On Wed, Mar 04, 2009 at 10:20:06AM +0100, Florian Weimer wrote:
> * Alexander K. Seewald:
>
>> The gist: Based on a darknet (i.e. unused IP addresses), we analyze incoming packets and classify them into (currently eight) different spambot types based on learned idiosyncrasies of packet and protocol, and reference data (currently by Marshall).
>
> Why do you expect bots to touch dark address space?
>
> Or put differently, I think any approach based on darkspace monitoring significantly restricts the types of bots you can detect.

Not if you use "dark" corners of your own PA space, e.g. unused /28s in your DSL space, or hosting space.

--
Jan-Pieter Cornet <johnpc@xs4all.nl>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs. !!