Stealth Blocking

David Schwartz davids at webmaster.com
Thu May 24 09:16:38 UTC 2001



Jon Lewis wrote:

> What's so bad about pre-emptive open-relay scanning?  What's the
> difference between an open-relay found/used by a spammer and added to the
> RSS and an open-relay found by pre-emptive scanner and added to the RSS?
> Both sites are likely sources of relay spam.

	What's so bad about pre-emptive open-relay scanning is that if you feel
that is justified, you pretty much have accepted that anybody who pleases
may scan anybody else's network for any weakness he or she would like to
probe for. And if someone else probed 40,000 of your hosts each for 500
vulnerabilities, you would have to accept the prober's answer that there's
nothing wrong with pre-emptive scanning. After all, if someone else gets
root on your system, it's a potential threat to him. I am not happy with
that result.

	The difference between an open-relay found/used by a spammer and a
pre-emptive scanner is the difference between attack and defense, the
difference between searching everyone and searching only those people who
you have reason to believe pose a threat. If somebody attacks your network
from a machine, you are (at least in my opinion) perfectly justified in
running some scans against the attacking machine to better determine who
might be responsible for the attack and what type of attack it's likely to
be.

	However, I certainly do agree that both sites might be likely sources of
spam. I say might be because a well-managed relay might appear open to
innocent probers and might pose very little threat of being used as a major
spam source. This is really the same problem as IP source spoofing -- the
problem is so serious that people have felt justified in taking drastic
measures that block legitimate traffic. And again, like in IP source
spoofing, the complexity of the right fix is such that 'quick fixes' are
likely to become de-facto permanent operational changes.

	DS

More information about the NANOG mailing list