[Dshield] What is my ISP doing?

Chuck Lewis clewis at iquest.net
Fri Apr 9 13:00:57 GMT 2004


Yep,

I caught that late last year and wasn't sure what it was. I reported it to
"abuse: at RR and got this back:

Hello,

The securityscan.sec.rr.com machine is a Road Runner Security resource 
that is used as a tool to aid customers in determining services that may be
abused from outside sources. We fully understand your concerns 
surrounding the probing of your machine. This issue has been raised 
internally and we hope this email helps you better understand our 
process.

The intention of this process is truly not meant to be a "big brother" 
system, but we understand that some may view it as such. Our ultimate 
goal is to help our customers identify applications running on their 
system which allow one or more unknown individuals to proxy off hundreds to
thousands of customers and attack other Internet sites. It in no way 
is intended to add to your systems security, replaces your virus 
protection or any intrusion detection software you have or will install.

This process was initially developed a few years ago due to an 
application that allowed this proxy capability by default. We were being
told by a number of large Internet services that they would block all 
Road Runner customers if we did not address it. Other high-speed 
providers were also seeing this issue. The scanning tools that many 
hackers have today allow them to quickly scan large pools of dial, DSL 
or cable modem IP space and quickly identify open proxy systems. Once 
they identify the systems, they will exploit these users without their 
knowledge, leaving them and their provider accountable for the hackers 
actions.

The most recent threats are open NNTP and SMTP relays, which allows SPAM
sites to use customer computers to deliver their unsolicited email or 
Usenet posts. If abused, those open servers often end up in Blackhole 
lists such as the MAPS RSS or MAPS RBL, or, in the case of NNTP, can 
lead to a UDP (Usenet Death Penalty) for the provider. This causes the 
provider, once blocked, to lose access to many parts of the Internet, 
which in turn prevents individuals like yourself from delivering 
legitimate mail or posting legitimate Usenet news.

This issue is Internet-wide and not isolated to Road Runner. The process we
use is somewhat radical, but has helped everyone tremendously, 
especially our customers. It has saved us considerable amounts of time 
and effort by being proactive and has saved all our customers from being
blocked from valuable Internet content.

We hope that we can help you understand this and assure you that this 
process is truly done in good faith. Results of the scans are tallied 
and sent to the appropriate Road Runner affiliate. You will be contacted by
your local affiliate if there are any concerns surrounding your 
system. To request information regarding the results of the scan for 
you, please speak with your local affiliate.

If you have any further questions, you can visit http://security.rr.com 
or contact Road Runner Security via e-mail at security at security.rr.com

Thank you for taking the time to contact Road Runner.


Hope this helps !

Chuck



-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Paul Marsh
Sent: Friday, April 09, 2004 7:29 AM
To: General DShield Discussion List
Subject: RE: [Dshield] What is my ISP doing? 

Steve:

	Looks like RR scanning for open relays.  I can't find it right
now but somewhere on there site is a page detailing why they're doing
it.

Thanx, Paul 






More information about the list mailing list