[Discussion] The approach to detect proxybots

Gurvinder Singh gurvinde at stud.ntnu.no
Sat May 30 18:29:04 UTC 2009


Michael Scheidell wrote:
>
>
> Nick Rogness wrote:
>> This is an interesting approach.  I don't know how probabilistic the delays will be however.  Most ISPs will deliberately slow mail connects in the network to act as a sort of tarpit for spam farming.  I know we do at least and have talked with others about it as well. This may be in transit or at the actual mail server.
>>
>> Additionally, with spammers, they are clever little SOBs.  Once you have this detection working, they will change the botnet code to react differently to avoid detection.
>>
>> Nonetheless, one could increase the probability of detection with a significantly higher sampling... whether using information from other sensors in one network or from other sensors in other networks.  A network of OISF sensors independently distributed across the internet would be useful for these types of detections and others like it via some sort of feedback system.
>>
>> I still think it would be worth investigating as one of many ways to detect these botnets.  If you have some code to test I'll put it on our ISP network to see how well it works.
>>
>>
>>   
>
> we run a managed anti-spam service, as well as sell appliances, and, 
> yes, we do funky things with delays in between helo and data session.
There is a possibility to detect use of proxybots based on the inter-arrival 
packet time of data packets. This will add up to have a small 
false negative rate :)
>
> I would not count on any 'accident' but RFC compliant behavior.
>
> p0f is still a good source of passive OS detection, and from the SMTP 
> side, why do I want Windows 95 machines running SMTP servers :-)?
> you might want to get with Lawrence Baldwin (mynetwatchman) he has 
> some interesting data on DNS lookup timing and zombies.
>
Will it be possible for me to get access to data from proxybots? It 
would be great for me, as I am planning to write a paper and it will 
help me to provide proof from real world data, not just from the lab :P
> in fact, he might be a good one to get involved in this project
>
>
> -- 
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
> SECNAP Network Security Corporation
>
>     * Certified SNORT Integrator
>     * 2008-9 Hot Company Award Winner, World Executive Alliance
>     * Five-Star Partner Program 2009, VARBusiness
>     * Best Anti-Spam Product 2008, Network Products Guide
>     * King of Spam Filters, SC Magazine 2008
>
>