North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Extreme spam testing

  • From: Chris Brenton
  • Date: Mon Dec 22 15:09:14 2003

On Mon, 2003-12-22 at 13:46, Andy Dills wrote:
> > Agreed. My spam is _my_ problem and fixing it should not include making
> > it everyone else's problem. Forget whether its legal, its pretty
> > inconsiderate as many environments flag this stuff as malicious so it
> > triggers alerts.
> Hmm...actually, YOUR spam is MY problem.
>  That's how this works.

Except its broken because the message in question was not spam. It was a
technical post to the NANOG mailing list that triggered the 100+ port
scan, as well as about 15 different variations attempting to relay
e-mail through my sever. Am I missing the Viagra ad that gets tacked to
the end of all NANOG posts? ;-)

> I applaud njabl.

I guess I don't. I can *totally* understand wanting to control the
amount of spam that an environment receives. I obviously deal with this
problem as well. I guess in my mind however I feel like the cost/burden
of dealing with that spam should be my responsibility, and I should not
expect legitimate organizations that are not part of the problem to
incur a financial impact due to my efforts.

For example their scans and probes would easily trigger an alert in most
environments (they did in mine and I'm by no means high security). This
means that a security analyst now has to check out the traces and see if
its a real attack. Then a decision has to be made as to how to deal with
it, which may well require (depending on policy) multiple resources. So
I end up spending money so njabl can try and reduce the amount of spam
they receive. Oh joy, oh rapture.

Also, I don't see this as a totally effective solution. This works if
the spam comes through an open relay, but fails if it does not. That
means you need some other layer of checking to deal with the non-relay
spam. Something like Spamassassin for example. Of course Spamassassin
can also easily deal with the open relay spam as well, without requiring
an obtrusive check back system.

Finally, I used to blacklist known spammer's IP addresses as well, but
stopped after I crunched some numbers. When you blacklist the spammers
IP, they don't give up and remove your address, they just keep trying.
The bandwidth lost to the retries (on average) is greater than the
bandwidth used to transmit the actual spam. So blocking spam saves you
some temporary disk space, but increase network utilization.

> If you have open relays, proxies, or whatnot, I want to know about it, so
> I can reject all mail from you.

Again, except I don't. If I transmit spam, I should expect to be poked
and probed. When one receives an unprovoked probe/attack like this, the
target is going to assume the source is hostile. Its not till you spend
time looking into it (in other words, burn $$$ on resources) that you
figure out that someone actually considers this pattern to be "a

>  If we have a single entitity that does all
> this scanning, we as individual entities do not need to scan ourselves.

This is going to sound really snippy, but who died and made then
god/goddess of the Internet? Where is the document trail empowering them
to be spam cops of the Internet with absolute authority to probe who
ever they see fit? 

Also, it does not quite work out that they are the only ones doing it
(see earlier thread on AOL). They just seem to be more aggressive than

> Therefore, njabl is REDUCING the number of people scanning your netblocks
> for proxies. If they didn't do it for me, I'd be doing it myself, along
> with numerous other networks.

I guess we can "agree to disagree" here as I'm not a "ends justifies the
means" type of person. I want to reduce the amount of spam I receive as
well, and certainly would not mind making the spammer's lives a bit more
difficult. I don't want to do that however at the cost of
annoying/sucking money out of legitimate Internet users.

> > As a follow up, it also looks like they did a pretty aggressive port
> > scan of my system. Not sure how checking Telnet, X-Windows or RADIUS
> > will tell them if I'm a spammer, but what ever.
> proxies, proxies, proxies.

Humm. This is something I have not run into before. Can you supply a URL
that explains how to relay mail though a Telnet or RADIUS server?

>  But like you say, "whatever". It's not like you
> would have noticed if you didn't obsessively scan your logfiles or have an
> IDS.

LOL! I see, this is my fault because I actually take steps to secure my
environment. ;-)

Thanks for the chuckle,