funsec mailing list archives

Re: Comment Spam: new trends, failing counter-measures and why it's a big deal


From: Valdis.Kletnieks () vt edu
Date: Mon, 13 Feb 2006 12:27:39 -0500

On Mon, 13 Feb 2006 12:09:19 EST, Dude VanWinkle said:

You could then crawl the .info whois database for domains registered
with matching information and blacklist all domains/IPs (netblock)
belonging to Mr Harauzek, finding out that he registered en masse 50
domains with duplicate whois info.

Another useful trick - blacklist all domains that share an NS entry with
the offending one.  If a nameserver is serving one black-hat domain, it's
probably either a hijacked machine (witness the crews that do round-robin
NS records out of compromised cablemodems), or it's a blackhat site.

(And yes, there's a slight chance they're on a mostly white-hat NS.  On the
other hand, the vast majority of DNS providers have learned to be more careful
about who they create zones for, just like most registrars have gotten a clue...)


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
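
The shared-NS rule from the message above, as an added example that is not part of the original post: it expands a blacklist one hop through shared nameservers and holds back nameservers that look like mostly white-hat providers. The domain names, the sample records and the `min_bad_ratio` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: domain -> NS hostnames, as NS lookups might return them.
NS_RECORDS = {
    "spam-pills.example": ["ns1.badhost.example.", "NS2.badhost.example"],
    "cheap-loans.example": ["ns1.badhost.example"],
    "casino-win.example": ["ns2.badhost.example", "ns1.bigdns.example"],
    "smallshop.example": ["ns1.bigdns.example", "ns2.bigdns.example"],
    "blog.example": ["ns1.bigdns.example", "ns2.bigdns.example"],
    "wiki.example": ["ns2.bigdns.example"],
    "spam-watches.example": ["ns1.bigdns.example"],
}

def norm(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()

def expand_blacklist(records, seeds, min_bad_ratio=0.5):
    """One-hop expansion: blacklist domains sharing an NS with a seed domain.

    min_bad_ratio is an assumed guard, not from the post: a nameserver only
    taints its other domains when at least that share of the domains seen on
    it are confirmed-bad seeds. Other nameservers go to manual review.
    """
    seeds = {norm(d) for d in seeds}
    by_ns = defaultdict(set)  # nameserver -> every domain seen on it
    for domain, servers in records.items():
        for ns in servers:
            by_ns[norm(ns)].add(norm(domain))

    blacklist, review = set(seeds), set()
    for ns, domains in by_ns.items():
        bad = domains & seeds
        if not bad:
            continue  # no confirmed-bad domain on this nameserver
        if len(bad) / len(domains) >= min_bad_ratio:
            blacklist |= domains  # dedicated black-hat or hijacked NS
        else:
            review.add(ns)  # probably a shared, mostly clean provider
    return blacklist, review

if __name__ == "__main__":
    seeds = ["spam-pills.example", "Spam-Watches.example."]
    listed, held = expand_blacklist(NS_RECORDS, seeds)
    print("blacklist:", sorted(listed))
    print("review:", sorted(held))
```

Setting `min_bad_ratio=0` applies the rule literally and also lists the two clean domains that share `ns1.bigdns.example` with a seed.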
