you probe my network/hosts because someone iusing the same colo facilities as me sent you mail (not through me), there is no way for me to determine whether your intent is hostile or not, and you will likely set off my IDS alerts. There's two reasons to probe my hosts ... trying to protect your hosts or trying to violate mine, and if I've not initiated any type of communication to your host(s), I can only assume your intent is hostile since it was unprovoked. -BEGIN PGP SIGNATURE- Version: PGP 8.0 iQA/AwUBPl/fbavEtUU05riwEQKRLgCg2b7p6ua04d1tOIBtAWYe034+tOAAoKER aiwfIt8uR557NG21FddezLQ8 =7hDv -END PGP SIGNATURE-
Re: anti-spam vs network abuse
Scanning is always a precursor to an attack, or to determine if any obvious methodology can be used to attack. At least that's how it has been historically viewed. In my opinion there is no legitimate reason to scan a remote host or network without the permission of the owners. Otherwise it is in fact excessive behaviour. Andy Dills wrote: [alot of interesting points deleted] > You don't have to. This is why I never understood why people care so much > about probing. If you do a good job with your network, probing will have > zero affect on you. All the person probing can do (regardless of their > intent) is say "Gee, I guess there aren't any vulnerabilities with this > network." > Andy > Andy Dills 301-682-9972 > Xecunet, LLCwww.xecu.net
Re: anti-spam vs network abuse
There is NO legal advice in this post. Jack Bates wrote:(SNIPO) > > Should we outlaw a potentially beneficial practice due to its abuse by > > criminals? > > > Okay. What happens if you make a mistake and overload one of my devices > costing my company money. That is usually a civil issue, not criminal. (.edu, .mil and .gov can be exceptions to the rule) [ Older laws protecting the internet, prior to it being public were allowed to linger for just that effectFWIW] And Vixie isn't unique in quoting these California Statutes Does anyone have an actual pointer to these things, please ? I realize they don't apply to anywhere but California, but it would make interesting reading... > I guarantee you, the law will look favorably on > damages. That is the problem with probing. See above, that remains a Civil issue, in most cases. > Sometimes the probe itself can be > the damage. Programmers are human. Humans make mistakes. Sometime probes can provide great benefits to all involved, as well. How about the case of the MAPS "test for email relay" function, available to the public ? > Programmers are perfect. Absolutely NOT True... It is just relative to the rest of the world, we just APPEAR to be perfect. :* :P > > -Jack
Re: anti-spam vs network abuse
On Fri, 28 Feb 2003, Charlie Clemmer wrote: > At 03:52 PM 2/28/2003 -0500, Andy Dills wrote: > >Why is probing networks wrong? > > Depends on why you're doing the probing. If so, why outlaw the act of probing? Why not outlaw "probing for the purposes of..."? > If you're randomly walk up to my house and check to see if the door is > unlocked, you better be ready for a reaction. Same thing with unsolicited > probes, in my opinion. Can I randomly walk up to your car to see if it's > unlocked without getting a reaction out of you? This is different. Metaphors applying networking concepts to real world scenarios are tenuous at best. In this case, your door being unlocked cannot cause me harm. However, an "unlocked proxy" can. Legit probes are an attempt to mitigate network abuse, not increase it. If there was a sanctioned body who was trusted to scan for such things, maybe this wouldn't be an issue. But there's not, so it's a vigilante effort. > Where this thread got started, the scenario was around if I connect to your > SMTP server to attempt to relay mail, is it then right to probe me for open > relays and so forth. In that case, I can see the reasoning, as I initiated > the connection, so you're checking to see if I'm sane or not. The line gets > drawn though as to how much probing is reasonable ... can you probe my > system for ALL open ports/exploits just because I tried to send mail > through you, or can you probe all machines that fit in my address range > (and how do you determine my address range?) ... that's where the larger > debate comes in. Actually, I think the debate starts with Paul telling Jon that Jon isn't passively scanning connection hosts, he's actively trawling for open proxies, that Paul has the logs to prove it, and that since Paul is in California, Jon has broken the law. Paul has only indicated his point of view objectively; he hasn't yet indicated he wants to do something about it (or that he personally feels that he should do something about it). > I have servers hosted at shared colo facilities. If you were to scan the > entire netblock for my colo provider because a different customer at the > same facility tried to send mail through you, how am I to determine your > cause, or determine that it was not a scan for a vulnerability? You don't have to. This is why I never understood why people care so much about probing. If you do a good job with your network, probing will have zero affect on you. All the person probing can do (regardless of their intent) is say "Gee, I guess there aren't any vulnerabilities with this network." Andy Andy Dills 301-682-9972 Xecunet, LLCwww.xecu.net Dialup * Webhosting * E-Commerce * High-Speed Access
