Anyone from BT...
Chris Edwards
chris at eng.gla.ac.uk
Tue Jan 23 15:32:07 UTC 2007
On Tue, 23 Jan 2007, Tony Finch wrote:
| Also http://wesii.econinfosec.org/draft.php?paper_id=47
| (Google will give you an HTML version.)
Well spotted - interesting.
This is monitoring SMTP leaving their network, right?
I guess the yellow line on the graphs ("invalid mail" - rejected inline by
the dest mail server, for some reason) makes this somewhat related to
Richard Clayton's "extrusion detection" work. Difference being BT are
monitoring direct->MX traffic.
Aside from the invalid mails, this article suggests they're mostly
identifying spam by the source IP (i.e. their customers' IP) being listed
in a DNSBL. So how come they need this super-duper real-time content
scanning infrastructure? Why wouldn't they download the DNSBLs, and
simply run an offline grep for entries in their own IP space?
Oops - the redirection rules as stated (underneath figure 4) look
backwards:
"Traffic from link A that will be routed out of link B, and has
a source port of 25 is redirected to link C"
s/source/destination/ (and similar for the return rule).
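The "download the DNSBLs and grep for entries in our own IP space" idea above, worked through as an added example (not code from this thread, from BT, or from the paper). The DNSBL zone name `dnsbl.example.`, the operator prefixes and the export text are all constructed here; the parser accepts the two export shapes commonly seen, reversed-octet zone records and flat IP/CIDR lines, which is an assumption about the feed format rather than anything the post specifies.

```python
"""Offline DNSBL check against an operator's own address space.

Added example, not code from the thread or from BT. All inputs are
constructed: a hypothetical zone name, hypothetical announced prefixes,
and a fake DNSBL export.
"""
import ipaddress

# Constructed: address blocks the operator announces (hypothetical ranges).
OWN_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample of a DNSBL export (not real data). Zone-style records
# list each address with reversed octets under the zone; flat lines list a
# plain address or CIDR block. Both shapes appear here on purpose.
SAMPLE_DNSBL_EXPORT = """\
; constructed DNSBL export (not real data)
10.2.0.192.dnsbl.example.    A    127.0.0.2
77.2.0.192.dnsbl.example.    A    127.0.0.3
203.0.113.9
198.51.100.0/26
9.100.51.198.dnsbl.example.  TXT  "listed"
"""


def parse_dnsbl_export(text, zone="dnsbl.example."):
    """Yield an ip_network for every listing in a DNSBL export.

    Zone records ("10.2.0.192.<zone> A 127.0.0.2") are un-reversed into
    a host address; flat lines are taken as an address or CIDR block.
    Comment (';' or '#') and blank lines are skipped, as are owner names
    that are not four octets under the zone (wildcards, SOA/NS records).
    """
    zone = zone.rstrip(".")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("#"):
            continue
        owner = line.split()[0].rstrip(".")
        if owner.endswith("." + zone):
            reversed_octets = owner[: -len(zone) - 1].split(".")
            if len(reversed_octets) != 4:
                continue
            candidate = ".".join(reversed(reversed_octets))
        else:
            candidate = owner
        try:
            yield ipaddress.ip_network(candidate, strict=False)
        except ValueError:
            continue  # record type we do not model (e.g. a bare hostname)


def listed_in_own_space(entries, own_prefixes):
    """Return sorted, de-duplicated listed networks that touch our space.

    Overlap rather than containment is tested so that a DNSBL block larger
    than one of our prefixes (a /22 covering our /24) is still reported.
    """
    hits = {e for e in entries if any(e.overlaps(p) for p in own_prefixes)}
    return sorted(hits, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def report(text=SAMPLE_DNSBL_EXPORT, own_prefixes=OWN_PREFIXES):
    """Run the offline check and return the hits as strings."""
    return [str(n) for n in listed_in_own_space(parse_dnsbl_export(text), own_prefixes)]


if __name__ == "__main__":
    for hit in report():
        print("listed in our space:", hit)
```

Running it over the constructed export reports the two `192.0.2.x` hosts, the `198.51.100.0/26` block and the host inside it, and ignores `203.0.113.9`, which is outside the operator's prefixes. This answers the narrower question the post raises, which of the operator's own addresses a DNSBL currently lists; it says nothing about the real-time detection the paper describes.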