nanog mailing list archives

Re: botted hosts


From: Tony Finch <dot () dotat at>
Date: Tue, 5 Apr 2005 11:03:14 +0100


On Mon, 4 Apr 2005, Dean Anderson wrote:

> Err, not likely. SPF came out, and now bots can find the ISPs "closed
> relays" with very little trouble at all.

AFAIK bots use the MX of a parent domain of the infected machine's
hostname to find an outgoing relay, not SPF. This is based on an
incident I dealt with in September, and the Spamhaus article
http://www.spamhaus.org/news.lasso?article=158
Fortunately it isn't too hard to lock down MXs to incoming only.

Tony.
-- 
f.a.n.finch  <dot () dotat at>  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
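
Added example, not part of the original message: a Python sketch of the "incoming only" rule for an MX, used to audit that MX's accepted recipients for relaying and to flag which clients sit inside the ISP's own address space. The log format, domain names and address ranges are constructed for illustration and do not come from any real MTA.

```python
import ipaddress
from collections import Counter

# Assumed site settings (hypothetical values, not from the original message).
LOCAL_DOMAINS = {"example.net"}                          # domains the MX is final destination for
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # the ISP's own address space

# Constructed records in a made-up key=value format, one RCPT decision per line.
SAMPLE_LOG = """\
client=198.51.100.7 rcpt=alice@example.net action=accept
client=192.0.2.44 rcpt=victim1@example.org action=accept
client=192.0.2.44 rcpt=victim2@example.com action=accept
client=192.0.2.9 rcpt=bob@example.net action=accept
client=203.0.113.5 rcpt=someone@example.org action=reject
"""

def incoming_only_accepts(rcpt):
    """Incoming-only policy: accept local recipients only; the client IP never matters."""
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def is_customer(ip):
    """True if the client address lies inside the ISP's own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_NETS)

def relayed_via_mx(log_text):
    """Count, per client, accepted recipients that an incoming-only MX would refuse."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        if rec.get("action") == "accept" and not incoming_only_accepts(rec["rcpt"]):
            hits[rec["client"]] += 1
    return hits

def report(log_text):
    """Sorted (client, relayed_count, is_customer) tuples for follow-up."""
    return sorted((ip, n, is_customer(ip)) for ip, n in relayed_via_mx(log_text).items())

if __name__ == "__main__":
    for ip, count, customer in report(SAMPLE_LOG):
        kind = "customer host, check for infection" if customer else "external client"
        print(f"{ip}: {count} non-local recipients accepted by MX ({kind})")
```

Any line in the report means the MX is still relaying; an empty report is what a locked-down MX should produce.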

