Extreme spam testing
Matthew Sullivan
matthew at sorbs.net
Mon Dec 22 20:15:47 UTC 2003
Speaking as and for SORBS (another hated and loved antispam bl)..
Chris Lewis wrote:
> It's worth commenting:
>
> Triggering relay testing can occur in a number of different ways.
>
> Some simply scan all IPs.
I consider this abuse and don't do it.
> Some scan particular ranges.
Same as above ;-)
> Some scan an IP when they receive email from it. RR and AOL do this
> amongst biggies.
This is what SORBS started doing - now the volume is so high, and the
number of ports to check (and ways to check them) are so large I cannot
do it.
> Some scan an IP when they receive suspicious/spam email from a given
> IP. We've done this from time to time. MANY other sites do this.
This is what SORBS does now. If we receive a mail to a SORBS feeder
server with a SpamAssassin score of 5 or more, we automatically scan
the host for proxies and relays.
> Many consider scanning to be abusive in and of itself, however, there
> is a considerable amount of agreement that "scanning with email in
> hand", or, more stringently, "scanning with spam in hand" is perfectly
> justified, as in "sending me email gives implicit permission to check
> that you're secure", or, "sending me spam gives permission to check
> that you're secure" respectively.
>
> [Some people say "if they've sent you spam, why test? Simply
> blacklist!". Which is silly, because you end up blacklisting everyone
> sooner or later. By testing and not listing on a negative result, you
> have less chance of blocking a legitimate site.]
SORBS scans after listing with 'spam in hand' for a number of reasons....
1/ Not everyone uses the spam DB for blocking (eg: I use it for
weighting at the ISP I run - I use it for blocking on my home mail)
2/ People listed will demand delisting immediately regardless (they
don't care - it's their "right to send email"), and if they have an open
proxy/relay, telling them to fix that first is the best way of stopping
future spam.
3/ Proxy and relay scanning takes on average 2 hours per host (purely
because we don't want to crash it, or the testers for that matter).
SORBS updates every 20 minutes.
> As another dimension, some people prefer to do very aggressive
> scanning - they'll test every combination of "tricks" that has been
> known to bypass anti-relay. Others try to avoid "tricks" that are
> likely to cause grief to the testee (eg: avoiding double bounces).
We do 19 relay tests, and we perform them twice, with 2 sets of to and from
data. Some of our tests cause bounces - we do try to avoid upsetting
people, but the 'from postmaster at domain' test is an important one, so we
do use it. The test message does include a detailed description of what
it is and who to contact if there is a problem though.
> In the scheme of things, such testing is relatively minor, even of the
> "obnoxious bounce to postmaster" variety. Tune your alarm system to
> ignore them. If you consider a dozen or two relay tests to be
> "extreme", I'd hate to think of what you'd think of _some_ other forms
> of vulnerability testing...
wait till he triggers SORBS - it starts with a full port scan... :-/
> By blackholing the tester, you run a _significant_ risk of getting
> blacklisted, even if you don't relay or proxy. Some blacklists do
> that. [I don't think NJABL does, but others do.] Secondly, some of
> them use highly distributed testing. Like SORBS. You'll never get
> them all.
That's right, and if SORBS detects firewalling to avoid open-relay
detection you get listed as a test blocker in the system, and should you
get listed for spam, you will find it near on impossible to get out
(even if it was one of your users) - just because you are considered to
be someone 'hiding something'.
SORBS makes a point of being up front and port scanning uses no stealth
features of nmap. It also doesn't do stealth testing.
> The spamming problem really has gotten so bad that many reputable
> organizations feel they have no choice but to test. It's a sign of the
> times. It's best to not get bent out of shape over it and adjust your
> processes to suit.
>
> NJABL is reasonably well regarded. It's best not to play games with
> it, otherwise, you may end up getting blocked by all of its users.
> We're not using NJABL, but it is one of the ones we'd consider if some
> of our current ones went down. Some medium to large sites _do_ use it.
>
> And don't expect a "we want to be blocked so we can discourage the use
> of blacklists" attitude to work anymore. From us, at best you'd get a
> whitelist entry. The spamming problem really _is_ that bad.
>
...and I'll be a very happy man the day I shut down SORBS because spam
is no longer an issue. I might get a life then.
/ Mat
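Added example, not SORBS code and not from this thread: an envelope-only relay self-check of the kind discussed above, meant for an MTA you operate. It sends MAIL FROM / RCPT TO pairs and never DATA, so it cannot trigger the bounces the thread complains about. The probe list, `OUTSIDE_DOMAIN` and the HELO name are assumptions; the exact 19 SORBS tests are not on the page.

```python
import re
import socket
# Constructed probes modelled on the envelope tests described above; the exact 19 SORBS tests are not on the page.
OUTSIDE_DOMAIN = "relaytest.example"  # placeholder: a domain the tested MTA is not responsible for

def build_probes(my_domain):
    """(MAIL FROM, RCPT TO) pairs; every RCPT TO is off-domain, so a 250 there means relaying."""
    rcpt = f"probe@{OUTSIDE_DOMAIN}"
    return [("<>", rcpt),                       # null sender, as a bounce would use
            (f"postmaster@{my_domain}", rcpt),  # the 'from postmaster at domain' test
            (f"probe@{OUTSIDE_DOMAIN}", rcpt),  # plain third-party relay
            (f"probe@{my_domain}", rcpt)]       # forged local sender

def read_reply(rfile):
    """Return the numeric code of one SMTP reply, consuming multi-line ('250-') replies."""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        m = re.match(r"(\d{3})([ -])", line)
        if m is None:
            raise ValueError(f"malformed SMTP reply: {line!r}")
        if m.group(2) == " ":
            return int(m.group(1))

def send(rfile, wfile, command):
    wfile.write(command + "\r\n")
    wfile.flush()
    return read_reply(rfile)

def relay_check(rfile, wfile, probes, helo="relaycheck.example"):
    """Return the probes the server accepted at RCPT TO. Only the envelope is tested:
    DATA is never sent, so nothing is queued and the server cannot generate a bounce."""
    if read_reply(rfile) != 220:
        raise RuntimeError("no 220 greeting")
    send(rfile, wfile, f"HELO {helo}")
    accepted = []
    for mail_from, rcpt_to in probes:
        sender = mail_from if mail_from == "<>" else f"<{mail_from}>"
        if (send(rfile, wfile, f"MAIL FROM:{sender}") == 250
                and send(rfile, wfile, f"RCPT TO:<{rcpt_to}>") == 250):
            accepted.append((mail_from, rcpt_to))
        send(rfile, wfile, "RSET")  # clear the envelope before the next probe
    send(rfile, wfile, "QUIT")
    return accepted

def check_host(host, my_domain, port=25, timeout=30):
    # Run the probes over TCP against an MTA you operate; returns the probes it accepted.
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("r", encoding="ascii", errors="replace") as r, \
            sock.makefile("w", encoding="ascii", newline="") as w:
        return relay_check(r, w, build_probes(my_domain))
```

An empty list from `check_host` means every off-domain recipient was refused at RCPT TO; anything else is a relay path to close before a "spam in hand" scanner finds it.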
More information about the NANOG mailing list