[FC: Email a RoadRunner address, get scanned by their security system]

After sending an email to a friend at a RoadRunner address, I see this in
my web access log:

24.30.199.228 - - [13/Mar/2003:15:11:25 -0500] "CONNECT security.rr.com:25 HTTP/1.0" 404 535 "" ""

Basically, RoadRunner tried to spam themselves using my server. I mailed
abuse@rr.com about this, and received a canned response, enclosed. It's a
humble response, but woefully inadequate. Have anti-spam measures come to
this? This seems like an ill-considered compromise between privacy and
anti-spam efforts. A blunt instrument that betrays less-than-careful
thinking. The opt-out option, which was revealed only after my complaint,
is even more obnoxious.

Sending email to many servers means that your mail server will be probed for
open proxies and open relays. It's only seriously taboo when it leaves the
actual connecting server to scan the rest of the network. This is why I
posted previously about a centralized system so that we can limit these
probes. In the case of RoadRunner, it is only inappropriate because RR
themselves complain and throw a fit about being probed, and yet they
probe others.

-Jack
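The CONNECT line in Gunnar's access log, and Jack's point that any host which sends a lot of mail will be probed for open proxies, suggest a simple check worth running on the web-server side. The following Python script is an added example, not code from anyone on this thread: it parses Apache-style access log lines, flags requests that ask the web server to act as a proxy (the CONNECT host:port form seen in the post, plus the absolute-URI GET form, which goes beyond the single line shown here), records whether the destination was a mail port, and notes whether the server actually honoured the request (a 2xx status) rather than refusing it as Gunnar's did with a 404. The first sample line is the one from the post; the other three are constructed.

```python
import re
from typing import Optional, Tuple

# Constructed sample log. Line 1 is the probe quoted in the post; lines 2-4 are
# made up here to show a normal request, an absolute-URI proxy request that the
# server honoured, and a CONNECT that was honoured.
SAMPLE_LOG = """\
24.30.199.228 - - [13/Mar/2003:15:11:25 -0500] "CONNECT security.rr.com:25 HTTP/1.0" 404 535 "" ""
192.0.2.10 - - [13/Mar/2003:15:12:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Mar/2003:15:13:44 -0500] "GET http://mail.example.net:25/ HTTP/1.0" 200 12 "-" "-"
203.0.113.5 - - [13/Mar/2003:15:14:09 -0500] "CONNECT relay.example.org:25 HTTP/1.1" 200 0 "-" "-"
"""

# Apache common/combined log prefix: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ABS_URI_RE = re.compile(r'^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?')
HOSTPORT_RE = re.compile(r'^(?P<host>[^:]+):(?P<port>\d+)$')

MAIL_PORTS = {25, 465, 587}


def proxy_target(method: str, target: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) if the request asks this web server to relay a
    connection somewhere else; None for an ordinary request for a local path."""
    if method == "CONNECT":
        m = HOSTPORT_RE.match(target)
        return (m.group("host"), int(m.group("port"))) if m else None
    m = ABS_URI_RE.match(target)
    if m:
        default = 443 if m.group("scheme") == "https" else 80
        return m.group("host"), int(m.group("port") or default)
    return None


def classify(line: str) -> Optional[dict]:
    """Parse one log line and describe it if it is a proxy request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tgt = proxy_target(m.group("method"), m.group("target"))
    if tgt is None:
        return None
    host, port = tgt
    status = int(m.group("status"))
    return {
        "src": m.group("ip"),
        "time": m.group("ts"),
        "method": m.group("method"),
        "host": host,
        "port": port,
        "status": status,
        # 2xx means the server accepted the proxy request: that is the
        # condition a defender actually needs to fix, not the probe itself.
        "relayed": 200 <= status < 300,
        "mail_port": port in MAIL_PORTS,
    }


def scan(log_text: str) -> list:
    """Return all proxy-style requests found in the log text, in file order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        verdict = "RELAYED" if f["relayed"] else "refused"
        print(f"{f['src']:>15} {f['method']:<7} {f['host']}:{f['port']} "
              f"status={f['status']} {verdict}{' (mail port)' if f['mail_port'] else ''}")
```

Run against a real access log, the output you care about is any line marked RELAYED: a refused CONNECT (Gunnar's 404) shows only that someone probed you, while a 2xx to a mail port means the web server was relaying SMTP for strangers.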

From: Gunnar Hellekson <gunnar@onepeople.org>

Basically, RoadRunner tried to spam themselves using my server. I mailed abuse@rr.com about this, and received a canned response, enclosed.

Under their logic, I feel entitled to poke and prod their customers, just to make sure they don't spam me. Is that fair? I promise to provide an opt-out if anyone complains.

Oh no, they'll bitch, at great length. This was recently discussed on SPAM-L ( http://peach.ease.lsoft.com/scripts/wa.exe?LIST=SPAM-L ).

Jeff

<snip>

After sending an email to a friend at a RoadRunner address, I see this in
my web access log:

24.30.199.228 - - [13/Mar/2003:15:11:25 -0500] "CONNECT security.rr.com:25 HTTP/1.0" 404 535 "" ""

<snip>

spam-l is over there -->

Actually, if you go a few rounds with Mr. Herrick of rr.com, and explain
that you want to do the same sort of testing under the same ground rules
as security.rr.com, I think you'll find that he will not object.

It is quite ironic (perhaps a sign of how bad the problem of spam on the
internet has gotten) that rr.com has decided to emulate those that they
have attacked in the past.

I suspect we've gotten to the point now that there are more open proxies
than open relays on the net, and it seems the proxies are more heavily
abused.

I suspect we've gotten to the point now that there are more open proxies
than open relays on the net, and it seems the proxies are more heavily
abused.

Perhaps it is because trojans and worms aren't set up to install open relays
but to install open proxies. Proxies also have the advantage of hiding the
original sender. I suspect that the next thing we will see is open proxies
abused and then all traces wiped out by self-protecting worms.

-Jack

I only find it humorous that a majority of the network probes against my
network come from RoadRunner cable modems as it is, yet they want to add to it
by having their own server run a probe... Not that I email many RR customers as
it is directly through my mail servers... I also enjoy the ironic humor in the
fact my home network is on statically assigned DSL IP space that I hold forward
and reverse DNS control for but by their own statements I could not opt-out even
though it is SWIP'd to me but is a DSL allocation... No worries the only
machines on my network that would send outgoing email are behind a NAT that does
port forwarding so even if they connect back on port 80 from the IP that
connects to port 25 on their server doesn't mean they're talking back to even
the same machine here...

  In all fairness though looking at the top 15 source addresses my IDS has
pick'd up lately... 9 of the 15 are from my own providers space and they don't
even react to reports... 90% of the hits are still CodeRed no less...

  Jeremy

I only find it humorous that a majority of the network probes
against my network come from RoadRunner cable modems as it is, yet
they want to add to it by having their own server run a probe...

RR scans their own network far more intrusively than they scan outside
mail senders and thwack their own users all the time, only of course
nobody hears about that.

As I've said elsewhere, most of a network's real mail comes from
places that have sent mail before. If you get mail from a host that's
never sent you mail before, it is far more likely to be a compromised
relay or proxy sending spam than a legit mail server. Of course they
test it.

Put yourself in their shoes. They have a network with tens, probably
hundreds of thousands of users, all with a swell high-speed
connection, all under continuous attack by various sorts of malware.
Most of the users are running Windows 98 or XP systems which are at
least 30 critical security patches (that is to say, more than a month)
out of date. Realistically, what would you do?