[79394] in North American Network Operators' Group


Re: botted hosts

daemon@ATHENA.MIT.EDU (Dean Anderson)
Tue Apr 5 18:56:41 2005

Date: Tue, 5 Apr 2005 18:55:40 -0400 (EDT)
From: Dean Anderson <dean@av8.com>
To: Tony Finch <dot@dotat.at>
Cc: Dave Rand <dlr@bungi.com>, Petri Helenius <pete@he.iki.fi>,
	Nanog <nanog@nanog.org>
In-Reply-To: <Pine.LNX.4.60.0504051057470.17192@hermes-1.csi.cam.ac.uk>
Errors-To: owner-nanog@merit.edu


On Tue, 5 Apr 2005, Tony Finch wrote:

> On Mon, 4 Apr 2005, Dean Anderson wrote:
> >
> > Err, not likely. SPF came out, and now bots can find the ISPs' "closed
> > relays" with very little trouble at all.
> 
> AFAIK bots use the MX of a parent domain of the infected machine's
> hostname to find an outgoing relay, not SPF. This is based on an
> incident I dealt with in September, and the Spamhaus article
> http://www.spamhaus.org/news.lasso?article=158
> Fortunately it isn't too hard to lock down MXs to incoming only.

Yes. Many ISPs have MXs incoming only for reasons besides spam.

But SPF identifies _outgoing_ mailservers. Just what a bot needs.

		--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   


