Anyone from BT...

Chris Edwards chris at
Tue Jan 23 15:32:07 UTC 2007

On Tue, 23 Jan 2007, Tony Finch wrote:

| Also
| (Google will give you an HTML version.)

Well spotted - interesting.

This is monitoring SMTP leaving their network, right ?

I guess the yellow line on the graphs ("invalid mail" - rejected inline by 
the dest mail server, for some reason) makes this somewhat related to 
Richard Clayton's "extrusion detection" work.  Difference being BT are 
monitoring direct->MX traffic.

Aside from the invalid mails, this article suggests they're mostly 
identifying spam by the source IP (ie. their customer's IP) being listed 
in a DNSBL.  So how come they need this super-duper real-time content 
scanning infrastructure ?  Why wouldn't they download the DNSBLs, and 
simply run an offline grep for entries in their own IP space ?

Oops - the redirection rules as stated (underneath figure 4) look 

  "Traffic from link A that will be routed out of link B, and has
   a source port of 25 is redirected to link C"

s/source/destination/  (and similar for the return rule).

More information about the NANOG mailing list