From: Matthew Moyle-Croft (no email)
Date: Sun Nov 16 2008 - 00:15:17 EST
Chris Lewis wrote:
> Matthew Moyle-Croft wrote:
>
>
> The difficulty is that local blocking is only useful to block C&C
> communications from infected machines in _your_ netblock. It doesn't at
> all stop inbound port 25 connections from infected machines elsewhere.
>
Yeah - got it. It's Sunday afternoon here ... I got all hopeful it
might be easy.
> In some limited cases, you might see a benefit to blocking DNS queries
> from their netblocks. Some "spam-by-compromised-machine" mechanisms
> have the C&C doing the MX lookups for the victims. Mostly because the
> "compromised machine" is merely a proxy, and _can't_ do the MXes. I
> doubt these BOTnet C&Cs do. More efficient to have the BOTs themselves
> doing it.
>
Actually, it's a pity the compromised machines don't do DNS - then you'd
be able to do some interesting things with resolvers and looking for MX
lookup abnormalities.
MMC
--
Matthew Moyle-Croft - Internode/Agile - Networks
Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
Email: Web: http://www.on.net
Direct: +61-8-8228-2909 Mobile: +61-419-900-366
Reception: +61-8-8228-2999 Fax: +61-8-8235-6909
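The "MX lookup abnormalities" idea above can be checked from a recursive resolver's query log: ordinary desktop clients almost never ask for MX records, while a host relaying spam directly has to resolve the MX of every destination domain. The example below is added here and is not code from this thread; the log lines are constructed (loosely in BIND query-log style, so the regex will need adjusting for a real resolver), and the thresholds, the `KNOWN_MTAS` allow-list and all addresses are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the constructed log lines below (loosely BIND query-log style;
# adapt the pattern to whatever your resolver actually emits).
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S"


def _line(ts, ip, qname, qtype):
    # Helper that builds one constructed log line.
    return f"{ts}.000 client {ip}#53211: query: {qname} IN {qtype} + (192.0.2.1)"


# Constructed sample: a normal desktop (192.0.2.10), a legitimate MTA we know
# about (198.51.100.5) and a host walking through many MX records in a burst
# (192.0.2.55). All addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    _line("16-Nov-2008 14:00:01", "192.0.2.10", "www.example.com", "A"),
    _line("16-Nov-2008 14:00:02", "192.0.2.10", "mail.example.com", "A"),
    _line("16-Nov-2008 14:00:03", "192.0.2.10", "example.com", "MX"),
] + [
    _line(f"16-Nov-2008 14:00:{s:02d}", "198.51.100.5", f"customer{s}.example", "MX")
    for s in range(10, 40)
] + [
    _line(f"16-Nov-2008 14:00:{s:02d}", "192.0.2.55", f"victim{s}.example", "MX")
    for s in range(5, 35)
]

# Hypothetical allow-list of hosts that are supposed to do MX lookups.
KNOWN_MTAS = frozenset({"198.51.100.5"})


def parse(lines):
    """Yield (timestamp, client_ip, qname, qtype) for each line that matches."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line; ignore it
        yield (datetime.strptime(m["ts"], TS_FMT), m["ip"], m["qname"].lower(), m["qtype"])


def per_client_stats(records):
    """Aggregate query counts, MX counts, distinct MX domains and time span per client."""
    stats = defaultdict(lambda: {"total": 0, "mx": 0, "mx_domains": set(),
                                 "first": None, "last": None})
    for ts, ip, qname, qtype in records:
        s = stats[ip]
        s["total"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        if qtype == "MX":
            s["mx"] += 1
            s["mx_domains"].add(qname)
    return stats


def flag_mx_abusers(lines, allowlist=frozenset(), min_mx=20, min_distinct=10,
                    max_span_seconds=120, min_ratio=0.5):
    """Return {ip: reason} for clients whose MX lookup pattern looks like an MTA's
    but which are not listed as a known mail server. Thresholds are hypothetical."""
    flagged = {}
    for ip, s in per_client_stats(parse(lines)).items():
        if ip in allowlist:
            continue
        span = (s["last"] - s["first"]).total_seconds()
        ratio = s["mx"] / s["total"]
        if (s["mx"] >= min_mx and len(s["mx_domains"]) >= min_distinct
                and span <= max_span_seconds and ratio >= min_ratio):
            flagged[ip] = (f"{s['mx']} MX queries for {len(s['mx_domains'])} domains "
                           f"in {span:.0f}s (MX ratio {ratio:.2f})")
    return flagged


if __name__ == "__main__":
    for ip, reason in flag_mx_abusers(SAMPLE_LOG, KNOWN_MTAS).items():
        print(f"suspect {ip}: {reason}")
```

The span check here is over the whole log slice; on a live feed you would run it over a sliding window (say, one minute) so a host that does a handful of MX lookups a day never trips it. The allow-list matters: every mail server you operate, and every customer running their own, will look exactly like the bot from the resolver's point of view, so the output is a list to investigate, not a list to block.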