To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Hi,

How can I help?

During spring of 2004, I deployed my first massive spam reporting system. I had a very reliable "spam source": old email addresses from a lot of my former users, targeted by lots and lots of spammers. I took advantage of this wonderful, reliable spam source to feed it into a really cool automated spam reporting system. Its purpose was to immediately flag and identify a spam bot, and get this information to the ISP hosting that IP address within just a few minutes. The ISPs would then have to take whatever action they need to shut it down.

In the beginning, as I developed my extensive CIDR --> Abuse Email converter, it became easier and easier. This is a large database of CIDRs which generate the proper "abuse" email. Whois servers have to be queried to obtain a lot of this information (which became somewhat of a problem). The program was smart enough to merge adjacent CIDRs --> i.e. 123.45.12/24 and 123.45.13/24 into 123.45.12/23. It got to the point where I was identifying about 25,000 spambots per day.

The effectiveness of this system relies wholly on the ISPs hosting the IP blocks and the IP registrars (for providing up-to-date whois information), and these two "subsystems" just happen to be a weakness. Most ISPs I've had to deal with are not equipped for handling large volumes of abuse complaints effectively. Several more progressive ones agreed to receive my reports in CSV form, which streamlined their operations. From the time a spam came in, we were able to have that infected host shut off within 10 mins. ARIN, APNIC and other IP block management organizations are also a big problem. Their databases are outdated, and their response to this issue has been lacking and uncooperative. The overall effect of this experiment shut down 750,000 (estimated) hosts per month (if I'm to believe the ISPs).

This is a highly database-driven system, but it's been invaluable in correlating IP addresses with known spam-controlling IRC servers by logging the IP addresses of those connecting to them. If an IP address just happens to fall within a known IRC server's IP block, an instant flag is raised.

I'm interested in sharing my experience and some code I wrote for this system (Python/PyGreSQL). I'm constantly refining my design, but I need a little more information on how some new techniques are being deployed to track down these scum. They are like cockroaches... you can't get rid of them, but let's build them a "roach motel" :-)

John

_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
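The CIDR-to-abuse-contact table John describes (adjacent-block merging, then matching a spam source IP to its block and flagging it if it sits in a known IRC C&C range), as an added example in Python; this is not John's code, and the contact addresses and IRC block below are constructed placeholders, not real ISPs or servers.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample table: CIDR block -> abuse contact (placeholder values).
# Note: ipaddress needs the full dotted quad, so 123.45.12/24 is written 123.45.12.0/24.
ABUSE_CONTACTS: Dict[str, str] = {
    "123.45.12.0/24": "abuse@isp-a.example",
    "123.45.13.0/24": "abuse@isp-a.example",
    "198.51.100.0/24": "abuse@isp-b.example",
}

# Constructed: address block of a known spam-controlling IRC server (placeholder).
KNOWN_IRC_BLOCKS = [ipaddress.ip_network("203.0.113.0/26")]


def merge_adjacent(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent/overlapping blocks, e.g. 123.45.12.0/24 + 123.45.13.0/24 -> 123.45.12.0/23.
    Only blocks aligned on the larger prefix merge; 123.45.11.0/24 + 123.45.12.0/24 stay separate."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def build_table(contacts: Dict[str, str]) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Group blocks by contact before merging, so blocks delegated to different ISPs
    are never collapsed into one. Result is sorted longest prefix first."""
    by_contact: Dict[str, List[str]] = {}
    for cidr, contact in contacts.items():
        by_contact.setdefault(contact, []).append(cidr)
    table = [(net, contact) for contact, cidrs in by_contact.items() for net in merge_adjacent(cidrs)]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)  # most specific delegation wins
    return table


def lookup_abuse(ip: str, table: List[Tuple[ipaddress.IPv4Network, str]]) -> Optional[str]:
    """Longest-prefix match of a spam source IP to its abuse contact; None means fall back to whois."""
    addr = ipaddress.ip_address(ip)
    for net, contact in table:
        if addr in net:
            return contact
    return None


def classify(ip: str, table: List[Tuple[ipaddress.IPv4Network, str]]) -> dict:
    """One spam source IP -> abuse contact, plus the instant flag when it falls in a known IRC block."""
    addr = ipaddress.ip_address(ip)
    return {
        "ip": ip,
        "abuse": lookup_abuse(ip, table),
        "irc_flag": any(addr in block for block in KNOWN_IRC_BLOCKS),
    }
```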
