Re: [dispatch] Proposal for scantxt; scanning opt-in/out, identification, verification, notification, and reporting
John R Levine <johnl@taugh.com> Sun, 04 December 2022 18:37 UTC
Date: Sun, 04 Dec 2022 13:37:25 -0500
Message-ID: <059faafd-80b2-66c0-7d8d-0087220f92ab@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Ollie IETF <ietf@olliejc.uk>, Dispatch WG <dispatch@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/lVf1T45lvXQbas4rI7Nja36C48I>
> Perhaps generic probing is mostly malicious but if you include services that people and businesses often use or sign up for, it likely isn't all that malicious. Consider the following as scanners (not recommendations, just examples): MXToolBox, Detectify, Hardenize, Snyk

I take your point about scanning by request, but that makes the problem a whole lot simpler. It's not hard to see how you could come up with standard ways for scanners to say here's the kinds of scanning they do and here's the IPs they scan from, and for the victims to say here's the IP ranges you can scan and the ports you can probe, and replies from the scanners saying here's what we found. Since the parties already know each other you can wrap it in OAUTH or the like to authenticate it.

Beyond that, I still don't see the point. It's hard to think of anything other than http that lets you bundle an authentication token with a probe and even there, one of the major points of scanning is to find ports and servers that are open by mistake so they wouldn't be looking for the token. To identify the scanners, do the scans from dedicated IPs.

It's hard to imagine a use for a public "go ahead and scan this range" (as distinct from sending a message to a known party) other than as a honeypot or security challenge. The bad guys will scan anyway, and challenges have a poor reputation in the security world.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly