North American Network Operators Group


Re: Extreme spam testing

  • From: Chris Brenton
  • Date: Mon Dec 22 15:09:14 2003

On Mon, 2003-12-22 at 13:46, Andy Dills wrote:
>
> > Agreed. My spam is _my_ problem and fixing it should not include making
> > it everyone else's problem. Forget whether it's legal, it's pretty
> > inconsiderate as many environments flag this stuff as malicious so it
> > triggers alerts.
> 
> Hmm...actually, YOUR spam is MY problem.
>  That's how this works.

Except it's broken because the message in question was not spam. It was a
technical post to the NANOG mailing list that triggered the 100+ port
scan, as well as about 15 different variations attempting to relay
e-mail through my server. Am I missing the Viagra ad that gets tacked to
the end of all NANOG posts? ;-)

> I applaud njabl.

I guess I don't. I can *totally* understand wanting to control the
amount of spam that an environment receives. I obviously deal with this
problem as well. I guess in my mind however I feel like the cost/burden
of dealing with that spam should be my responsibility, and I should not
expect legitimate organizations that are not part of the problem to
incur a financial impact due to my efforts.

For example, their scans and probes would easily trigger an alert in most
environments (they did in mine and I'm by no means high security). This
means that a security analyst now has to check out the traces and see if
it's a real attack. Then a decision has to be made as to how to deal with
it, which may well require (depending on policy) multiple resources. So
I end up spending money so njabl can try and reduce the amount of spam
they receive. Oh joy, oh rapture.

Also, I don't see this as a totally effective solution. This works if
the spam comes through an open relay, but fails if it does not. That
means you need some other layer of checking to deal with the non-relay
spam. Something like Spamassassin for example. Of course Spamassassin
can also easily deal with the open relay spam as well, without requiring
an obtrusive check back system.

Finally, I used to blacklist known spammers' IP addresses as well, but
stopped after I crunched some numbers. When you blacklist the spammer's
IP, they don't give up and remove your address, they just keep trying.
The bandwidth lost to the retries (on average) is greater than the
bandwidth used to transmit the actual spam. So blocking spam saves you
some temporary disk space, but increases network utilization.

> If you have open relays, proxies, or whatnot, I want to know about it, so
> I can reject all mail from you.

Again, except I don't. If I transmit spam, I should expect to be poked
and probed. When one receives an unprovoked probe/attack like this, the
target is going to assume the source is hostile. It's not till you spend
time looking into it (in other words, burn $$$ on resources) that you
figure out that someone actually considers this pattern to be "a
feature".

>  If we have a single entitity that does all
> this scanning, we as individual entities do not need to scan ourselves.

This is going to sound really snippy, but who died and made them
god/goddess of the Internet? Where is the document trail empowering them
to be spam cops of the Internet with absolute authority to probe whoever
they see fit?

Also, it does not quite work out that they are the only ones doing it
(see earlier thread on AOL). They just seem to be more aggressive than
most. 

> Therefore, njabl is REDUCING the number of people scanning your netblocks
> for proxies. If they didn't do it for me, I'd be doing it myself, along
> with numerous other networks.

I guess we can "agree to disagree" here as I'm not a "ends justifies the
means" type of person. I want to reduce the amount of spam I receive as
well, and certainly would not mind making the spammer's lives a bit more
difficult. I don't want to do that however at the cost of
annoying/sucking money out of legitimate Internet users.

> > As a follow up, it also looks like they did a pretty aggressive port
> > scan of my system. Not sure how checking Telnet, X-Windows or RADIUS
> > will tell them if I'm a spammer, but whatever.
> 
> proxies, proxies, proxies.

Humm. This is something I have not run into before. Can you supply a URL
that explains how to relay mail through a Telnet or RADIUS server?

>  But like you say, "whatever". It's not like you
> would have noticed if you didn't obsessively scan your logfiles or have an
> IDS.

LOL! I see, this is my fault because I actually take steps to secure my
environment. ;-)

Thanks for the chuckle,
C
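The post describes an analyst having to work through the traces of "15 different variations attempting to relay e-mail" to decide whether they were an attack. The following is an added example, not code from the thread or from njabl, of how a defender can pull that pattern out of mail logs automatically: it uses a constructed, simplified log format, an assumed local domain of example.com, and constructed sample lines, and flags a client that tries many distinct sender/recipient combinations for relaying within a short window, while leaving a single misaddressed message alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed, simplified MTA log format for this example (not a real MTA's):
# <ISO timestamp> src=<client IP> from=<sender> to=<recipient> status=<result>
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) from=<(?P<sender>[^>]*)> "
                    r"to=<(?P<rcpt>[^>]*)> status=(?P<status>\S+)$")
LOCAL_DOMAINS = {"example.com"}  # assumed: domains this MTA accepts mail for
# Constructed sample: one client cycling sender/recipient combinations to see
# whether the server relays, a normal inbound delivery, and one stray attempt.
SAMPLE_LOG = """\
2003-12-22T13:46:01 src=203.0.113.5 from=<> to=<probe@example.net> status=relay-denied
2003-12-22T13:46:02 src=203.0.113.5 from=<test@example.com> to=<probe@example.net> status=relay-denied
2003-12-22T13:46:03 src=203.0.113.5 from=<test@example.net> to=<probe@example.net> status=relay-denied
2003-12-22T13:46:04 src=203.0.113.5 from=<test@example.com> to=<probe@example.org> status=relay-denied
2003-12-22T13:46:05 src=203.0.113.5 from=<test@example.org> to=<probe@example.org> status=relay-denied
2003-12-22T13:47:10 src=198.51.100.7 from=<alice@example.net> to=<bob@example.com> status=accepted
2003-12-22T13:48:30 src=198.51.100.9 from=<carol@example.org> to=<dave@example.net> status=relay-denied
"""

def parse_line(line):
    """Fields of one log line (timestamp parsed), or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def is_relay_attempt(rec):
    """A recipient outside our local domains means the client asked us to relay."""
    return rec["rcpt"].rpartition("@")[2].lower() not in LOCAL_DOMAINS

def relay_variations(lines):
    """Per source IP: distinct (sender, recipient) pairs used in relay attempts
    and the first/last time they were seen."""
    stats = defaultdict(lambda: {"pairs": set(), "first": None, "last": None})
    for rec in filter(None, map(parse_line, lines)):
        if not is_relay_attempt(rec):
            continue
        s = stats[rec["src"]]
        s["pairs"].add((rec["sender"].lower(), rec["rcpt"].lower()))
        s["first"] = min(filter(None, [s["first"], rec["ts"]]))
        s["last"] = max(filter(None, [s["last"], rec["ts"]]))
    return stats

def flag_relay_probers(lines, min_variations=5, window=timedelta(minutes=10)):
    """Sources that tried at least min_variations distinct relay combinations
    inside one window: a relay-test pattern, not a single misaddressed message."""
    return sorted(src for src, s in relay_variations(lines).items()
                  if len(s["pairs"]) >= min_variations and s["last"] - s["first"] <= window)
```

Tune `min_variations` and `window` to your own traffic; the point is that the count of distinct combinations from one client, not any single rejected RCPT, is what separates a relay test from ordinary misdelivery.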