Re: anti-spam vs network abuse
On Fri, Feb 28, 2003 at 03:11:00PM -0600, Jack Bates quacked: > > > > Should we outlaw a potentially beneficial practice due to its abuse by > > criminals? > > > Okay. What happens if you make a mistake and overload one of my devices > costing my company money. I guarantee you, the law will look favorably on > damages. That is the problem with probing. Sometimes the probe itself can be > the damage. Programmers are human. Humans make mistakes. Programmers are > perfect. That wasn't the question. There are plenty of circumstances in which it's legal to do something once -- say, make a phone call to you and ask how you're doing -- and illegal to do it one hundred million times. You don't outlaw telephones because people can and have used them to harass other people, you outlaw the harassing behavior and make it subject to damages. ... which is exactly what you described. Probing can be knocking on your door, or it can be taking a sledgehammer to your garage. These are so quantitatively different that there is a qualitative shift between the behaviors. -Dave -- work: [EMAIL PROTECTED] me: [EMAIL PROTECTED] MIT Laboratory for Computer Science http://www.angio.net/ I do not accept unsolicited commercial email. Do not spam me.
Re: anti-spam vs network abuse
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 At 03:52 PM 2/28/2003 -0500, Andy Dills wrote: >Why is probing networks wrong? Depends on why you're doing the probing. If you're randomly walk up to my house and check to see if the door is unlocked, you better be ready for a reaction. Same thing with unsolicited probes, in my opinion. Can I randomly walk up to your car to see if it's unlocked without getting a reaction out of you? Where this thread got started, the scenario was around if I connect to your SMTP server to attempt to relay mail, is it then right to probe me for open relays and so forth. In that case, I can see the reasoning, as I initiated the connection, so you're checking to see if I'm sane or not. The line gets drawn though as to how much probing is reasonable ... can you probe my system for ALL open ports/exploits just because I tried to send mail through you, or can you probe all machines that fit in my address range (and how do you determine my address range?) ... that's where the larger debate comes in. I have servers hosted at shared colo facilities. If you were to scan the entire netblock for my colo provider because a different customer at the same facility tried to send mail through you, how am I to determine your cause, or determine that it was not a scan for a vulnerability? Just my opinions ... Charlie -BEGIN PGP SIGNATURE- Version: PGP 8.0 iQA/AwUBPl/RFKvEtUU05riwEQJV8gCaAkCTqzaB2BtbAqrcG2IGf4O/tfoAoKEd NSQGE2TuArNzErLNXHacGPmS =hndb -END PGP SIGNATURE-
Re: anti-spam vs network abuse
> > Why is probing networks wrong? > > I would agree exploiting vulnerabilities discovered from probing networks > is wrong. But I don't agree that probing is inherently wrong. > > People probe networks for great reasons. Likewise, people have the ability > to prevent other people from probing their networks. > > Should we outlaw a potentially beneficial practice due to its abuse by > criminals? > Okay. What happens if you make a mistake and overload one of my devices costing my company money. I guarantee you, the law will look favorably on damages. That is the problem with probing. Sometimes the probe itself can be the damage. Programmers are human. Humans make mistakes. Programmers are perfect. -Jack
Re: anti-spam vs network abuse
On Fri, 28 Feb 2003, Andy Dills wrote: > Why is probing networks wrong? Probe .mil and .gov networks and find out. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: anti-spam vs network abuse
