Chris Lewis wrote:
Matthew Moyle-Croft wrote:
The difficulty is that local blocking is only useful to block C&C
communications from infected machine in _your_ netblock. It doesn't at
all stop inbound port 25 connections from infected machines elsewhere.
Yeah - got it. It's Sunday afternoon here ... I got all hopeful it
might be easy.
In some limited cases, you might see a benefit to blocking DNS queries
from their netblocks. Some "spam-by-compromised-machine" mechanisms
have the C&C doing the MX lookups for the victims. Mostly because the
"compromised machine" is merely a proxy, and _can't_ do the MXes. I
doubt these BOTnet C&Cs do. More efficient to have the BOTs themselves
doing it.
Actually, it's a pity the compromised machines don't do DNS - then you'd
be able to do some interesting things with resolvers and looking for MX
lookup abnormalities.
MMC
--
Matthew Moyle-Croft - Internode/Agile - Networks
Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
Email: [EMAIL PROTECTED] Web: http://www.on.net
Direct: +61-8-8228-2909 Mobile: +61-419-900-366
Reception: +61-8-8228-2999 Fax: +61-8-8235-6909
