On Tue, 23 Jan 2007, Tony Finch wrote:

| Also http://wesii.econinfosec.org/draft.php?paper_id=47
| (Google will give you an HTML version.)

Well spotted - interesting. This is monitoring SMTP leaving their network, right?

I guess the yellow line on the graphs ("invalid mail" - rejected inline by the dest mail server, for some reason) makes this somewhat related to Richard Clayton's "extrusion detection" work. Difference being BT are monitoring direct->MX traffic.

Aside from the invalid mails, this article suggests they're mostly identifying spam by the source IP (i.e. their customer's IP) being listed in a DNSBL. So how come they need this super-duper real-time content scanning infrastructure? Why wouldn't they download the DNSBLs, and simply run an offline grep for entries in their own IP space?

Oops - the redirection rules as stated (underneath figure 4) look backwards:

"Traffic from link A that will be routed out of link B, and has a source port of 25 is redirected to link C"

s/source/destination/ (and similar for the return rule).
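The offline check suggested in the message above, as an added example that is not part of the original post or the paper it discusses: it reads a downloaded DNSBL export (assumed format: one IPv4 address or CIDR per line, `#` comments) and reports every entry overlapping the operator's own prefixes. Both the prefixes and the export below are constructed sample data.

```python
import ipaddress

# Constructed sample: the operator's own address space (hypothetical prefixes).
OWN_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed sample of a downloaded DNSBL export, one IPv4 address or CIDR
# per line with optional "#" comments (assumed format, not any real list).
SAMPLE_DNSBL = """\
# example blocklist export (constructed)
192.0.2.17
203.0.113.9
198.51.100.0/26   # a whole block listed
192.0.2.200
10.0.0.1
not-an-address
"""

def parse_dnsbl(text):
    """Yield ip_network objects from the export, skipping blanks, comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # malformed entry: skip it rather than abort the whole scan

def listed_in_own_space(dnsbl_text, own_prefixes):
    """Return (listed_entry, own_prefix) pairs where a DNSBL entry overlaps our space.

    Overlap is checked in both directions, so a listed /26 inside our /24 is
    caught, and so is a listed /16 that swallows one of our /24s.
    """
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    hits = []
    for entry in parse_dnsbl(dnsbl_text):
        for prefix in own:
            if entry.version == prefix.version and entry.overlaps(prefix):
                hits.append((str(entry), str(prefix)))
    return hits

if __name__ == "__main__":
    for entry, prefix in listed_in_own_space(SAMPLE_DNSBL, OWN_PREFIXES):
        print(f"{entry} is listed and falls within our {prefix}")
```

This only works for lists that publish a downloadable zone; query-only DNSBLs would need a per-address DNS lookup instead.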