[56792] in North American Network Operators' Group
Re: [Fwd: FC: Email a RoadRunner address, get scanned by their
Date: Sun, 16 Mar 2003 18:15:11 -0500 (EST)
From: jlewis@lewis.org
To: nanog@merit.edu
I got the following personal message from Mark Herrick of rr.com (which
I'm passing along with his permission/request). I hope (and I think he
hopes) that by passing it along, some questions can be answered and
misunderstandings explained.
In an additional message, he answered my question of "how does rr.com
security define 'network owner'?" with the following URL.
http://security.rr.com/subdelegation.htm
So as long as space is SWIPed or documented in a publicly accessible
rwhois server, if you're a contact for the IP block, you should be
accepted as the 'network owner'.
BTW...for the time being, rr.com has stopped SMTP relay testing and is
focusing entirely on finding and blocking mail from open proxies that have
been used to spam their customers.
---------- Forwarded message ----------
Date: Sun, 16 Mar 2003 12:56:30 -0500
From: "W. Mark Herrick, Jr." <markh@va.rr.com>
To: jlewis@lewis.org
Subject: Re: Your NANOG post
Hi Jon,
I was pointed to the thread on NANOG through another person, and I saw your
post on the Merit website (below).
As I'm not subscribed to NANOG, and unfortunately I am prohibited (from a
time resource standpoint, not administratively) from subscribing to that
list at this time, I thought that I'd comment on your post
specifically, since it touched on more than one area. If you are so
inclined, feel free to pass this along to NANOG, with my regards.
So, just to set one ground rule here - we're talking about proxy and relay
testing, not full-out penetration testing. With that in mind...
To directly answer your first paragraph, you are absolutely correct - we
have absolutely NO objection to open proxy or relay scanning of IP
addresses from a system that either:
1. Has spam in hand (a la MAPS RSS).
2. Has received a direct connection from our subscriber IP address or SMTP
server (a la AOL, Outblaze).
That being said, we have, and will continue to have, a severe issue with
so-called 'scanning services' that *proactively* scan IP addresses (e.g.,
DSBL), or services that accept requests from anywhere to perform
'on-demand' scans (e.g., hatcheck.org) without first requiring (and keeping
on hand) proof (e.g., spam-in-hand) that the IP address is a source of
spam, open to third party relay, or has an open proxy service.
At no time has Road Runner performed any PROACTIVE scanning on any IP
address that does not belong to Road Runner.
Furthermore, we perform no REACTIVE scanning unless it meets one of the
above criteria, and in addition, regardless of whether or not there has
EVER been an issue with the network, we will not REACTIVELY scan ANY IP
address when there is a request from the *network owner* that we do not do
so. We have no wish to be abusive, and as such, we limit scans of an IP to
one per week.
This is all clearly explained at http://security.rr.com.
You brought up another issue, which I *think* may be pointing to an
argument that I had with Ron Guilmette some time ago, when his service was
performing relay scans on our IP space or some such. I am fairly certain
that this argument took place because I viewed Ron's scans to be proactive
in nature.
Our stance on proactive scanning has not changed in the 5 years that I have
been with Road Runner.
Anyways, as far as your last statement - since the inception of our
scanning initiative (1st week in January), we have identified over 50,000
open proxy servers. The problem is big, it's only getting bigger, and it's
not going to go away, unfortunately.
Best,
Mark Herrick
Director - Operations Security
Road Runner
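The reactive-scanning rules Mark describes above (scan only with spam-in-hand or after a direct connection from the address, never when the documented network owner has opted out, and at most once per week per IP) are the kind of gate an abuse desk would put in front of a proxy/relay checker. The following is an added illustration of that gating logic, not Road Runner's code; the class and function names, the opt-out block, and the sample events are constructed for the example (it uses RFC 5737 documentation ranges), and it deliberately does not perform any network scan itself.

```python
# Added example (not Road Runner's code): decision gate for a *reactive*
# open-proxy/relay scanner following the rules stated in the message above.
# The opt-out list, IP addresses and events below are constructed for
# illustration only.
import ipaddress
from datetime import datetime, timedelta

SCAN_INTERVAL = timedelta(days=7)                    # "one per week"
ACCEPTED_EVIDENCE = {"spam_in_hand", "direct_connection"}   # the two criteria


class ReactiveScanGate:
    def __init__(self, opt_out_cidrs):
        # Blocks whose documented owner asked not to be scanned (assumed list,
        # in practice populated from SWIP/rwhois contacts who requested it).
        self.opt_out = [ipaddress.ip_network(c) for c in opt_out_cidrs]
        self.last_scan = {}                          # ip_address -> datetime

    def decide(self, ip, evidence, now):
        """Return (allowed, reason).

        Scan only when the evidence is one of the accepted kinds, the owner
        has not opted out, and at least SCAN_INTERVAL has passed since the
        last scan of this address. A permitted decision records the scan time.
        """
        addr = ipaddress.ip_address(ip)
        if evidence not in ACCEPTED_EVIDENCE:
            return False, "no proactive scanning: spam-in-hand or direct connection required"
        if any(addr in net for net in self.opt_out):
            return False, "network owner opted out"
        last = self.last_scan.get(addr)
        if last is not None and now - last < SCAN_INTERVAL:
            return False, "rate limit: already scanned within the last week"
        self.last_scan[addr] = now
        return True, "scan permitted"


def run_demo():
    """Walk a constructed sequence of events through the gate and return the
    list of allow/deny decisions in order."""
    gate = ReactiveScanGate(["203.0.113.0/24"])      # constructed opt-out block
    t0 = datetime(2003, 3, 16, 12, 0)
    events = [
        ("198.51.100.7", "direct_connection", t0),                     # allowed
        ("198.51.100.7", "spam_in_hand", t0 + timedelta(days=2)),      # rate-limited
        ("198.51.100.7", "spam_in_hand", t0 + timedelta(days=8)),      # allowed again
        ("203.0.113.9", "spam_in_hand", t0),                           # owner opted out
        ("192.0.2.44", "dnsbl_listing", t0),                           # not accepted evidence
    ]
    return [gate.decide(ip, ev, when)[0] for ip, ev, when in events]


if __name__ == "__main__":
    for ok in run_demo():
        print("scan" if ok else "skip")
```

The gate is stateful per address, so a second report inside the week is refused even when it carries fresh evidence; this mirrors the "one per week" limit rather than resetting on each new complaint. A third-party evidence source that the policy does not accept (a DNSBL listing in the demo) never triggers a scan, which is the distinction the message draws between reactive and proactive scanning.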