 
OK, serious thought here... Bear with me... I may be a) describing an existing system or b) way off base.

Transparent SMTP proxy intercepts all messages and maintains a running total of emails sent per source IP. This running total is actually stored as a time distribution (i.e. 10 emails in 10 minutes, then none in 10, then 100 in ten, etc.).

Rulebase periodically examines this time distribution for each source IP. Something like: if the last 3 matches are >10, >10, >10 then block for 30 minutes per strikeout(sourceIP) and increment strikeout(sourceIP) by one. After expiry of downtime, open them up again. After (say) 90 minutes of non-abhorrent behaviour, decrement strikeout(sourceIP) by one. If strikeout(sourceIP) gets to a threshold (say 10) then email the user and 48 hours later disable the account unless they contact the helpdesk and claim to have addressed the situation.

You probably want cleverer rules to identify bursts of email, and possibly a training period with rules referent to earlier data from the same source - this should be able to reliably identify legitimate high-volume users, especially if you build in a time-of-day factor.

This should quickly throttle zombies and disable the account if not fixed, but allow for brief infections to be throttled, and if fixed, NOT need manual intervention to unblock. It may impact some legit heavy email users, but mail will bounce, and it should fix itself.

Just a thought. Cheers - N.
Simon Lyall <simon(a)darkmere.gen.nz> 10/06/2004 1:46:38 p.m. >>>

It looks like there are a lot of NZ-based zombies sending very large amounts of spam (much of it in German) to some ISPs.

This has really been going hard over the last hour. I'm seeing ADSL accounts at xtra, iprolink and ihug, xtra dialups, etc. etc.

As a related issue, how do people feel about a whitelist RBL of NZ mail servers? It looks like it's not good to just whitelist NZ IPs.

--
Simon J. Lyall. | Very Busy | Mail: simon(a)darkmere.gen.nz
"To stay awake all night adds a day to your life" - Stilgar | eMT.

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog