|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Wired mag article on spammers playing traceroute games with trojaned boxes
At 11:51 AM 10/9/2003, Chris Boyd wrote: They're using extremely low TTL's on most of their records. Typically 2 minutes to accomplish this. The thing is I would imagine at least ONE of those NS servers cannot change within a 2 hour window whereas the others can change every 2 minutes. If you identify the server that only changes every 2 hours and track what it's replaced with every 2 hours, you're likely to find a rotating list of master servers... Another question is why is NeuLevel (the registrar for .biz) allowing TTL's on the NS records to be 2 hours and submitting those to the GTLD servers. Maybe it's just me, but that's the first time I've seen a registrar set such a low TTL on an NS record. If NeuLevel is any good they would likely have some sort of information to identify the owner of the domain, even if the information is invalid listed on their whois server. They might have a credit card transaction although that too could always be a stolen credit card number.On Thursday, October 9, 2003, at 10:04 AM, Suresh Ramasubramanian wrote:I found one of these today, as a matter of fact. The spam was advertising an anti-spam package, of course.http://www.wired.com/news/business/0,1367,60747,00.html -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations Any other ideas or different angles/experiences? ; <<>> DiG 9.2.2 <<>> +trace a vano-soft.biz. ;; global options: printcmd . 80336 IN NS l.root-servers.net. . 80336 IN NS m.root-servers.net. . 80336 IN NS i.root-servers.net. . 80336 IN NS e.root-servers.net. . 80336 IN NS d.root-servers.net. . 80336 IN NS a.root-servers.net. . 80336 IN NS h.root-servers.net. . 80336 IN NS c.root-servers.net. . 80336 IN NS g.root-servers.net. . 80336 IN NS f.root-servers.net. . 80336 IN NS b.root-servers.net. . 80336 IN NS j.root-servers.net. . 80336 IN NS k.root-servers.net. ;; Received 449 bytes from 216.182.1.1#53(216.182.1.1) in 40 ms biz. 172800 IN NS A.GTLD.biz. biz. 172800 IN NS B.GTLD.biz. biz. 172800 IN NS C.GTLD.biz. biz. 172800 IN NS D.GTLD.biz. biz. 172800 IN NS E.GTLD.biz. biz. 172800 IN NS F.GTLD.biz. ;; Received 228 bytes from 198.32.64.12#53(l.root-servers.net) in 270 ms vano-soft.biz. 7200 IN NS NS1.UZC12.biz. vano-soft.biz. 7200 IN NS NS2.UZC12.biz. vano-soft.biz. 7200 IN NS NS3.UZC12.biz. vano-soft.biz. 7200 IN NS NS4.UZC12.biz. vano-soft.biz. 7200 IN NS NS5.UZC12.biz. ;; Received 223 bytes from 209.173.53.162#53(A.GTLD.biz) in 150 ms vano-soft.biz. 120 IN A 200.80.137.157 vano-soft.biz. 120 IN A 12.229.122.9 vano-soft.biz. 120 IN A 12.252.185.129 vano-soft.biz. 120 IN A 165.166.182.168 vano-soft.biz. 120 IN A 193.92.62.42 vano-soft.biz. 120 IN NS ns5.uzc12.biz. vano-soft.biz. 120 IN NS ns1.uzc12.biz. vano-soft.biz. 120 IN NS ns2.uzc12.biz. vano-soft.biz. 120 IN NS ns3.uzc12.biz. vano-soft.biz. 120 IN NS ns4.uzc12.biz. ;; Received 287 bytes from 204.210.76.197#53(NS4.UZC12.biz) in 130 ms Vinny Abello Network Engineer Server Management [email protected] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
|