[svlug] botnets
John Conover
conover at rahul.net
Mon Jan 8 10:55:42 PST 2007
Joe Buck writes:
>
> Example: it used to be that ordinary users routed their mail through
> their ISP, while spammers and spambots did SMTP connections directly to
> their victims, or via open relay sites. So we got black-hole lists and
> told everyone they had to route mail through their ISPs or with
> authenticated SMTP connections. Now the spambots typically route their
> mail through the ISP's SMTP connection just like the machine owner's
> regular mail. You can't block this without blocking the user's ability
> to send mail.
>
If a Linux router is used to relay email for a SOHO, the *_rate_* of
email being generated can be detected automatically, and used to
dynamically generate an iptables rule to block smtp connections from
an offending machine. Also, smtp connections to other than the
legitimate email relay should be blocked, (and probably detected by
tcpdump(8), too, which will detect a lot of malware running on the
network; it has a simple filter rules file to filter out normal
connectivity stuff.) See the --limit stuff in iptables for
particulars.
FWIW ...
John
--
John Conover, conover at rahul.net, http://www.johncon.com/
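The following script is an added illustration of the approach John describes, not code from the thread or from any SVLUG member: a SOHO Linux router ruleset that (1) lets LAN hosts reach only the legitimate relay on tcp/25, at a bounded rate of new connections via the iptables `limit` match, (2) logs and drops everything else on tcp/25, and (3) parses the resulting kernel log lines to block repeat offenders with a dynamically inserted rule. Every concrete value is an assumption chosen for the example: LAN interface `eth1`, LAN subnet `192.168.1.0/24`, relay `192.0.2.25`, the `SMTP-DENY:` log prefix, the rate and threshold numbers, and the constructed sample log lines. Rules are printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the svlug thread): rate-limited SMTP relaying on a
# SOHO Linux router plus log-driven blocking of hosts that keep hitting the limit.
# All addresses, names and numbers below are assumptions for illustration.

LAN_IF="${LAN_IF:-eth1}"               # assumed interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN subnet
RELAY="${RELAY:-192.0.2.25}"           # assumed legitimate SMTP relay (ISP smarthost)
LIMIT="${LIMIT:-20/hour}"              # sustained rate of new SMTP connections allowed
BURST="${BURST:-10}"                   # burst allowance on top of LIMIT
THRESHOLD="${THRESHOLD:-3}"            # denied attempts in the log before a host is blocked

# Run the command for real when APPLY=1, otherwise just print it (dry run).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# FORWARD-chain rules for SMTP (tcp/25) originating on the LAN.
smtp_rules() {
    # 1. New connections from the LAN to the legitimate relay are accepted only
    #    while they stay under LIMIT (with BURST slack); the rest fall through.
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d "$RELAY" -p tcp --dport 25 \
        -m conntrack --ctstate NEW -m limit --limit "$LIMIT" --limit-burst "$BURST" -j ACCEPT
    # 2. Everything else on tcp/25 (over-limit to the relay, or direct-to-MX
    #    traffic that a spambot would generate) is logged, itself rate-limited so
    #    the log cannot be flooded, and then dropped.
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 25 -m conntrack --ctstate NEW \
        -m limit --limit 6/min -j LOG --log-prefix "SMTP-DENY: "
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 25 -j DROP
}

# Read syslog/kern.log lines on stdin; print each LAN source address that
# produced at least THRESHOLD "SMTP-DENY:" entries (one address per line).
offenders() {
    grep 'SMTP-DENY: ' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c |
        awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# Insert a DROP for one host at the top of FORWARD so it is cut off outright.
block_host() {
    run iptables -I FORWARD 1 -i "$LAN_IF" -s "$1" -p tcp --dport 25 -j DROP
}

# Constructed sample log: three denied attempts from .23 (direct-to-MX to
# three different destinations), one from .40, and an unrelated kernel line.
SAMPLE_LOG='Jan  8 10:55:42 router kernel: SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=25
Jan  8 10:55:43 router kernel: SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.8 PROTO=TCP SPT=51235 DPT=25
Jan  8 10:55:44 router kernel: SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=51236 DPT=25
Jan  8 10:56:01 router kernel: SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=192.0.2.25 PROTO=TCP SPT=40001 DPT=25
Jan  8 10:56:02 router kernel: eth0: link is up'

if [ "${1:-}" = "sweep" ]; then
    # Cron mode: scan the real kernel log and block repeat offenders.
    offenders < /var/log/kern.log | while read -r host; do block_host "$host"; done
else
    smtp_rules
    echo "--- hosts that would be blocked from the constructed sample log:"
    printf '%s\n' "$SAMPLE_LOG" | offenders
fi
```

Running the script with no arguments prints the three static rules and reports `192.168.1.23` as the only host over the threshold; `APPLY=1 ./smtp-guard.sh` installs the rules, and `APPLY=1 ./smtp-guard.sh sweep` from cron performs the dynamic blocking John mentions. Note that `-m limit` keeps one shared token bucket for the whole LAN, so a busy legitimate host and a bot draw on the same budget; the per-source-address variant is `-m hashlimit --hashlimit-mode srcip`, which gives each LAN host its own bucket and is what you would substitute once the shared limit proves too coarse.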