North American Network Operators Group


Re: Interesting new dns failures

  • From: Jason Frisvold
  • Date: Mon May 21 13:59:46 2007


On 5/20/07, Roger Marquis <[email protected]> wrote:
Most of the individual nameservers do not answer queries, the ones
that do are open to recursion, and all are hosted in cable/dsl/dial-up
address space with correspondingly rfc-illegal reverse zones.  Running
'host -at ns' a few times shows the list of nameservers is rotated
every few seconds, and occasionally returns "server localhost".

They're likely not name servers, or at least not all name servers.. I'd venture a guess as to these being part of a "Snowshoe" spammer network... I've been getting hit by similar domains for a few weeks now.. Blocking seems to be the best way to handle them..

Looks like some of these are running nginx (http://nginx.net/) as a
web server...  I've seen others with centos installs..  My guess is
that the web servers are for management of the spamming software..

Roger Marquis

-- Jason 'XenoPhage' Frisvold [email protected] http://blog.godshell.com
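
The behaviour described in this message (an NS set that rotates every few seconds, nameservers in cable/dsl/dial-up space, an occasional "localhost" answer) can be scored from repeated polls. The Python below is an added example, not part of the original thread: the poll data is constructed, and the PTR regex, the treatment of a missing PTR as a hit, and the thresholds are assumptions to tune locally.

```python
import re

# Assumed heuristic: PTR labels typical of consumer access pools.
RESIDENTIAL = re.compile(r"cable|dsl|dial|dyn|pool|ppp|dhcp", re.I)

# Constructed polls of one domain's NS set, taken a few seconds apart.
# Each poll maps NS host name -> PTR name of its address (None = no PTR).
POLLS = [
    {"ns1.example.net": "c-192-0-2-10.cable.example.com",
     "ns2.example.net": "dsl-198-51-100-7.example.org"},
    {"ns3.example.net": "ppp-203-0-113-5.dialup.example.com",
     "ns4.example.net": None},
    {"localhost": None,
     "ns5.example.net": "pool-192-0-2-77.dyn.example.org"},
]

def churn(polls):
    """Mean Jaccard distance between consecutive NS sets (0 stable, 1 fully rotated)."""
    sets = [set(p) for p in polls]
    pairs = [(a, b) for a, b in zip(sets, sets[1:]) if a | b]
    if not pairs:
        return 0.0
    return sum(1 - len(a & b) / len(a | b) for a, b in pairs) / len(pairs)

def residential_fraction(polls):
    """Share of distinct nameservers whose PTR is missing or looks like access space."""
    seen = {ns: ptr for p in polls for ns, ptr in p.items() if ns != "localhost"}
    if not seen:
        return 0.0
    hits = sum(1 for ptr in seen.values() if ptr is None or RESIDENTIAL.search(ptr))
    return hits / len(seen)

def assess(polls, churn_min=0.5, resid_min=0.5):
    """Combine the signals into one verdict; thresholds are assumptions."""
    result = {
        "distinct_ns": len({ns for p in polls for ns in p}),
        "churn": round(churn(polls), 2),
        "residential": round(residential_fraction(polls), 2),
        "localhost_ns": any("localhost" in p for p in polls),
    }
    result["suspicious"] = result["localhost_ns"] or (
        result["churn"] >= churn_min and result["residential"] >= resid_min)
    return result

if __name__ == "__main__":
    print(assess(POLLS))
```
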