From: "DAve" <[EMAIL PROTECTED]>
Loren Wilton wrote:
It was mentioned that several people are getting hammered by world-wide
robot attacks. I see from the little spam I get that there is a new
spam sending tool for robots that is running a stock spam. I suspect
the traffic is a combination of distributing the new spam tool and
sending out the new spam.
With all this traffic from robots, lots of people here must be getting
quite a lot of information in their logs about connections from robots.
I wonder if there would be value in a central database that attempts to
enumerate the robots?
Most of them are probably on dynamic ip. But if the sending IP and
attempted connect time could be logged at many sites and combined, there
would be fairly conclusive evidence that a given IP had been sending
spam at a particular time. Perhaps that could be submitted to at least
some of the more responsible service providers, and they could do
something to track it back to a customer and send them an email that
their machine is infected. (Or possibly be even more proactive, I suppose.)
The database might also be usable in front door spam blocking. Most
people probably shouldn't be accepting direct connections from dynamic
ips on someone else's network, especially if that ip has a recent
history of sending spam (say in the last 6 hours or so). It might be
possible to make a server that could provide yes/no answers on whether
the IP has sent spam in the last minute/hour/6 hours/day or so.
I'd think that such a database could be built almost automatically. For
instance, if you log the IPs of connection attempts that you reject for
various problems, you could just harvest those IPs once an hour or so to
some central site, no human judgement calls required. If the mail is
accepted and gets a high SA score, and you can still determine the
sending IP, then that might be automatically harvested also.
Thoughts? Does something like this have any value?
Loren
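A sketch of the yes/no lookup service Loren describes above, as an added example that is not code from anyone in this thread: the harvested reports are constructed, the site names and IPs are documentation placeholders, and requiring corroboration from two distinct sites within the window (to cope with dynamic IPs and a single site's false positives) is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what several sites might harvest once an hour:
# (reporting site, connecting IP, time of the rejected connection).
REPORTS = [
    ("mx.example-a.test", "198.51.100.7", "2004-08-01T10:05:00"),
    ("mx.example-b.test", "198.51.100.7", "2004-08-01T10:20:00"),
    ("mx.example-c.test", "198.51.100.7", "2004-08-01T12:40:00"),
    ("mx.example-a.test", "203.0.113.9", "2004-08-01T11:00:00"),
    ("mx.example-a.test", "203.0.113.9", "2004-08-01T11:30:00"),  # one site only
]


class RobotReputation:
    """Time-windowed store of rejected-connection reports from many sites."""

    def __init__(self, reports):
        # ip -> list of (site, datetime); a dynamic IP's history ages out
        # naturally because every query is bounded by a window.
        self.seen = defaultdict(list)
        for site, ip, ts in reports:
            self.seen[ip].append((site, datetime.fromisoformat(ts)))

    def recent_sites(self, ip, now, window):
        """Distinct sites that reported `ip` within `window` before `now`."""
        cutoff = now - window
        return {site for site, t in self.seen.get(ip, []) if cutoff <= t <= now}

    def is_listed(self, ip, now, window=timedelta(hours=6), min_sites=2):
        """Yes/no answer for the front door: corroborated by >= min_sites
        independent sites inside the window (assumed threshold)."""
        return len(self.recent_sites(ip, now, window)) >= min_sites

    def evidence(self, ip):
        """Chronological (time, site) records to hand to the IP's provider."""
        return sorted((t.isoformat(), site) for site, t in self.seen.get(ip, []))


if __name__ == "__main__":
    rep = RobotReputation(REPORTS)
    now = datetime(2004, 8, 1, 13, 0, 0)
    for ip in ("198.51.100.7", "203.0.113.9"):
        print(ip, "last 6h:", rep.is_listed(ip, now),
              "last 1h:", rep.is_listed(ip, now, timedelta(hours=1)))
```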
Something like http://dhsield.org, but limited to email instead of all
ports?
Don't know. (Not going to click on THAT link. It looks like it might
lead to a typo squatter potentially with malware. {^_-}) But I suspect
the answer is yes.
{^_^}