nanog mailing list archives

Re: Scanning (was Re: Stealth Blocking)


From: "Christopher A. Woodfield" <rekoil () semihuman com>
Date: Sun, 27 May 2001 12:40:14 -0400


On Sat, May 26, 2001 at 12:41:16PM -0400, Greg A. Woods wrote:
[ On Saturday, May 26, 2001 at 10:35:47 (-0400), Christopher A. Woodfield wrote: ]
Subject: Re: Scanning (was Re: Stealth Blocking)

About two years ago the <vijay> promising local ISP </vijay> I worked 
for saw the number of ORBS-listed hosts within its netspace go from ~400 
to over 3,000 in one week.

Hmmmm....  you don't say exactly, but two years ago you were probably
seeing the results of manual list entries (perhaps even entered as
netblocks).  Back then you had to be really smart and look at the value
of the A RR returned from a DNS query into the database to be able to
tell the difference between a proper ORBS entry and one of the
supplemental manual entries.  These days it's much more difficult to
confuse the mechanical part of ORBS with the ego part.

Nah, there was a relay test on the ORBS site for each IP...it was a 
customer who had put all 254 usable IPs in one of his blocks on a few 
similarly misconfigured servers. Each IP was tested and listed by ORBS. 
There were other patterns in the listings, as well as logged relay tests 
on non-open relays, that suggested wholesale scanning, but the one quoted 
was the most egregious. We had one other large web-hosting customer that 
had accounted for about 500 of the listings tell us later that they 
proactively scanned their network after the fact and found that ORBS had 
caught /every/ open relay in their netspace. How you manage to do that 
without wholesale scanning, you tell me.


Among the listings was a class C where EVERY HOST, 
254 IPs, in the block was listed. Granted, each one was an open relay, but the 
point is that each IP was individually relay tested. When questioned about 
this, Alan Brown responded that he had "received an unusually large number 
of nominations" for hosts in our netspace. Uh huh. Sure.

Do you have the mailer logs from those hosts?

Can you prove that there was no other unauthorised use of them during
the time *before* they were tested by ORBS?

I don't have logs, as these were not our servers, but our customers', nor 
can I prove that none of them had been abused, although we had a pretty 
good record of shutting down the open relays that we got wind of via ORBS' 
weekly reports and our own abuse mailbox.

-C


-- 
                                                      Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>     <woods () robohack ca>
Planix, Inc. <woods () planix com>;   Secrets of the Weird <woods () weird com>

-- 
---------------------------
Christopher A. Woodfield                rekoil () semihuman com

PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
