Re: McColo: Are the 'Lights On" at Telia?

[Matthew Moyle-Croft <mmc () internode com au>]

Chris Lewis wrote:
> Matthew Moyle-Croft wrote:
>   
>
> The difficulty is that local blocking is only useful to block C&C
> communications from infected machine in _your_ netblock.  It doesn't at
> all stop inbound port 25 connections from infected machines elsewhere.
>   
Yeah - got it.  It's Sunday afternoon here ... I got all hopeful it 
might be easy.
> In some limited cases, you might see a benefit to blocking DNS queries
> from their netblocks.  Some "spam-by-compromised-machine" mechanisms
> have the C&C doing the MX lookups for the victims.  Mostly because the
> "compromised machine" is merely a proxy, and _can't_ do the MXes.  I
> doubt these BOTnet C&Cs do.  More efficient to have the BOTs themselves
> doing it.
>   
Actually, it's a pity the compromised machines don't do DNS - then you'd 
be able to do some interesting things with resolvers and looking for MX 
lookup abnormalities.


MMC

--
Matthew Moyle-Croft - Internode/Agile - Networks
Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
Email: mmc () internode com au  Web: http://www.on.net
Direct: +61-8-8228-2909             Mobile: +61-419-900-366
Reception: +61-8-8228-2999          Fax: +61-8-8235-6909