Re: [Asrg] Countering Botnets to Reduce Spam

Rich Kulawiec <rsk@gsp.org> Fri, 14 December 2012 13:39 UTC

Return-Path: <rsk@gsp.org>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D22821F86E9 for <asrg@ietfa.amsl.com>; Fri, 14 Dec 2012 05:39:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.449
X-Spam-Level:
X-Spam-Status: No, score=-6.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pV9GyUYXGfoZ for <asrg@ietfa.amsl.com>; Fri, 14 Dec 2012 05:39:46 -0800 (PST)
Received: from taos.firemountain.net (taos.firemountain.net [207.114.3.54]) by ietfa.amsl.com (Postfix) with ESMTP id 797AC21F86D9 for <asrg@irtf.org>; Fri, 14 Dec 2012 05:39:46 -0800 (PST)
Received: from gsp.org (bltmd-207.114.17.210.dsl.charm.net [207.114.17.210]) by taos.firemountain.net (8.14.5/8.14.5) with ESMTP id qBEDdhtt002319 for <asrg@irtf.org>; Fri, 14 Dec 2012 08:39:44 -0500 (EST)
Date: Fri, 14 Dec 2012 08:39:37 -0500
From: Rich Kulawiec <rsk@gsp.org>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <20121214133937.GA23699@gsp.org>
References: <SNT002-W143FB9A867C92FA80D90E04C54E0@phx.gbl> <DA14FA4D-13CB-4C61-90C4-4E690F0EC745@blighty.com> <SNT002-W1393526B62C0940EF697B2C54E0@phx.gbl> <20682.3413.665708.640636@world.std.com> <50CA0E91.2080304@mtcc.com> <20682.23612.451287.246798@world.std.com> <50CA805E.3010100@mtcc.com> <50CAA612.3070000@mustelids.ca> <SNT002-W117523E9206C73F54784577C54D0@phx.gbl> <50CABCB4.1030103@mustelids.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <50CABCB4.1030103@mustelids.ca>
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: Re: [Asrg] Countering Botnets to Reduce Spam
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Dec 2012 13:39:47 -0000

In addition to Chris's excellent comments:

- Connecting a [Linux or other] server to a P2P network may not be possible
or desirable in many/most instances.

- Use of a technique like this might leak information on which software
is installed, which versions, etc.

- It will trigger false positives whenever software is upgraded/patched.
(I say "will" because very long experience with tripwire and similar
taught me this a long time ago.)

- If the server has been subverted, then this mechanism can also
be subverted.

- Linux systems are not a significant component of botnets.  I've been
doing passive OS fingerprinting for most of a decade, and they're in
the noise floor.  It's still true now, as it was years ago, that
bot-originated spam comes from Windows systems to about six 9's.

- Better techniques already exist, such a firewalling outbound port 25
by default and only punching holes for systems that actually need to
send mail.  Another example: monitoring the TCP connection rate to
port 25 on remote systems -- spam-senders are likely to push it much
higher than "normal".

---rsk