[Dshield] Tracking Botnets

David Cary Hart DShield at TQMcube.com
Sat Nov 19 16:59:12 GMT 2005


Every SMTP relay attempt I see comes in what looks like a cluster.
Here's an example:

        1) Nov 18 21:16:59 smtp postfix/smtpd[27060]: NOQUEUE: reject:
        RCPT from unknown[217.216.53.148]: 554
        <joh at jaadey.freeserve.co.uk>: Relay access denied;
        from=<wslcrkryswavmv at hotmail.com>
        to=<joh at jaadey.freeserve.co.uk> proto=SMTP
        helo=<148.red-217-216-53.user.auna.net>
        
        2) Nov 18 21:17:52 smtp postfix/smtpd[27152]: NOQUEUE: reject:
        RCPT from unknown[216.183.52.197]: 554
        <joh at jaadey.freeserve.co.uk>: Relay access denied;
        from=<wslcrkryswavmv at hotmail.com>
        to=<joh at jaadey.freeserve.co.uk> proto=SMTP helo=<68.236.166.73>
        
        3) Nov 18 21:18:14 smtp postfix/smtpd[27149]: NOQUEUE: reject:
        RCPT from S010600d009dae68a.su.shawcable.net[24.109.16.18]: 554
        <joh at jaadey.freeserve.co.uk>: Relay access denied;
        from=<wslcrkryswavmv at hotmail.com>
        to=<joh at jaadey.freeserve.co.uk> proto=SMTP
        helo=<S010600d009dae68a.su.shawcable.net>
        
        4) Nov 18 21:18:40 smtp postfix/smtpd[27241]: NOQUEUE: reject:
        RCPT from
        pool-71-243-78-106.bos.east.verizon.net[71.243.78.106]: 554
        <joh at jaadey.freeserve.co.uk>: Relay access denied;
        from=<wslcrkryswavmv at hotmail.com>
        to=<joh at jaadey.freeserve.co.uk> proto=SMTP
        helo=<pool-71-243-78-106.bos.east.verizon.net>
        
        5) Nov 18 21:19:03 smtp postfix/smtpd[27295]: NOQUEUE: reject:
        RCPT from unknown[222.108.222.11]: 554 Service unavailable;
        Client host [222.108.222.11] blocked using clients.tqmrbl.com;
        DNSBLK.  Banned origination area.
        to=<joh at jaadey.freeserve.co.uk> proto=SMTP helo=<68.236.166.73>

Is it reasonable to assume that these five different clients/machines
are under (remote) common control? Does this, in turn, suggest a
strategy for dismantling these nets?

-- 
Our DNSRBL - 
       Eliminate Spam: http://www.TQMcube.com/spam_trap.htm
        Zombie Graphs: http://www.TQMcube.com/zombies.php
          GeoGraphics: http://www.TQMcube.com/origins.php
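The clustering the post describes (one recipient, one envelope sender, five distinct client IPs in about two minutes) can be turned into a simple log check. The following is an added example, not code from the poster or from TQMcube: it parses Postfix `NOQUEUE: reject` lines, groups them per recipient into bursts, and reports bursts driven by several distinct client IPs. The sample lines are the five quoted above, rejoined onto one line each with the archive's " at " address mangling reversed; the year 2005 is assumed (syslog timestamps carry none), and the gap and IP thresholds are assumed starting values, not anything the post recommends.

```python
"""Cluster Postfix RCPT rejects that hit one recipient from many client IPs.

Added example, not from the original post. Year, gap and IP thresholds are
assumptions; the sample log is constructed from the lines quoted in the post.
"""
import re
from collections import defaultdict
from datetime import datetime

ASSUMED_YEAR = 2005  # assumption: syslog lines carry no year; the post is from Nov 2005

# Constructed sample: the five rejects quoted in the post, one per line,
# with the list archive's " at " mangling turned back into "@".
SAMPLE_LOG = [
    "Nov 18 21:16:59 smtp postfix/smtpd[27060]: NOQUEUE: reject: RCPT from unknown[217.216.53.148]: 554 <joh@jaadey.freeserve.co.uk>: Relay access denied; from=<wslcrkryswavmv@hotmail.com> to=<joh@jaadey.freeserve.co.uk> proto=SMTP helo=<148.red-217-216-53.user.auna.net>",
    "Nov 18 21:17:52 smtp postfix/smtpd[27152]: NOQUEUE: reject: RCPT from unknown[216.183.52.197]: 554 <joh@jaadey.freeserve.co.uk>: Relay access denied; from=<wslcrkryswavmv@hotmail.com> to=<joh@jaadey.freeserve.co.uk> proto=SMTP helo=<68.236.166.73>",
    "Nov 18 21:18:14 smtp postfix/smtpd[27149]: NOQUEUE: reject: RCPT from S010600d009dae68a.su.shawcable.net[24.109.16.18]: 554 <joh@jaadey.freeserve.co.uk>: Relay access denied; from=<wslcrkryswavmv@hotmail.com> to=<joh@jaadey.freeserve.co.uk> proto=SMTP helo=<S010600d009dae68a.su.shawcable.net>",
    "Nov 18 21:18:40 smtp postfix/smtpd[27241]: NOQUEUE: reject: RCPT from pool-71-243-78-106.bos.east.verizon.net[71.243.78.106]: 554 <joh@jaadey.freeserve.co.uk>: Relay access denied; from=<wslcrkryswavmv@hotmail.com> to=<joh@jaadey.freeserve.co.uk> proto=SMTP helo=<pool-71-243-78-106.bos.east.verizon.net>",
    "Nov 18 21:19:03 smtp postfix/smtpd[27295]: NOQUEUE: reject: RCPT from unknown[222.108.222.11]: 554 Service unavailable; Client host [222.108.222.11] blocked using clients.tqmrbl.com; DNSBLK.  Banned origination area. to=<joh@jaadey.freeserve.co.uk> proto=SMTP helo=<68.236.166.73>",
]

# Fixed prefix of a Postfix smtpd RCPT reject: timestamp, host, pid, client rDNS and IP,
# reply code and the reason text up to the first ';'.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<rdns>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>[^;]*);"
)
# Envelope fields; a DNSBL reject (line 5 above) logs to= and helo= but no from=.
FIELD_RE = re.compile(r"\b(from|to|helo)=<([^>]*)>")


def parse_reject(line):
    """Return a dict for one RCPT reject line, or None for any other line."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    ts = re.sub(r" +", " ", m.group("ts"))  # "Nov  8" -> "Nov 8" for strptime
    return {
        "time": datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S"),
        "ip": m.group("ip"),
        "rdns": m.group("rdns"),
        "code": m.group("code"),
        "reason": m.group("reason"),
        "from": fields.get("from"),   # None when the reject happened before MAIL FROM was logged
        "to": fields.get("to"),
        "helo": fields.get("helo"),
    }


def _summarize(rcpt, burst, min_distinct_ips):
    """Turn one burst into a cluster record, or [] if too few distinct IPs took part."""
    ips = sorted({e["ip"] for e in burst})
    if len(ips) < min_distinct_ips:
        return []
    return [{
        "recipient": rcpt,
        "first": burst[0]["time"],
        "last": burst[-1]["time"],
        "attempts": len(burst),
        "ips": ips,
        "senders": sorted({e["from"] for e in burst if e["from"]}),
        "helos": sorted({e["helo"] for e in burst if e["helo"]}),
    }]


def find_clusters(lines, max_gap_seconds=120, min_distinct_ips=3):
    """Group rejects per recipient into bursts (consecutive attempts at most
    max_gap_seconds apart) and keep bursts driven by min_distinct_ips or more IPs.
    Both thresholds are assumed defaults, to be tuned against local traffic."""
    events = [e for e in map(parse_reject, lines) if e and e["to"]]
    by_rcpt = defaultdict(list)
    for e in events:
        by_rcpt[e["to"]].append(e)

    clusters = []
    for rcpt, evs in by_rcpt.items():
        evs.sort(key=lambda e: e["time"])
        burst = [evs[0]]
        for e in evs[1:]:
            if (e["time"] - burst[-1]["time"]).total_seconds() <= max_gap_seconds:
                burst.append(e)
            else:
                clusters.extend(_summarize(rcpt, burst, min_distinct_ips))
                burst = [e]
        clusters.extend(_summarize(rcpt, burst, min_distinct_ips))
    return clusters


if __name__ == "__main__":
    for c in find_clusters(SAMPLE_LOG):
        span = (c["last"] - c["first"]).total_seconds()
        print(f"{c['recipient']}: {c['attempts']} attempts from {len(c['ips'])} IPs in {span:.0f}s")
        print("  senders:", ", ".join(c["senders"]) or "(none logged)")
        print("  helos:  ", ", ".join(c["helos"]))
```

On the five quoted lines this yields one cluster: five attempts from five distinct IPs in 124 seconds, a single envelope sender, and the HELO `68.236.166.73` reused by two different clients, which is the shared-control signal the post is asking about. Grouping is keyed on the recipient rather than the sender because the DNSBL reject never logs a `from=`; the sender and HELO sets are reported alongside so an operator can see how much of the envelope the clients have in common.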

