We've built and run a prototype passive botnet tracking system in Austria for the last year. A journal paper is pending and should be ready for the conference - hopefully only a week away from the final version.

The gist: based on a darknet (i.e. unused IP addresses), we analyze incoming packets and classify them into (currently eight) different spambot types based on learned idiosyncrasies of packet and protocol, and reference data (currently by Marshall). The system is based on machine learning techniques, scales extremely well, and can utilize all kinds of reference data. However, to track all spambots worldwide (according to ShadowServer's estimates), we need about 1.5 million unused IP addresses. In times of IPv4 shortage, that is quite a tall order.

Unfortunately, spammers have not switched to IPv6 yet - in the full past year, we could not find a single IPv6 packet originating from a spambot. This will probably change in the future, but until we have enough sample data to train our models, IPv6 cannot be used reliably.

Lack of reference data (i.e. known botnets, bot types, DDoS/spam sending activity etc.) has been our greatest obstacle so far. We intend to extend the system towards TCP/IP stack fingerprinting (for those bots which have their own stack) and towards true botnet tracking (e.g. by analyzing access patterns & timings).

Any comments are welcome. We will try to be at RIPE-58, provided we can get a small talking slot there - half an hour should suffice.

Best,
Alex

--
Dr. Alexander K. Seewald
Seewald Solutions
www.seewald.at
Tel. +43(664)1106886
Fax. +43(1)2533033/2764
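As an added illustration (not the author's system, its eight classes or its reference data), here is the feature-extraction step that a darknet-based classifier and the proposed TCP/IP stack fingerprinting extension both rest on. It parses constructed IPv4/TCP packets addressed to an assumed darknet prefix (192.0.2.0/24, a documentation range chosen for the example), discards traffic that is not a pure SYN to unused space (RST and SYN/ACK backscatter from spoofed-source attacks also lands on darknets), and groups sending hosts by the stack-dependent fields: likely initial TTL, DF bit, window size and TCP option layout. All addresses, option layouts and packets are constructed samples; the helper names are mine.

```python
"""Passive TCP/IP stack feature extraction over darknet traffic (added example)."""
import ipaddress
import struct
from collections import defaultdict

# Assumed darknet prefix: an RFC 5737 documentation range, chosen for the example.
DARKNET = ipaddress.ip_network("192.0.2.0/24")


def build_syn(src, dst, ttl, window, options, df=True, flags=0x02,
              sport=40000, dport=25):
    """Build a minimal IPv4 + TCP packet (constructed sample; checksums left zero)."""
    opts = bytes(options)
    opts += b"\x00" * (-len(opts) % 4)          # pad options to a 32-bit boundary
    data_off = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (data_off << 12) | flags, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0,
                     0x4000 if df else 0, ttl, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + tcp


def parse_options(raw):
    """Turn TCP option bytes into a layout tuple such as ('MSS=1460', 'NOP', 'WS=7').

    A malformed option (bad length, runs off the end) yields 'BAD' and stops parsing;
    a home-grown bot stack is often recognisable by exactly such defects.
    """
    layout, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                            # EOL
            layout.append("EOL")
            break
        if kind == 1:                            # NOP
            layout.append("NOP")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            layout.append("BAD")
            break
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            layout.append("MSS=%d" % struct.unpack("!H", body)[0])
        elif kind == 3 and length == 3:
            layout.append("WS=%d" % body[0])
        elif kind == 4:
            layout.append("SACK")
        elif kind == 8:
            layout.append("TS")
        else:
            layout.append("OPT%d" % kind)
        i += length
    return tuple(layout)


def extract(pkt):
    """Return (src, signature) for a pure TCP SYN aimed at the darknet, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = ipaddress.ip_address(pkt[16:20])
    if proto != 6 or dst not in DARKNET:
        return None                              # not TCP, or not sent to unused space
    tcp = pkt[ihl:]
    if len(tcp) < 20 or tcp[13] & 0x16 != 0x02:  # SYN set, RST/ACK clear: drops backscatter
        return None
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    # Stacks start at 32/64/128/255; the smallest bound >= observed TTL is the likely initial TTL.
    init_ttl = next(t for t in (32, 64, 128, 255) if t >= ttl)
    return src, (init_ttl, df, window, parse_options(tcp[20:doff]))


def group_sources(packets):
    """Map each stack signature to the set of darknet-probing sources that show it."""
    groups = defaultdict(set)
    for pkt in packets:
        hit = extract(pkt)
        if hit is not None:
            src, sig = hit
            groups[sig].add(src)
    return dict(groups)


# Constructed samples (addresses from RFC 5737 ranges), not captured data.
WIN_OPTS = [2, 4, 0x05, 0xB4, 1, 1, 4, 2]                               # MSS=1460, NOP, NOP, SACK-permitted
LINUX_OPTS = [2, 4, 0x05, 0xB4, 4, 2, 8, 10] + [0] * 8 + [1, 3, 3, 7]  # MSS, SACK, TS, NOP, WS=7
SAMPLES = [
    build_syn("198.51.100.10", "192.0.2.7", 117, 65535, WIN_OPTS),
    build_syn("198.51.100.11", "192.0.2.200", 109, 65535, WIN_OPTS),
    build_syn("203.0.113.5", "192.0.2.9", 51, 29200, LINUX_OPTS),
    build_syn("203.0.113.6", "198.51.100.1", 51, 29200, LINUX_OPTS),               # not darknet space
    build_syn("203.0.113.7", "192.0.2.33", 51, 29200, LINUX_OPTS, flags=0x14),     # RST/ACK backscatter
    build_syn("203.0.113.8", "192.0.2.34", 250, 512, [2, 4, 0x05, 0xB4, 3]),       # odd stack: truncated WS option
]

if __name__ == "__main__":
    for sig, srcs in group_sources(SAMPLES).items():
        print(sig, sorted(srcs))
```

The signature tuple is the raw material a learned model would consume alongside reference data; on its own it already separates the two OS-style senders from the sender whose option block is malformed, which is the kind of idiosyncrasy a bot running its own stack leaves behind.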