[Discussion] The approach to detect proxybots

Michael Scheidell scheidell at secnap.net
Sat May 30 17:49:46 UTC 2009



Nick Rogness wrote:
> This is an intersting approach.  I don't know how probablistic the delays will be however.  Most isp's will deliberately slow mail connects in the network to act as a sort of tarpit for spam farming.  I know we do at least and have talked with others about it as well. This may be in transit or at the actual mail server.  
>
> Additionally, with spammers, they are clever little SOBs.  Once you have this detection working, they will change the botnet code to react differently to avoid detection.
>
> Nonetheless, one could increase the probability of detection with a significantly higher sampling...whether using information from other sensors in one network or from other sensors in other networks.  A network of OISF sensors independently distributed across the internet would be useful for these types of detections and other like it via some sort of feedback system.  
>
> I still think it would be worth investigating as one of many ways to detect these botnets.  If you have some code to test I'll put it on our ISP network to see how well it works.
>
>
>   

we run a managed anti-spam service, as well as sell appliances, and, 
yes, we do funky things with delays in between helo and data session.

I would not count on any 'accident' but RFC compliant behavior.

p0f is still a good source of passive os detection, and from the smtp 
side, why do I want windows 95 machines running smtp servers :-)?

you might want to get with Lawrence Baldwin (mynetwatchman) he has some 
interesting data on DNS lookup timing and zombies.

in fact, he might be a good one to get involved in this project


-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 > *| *SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008


_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/discussion/attachments/20090530/b81e4122/attachment-0002.html>


More information about the Discussion mailing list