[dns-operations] MX record scanning

Tim Wilde twilde at cymru.com
Wed May 11 16:09:15 UTC 2011

Hash: SHA1

On 5/10/2011 11:03 AM, Tony Finch wrote:
> Antoin Verschuren <antoin.verschuren at sidn.nl> wrote:
>> The question now is, what to do with the data.
>> If you analyse your querylog with the characterisics above, you have an
>> almost certain list of affected botnet clients.
>> Should we alert local CERTs to inform ISP's to tell their customers ?
> Might also be helpful to ask Spamhaus if they could make use of the data.

If the bots are making the queries directly and the data can be
extracted with timestamps and a reasonably low false positive rate, Team
Cymru would be more than happy to take the data and report it out to our
hundreds of subscribed and vetted ISPs/ASN/netblock owners, with or
without attribution to the contributing party/parties as desired by
them.  Anyone who is looking for a clearinghouse for this data can feel
free to ping me offline (or respond on-thread here if you so desire) to
discuss further.

Tim Wilde

- -- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/


More information about the dns-operations mailing list