[79384] in North American Network Operators' Group
Re: botted hosts
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Tue Apr 5 08:24:36 2005
Date: Tue, 5 Apr 2005 17:54:06 +0530
From: Suresh Ramasubramanian <ops.lists@gmail.com>
Reply-To: Suresh Ramasubramanian <ops.lists@gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Dean Anderson <dean@av8.com>, Dave Rand <dlr@bungi.com>,
Petri Helenius <pete@he.iki.fi>, Nanog <nanog@nanog.org>
In-Reply-To: <Pine.LNX.4.60.0504051057470.17192@hermes-1.csi.cam.ac.uk>
Errors-To: owner-nanog@merit.edu
On Apr 5, 2005 3:33 PM, Tony Finch <dot@dotat.at> wrote:
>
> AFAIK bots use the MX of a parent domain of the infected machine's
> hostname to find an outgoing relay, not SPF. This is based on an
> incident I dealt with in September, and the Spamhaus article
> http://www.spamhaus.org/news.lasso?article=158
> Fortunately it isn't too hard to lock down MXs to incoming only.
>
Some bots do that. Others just grab the smtp server (and AUTH settings
if any) from your MUA - easier if it's Outlook / OE - and send using
that smarthost.
Just that when you have SMTP AUTH usernames in your logs, and virus
sign, it is quite easy to locate and lock down that user, or maybe use
your radius server to drop his login session, then restrict his next
login to a walled garden VLAN, or maybe cut it off altogether till the
issue is fixed.
--
Suresh Ramasubramanian (ops.lists@gmail.com)
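An added example, not from the thread: a small Python script that does the lookup Suresh describes, correlating sasl_username values in Postfix smtpd log lines to find the account worth locking down. The log lines, hostnames, addresses and the per-minute threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample Postfix smtpd lines (sasl_username is what the post calls
# "SMTP AUTH usernames in your logs"); not taken from the original thread.
SAMPLE_LOG = """\
Apr  5 12:00:01 mx1 postfix/smtpd[2101]: 1A2B3C: client=pc-1.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Apr  5 12:00:03 mx1 postfix/smtpd[2101]: 1A2B3D: client=pc-7.example.net[192.0.2.77], sasl_method=LOGIN, sasl_username=bob
Apr  5 12:00:04 mx1 postfix/smtpd[2101]: 1A2B3E: client=pc-7.example.net[192.0.2.77], sasl_method=LOGIN, sasl_username=bob
Apr  5 12:00:04 mx1 postfix/smtpd[2101]: 1A2B3F: client=pc-7.example.net[192.0.2.77], sasl_method=LOGIN, sasl_username=bob
Apr  5 12:00:05 mx1 postfix/smtpd[2101]: 1A2B40: client=pc-7.example.net[192.0.2.77], sasl_method=LOGIN, sasl_username=bob
Apr  5 12:00:05 mx1 postfix/smtpd[2101]: 1A2B41: client=pc-7.example.net[192.0.2.77], sasl_method=LOGIN, sasl_username=bob
Apr  5 12:00:06 mx1 postfix/smtpd[2101]: 1A2B42: client=pc-7.example.net[192.0.2.77], sasl_method=LOGIN, sasl_username=bob
Apr  5 12:00:09 mx1 postfix/smtpd[2101]: 1A2B43: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=alice
Apr  5 12:00:30 mx1 postfix/smtpd[2101]: 1A2B44: client=pc-3.example.net[192.0.2.30], sasl_method=LOGIN, sasl_username=carol
Apr  5 12:01:10 mx1 postfix/smtpd[2101]: 1A2B45: client=pc-1.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=(?P<host>\S+)\[(?P<ip>[\d.]+)\].*?sasl_username=(?P<user>\S+)"
)

def parse_auth_events(text):
    """Yield (user, ip, timestamp) for every authenticated submission."""
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("ts")

def find_suspect_users(text, max_per_minute=5):
    """Flag SASL users whose submission rate in any one minute exceeds the cap
    (a bot pumping mail through the MUA's smarthost) and users whose credentials
    were used from more than one client IP (credential reuse from another host).
    Returns {user: {"peak_per_minute": n, "ips": sorted list of client IPs}}."""
    per_minute = defaultdict(lambda: defaultdict(int))
    ips = defaultdict(set)
    for user, ip, ts in parse_auth_events(text):
        minute = ts[:-3]                # drop seconds -> one-minute bucket
        per_minute[user][minute] += 1
        ips[user].add(ip)
    suspects = {}
    for user in per_minute:
        peak = max(per_minute[user].values())
        if peak > max_per_minute or len(ips[user]) > 1:
            suspects[user] = {"peak_per_minute": peak, "ips": sorted(ips[user])}
    return suspects

if __name__ == "__main__":
    for user, info in find_suspect_users(SAMPLE_LOG).items():
        print(f"lock down {user}: peak {info['peak_per_minute']}/min from {info['ips']}")
```

The flagged usernames are what you would feed to the RADIUS disconnect or walled-garden step described in the post.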