Extreme spam testing
clewis at nortelnetworks.com
Mon Dec 22 18:30:19 UTC 2003
Robin Lynn Frank wrote:
> This is not the only list where this is occurring. It has been happening on
> the spamtools list, as well. We've now dropped them at the firewall. No
> loss to us.
It's worth commenting:
Triggering relay testing can occur in a number of different ways.
Some simply scan all IPs.
Some scan particular ranges.
Some scan an IP when they receive email from it. RR and AOL do this.
Some scan an IP when they receive suspicious/spam email from a given IP.
We've done this from time to time. MANY other sites do this.
Many consider scanning to be abusive in and of itself, however, there is
a considerable amount of agreement that "scanning with email in hand",
or, more stringently, "scanning with spam in hand" is perfectly
justified, as in "sending me email gives implicit permission to check
that you're secure", or, "sending me spam gives permission to check that
you're secure" respectively.
[Some people say "if they've sent you spam, why test? Simply
blacklist!". Which is silly, because you end up blacklisting everyone
sooner or later. By testing and not listing on a negative result, you
have less chance of blocking a legitimate site.]
As another dimension, some people prefer to do very aggressive scanning
- they'll test every combination of "tricks" that has been known to
bypass anti-relay. Others try to avoid "tricks" that are likely to
cause grief to the testee (eg: avoiding double bounces).
Don't assume that the testers are specifically targeting mailing lists.
Chances are that a NJABL person is on the lists, and is doing a "test if
email or spam in hand".
[I don't know what NJABL's testing criteria are.]
In the scheme of things, such testing is relatively minor, even of the
"obnoxious bounce to postmaster" variety. Tune your alarm system to
ignore them. If you consider a dozen or two relay tests to be
"extreme", I'd hate to think of what you'd think of _some_ other forms
of vulnerability testing...
By blackholing the tester, you run a _significant_ risk of getting
blacklisted, even if you don't relay or proxy. Some blacklists do that.
[I don't think NJABL does, but others do.] Secondly, some of them use
highly distributed testing. Like SORBS. You'll never get them all.
The spamming problem really has gotten so bad that many reputable
organizations feel they have no choice but to test. It's a sign of the
times. It's best to not get bent out of shape over it and adjust your
processes to suit.
NJABL is reasonably well regarded. It's best not to play games with it,
otherwise, you may end up getting blocked by all of its users. We're not
using NJABL, but it is one of the ones we'd consider if some of our
current ones went down. Some medium to large sites _do_ use it.
And don't expect a "we want to be blocked so we can discourage the use
of blacklists" attitude to work anymore. From us, at best you'd get a
whitelist entry. The spamming problem really _is_ that bad.
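The kind of "scanning with email in hand" relay test the post describes, written out as an added example that is not from the original post and not the code NJABL, SORBS or any other list actually used. The probe tries a plain third-party recipient plus the classic source-routing "tricks" (percent hack, quoted local part, RFC 821 source route, bang path, doubled @) and records which ones the server accepts at RCPT TO. It deliberately stops before DATA and resets after every recipient, which is the "avoid causing grief to the testee" variant the post mentions: even a wide-open relay queues nothing and sends no bounce to its postmaster. The sender, recipient and MTA names are constructed placeholders, and the two in-process stand-in MTAs (one open, one with a plain anti-relay rule) exist only so the example runs offline; point the probe only at hosts you have standing to test.

```python
import socket
import threading

# Constructed placeholders for this example: the tester's own identity, the
# external mailbox it tries to reach, and the name of the MTA under test.
TEST_SENDER = "relaytest@example.net"
TARGET_USER = "relaytest"
TARGET_DOMAIN = "example.org"
LOCAL_DOMAIN = "mx.example.com"


def relay_probe_recipients(relay_name):
    """RCPT TO arguments to try: a plain external address plus the classic
    source-routing forms that once slipped past naive anti-relay rules."""
    u, d = TARGET_USER, TARGET_DOMAIN
    return [
        f"<{u}@{d}>",                     # plain third-party recipient
        f"<{u}%{d}@{relay_name}>",        # percent hack
        f'<"{u}@{d}"@{relay_name}>',      # quoted local part
        f"<@{relay_name}:{u}@{d}>",       # RFC 821 source route
        f"<{d}!{u}@{relay_name}>",        # UUCP bang path
        f"<{u}@{d}@{relay_name}>",        # doubled @
    ]


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply and return its numeric code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) >= 4 and line[3] != "-":
            return int(line[:3])


def _cmd(sock, f, line):
    sock.sendall((line + "\r\n").encode("ascii"))
    return _read_reply(f)


def probe_relay(host, port, relay_name):
    """Return the recipient forms the server accepted at RCPT TO.

    The probe never issues DATA and resets after every recipient, so even an
    open relay queues no message and generates no bounce to its postmaster."""
    accepted = []
    with socket.create_connection((host, port), timeout=10) as sock:
        f = sock.makefile("r", encoding="ascii", errors="replace")
        if _read_reply(f) != 220:
            return accepted
        _cmd(sock, f, "HELO relaytest.example.net")
        for rcpt in relay_probe_recipients(relay_name):
            if _cmd(sock, f, f"MAIL FROM:<{TEST_SENDER}>") != 250:
                continue
            if 200 <= _cmd(sock, f, f"RCPT TO:{rcpt}") < 300:
                accepted.append(rcpt)
            _cmd(sock, f, "RSET")
        _cmd(sock, f, "QUIT")
    return accepted


def _fake_mta_accepts(rcpt, open_relay):
    """Anti-relay decision of the stand-in server: an open relay takes anything;
    a closed one only takes a plain mailbox in its own domain."""
    if open_relay:
        return True
    local, sep, domain = rcpt.strip("<>").rpartition("@")
    return sep == "@" and domain == LOCAL_DOMAIN and not any(c in local for c in '%@!":')


def start_fake_mta(open_relay):
    """Start a one-connection SMTP stand-in on 127.0.0.1 and return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("r", encoding="ascii", errors="replace") as f:
            conn.sendall(b"220 mx.example.com ESMTP demo\r\n")
            for line in f:
                verb, _, arg = line.strip().partition(" ")
                if verb.upper() == "QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                if verb.upper() == "RCPT":
                    ok = _fake_mta_accepts(arg.partition(":")[2], open_relay)
                    conn.sendall(b"250 ok\r\n" if ok else b"550 relaying denied\r\n")
                else:
                    conn.sendall(b"250 ok\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Probe an open and a closed stand-in MTA; returns {label: accepted forms}."""
    return {
        label: probe_relay("127.0.0.1", start_fake_mta(open_relay), LOCAL_DOMAIN)
        for label, open_relay in (("open relay", True), ("closed relay", False))
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {len(hits)} recipient form(s) accepted", hits)
```

Against the open stand-in all six forms come back 250; against the closed one all six are refused at RCPT with a 550, and in neither case is anything queued. The rejection logic in `_fake_mta_accepts` is only the demo's own rule, not a model of any real MTA; what a real tester looks for is exactly the gap between "accepts the plain form" and "accepts one of the routed forms".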