The problem with that would be dynamically assigned addresses, unless you included a lookup being done against your RADIUS databases by the SMTP proxy, so that the user can be identified.

Possibly, a better solution would be to analyse netflow data as it hits the collectors, and identify offending machines that way. By using netflow, you can extend detection of worms, etc. to include all ports, rather than just port 25.

Doing dynamic throttling of infected connections is much more difficult - there's not a large range of equipment out there that can do that reliably, although the Juniper ERX does spring to mind :-) But that's not a box you'd find in most ISPs.

Cheers,
Gordon
-----Original Message-----
From: neil gardner [mailto:neil.gardner(a)alliedtelesyn.co.nz]
Sent: Thursday, 10 June 2004 3:20 p.m.
To: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] Zombies
OK, serious thought here... Bear with me... I may be a) Describing an existing system or b) way off base.
Transparent SMTP proxy intercepts all messages and maintains a running total of emails sent per source IP. This running total is actually stored as a time distribution (i.e. 10 emails in 10 minutes, then none in 10, then 100 in ten, etc.)
Rulebase periodically examines this time distribution for each source IP. Something like
If last 3 matches are >10, >10, >10 then block for 30 minutes per strikeout(sourceIP) and increment strikeout(sourceIP) by one.
After expiry of downtime, open them up again. After (say) 90 minutes of non-abhorrent behaviour, decrement strikeout(sourceIP) by one.
If strikeout(sourceIP) gets to threshold (say 10) then email user and 48 hours later disable account unless they contact helpdesk and claim to have addressed the situation.
You probably want cleverer rules to identify bursts of email, and possibly a training period with rules referent to earlier data from the same source - this should be able to reliably identify legitimate high volume users - especially if you build in a time-of-day factor.
This should quickly throttle zombies and disable the account if not fixed, but allow for brief infections to be throttled, and if fixed, NOT need manual intervention to unblock. It may impact some legit heavy email users, but mail will bounce, and it should fix itself.
Just a thought.
Cheers - N.
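The strikeout rulebase Neil sketches above, as an added Python simulation (example code, not something from the thread or any ISP's proxy). It assumes 10-minute bins for the time distribution, reads "30 minutes per strikeout" as 30 minutes times the count after incrementing, and runs over constructed traffic from one zombie and one legitimate sender.

```python
from collections import defaultdict
from dataclasses import dataclass, field

BUCKET = 600          # 10-minute bins for the per-source time distribution (assumed)
BURST = 10            # a bin with more than this many messages counts as a burst
WINDOW = 3            # consecutive burst bins needed to trigger a block
BLOCK_UNIT = 30 * 60  # block = 30 min x strikeout count (taken as: after incrementing)
QUIET = 90 * 60       # 90 min with no burst earns one strikeout back
THRESHOLD = 10        # strikeouts at which the user is emailed / account flagged

@dataclass
class Source:
    bins: dict = field(default_factory=lambda: defaultdict(int))  # bin index -> count
    strikeout: int = 0
    blocked_until: int = 0   # epoch seconds; messages before this are refused
    quiet_since: int = 0     # last time a burst was seen (or a strikeout decayed)

def evaluate(events):
    """events: iterable of (epoch_seconds, source_ip) as seen by the transparent proxy.
    Returns (actions, state): actions is a list of (time, ip, action) the rulebase emits."""
    state = defaultdict(Source)
    actions = []
    for t, ip in sorted(events):
        s = state[ip]
        if t < s.blocked_until:
            actions.append((t, ip, "dropped"))      # still inside a block period
            continue
        if s.strikeout and t - s.quiet_since >= QUIET:   # non-abhorrent for 90 min
            s.strikeout -= 1
            s.quiet_since = t
            actions.append((t, ip, f"strikeout -> {s.strikeout}"))
        b = t // BUCKET
        s.bins[b] += 1
        if s.bins[b] > BURST:
            s.quiet_since = t
        if all(s.bins[b - i] > BURST for i in range(WINDOW)):  # last 3 bins all >10
            s.strikeout += 1
            s.blocked_until = t + BLOCK_UNIT * s.strikeout
            actions.append((t, ip, f"block {s.strikeout * 30}min (strike {s.strikeout})"))
            if s.strikeout >= THRESHOLD:
                actions.append((t, ip, "notify user; disable in 48h unless fixed"))
    return actions, state

def sample_events():
    """Constructed traffic: 10.0.0.5 (zombie) sends every 30 s for 90 min, then once at 3 h;
    10.0.0.9 (legitimate) sends 5 messages per 10-minute bin for 90 min."""
    zombie = [(t, "10.0.0.5") for t in range(0, 90 * 60, 30)] + [(3 * 3600, "10.0.0.5")]
    legit = [(t, "10.0.0.9") for t in range(0, 90 * 60, 120)]
    return zombie + legit
```

With this input the zombie is blocked for 30 minutes at the 11th message of its third busy bin, blocked again for 60 minutes once it resumes, and has one strikeout forgiven after 90 quiet minutes; the legitimate sender is never touched.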