North American Network Operators Group


Re: Extreme spam testing

  • From: Matthew Sullivan
  • Date: Mon Dec 22 15:19:59 2003

Speaking as and for SORBS (another hated and loved antispam bl)..

Chris Lewis wrote:

It's worth commenting:

Triggering relay testing can occur in a number of different ways.

Some simply scan all IPs.
I consider this abuse and don't do it.

Some scan particular ranges.
Same as above ;-)

Some scan an IP when they receive email from it. RR and AOL do this amongst biggies.
This is what SORBS started doing - now the volume is so high, and the number of ports to check (and ways to check them) are so large I cannot do it.

Some scan an IP when they receive suspicious/spam email from a given IP. We've done this from time to time. MANY other sites do this.
This is what SORBS does now. If we receive a mail to a SORBS feeder server with a SpamAssassin score of 5 or more, we automatically scan the host for proxies and relays.

Many consider scanning to be abusive in and of itself, however, there is a considerable amount of agreement that "scanning with email in hand", or, more stringently, "scanning with spam in hand" is perfectly justified, as in "sending me email gives implicit permission to check that you're secure", or, "sending me spam gives permission to check that you're secure" respectively.

[Some people say "if they've sent you spam, why test? Simply blacklist!". Which is silly, because you end up blacklisting everyone sooner or later. By testing and not listing on a negative result, you have less chance of blocking a legitimate site.]
SORBS scans after listing with 'spam in hand' for a number of reasons....

1/ Not everyone uses the spam DB for blocking (eg: I use it for weighting at the ISP I run - I use it for blocking on my home mail)
2/ People listed will demand delisting immediately regardless (they don't care - it's their "right to send email"), and if they have an open proxy/relay, telling them to fix that first is the best way of stopping future spam.
3/ Proxy and relay scanning takes on average 2 hours per host (purely because we don't want to crash it, or the testers for that matter). SORBS updates every 20 minutes.

As another dimension, some people prefer to do very aggressive scanning - they'll test every combination of "tricks" that has been known to bypass anti-relay. Others try to avoid "tricks" that are likely to cause grief to the testee (eg: avoiding double bounces).
We do 19 relay tests, and we perform them twice, with 2 sets of to and from data. Some of our tests cause bounces - we do try to avoid upsetting people, but the 'from [email protected]' test is an important one, so we do use it. The test message does include a detailed description of what it is and who to contact if there is a problem though.

In the scheme of things, such testing is relatively minor, even of the "obnoxious bounce to postmaster" variety. Tune your alarm system to ignore them. If you consider a dozen or two relay tests to be "extreme", I'd hate to think of what you'd think of _some_ other forms of vulnerability testing...
wait till he triggers SORBS - it starts with a full port scan... :-/

By blackholing the tester, you run a _significant_ risk of getting blacklisted, even if you don't relay or proxy. Some blacklists do that. [I don't think NJABL does, but others do.] Secondly, some of them use highly distributed testing. Like SORBS. You'll never get them all.
That's right, and if SORBS detects firewalling to avoid open-relay detection you get listed as a test blocker in the system, and should you get listed for spam, you will find it near on impossible to get out (even if it was one of your users) - just because you are considered to be someone 'hiding something'.

SORBS makes a point of being up front and port scanning uses no stealth features of nmap. It also doesn't do stealth testing.

The spamming problem really has gotten so bad that many reputable organizations feel they have no choice but to test. It's a sign of the times. It's best to not get bent out of shape over it and adjust your processes to suit.

NJABL is reasonably well regarded. It's best not to play games with it, otherwise, you may end up getting blocked by all of its users. We're not using NJABL, but it is one of the ones we'd consider if some of our current ones went down. Some medium to large sites _do_ use it.

And don't expect a "we want to be blocked so we can discourage the use of blacklists" attitude to work anymore. From us, at best you'd get a whitelist entry. The spamming problem really _is_ that bad.

...and I'll be a very happy man the day I shut down SORBS because spam is no longer an issue. I might get a life then.

/ Mat
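The thread above talks about relay tests of the "MAIL FROM postmaster, RCPT TO a foreign domain" kind and about the bounces some of them cause. The following is an added example, not code from this thread nor from SORBS or NJABL: a minimal open-relay self-check that speaks the SMTP dialogue up to RCPT TO, classifies the reply, and then sends RSET/QUIT so nothing is ever queued and the check itself cannot generate a bounce. It is meant for verifying that your own MTA refuses to relay; to keep it runnable offline it talks to an in-process toy MTA. LOCAL_DOMAIN, FOREIGN_RCPT and the toy server are constructed for this example and are not values from the thread.

```python
# Added example, not code from the NANOG thread or from SORBS/NJABL: a minimal
# open-relay self-check. Point relay_accepted() at your own MTA to confirm it
# refuses to relay; here it runs against a constructed in-process toy MTA.
# LOCAL_DOMAIN, FOREIGN_RCPT and the toy server are assumptions for this example.
import socket
import threading

LOCAL_DOMAIN = "example.com"           # domain the toy MTA accepts mail for (constructed)
FOREIGN_RCPT = "someone@example.net"   # recipient a locked-down MTA must refuse (constructed)


def _reply_code(rf):
    """Read one SMTP reply (multi-line replies use 'NNN-' continuation lines) and return its code."""
    while True:
        line = rf.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("server closed the connection mid-dialogue")
        if len(line) < 4 or line[3] != "-":
            return int(line[:3])


def relay_accepted(host, port, mail_from, rcpt_to, timeout=5.0):
    """True if the MTA answers RCPT TO:<rcpt_to> with a 2xx code, i.e. it would relay.

    The dialogue stops at RCPT TO and then sends RSET/QUIT, so no message is
    queued and the check cannot cause a bounce.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        rf, wf = s.makefile("rb"), s.makefile("wb")

        def send(cmd):
            wf.write((cmd + "\r\n").encode("ascii"))
            wf.flush()
            return _reply_code(rf)

        _reply_code(rf)                        # 220 banner
        send("HELO relaycheck.invalid")
        send(f"MAIL FROM:<{mail_from}>")
        code = send(f"RCPT TO:<{rcpt_to}>")    # the decisive answer
        send("RSET")
        send("QUIT")
        return 200 <= code < 300


def _toy_mta(listener, open_relay):
    """Constructed stand-in for an MTA: relays everything if open_relay, else only LOCAL_DOMAIN."""
    conn, _ = listener.accept()
    with conn:
        rf, wf = conn.makefile("rb"), conn.makefile("wb")
        wf.write(b"220 toy.example.com ESMTP\r\n")
        wf.flush()
        for raw in rf:
            cmd = raw.decode("ascii", "replace").strip()
            upper = cmd.upper()
            if upper.startswith("RCPT TO:"):
                addr = cmd.split(":", 1)[1].strip().strip("<>")
                local = addr.rsplit("@", 1)[-1].lower() == LOCAL_DOMAIN
                wf.write(b"250 2.1.5 OK\r\n" if (open_relay or local)
                         else b"550 5.7.1 Relaying denied\r\n")
            elif upper == "QUIT":
                wf.write(b"221 2.0.0 Bye\r\n")
                wf.flush()
                break
            else:
                wf.write(b"250 2.0.0 OK\r\n")
            wf.flush()


def check_toy_mta(open_relay, rcpt_to=FOREIGN_RCPT):
    """Start the toy MTA on a loopback port and run the relay check against it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_toy_mta, args=(listener, open_relay), daemon=True)
    t.start()
    try:
        return relay_accepted("127.0.0.1", port, f"postmaster@{LOCAL_DOMAIN}", rcpt_to)
    finally:
        t.join(5)
        listener.close()


if __name__ == "__main__":
    print("open relay  :", check_toy_mta(True))                              # True
    print("locked down :", check_toy_mta(False))                             # False
    print("local rcpt  :", check_toy_mta(False, f"user@{LOCAL_DOMAIN}"))     # True
```

A real MTA may defer the relay decision until DATA or apply it per HELO/envelope sender, which is why the post speaks of running many from/to combinations; this check exercises one combination and reads only the RCPT TO code, so treat a 2xx here as "investigate", not as proof.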