>>From [EMAIL PROTECTED] Wed Jan 19 06:22:05 2005
>Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
>...
>List-Id: <users.spamassassin.apache.org>
>Delivered-To: mailing list users@spamassassin.apache.org
>...
>
>At 10:44 PM 1/18/2005, List Mail User wrote:
>> I don't know about digex, but dnsstuff.com is listed in SPEWS level 1
>>and level 2, completewhois.org and whois.rfc-ignorant.org. BTW, I personally
>>don't trust anyone with a disconnected telephone number, and they seem to
>>probe my own address space quite often (both DNS and SMTP testing), always
>>tracing back to a dial-up account or a proxy somewhere (with those irritating
>>"ad"s saying "this is not abuse" - example from one of their "relay" tests:
>>
>>to=<[EMAIL PROTECTED]>.
>>
>> At least that's what the email triggered on my SA report (and of
>>course spamhaus is on rfci's abuse list, like many anti-spam organizations
>>are on either the abuse and/or the postmaster lists - they can't afford to
>>devote a human to processing the mail-bombing that occurs, though I believe
>>ISPs can't justify the same excuse - they are run-for-profit concerns, and
>>that should be just one of the costs of doing business).
>
>I find that entire complaint amusing.
>
>So, you consider open relay tests mailbombs...
>
>Why are you accepting them in the first place?
>

Not that I do or don't accept them; just an attempt to verify who dnsstuff.com/dnsreports.com is shows invalid whois data. Since the last time they hit me (and I believe the operator *may* be well meaning), he's gotten listed in SPEWS and completewhois.org, and I nominated him for rfci. His machines don't get through anymore, for those reasons (I'm loath to block at the IP level, because you cannot "return" a reason why the connection is refused - though sometimes it is the only recourse). Also, during a few of his "report generations", I was able to back-trace the machine doing the dial-up to "known" malicious users (e.g. the "reported" address requesting the test had open ports and services identifying the host by a non-dial-up name, and checking the identified hosts by IP would show the same "fingerprint" for services and the software version running them - and of course, the non-dial-up address was in the SBL or SPEWS itself). I just happen to distinguish between someone like ORBS testing or the ICANN periodic ping testing and a commercial service (with banner ads on his pages) who attempts to relay for whatever reason.

Simply, there are legitimate reasons for some people/organizations to test my servers; I just don't think he has any (unlike some services that either require the request to come from the domain itself, or non-commercial services who provide a community service), and when he tests, he both "bangs hard" and misreports the data to the requester very often - basically the service and the provider have no valid excuse, in my mind, for what they do. Also, regular parsing of the logs for relay attempts has provided me with a list of 'hunters' for further investigation. *My* favorite is the set of email addresses "[EMAIL PROTECTED]" (sorry, I enjoy the humor and forthright attitude it shows), but the most prolific is "[EMAIL PROTECTED]". This morning the second one was using "[EMAIL PROTECTED]", "[EMAIL PROTECTED]", "[EMAIL PROTECTED]" and "[EMAIL PROTECTED]". Maybe a few others out there will check and see these in logs also.

Paul Shupak
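The log parsing Paul describes (pulling refused relay attempts out of the mail log and collecting the hosts and envelope senders behind them), as an added example that is not part of the original post. It assumes sendmail-style `check_rcpt ... Relaying denied` rejection lines and correlates them with the `from=` line of the same queue ID; the log lines are constructed, not real data.

```python
import re
from collections import Counter

# Sendmail logs a refused RCPT as "ruleset=check_rcpt ... Relaying denied" and
# the envelope sender on a separate "from=<...>" line sharing the queue ID.
RELAY_DENIED = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>\S+ \[[^\]]+\]), reject=550 5\.7\.1 .*Relaying denied"
)
FROM_LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")

# Constructed sample log (hostnames, addresses and queue IDs are made up).
# The second probe has no from= line, which the parser must tolerate.
SAMPLE_LOG = """\
Jan 19 06:20:01 mx sendmail[1234]: j0J6K1ab001234: ruleset=check_rcpt, arg1=<victim@example.net>, relay=probe1.example.org [192.0.2.10], reject=550 5.7.1 <victim@example.net>... Relaying denied
Jan 19 06:20:02 mx sendmail[1234]: j0J6K1ab001234: from=<relaytest@probe.example>, size=0, class=0, nrcpts=0, proto=SMTP, relay=probe1.example.org [192.0.2.10]
Jan 19 06:21:07 mx sendmail[1240]: j0J6L7ef001240: ruleset=check_rcpt, arg1=<someone@example.com>, relay=dialup-42.isp.example [198.51.100.42], reject=550 5.7.1 <someone@example.com>... Relaying denied
Jan 19 06:21:09 mx sendmail[1241]: j0J6L9gh001241: to=<localuser@mx.example>, delay=00:00:01, stat=Sent
Jan 19 06:22:05 mx sendmail[1250]: j0J6M5ij001250: ruleset=check_rcpt, arg1=<victim@example.net>, relay=probe1.example.org [192.0.2.10], reject=550 5.7.1 <victim@example.net>... Relaying denied
Jan 19 06:22:06 mx sendmail[1250]: j0J6M5ij001250: from=<relaytest@probe.example>, size=0, class=0, nrcpts=0, proto=SMTP, relay=probe1.example.org [192.0.2.10]
"""


def find_relay_probes(log_text):
    """Return (by_relay, senders): refused relay attempts counted per
    connecting host, and the envelope senders those attempts used,
    matched to the rejection through the shared queue ID."""
    denied = {}          # queue ID -> connecting relay host
    sender_by_qid = {}   # queue ID -> envelope sender
    for line in log_text.splitlines():
        m = RELAY_DENIED.search(line)
        if m:
            denied[m.group("qid")] = m.group("relay")
            continue
        m = FROM_LINE.search(line)
        if m:
            sender_by_qid[m.group("qid")] = m.group("sender")
    by_relay = Counter(denied.values())
    senders = Counter(sender_by_qid[q] for q in denied if q in sender_by_qid)
    return by_relay, senders


if __name__ == "__main__":
    by_relay, senders = find_relay_probes(SAMPLE_LOG)
    print("relay attempts per host:", dict(by_relay))
    print("sender addresses used:", dict(senders))
```

On a real system, feed it `/var/log/maillog` (or your syslog mail facility file) instead of the constructed sample; hosts and senders that recur across days are the 'hunters' worth a closer look.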