North American Network Operators Group

Re: Wired mag article on spammers playing traceroute games with trojaned boxes
It looks like they are using their little team of zombie machines that
are doing the port 80 redirect to also respond to DNS requests:

;; AUTHORITY SECTION:
vano-soft.biz.          120     IN      NS      ns3.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns4.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns5.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns1.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns2.uzc12.biz.

;; ADDITIONAL SECTION:
ns3.uzc12.biz.          7200    IN      A       24.91.206.103
ns3.uzc12.biz.          7200    IN      A       12.206.49.107
ns4.uzc12.biz.          7200    IN      A       12.227.146.168
ns5.uzc12.biz.          7200    IN      A       66.21.211.204
ns5.uzc12.biz.          7200    IN      A       165.166.182.168
ns1.uzc12.biz.          7200    IN      A       24.243.218.127
ns1.uzc12.biz.          7200    IN      A       12.239.143.71
ns1.uzc12.biz.          7200    IN      A       66.90.158.89
ns1.uzc12.biz.          7200    IN      A       12.229.122.9
ns2.uzc12.biz.          7200    IN      A       24.107.74.166
ns2.uzc12.biz.          7200    IN      A       207.6.75.110

103.206.91.24.in-addr.arpa domain name pointer h00402b45512d.ne.client2.attbi.com.
168.182.166.165.in-addr.arpa domain name pointer rhhe16-168.2wcm.comporium.net
110.75.6.207.in-addr.arpa domain name pointer d207-6-75-110.bchsia.telus.net

On Thu, 2003-10-09 at 11:53, Kee Hinckley wrote:
> At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
> >A few minutes later, or from a different nameserver, I get
> >
> >Name:    vano-soft.biz
> >Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
> >          12.252.185.129
> >
> >This is a real Hydra.  If everyone on the list looked up
> >vano-soft.biz and removed the trojaned boxes, would we be able to
> >kill it?
>
> I think in this instance your best approach may be to go after the
> name servers.  Anything else is going to be a game of whack-a-mole.
> Our spam filtering software actually uses the address of a domain's
> name server in its scoring system.  Sometimes that's the only way
> we've been able to reliably detect a spammer.
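The shape the poster is pointing at (five NS names, a 120-second NS TTL, eleven addresses scattered over unrelated networks, PTR names that look like cable/DSL customers) can be checked mechanically rather than by eye. The script below is an added example, not code from the post or from any NANOG contributor: it parses dig-style records re-typed from the message above, consults a constructed table of the three PTR names the post quotes, reports the fast-flux indicators, and returns the nameserver address set that a filter of the kind Kee Hinckley describes would score on. The residential-PTR heuristic and the thresholds (NS TTL at or below 300 s, five or more distinct /16s, three or more findings) are assumptions chosen for illustration, not values taken from the thread.

```python
"""Flag a domain whose NS records are served by a rotating pool of compromised hosts.

Added example; the thresholds and PTR heuristics below are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: the AUTHORITY/ADDITIONAL records quoted in the post,
# re-typed as dig-style lines. Not live DNS data.
SAMPLE_DIG = """\
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.
ns3.uzc12.biz. 7200 IN A 24.91.206.103
ns3.uzc12.biz. 7200 IN A 12.206.49.107
ns4.uzc12.biz. 7200 IN A 12.227.146.168
ns5.uzc12.biz. 7200 IN A 66.21.211.204
ns5.uzc12.biz. 7200 IN A 165.166.182.168
ns1.uzc12.biz. 7200 IN A 24.243.218.127
ns1.uzc12.biz. 7200 IN A 12.239.143.71
ns1.uzc12.biz. 7200 IN A 66.90.158.89
ns1.uzc12.biz. 7200 IN A 12.229.122.9
ns2.uzc12.biz. 7200 IN A 24.107.74.166
ns2.uzc12.biz. 7200 IN A 207.6.75.110
"""

# Constructed PTR table: the three reverse lookups quoted in the post.
# A real tool would resolve these; here they are embedded so the example runs offline.
SAMPLE_PTRS = {
    "24.91.206.103": "h00402b45512d.ne.client2.attbi.com",
    "165.166.182.168": "rhhe16-168.2wcm.comporium.net",
    "207.6.75.110": "d207-6-75-110.bchsia.telus.net",
}

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)$")

# Assumed heuristic: label tokens and "encoded address" label shapes that are
# typical of access-network PTR names (cable modem, DSL, DHCP pools).
RESIDENTIAL_TOKENS = ("client", "dsl", "cable", "dhcp", "dyn", "pool", "hsia", "ppp", "cm")
ENCODED_ADDR_RE = re.compile(r"^(h[0-9a-f]{12}|[a-z]*\d+-\d+-\d+-\d+|[a-z]+\d+-\d+)$")


def parse_records(text):
    """Return (ns_records, a_records) from dig-style RR lines.

    ns_records: list of (owner, ttl, nsdname); a_records: name -> [(ttl, ip)].
    """
    ns, a = [], defaultdict(list)
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        owner, ttl, rtype, rdata = m.groups()
        if rtype == "NS":
            ns.append((owner, int(ttl), rdata))
        else:
            a[owner].append((int(ttl), rdata))
    return ns, dict(a)


def looks_residential(ptr):
    """Heuristic: does this PTR name look like a broadband customer host?"""
    labels = ptr.lower().rstrip(".").split(".")
    return any(tok in lab for lab in labels for tok in RESIDENTIAL_TOKENS) or any(
        ENCODED_ADDR_RE.match(lab) for lab in labels
    )


def hydra_score(ns, a, ptrs):
    """Summarise the NS infrastructure and flag the rotating-pool ('hydra') shape."""
    ns_names = sorted({nsd for _, _, nsd in ns})
    min_ns_ttl = min((ttl for _, ttl, _ in ns), default=None)
    ns_ips = sorted({ip for name in ns_names for _, ip in a.get(name, [])})
    multihomed = [name for name in ns_names if len(a.get(name, [])) > 1]
    slash16s = {".".join(ip.split(".")[:2]) for ip in ns_ips}
    residential = [ip for ip in ns_ips if ip in ptrs and looks_residential(ptrs[ip])]

    findings = []
    if min_ns_ttl is not None and min_ns_ttl <= 300:  # assumed threshold
        findings.append("NS TTL %ds: delegation can be rotated within minutes" % min_ns_ttl)
    if multihomed:
        findings.append("%d of %d NS names resolve to more than one address"
                        % (len(multihomed), len(ns_names)))
    if len(slash16s) >= 5:  # assumed threshold
        findings.append("%d NS addresses spread across %d /16 networks"
                        % (len(ns_ips), len(slash16s)))
    if residential:
        findings.append("%d NS address(es) with broadband-style PTR names" % len(residential))
    return {
        "ns_names": len(ns_names),
        "ns_ips": ns_ips,           # the set a nameserver-address scoring rule would key on
        "min_ns_ttl": min_ns_ttl,
        "multihomed_ns": len(multihomed),
        "distinct_16s": len(slash16s),
        "residential_ptr": residential,
        "findings": findings,
        "hydra": len(findings) >= 3,  # assumed: three independent indicators
    }


if __name__ == "__main__":
    ns_records, a_records = parse_records(SAMPLE_DIG)
    result = hydra_score(ns_records, a_records, SAMPLE_PTRS)
    for finding in result["findings"]:
        print("-", finding)
    print("hydra:", result["hydra"], "ns addresses:", ", ".join(result["ns_ips"]))
```

The point of returning `ns_ips` rather than only a verdict is the one Hinckley makes in the quoted reply: the delegation addresses change far more slowly than the hosts a spam domain's A records point at, so they are the stable thing to score or block on. A legitimate multi-homed hosting provider can also trip the /16 and multi-address checks, which is why the residential-PTR and TTL indicators are kept separate and combined rather than any one of them used alone.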