Zombie Botnet
Zombie Botnet
10-09-2007 10:44 AM
Some ISPs in the US are restricting accounts that are determined to be compromised, putting them into a 'sandbox' connection type and directing them towards virus scanners and malware scanners.
Does PN have any plans regarding this?
B.
Re: Zombie Botnet
10-09-2007 10:56 AM
Re: Zombie Botnet
10-09-2007 11:23 AM
Re: Zombie Botnet
10-09-2007 11:51 AM
B.
Re: Zombie Botnet
10-09-2007 11:58 AM
Identifying this for a userbase of 15-20,000 customers is considerably easier than for a userbase of 200,000! It was generally very time consuming and often resulted in phone calls to the tune of half an hour or so.
We're currently looking into doing something similar for customers that are sending out large quantities of email.
Re: Zombie Botnet
10-09-2007 12:14 PM
Quote from James: "We're currently looking into doing something similar for customers that are sending out large quantities of email."
I think that's a key point, actually.
I'm sure there are methods for detecting this on the Ellacoyas, and perhaps instigating a block on port 25 (except to the relay servers) until the customer has cleared the problem would go some way towards the "global spam problem".
If only all ISPs actually acted as responsibly.
B.
Re: Zombie Botnet
10-09-2007 12:31 PM
The response to the customer probably shouldn't be totally automated - the intervention of a human would certainly be called for before any serious action was taken, but an initial landing page for suspect connections would be a good idea, assuming that is technically possible without stopping further web browsing.
From Plusnet's point of view, bringing the problem to the customer's attention may promote the idea that Plusnet will now help the customer to sort the problem. While that is a nice idea, it's clearly not economic for Plusnet (i.e. you & me, through our subscriptions) to carry the cost of technical support to compromised customers. If the phone calls only last half an hour, that sounds like a remarkably efficient fix to me.
A sensitively worded landing page, matched with a similar email, directing the customer to relevant Help & Support pages would seem to be the place to start. Failure to act after a reasonable period of time - to allow for holidays, business trips etc, should lead to ever increasing restrictions. Ultimately, it will benefit the individual customer, the customer base in general & Plusnet itself.
You can promote this action as a benefit to the uninitiated, not as a limitation. Most customers will be only too pleased to have the problem flagged up to them, particularly if it is coupled with pointers towards the solution. But it must be made clear that it is the customer's responsibility to provide (& fund) the solution, to prevent unrealistic expectations being raised.
P.S. ... and then, not for the first time, you can flog your expertise to other ISPs. I suppose BT will expect it for free though these days.
[edit to add P.S.]
Re: Zombie Botnet
10-09-2007 12:57 PM
However, I do agree that there should be a consultation. Anything on PUGIT regarding the "looking at it" that was mentioned earlier?
B.
Re: Zombie Botnet
10-09-2007 1:35 PM
Re: Zombie Botnet
10-09-2007 1:37 PM
We have used the Ellacoyas in the past to detect PCs that were infected with viruses and malware with a good degree of success. It isn't exactly straightforward but it can work quite well. We can do it in a number of ways: we can analyse the traffic for certain patterns, lots of outbound mail can be a trigger (although of course it can also be legitimate) as well as patterns of outbound mail. There are also worms (think Blaster or SQL Slammer types) that use certain ports or have certain signatures which can be identified.
There are plans to do more with this and be a bit more proactive. The things we might want to do are something I'm thinking about for a future blog post, which we can then use to get a debate going and develop the ideas.
Enterprise Architect - Network & OSS
Plusnet Technology
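The detection approach in the post above (lots of outbound mail sent directly rather than via the ISP relay, plus the port signatures of worms like Blaster and SQL Slammer), as an added example in Python that is not Plusnet's Ellacoya configuration or any code from this thread. It runs over constructed flow records of the kind a traffic-management box exports; the customer range, relay address, sample traffic and thresholds are all assumptions.

```python
"""Flag customer lines whose outbound traffic looks like a spam bot or a
scanning worm, from flow records of the kind a traffic-management box
exports.  Added example; not Plusnet's Ellacoya configuration.  All flows,
addresses and thresholds below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: the ISP's outbound mail relays.  SMTP to these is the service
# being used as intended, so it is not counted as direct-to-MX traffic.
ISP_RELAYS = {ip_address("10.0.0.25")}

# Assumed threshold: a home PC opening SMTP sessions to this many distinct
# remote hosts in one window looks like a bot delivering straight to MXs.
DIRECT_SMTP_HOSTS_THRESHOLD = 20

# Port signatures of the worms named in the thread: Blaster exploits RPC DCOM
# over TCP/135 and then connects to the shell it opened on TCP/4444 of the
# new victim; SQL Slammer is a single UDP/1434 datagram.
WORM_PORTS = {
    ("tcp", 135): "blaster-scan",
    ("tcp", 4444): "blaster-shell",
    ("udp", 1434): "sql-slammer",
}
WORM_TARGET_THRESHOLD = 50  # assumed: distinct targets per worm port per window


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def classify(flows, customer_net):
    """Return {customer_ip: sorted verdict strings} for suspicious sources."""
    customer_net = ip_network(customer_net)
    smtp_targets = defaultdict(set)
    worm_targets = defaultdict(lambda: defaultdict(set))
    for f in flows:
        src = ip_address(f.src)
        if src not in customer_net:
            continue  # only judge our own customers' outbound traffic
        dst = ip_address(f.dst)
        if f.proto == "tcp" and f.dport == 25 and dst not in ISP_RELAYS:
            smtp_targets[src].add(dst)
        sig = WORM_PORTS.get((f.proto, f.dport))
        if sig:
            worm_targets[src][sig].add(dst)

    verdicts = defaultdict(list)
    for src, dsts in smtp_targets.items():
        if len(dsts) >= DIRECT_SMTP_HOSTS_THRESHOLD:
            verdicts[str(src)].append(f"direct-smtp:{len(dsts)} hosts")
    for src, sigs in worm_targets.items():
        for sig, dsts in sigs.items():
            if len(dsts) >= WORM_TARGET_THRESHOLD:
                verdicts[str(src)].append(f"{sig}:{len(dsts)} targets")
    return {ip: sorted(v) for ip, v in verdicts.items()}


def sample_flows():
    """Constructed traffic: a spam bot, a Blaster-infected PC, a normal user."""
    flows = []
    for i in range(40):   # 10.1.0.5 delivers directly to 40 remote MXs
        flows.append(Flow("10.1.0.5", f"198.51.100.{i}", "tcp", 25))
    for i in range(80):   # 10.1.0.6 sweeps 80 hosts on TCP/135
        flows.append(Flow("10.1.0.6", f"203.0.113.{i}", "tcp", 135))
    flows.append(Flow("10.1.0.7", "10.0.0.25", "tcp", 25))  # mail via the relay
    for i in range(30):   # 10.1.0.7 also just browses the web
        flows.append(Flow("10.1.0.7", f"192.0.2.{i}", "tcp", 80))
    return flows


if __name__ == "__main__":
    for ip, why in classify(sample_flows(), "10.1.0.0/16").items():
        print(ip, why)
```

Counting distinct destinations rather than raw packet or session volume is what separates a bot delivering straight to many MXs from a user sending a large mailshot through the relay. It still cannot tell a bot from a legitimate mail server on a business line, which is the caveat the post makes about outbound mail and the reason a person, not the classifier, should take any action.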
Re: Zombie Botnet
10-09-2007 1:37 PM
In no way automated but of a similar vein anyway...
I touched on some of the housekeeping we've been doing recently in the blog post I published late last week.
Each day we've been collating a list of customers who have been unintentionally spamming the relays. I've been personally contacting them to get to the bottom of their problems (which is normally virus/malware related or something to do with a misconfigured mail server).
Whilst good, this doesn't catch the botnet generated traffic that gets sent directly from customers' machines. I know we've collated information in the past on the heaviest users by email traffic but IIRC most of the customers we contacted had legitimate reasons for the volumes of traffic we were seeing.
Bob Pullen
Plusnet Product Team
Re: Zombie Botnet
10-09-2007 1:41 PM
I'd be interested in getting involved somehow - obviously there will be a different impact for business products over residential products which would need to be catered for (as raised by James_H for example).
However, I do think that as long as it can be automated *to some degree* then it could be another USP that PN can bring to the table.
I don't think anything as drastic as knocking someone's internet connection offline completely is required. A certain amount of logic can be applied, and varying levels of redirection or information can be provided to the end user.
I think a reasonable point made above was to emphasise that PN aren't responsible for the 'cure' though.
B.
Re: Zombie Botnet
10-09-2007 1:46 PM
Quote from James_H: "Also, I don't see a strong argument for sending stuff via PN's servers."
Actually, that's very true. The only reason I can think of is to ensure that mail is delivered - some spam filters will refuse mail direct from 'residential' or 'isp' netblocks.
Of course, guaranteeing mail is delivered via the PN relays could be called into question.
I'd be interested to hear the opinion of some residential customers actually - Those would likely be the first impacted by any sort of traffic management.
B.
Re: Zombie Botnet
10-09-2007 2:04 PM
Re: Zombie Botnet
10-09-2007 2:37 PM
For example, my SA configuration on postfix here gives a score of 0.9 for a mail originating from an IP in the sorbs.net dnsbl:
0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[xxx.xxx.xxx.xxx listed in dnsbl.sorbs.net]
sorbs.net basically contains lists of all 'dynamic' and 'residential' IP address blocks.
You can actually petition to remove a particular IP address from the list - however if you are using an ISP, your ip will generally be on the list from the word go.
However, AOL certainly *used* to block all mail originating directly from IPs in sorbs (or similar) checklists.
B.
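How the RCVD_IN_SORBS_DUL hit above arises on the receiving side, as an added Python example that is not the poster's Postfix or SpamAssassin setup. It builds the reversed-octet DNSBL query name and scores the answer the way an RBL rule does; the DNS lookup is replaced by a constructed in-memory zone so it runs offline, and the 127.0.0.10 answer code for the SORBS DUL list, the listed and relay addresses, and the other rule scores are assumptions.

```python
"""Receiver-side DNSBL check behind a rule like RCVD_IN_SORBS_DUL.
Added example; not the poster's Postfix/SpamAssassin setup.  DNS is
replaced by a constructed in-memory zone so this runs offline; the SORBS
DUL answer code, listed addresses and scores are assumptions."""
from ipaddress import IPv4Address

DNSBL_ZONE = "dnsbl.sorbs.net"
DUL_CODE = IPv4Address("127.0.0.10")  # assumed: SORBS answer code for the DUL list
RULE_SCORE_DUL = 0.9                  # the score quoted in the post above
REQUIRED_SCORE = 5.0                  # SpamAssassin's default required_score


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """192.0.2.77 -> 77.2.0.192.dnsbl.sorbs.net: octets reversed, zone appended."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed zone: a home user's dynamic address is listed as DUL; the ISP
# relay's address (assumed 10.0.0.25) is absent, which a real resolver
# reports as NXDOMAIN.
FAKE_ZONE = {
    dnsbl_query_name("192.0.2.77"): ["127.0.0.10"],
}


def fake_resolve(name):
    """Stand-in for an A-record lookup; [] plays the role of NXDOMAIN."""
    return FAKE_ZONE.get(name, [])


def dnsbl_codes(ip, resolve=fake_resolve):
    """All 127.0.0.x answer codes the list returns for ip (empty if unlisted)."""
    return {IPv4Address(a) for a in resolve(dnsbl_query_name(ip))}


def score_connection(connecting_ip, other_rule_scores=(), resolve=fake_resolve):
    """Apply the DUL rule to the SMTP client's IP and combine it with scores
    already earned by other rules, as SpamAssassin sums rule hits."""
    hits = {}
    if DUL_CODE in dnsbl_codes(connecting_ip, resolve):
        hits["RCVD_IN_SORBS_DUL"] = RULE_SCORE_DUL
    total = sum(hits.values()) + sum(other_rule_scores)
    return {"hits": hits, "score": round(total, 1), "spam": total >= REQUIRED_SCORE}


if __name__ == "__main__":
    print(score_connection("192.0.2.77"))          # DUL hit, score 0.9, not spam
    print(score_connection("192.0.2.77", (4.2,)))  # DUL tips it over 5.0
    print(score_connection("10.0.0.25"))           # relay: unlisted, score 0.0
```

On its own the 0.9 is well short of the 5.0 threshold, so a DUL listing only tips mail that other rules have already made borderline; the same message handed to the ISP relay leaves from an unlisted address and never earns the hit, which is the delivery argument for using the relays made earlier in the thread. A real SpamAssassin applies this check to the last untrusted hop taken from the Received headers, and some sites reject at SMTP time on the DNSBL answer alone rather than scoring it.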