ietf-asrg

Re: [Asrg] Countering Botnets to Reduce Spam

2012-12-14 07:40:21
In addition to Chris's excellent comments:

- Connecting a [Linux or other] server to a P2P network may not be possible
or desirable in many/most instances.

- Use of a technique like this might leak information on which software
is installed, which versions, etc.

- It will trigger false positives whenever software is upgraded/patched.
(I say "will" because very long experience with tripwire and similar
taught me this a long time ago.)

- If the server has been subverted, then this mechanism can also
be subverted.

- Linux systems are not a significant component of botnets.  I've been
doing passive OS fingerprinting for most of a decade, and they're in
the noise floor.  It's still true now, as it was years ago, that
bot-originated spam comes from Windows systems to about six 9's.

- Better techniques already exist, such as firewalling outbound port 25
by default and only punching holes for systems that actually need to
send mail.  Another example: monitoring the TCP connection rate to
port 25 on remote systems -- spam-senders are likely to push it much
higher than "normal".

---rsk
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
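An added example of the port-25 connection-rate monitoring rsk mentions in his last point (my own code, not from the post or the list). It counts outbound SMTP SYNs per source host in a sliding window over constructed firewall-style log lines in an assumed format, and flags hosts above a threshold unless they are allowlisted as known mail relays.

```python
import re
from collections import defaultdict, deque

# Assumed log format for outbound TCP SYNs (constructed, not a real firewall's output):
#   t=<seconds> src=<host> dst=<host> dport=<port>
LOG_RE = re.compile(r"t=(?P<t>[\d.]+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")


def build_sample_log():
    """Constructed sample: one legitimate relay, one host behaving like a spam bot."""
    lines = []
    # 10.0.0.5 is the site's mail relay: one outbound message every 20 s.
    lines += [f"t={20 * i} src=10.0.0.5 dst=203.0.113.{i % 5} dport=25" for i in range(6)]
    # 10.0.0.42 opens 40 connections to port 25 on distinct hosts inside one minute.
    lines += [f"t={10 + i * 1.5:.1f} src=10.0.0.42 dst=198.51.100.{i % 20} dport=25"
              for i in range(40)]
    # HTTPS traffic from the same host must not count towards its SMTP rate.
    lines += [f"t={10 + i * 3} src=10.0.0.42 dst=192.0.2.9 dport=443" for i in range(30)]
    return lines


def peak_smtp_rate(lines, window=60.0):
    """Peak number of port-25 connections per source within any window of `window` seconds."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dport")) == 25:
            events.append((float(m.group("t")), m.group("src")))
    events.sort()  # logs are not guaranteed to arrive in time order
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    peak = defaultdict(int)
    for t, src in events:
        q = recent[src]
        q.append(t)
        while t - q[0] > window:  # drop connections older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)


def flag_spam_senders(lines, threshold=20, window=60.0, allowlist=frozenset()):
    """Sources exceeding `threshold` port-25 connections per window, minus known relays."""
    return {src: n for src, n in peak_smtp_rate(lines, window).items()
            if n > threshold and src not in allowlist}


if __name__ == "__main__":
    print(flag_spam_senders(build_sample_log()))  # {'10.0.0.42': 40}
```

The threshold and window are site-specific: measure the relay's normal peak first, then set the threshold well above it so routine upgrades or mail bursts do not trip it.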