[79382] in North American Network Operators' Group
Re: botted hosts
daemon@ATHENA.MIT.EDU (Tony Finch)
Tue Apr 5 06:04:00 2005
Date: Tue, 5 Apr 2005 11:03:14 +0100
From: Tony Finch <dot@dotat.at>
To: Dean Anderson <dean@av8.com>
Cc: Dave Rand <dlr@bungi.com>, Petri Helenius <pete@he.iki.fi>,
Nanog <nanog@nanog.org>
In-Reply-To: <Pine.LNX.4.44.0504041526560.9069-100000@localhost.localdomain>
Errors-To: owner-nanog@merit.edu
On Mon, 4 Apr 2005, Dean Anderson wrote:
>
> Err, not likely. SPF came out, and now bots can find the ISPs "closed
> relays" with very little trouble at all.
AFAIK bots use the MX of a parent domain of the infected machine's
hostname to find an outgoing relay, not SPF. This is based on an
incident I dealt with in September, and the Spamhaus article
http://www.spamhaus.org/news.lasso?article=158
Fortunately it isn't too hard to lock down MXs to incoming only.
Tony.
--
f.a.n.finch <dot@dotat.at> http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
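One way to make an MX "incoming only" as Tony suggests, as an added example that is not part of the original thread: a Postfix main.cf/master.cf fragment (Postfix itself is an assumption, the host names and the 192.0.2.0/24 customer range are constructed, and smtpd_relay_restrictions needs Postfix 2.10 or later, so the parameter names post-date the 2005 discussion). The weak setting trusts the whole customer network, which is precisely what a bot on an infected customer host relies on; the hardened form accepts port-25 mail only for the MX's own domains and moves authenticated outbound submission to port 587.

```ini
# ---- main.cf: the MX on port 25 accepts mail for its own domains only ----
# Constructed values: example.net is the ISP's domain, 192.0.2.0/24 stands
# for the customer address pool.

# Weak: trusting the customer range means any infected customer host may
# relay to arbitrary destinations through the MX (shown commented out).
# mynetworks = 127.0.0.0/8 192.0.2.0/24
# smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# Hardened: only the MX itself is "trusted", and no relaying on port 25.
myhostname = mx.example.net
mydestination = example.net, mx.example.net, localhost
# Relay for nobody beyond mydestination (empty on purpose).
relay_domains =
mynetworks = 127.0.0.0/8 [::1]/128
# No authenticated relaying on the MX port; submission lives on 587 below.
smtpd_sasl_auth_enable = no
# A recipient must be in mydestination or relay_domains, otherwise 554.
smtpd_relay_restrictions =
    reject_unauth_destination
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain,
    permit

# ---- master.cf: customers send outbound mail on 587 with credentials ----
# The relay function is separated from the MX and gated by SASL login,
# so a bot cannot use the parent domain's MX as its outgoing relay.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# Check the effective settings after reload:
#   postconf mynetworks relay_domains smtpd_relay_restrictions
```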