North American Network Operators Group


Re: Extreme spam testing

  • From: Chris Lewis
  • Date: Mon Dec 22 13:35:12 2003

Robin Lynn Frank wrote:

> This is not the only list where this is occurring. It has been happening on the spamtools list, as well. We've now dropped them at the firewall. No loss to us.
It's worth commenting:

Triggering relay testing can occur in a number of different ways.

Some simply scan all IPs.

Some scan particular ranges.

Some scan an IP when they receive email from it. RR and AOL do this amongst biggies.

Some scan an IP when they receive suspicious/spam email from a given IP. We've done this from time to time. MANY other sites do this.

Many consider scanning to be abusive in and of itself, however, there is a considerable amount of agreement that "scanning with email in hand", or, more stringently, "scanning with spam in hand" is perfectly justified, as in "sending me email gives implicit permission to check that you're secure", or, "sending me spam gives permission to check that you're secure" respectively.

[Some people say "if they've sent you spam, why test? Simply blacklist!". Which is silly, because you end up blacklisting everyone sooner or later. By testing and not listing on a negative result, you have less chance of blocking a legitimate site.]

As another dimension, some people prefer to do very aggressive scanning - they'll test every combination of "tricks" that has been known to bypass anti-relay. Others try to avoid "tricks" that are likely to cause grief to the testee (e.g., avoiding double bounces).

Don't assume that the testers are specifically targeting mailing lists. Chances are that a NJABL person is on the lists, and is doing a "test if email or spam in hand".

[I don't know what NJABL's testing criteria are.]

In the scheme of things, such testing is relatively minor, even of the "obnoxious bounce to postmaster" variety. Tune your alarm system to ignore them. If you consider a dozen or two relay tests to be "extreme", I'd hate to think of what you'd think of _some_ other forms of vulnerability testing...

By blackholing the tester, you run a _significant_ risk of getting blacklisted, even if you don't relay or proxy. Some blacklists do that. [I don't think NJABL does, but others do.] Secondly, some of them use highly distributed testing. Like SORBS. You'll never get them all.

The spamming problem really has gotten so bad that many reputable organizations feel they have no choice but to test. It's a sign of the times. It's best to not get bent out of shape over it and adjust your processes to suit.

NJABL is reasonably well regarded. It's best not to play games with it; otherwise, you may end up getting blocked by all of its users. We're not using NJABL, but it is one of the ones we'd consider if some of our current ones went down. Some medium to large sites _do_ use it.

And don't expect a "we want to be blocked so we can discourage the use of blacklists" attitude to work anymore. From us, at best you'd get a whitelist entry. The spamming problem really _is_ that bad.
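An added example, not part of the post above, of the "tune your alarm system to ignore them" advice: a small Python filter that parses sendmail-style "Relaying denied" rejections (the sample log lines are constructed) and recognises a client that sweeps several recipient addressing forms, all denied, as a relay test rather than something worth paging on. The regex, the form names and the thresholds are my assumptions, not anything the post or NJABL specifies.

```python
import re
from collections import defaultdict

# Constructed, sendmail-style rejection lines; not taken from any real server.
SAMPLE_LOG = """\
Dec 22 13:35:12 mx sendmail[811]: hBMIZCa00811: ruleset=check_rcpt, arg1=<victim@example.org>, relay=[192.0.2.10], reject=550 5.7.1 <victim@example.org>... Relaying denied
Dec 22 13:35:13 mx sendmail[812]: hBMIZDa00812: ruleset=check_rcpt, arg1=<victim%example.org@mx.example.net>, relay=[192.0.2.10], reject=550 5.7.1 <victim%example.org@mx.example.net>... Relaying denied
Dec 22 13:35:14 mx sendmail[813]: hBMIZEa00813: ruleset=check_rcpt, arg1=<example.org!victim@mx.example.net>, relay=[192.0.2.10], reject=550 5.7.1 <example.org!victim@mx.example.net>... Relaying denied
Dec 22 13:35:15 mx sendmail[814]: hBMIZFa00814: ruleset=check_rcpt, arg1=<@mx.example.net:victim@example.org>, relay=[192.0.2.10], reject=550 5.7.1 <@mx.example.net:victim@example.org>... Relaying denied
Dec 22 13:40:01 mx sendmail[820]: hBMIeAa00820: ruleset=check_rcpt, arg1=<bob@example.org>, relay=[198.51.100.7], reject=550 5.7.1 <bob@example.org>... Relaying denied
"""

# Assumed line shape: recipient in arg1=<...>, client in relay=[ip], then the reject text.
LINE_RE = re.compile(r"arg1=<(?P<rcpt>[^>]*)>.*relay=\[(?P<ip>[\d.]+)\].*Relaying denied")

def addressing_form(rcpt):
    """Name the recipient syntax being exercised (the old relay 'tricks')."""
    if rcpt.startswith("@") and ":" in rcpt:
        return "source-route"
    local = rcpt.rsplit("@", 1)[0]
    if "%" in local:
        return "percent-hack"
    if "!" in local:
        return "bang-path"
    return "plain"

def summarize_denials(log_text):
    """Per client IP: number of denied relay attempts and the forms tried."""
    summary = defaultdict(lambda: {"attempts": 0, "forms": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = summary[m.group("ip")]
        entry["attempts"] += 1
        entry["forms"].add(addressing_form(m.group("rcpt")))
    return dict(summary)

def looks_like_relay_test(entry, min_attempts=3, min_forms=2):
    """Several addressing forms from one client, every one denied, is the
    signature of a relay tester; the server did its job, so suppress the alarm."""
    return entry["attempts"] >= min_attempts and len(entry["forms"]) >= min_forms

if __name__ == "__main__":
    for ip, entry in summarize_denials(SAMPLE_LOG).items():
        verdict = "relay test, suppress" if looks_like_relay_test(entry) else "review"
        print(ip, entry["attempts"], sorted(entry["forms"]), verdict)
```

Only denied attempts are counted here; a recipient in an external domain that was *accepted* from an outside client is the case that should still alarm, and that needs the from=/to= delivery lines rather than the check_rcpt rejections.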