Re: McColo: Are the 'Lights On" at Telia?

From: Matthew Moyle-Croft (no email)
Date: Sun Nov 16 2008 - 00:15:17 EST

  • Next message: Justin Shore: "Re: McColo: Are the 'Lights On" at Telia?"

    Chris Lewis wrote:
    > Matthew Moyle-Croft wrote:
    > The difficulty is that local blocking is only useful to block C&C
    > communications from infected machines in _your_ netblock. It doesn't at
    > all stop inbound port 25 connections from infected machines elsewhere.
    Yeah - got it. It's Sunday afternoon here ... I got all hopeful it
    might be easy.
    > In some limited cases, you might see a benefit to blocking DNS queries
    > from their netblocks. Some "spam-by-compromised-machine" mechanisms
    > have the C&C doing the MX lookups for the victims. Mostly because the
    > "compromised machine" is merely a proxy, and _can't_ do the MXes. I
    > doubt these BOTnet C&Cs do. More efficient to have the BOTs themselves
    > doing it.
    Actually, it's a pity the compromised machines don't do DNS - then you'd
    be able to do some interesting things with resolvers and looking for MX
    lookup abnormalities.


    Matthew Moyle-Croft - Internode/Agile - Networks
    Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
    Direct: +61-8-8228-2909		    Mobile: +61-419-900-366
    Reception: +61-8-8228-2999          Fax: +61-8-8235-6909
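The "MX lookup abnormalities" idea in the message above can be put to work on a resolver's query log: a residential customer that asks the ISP resolver for MX records of many unrelated domains looks like a spam bot doing its own delivery, while the ISP's own MTAs are expected to do exactly that. The following is an added example, not code from the thread or from Internode; it assumes the BIND 9 "queries" log-channel line layout (check it against your own named.conf), a constructed sample log, and an allowlist of known MTA addresses (192.0.2.25 here) that are exempt from the check.

```python
import re
from collections import defaultdict

# Resolver query log in BIND 9 "queries" category layout. The exact layout is an
# assumption for this example; verify against the logging channel you configured.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample log: one legitimate outbound MTA (192.0.2.25) and two
# residential clients. 203.0.113.45 behaves like a spam bot, resolving MX records
# for many unrelated domains; 203.0.113.46 behaves like an ordinary desktop.
SAMPLE_LOG = """\
16-Nov-2008 14:05:01.001 client 192.0.2.25#50123: query: example.com IN MX + (192.0.2.1)
16-Nov-2008 14:05:01.002 client 192.0.2.25#50124: query: example.org IN MX + (192.0.2.1)
16-Nov-2008 14:05:01.003 client 192.0.2.25#50125: query: example.net IN MX + (192.0.2.1)
16-Nov-2008 14:05:01.004 client 192.0.2.25#50126: query: mail.example.edu IN MX + (192.0.2.1)
16-Nov-2008 14:05:01.005 client 192.0.2.25#50127: query: example.co.uk IN MX + (192.0.2.1)
16-Nov-2008 14:05:02.001 client 203.0.113.45#1025: query: example.com IN MX + (192.0.2.1)
16-Nov-2008 14:05:02.002 client 203.0.113.45#1026: query: example.org IN MX + (192.0.2.1)
16-Nov-2008 14:05:02.003 client 203.0.113.45#1027: query: example.net IN MX + (192.0.2.1)
16-Nov-2008 14:05:02.004 client 203.0.113.45#1028: query: example.edu IN MX + (192.0.2.1)
16-Nov-2008 14:05:02.005 client 203.0.113.45#1029: query: example.co.uk IN MX + (192.0.2.1)
16-Nov-2008 14:05:02.006 client 203.0.113.45#1030: query: example.info IN MX + (192.0.2.1)
16-Nov-2008 14:05:02.007 client 203.0.113.45#1031: query: update.example.com IN A + (192.0.2.1)
16-Nov-2008 14:05:03.001 client 203.0.113.46#2000: query: www.example.com IN A + (192.0.2.1)
16-Nov-2008 14:05:03.002 client 203.0.113.46#2001: query: www.example.org IN A + (192.0.2.1)
16-Nov-2008 14:05:03.003 client 203.0.113.46#2002: query: example.net IN MX + (192.0.2.1)
this line is not a query record and is skipped
"""

# Hosts that legitimately resolve many MX records: the ISP's own outbound MTAs.
# Hypothetical address for the example.
MTA_ALLOWLIST = {"192.0.2.25"}


def parse_query_line(line):
    """Return (client_ip, qname, qtype) for a query log line, or None if it is not one."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower()
    return m.group("ip"), qname, m.group("qtype")


def mx_lookup_profile(log_text):
    """Per client: (distinct domains queried for MX, MX queries, total queries)."""
    mx_domains = defaultdict(set)
    mx_count = defaultdict(int)
    total = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ip, qname, qtype = parsed
        total[ip] += 1
        if qtype == "MX":
            mx_count[ip] += 1
            mx_domains[ip].add(qname)
    return {ip: (len(mx_domains[ip]), mx_count[ip], total[ip]) for ip in total}


def flag_mx_abnormal(log_text, min_mx_domains=5, min_mx_share=0.5,
                     allowlist=MTA_ALLOWLIST):
    """Clients (not in the allowlist) whose lookups are dominated by MX queries
    across many distinct domains. Returns [(ip, distinct_mx_domains, mx_share)]
    sorted by distinct domain count, largest first."""
    flagged = []
    for ip, (distinct, mx, total) in mx_lookup_profile(log_text).items():
        if ip in allowlist or total == 0:
            continue
        share = mx / total
        if distinct >= min_mx_domains and share >= min_mx_share:
            flagged.append((ip, distinct, round(share, 3)))
    return sorted(flagged, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for ip, distinct, share in flag_mx_abnormal(SAMPLE_LOG):
        print(f"{ip}: MX lookups for {distinct} distinct domains, {share:.0%} of its queries")
```

The thresholds are deliberately conservative: a single MX lookup from a desktop mail client is normal, and the share test keeps a busy host that merely happens to send some mail from tripping the check. As with the blocking discussed in the thread, this only sees bots that use your resolver; a bot with its own recursive resolver, or one whose C&C does the MX lookups for it, never appears in this log.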
