Politech mailing list archives

FC: Road Runner's security director replies to Politech over probes


From: Declan McCullagh <declan () well com>
Date: Mon, 17 Mar 2003 00:08:44 -0500

Previous Politech message:

"Email a RoadRunner address, get scanned by their security system"
http://www.politechbot.com/p-04556.html

---

Date: Sun, 16 Mar 2003 13:25:00 -0500
To: declan () well com
From: "W. Mark Herrick, Jr." <markh () va rr com>
Subject: Politechbot article on RR Scanning

Hello Declan,

I was pointed to the thread on Politechbot through another person, and I saw the article on http://www.politechbot.com/.

I thought that I'd comment on your article, since it is at the top of your page and pretty fresh on the minds of your readers. Feel free to post my response on that web page, or in your mailing list.

So, just to set one ground rule here - we're talking about proxy and relay testing, not full-out penetration testing. With that in mind...

The author in the article has made a fatal flaw in his mail to you, that being that our scans are proactive in nature.

"I'm curious whether this preemptive measure is effective at all."

His assertion that our scans are proactive could not be further from the truth. At no time has Road Runner performed any PROACTIVE scanning on any IP address that does not belong to Road Runner.

Road Runner's scans are completely REACTIVE in nature. IP addresses connecting to our mail gateways are TCP-scanned for open proxy servers on a variety of ports, and then, if those ports are open, we attempt to mail ourselves via either HTTP CONNECT or SOCKS. Success equals blocking via our local block list.

We perform no REACTIVE scanning on an IP address unless one of the following conditions is met:

1. We have spam in hand.
2. We have received a direct connection to our inbound SMTP servers from that IP.

In addition, regardless of whether or not there has EVER been an issue with the network, we will not REACTIVELY scan ANY IP address when there is a request from the *network owner* that we not do so. We have no wish to be abusive, and as such, we limit scans of an IP to one per week.

This is all clearly explained at http://security.rr.com (and http://securityscan.sec.rr.com).

So, just to clarify some other misconceptions:

We have absolutely NO objection to REACTIVE open proxy or relay scanning of IP addresses from a system that either:

1. Has spam in hand (a la MAPS RSS).
2. Has received a direct connection from our subscriber IP address or SMTP server (a la AOL, Outblaze).

Why should we? IRC servers perform a similar function all day long.

Our stance on proactive scanning, however, has not changed in the 5 years that I have been with Road Runner.

From the article:

"Under their logic, I feel entitled to poke and prod their customers, just to make sure they don't spam me. Is that fair? I promise to provide an opt-out if anyone complains."

I believe that the author is indicating that there is a relationship between our REACTIVE testing, and his desire to PROACTIVELY test our network. This is where we take issue.

We have, and will continue to have, a severe issue with the proactive scanning of our networks. This includes individual users or so-called 'scanning services', that accept requests from anywhere to perform 'on-demand' scans (e.g., hatcheck.org). We also have a serious issue with blocklist systems that *proactively* scan IP addresses (e.g., DSBL), without first requiring (and keeping on hand) proof (e.g., spam-in-hand) that the IP address is a source of spam, open to third party relay, or has an open proxy service.

We have an even BIGGER problem when those same services tell us to pound sand when we tell them to stop scanning our space (specific examples include the now-defunct ORBS and ORBZ block lists, and most recently DSBL). As such, we will not work with those entities under any circumstances.

To close, the problem of open relays and proxies has exploded. To demonstrate this, since the inception of our scanning initiative (1st week in January), we have identified over 50,000 open proxy servers that constantly barrage our 3 million members with spam all day long. We MUST take steps to combat that abuse, in a responsible manner, or else our business will suffer. As the person responsible for the security of our network, I will not allow that to happen.

Regards,
Mark Herrick
Director - Operations Security
Road Runner
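The reactive open-proxy check Herrick describes (TCP-probe the IP that just connected to the mail gateway for proxy ports, then try to reach your own MX through it via HTTP CONNECT or SOCKS, and block on success, with a per-network opt-out and at most one scan per IP per week) can be sketched end to end. The block below is an added example written for this archive page, not Road Runner's code. The port list, the MX hostname/IP, the trigger names and the addresses in the fake network are assumptions; the network layer is an injected `transport` callable so the logic runs offline against the constructed fake, where a real deployment would open TCP sockets instead.

```python
"""Reactive open-proxy probe in the style described in the message above.
Added example, not Road Runner's code.  All network I/O goes through an
injected transport(ip, port, payload) -> bytes | None so it runs offline;
a production version would open a real TCP socket in its place."""
import ipaddress
import struct
import time
from dataclasses import dataclass, field

PROXY_PORTS = (1080, 3128, 8080)                  # assumed SOCKS / HTTP-proxy ports
MAILHOST, MAILIP, SMTP_PORT = "mx.example.net", "203.0.113.25", 25  # our own MX (assumed)
WEEK = 7 * 24 * 3600
TRIGGERS = {"spam-in-hand", "inbound-smtp"}       # the two conditions in the message


def http_connect(ip, port, transport):
    """Ask an HTTP proxy to tunnel to our MX; return the tunneled bytes or None."""
    resp = transport(ip, port, f"CONNECT {MAILHOST}:{SMTP_PORT} HTTP/1.0\r\n\r\n".encode())
    if not resp:
        return None
    head, sep, body = resp.partition(b"\r\n\r\n")
    status = head.split(b" ")
    # A 2xx status means the proxy opened the tunnel; what follows is our MX talking.
    if sep and len(status) >= 2 and status[0].startswith(b"HTTP/") and status[1].startswith(b"2"):
        return body
    return None


def socks4_connect(ip, port, transport):
    """SOCKS4 CONNECT (VN=4, CD=1, port, IPv4, empty userid) to our MX; tunneled bytes or None."""
    req = struct.pack("!BBH4sB", 4, 1, SMTP_PORT, ipaddress.IPv4Address(MAILIP).packed, 0)
    resp = transport(ip, port, req)
    # Reply: VN=0, CD=0x5A (request granted), then 6 bytes of port/IP we ignore.
    if resp and len(resp) >= 8 and resp[0] == 0 and resp[1] == 0x5A:
        return resp[8:]
    return None


METHODS = (("http-connect", http_connect), ("socks4", socks4_connect))


@dataclass
class ReactiveProxyScanner:
    transport: object
    optout: list = field(default_factory=list)    # networks whose owners asked not to be scanned
    last_scan: dict = field(default_factory=dict)
    blocklist: set = field(default_factory=set)
    now: object = time.time

    def may_scan(self, ip, trigger):
        """Reactive only: a listed trigger, no owner opt-out, at most one scan per week."""
        if trigger not in TRIGGERS:
            return False
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.optout):
            return False
        last = self.last_scan.get(ip)
        return last is None or self.now() - last >= WEEK

    def scan(self, ip, trigger):
        """Return (port, method) of the first open proxy that reaches our MX, else None."""
        if not self.may_scan(ip, trigger):
            return None
        self.last_scan[ip] = self.now()
        for port in PROXY_PORTS:
            for name, method in METHODS:
                tunneled = method(ip, port, self.transport)
                # Success: we read our own MX's 220 banner through a stranger's proxy.
                if tunneled is not None and tunneled.startswith(b"220 "):
                    self.blocklist.add(ip)
                    return port, name
        return None


# --- constructed fake network for an offline run (not real hosts) ---
BANNER = b"220 mx.example.net ESMTP\r\n"


def fake_transport(ip, port, payload):
    """One host with an open SOCKS4 proxy, one with an HTTP proxy that refuses CONNECT."""
    if (ip, port) == ("198.51.100.7", 1080) and payload[:2] == b"\x04\x01":
        return struct.pack("!BBH4s", 0, 0x5A, 0, b"\0\0\0\0") + BANNER
    if (ip, port) == ("198.51.100.8", 3128) and payload.startswith(b"CONNECT"):
        return b"HTTP/1.0 403 Forbidden\r\n\r\n"
    return None  # port closed / connection refused


def demo():
    s = ReactiveProxyScanner(fake_transport, optout=[ipaddress.ip_network("192.0.2.0/24")])
    results = {
        "open-socks4": s.scan("198.51.100.7", "inbound-smtp"),
        "refusing-http": s.scan("198.51.100.8", "spam-in-hand"),
        "opted-out": s.scan("192.0.2.9", "inbound-smtp"),
        "no-trigger": s.scan("198.51.100.10", "curiosity"),
        "repeat-within-week": s.scan("198.51.100.7", "inbound-smtp"),
    }
    return results, sorted(s.blocklist)


if __name__ == "__main__":
    print(demo())
```

The decision logic sits in `may_scan`, separate from the probes, so the three policy points in the message (trigger required, owner opt-out honoured, one scan per week) are checked before any packet is sent; the probes themselves only count a hit when the tunneled stream carries the scanner's own SMTP banner, which is what distinguishes "proxy port open" from "proxy actually relays to port 25".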




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------

