McColo: Are the 'Lights On" at Telia?
Matthew Moyle-Croft
mmc at internode.com.au
Sun Nov 16 05:15:17 UTC 2008
Chris Lewis wrote:
> Matthew Moyle-Croft wrote:
>
>
> The difficulty is that local blocking is only useful to block C&C
> communications from infected machine in _your_ netblock. It doesn't at
> all stop inbound port 25 connections from infected machines elsewhere.
>
Yeah - got it. It's Sunday afternoon here ... I got all hopeful it
might be easy.
> In some limited cases, you might see a benefit to blocking DNS queries
> from their netblocks. Some "spam-by-compromised-machine" mechanisms
> have the C&C doing the MX lookups for the victims. Mostly because the
> "compromised machine" is merely a proxy, and _can't_ do the MXes. I
> doubt these BOTnet C&Cs do. More efficient to have the BOTs themselves
> doing it.
>
Actually, it's a pity the compromised machines don't do DNS - then you'd
be able to do some interesting things with resolvers and looking for MX
lookup abnormalities.
MMC
--
Matthew Moyle-Croft - Internode/Agile - Networks
Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
Email: mmc at internode.com.au Web: http://www.on.net
Direct: +61-8-8228-2909 Mobile: +61-419-900-366
Reception: +61-8-8228-2999 Fax: +61-8-8235-6909
More information about the NANOG
mailing list