[anti-abuse-wg] passive botnet tracker (combined reply)

Peter,

I think that focussing just on spam is misleading. Although it is
currently the most profitable use of botnets, other uses are already
demonstrated, such as DDoS, distributed password/encryption
cracking, phishing - which could work without spam in several
scenarios (e.g. changing HOSTS on the local PC, hacking DNS servers,
etc..) - and most of these would tend to give spammers a way to make
money without spam. So it is important to find out what they are
doing and how many there are.


Frank, 

I applaud your system. By your fast response you even get rid of the
problem with static vs. dynamic IP addresses. As long as the major
business for botnets is spam, this will continue to work. Of course if
only a small set of providers use it, spammers will simply stop using
your mailserver to send spam, once it begins to hurt them. Yes, it is
relatively trivial to get the IP from the full mail headers (although
it is safer to check the IP during the SMTP conversation - I once did
a test and there was a difference of about 1% where IP addresses did
not match)

I even once wrote a system in 2004 to analyze each mail, check whois, find
out the abuse email address and send an automatically generated
abuse report there... used it for a few months, but as there was
absolutely no reponse (well, some email providers complained that
they cannot control what their users do...) I stopped it.

Our system could be used in a similar way, but tracks even inactive
bots which are currently not used to send out spam. Of course they
need to generate some other traffic, the nature of which is
currently not well understood.

Best,
  Alex
-- 
Dr. Alexander K. Seewald

Seewald Solutions
www.seewald.at
Tel. +43(664)1106886
Fax. +43(1)2533033/2764