Interesting People mailing list archives

Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)


From: Dave Farber <dave () farber net>
Date: Sat, 10 Oct 2009 11:12:00 -0400





Begin forwarded message:

From: Rich Kulawiec <rsk () gsp org>
Date: October 10, 2009 10:37:58 EDT
To: David Farber <dave () farber net>
Cc: "David P. Reed" <dpreed () reed com>
Subject: Re: [IP] Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)


On Sat, Oct 10, 2009 at 09:52:15AM -0400, David Reed wrote:
If I send a lot of email, why does that make me a "bot"? Maybe I just
send a lot of email.

That's definitely not a good metric. Here's a much better one, far more
accurate and much less invasive.  (Presuming for a moment that port 25
outbound isn't blocked.)

Count the number of outbound connections to port 25 per unit time and
the number of destinations.

Real traffic from real human beings will show very low numbers of both
of those: we don't send that much mail, and even if we're relaying
outbound traffic through remote SMTP servers on port 25 (which we
shouldn't be) we don't use many of them because we're not authorized to
use many of them.

On the other hand, spam-spewing bots, in an effort to maximize delivery
attempts/deliveries, will initiate huge numbers of connections to diverse
destinations.

I've been looking at these numbers on different networks over the past
several years, and the differences are sharp enough -- 10e3 to 10e6 --
that they're immediately recognizable even with leaky observation methods.
Bot-initiated spam runs make themselves visible in just a few minutes,
sometimes less.  And while certainly bot-initiated spam runs are by no
means the only form of abuse that we should be concerned about,
identifying these systems has considerable value: it harvests the
low-hanging fruit, thus stopping them from doing immediate harm (sending
spam) and from doing future harm (whatever they may be instructed to do
next).

There are spammer countermeasures to this, of course: one is to rate-limit
the spam runs.  But judicious tuning of detection thresholds based on
local knowledge of usage patterns can make this difficult for them.
Moreover, if they *are* rate-limiting sufficiently to evade detection,
there is at least one very positive outcome of this: less spam.
Applied globally, this would severely curtail overall spam levels --
certainly not fixing the problem, by any means, but at least providing
some symptomatic relief.

---Rsk
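The detection logic Rich describes, as an added example that is not part of the original message: a per-source sliding window over outbound connections to port 25 that tracks both the connection count and the number of distinct destinations, run over constructed flow records (documentation address ranges, no real hosts). The record format, window length and thresholds are assumptions chosen for illustration; the message does not specify them.

```python
"""Flag hosts whose outbound port-25 traffic looks like a spam bot.

Added example, not code from the original message. It implements the two
metrics from the message (outbound SMTP connections per unit time and the
number of distinct destinations per source) over constructed flow records.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed defaults: a one-minute window, and thresholds that a single
# person mailing through their provider's relay will never reach.
WINDOW = timedelta(seconds=60)
MAX_CONNS = 20     # outbound port-25 connections per window
MAX_DESTS = 10     # distinct port-25 destinations per window


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flow(line):
    """Assumed record format: '<ISO timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


class SmtpRateDetector:
    """Sliding window per source over connections to destination port 25."""

    def __init__(self, window=WINDOW, max_conns=MAX_CONNS, max_dests=MAX_DESTS):
        self.window, self.max_conns, self.max_dests = window, max_conns, max_dests
        self.recent = defaultdict(deque)   # src -> deque of (ts, dst) in window
        self.alerts = {}                   # src -> (ts, conns, dests) at first alert

    def observe(self, flow):
        if flow.dport != 25:               # only outbound SMTP counts
            return None
        q = self.recent[flow.src]
        q.append((flow.ts, flow.dst))
        while q and flow.ts - q[0][0] > self.window:   # expire old entries
            q.popleft()
        conns = len(q)
        dests = len({dst for _, dst in q})
        if conns >= self.max_conns or dests >= self.max_dests:
            self.alerts.setdefault(flow.src, (flow.ts, conns, dests))
            return (flow.src, conns, dests)
        return None


def run_detector(lines, **kwargs):
    """Feed flow lines through a detector; return {src: (ts, conns, dests)}."""
    det = SmtpRateDetector(**kwargs)
    for line in lines:
        det.observe(parse_flow(line))
    return det.alerts


def constructed_flows():
    """Constructed traffic for four hosts (addresses from RFC 1918/5737 ranges)."""
    t0 = datetime(2009, 10, 10, 10, 0, 0)
    lines = []
    # 10.0.0.5: a person sending a message every three minutes via one relay
    for i in range(5):
        lines.append(f"{(t0 + timedelta(minutes=3 * i)).isoformat()} 10.0.0.5 192.0.2.10 25")
    # 10.0.0.6: busy web browsing, port 80 only; must be ignored entirely
    for i in range(50):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.6 198.51.100.{i % 20 + 1} 80")
    # 10.0.0.7: spam bot hitting a new destination MX every second
    for i in range(40):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.7 203.0.113.{i + 1} 25")
    # 10.0.0.8: rate-limited bot, one new destination every 15 seconds
    for i in range(40):
        lines.append(f"{(t0 + timedelta(seconds=15 * i)).isoformat()} 10.0.0.8 203.0.113.{i + 1} 25")
    return sorted(lines)   # fixed-width ISO timestamps sort chronologically


if __name__ == "__main__":
    for src, (ts, conns, dests) in run_detector(constructed_flows()).items():
        print(f"{ts.isoformat()} {src}: {conns} SMTP conns, {dests} destinations in window")
```

With the one-minute window only 10.0.0.7 is flagged, after ten connections to ten distinct destinations, i.e. within ten seconds of the run starting. The rate-limited bot 10.0.0.8 stays under both thresholds, which is the countermeasure the message anticipates; widening the window (for example an hour with a higher destination threshold) catches it while the human sender, who talks to a single relay, still never trips the rule. Those longer-window thresholds are exactly the "judicious tuning based on local knowledge" the message calls for.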




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
