Chris Lewis wrote:
Matthew Moyle-Croft wrote:
The difficulty is that local blocking is only useful to block C&C communications from infected machine in _your_ netblock. It doesn't at all stop inbound port 25 connections from infected machines elsewhere.
Yeah - got it. It's Sunday afternoon here ... I got all hopeful it might be easy.
In some limited cases, you might see a benefit to blocking DNS queries from their netblocks. Some "spam-by-compromised-machine" mechanisms have the C&C doing the MX lookups for the victims. Mostly because the "compromised machine" is merely a proxy, and _can't_ do the MXes. I doubt these BOTnet C&Cs do. More efficient to have the BOTs themselves doing it.
Actually, it's a pity the compromised machines don't do DNS - then you'd be able to do some interesting things with resolvers and looking for MX lookup abnormalities. MMC -- Matthew Moyle-Croft - Internode/Agile - Networks Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia Email: mmc@internode.com.au Web: http://www.on.net Direct: +61-8-8228-2909 Mobile: +61-419-900-366 Reception: +61-8-8228-2999 Fax: +61-8-8235-6909