Educause Security Discussion mailing list archives

Interesting RoadRunner Policy


From: Alex Campoe <campoe () USF EDU>
Date: Mon, 13 Jan 2003 21:05:17 -0500

We recently noticed (among the hundred or so machines that scan us every
day) some constant scans from the same machine, securityscan.sec.rr.com.
When we contacted the folks at RoadRunner we received the attached
response. I am not exactly sure what to think. I certainly hope these
scans do not become standard ISP practices. Anyhow, I just thought I'd
share it with all of you guys.

Alex

PS - Interestingly enough, they were hitting several different ports on
our boxes, all except port 25.

-------
J. Alex Campoe
Associate Director, Systems, Academic Computing
Data Security Manager, University of South Florida
Phone (813) 974-1796



#############################

Date: Mon, 13 Jan 2003 08:43:36 -0500
From: "Road Runner Security [JEO]" <abuse () rr com>
Subject: Re: sweeps from securityscan.sec.rr.com (24.30.199.228)

Hello,

The securityscan.sec.rr.com machine is a Road Runner Security resource
that is used as a tool to assist us in determining if machines being
used to send us mail may be abused from outside sources, allowing them
to be used to spam our customers and role accounts. We fully understand
your concerns surrounding the probing of your machine. This issue has
been raised internally and we hope this email helps you better
understand our process.

The intention of this process is truly not meant to be a "big brother"
system, but we understand that some may view it as such. Our ultimate
goal, however, is to protect our network, our customers, and our role
accounts.

Road Runner has begun the REACTIVE testing of IP addresses which connect
to its inbound SMTP gateways. If your machine connects to ours to send
email, we reserve the absolute right to perform SMTP relay and open
proxy server tests upon the connecting IP address to ensure that the
machine at that IP address cannot be abused for malicious purposes.

These scans are done once per day per IP, via an automated process, and
only on those servers that have sent our subscriber base mail. The only
way for these tests to occur is if an IP address connects to our inbound
SMTP gateway. If found to be an open proxy or smtp relay, the IP address
will be blocked at our mail gateway borders with one of the following
error messages:

ERROR:5.7.1:550 Mail Refused - See http://security.rr.com/mail_blocks.htm#proxy
ERROR:5.7.1:550 Mail Refused - See http://security.rr.com/mail_blocks.htm#relay

We understand that some entities may not wish to be scanned as part of
this automated process. If you do not wish to be tested by Road Runner,
there are two ways to accomplish this:

1. Send an e-mail to 'donottest () security rr com' with the IP address
   that you do not wish to be tested. Please note that if you are not
   the designated contact for your IP address range (for example, if you
   are on a cable modem, DSL, or dialup range), we will be unable to
   fulfill your request for addition or removal.
2. Do not connect to our inbound SMTP servers. Again, this test is only
   conducted on servers that connect to our servers.

If you have any further questions, you can visit http://security.rr.com
or contact Road Runner Security via e-mail at
'spamblock () security rr com'
Regards,
Road Runner Security

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
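
One way a receiving site could check the two claims in the Road Runner reply above (probes only follow a connection to their inbound SMTP gateway, and happen once per day per IP) against its own flow logs. This is an added example, not part of the original messages; the record format, the gateway address 198.51.100.25, the 192.0.2.x hosts, the 10-minute burst gap and the 24-hour window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCANNER = "24.30.199.228"          # securityscan.sec.rr.com, per the reply above
RR_GATEWAYS = {"198.51.100.25"}    # assumed placeholder for their inbound SMTP gateway
BURST_GAP = timedelta(minutes=10)  # assumption: probes closer than this are one scan

# Constructed flow records (timestamp, src, dst, dst_port); 192.0.2.x are our hosts.
EVENTS = [
    ("2003-01-12T08:00:05", "192.0.2.10", "198.51.100.25", 25),  # our MTA sends mail
    ("2003-01-12T08:01:10", SCANNER, "192.0.2.10", 80),
    ("2003-01-12T08:01:11", SCANNER, "192.0.2.10", 1080),
    ("2003-01-12T08:01:12", SCANNER, "192.0.2.10", 3128),
    ("2003-01-12T15:30:00", SCANNER, "192.0.2.10", 8080),        # second scan, same day
    ("2003-01-12T09:00:00", SCANNER, "192.0.2.77", 1080),        # host never sent mail
]

def audit(events, scanner=SCANNER, gateways=RR_GATEWAYS):
    """Test probes from `scanner` against the stated policy: reactive, once per day per IP."""
    sent, probes = defaultdict(list), defaultdict(list)
    for ts, src, dst, port in sorted(events):      # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if dst in gateways and port == 25:
            sent[src].append(t)                    # we connected to their gateway
        elif src == scanner:
            probes[dst].append((t, port))          # their scanner probed one of our hosts
    report = {}
    for host, hits in probes.items():
        scans_per_day, last = defaultdict(int), None
        for t, _ in hits:
            if last is None or t - last > BURST_GAP:
                scans_per_day[t.date()] += 1       # a new burst counts as a new scan
            last = t
        first = hits[0][0]
        report[host] = {
            # reactive: the host reached their gateway in the 24 h before the first probe
            "reactive": any(timedelta(0) <= first - s <= timedelta(days=1)
                            for s in sent.get(host, [])),
            "max_scans_per_day": max(scans_per_day.values()),
            "ports": sorted({p for _, p in hits}),
        }
    return report

if __name__ == "__main__":
    for host, row in audit(EVENTS).items():
        print(host, row)
```

A host reported with `reactive` false or `max_scans_per_day` above 1 is one whose probes do not match the policy as stated in the reply.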