Forwarded from: *Hobbit* <hobbit (at) avian.org>

Breathless articles like this just piss me off. It isn't about whose botnet is bigger or more secretive or what its C2 protocol is. It's really about the fact that they're permitted to exist at all, let alone successfully send huge volumes of spam. If the ISPs would actually grow a pair one of these days and curtail untrusted customer netblocks full of known-infested machines from sending ANY direct SMTP traffic to anywhere but the ISP's own authorized and well-controlled egress relay, there would be no point in spam botnets.

I wrote at length about this over two years ago and suggested some local [and arguably somewhat lame] mitigation strategies, in http://www.usenix.org/publications/login/2005-10/openpdfs/hobbit.pdf but how many people actually read Usenix papers, anyways.

The point here is that the ISPs are a very large percentage AT FAULT for the continued existence and appeal of botnets. If you work for an ISP, go ahead, be as angry as you want at me for saying that, but you know how true it is. Have you ever spent *4 hours* on the phone with reps in the Philippines for Verizon or Comcast [to pick on the big boys] trying to find someone who can even spell SMTP, let alone do anything to solve a problem or track spam? GFL.

How hard is it to add some anti-forgery header rules to the egress dropoff mailservers that ALREADY exist, special-case a few people who actually know what they're doing, and then hop on the edge routers and clamp down on any other TCP 25 noise emerging from subscriber clouds? HOW HARD IS IT?? Don't give me that lame "common carrier, can't do it" excuse -- you wouldn't be blocking ingress CIFS and the like either if that held any water.

If you're an ISP and continuing to let botnets work under your noses, you are an overt threat to the security of many nations at once. Get busy.

Oh, and you could try answering your abuse@ mailboxes once in a while.
_H*

___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Fri Feb 15 2008 - 00:22:13 PST
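
The egress policy the message argues for (subscriber netblocks may send TCP 25 only to the ISP's own relay, with a few special-cased customers), sketched as an added example that is not part of the original post. All addresses are constructed from documentation ranges, and the names `classify` and `suspects` are hypothetical; the same decision run over flow records also shows which subscribers are generating the "TCP 25 noise".

```python
import ipaddress

# Constructed values (assumptions): RFC 5737 documentation ranges only.
SUBSCRIBER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
EGRESS_RELAY = ipaddress.ip_address("192.0.2.25")        # ISP's authorized relay
EXEMPT_HOSTS = {ipaddress.ip_address("198.51.100.10")}   # special-cased customer

def classify(src, dst, dport):
    """Return 'permit' or 'deny' for one outbound TCP flow seen at the edge."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != 25:
        return "permit"                 # the policy only concerns direct SMTP
    if not any(src_ip in net for net in SUBSCRIBER_NETS):
        return "permit"                 # not from a subscriber netblock
    if dst_ip == EGRESS_RELAY or src_ip in EXEMPT_HOSTS:
        return "permit"                 # via the relay, or an approved sender
    return "deny"

def suspects(flows, threshold=3):
    """Subscribers whose denied SMTP attempts hit >= threshold distinct hosts.

    One stray attempt can be a misconfigured mail client; fan-out to many
    destinations is the pattern worth routing to the abuse desk.
    """
    denied = {}
    for src, dst, dport in flows:
        if classify(src, dst, dport) == "deny":
            denied.setdefault(src, set()).add(dst)
    return sorted(s for s, dsts in denied.items() if len(dsts) >= threshold)

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("198.51.100.77", "203.0.113.1", 25),
    ("198.51.100.77", "203.0.113.2", 25),
    ("198.51.100.77", "203.0.113.3", 25),
    ("198.51.100.10", "203.0.113.5", 25),   # exempt customer, direct SMTP
    ("198.51.100.20", "192.0.2.25", 25),    # normal customer using the relay
    ("198.51.100.20", "203.0.113.9", 443),  # unrelated traffic
    ("198.51.100.30", "203.0.113.1", 25),   # single stray attempt
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, classify(*flow))
    print("report to abuse desk:", suspects(SAMPLE_FLOWS))
```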