nanog mailing list archives
Re: Anyone from BT...
From: Chris Edwards <chris () eng gla ac uk>
Date: Tue, 23 Jan 2007 15:32:07 +0000 (GMT)
On Tue, 23 Jan 2007, Tony Finch wrote:
| Also http://wesii.econinfosec.org/draft.php?paper_id=47
| (Google will give you an HTML version.)

Well spotted - interesting.

This is monitoring SMTP leaving their network, right?

I guess the yellow line on the graphs ("invalid mail" - rejected inline by the dest mail server, for some reason) makes this somewhat related to Richard Clayton's "extrusion detection" work. Difference being BT are monitoring direct->MX traffic.

Aside from the invalid mails, this article suggests they're mostly identifying spam by the source IP (i.e. their customer's IP) being listed in a DNSBL. So how come they need this super-duper real-time content scanning infrastructure? Why wouldn't they download the DNSBLs, and simply run an offline grep for entries in their own IP space?

Oops - the redirection rules as stated (underneath figure 4) look backwards:

"Traffic from link A that will be routed out of link B, and has a source port of 25 is redirected to link C"

s/source/destination/ (and similar for the return rule).
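The "offline grep" suggested in the message above, worked through as an added example (this is not code from the thread, from the paper, or from BT's system). A literal grep on a DNSBL dump misses the cases that matter most: a listing of a whole /24 that covers your /26, or a host listing inside one of your prefixes. The script below parses a constructed DNSBL zone dump (IPs and CIDRs with optional ":reason" suffixes, a common export style; the data is made up and the prefixes are hypothetical) and reports every listing that overlaps the operator's own address space. It also shows how the per-connection lookup the paper relies on is formed (reversed octets or nibbles under a zone; "dnsbl.example" is a placeholder zone), so the two approaches can be compared.

```python
import ipaddress

# Constructed sample: a DNSBL zone export, one IP or CIDR per line, optional
# ":reason" suffix, "#" comments. Hypothetical data, not a real blocklist.
SAMPLE_DNSBL_DUMP = """\
# example dump, constructed for illustration
192.0.2.17
192.0.2.0/24:open relay
198.51.100.44:spam source
203.0.113.0/25
2001:db8::5
10.0.0.1
"""

# Constructed: the operator's own address space (hypothetical prefixes).
OUR_PREFIXES = ["192.0.2.0/24", "203.0.113.64/26"]


def parse_dnsbl_dump(text):
    """Return a list of (network, reason) tuples from a zone dump."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Try the whole line first so IPv6 literals (which contain ':') parse.
        try:
            entries.append((ipaddress.ip_network(line, strict=False), ""))
            continue
        except ValueError:
            pass
        # Otherwise split off a trailing ":reason" and parse the address part.
        addr, _, reason = line.rpartition(":")
        try:
            entries.append((ipaddress.ip_network(addr, strict=False), reason.strip()))
        except ValueError:
            # Unparseable line: skip rather than silently mis-attribute it.
            continue
    return entries


def listed_in_our_space(dnsbl_entries, our_prefixes):
    """Return (listing, our_prefix, reason) for every listing that overlaps us.

    Overlap, not equality, is the right test: a listed /24 that contains our
    /26 blocks our mail just as surely as a listed single host inside our /24.
    """
    ours = [ipaddress.ip_network(p, strict=False) for p in our_prefixes]
    hits = []
    for net, reason in dnsbl_entries:
        for prefix in ours:
            if net.version != prefix.version:
                continue
            if net.overlaps(prefix):
                # Render host listings without the /32 or /128 suffix.
                label = str(net.network_address) if net.num_addresses == 1 else str(net)
                hits.append((label, str(prefix), reason))
                break
    return hits


def dnsbl_query_name(ip, zone):
    """Build the DNS name a mail server would look up for one client IP.

    IPv4 listings are keyed by reversed octets, IPv6 by reversed nibbles;
    reverse_pointer gives exactly that once the .arpa suffix is dropped.
    """
    reverse = ipaddress.ip_address(ip).reverse_pointer
    labels = reverse.rsplit(".", 2)[0]  # strip "in-addr.arpa" / "ip6.arpa"
    return f"{labels}.{zone}"


if __name__ == "__main__":
    for listing, prefix, reason in listed_in_our_space(
        parse_dnsbl_dump(SAMPLE_DNSBL_DUMP), OUR_PREFIXES
    ):
        print(f"{listing:<18} overlaps {prefix:<18} {reason}")
    print(dnsbl_query_name("192.0.2.17", "dnsbl.example"))
```

Run against a real dump and a real prefix list, this is a few seconds of batch work per list refresh; the inline form, by contrast, costs one DNS round trip per outbound SMTP connection and only answers for the one source IP in front of it.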
Current thread:
- Anyone from BT... Fergie (Jan 21)
- Re: Anyone from BT... Peter Corlett (Jan 22)
- Re: Anyone from BT... RL Vaughn (Jan 22)
- <Possible follow-ups>
- Re: Anyone from BT... Fergie (Jan 22)
- Re: Anyone from BT... michael.dillon (Jan 23)
- Re: Anyone from BT... Tony Finch (Jan 23)
- Re: Anyone from BT... Chris Edwards (Jan 23)
- Re: Anyone from BT... Tony Finch (Jan 23)
- Re: Anyone from BT... Tony Finch (Jan 23)
- Re: Anyone from BT... Peter Corlett (Jan 22)