[Dshield] What is my ISP doing?

fightback@redline.comcast.net fightback at redline.comcast.net
Fri Apr 9 13:44:23 GMT 2004



Date: Fri, 9 Apr 2004 09:27:29 -0400
From: Jeff Kinz <fightback at kinz.org>
To: General DShield Discussion List <list at lists.dshield.org>
Subject: Re: [Dshield] What is my ISP doing?

On Fri, Apr 09, 2004 at 08:00:57AM -0500, Chuck Lewis wrote:
> I caught that late last year and wasn't sure what it was. I reported it to
> "abuse: at RR and got this back:
> 
> Hello,
> The securityscan.sec.rr.com machine is a Road Runner Security resource 
...chop...chop...
>
> -----Original Message-----
> On Behalf Of Paul Marsh
> Steve:
> 	Looks like RR scanning for open relays.  I can't find it right
> now but somewhere on there site is a page detailing why they're doing
> it.

I don't think its his ISP doing a scan.  The IP 24.210.214.179 resolves
to a dynamic assigned dialup port which has six positives in the the
various DNSBLs (http://openrbl.org/).

The IP for securityscan.sec.rr.com is 	24.30.199.228, not
24.210.214.179.  If it were securityscan.sec.rr.com doing a scan you
would very likely see a different IP.

Steve - if I were you I would put any IP addresses you see doing this
kind of activity in your IP-rejectlist within your firewall.

I have a script which scans my IP-Tables output and add IPs to my
rejectlist whenever they do this type of thing.  

-- 
Jeff Kinz, Open-PC, Emergent Research,  Hudson, MA.  






More information about the list mailing list