[unisog] Any Canadian Universities on here ?

Peter Van Epp vanepp at sfu.ca
Thu May 5 17:02:34 GMT 2005

On Thu, May 05, 2005 at 11:25:26AM -0500, PaulFM wrote:
> So you would have caught it just as fast had you logged all outgoing port 
> 25 connections rather than block them.

	This is what I am doing (which may be a case where argus tells me too
much though :-)). We have inbound 25 restricted to our mail servers only, but
outbound is currently not blocked. Argus tells me that a fairly wide variety
of our machines send a small (but non-zero) number of messages directly rather
than through our mail server (as they should be). Suggesting a block on 
outbound 25 (while admitting that I am aware there is some amount of legit 
use) caused an uproar from our support folks, who don't have the resources to 
deal with the various mail clients. So at present the argus scripts that 
post-process the last 24 hours of traffic ignore our mail hosts, and ignore
machines sending small amounts of mail in an hour, but provide an alarm for
any IP that sends an unreasonable amount of mail in an hour. Although it's 
pretty much died out lately, when I first did this a while ago there were 
multiple cases of a compromised machine being connected to late at night and
being used to spam for 20 to 40 minutes. At least some of them were obviously
for a fee (a check connection from a variety of machines in Russia, followed
by the spam run from typically a compromised US-based host about 20 minutes 
later). Control channels vary from botnet IRC hosts, port 113 connections and
sometimes just some random port number (probably depending on which trojan the
machine has). In the morning the infected machine gets whacked off the network
and maybe a search for the control channel port gets run against the argus
logs to find other compromised hosts that haven't spammed yet. I so far 
haven't had a false positive; all machines identified have been found to have malware.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
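An added illustration of the post-processing Peter describes (not his argus scripts): count outbound port-25 flows per source per hour, skip the site's mail hosts and low-volume senders, alarm on the rest, then search the same flows for other hosts that contacted the suspected control-channel port. The flow records, the mail-server address and the per-hour threshold are constructed assumptions, and the record layout is a simplified tuple rather than real argus output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_HOSTS = {"10.0.0.25"}   # assumed: the site's legitimate mail servers (constructed address)
PER_HOUR_THRESHOLD = 20       # assumed cut-off for "unreasonable" outbound SMTP connections per hour


def build_sample_flows():
    """Constructed flow records (start time, src, dst, dst port); not real argus output."""
    base = datetime(2005, 5, 4, 23, 0, 0)
    rows = [(base, "10.1.2.3", "203.0.113.7", 113)]            # check-in on the control channel
    for i in range(30):                                        # spam run about 20 minutes later
        rows.append((base + timedelta(minutes=20, seconds=40 * i), "10.1.2.3", f"198.51.100.{i}", 25))
    rows.append((base + timedelta(minutes=5), "10.1.2.44", "203.0.113.7", 113))  # same channel, no spam yet
    rows.append((base, "10.1.9.8", "198.51.100.200", 25))      # workstation sending two messages directly
    rows.append((base + timedelta(minutes=30), "10.1.9.8", "198.51.100.201", 25))
    for i in range(100):                                       # legitimate mail server, must be ignored
        rows.append((base + timedelta(seconds=i), "10.0.0.25", f"198.51.100.{i % 50}", 25))
    return rows


def smtp_alarms(flows, mail_hosts=MAIL_HOSTS, threshold=PER_HOUR_THRESHOLD):
    """Outbound port-25 flows per (source, hour), excluding mail hosts; alarm when over the threshold."""
    counts = defaultdict(int)
    for start, src, _dst, dport in flows:
        if dport != 25 or src in mail_hosts:
            continue
        hour = start.replace(minute=0, second=0, microsecond=0)
        counts[(src, hour)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def hosts_contacting_port(flows, port, exclude=()):
    """Morning follow-up: other hosts that used the same control-channel port but have not spammed yet."""
    return sorted({src for _start, src, _dst, dport in flows if dport == port and src not in exclude})


if __name__ == "__main__":
    flows = build_sample_flows()
    for (src, hour), n in smtp_alarms(flows).items():
        print(f"ALARM {src}: {n} outbound SMTP connections in the hour starting {hour}")
        print("  also contacted the control-channel port:", hosts_contacting_port(flows, 113, exclude={src}))
```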

