[TriLUG] Somewhat OT: [Fwd: FC: Email a RoadRunner address, get scanned by their security system]

Mike Johnson mike at enoch.org
Sat Mar 15 00:39:52 EST 2003


lfwelty [lfwelty at redback.com] wrote:
> Can anyone local comment?

Oh yes, most definitely.
 
> Don't get yourself in trouble w/ ...
> Just interested in a local perspective.

Trouble?  Bah.
 
> [disclaimer: I assume all posts are personal opinions unless
>  explicitly stated otherwise. Do not assume everyone else will
>  take this position.]

Well, all I have here is personal opinion.

So, here goes...

First, this has been going on for quite some time.  My logs rotate, and
I don't keep them, but I remember first seeing this a few years ago.
This was the oldest reference about this server going active:
http://colalug.org/ml-archive/0011/msg00019.html

It comes up periodically on various security lists, and it usually ends
up with 'well, what can you do?'.  This is crap, if you ask me.  RR is
doing the exact same things that would get your average user's account
terminated.  What they're doing is checking your server, periodically
scanning mailservers that connect to them to send mail to their
subscribers to see if the system is a suspect open relay.  They have
various tests, and roughly document what they do at:
http://sec.rr.com/probing.htm
(Look at the source of the page, they clearly took a template from
either DreamWeaver, or another site)

Now, read that page further, and you'll find this fabulous quote:
PLEASE DO NOT COMPLAIN ABOUT THESE SCANS. IF YOU WANT THE SCANS TO STOP,
SIMPLY DO NOT SEND MAIL TO ROAD RUNNER SUBSCRIBERS.

Uh.  If all mailserver operators went this route, Road Runner
subscribers (well, those that use @xx.rr.com addresses) would be rightly
screwed.  The arrogance of that comment really sheds some light on their
entire philosophy.  'You are guilty until proven innocent.  You do not
pay us any money, so if you (or your listserver...) send a message to
one of our subscribers, you are agreeing to be scanned.'  Um, isn't one
of the issues with spam that it's opt-out?  They've set up an opt-out
system (you can supposedly e-mail them to ask they stop scanning you) to
'protect' -their- customers from opt-out behavior.

Of course, they're a little more active on their own subscribers.  I
have a business class connection with multiple IP addresses.
Occasionally, they scan all my IPs looking for...stuff.  While I
don't remember anywhere in my contract where I agreed to this, it's a
bit more understandable than probing systems that aren't on their own
network.

Now, let's analyze a few of their attempts:
access_log:24.30.199.228 - - [20/Jan/2003:18:44:49 -0500] "CONNECT security.rr.com:25 HTTP/1.0" 405 299
access_log:24.30.199.228 - - [20/Jan/2003:18:44:49 -0500] "PUT http://security.rr.com:25/ HTTP/1.1" 405 307

So, they're attempting to attack my systems with some rather old methods
that could allow a nefarious individual to relay spam.  Notice I said
the word attack.  RR is probing systems for vulnerabilities -- usually,
this act gets an account terminated.  They also attempt to connect to
the following ports:
	25, 80, 81, 1080, 1180, 3128, 4480, 6588, 8080, 8081

Guess how well this maps with the ports they -say- they're probing?
Here's the portlist from their page: 
	21, 23, 25, 80, 81, 119, 1080, 3128, 4480, 6588, 8000, 8080, 8081

1180?  Gee, that's odd.  They don't say they connect to 1180.  And
they check 21, 23, and 119?  No, they don't.  And what does telnet or
ftp, or nntp have to do with e-mail spam?  Uh.  So, this is interesting:
 "Road Runner Security currently scans the following ports for services
 that may allow OTHER persons to access your computer and perform deeds
 that are detrimental to the Road Runner network, such as spamming, or
 attacking other Internet users."

Sweet.  RR is the sheriff of the internet.  I feel safer already.  And
I'm also glad they have this disclaimer:
 "Road Runner Security in NO way attempts to circumvent your security or
 access the contents of your personal computer. We are not interested in
 its contents, nor what you do while you access the Internet."

Basically, this is crap.  I understand that spam is a problem, I
understand that insecure systems are a problem, I don't have a good
solution, however, I don't think it's right for RR to do what they're
doing.  I am certain they wouldn't take too kindly to me occasionally
scanning any of their systems that connect to mine (e-mail, web, this
port scanning box...).  I'll even let them mail me and request that they
be removed from my list, and sorta document the ports I check.

Ramblingly yours,
Mike
-- 
"If life hands you lemons, YOU BLOW THOSE LEMONS TO BITS WITH 
 YOUR LASER CANNONS!" -- Brak

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
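As an added illustration (not code from the post or from Road Runner), here is a small Python check a server admin could run over an Apache access_log to flag proxy-style probes like the two quoted above, confirm the server refused them rather than relaying, and diff the ports actually hit against the list RR publishes. The sample log reuses the post's two lines plus one constructed ordinary request; the 192.0.2.x and 203.0.113.x addresses are documentation ranges, not real hosts.

```python
import re
from collections import defaultdict

# Apache common-log request line, with the optional "filename:" prefix that grep -H emits.
LOG_RE = re.compile(
    r'^(?:[\w./-]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)')

# The two probe lines quoted in the post plus one constructed ordinary request.
SAMPLE_LOG = """\
access_log:24.30.199.228 - - [20/Jan/2003:18:44:49 -0500] "CONNECT security.rr.com:25 HTTP/1.0" 405 299
access_log:24.30.199.228 - - [20/Jan/2003:18:44:49 -0500] "PUT http://security.rr.com:25/ HTTP/1.1" 405 307
access_log:192.0.2.10 - - [20/Jan/2003:18:45:01 -0500] "GET /index.html HTTP/1.1" 200 1234
"""

def proxy_target_port(method, target):
    """Port a forward proxy would open for this request, or None for a normal
    origin-server request (relative path). CONNECT host:port and absolute-URI
    targets only make sense to a proxy, so on a plain web server they are probes."""
    if method == "CONNECT":
        _, _, port = target.rpartition(":")
        return int(port) if port.isdigit() else None
    m = re.match(r'^(?P<scheme>[a-z][a-z0-9+.-]*)://[^/:]+(?::(?P<port>\d+))?', target, re.I)
    if not m:
        return None
    if m["port"]:
        return int(m["port"])
    return 443 if m["scheme"].lower() == "https" else 80

def find_proxy_probes(log_text):
    """Map source IP -> sorted target ports requested through proxy-style requests."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (port := proxy_target_port(m["method"], m["target"])) is not None:
            probes[m["ip"]].add(port)
    return {ip: sorted(ports) for ip, ports in probes.items()}

def relayed(log_text):
    """Proxy-style requests aimed at a non-web port (e.g. 25) that got a 2xx/3xx.
    A 405 means the server refused; a success means it forwarded the connection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        port = proxy_target_port(m["method"], m["target"])
        if port not in (None, 80, 443) and m["status"][0] in "23":
            hits.append(line)
    return hits

# Port list from sec.rr.com/probing.htm as quoted in the post, vs. ports the author saw hit.
DOCUMENTED_PORTS = {21, 23, 25, 80, 81, 119, 1080, 3128, 4480, 6588, 8000, 8080, 8081}
OBSERVED_PORTS = {25, 80, 81, 1080, 1180, 3128, 4480, 6588, 8080, 8081}

def port_list_diff(observed=OBSERVED_PORTS, documented=DOCUMENTED_PORTS):
    """(ports hit but not documented, ports documented but never seen)."""
    return sorted(observed - documented), sorted(documented - observed)
```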
