On Wed, Mar 04, 2009 at 11:12:35AM +0100, Florian Weimer wrote:

There seems to be an underlying assumption that all bots gather information through scanning (possibly neighboring) addresses, but this is simply not true.

No, we have collected about twelve months' traffic from four /26 subnets and were able to recognize about half of the spambots from single-packet data alone using a machine learning system trained on packet features (excluding obvious correlations such as TCP source port). We suspect this is due to non-random ICMP payloads, TCP option ordering and UDP payloads. There is no compelling reason for this data to be there; we were as surprised as you seem to be.

Best,
Alex

--
Dr. Alexander K. Seewald
Seewald Solutions
www.seewald.at
Tel. +43(664)1106886
Fax. +43(1)2533033/2764
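As an added illustration (not code from this message or from the system it describes), the sketch below extracts one of the single-packet features mentioned above, TCP option ordering, from a raw TCP header. The function names and the two sample SYN headers are hypothetical and constructed for the example.

```python
import struct

# Names for common TCP option kinds (IANA-assigned numbers).
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACKOK", 5: "SACK", 8: "TS"}


def tcp_option_order(tcp_header: bytes) -> tuple:
    """Return the ordered option kinds of one TCP header as a feature tuple.

    Only the order is kept, not the option values: this is the
    "TCP option ordering" feature named in the message above.
    """
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("invalid data offset")
    opts = tcp_header[20:data_offset]
    order, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List: the rest is padding
            order.append("EOL")
            break
        if kind == 1:  # NOP is a single byte with no length field
            order.append("NOP")
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        order.append(OPTION_NAMES.get(kind, f"K{kind}"))
        i += length
    return tuple(order)


def build_syn(options: bytes) -> bytes:
    """Construct a sample SYN header (constructed test data, not captured)."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary
    offset_flags = ((5 + len(options) // 4) << 12) | 0x002  # SYN flag
    return struct.pack("!HHIIHHHH", 40000, 25, 1, 0, offset_flags, 65535, 0, 0) + options


# Two constructed SYNs carrying the same options in a different order.
MSS, SACKOK, TS, NOP, WS = b"\x02\x04\x05\xb4", b"\x04\x02", b"\x08\x0a" + b"\x00" * 8, b"\x01", b"\x03\x03\x07"
SYN_A = build_syn(MSS + SACKOK + TS + NOP + WS)
SYN_B = build_syn(MSS + NOP + WS + NOP + NOP + TS + SACKOK)
```

The resulting tuple can be fed to a classifier as a categorical feature; malformed option lists raise `ValueError` so they can be counted separately rather than silently dropped.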