Re: SMTP Scans

[Chris Boyd <cboyd () gizmopartners com>]

On Friday, April 25, 2003, at 07:21  PM, Hoof Hearted wrote:

> Wow! - OK it's safe to say there is some opinion on this. Many thanks 
> to all those that have taken the time and trouble to comment.
>
> Opinion seems to be divided 99/1 that the scans (as posted) are bad. 
> Kurt was the only one to point out the POTENTIAL savings. Ergo, 
> assuming all mail is bad unless proven otherwise.
>
> Admittedly, this is a minor digression on the point, however, it has 
> validity. The day after posting my initial comments my (personal) 
> router went south big-style. No big deal, failover was an adsl and 
> $200 & 24 hours later all was fixed (bugger - now I WILL keep a spare 
> on site!), in the meantime, some connection sharing solved the 
> immediate inconvenience... and provided me with a useful list of 
> 'oops' IP's.
>
> Less than 24 hrs of Net life (unprotected by a NAT) scared me witless. 
> I went from being mildly aggravated by Kurt's comments to wholehearted 
> agreement. The world DOES seem to be out to get me!
>
> Anyway, back to my point - my ISP is scanning me (at least) twice 
> daily for an open relay, not only that, they are also scanning our mx 
> listed secondary too - implying some nslookup work at least. 
> Admittedly, the scans are not difficult to block, but for me at least, 
> that doesn't change the issue. Whether I'm an ADSL customer, a DSL 
> customer or even a dial-up user, my relationship with and obligation 
> to my ISP ends at my modem/router/whatever. To my mind, when they 
> intrude past that they become hackers.
>
> To the best of my knowledge, none of our hosted domains have ever been 
> accused of spamming, moreover, our mailservers use numerous UBE 
> lookups, Header, Body & AV scans. I might point out that our settings 
> were sufficient to catch (and bar) the BT connections without 'human' 
> intervention.
>
> I must admit to ignorance as to the legal situation here. I'm aware BT 
> operate AUP's - I'm intrigued to know the result if THEY abuse them.
>
> Anyway - BT response so far - Dear Sir - what time zone are your logs? 
> (... Hmmmm.)

Many large broadband ISPs are starting to do these types of scans.  I 
think that it's a small price to pay to help reduce the number of open 
relays and proxies that can be exploited by spammers.  See 
http://security.rr.com/probing.htm for one example.  Rather than null 
route them as others have suggested, you may want to leave the door 
open for them just to make sure your IDS is still working.

Also, if you own the network, do you think that the AUP really applies? 
 As you've seen, people are out to get you on the 'net.  If the ISP can 
find a problem box and shut it down before it's used to attack you, 
isn't that a good thing?


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------