anti-spam vs network abuse

Andy Dills andy at xecu.net
Fri Feb 28 21:54:47 UTC 2003


On Fri, 28 Feb 2003, Charlie Clemmer wrote:

> At 03:52 PM 2/28/2003 -0500, Andy Dills wrote:
> >Why is probing networks wrong?
>
> Depends on why you're doing the probing.

If so, why outlaw the act of probing? Why not outlaw "probing for the
purposes of..."?

> If you randomly walk up to my house and check to see if the door is
> unlocked, you better be ready for a reaction. Same thing with unsolicited
> probes, in my opinion. Can I randomly walk up to your car to see if it's
> unlocked without getting a reaction out of you?

This is different. Metaphors applying networking concepts to real world
scenarios are tenuous at best.

In this case, your door being unlocked cannot cause me harm. However, an
"unlocked proxy" can. Legit probes are an attempt to mitigate network
abuse, not increase it. If there was a sanctioned body who was trusted to
scan for such things, maybe this wouldn't be an issue. But there's not, so
it's a vigilante effort.

> Where this thread got started, the scenario was around if I connect to your
> SMTP server to attempt to relay mail, is it then right to probe me for open
> relays and so forth. In that case, I can see the reasoning, as I initiated
> the connection, so you're checking to see if I'm sane or not. The line gets
> drawn though as to how much probing is reasonable ... can you probe my
> system for ALL open ports/exploits just because I tried to send mail
> through you, or can you probe all machines that fit in my address range
> (and how do you determine my address range?) ... that's where the larger
> debate comes in.

Actually, I think the debate starts with Paul telling Jon that Jon isn't
passively scanning connection hosts, he's actively trawling for open
proxies, that Paul has the logs to prove it, and that since Paul is in
California, Jon has broken the law.

Paul has only indicated his point of view objectively; he hasn't yet
indicated he wants to do something about it (or that he personally feels
that he should do something about it).

> I have servers hosted at shared colo facilities. If you were to scan the
> entire netblock for my colo provider because a different customer at the
> same facility tried to send mail through you, how am I to determine your
> cause, or determine that it was not a scan for a vulnerability?

You don't have to. This is why I never understood why people care so much
about probing. If you do a good job with your network, probing will have
zero effect on you. All the person probing can do (regardless of their
intent) is say "Gee, I guess there aren't any vulnerabilities with this
network."

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills                              301-682-9972
Xecunet, LLC                            www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access



