Extreme spam testing

Matthew Sullivan matthew at sorbs.net
Mon Dec 22 20:15:47 UTC 2003

Speaking as and for SORBS (another hated and loved antispam bl)..

Chris Lewis wrote:

> It's worth commenting:
> Triggering relay testing can occur in a number of different ways.
> Some simply scan all IPs. 

I consider this abuse and don't do it.

> Some scan particular ranges. 

Same as above ;-)

> Some scan an IP when they receive email from it.  RR and AOL do this 
> amongst biggies. 

This is what SORBS started doing - now the volume is so high, and the 
number of ports to check (and ways to check them) is so large I cannot 
do it.

> Some scan an IP when they receive suspicious/spam email from a given 
> IP. We've done this from time to time.  MANY other sites do this. 

This is what SORBS does now.  If we receive a mail to a SORBS feeder 
server with a spam assassin score of 5 or more, we automatically scan 
the host for proxies and relays.

> Many consider scanning to be abusive in and of itself, however, there 
> is a considerable amount of agreement that "scanning with email in 
> hand", or, more stringently, "scanning with spam in hand" is perfectly 
> justified, as in "sending me email gives implicit permission to check 
> that you're secure", or, "sending me spam gives permission to check 
> that you're secure" respectively.
> [Some people say "if they've sent you spam, why test?  Simply 
> blacklist!".  Which is silly, because you end up blacklisting everyone 
> sooner or later.  By testing and not listing on a negative result, you 
> have less chance of blocking a legitimate site.] 

SORBS scans after listing with 'spam in hand' for a number of reasons....

1/ Not everyone uses the spam DB for blocking (eg: I use it for 
weighting at the ISP I run - I use it for blocking on my home mail)
2/ People listed will demand delisting immediately regardless (they 
don't care - it's their "right to send email"), and if they have an open 
proxy/relay, telling them to fix that first is the best way of stopping 
future spam.
3/ Proxy and relay scanning takes on average 2 hours per host (purely 
because we don't want to crash it, or the testers for that matter).  
SORBS updates every 20 minutes.

> As another dimension, some people prefer to do very aggressive 
> scanning - they'll test every combination of "tricks" that has been 
> known to bypass anti-relay.  Others try to avoid "tricks" that are 
> likely to cause grief to the testee (eg: avoiding double bounces). 

We do 19 relay tests, and we perform them twice with 2 sets of to and from 
data.  Some of our tests cause bounces - we do try to avoid upsetting 
people, but the 'from postmaster at domain' test is an important one, so we 
do use it.  The test message does include a detailed description of what 
it is and who to contact if there is a problem though.

> In the scheme of things, such testing is relatively minor, even of the 
> "obnoxious bounce to postmaster" variety.  Tune your alarm system to 
> ignore them.  If you consider a dozen or two relay tests to be 
> "extreme", I'd hate to think of what you'd think of _some_ other forms 
> of vulnerability testing... 

wait till he triggers SORBS - it starts with a full port scan... :-/

> By blackholing the tester, you run a _significant_ risk of getting 
> blacklisted, even if you don't relay or proxy.  Some blacklists do 
> that. [I don't think NJABL does, but others do.]  Secondly, some of 
> them use highly distributed testing.  Like SORBS.  You'll never get 
> them all. 

That's right, and if SORBS detects firewalling to avoid open-relay 
detection you get listed as a test blocker in the system, and should you 
get listed for spam, you will find it near on impossible to get out 
(even if it was one of your users) - just because you are considered to 
be someone 'hiding something'.

SORBS makes a point of being up front and port scanning uses no stealth 
features of nmap.  It also doesn't do stealth testing.

> The spamming problem really has gotten so bad that many reputable 
> organizations feel they have no choice but to test.  It's a sign of the 
> times.  It's best to not get bent out of shape over it and adjust your 
> processes to suit.
> NJABL is reasonably well regarded.  It's best not to play games with 
> it, otherwise, you may end up getting blocked by all of its users. 
> We're not using NJABL, but it is one of the ones we'd consider if some 
> of our current ones went down. Some medium to large sites _do_ use it.
> And don't expect a "we want to be blocked so we can discourage the use 
> of blacklists" attitude to work anymore.  From us, at best you'd get a 
> whitelist entry.  The spamming problem really _is_ that bad.

...and I'll be a very happy man the day I shut down SORBS because spam 
is no longer an issue.  I might get a life then.

/ Mat
