[Dshield] What is my ISP doing?
clewis at iquest.net
Fri Apr 9 13:00:57 GMT 2004
I caught that late last year and wasn't sure what it was. I reported it to
"abuse" at RR and got this back:
The securityscan.sec.rr.com machine is a Road Runner Security resource
that is used as a tool to aid customers in determining services that may be
abused from outside sources. We fully understand your concerns
surrounding the probing of your machine. This issue has been raised
internally and we hope this email helps you better understand our
The intention of this process is truly not meant to be a "big brother"
system, but we understand that some may view it as such. Our ultimate
goal is to help our customers identify applications running on their
system which allow one or more unknown individuals to proxy off hundreds to
thousands of customers and attack other Internet sites. It in no way
is intended to add to your system's security, replace your virus
protection or any intrusion detection software you have or will install.
This process was initially developed a few years ago due to an
application that allowed this proxy capability by default. We were being
told by a number of large Internet services that they would block all
Road Runner customers if we did not address it. Other high-speed
providers were also seeing this issue. The scanning tools that many
hackers have today allow them to quickly scan large pools of dial, DSL
or cable modem IP space and quickly identify open proxy systems. Once
they identify the systems, they will exploit these users without their
knowledge, leaving them and their provider accountable for the hackers
The most recent threats are open NNTP and SMTP relays, which allow SPAM
sites to use customer computers to deliver their unsolicited email or
Usenet posts. If abused, those open servers often end up in Blackhole
lists such as the MAPS RSS or MAPS RBL, or, in the case of NNTP, can
lead to a UDP (Usenet Death Penalty) for the provider. This causes the
provider, once blocked, to lose access to many parts of the Internet,
which in turn prevents individuals like yourself from delivering
legitimate mail or posting legitimate Usenet news.
This issue is Internet-wide and not isolated to Road Runner. The process we
use is somewhat radical, but has helped everyone tremendously,
especially our customers. It has saved us considerable amounts of time
and effort by being proactive and has saved all our customers from being
blocked from valuable Internet content.
We hope that we can help you understand this and assure you that this
process is truly done in good faith. Results of the scans are tallied
and sent to the appropriate Road Runner affiliate. You will be contacted by
your local affiliate if there are any concerns surrounding your
system. To request information regarding the results of the scan for
you, please speak with your local affiliate.
If you have any further questions, you can visit http://security.rr.com
or contact Road Runner Security via e-mail at security at security.rr.com
Thank you for taking the time to contact Road Runner.
Hope this helps!
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Paul Marsh
Sent: Friday, April 09, 2004 7:29 AM
To: General DShield Discussion List
Subject: RE: [Dshield] What is my ISP doing?
Looks like RR scanning for open relays. I can't find it right
now but somewhere on their site is a page detailing why they're doing