North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: [Fwd: FC: Email a RoadRunner address, get scanned by their

  • From: jlewis
  • Date: Sun Mar 16 18:19:39 2003

I got the following personal message from Mark Herrick of rr.com (which
I'm passing along with his permission/request).  I hope (and I think he
hopes) that by passing it along, some questions can be answered and
misunderstandings explained.

In an additional message, he answered my question of "how does rr.com 
security define 'network owner'?" with the following URL.

http://security.rr.com/subdelegation.htm

So as long as space is swipped or documented in a publicly accessible
rwhois server, if you're a contact for the IP block, you should be
accepted as the 'network owner'.

BTW...for the time being, rr.com has stopped SMTP relay testing and is
focusing entirely on finding and blocking mail from open proxies that have
been used to spam their customers.
 
---------- Forwarded message ----------
Date: Sun, 16 Mar 2003 12:56:30 -0500
From: "W. Mark Herrick, Jr." <[email protected]>
To: [email protected]
Subject: Re: Your NANOG post


Hi Jon,

I was pointed to the thread on NANOG through another person, and I saw your 
post on the Merit website (below).

As I'm not subscribed to NANOG, and unfortunately I am prohibited (from a 
time resource standpoint, not administratively) from subscribing to that 
list at this time, but I thought that I'd comment on your post 
specifically, since it touched on more than one area. If you are so 
included, feel free to pass this along to NANOG, with my regards.

So, just to set one ground rule here - we're talking about proxy and relay 
testing, not full-out penetration testing. With that in mind...

To directly answer your first paragraph, you are absolutely correct - we 
have absolutely NO objection to open proxy or relay scanning of IP 
addresses from a system that either:

1. Has spam in hand (a la MAPS RSS).
2. Has received a direct connection from our subscriber IP address or SMTP 
server (a la AOL, Outblaze).

That being said, we have, and will continue to have, a severe issue with 
so-called 'scanning services', that *proactively* scan IP addresses (e.g., 
DSBL), or services that accept requests from anywhere to perform 
'on-demand' scans (e.g., hatcheck.org) without first requiring (and keeping 
on hand) proof (e.g., spam-in-hand) that the IP address is a source of 
spam, open to third party relay, or has an open proxy service.

At no time has Road Runner performed any PROACTIVE scanning on any IP 
address that does not belong to Road Runner.

Furthermore, we perform no REACTIVE scanning unless it meets one of the 
above criteria, and in addition, regardless of whether or not there has 
EVER been an issue with the network, we will not REACTIVELY scan ANY IP 
address when there is a request from the *network owner* that we do not do 
so. We have no wish to be abusive, and as such, we limit scans of an IP to 
one per week.

This is all clearly explained at http://security.rr.com.

You brought up another issue, which I *think* may be pointing to an 
argument that I had with Ron Guilmette some time ago, when his service was 
performing relay scans on our IP space or some such. I am fairly certain 
that this argument took place because I viewed Ron's scans to be proactive 
in nature.

Our stance on proactive scanning has not changed in the 5 years that I have 
been with Road Runner.

Anyways, as far as your last statement - since the inception of our 
scanning initiative (1st week in January), we have identified over 50,000 
open proxy servers. The problem is big, it's only getting bigger, and it's 
not going to go away, unfortunately.

Best,
Mark Herrick
Director - Operations Security
Road Runner