[Dshield] ISPs - How much monitoring is enough?
brad.madison at mail.tds.net
Sat Jan 17 01:40:12 GMT 2004
At 03:04 PM 1/16/2004 -0800, you wrote:
>You're arguing for the ISP to have traffic analysts onhand as part of
>their security detail?
>Fair enough, but as I have observed before...99% of IT people are not
>security people. Good luck trying to convince them.
Neither am I - I was a semi-competent system admin. But even I could run
(and did run) ntop, sometimes. I wasn't doing the kind of traffic analysis
I mean for now but the difference between what I did and that is
slight. For not too much money there's even a Windows version of ntop
(the Linux version is free, I think.) I suspect that routers have the
capability to do such things - but I'm also not a networking person.
IT people could look for spam server zombie systems using ntop. Just watch
for improper outbound SMTP traffic - there's your zombie. See where the
packets to that system originate and you've got at least the first piece of
a chain that leads back to the spammer - maybe. The longer the spammer
abuse is tolerated (and right now it is nearly 100% tolerated) the more
sophisticated and hard to detect, track, and stop their abuse will become.
In a browser window I'm right now looking at some captured Cyalus (Viagra
substitute, they claim) spam on a friend's open relay honeypot (Jackpot)
system.. Source is 184.108.40.206 - Korea. That's followed by some from
220.127.116.11, then some from 18.104.22.168, then 22.214.171.124 -
obviously the spammer is hitting the fake open relay from open proxies.
Altogether, about 7500 recipients in the little time window I'm observing -
none of whom got this copy of the spam, at least.
The spammer has simplified his obscuration:
yal<!--gSElrL-->us is known as a Super-Via<!--gSElrL-->gra because
Cyal<!--heKWwi-->us is known as a Super-Via<!--heKWwi-->gra because
etc., with no other imbedded html comments.
Spamming http://www.paraguanarock.com, which just expired.
Here's a tiny bit of the page for 126.96.36.199:
B4-D1AD31CF superior 04/01/17 00:05:58 GMT Dropped 99
B4-D1AD31D5 superior stuff 04/01/17 00:07:20 GMT Dropped 99
B4-D1AD31DC superior to the expensive stuff 04/01/17 00:09:16
GMT Dropped 99
B4-D1AD31E3 surprise her 04/01/17 00:10:47 GMT Dropped 99
B4-D1AD31E7 the best stuff 04/01/17 00:12:01 GMT Dropped 99
B4-D1AD31EB the new champ 04/01/17 00:13:45 GMT Dropped 99
"99" is the number of recipients. The first field is an internal pointer
to the web page for that spam - I removed some of it.. "Dropped" means it
wasn't delivered, which is good.
And "good luck" is an appropriate wish. I appreciate it - and the
implications (where "appreciate" shifts meaning from one thought to the
More information about the list