Anyone from BT...

Chris Edwards chris at eng.gla.ac.uk
Tue Jan 23 15:32:07 UTC 2007


On Tue, 23 Jan 2007, Tony Finch wrote:

| Also http://wesii.econinfosec.org/draft.php?paper_id=47
| (Google will give you an HTML version.)

Well spotted - interesting.

This is monitoring SMTP leaving their network, right?

I guess the yellow line on the graphs ("invalid mail" - rejected inline by 
the dest mail server, for some reason) makes this somewhat related to 
Richard Clayton's "extrusion detection" work.  Difference being BT are 
monitoring direct->MX traffic.

Aside from the invalid mails, this article suggests they're mostly 
identifying spam by the source IP (i.e. their customer's IP) being listed 
in a DNSBL.  So how come they need this super-duper real-time content 
scanning infrastructure?  Why wouldn't they download the DNSBLs, and 
simply run an offline grep for entries in their own IP space?


Oops - the redirection rules as stated (underneath figure 4) look 
backwards:

  "Traffic from link A that will be routed out of link B, and has
   a source port of 25 is redirected to link C"

s/source/destination/  (and similar for the return rule).

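As an added example (not code from this thread or from the BT paper), here is the offline check the message proposes: take a downloaded DNSBL export, parse it, and intersect it with your own address space. The export format (one IP or CIDR per line, `#` comments), the sample entries and the prefixes under `OWN_PREFIXES` are all constructed assumptions; real DNSBL exports differ in layout, so `parse_dnsbl_dump` is the piece to adapt. The check also handles the edge case where a DNSBL lists a block larger than one of your own prefixes, which means the whole prefix is listed.

```python
import ipaddress

# Constructed: the address space we operate (documentation ranges, not real customers).
OWN_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed DNSBL export: one IP or CIDR per line, '#' starts a comment.
DNSBL_DUMP = """\
# constructed DNSBL export, not a real list
203.0.113.7          # listed host outside our space
192.0.2.45           # single listed host inside our space
192.0.2.0/28         # a /28 of ours listed wholesale
198.51.100.200
not-an-ip            # malformed line, should be skipped
"""


def parse_dnsbl_dump(text):
    """Parse a DNSBL export into ip_network objects, skipping comments and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR (e.g. 192.0.2.45/24)
            entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry; a real tool would log it
    return entries


def listed_in_own_space(dnsbl_entries, own_prefixes):
    """Return (dnsbl_entry, own_prefix) pairs where the listing touches our space.

    A hit is either a listed host/block inside one of our prefixes, or a listed
    block that contains one of our prefixes entirely (the whole prefix is listed).
    """
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    hits = []
    for entry in dnsbl_entries:
        for prefix in own:
            if entry.version != prefix.version:
                continue
            if entry.subnet_of(prefix) or prefix.subnet_of(entry):
                hits.append((str(entry), str(prefix)))
                break
    return hits


def listed_address_count(hits):
    """Number of distinct addresses of ours that are covered by listings."""
    covered = set()
    for entry, prefix in hits:
        e, p = ipaddress.ip_network(entry), ipaddress.ip_network(prefix)
        # the part of our prefix that the listing covers
        block = e if e.subnet_of(p) else p
        covered.update(block.hosts() if block.prefixlen < block.max_prefixlen else [block.network_address])
    return len(covered)


if __name__ == "__main__":
    hits = listed_in_own_space(parse_dnsbl_dump(DNSBL_DUMP), OWN_PREFIXES)
    for entry, prefix in hits:
        print(f"{entry} is listed and falls within {prefix}")
    print(f"{listed_address_count(hits)} of our addresses are affected")
```

Running the script against the constructed dump reports the three listings that fall inside the two prefixes and ignores the out-of-space host and the malformed line. In practice you would feed it the export of each DNSBL you care about and diff successive runs to spot newly listed customer addresses, which is the cheap alternative to inline content scanning that the message has in mind.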