On Wed, Feb 04, 2004 at 01:54:26AM +1100, Ted Cooper wrote:
> There are already companies that make their money out of scanning the
> internet looking at who is running what web server, how come there isn't
> one out there scanning the internet for all the mail servers?
Because there's very little incentive to do so.
> I have some bandwidth to waste and some time to spare, I wonder how much
> of a storm I would bring down upon myself if I started scanning the
> internet at random and collating the results. There would of course have
> to be some rules in place to prevent legal action and such.
>
> - A way to opt your servers/net range out of the scan
> - No association between IP and results, just record the greeting, help
> reply.
> - _PERHAPS_ testing for open relay and not keeping the IP, just count
> the number of close/open/keep and reject mail servers out there. Someone
> out there is already doing that and I hear it's rather controversial
> - Greet with a valid HELO that has a website explaining the whole
> procedure and presenting results.
> - To keep the data up to date, expire data and revisit IPs about once
> a year.
Had the same ideas about a year ago.
> Information provided by the site could be some of the following.
> - Amount of the internet scanned
> - Amount of the internet that is not being scanned after being asked
> not to
> - Percentage of hosts running each main type
> - Percentage of version strings presented for each type
> - Percentage of open relays
>
> I have re-evaluated my time in the last 30 seconds and I now think that
> this would bring down such a storm that neither I, nor my internet
> connection could handle the results of this little experiment. Perhaps
> I'll just throw this out there and see if anyone else would be
> interested in taking up the challenge.
I gave it a whirl for a while.
Started out using nmap's -O flag to guess at the OS running, had to drop that
as it was too intrusive. Later surveys just did port 25 looking for SYNACK, then
netcat to grab the banner, ehlo and help output. Loaded it all into mysql for
analysis.
In the end, the seemingly innocuous scanning triggered some IDSes at .mil sites.
I ended up being cut off by my ISP for AUP violation(s) & had to be
very nice and apologetic just to get my net connection turned back on.
--
Some days it's just not worth chewing through the restraints...
Mark Foster <mark@???>
http://mark.foster.cc/