On Fri, 28 Feb 2003, Gary E. Miller wrote: > On Fri, 28 Feb 2003, Paul Vixie wrote: > > > However, they scanned every address in every netblock I own, looking > > for SMTP servers. That was abuse, that was illegal in California, > > Could you please provide a citation from the CA law for this? Better > yet, do you have any case law? More importantly, could somebody provide some sort of moral basis for this law? (I'm not sure if Paul feels the way he wrote, or if there was a bit of tongue-in-cheeck...I suspect and hope the latter.) Why is probing networks wrong? I would agree exploiting vulnerabilities discovered from probing networks is wrong. But I don't agree that probing is inherently wrong. People probe networks for great reasons. Likewise, people have the ability to prevent other people from probing their networks. Should we outlaw a potentially beneficial practice due to its abuse by criminals? Andy Andy Dills 301-682-9972 Xecunet, LLCwww.xecu.net Dialup * Webhosting * E-Commerce * High-Speed Access
Re: anti-spam vs network abuse
Yo Paul! On Fri, 28 Feb 2003, Paul Vixie wrote: > However, they scanned every address in every netblock I own, looking > for SMTP servers. That was abuse, that was illegal in California, Could you please provide a citation from the CA law for this? Better yet, do you have any case law? RGDS GARY --- Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 [EMAIL PROTECTED] Tel:+1(541)382-8588 Fax: +1(541)382-8676
Re: anti-spam vs network abuse
At 12:56 PM 2/28/2003, Paul Vixie wrote: > > For the past 15 months, NJABL has reactively tested systems that have > > connected to participating SMTP servers to see if those systems are open > > relays. ... > > > > We do not consider what NJABL does abuse, ... Jon, If "they" are indeed only testing systems who connect to them, it's not abuse, and I would not have complained. However, they scanned every address in every netblock I own, looking for SMTP servers. That was abuse, that was illegal in California, and I was shocked that you "allowed" "them" to behave that way. Hopefully my inference is correct and "they" are now scanning only the hosts which connect to participating SMTP servers. Paul raises good questions about the level of response to incoming SMTP traffic. If contacted for transmission of SMTP, do you have the right to go probe the sending system for all possible vulnerabilities, or only ones that relate directly to email? Clearly there are concerns about email coming from open relays, and from open proxies. The degree of scanning could easily cross the line from warranted to abusive, and potentially illegal. Scanning machines "in the neighborhood" sure seems far over the line. This is further complicated by the difficulty in determining the size of the "neighborhood" (read: netblock assigned to a customer). While we would all like to find some solution to the spam problem before email is rendered useless, measures which themselves threaten the network with denial of service attacks and other measures can be considered just as damaging.
Re: anti-spam vs network abuse
> > For the past 15 months, NJABL has reactively tested systems that have > > connected to participating SMTP servers to see if those systems are open > > relays. ... > > > > We do not consider what NJABL does abuse, ... Jon, If "they" are indeed only testing systems who connect to them, it's not abuse, and I would not have complained. However, they scanned every address in every netblock I own, looking for SMTP servers. That was abuse, that was illegal in California, and I was shocked that you "allowed" "them" to behave that way. Hopefully my inference is correct and "they" are now scanning only the hosts which connect to participating SMTP servers. Paul
Re: anti-spam vs network abuse
I haven not checked NJABL but some of the other other open relay testers use scenarios that are illegal (actually criminal) in California. Roy [EMAIL PROTECTED] wrote: > We (Atlantic.Net) have gotten a flurry of abuse complaints from people > who's systems have been scanned by 209.208.0.15 (rt.njabl.org...a DNSBL > hosted on our network). I'm hoping the new PTR record will head off many > complaints now. > > For the past 15 months, NJABL has reactively tested systems that have > connected to participating SMTP servers to see if those systems are open > relays. Just over a week ago, NJABL added open proxy testing to its relay > testing software. The proxy testing checks for a variety of common proxy > software/protocols on about 20 different ports simultaneously. This is > apparently setting off some IDS/firewall alarms. > > We do not consider what NJABL does abuse, and we reply to all the > complaints explaining that the complainant should go have a look at > http://njabl.org/ and hopefully they'll understand why their system was > scanned. > > This sort of activity is becoming more common / mainstream, so people > ought to just get used to it. Road Runner is doing the same thing > (according to http://sec.rr.com/probing.htm) which is pretty ironic given > how their security department has gotten along with (or not) various > DNSBLs in the past. > > BTW...in the week that NJABL has been testing for open proxies, more than > 18000 have been detected, pretty much all of which are actively being > abused by spammers, else mail would not have come through them. > > -- > Jon Lewis [EMAIL PROTECTED]| I route > System Administrator| therefore you are > Atlantic Net| > _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: anti-spam vs network abuse
