[Dshield] security.scan.sec.rr.com

Doug White doug at dwhite.ws
Wed Jun 18 22:51:50 GMT 2003


I am not sure what they are trying to accomplish. The boilerplate reply is
somewhat generic; however, my point is that they should spend at least that
amount of effort on closing open relays within their own net block - this is
where the failure seems to be.

As for me, I provide a commercial email gateway, set up explicitly for the
purpose of filtering spam for many domains, then forward the cleaned mail on to
the customer's mail server. I use a combination of analysis, some of the
open relay block lists and an anti-virus scanner. I have to be selective as
to which block list I use, because so many of them are not only slow to update,
but some return far too many false positives. What I don't want to do is to
stop even one legitimate email message from being delivered to the customers'
inbox.

My own log analysis reveals the open relay rape that goes on constantly, and
currently there are 6 in the RR system (all in either NY or FL) which have been
open for at least six months on static IP numbers. These six machines are
cranking out several million spam emails every 24 hours, according to reports.
I am also experiencing multiple scans from the rr network every 5 days. When
they come in they are intensive. Thus far, they have not been able to penetrate
my system, but it does make me wonder just how many they are able to "discover."
Most spammers move from relay to relay, and originate from many accounts. By
the time an ISP shuts one down they are already two or three accounts ahead of
them and continue the spew. I have seen as many as 20 spams per hour just to
my server, all identical but transmitted through different open relays. I think
it reasonable that these are all the same spammer, and transmitted from the same
source, which is not always accurately reported by the relay machine.

Your own experience is evidence of the harm it does to legitimate users, because
of the abuse by spammers. And I don't use Osirusoft.

======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
======================================
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "TQMcube" <TQMcube at verizon.net>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Wednesday, June 18, 2003 4:40 PM
Subject: Re: [Dshield] security.scan.sec.rr.com


| On Wed, 2003-06-18 at 16:38, Doug White wrote:
| > I can understand what RR is trying to do, but it seems like a sledge hammer is
| > being used to break watermelons.  All they seem to be doing is to be adding to
| > the congestion on the net.
| >
| Judging from your posts you are considerably more knowledgeable than I
| am. Frankly, I support RR's policy since they are relying upon actual,
| tested data - in contrast to using Osirusoft. They only scan me when I
| send mail through their SMTP gateway.
|
| OK. To be fair I have an ax to grind. In spite of having the same static
| IP for more than five years I'm listed as part of a dial-up pool.
| Osirusoft won't make an exception (in spite of the fact that I have
| provided them with ample proof) and VOL is, well, post Bellatlantic
| Verizon. So, for me, the RR system enables me to send mail via MX where,
| perhaps, I might not otherwise be able to. I suspect that by denying
| access to open relays they are doing a real service for their
| subscribers.
|