To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Jeff Kell wrote:

>If we provide a thorough and timely list[s] as above, the remaining
>question of "what to do with the drones" becomes a bit more
>straightforward. If you are in a position to make use of the block
>list, you should be able to track any downstream sources trying to
>establish connections to those IPs. This is *much* more timely than any
>notifications you might send out to abuse desks, as observing the
>connection attempts is a real-time feed of infected hosts, as opposed to
>potentially stale reports of what was infected at some earlier point in
>time.
>
>In short...
>* Get the net information to investigators,
>* Get the C&C information to the general list,
>* Downplay the drones. Anyone that has the time/resources/will to clean
>them up can do it from the block list.
>
>

I've observed it is vitally necessary to shut down the infected hosts within a few hours after infection. After that, I observed a single host can send out huge amounts of spam, and I get hit by the SAME machine at least 6 - 8 times before the ISP finally gets around to shutting it down. The average lifetime of a drone bot is about 6 - 10 days, depending on how diligent the ISP is in shutting them down. This is why SpamCop often rewards early reporters.... "Yum yum - this spam is fresh...."

John
_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
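
Added example, not part of the original thread: one way to get the "real-time feed of infected hosts" described in the quoted message, by matching connection logs against a C&C block list and grouping hits by internal source. The log format, the addresses (documentation ranges) and the name `find_drones` are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed C&C block list (RFC 5737 documentation addresses, not real C&Cs).
CNC_BLOCKLIST = ["192.0.2.10", "198.51.100.0/28"]

# Constructed firewall log lines; the line format is an assumption.
SAMPLE_LOG = """\
2006-03-01T10:00:05 DENY tcp 10.1.4.22:1034 -> 192.0.2.10:6667
2006-03-01T10:00:09 DENY tcp 10.1.7.80:2211 -> 203.0.113.5:25
2006-03-01T10:02:41 DENY tcp 10.1.4.22:1035 -> 192.0.2.10:6667
2006-03-01T10:05:17 DENY tcp 10.1.9.3:4410 -> 198.51.100.7:8080
2006-03-01T10:06:00 ALLOW tcp 10.1.9.3:4411 -> 198.51.100.200:80
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DENY|ALLOW) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def find_drones(log_text, blocklist):
    """Map each source host that tried to reach a block-listed address to its
    attempt count, first/last time seen, and the C&C endpoints it contacted."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in blocklist]
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # regex matched digits that are not a valid IPv4 address
        if not any(dst in net for net in nets):
            continue  # destination is not on the block list
        ts = datetime.fromisoformat(m["ts"])
        rec = hits.setdefault(
            m["src"], {"count": 0, "first_seen": ts, "last_seen": ts, "targets": set()}
        )
        rec["count"] += 1
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["targets"].add(f"{dst}:{m['dport']}")
    return hits

if __name__ == "__main__":
    for src, rec in sorted(find_drones(SAMPLE_LOG, CNC_BLOCKLIST).items()):
        print(src, rec["count"], rec["first_seen"], sorted(rec["targets"]))
```

Attempts are counted whether the firewall allowed or denied them, since the attempt itself is the indicator of infection.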
