Jump to content

Spam Zombie Detection Methods?


fred
 Share

Recommended Posts

Hi... I've used spamcop as one facet of our company e-mail server spam filtering for many years. I freekin hate spam.

Aside from that, part of our business is a small wireless ISP. We do not supply any sort of email service to our subscribers, just internet access.

We recently enhanced our ability to see and manage traffic in real-time. Holly-Smokes! Nasty Stuff out there.

Last night I watched as hundreds of outbound SMTP packets went by from one source, I immediately blocked TCP packets with outbound port 25, but over 2,000 packets went past me. Since then, I've spent many hours doing my best Sherlock Holmes impression (and hundreds of packet captures), I am pretty frustrated with what I'm finding...

Yes... it is attack of the Zombies.

I have blocked outbound port 25 from all except known legit users. But what a royal pain....

What I can not seem to find is information that would help to identify zombies.

Are there any known comand and control schemes, or traffic patterns that can help to ID zombies by an ISP?

Link to comment
Share on other sites

I have blocked outbound port 25 from all except known legit users. But what a royal pain....

What I can not seem to find is information that would help to identify zombies.

Are there any known comand and control schemes, or traffic patterns that can help to ID zombies by an ISP?

AFAIK only detected externally by Spamtraps

A zombie is a program (not a virus) that has been installed on individual machines/computers by a "user"

Once a zombie/Trojan has been installed ALL information on that computer is made available to any thug who wants it

Like pictures, home address, Phone number (Home invasions are now a reality from unsecured computers) when one is home or when they are not. Bank details, passwords etc!

A further "bonus" is it can become a relay for spam crime gangs

My signature has freeware ways of protecting individual windows computers

I would though (Windows) recommend the use of

http://onecare.live.com/standard/en-au/default.htm

A genuine Microsoft part. Perhaps you could become a reseller of it?

For ninety days it is free and in one package (except USB software and "IE-SPYAD")

It auto-updates, virus scans, has firewall, back-up,, fixes computer settings, not system heavy (yet) and not expensive (price is for 3 PC's)

As for unprotected wireless computers freeware software gives any one access to do whatever they want also (example of such software)

http://www.netstumbler.com/

Link to comment
Share on other sites

Without offering your own outbound SMTP server, it is going to be hard to detect and regulate zombies. Many ISPs have taken the approach of blocking port 25 traffic to anything off their network. That way, their users are required to send mail through the ISPs outbound mail server, and any chance of zombies sending mail direct-to-MX using their own SMTP engine is pretty much eliminated. You might ocassionally get a zombie that relays through the configured SMTP server, but this is pretty easy to detect and control, as you'll more easily be able to regulate the number of outbound messages a user can send each day.

Of course, any time you tighten down like this, you need to have some amount of flexibility for those users with other requirements. Some may have to send through another SMTP server somewhere do to SPF requirements, corporate policy, etc, and it is good to have a means in place for them to request the use of port 25 if they need it. Its also a good idea to make your methodology clear up-front so people don't complain because you blocked their email "without telling them".

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...