On Thu, 27 Feb 2003 22:36:37 -0500 (EST), [EMAIL PROTECTED] wrote: >This sort of activity is becoming more common / mainstream, so >people >ought to just get used to it. Road Runner is doing the same thing >(according to http://sec.rr.com/probing.htm) which is pretty ironic >given >how their security department has gotten along with (or not) various >DNSBLs in the past. It has always been my opinion that if somebody connects to you, they are implicitly granting you the right to connect back to them on well-known ports. I have discussed this opinion with several dozen people and have yet to find one who disagrees. (Though I'm sure they're probably out there.) I've dealt with any number of abuse complaints, many from governmental and quasi-governmental group. They've all accepted my cut/pasted explanation and we've been whitelisted by several such organizations. I often use the following as the 'meat' paragraph of my reply: "In accord with our terms of service, when someone makes a connection to one of our machines, we make connections back to them to ensure they're not connecting through an open proxy. These connections are to each of the ports on which such proxies commonly run and some ports may require more than one connection to test multiple protocols. We never do such a probe except as a response to a connection made to us." -- David Schwartz <[EMAIL PROTECTED]>
Re: anti-spam vs network abuse
From: <[EMAIL PROTECTED]> > > We (Atlantic.Net) have gotten a flurry of abuse complaints from people > who's systems have been scanned by 209.208.0.15 (rt.njabl.org...a DNSBL > hosted on our network). I'm hoping the new PTR record will head off many > complaints now. > > For the past 15 months, NJABL has reactively tested systems that have > connected to participating SMTP servers to see if those systems are open > relays. Just over a week ago, NJABL added open proxy testing to its relay > testing software. The proxy testing checks for a variety of common proxy > software/protocols on about 20 different ports simultaneously. This is > apparently setting off some IDS/firewall alarms. > > We do not consider what NJABL does abuse, and we reply to all the Ahh, yes. The age old debate. So long as you, their provider, doesn't consider it abuse, they should be relatively safe. Obviously, there are some net blocks up to stop the probes. There always are and always will be. Networks don't like scans. One thing I'll say about NJABL, it's probably the most accurate list for what it does. With the added proxy testing, they'll get more people using the list, along with more complaints. I'll be adding my log IP's to that list soon enough. -Jack
anti-spam vs network abuse
We (Atlantic.Net) have gotten a flurry of abuse complaints from people who's systems have been scanned by 209.208.0.15 (rt.njabl.org...a DNSBL hosted on our network). I'm hoping the new PTR record will head off many complaints now. For the past 15 months, NJABL has reactively tested systems that have connected to participating SMTP servers to see if those systems are open relays. Just over a week ago, NJABL added open proxy testing to its relay testing software. The proxy testing checks for a variety of common proxy software/protocols on about 20 different ports simultaneously. This is apparently setting off some IDS/firewall alarms. We do not consider what NJABL does abuse, and we reply to all the complaints explaining that the complainant should go have a look at http://njabl.org/ and hopefully they'll understand why their system was scanned. This sort of activity is becoming more common / mainstream, so people ought to just get used to it. Road Runner is doing the same thing (according to http://sec.rr.com/probing.htm) which is pretty ironic given how their security department has gotten along with (or not) various DNSBLs in the past. BTW...in the week that NJABL has been testing for open proxies, more than 18000 have been detected, pretty much all of which are actively being abused by spammers, else mail would not have come through them. -- Jon Lewis [EMAIL PROTECTED]| I route System Administrator| therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_