Re: Anyone from BT...

2007-01-23 Thread michael.dillon

> ...on the list who might be able to comment on how they/you/BT is
> detecting downstream clients that are bot-infected, and how exactly
> you are dealing with them?

Unfortunately, the way you phrased that question is 
rather journalistic and in BT, as in most large companies, 
employees are forbidden from answering such questions without 
having the answers vetted by various Public Relations 
and Legal departments.

Fortunately, published material is exempt from this rule, 
so Googling for an article, I found this:
http://www.theregister.co.uk/2006/10/12/bt_spam_buster/
which contains the following:

Using data from the system, BT's abuse team can cancel 
rogue accounts linked to spammers or add offending 
IP addresses to blacklists.

The system also allows BT's admins to contact consumers 
whose compromised (zombie) PCs have unwittingly been 
made the part of the junk mail problem and provide advice
on cleaning up their systems. 

Seems pretty clear to me. We take the issue of botnets very
seriously and we have invested money into tools which automate
some part of the process of identifying and removing bots.
Just what was the point of your query? Do you have some issue with 
traffic emanating from BT's network? 

I admit that we are a rather large company with several
rather widespread IP networks; nevertheless, a simple
RIPE database query for BT does lead to more than one 
abuse contact and also lists several real people whom 
you could contact directly if you need to coordinate activity. 

--Michael Dillon



Re: Anyone from BT...

2007-01-23 Thread Tony Finch

On Tue, 23 Jan 2007, [EMAIL PROTECTED] wrote:

> http://www.theregister.co.uk/2006/10/12/bt_spam_buster/

Also http://wesii.econinfosec.org/draft.php?paper_id=47
(Google will give you an HTML version.)

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
SHANNON: NORTHERLY 4 OR 5 INCREASING 6 OR 7, PERHAPS GALE 8 LATER. MODERATE OR
ROUGH BECOMING VERY ROUGH. SHOWERS. GOOD.


Re: Anyone from BT...

2007-01-23 Thread Chris Edwards

On Tue, 23 Jan 2007, Tony Finch wrote:

| Also http://wesii.econinfosec.org/draft.php?paper_id=47
| (Google will give you an HTML version.)

Well spotted - interesting.

This is monitoring SMTP leaving their network, right?

I guess the yellow line on the graphs (invalid mail - rejected inline by 
the dest mail server, for some reason) makes this somewhat related to 
Richard Clayton's extrusion detection work.  Difference being BT are 
monitoring direct-MX traffic.

Aside from the invalid mails, this article suggests they're mostly 
identifying spam by the source IP (i.e. their customer's IP) being listed 
in a DNSBL.  So how come they need this super-duper real-time content 
scanning infrastructure?  Why wouldn't they download the DNSBLs, and 
simply run an offline grep for entries in their own IP space?


Oops - the redirection rules as stated (underneath figure 4) look 
backwards:

  Traffic from link A that will be routed out of link B, and has
   a source port of 25 is redirected to link C

s/source/destination/  (and similar for the return rule).
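The offline check Chris describes above (intersect a downloaded DNSBL with your own address space) as a worked example. This is added here and is not code from the thread, from BT, or from the paper; the dump format (one IPv4 address or CIDR per line, `#` comments, an optional `:value` suffix, roughly the shape of an rbldnsd ip4set file), the sample entries and the "own" prefixes are all constructed for the example. It goes slightly beyond a plain grep: it handles listed CIDR blocks that straddle an allocation, not just exact address matches, and it refuses to enumerate a very large listed block rather than dumping tens of thousands of customer addresses on the abuse desk.

```python
"""Offline DNSBL-vs-own-address-space check (added example, not from the
thread).  Dump format, sample data and prefixes are assumptions."""
import ipaddress
from typing import Iterable, Iterator, List, Set, Tuple

# Constructed sample dump: one IPv4 address or CIDR per line, '#' comments,
# optional ':value' field.  Real DNSBL dumps may use a different layout.
SAMPLE_DNSBL_DUMP = """\
# constructed sample, shaped like an rbldnsd ip4set file
203.0.113.7
203.0.113.42      :127.0.0.2:listed in a sample zone
198.51.100.0/25
192.0.2.200
not-an-address
"""

# Constructed "own" allocations, the sort of thing you would copy out of a
# RIPE inetnum/route query for the operator in question.
OWN_PREFIXES = ["203.0.113.0/24", "198.51.100.64/26"]


def parse_dnsbl_dump(text: str) -> Iterator[ipaddress._BaseNetwork]:
    """Yield ip_network objects from a dump; skip blanks, comments and
    malformed entries (a production job should log the latter)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token = line.split(":", 1)[0].strip()
        try:
            yield ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue


def listed_in_own_space(dump_text: str,
                        own_prefixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return sorted (listed_entry, own_prefix) pairs where a DNSBL entry
    overlaps one of our prefixes.  Overlap rather than containment, so a
    listed /25 that straddles our /26 is still reported."""
    own = [ipaddress.ip_network(p, strict=False) for p in own_prefixes]
    hits = set()
    for entry in parse_dnsbl_dump(dump_text):
        for prefix in own:
            if entry.version == prefix.version and entry.overlaps(prefix):
                hits.add((str(entry), str(prefix)))
    return sorted(hits)


def listed_customer_addresses(dump_text: str, own_prefixes: Iterable[str],
                              max_expand: int = 1 << 16) -> Set[str]:
    """Expand the hits into individual addresses inside our space, i.e. the
    customers the abuse team would contact."""
    addrs: Set[str] = set()
    for entry_s, prefix_s in listed_in_own_space(dump_text, own_prefixes):
        entry = ipaddress.ip_network(entry_s)
        prefix = ipaddress.ip_network(prefix_s)
        # Two CIDR blocks that overlap are nested, so their intersection is
        # whichever has the longer prefix (the smaller block).
        common = entry if entry.prefixlen >= prefix.prefixlen else prefix
        if common.num_addresses > max_expand:
            # A whole large block of ours is listed: that is an escalation,
            # not a per-customer cleanup, so do not enumerate it here.
            continue
        addrs.update(str(a) for a in common)
    return addrs


if __name__ == "__main__":
    for entry, prefix in listed_in_own_space(SAMPLE_DNSBL_DUMP, OWN_PREFIXES):
        print(f"listed {entry} falls in our {prefix}")
    print(len(listed_customer_addresses(SAMPLE_DNSBL_DUMP, OWN_PREFIXES)),
          "customer addresses to follow up")
```

With the constructed data this reports the two single addresses in 203.0.113.0/24 and the listed 198.51.100.0/25 overlapping the 198.51.100.64/26 allocation (64 addresses of ours, not the whole /25). What the batch approach cannot do is what the paper's inline tap can: catch a customer before any list operator has noticed it, which is presumably why the real-time path exists alongside the list lookups.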




Re: Anyone from BT...

2007-01-23 Thread Tony Finch

On Tue, 23 Jan 2007, Chris Edwards wrote:

 Aside from the invalid mails, this article suggests they're mostly
 identifying spam by the source IP (ie. their customer's IP) being listed
 in a DNSBL.  So how come they need this super-duper real-time content
 scanning infrastructure ?  Why wouldn't they download the DNSBLs, and
 simply run an offline grep for entries in their own IP space ?

I understood from the article that they were just describing an early
prototype and that they were planning to add content scanning checks
later - see the other spam detection techniques section.

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
FAEROES: NORTHWEST VEERING NORTH 5 TO 7 OCCASIONALLY GALE 8, LATER DECREASING
3 OR 4. ROUGH OR VERY ROUGH. WINTRY SHOWERS. GOOD.


Re: Anyone from BT...

2007-01-22 Thread Peter Corlett

On Mon, Jan 22, 2007 at 04:09:48AM +, Fergie wrote:
> ...on the list who might be able to comment on how they/you/BT is
> detecting downstream clients that are bot-infected, and how exactly you
> are dealing with them?

Which bit of BT? They've got their fingers in quite a lot of pies, and the
Clue level varies wildly.

Although given you've asked that question, I suspect that you're enquiring
about their retail Internet offerings, and my impression is that they don't
bother to check for or deal with infected hosts.



Re: Anyone from BT...

2007-01-22 Thread RL Vaughn

Peter Corlett wrote:
> On Mon, Jan 22, 2007 at 04:09:48AM +, Fergie wrote:
> > ...on the list who might be able to comment on how they/you/BT is
> > detecting downstream clients that are bot-infected, and how exactly you
> > are dealing with them?
> 
> Which bit of BT? They've got their fingers in quite a lot of pies, and the
> Clue level varies wildly.
> 
> Although given you've asked that question, I suspect that you're enquiring
> about their retail Internet offerings, and my impression is that they don't
> bother to check for or deal with infected hosts.
> 
I believe fergdawg referred to bt the platform rather than to BT the provider.
Although I have only one contact in the latter, that contact is clueful and
attempts to check for infected hosts.  As is so often the case, topology and
customer base add complexity to the "dealing with" part of problems.




Re: Anyone from BT...

2007-01-22 Thread Fergie

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- Peter Corlett [EMAIL PROTECTED] wrote:

> On Mon, Jan 22, 2007 at 04:09:48AM +, Fergie wrote:
> > ...on the list who might be able to comment on how they/you/BT is
> > detecting downstream clients that are bot-infected, and how exactly you
> > are dealing with them?
> 
> Which bit of BT? They've got their fingers in quite a lot of pies, and the
> Clue level varies wildly.
> 
> Although given you've asked that question, I suspect that you're enquiring
> about their retail Internet offerings, and my impression is that they
> don't bother to check for or deal with infected hosts.


Well, thanks for the response :-) but I am looking for anyone who
could shed some light on this statement:

BT has launched an automated system to identify professional
spammers and 'botnet'-infected customers on the BT broadband
network.

ref:
http://www.networkworld.com/news/2006/101306-bt-fires-back-at.html

I am curious as to what they're actually doing.

Cheers,

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.2 (Build 4075)

wj8DBQFFtPjSq1pz9mNUZTMRAnziAJ0dur37zDjC5ji7r+LKz8GwP7w8UgCg8dqH
omyWrRvl4I1WffMdZegUEEY=
=3jjq
-----END PGP SIGNATURE-----


--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/