Anyone from BT...

michael.dillon · January 23, 2007, 11:41am

...on the list who might be able to comment on how they/you/BT is
detecting downstream clients that are bot-infected, and how exactly
you are dealing with them?

Unfortunately, the way you phrased that question is
rather "journalistic" and in BT, as in most large companies,
employees are forbidden from answering such questions without
having the answers vetted by various Public Relations
and Legal departments.

Fortunately, published material is exempt from this rule
so Googling for an article I found this:

which contains the following:

    Using data from the system, BT's abuse team can cancel
    rogue accounts linked to spammers or add offending
    IP addresses to blacklists.

    The system also allows BT's admins to contact consumers
    whose compromised (zombie) PCs have unwittingly been
    made the part of the junk mail problem and provide advice
    on cleaning up their systems.

Seems pretty clear to me. We take the issue of botnets very
seriously and we have invested money into tools which automate
some part of the process of identifying and removing bots.
Just what was the point of your query? Do you have some issue with
traffic emanating from BT's network?

I admit that we are a rather large company with several
rather widespread IP networks, nevertheless, a simple
RIPE database query of "BT" does lead to more than one
abuse contact and also lists several real people who
you could contact directly if you need to coordinate activity.

--Michael Dillon

Tony_Finch · January 23, 2007, 2:38pm

Also http://wesii.econinfosec.org/draft.php?paper_id=47
(Google will give you an HTML version.)

Tony.

Chris_Edwards · January 23, 2007, 3:32pm

Well spotted - interesting.

This is monitoring SMTP leaving their network, right ?

I guess the yellow line on the graphs ("invalid mail" - rejected inline by
the dest mail server, for some reason) makes this somewhat related to
Richard Clayton's "extrusion detection" work. Difference being BT are
monitoring direct->MX traffic.

Aside from the invalid mails, this article suggests they're mostly
identifying spam by the source IP (ie. their customer's IP) being listed
in a DNSBL. So how come they need this super-duper real-time content
scanning infrastructure ? Why wouldn't they download the DNSBLs, and
simply run an offline grep for entries in their own IP space ?

Oops - the redirection rules as stated (underneath figure 4) look
backwards:

"Traffic from link A that will be routed out of link B, and has
a source port of 25 is redirected to link C"

s/source/destination/ (and similar for the return rule).

Tony_Finch · January 23, 2007, 4:38pm

I understood from the article that they were just describing an early
prototype and that they were planning to add content scanning checks
later - see the "other spam detection techniques" section.

Tony.