Extreme spam testing

Chris Lewis clewis at nortelnetworks.com
Mon Dec 22 18:30:19 UTC 2003

Robin Lynn Frank wrote:

> This is not the only list where this is occurring.  It has been happening on 
> the spamtools list, as well.  We've now dropped them at the firewall.  No 
> loss to us.

It's worth commenting:

Triggering relay testing can occur in a number of different ways.

Some simply scan all IPs.

Some scan particular ranges.

Some scan an IP when they receive email from it.  RR and AOL do this 
amongst biggies.

Some scan an IP when they receive suspicious/spam email from a given IP. 
We've done this from time to time.  MANY other sites do this.

Many consider scanning to be abusive in and of itself, however, there is 
a considerable amount of agreement that "scanning with email in hand", 
or, more stringently, "scanning with spam in hand" is perfectly 
justified, as in "sending me email gives implicit permission to check 
that you're secure", or, "sending me spam gives permission to check that 
you're secure" respectively.

[Some people say "if they've sent you spam, why test?  Simply 
blacklist!".  Which is silly, because you end up blacklisting everyone 
sooner or later.  By testing and not listing on a negative result, you 
have less chance of blocking a legitimate site.]

As another dimension, some people prefer to do very aggressive scanning 
- they'll test every combination of "tricks" that has been known to 
bypass anti-relay.  Others try to avoid "tricks" that are likely to 
cause grief to the testee (e.g. avoiding double bounces).

Don't assume that the testers are specifically targeting mailing lists. 
Chances are that a NJABL person is on the lists, and is doing a "test if 
email or spam in hand".

[I don't know what NJABL's testing criteria are.]

In the scheme of things, such testing is relatively minor, even of the 
"obnoxious bounce to postmaster" variety.  Tune your alarm system to 
ignore them.  If you consider a dozen or two relay tests to be 
"extreme", I'd hate to think of what you'd think of _some_ other forms 
of vulnerability testing...

By blackholing the tester, you run a _significant_ risk of getting 
blacklisted, even if you don't relay or proxy.  Some blacklists do that. 
[I don't think NJABL does, but others do.]  Secondly, some of them use 
highly distributed testing.  Like SORBS.  You'll never get them all.

The spamming problem really has gotten so bad that many reputable 
organizations feel they have no choice but to test.  It's a sign of the 
times.  It's best to not get bent out of shape over it and adjust your 
processes to suit.

NJABL is reasonably well regarded.  It's best not to play games with it, 
otherwise, you may end up getting blocked by all of its users. We're not 
using NJABL, but it is one of the ones we'd consider if some of our 
current ones went down. Some medium to large sites _do_ use it.

And don't expect a "we want to be blocked so we can discourage the use 
of blacklists" attitude to work anymore.  From us, at best you'd get a 
whitelist entry.  The spamming problem really _is_ that bad.
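The post's practical advice is to tune the alarm system so a burst of rejected relay attempts from one source is logged as a relay probe rather than paged as an incident. The following is an added example, not code from the post or from NANOG, of how a receiving site could do that over its own MTA log. It assumes sendmail-style "Relaying denied" rejection lines (the sample lines below are constructed for the example, with documentation-range addresses) and a hypothetical threshold of five distinct rejected recipients from one IP inside ten minutes; both the format and the thresholds are assumptions to adapt to the local MTA.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: six rejected relay attempts from one IP in a
# short burst (what a relay tester looks like to the receiving side), one
# isolated rejection from a second IP, and one unrelated delivery line.
SAMPLE_LOG = """\
Dec 22 18:30:01 mx1 sm-mta[4101]: hBMIU1a04101: ruleset=check_rcpt, arg1=<victim@example.org>, relay=[192.0.2.10], reject=550 5.7.1 <victim@example.org>... Relaying denied
Dec 22 18:30:04 mx1 sm-mta[4102]: hBMIU4a04102: ruleset=check_rcpt, arg1=<victim@example.com>, relay=[192.0.2.10], reject=550 5.7.1 <victim@example.com>... Relaying denied
Dec 22 18:30:09 mx1 sm-mta[4103]: hBMIU9a04103: ruleset=check_rcpt, arg1=<test1@example.org>, relay=[192.0.2.10], reject=550 5.7.1 <test1@example.org>... Relaying denied
Dec 22 18:30:15 mx1 sm-mta[4104]: hBMIUFa04104: ruleset=check_rcpt, arg1=<test2@example.org>, relay=[192.0.2.10], reject=550 5.7.1 <test2@example.org>... Relaying denied
Dec 22 18:30:22 mx1 sm-mta[4105]: hBMIUMa04105: ruleset=check_rcpt, arg1=<test3@example.org>, relay=[192.0.2.10], reject=550 5.7.1 <test3@example.org>... Relaying denied
Dec 22 18:30:40 mx1 sm-mta[4106]: hBMIUea04106: ruleset=check_rcpt, arg1=<test4@example.org>, relay=[192.0.2.10], reject=550 5.7.1 <test4@example.org>... Relaying denied
Dec 22 18:31:02 mx1 sm-mta[4107]: hBMIV2a04107: to=<alice@example.net>, delay=00:00:01, mailer=local, stat=Sent
Dec 22 18:45:10 mx1 sm-mta[4130]: hBMIjAa04130: ruleset=check_rcpt, arg1=<someone@example.org>, relay=[198.51.100.7], reject=550 5.7.1 <someone@example.org>... Relaying denied
"""

# Matches only the rejection lines we care about: timestamp, recipient, source IP.
DENIAL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+: ruleset=check_rcpt, "
    r"arg1=<([^>]*)>, relay=\[([\d.]+)\], reject=550 .*Relaying denied$"
)


def parse_relay_denials(text, year=2003):
    """Return (timestamp, source_ip, recipient) for every 'Relaying denied' line.

    syslog timestamps carry no year, so the caller supplies it (assumption:
    the whole log comes from one year)."""
    events = []
    for line in text.splitlines():
        m = DENIAL_RE.match(line)
        if not m:
            continue  # unrelated log line, e.g. normal deliveries
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(3), m.group(2)))
    return events


def classify(events, window=timedelta(minutes=10), min_attempts=5):
    """Label each source IP.

    'relay-probe': many distinct recipients rejected within a short window,
                   i.e. a relay test that our server passed; log it, don't page.
    'alert':       anything else; a stray rejection may be a misconfigured
                   legitimate sender and deserves a human look."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in events:
        by_ip[ip].append((ts, rcpt))

    labels = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        span = attempts[-1][0] - attempts[0][0]
        distinct_rcpts = len({rcpt for _, rcpt in attempts})
        burst = len(attempts) >= min_attempts and span <= window
        labels[ip] = "relay-probe" if burst and distinct_rcpts >= min_attempts else "alert"
    return labels


def summarize(text, year=2003):
    """Convenience wrapper: parse, classify, and return the label map."""
    return classify(parse_relay_denials(text, year))


if __name__ == "__main__":
    for ip, label in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:16} {label}")
```

The threshold works because a relay tester has to try several recipient forms to get a verdict, while a single rejected recipient from an otherwise quiet host looks different. Note that every matched line is a rejection: if the server had accepted one of the attempts there would be no "Relaying denied" to parse, which is the case the post says you should actually worry about.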

More information about the NANOG mailing list