Why did you "portscan" me?

First, some quick background. TCP port 119 is used for NNTP, the Network News Transfer Protocol. NNTP is spoken between a news client and a news server to read or post USENET news, and between two peering news servers to exchange news. TCP port 563 is used for "secure NNTP", also known as "SNEWS" or NNTPS: the same protocol wrapped in SSL/TLS.

I run a website (www.newzbot.com) that lists publicly accessible USENET news servers. To populate this site, I go out and connect to various hosts looking for USENET services on port 119 (NNTP) and 563 (NNTP over SSL); I then put the results in a database and publish them in various formats.

Conceptually, this works much like a web spider, which talks to hosts to determine whether they offer web services and, if so, "spiders" the pages for indexing. Mine is more of a meta-search engine: it does not offer the USENET news itself, only where to find it.

How do I know you're not trying to hack me?

This is an excellent question. One of the things to look for is which services are being probed. A connection to just one or two ports is generally not suspicious. A connection to multiple ports is, particularly ports 21 (ftp), 23 (telnet), 25 (smtp), 79 (finger), 110 (pop3), 111 (Sun RPC portmapper), 139 (NetBIOS session service, i.e. Windows file and printer sharing), 143 (IMAP) or 2049 (NFS). If you see connections from one source to more than one of those ports, then it's likely you are being portscanned with the intent to identify vulnerable services on your host.

Furthermore, if your firewalling software can detect a so-called "stealth scan" (one that never completes the TCP handshake: a half-open SYN scan, where the scanner answers your SYN/ACK with a RST instead of an ACK, or FIN, NULL and Xmas probes that carry no SYN at all), this almost (almost!) always indicates a portscan. A bare SYN by itself is not the tell; every legitimate connection starts with one.
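To make the two rules of thumb above concrete, here is an added example (not code from the original page or from newzbot) that applies them to a handful of constructed firewall log lines. The lines use a simplified iptables-style format (SRC=, DPT= and TCP flag words); that format, the addresses and the thresholds are assumptions for the sake of illustration.

```python
"""Sort probing hosts using the two heuristics from the text.

Added example, not newzbot's code.  The log lines are constructed and use a
simplified iptables-style format; real logs carry more fields, but only
SRC=, DPT= and the TCP flag words are read here.
"""
import re
from collections import defaultdict

# Ports that, hit together, suggest a sweep for vulnerable services (from the text).
SWEEP_PORTS = {21, 23, 25, 79, 110, 111, 139, 143, 2049}
NEWS_PORTS = {119, 563}

SRC_RE = re.compile(r"\bSRC=(\S+)")
DPT_RE = re.compile(r"\bDPT=(\d+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")

# Constructed log: a completed news probe, a sweep of several "interesting"
# ports, a normal SMTP connection, and a half-open scan of the two news
# ports (SYN, then RST, never ACK).
SAMPLE_LOG = """\
Apr 13 02:47:41 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=119 SYN URGP=0
Apr 13 02:47:41 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=119 ACK URGP=0
Apr 13 02:47:42 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=119 ACK FIN URGP=0
Apr 13 02:48:10 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=55000 DPT=21 SYN URGP=0
Apr 13 02:48:10 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=55001 DPT=23 SYN URGP=0
Apr 13 02:48:10 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=55002 DPT=139 SYN URGP=0
Apr 13 02:48:10 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=55003 DPT=2049 SYN URGP=0
Apr 13 02:49:00 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=3344 DPT=25 SYN URGP=0
Apr 13 02:49:00 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=3344 DPT=25 ACK URGP=0
Apr 13 02:50:05 gw kernel: IN=eth0 SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=61000 DPT=119 SYN URGP=0
Apr 13 02:50:05 gw kernel: IN=eth0 SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=61000 DPT=119 RST URGP=0
Apr 13 02:50:05 gw kernel: IN=eth0 SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=61001 DPT=563 SYN URGP=0
Apr 13 02:50:05 gw kernel: IN=eth0 SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=61001 DPT=563 RST URGP=0
"""


def parse(lines):
    """Yield (src, dst_port, flags) for each line carrying SRC= and DPT=."""
    for line in lines:
        src, dpt = SRC_RE.search(line), DPT_RE.search(line)
        if not (src and dpt):
            continue
        yield src.group(1), int(dpt.group(1)), set(FLAG_RE.findall(line))


def classify(lines):
    """Return {src: verdict}.

    "portscan":     two or more of SWEEP_PORTS touched by one source.
    "stealth-scan": two or more flows where the source sent SYN and RST but
                    never ACK, i.e. it tore the handshake down after the
                    SYN/ACK came back.  A SYN the firewall dropped is never
                    followed by a RST, so it is not counted.
    "news-probe":   only ports 119/563 touched, handshake completed.
    "single-port":  anything else.
    """
    ports = defaultdict(set)   # src -> destination ports touched
    flows = defaultdict(set)   # (src, dpt) -> flags seen from that source
    for src, dpt, flags in parse(lines):
        ports[src].add(dpt)
        flows[(src, dpt)] |= flags

    verdicts = {}
    for src, touched in ports.items():
        half_open = sum(
            1 for (s, _), f in flows.items()
            if s == src and {"SYN", "RST"} <= f and "ACK" not in f
        )
        if len(touched & SWEEP_PORTS) >= 2:
            verdicts[src] = "portscan"
        elif half_open >= 2:
            verdicts[src] = "stealth-scan"
        elif touched <= NEWS_PORTS:
            verdicts[src] = "news-probe"
        else:
            verdicts[src] = "single-port"
    return verdicts


def classify_sample():
    """Run the classifier over the constructed log above."""
    return classify(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for host, verdict in sorted(classify_sample().items()):
        print(f"{host:16} {verdict}")
```

The ordering of the checks matters: a source that half-opens two of the sweep ports is reported as a portscan, while a source that only half-opens 119 and 563 is still a stealth scan rather than a polite news probe, because it never completed a handshake.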

In general, there have been few NNTP-related security problems, aside from a bad one a couple of years back that affected Unix boxes running INN, so connections to port 119 or 563 usually indicate a probe to determine whether a public news server is available, but little else.

So what if I'm *not* running a news server?

When an NNTP server accepts a connection, it responds with what is sometimes referred to as a "200 message", something that looks like this:

200 avalon.jammed.com NNTPcache server V1.0.6 Sep 1 1997 ready (posting ok).

However, when a news server refuses a connection from a client, it issues a 500-series message (usually a 502, "permission denied"), such as:

502 You have no permission to talk. Goodbye.

If my robot connects to a server and gets anything other than a 200 message, I automatically add it to an exclude database, which means I will never scan it again. This way I don't bang on people's news servers if they've told me to go away; again, this is very similar to the 'robots.txt' file that websites put up to keep (polite) spiders at bay.

However, if your host is firewalled, this automatic exclusion won't work, since the host simply appears to be offline. Most firewalls (personal and otherwise) silently drop packets rather than accepting the connection, saying "Go away", and disconnecting. From the network's perspective such a host is unreachable, and an unreachable host cannot be told apart from one that is merely down at the moment, so there is nothing to exclude.
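The greeting handling and exclude list described in the last few paragraphs, as an added example that is not newzbot's own code. Status codes follow RFC 3977 (200 = posting allowed, 201 = posting prohibited, 400/502 = unavailable or permission denied). Two points go slightly beyond the page and are assumptions: a 201 banner is treated as a public read-only server rather than as "anything other than a 200", and a connection refused by a closed port (a RST from a live host) is treated as grounds for exclusion, while a timeout is not. The 201 banner and the example hostnames other than avalon.jammed.com are constructed.

```python
"""Classify NNTP greetings and keep an exclude list, as described above.

Added example, not newzbot's code.  Status semantics follow RFC 3977; the
201 handling and the closed-port handling are assumptions (see lead-in).
"""
import socket

PUBLIC_CODES = {200: "public-posting", 201: "public-readonly"}


def parse_greeting(line):
    """Return (code, text) for a greeting that starts with a 3-digit status, else None."""
    parts = line.strip().split(None, 1)
    if not parts or len(parts[0]) != 3 or not parts[0].isdigit():
        return None
    return int(parts[0]), (parts[1] if len(parts) > 1 else "")


def classify(greeting):
    """Map a greeting line to a verdict.

    None means nothing came back (timeout or silently dropped SYN).  The
    host looks offline, and as the text notes that is indistinguishable
    from a firewall, so it is NOT a reason to exclude.
    """
    if greeting is None:
        return "unreachable"
    parsed = parse_greeting(greeting)
    if parsed is None:
        return "not-nntp"          # connected, but no NNTP-shaped banner
    code, _ = parsed
    return PUBLIC_CODES.get(code, "refused")   # 400, 502, ...: told to go away


class Robot:
    """Exclude list in the spirit of robots.txt: once told no, never ask again."""

    def __init__(self):
        self.exclude = set()
        self.servers = {}          # host -> greeting of public servers found

    def record(self, host, greeting):
        verdict = classify(greeting)
        if verdict in PUBLIC_CODES.values():
            self.servers[host] = greeting.strip()
        elif verdict != "unreachable":
            self.exclude.add(host)
        return verdict

    def should_probe(self, host):
        return host not in self.exclude


def probe(host, port=119, timeout=5.0):
    """Read one greeting line from host:port.

    Returns the line, "" when the port is closed (RST from a live host), or
    None when no answer arrives within the timeout (dropped or unreachable).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            line = s.makefile("rb").readline()
            return line.decode("latin-1") if line else ""
    except ConnectionRefusedError:
        return ""
    except OSError:                # includes socket.timeout
        return None


def sample_run():
    """Constructed session: the two banners quoted in the text, a 201 server
    (constructed banner), and a host whose SYN vanished into a firewall."""
    robot = Robot()
    robot.record("avalon.jammed.com",
                 "200 avalon.jammed.com NNTPcache server V1.0.6 Sep 1 1997 ready (posting ok).")
    robot.record("news.example.net",
                 "201 news.example.net InterNetNews NNRP server ready (no posting).")
    robot.record("private.example.org", "502 You have no permission to talk. Goodbye.")
    robot.record("firewalled.example.com", None)
    return robot


if __name__ == "__main__":
    r = sample_run()
    print("public:", sorted(r.servers))
    print("excluded:", sorted(r.exclude))
```

A real robot would call `probe()` only for hosts where `should_probe()` is true and feed the result to `record()`; the firewalled host stays probeable, which is exactly the situation the text describes, so the only way to stop those connections is the manual exclusion offered below.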

I run a news server that allows anonymous connections, but you're connecting to ports other than 119 and 563!

If your host is a public news server, then newzbot attempts to determine its operating system. It does this by using the nmap tool with the -O option to "fingerprint" the OS. These probes will almost always come from the machine 'flagstaff.jammed.com'.

Note that nmap is used only for OS detection; since newzbot is interested only in ports 119 and 563, it has no need to identify every listening service on a host ("portscanning"). OS fingerprinting does, however, send crafted packets to at least one open and one closed port, which is why you may see a few packets to ports other than 119 and 563 from that machine. Newzbot performs OS detection only on hosts that are public news servers; it will not bother your host if it is unreachable or private.

Please don't probe my machine for news services again.

I am happy to accommodate you, but I need to know who you are :-) You can visit this page to automatically exclude the machine you're visiting from. If you have problems excluding your host, or have any questions, please feel free to contact webmaster @ newzbot.com.

Keep in mind that I may still connect to your machine or network. I may ping you, I may try to visit your web site, or I may try to send you mail -- particularly if you send me mail about this issue.


$Id: portscan.html,v 1.4 2003/04/13 02:47:41 jwa Exp $