On Wed, Dec 08, 2010 at 07:43:52AM -0800, JC Dill wrote:
ISPs are not the source. The source is Microsoft. The source is their buggy OS that is easily compromised to enable the computers to be taken over as part of the botnet.
I often disagree vehemently with JC, but not this time. I've been studying bot-generated spam for most of the last decade, and to about 6 nines, it's all been from Windows boxes. (The rest? A smattering of "indeterminate" and various 'nix systems including MacOS.) The botnet problem is a Microsoft problem.

Now...whether the botnet problem will still be a Microsoft problem in 2015: can't say. Clearly attackers have plenty of reasons to attack other systems and in some cases, they'll be successful. But it appears that to date, the advantages they might accrue from owning a box running one of the superior operating systems are outweighed by the costs of the effort to do so. (With a few rare exceptions, of course.)

But you don't have to take my word for this. Turn on passive OS fingerprinting on your MXs and start recording data, including DNS and rDNS, putative sender, recipient, etc. Accumulate a couple years' worth and analyze.

This is why some rather effective defensive techniques (not just for spam) can be constructed by differentiating traffic based on the operating system of the host originating that traffic.

---rsk
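One way to carry out the analysis rsk describes, as an added example that is not from the thread: a small Python script that tallies spam and ham verdicts per OS family from connection records that pair a passive fingerprinter's OS guess with the MX's own metadata. The record format and the sample lines are constructed for this example and do not follow the output format of any particular fingerprinting tool; the per-family spam share and spam rate it reports are the figures a defender would use to decide how much weight the originating OS should carry in connection scoring.

```python
import re
from collections import defaultdict

# Constructed sample records, not real traffic. One line per inbound SMTP
# connection: timestamp, client IP, the passive fingerprinter's OS guess
# (family/version), rDNS, putative envelope sender, recipient, filter verdict.
SAMPLE_LOG = """\
2010-12-08T07:40:01 198.51.100.23 os=Windows/XP rdns=cpe-23.example.net from=bob@example.org to=alice@example.com verdict=spam
2010-12-08T07:40:09 198.51.100.77 os=Windows/7 rdns=cpe-77.example.net from=ann@example.org to=alice@example.com verdict=spam
2010-12-08T07:41:30 203.0.113.5 os=Linux/2.6 rdns=mx1.example.org from=ops@example.org to=alice@example.com verdict=ham
2010-12-08T07:42:12 198.51.100.90 os=Windows/XP rdns=cpe-90.example.net from=joe@example.org to=bob@example.com verdict=spam
2010-12-08T07:43:52 203.0.113.9 os=FreeBSD/8 rdns=lists.example.org from=list@example.org to=bob@example.com verdict=ham
2010-12-08T07:44:10 192.0.2.200 os=unknown rdns=NXDOMAIN from=x@example.org to=alice@example.com verdict=spam
2010-12-08T07:45:03 198.51.100.23 os=Windows/XP rdns=cpe-23.example.net from=sue@example.org to=bob@example.com verdict=spam
2010-12-08T07:46:44 203.0.113.5 os=Linux/2.6 rdns=mx1.example.org from=dev@example.org to=bob@example.com verdict=spam
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) os=(?P<os>\S+) rdns=(?P<rdns>\S+) "
    r"from=(?P<sender>\S+) to=(?P<rcpt>\S+) verdict=(?P<verdict>spam|ham)$"
)

def parse_records(text):
    """Parse the constructed format above; malformed lines are dropped, never guessed."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def tally_by_os(records):
    """Spam/ham counts per OS family ('Windows/XP' and 'Windows/7' both count as 'Windows')."""
    tally = defaultdict(lambda: {"spam": 0, "ham": 0})
    for r in records:
        tally[r["os"].split("/", 1)[0]][r["verdict"]] += 1
    return dict(tally)

def spam_share(tally):
    """Fraction of all spam attributable to each family (the 'N nines' figure)."""
    total = sum(b["spam"] for b in tally.values())
    return {fam: b["spam"] / total for fam, b in tally.items() if total}

def spam_rate(tally):
    """Fraction of a family's connections that were spam: a per-family prior
    a defender could feed into connection scoring or greylisting decisions."""
    return {fam: b["spam"] / (b["spam"] + b["ham"]) for fam, b in tally.items()}

if __name__ == "__main__":
    t = tally_by_os(parse_records(SAMPLE_LOG))
    for fam, share in sorted(spam_share(t).items(), key=lambda kv: -kv[1]):
        print(f"{fam:<8} spam={t[fam]['spam']} ham={t[fam]['ham']} share={share:.2f} rate={spam_rate(t)[fam]:.2f}")
```

On real data the tally should be keyed on distinct client hosts as well as connections, since a single chatty bot can otherwise dominate a family's figures.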