North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: McColo: Are the 'Lights On" at Telia?

  • From: Matthew Moyle-Croft
  • Date: Sun Nov 16 00:15:41 2008

Chris Lewis wrote:
Matthew Moyle-Croft wrote:

The difficulty is that local blocking is only useful to block C&C
communications from infected machine in _your_ netblock. It doesn't at
all stop inbound port 25 connections from infected machines elsewhere.
Yeah - got it. It's Sunday afternoon here ... I got all hopeful it might be easy.
In some limited cases, you might see a benefit to blocking DNS queries
from their netblocks. Some "spam-by-compromised-machine" mechanisms
have the C&C doing the MX lookups for the victims. Mostly because the
"compromised machine" is merely a proxy, and _can't_ do the MXes. I
doubt these BOTnet C&Cs do. More efficient to have the BOTs themselves
doing it.
Actually, it's a pity the compromised machines don't do DNS - then you'd be able to do some interesting things with resolvers and looking for MX lookup abnormalities.


Matthew Moyle-Croft - Internode/Agile - Networks
Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
Email: [email protected]  Web:
Direct: +61-8-8228-2909		    Mobile: +61-419-900-366
Reception: +61-8-8228-2999          Fax: +61-8-8235-6909