nanog mailing list archives

Re: Extreme spam testing


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Mon, 22 Dec 2003 20:00:32 -0500


On Mon, 2003-12-22 at 16:55, Andy Dills wrote:

> > This is going to sound really snippy, but who died and made them
> > god/goddess of the Internet? Where is the document trail empowering them
> > to be spam cops of the Internet with absolute authority to probe who
> > ever they see fit?

> This is a can of worms with no answer. Who gives authority to IANA for
> that matter?

That was my point. I was responding to someone that was implying that
njabl was doing this for the benefit of everyone and thus had some
authority to do so. Obviously that's not the case.

> > Humm. This is something I have not run into before. Can you supply a URL
> > that explains how to relay mail through a Telnet or RADIUS server?

> No, but I can supply a URL that explains how to change the port that proxy
> servers bind to. I don't think you actually need that, though.
>
> You really think people who professionally hack servers and set up spam
> relay proxies put them on the standard ports?

Again, this was my point. Finding out if I have an exposed RADIUS server
is not really evidence that I'm running an open SMTP proxy. So where
does it stop? Scanning all 65K ports? Full OS fingerprinting to shun the
most compromised OS's? Maybe we insist on being provided with root
access to verify the box as being clean before we accept their e-mail?
This slope can get pretty scary.

> > LOL! I see, this is my fault because I actually take steps to secure my
> > environment. ;-)

> No, but it is your fault for overreacting to your IDS.

I honestly don't think I overreacted. My original post labeled the
traffic as simply "interesting" and I stated I was posting it in case
others were interested and had not noticed it in their logs. No call to
arms, flames, or rants for widespread blacklisting, just an FYI in case
others found the info useful.

> Security doesn't require an IDS. An IDS merely tells you who's checking
> your doorknobs to see if they're locked. If you do a good enough job
> keeping your doors locked, an IDS is little more than a touchy doorbell at
> 3 AM, being tripped by the wind.

An IDS is more like an empty box. One person may look at it and see a
simple storage device. Show it to a 5 year old however and it becomes a
boat, a plane, a car, a castle, etc. etc. etc. I mentioned in another
thread that I've caught plenty of 0-day stuff with my IDS. In other
words, stuff that had no known signatures or patches. It's also helped me
out in a fair amount of troubleshooting. It's all a matter of being
inventive and knowing what to look for. If you perceive your IDS to be
"little more than a touchy doorbell", I would highly recommend attending
SANS IDS training. It'll open your mind and show you a wealth of other
possibilities.

Regards,
Chris