Zombie Botnet

Community Veteran
Posts: 3,789
Registered: 08-06-2007

Zombie Botnet

Interesting article on El Reg found here
Some ISPs in the US are restricting accounts that are determined to be compromised - putting them into a 'sandbox' connection type and directing them towards virus scanners and malware scanners.
Does PN have any plans regarding this?
B.
40 REPLIES
paulby
Grafter
Posts: 1,619
Registered: 26-07-2007

Re: Zombie Botnet

I'm sure that Metronet used to do this too in the pre-PlusNet days.
James
Grafter
Posts: 21,036
Registered: 04-04-2007

Re: Zombie Botnet

They did.
Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: Zombie Botnet

I'd fully support moves like this - in a lot of cases I visit a clients house to "fix" their slow computer, only to find it absolutely infested with viruses and malware.
B.
James
Grafter
Posts: 21,036
Registered: 04-04-2007

Re: Zombie Botnet

With a userbase the size of Metronet's it was something doable.  All staff had (after training) access to the routers through which all end user traffic would pass and would be able to identify traffic being caused by viruses or trojans.
Identifying this for a userbase of 15-20,000 customers is considerably easier than for a userbase of 200,000!  It was generally very time consuming and often resulted in phonecalls to the tune of half an hour or so.
We're currently looking into doing something similar for customers that are sending out large quantities of email.
Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: Zombie Botnet

Quote from: James
We're currently looking into doing something similar for customers that are sending out large quantities of email.

I think that's a key point, actually.
I'm sure there are methods for detecting this on the Ellacoyas, and perhaps instigating a block on port 25 (except to the relay servers) until the customer has cleared the problem would go some way towards the "global spam problem"
If only all ISPs actually acted as responsibly ;)
B.
Simon_M
Grafter
Posts: 685
Registered: 05-04-2007

Re: Zombie Botnet

Plusnet have always claimed to be the experts at automated systems, so here's a chance to shine. I quite agree that it can't be a manual task, so can the user training to spot rogue traffic be codified into an automated process?
The response to the customer probably shouldn't be totally automated - the intervention of a human would certainly be called for before any serious action was taken, but an initial landing page for suspect connections would be a good idea, assuming that is technically possible without stopping further web browsing.
From Plusnet's point of view, bringing the problem to the customer's attention may promote the idea that Plusnet will now help the customer to sort the problem. While that is a nice idea, it's clearly not economic for Plusnet (i.e you & me, through our subscriptions) to carry the cost of technical support to compromised customers. If the phone calls only last half an hour, that sounds like a remarkably efficient fix to me.
A sensitively worded landing page, matched with a similar email, directing the customer to relevant Help & Support pages would seem to be the place to start. Failure to act after a reasonable period of time (to allow for holidays, business trips etc.) should lead to ever increasing restrictions. Ultimately, it will benefit the individual customer, the customer base in general & Plusnet itself.
You can promote this action as a benefit to the uninitiated, not as a limitation. Most customers will be only too pleased to have the problem flagged up to them, particularly if it is coupled with pointers towards the solution. But it must be made clear that it is the customer's responsibility to provide (& fund) the solution, to prevent unrealistic expectations being raised.
P.S. ... and then, not for the first time, you can flog your expertise to other ISPs. I suppose BT will expect it for free though these days. :)
[edit to add P.S.]
Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: Zombie Botnet

Well, I run a company mailserver here but route most of our mails through relay.plus.net anyway - instigating an outbound port 25 block except to relay.plus.net would be advisable
However, I do agree that there should be a consultation.  Anything on PUGIT regarding the "looking at it" that was mentioned earlier?
B.
fishter
Grafter
Posts: 78
Registered: 26-06-2007

Re: Zombie Botnet

Why do you need to send the mail from your own server?  Is it such a bother to send it via relay.plus.net?
Plusnet Staff
Posts: 12,169
Thanks: 18
Fixes: 1
Registered: 04-04-2007

Re: Zombie Botnet

Hi,
We have used the Ellacoyas in the past to detect PCs that were infected with viruses and malware with a good degree of success. It isn't exactly straightforward but it can work quite well. We can do it in a number of ways: we can analyse the traffic for certain patterns; lots of outbound mail can be a trigger (although of course it can also be legitimate), as can patterns of outbound mail. There are also worms (think Blaster or SQL Slammer types) that use certain ports or have certain signatures which can be identified.
There are plans to do more with this and be a bit more proactive. The things we might want to do is a topic I'm thinking about for a future blog post, which we can then use to get a debate going and develop the ideas.
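The "lots of outbound mail as a trigger" idea from the staff post above, and the "block port 25 except to the relay" suggestion earlier in the thread, as an added example that is not Plusnet's code nor anything run on the Ellacoyas. It works over constructed flow summaries (`<iso-timestamp> <src_ip> <dst_ip> <dst_port>`); the record layout, the relay address standing in for relay.plus.net, and the thresholds are all assumptions. It counts distinct remote SMTP hosts a customer contacts inside a sliding window, which is what distinguishes a bot delivering one message to each of hundreds of MXs from a customer hammering one server, and it ignores anything sent via the relay (exactly the traffic the port-25 policy would still allow).

```python
"""Spot customers sending mail directly to many remote SMTP servers.

Added example (not Plusnet's or any vendor's code). Records are constructed
flow summaries of the form "<iso-timestamp> <src_ip> <dst_ip> <dst_port>";
the field layout, the relay address and the thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMTP_PORT = 25
# Assumed address of the ISP's outbound relay (stand-in for relay.plus.net).
# Traffic to it is what a "port 25 block except to the relay" policy permits,
# so it is also what we do NOT count as suspicious.
RELAY_IPS = {"198.51.100.25"}


def parse_flow(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) from one record."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def would_be_blocked(dst_ip, dst_port):
    """Policy check: direct port-25 traffic to anything but the relay."""
    return dst_port == SMTP_PORT and dst_ip not in RELAY_IPS


def suspicious_senders(lines, window=timedelta(minutes=10), max_distinct_mx=20):
    """Map src_ip -> peak number of distinct remote SMTP hosts contacted
    inside any `window`, for sources exceeding `max_distinct_mx`.

    This is only a trigger: a legitimate mail server also talks to many
    MXs, so a human check has to follow before anything is restricted.
    """
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if not would_be_blocked(dst, dport):
            continue  # web traffic, or mail going via the relay: ignore
        per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) > max_distinct_mx:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def build_sample_flows():
    """Constructed sample: one bot, one relay user, one small mail server."""
    base = datetime(2008, 1, 10, 9, 0, 0)
    lines = []
    # 10.0.0.5: 30 distinct remote MXs in two minutes - bot-like
    for i in range(30):
        t = base + timedelta(seconds=4 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.{i + 1} 25")
    # 10.0.0.7: 40 messages, all through the relay - fine
    for i in range(40):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} 10.0.0.7 198.51.100.25 25")
    # 10.0.0.9: a small mail server reaching five hosts in five minutes - fine
    for i in range(5):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} 10.0.0.9 203.0.113.{100 + i} 25")
    # non-mail traffic, ignored
    lines.append(f"{base.isoformat()} 10.0.0.5 203.0.113.200 80")
    return lines


if __name__ == "__main__":
    for src, n in suspicious_senders(build_sample_flows()).items():
        print(f"{src}: {n} distinct SMTP destinations inside 10 minutes")
```

On the constructed sample only 10.0.0.5 is flagged; the relay user never enters the count at all, and the small mail server stays under the threshold. Tuning `max_distinct_mx` and `window` against real traffic, and separating business from residential products, is where the manual work the thread describes would still be needed.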
Community Gaffer
Posts: 13,428
Thanks: 1,187
Fixes: 92
Registered: 04-04-2007

Re: Zombie Botnet

Hi guys,
In no way automated but in a similar vein anyway...
I touched on some of the housekeeping we've been doing recently in the blog post I published late last week.
Each day we've been collating a list of customers who have been unintentionally spamming the relays. I've been personally contacting them to get to the bottom of their problems (which is normally virus/malware related or something to do with a misconfigured mail server).
Whilst good this doesn't catch the botnet generated traffic that gets sent directly from customers machines. I know we've collated information in the past on the heaviest users by email traffic but IIRC most of the customers we contacted had legitimate reasons for the volumes of traffic we were seeing.

Bob Pullen
Plusnet Product Team

Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: Zombie Botnet

Thanks for the response Dave,
I'd be interested in getting involved somehow - obviously there will be a different impact for business products over residential products which would need to be catered for (as raised by James_H for example).
However, I do think that as long as it can be automated *to some degree* then it could be another USP that PN can bring to the table.
I don't think anything as drastic as knocking someone's internet connection offline completely is required.  A certain amount of logic can be applied, and varying levels of redirection or information can be provided to the end user.
I think a reasonable point made above was to emphasise that PN aren't responsible for the 'cure' though.
B.
Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: Zombie Botnet

Quote from: James_H
Also, I don't see a strong argument for sending stuff via PN's servers.

Actually, that's very true.  The only reason I can think of is to ensure that mail is delivered - some spam filters will refuse mail direct from 'residential' or 'isp' netblocks.
Of course, guaranteeing mail is delivered via the PN relays could be called into question ;)
I'd be interested to hear the opinion of some residential customers actually - Those would likely be the first impacted by any sort of traffic management. 
B.
itsme
Grafter
Posts: 5,924
Thanks: 1
Registered: 07-04-2007

Re: Zombie Botnet

AOL refuse mail if it's not from an ISP, so I had to set up a rule to use relay.plus.net for AOL accounts. But PN servers do sometimes appear on blacklists; so far my mail server has not.
Community Veteran
Posts: 3,789
Registered: 08-06-2007

Re: Zombie Botnet

It does depend heavily on how the remote mail servers are configured.
For example, my SA configuration on postfix here gives a score of 0.9 for a mail originating from an IP in the sorbs.net dnsbl:
Quote
0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [xxx.xxx.xxx.xxx listed in dnsbl.sorbs.net]

sorbs.net basically contains lists of all 'dynamic' and 'residential' IP address blocks.
You can actually petition to remove a particular IP address from the list - however if you are using an ISP, your ip will generally be on the list from the word go.
However, AOL certainly *used* to block all mail originating directly from IPs in sorbs (or similar) checklists. 
B.
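The RCVD_IN_SORBS_DUL line quoted above is the result of a DNSBL lookup: the sender's IP is reversed, the zone name is appended, and the A record that comes back says which list the address is on. Here is that mechanism as an added example, not SpamAssassin's or SORBS's code. The resolver is injected so the block runs offline against constructed answers; the meaning assigned to the 127.0.0.10 answer (dynamic/DUL listing) is an assumption, and the 0.9 score is the one the post shows.

```python
"""Build a DNSBL query the way a SpamAssassin RBL rule does and score the hit.

Added example, not SpamAssassin's or SORBS's code. The resolver is injected
so the block runs offline; the SORBS return-code meaning below is an
assumption (127.0.0.10 taken as the DUL/dynamic listing), and the 0.9 score
is the one shown for RCVD_IN_SORBS_DUL in the post above.
"""
import ipaddress

SORBS_ZONE = "dnsbl.sorbs.net"
# Assumed: which 127.0.0.x answer from the SORBS aggregate zone means which list.
RULE_FOR_ANSWER = {"127.0.0.10": "RCVD_IN_SORBS_DUL"}
# Score per rule, mirroring the SA configuration quoted in the post.
RULE_SCORE = {"RCVD_IN_SORBS_DUL": 0.9}


def dnsbl_query_name(ip, zone=SORBS_ZONE):
    """'192.0.2.10' -> '10.2.0.192.dnsbl.sorbs.net' (octets reversed)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_sender_ip(ip, resolver, zone=SORBS_ZONE):
    """Return (rules_hit, score, unknown_answers).

    `resolver(name)` must return the list of A records for `name`, or an
    empty list when the name does not exist (NXDOMAIN), which is how a DNSBL
    says "not listed". Answers with no mapping are returned separately so a
    listing is never silently ignored.
    """
    answers = resolver(dnsbl_query_name(ip, zone))
    hits, unknown = [], []
    for a in answers:
        rule = RULE_FOR_ANSWER.get(a)
        if rule:
            hits.append(rule)
        else:
            unknown.append(a)
    score = round(sum(RULE_SCORE.get(r, 0.0) for r in hits), 2)
    return hits, score, unknown


# Constructed answers standing in for the real zone (sample data, not a real
# lookup): 192.0.2.10 is on the dynamic list, 192.0.2.30 returns an answer
# this block has no mapping for, everything else is unlisted.
SAMPLE_ZONE = {
    "10.2.0.192.dnsbl.sorbs.net": ["127.0.0.10"],
    "30.2.0.192.dnsbl.sorbs.net": ["127.0.0.6"],
}


def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])


def live_resolver(name):
    """Real lookup (not used by the offline demo): NXDOMAIN -> []."""
    import socket
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, check_sender_ip(ip, sample_resolver))
```

The practical point for anyone running their own mail server on a residential line: whether a 0.9 score or an outright reject comes back is entirely the receiving site's decision, so the same listing that SpamAssassin here treats as a mild hint can be a hard block elsewhere, which is why routing through the ISP relay for the stricter destinations is a common compromise.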