nanog mailing list archives
Re: botted hosts
From: Suresh Ramasubramanian <ops.lists () gmail com>
Date: Tue, 5 Apr 2005 17:54:06 +0530
On Apr 5, 2005 3:33 PM, Tony Finch <dot () dotat at> wrote:
> AFAIK bots use the MX of a parent domain of the infected machine's hostname to find an outgoing relay, not SPF. This is based on an incident I dealt with in September, and the Spamhaus article
> http://www.spamhaus.org/news.lasso?article=158
> Fortunately it isn't too hard to lock down MXs to incoming only.
Some bots do that. Others just grab the smtp server (and AUTH settings if any) from your MUA - easier if it's Outlook / OE - and send using that smarthost.

Just that when you have SMTP AUTH usernames in your logs, and virus sign, it is quite easy to locate and lock down that user, or maybe use your RADIUS server to drop his login session, then restrict his next login to a walled garden VLAN, or maybe cut it off altogether till the issue is fixed.

-- Suresh Ramasubramanian (ops.lists () gmail com)
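
The log correlation described in the reply above, as an added example that is not part of the original message: it ties scanner hits back to SMTP AUTH usernames by queue ID and returns the accounts that warrant a lockdown. The log lines are constructed; the `avscan` line format and the `flag_accounts` name are assumptions, and only the `sasl_username=` field follows Postfix's smtpd logging.

```python
import re
from collections import defaultdict

# Constructed sample. The smtpd lines follow Postfix's "client=..., sasl_username=..."
# logging; the "avscan" lines are a hypothetical scanner format assumed here.
SAMPLE_LOG = """\
Apr  5 12:00:01 mx postfix/smtpd[811]: 4A1B2C3D: client=dsl-10.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Apr  5 12:00:02 mx avscan[900]: 4A1B2C3D: INFECTED (Constructed.Worm.A)
Apr  5 12:00:03 mx postfix/smtpd[811]: 4A1B2C3E: client=dsl-10.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Apr  5 12:00:04 mx avscan[900]: 4A1B2C3E: INFECTED (Constructed.Worm.A)
Apr  5 12:00:05 mx postfix/smtpd[812]: 4A1B2C3F: client=dsl-10.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Apr  5 12:00:06 mx avscan[900]: 4A1B2C3F: INFECTED (Constructed.Worm.B)
Apr  5 12:01:00 mx postfix/smtpd[813]: 4A1B2C40: client=host7.example.org[198.51.100.7], sasl_method=PLAIN, sasl_username=bob
Apr  5 12:02:00 mx postfix/smtpd[814]: 4A1B2C41: client=unknown[203.0.113.5]
Apr  5 12:02:01 mx avscan[900]: 4A1B2C41: INFECTED (Constructed.Worm.A)
Apr  5 12:03:00 mx postfix/smtpd[815]: 4A1B2C42: client=cable-3.example.net[192.0.2.33], sasl_method=LOGIN, sasl_username=carol
Apr  5 12:03:01 mx avscan[900]: 4A1B2C42: INFECTED (Constructed.Worm.A)
"""

# Authenticated submission: queue ID, client IP and SMTP AUTH username.
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
                      r"client=[^\[]+\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)")
# Hypothetical scanner verdict keyed by the same queue ID.
SCAN_RE = re.compile(r"avscan\[\d+\]: (?P<qid>[0-9A-F]+): INFECTED \((?P<sig>[^)]+)\)")


def flag_accounts(log_text, min_hits=2):
    """Return {username: {"hits", "ips", "sigs"}} for AUTH users whose
    submissions tripped the scanner at least min_hits times."""
    qid_owner = {}  # queue ID -> (username, client IP)
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "sigs": set()})
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            qid_owner[m["qid"]] = (m["user"], m["ip"])
            continue
        m = SCAN_RE.search(line)
        if m and m["qid"] in qid_owner:  # unauthenticated mail has no owner
            user, ip = qid_owner[m["qid"]]
            stats[user]["hits"] += 1
            stats[user]["ips"].add(ip)
            stats[user]["sigs"].add(m["sig"])
    return {u: s for u, s in stats.items() if s["hits"] >= min_hits}
```

The returned client IPs are what a RADIUS accounting lookup would be keyed on when dropping the session or moving the next login to a walled garden.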