nanog mailing list archives

Re: botted hosts


From: Suresh Ramasubramanian <ops.lists () gmail com>
Date: Tue, 5 Apr 2005 17:54:06 +0530


On Apr 5, 2005 3:33 PM, Tony Finch <dot () dotat at> wrote:

> AFAIK bots use the MX of a parent domain of the infected machine's
> hostname to find an outgoing relay, not SPF. This is based on an
> incident I dealt with in September, and the Spamhaus article
> http://www.spamhaus.org/news.lasso?article=158
> Fortunately it isn't too hard to lock down MXs to incoming only.


Some bots do that. Others just grab the SMTP server (and AUTH settings
if any) from your MUA - easier if it's Outlook / OE - and send using
that smarthost.

Just that when you have SMTP AUTH usernames in your logs, and virus
signs, it is quite easy to locate and lock down that user, or maybe use
your RADIUS server to drop his login session, then restrict his next
login to a walled garden VLAN, or maybe cut it off altogether till the
issue is fixed.

-- 
Suresh Ramasubramanian (ops.lists () gmail com)

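Not part of the original thread: an added Python example of the kind of log check the reply above describes, using the SMTP AUTH usernames in the smarthost's logs to pick out accounts a bot is driving through the user's own MUA settings. It assumes a Postfix smarthost whose smtpd logs SASL logins in the usual "client=host[ip], sasl_method=..., sasl_username=..." form; the log lines, the user names and the thresholds (more than three client addresses, or more than twenty logins, inside any ten-minute window) are constructed for the example. It stops at producing the list of accounts to lock down; dropping the RADIUS session or moving the user to a walled-garden VLAN is left to whatever the site already uses for that.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the smarthost is Postfix and logs SASL logins in its usual
# "client=host[ip], sasl_method=..., sasl_username=..." form. Everything
# below (hosts, users, thresholds) is constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)


def _line(hms, qid, ip, user):
    """Build one constructed Postfix smtpd SASL login log line."""
    return (f"Apr  5 {hms} mx1 postfix/smtpd[2101]: {qid}: "
            f"client=client.example.net[{ip}], sasl_method=PLAIN, "
            f"sasl_username={user}")


def build_sample_log():
    """Constructed sample log: one account hopping between client addresses
    (a bot that has stolen the credentials), one account bursting logins from
    a single address (the bot on the user's own machine), one normal user,
    and an unrelated qmgr line the parser must ignore."""
    lines = []
    for i, ip in enumerate(["192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.77"]):
        lines.append(_line(f"10:01:{i:02d}", f"A1B2C{i}", ip, "alice"))
    for i in range(25):  # 25 logins between 10:10:00 and 10:14:40
        lines.append(_line(f"10:{10 + i // 5:02d}:{(i % 5) * 10:02d}",
                           f"B{i:05X}", "192.0.2.20", "bob"))
    lines.append(_line("08:00:00", "C00001", "192.0.2.30", "carol"))
    lines.append(_line("14:00:00", "C00002", "192.0.2.30", "carol"))
    lines.append("Apr  5 10:02:00 mx1 postfix/qmgr[2000]: A1B2C0: "
                 "from=<alice@example.net>, size=1234, nrcpt=1 (queue active)")
    return "\n".join(lines)


def parse_sasl_logins(text, year=2005):
    """Return (timestamp, username, client_ip) for every AUTH login line.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an smtpd SASL login line (qmgr, cleanup, ...)
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["user"], m["ip"]))
    return events


def flag_accounts(events, window=timedelta(minutes=10), max_ips=3, max_logins=20):
    """Return {username: [reasons]} for accounts whose AUTH activity inside
    any sliding window exceeds the thresholds. The thresholds are
    illustrative; tune them to the site's normal per-user login rate."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until every event in it is recent enough
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            ips = {ip for _, ip in in_window}
            reasons = []
            if len(ips) > max_ips:
                reasons.append(f"{len(ips)} distinct client addresses within {window}")
            if len(in_window) > max_logins:
                reasons.append(f"{len(in_window)} AUTH logins within {window}")
            if reasons:
                flagged[user] = reasons
                break  # one hit is enough to put the account on the list
    return flagged


if __name__ == "__main__":
    # The flagged list is what would feed the lockdown step (RADIUS disconnect,
    # walled-garden VLAN); that part is site-specific and not shown here.
    for user, reasons in flag_accounts(parse_sasl_logins(build_sample_log())).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Two signals are checked because the two bot behaviours in the thread look different in the logs: credentials lifted from the MUA and replayed elsewhere show up as one username arriving from many client addresses, while a bot sending through the smarthost from the infected machine itself shows up as one address authenticating far more often than a person would. Watching only message volume would miss the first case until the spam run was well under way.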
