
Thread: Being Scanned

  1. #21
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Maestr0
    You did by connecting to their mail server and attempting to relay mail through THEIR servers.
    Please.....if they don't want people to use their email service, the answer is simple, don't allow inbound SMTP. We weren't attempting to "relay" through THEIR servers, an email was sent to someone that subscribed to their ISP service, that is what triggered the scan.

    These scans are done only on those servers that have sent our subscriber base mail.
    This isn't like them rattling your doors to see if they are locked
    It's exactly like that.


    Cheers:
    DjM

  2. #22
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    It's more like I'm the mailman, delivering mail and then after I've left behind the mail, they come out and search me for contraband.
    Only if you bring a wheelbarrow of junkmail.
    If they are doing this, they are adding extra internet network traffic because every SMTP server that connects to them to relay messages is getting scanned. And there's enough extra crap running around the Internet that these guys shouldn't be doing it
    Are you serious MsM? Come on, I counted the list of ports. Thirty eight ports. So if we are using a full TCP connect scan you're looking at approximately 60-78 bytes per packet, 3 packets per port, about 8.5k of traffic. You have to be shitting me if you think that's more traffic than one spammer can send in 3 seconds (on dial-up). Look, I can go as far as to say it may be rude, but if I had a Canadian dollar for every time someone scanned an address on the network, I'd have my own plane. If someone on your network connects to an IRC server, and the IRC server performs a proxy check back, are you going to sue them too?
    Please.....if they don't want people to use their email service, the answer is simple, don't allow inbound SMTP.
    And if you don't want this crap in your logs then don't allow inbound connections from them. I'm sorry, I just don't see what the big deal is. I don't think attempting to connect to a service is rattling anything, it's like looking for an "open" sign, if the port is closed... fine. No further connections are made to that service.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  3. #23
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Come on, I counted the list of ports. Thirty eight ports. So if we are using a full TCP connect scan you're looking at approximately 60-78 bytes per packet, 3 packets per port, about 8.5k of traffic.
    Fair enough and only if they do one. What if other ISPs started doing this as well? And why 38 ports? Why not just scan for port 25 (since the concern is Spam Relay)? Why are they scanning all those ports? Fair enough they are saying Proxy but last I checked 23 wasn't proxy. So why not include 21 (FTP Bounce) or 22 (ssh hijacking)? or 12345/12346 (trojan)?

    If someone on your network connects to an IRC server, and the IRC server performs a proxy check back, are you going to sue them too?
    I never suggested suing them. I do however think that it's unnecessary. They are not the Internet police. It was not asked of them to do this. And, what stops them from going further than just a simple TCP Connect() scan? I know they say that they aren't interested in anything that DjM or others have but I have seen some scans cause machines to crash. Will they take responsibility for the potential DoS from that?

    It's fine if you think it's ok. I don't. When Spam first appeared in 1994/95 when I was on the Internet, it didn't have HTML in it. It was plain text. They said it doesn't take up much space and all you have to do is delete it. Look where we are today. I still don't agree with them doing this.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #24
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Well Maestr0 my friend, I see you have failed to see the point. If I came around rattling your doors and windows in the middle of the night, the very least I would expect is you chasing me down the street with a freaking baseball bat. If you choose to let every Tom, Dick & Harry scan your systems at any time for any reason, that is your call, go for it. By the way the 38 ports they say they scan generated approx. 150 to 175 entries in my firewall log, that leads me to believe they are taking multiple passes at the ports.
    I, on the other hand, hire people to do this under my supervision and within my policies and my timetable. I do not need some ISP on a crusade against spam to do it for me.

    I will, as stated before, continue to pursue this.


    Cheers:
    DjM
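
The log-count inference in the post above (38 listed ports, roughly 150 to 175 firewall entries) can be tested by separating retransmitted SYNs from separate connection attempts. This is an added example, not part of the thread; the iptables-style log lines are constructed, and treating a repeated source port as a retransmission of the same connect() is a heuristic assumption.

```python
import re
from collections import defaultdict

# Constructed sample: iptables-style drop log, documentation-range addresses.
SAMPLE_LOG = """\
02:10:01 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=23 SYN
02:10:04 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=23 SYN
02:10:10 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=23 SYN
02:10:01 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=80 SYN
02:10:04 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=80 SYN
02:25:30 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40117 DPT=80 SYN
02:10:02 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=3128 SYN
02:11:00 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=25 SYN
02:11:05 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=UDP SPT=5353 DPT=5353
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def summarize(log_text):
    """Per source: raw log entries, distinct ports, and estimated attempts."""
    entries = defaultdict(int)
    # src -> destination port -> set of source ports seen
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-TCP or unrelated line
        src, spt, dpt = m["src"], int(m["spt"]), int(m["dpt"])
        entries[src] += 1
        # Heuristic: same source port = SYN retransmit of one connect(),
        # a new source port = a separate connection attempt (another pass).
        seen[src][dpt].add(spt)
    report = {}
    for src, ports in seen.items():
        report[src] = {
            "log_entries": entries[src],
            "distinct_ports": len(ports),
            "connection_attempts": sum(len(s) for s in ports.values()),
            "max_passes": max(len(s) for s in ports.values()),
        }
    return report

if __name__ == "__main__":
    for src, stats in summarize(SAMPLE_LOG).items():
        print(src, stats)
```

When dropped SYNs are logged, `log_entries` can exceed `connection_attempts` without any extra pass by the scanner; `max_passes` above 1 is the figure that indicates a port was tried more than once.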

  5. #25
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  6. #26
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Maestr0,

    The first 3 aren't relevant IMHO since it's an ISP scanning Customers. Many ISP AUPs have clauses that say no servers and that they may scan networks to detect those servers. I see regular visits from my ISP looking for only NNTP, SMTP and Web servers (3 ports). I expect that and am aware of that. I can accept it because it's their network I pay to have the privilege of using.

    The last link points to someone else who evidently is having the same issue as DjM since the ports match and the letter is the same. And if you read the last one, you see that most of them didn't agree with the multiple scans issue. If it was one, fine but as was pointed out, implementation wasn't done right.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #27
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Well, my views might be old fashioned, but when I put a letter into the "snailbox" I don't expect the postman to come checking on me?

    If I sent 5000 letters, I would EXPECT someone to come checking.......assuming that I was not a registered business user?

    There really isn't much difference on the net IMHO...........DjM seems pissed off that one letter brings a scan............I really have to agree with him that it is gross over-reaction.

    If there are scans for every piece of mail sent these guys, then this is as bad as a worm?

    I also consider it to be the grossest bad manners and a demonstration of the crassest unprofessionalism I have encountered recently

    Haven't they got a few little code monkeys who could write something to trigger such activity on the basis of unacceptable volumes? If a relay is used you don't bother to spoof to protect it?

    Whatever happened to the concept of innocent until proven guilty?

    I bet the scum do business with anyone who will pay them money...........even if THEIR servers relay to bloody Mars?

    And why do they do it?..........to produce a warm feeling of care and attention?..bollocks!

    They want "to be seen to be doing something", rather than "achieving"

    Sound like a shower of bloody lamers to me

    Cheers

  8. #28
    I think everyone here has some very valuable points. I have to stand a little more on the side of Maestr0. My opinion is scans are a way of life on the net and I really feel you have to look at the intent of the person scanning to make a decision as to should I or should I not go after this person. The best thing you can do is block the scans and go on about your business.

    Well, my views might be old fashioned, but when I put a letter into the "snailbox" I don't expect the postman to come checking on me?
    It all depends on what that letter has in it nowadays. Your point is well taken though.

    There really isn't much difference on the net IMHO...........DjM seems pissed off that one letter brings a scan............I really have to agree with him that it is gross over-reaction.
    It may very well be that 1 server you don't check that spews mail at you the next day. A server that checks out ok today, may very well be out of compliance tomorrow. Not sure if I can agree totally with this statement, but again, I see your point.

    I've learned from this thread that some practices of organizations may be questionable and we see things a little differently as to how things should work, but a line has to be drawn in the sand so that we all "can just get along".

    I bet as soon as the government or some governing entity were to step in and deem scanning to be against the law, the folks who think so lowly of it in this case would have a change of heart. Why? Because the law has now limited your capabilities and the overall nature of the net.

    MsMittens, if someone has equipment at their network border that can't handle a simple scan, then shame on them. I'm not referring to the malicious scans that are meant to hose a router.

    I just think bringing litigation towards a company while knowing their intention (there goes that word again) is really going overboard. Yes, it (the scans) may be a little unprofessional and yes, the coding could probably be better. Save the court time for things that need to be there.

    DjM: as far as you rattling my windows and doors in the middle of the night.....well, I'll give you 10 paces and the buckshot will begin to fly...LOL.

    Don't flame me for my opinion, but it's this kind of visibility to topics that tend to make things happen that we don't necessarily want to happen, such as taking away certain rights that we may feel we need as security professionals. We really need to find out if we can in fact tolerate certain things. If the government steps in, then we are all screwed. I bet we can agree on that one.

    DjM: I say do whatever you have to do and I wish you the best of luck. Thanks for all the enlightenment in this thread. I was beginning to get a little bored with some of the topics.
    - Boyam


  9. #29
    I don't want to get into the debate over whether this is good or bad, but...

    I'm assuming this is automated....

    It seems to me if they were not careful about how they did this, they are leaving themselves open for a self-induced DDoS.

    If someone posts this on slashdot, and it makes the main page, and everybody on the main page sends them an email from their local machine smtp server....

    They probably have a big enough pipe to handle a lot of traffic, but, the coincidence of all those slashdot emails, and their automated scan back.... that could be BAD.
