Re: [dispatch] Proposal for scantxt; scanning opt-in/out, identification, verification, notification, and reporting

John R Levine <johnl@taugh.com> Sun, 04 December 2022 18:37 UTC

Date: Sun, 04 Dec 2022 13:37:25 -0500
Message-ID: <059faafd-80b2-66c0-7d8d-0087220f92ab@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Ollie IETF <ietf@olliejc.uk>, Dispatch WG <dispatch@ietf.org>
In-Reply-To: <-Qj162OnP3i43R95dL09E0OpifUzGvXqwTWEE8n14tndS8OQ902nGVvUTizxttYYEdamlyG54XdgeJCyFfntI8UJnVPbPRTvJk3VL_PMgqU=@olliejc.uk>
References: <20221204051320.0FF0650855F1@ary.qy> <-Qj162OnP3i43R95dL09E0OpifUzGvXqwTWEE8n14tndS8OQ902nGVvUTizxttYYEdamlyG54XdgeJCyFfntI8UJnVPbPRTvJk3VL_PMgqU=@olliejc.uk>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/lVf1T45lvXQbas4rI7Nja36C48I>
Subject: Re: [dispatch] Proposal for scantxt; scanning opt-in/out, identification, verification, notification, and reporting

> Perhaps generic probing is mostly malicious but if you include services that people and businesses often use or sign up for, it likely isn't all that malicious. Consider the following as scanners (not recommendations, just examples): MXToolBox, Detectify, Hardenize, Snyk

I take your point about scanning by request, but that makes the problem a 
whole lot simpler.

It's not hard to see how you could come up with standard ways for scanners 
to say here's the kinds of scanning they do and here's the IPs they scan 
from, and for the victims to say here's the IP ranges you can scan and the 
ports you can probe, and replies from the scanners saying here's what we 
found.  Since the parties already know each other you can wrap it in OAUTH 
or the like to authenticate it.

Beyond that, I still don't see the point.  It's hard to think of anything 
other than http that lets you bundle an authentication token with a probe 
and even there, one of the major points of scanning is to find ports and 
servers that are open by mistake so they wouldn't be looking for the 
token.  To identify the scanners, do the scans from dedicated IPs.

It's hard to imagine a use for a public "go ahead and scan this range" (as 
distinct from sending a message to a known party) other than as a honeypot 
or security challenge.  The bad guys will scan anyway, and challenges have 
a poor reputation in the security world.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
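The scheme sketched in the message above (scanners declare what they scan and from which IPs, targets declare which of their ranges and ports may be probed, and scanners are identified by dedicated source addresses) can be turned into a simple defender-side triage check. The following Python is an added illustration, not code from the thread or from any scantxt draft; the declaration and policy formats, the scanner names, and the probe log lines are all constructed for this example and do not reflect any real syntax the proposal defines.

```python
"""Triage inbound probes against declared-scanner records and a local scan policy.

Added example: the record formats below are hypothetical and constructed for
illustration; they are not the scantxt format or any published specification.
"""
import ipaddress
import re
from collections import Counter

# Constructed scanner declarations: the address ranges each scanner probes from
# (the "dedicated IPs" idea) and the kinds of scanning it claims to perform.
SCANNER_DECLARATIONS = {
    "scanner-a": {"sources": ["198.51.100.0/24"], "kinds": {"port", "tls"}},
    "scanner-b": {"sources": ["192.0.2.128/25"], "kinds": {"http"}},
}

# Constructed target-side policy: which declared scanners we have agreed to,
# which of our address ranges they may touch, and which ports they may probe.
TARGET_POLICY = {
    "accepted_scanners": {"scanner-a"},
    "nets": ["203.0.113.0/24"],
    "ports": {22, 80, 443},
}

# Constructed probe log (documentation-range addresses only).
PROBE_LOG = """\
2022-12-04T18:37:25Z src=198.51.100.7 dst=203.0.113.10 dport=443
2022-12-04T18:37:26Z src=198.51.100.9 dst=203.0.113.11 dport=8080
2022-12-04T18:37:27Z src=192.0.2.200 dst=203.0.113.12 dport=80
2022-12-04T18:37:28Z src=192.0.2.77 dst=203.0.113.13 dport=22
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def _in_any(addr, nets):
    """True if addr falls inside any of the given CIDR strings."""
    return any(addr in ipaddress.ip_network(n) for n in nets)


def identify_scanner(src_ip, declarations=SCANNER_DECLARATIONS):
    """Return the declared scanner whose source ranges cover src_ip, else None."""
    addr = ipaddress.ip_address(src_ip)
    for name, decl in declarations.items():
        if _in_any(addr, decl["sources"]):
            return name
    return None


def classify_probe(src_ip, dst_ip, dport, policy=TARGET_POLICY,
                   declarations=SCANNER_DECLARATIONS):
    """Classify one probe as unknown, declared-not-accepted,
    declared-out-of-scope or declared-in-scope."""
    scanner = identify_scanner(src_ip, declarations)
    if scanner is None:
        return "unknown"
    if scanner not in policy["accepted_scanners"]:
        return "declared-not-accepted"
    dst = ipaddress.ip_address(dst_ip)
    if _in_any(dst, policy["nets"]) and dport in policy["ports"]:
        return "declared-in-scope"
    return "declared-out-of-scope"


def triage(log_text, policy=TARGET_POLICY, declarations=SCANNER_DECLARATIONS):
    """Count probes in each class; lines that do not parse are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        counts[classify_probe(src, dst, port, policy, declarations)] += 1
    return counts


if __name__ == "__main__":
    for cls, n in sorted(triage(PROBE_LOG).items()):
        print(f"{cls:24s} {n}")
```

The classification only answers "was this probe declared and within what we agreed to"; as the message notes, undeclared scanning happens regardless, so the "unknown" bucket is where ordinary detection and ingress controls still apply, and "declared-out-of-scope" is the case worth raising with the scanner operator rather than silently dropping.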