The curious case of Spamhaus, a port scanning scandal, and an apparent U-turn

www.theregister.co.uk | 4/16/2019 | Staff
DebraS (Posted by) Level 3
Click For Photo: https://regmedia.co.uk/2019/04/15/shutterstock_580723174.jpg






















Analysis In recent months, several security researchers have said Spamhaus has been automatically blocking people for carrying out legitimate network port scanning and failed to provide a prompt means of redress.

Spamhaus, a non-profit provider of blocklists and cyber-threat detection, insists nothing like that has happened at all. "The claim you are asking about is, in the politest words we can describe it, unadulterated codswallop," said Spamhaus ops administrator Luc Rossini in an email to The Register. "While Spamhaus does have a policy of listing sources of malicious port scanning (the key word being 'malicious'), our systems simply do not work the way this individual thinks."

Individual - Refers - Vincent - Canfield - Server

"This individual" refers to Vincent Canfield, who runs server hosting and consultancy biz Ovo.sc, and recently penned a post detailing alleged problems with Spamhaus.

"Spamhaus is listing all port scanning traffic without verifying the traffic comes from where it says," Canfield states in his post. "Instead of checking for e.g. banner scans, which require a TCP handshake or two-way UDP interaction, Spamhaus' honeypot servers are blacklisting all TCP SYNs it sees."

Background

Or it was. Or never was, depending on whom you believe. But first some background.

A SYN scan, or half-open scan, waits for a SYN-ACK response from the server and if it receives a response, it does not respond. Such events generally are not logged because a TCP connection is never consummated. These port scans may be malicious reconnaissance or legitimate market and internet research, and the difference is not always obvious. But for those being blocked, the distinction matters a great deal.

Spamhaus - Damage - Google - Search - Website

Being blocked by Spamhaus can cause online damage similar to being excluded from Google Search; it means your website or internet service cannot be accessed through service providers that subscribe to its block list. As Canfield put it in his post, "being listed by Spamhaus is...
(Excerpt) Read more at: www.theregister.co.uk
Wake Up To Breaking News!
Sign In or Register to comment.

Welcome to Long Room!

Where The World Finds Its News!