...on the list who might be able to comment on how they/you/BT is detecting downstream clients that are bot-infected, and how exactly you are dealing with them?
Unfortunately, the way you phrased that question is rather "journalistic" and in BT, as in most large companies, employees are forbidden from answering such questions without having the answers vetted by various Public Relations and Legal departments. Fortunately, published material is exempt from this rule so Googling for an article I found this: http://www.theregister.co.uk/2006/10/12/bt_spam_buster/ which contains the following: Using data from the system, BT's abuse team can cancel rogue accounts linked to spammers or add offending IP addresses to blacklists. The system also allows BT's admins to contact consumers whose compromised (zombie) PCs have unwittingly been made the part of the junk mail problem and provide advice on cleaning up their systems. Seems pretty clear to me. We take the issue of botnets very seriously and we have invested money into tools which automate some part of the process of identifying and removing bots. Just what was the point of your query? Do you have some issue with traffic emanating from BT's network? I admit that we are a rather large company with several rather widespread IP networks, nevertheless, a simple RIPE database query of "BT" does lead to more than one abuse contact and also lists several real people who you could contact directly if you need to coordinate activity. --Michael Dillon
On Tue, 23 Jan 2007, michael.dillon@bt.com wrote:
Also http://wesii.econinfosec.org/draft.php?paper_id=47 (Google will give you an HTML version.) Tony. -- f.a.n.finch <dot@dotat.at> http://dotat.at/ SHANNON: NORTHERLY 4 OR 5 INCREASING 6 OR 7, PERHAPS GALE 8 LATER. MODERATE OR ROUGH BECOMING VERY ROUGH. SHOWERS. GOOD.
On Tue, 23 Jan 2007, Tony Finch wrote: | Also http://wesii.econinfosec.org/draft.php?paper_id=47 | (Google will give you an HTML version.) Well spotted - interesting. This is monitoring SMTP leaving their network, right ? I guess the yellow line on the graphs ("invalid mail" - rejected inline by the dest mail server, for some reason) makes this somewhat related to Richard Clayton's "extrusion detection" work. Difference being BT are monitoring direct->MX traffic. Aside from the invalid mails, this article suggests they're mostly identifying spam by the source IP (ie. their customer's IP) being listed in a DNSBL. So how come they need this super-duper real-time content scanning infrastructure ? Why wouldn't they download the DNSBLs, and simply run an offline grep for entries in their own IP space ? Oops - the redirection rules as stated (underneath figure 4) look backwards: "Traffic from link A that will be routed out of link B, and has a source port of 25 is redirected to link C" s/source/destination/ (and similar for the return rule).
On Tue, 23 Jan 2007, Chris Edwards wrote:
Aside from the invalid mails, this article suggests they're mostly identifying spam by the source IP (ie. their customer's IP) being listed in a DNSBL. So how come they need this super-duper real-time content scanning infrastructure ? Why wouldn't they download the DNSBLs, and simply run an offline grep for entries in their own IP space ?
I understood from the article that they were just describing an early prototype and that they were planning to add content scanning checks later - see the "other spam detection techniques" section. Tony. -- f.a.n.finch <dot@dotat.at> http://dotat.at/ FAEROES: NORTHWEST VEERING NORTH 5 TO 7 OCCASIONALLY GALE 8, LATER DECREASING 3 OR 4. ROUGH OR VERY ROUGH. WINTRY SHOWERS. GOOD.
participants (3)
-
Chris Edwards -
michael.dillon@bt.com -
Tony Finch