[Mimedefang] Image blocking idea

Joseph Brennan brennan at columbia.edu
Fri Apr 21 09:37:19 EDT 2006



--On Thursday, April 20, 2006 21:12 -0500 Les Mikesell 
<les at futuresource.com> wrote:

>  The
> logs show that it is hit by dictionary attacks fairly often
> with the interesting part being that the messages are being
> sent by many different machines at the same time but rate
> limited somehow so there are never more than a few
> simultaneous connections.

I see this too.  Not only nicely rate limited but in alphabetical
order very often.  This just shows how the bot nets work by having
a controller send each zombie just a few addresses, one zombie at
a time.  The addresses and binary might be only in memory on the
zombie and be cleared as soon as the work is done, which is often
less than a minute.  The only thing left on the zombie is whatever
allows the controller access to it.  It's all designed to have
minimal impact per "owned" PC.

Joe Brennan
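One way to look for the pattern described in this message (many sources, only a few attempts each, recipients arriving in alphabetical order) in rejected-recipient data. This is an added example, not part of the original post and not MIMEDefang code. The event tuples, function names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch seconds, client IP, rejected recipient local part).
# Not taken from any real log; the IPs are from documentation-only ranges.
SAMPLE = [
    (1000, "192.0.2.10", "aaron"), (1004, "192.0.2.10", "abby"),
    (1009, "198.51.100.7", "adam"), (1013, "198.51.100.7", "adele"),
    (1020, "203.0.113.5", "adrian"), (1026, "203.0.113.5", "agnes"),
    (1031, "192.0.2.44", "al"), (1038, "192.0.2.44", "alan"),
    (5000, "192.0.2.99", "zed"), (5400, "192.0.2.99", "bob"),
]

def windows(events, gap=120):
    """Split time-sorted events into bursts separated by more than `gap` seconds."""
    burst = []
    for ev in sorted(events):
        if burst and ev[0] - burst[-1][0] > gap:
            yield burst
            burst = []
        burst.append(ev)
    if burst:
        yield burst

def sortedness(names):
    """Fraction of adjacent pairs that are in non-decreasing alphabetical order."""
    pairs = list(zip(names, names[1:]))
    return sum(a <= b for a, b in pairs) / len(pairs) if pairs else 0.0

def find_distributed_runs(events, min_ips=3, max_per_ip=5, min_sorted=0.9, gap=120):
    """Flag bursts with many sources, few attempts each, and alphabetical recipients."""
    hits = []
    for burst in windows(events, gap):
        per_ip = defaultdict(int)
        for _, ip, _ in burst:
            per_ip[ip] += 1
        names = [n for _, _, n in burst]
        if (len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip
                and sortedness(names) >= min_sorted):
            hits.append({"start": burst[0][0], "end": burst[-1][0],
                         "sources": sorted(per_ip), "attempts": len(burst)})
    return hits

if __name__ == "__main__":
    for hit in find_distributed_runs(SAMPLE):
        print(hit)
```

Because each source stays under any per-IP threshold, the grouping is done on the recipient stream as a whole rather than per client address.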




