nanog mailing list archives
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
From: Mike Hyde <mhyde () escape ca>
Date: Thu, 09 Oct 2003 15:24:14 -0500
It looks like they are using their little team of zombie machines that are doing the port 80 redirect to also respond to DNS requests:

;; AUTHORITY SECTION:
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.

;; ADDITIONAL SECTION:
ns3.uzc12.biz. 7200 IN A 24.91.206.103
ns3.uzc12.biz. 7200 IN A 12.206.49.107
ns4.uzc12.biz. 7200 IN A 12.227.146.168
ns5.uzc12.biz. 7200 IN A 66.21.211.204
ns5.uzc12.biz. 7200 IN A 165.166.182.168
ns1.uzc12.biz. 7200 IN A 24.243.218.127
ns1.uzc12.biz. 7200 IN A 12.239.143.71
ns1.uzc12.biz. 7200 IN A 66.90.158.89
ns1.uzc12.biz. 7200 IN A 12.229.122.9
ns2.uzc12.biz. 7200 IN A 24.107.74.166
ns2.uzc12.biz. 7200 IN A 207.6.75.110

103.206.91.24.in-addr.arpa domain name pointer h00402b45512d.ne.client2.attbi.com.
168.182.166.165.in-addr.arpa domain name pointer rhhe16-168.2wcm.comporium.net
110.75.6.207.in-addr.arpa domain name pointer d207-6-75-110.bchsia.telus.net

On Thu, 2003-10-09 at 11:53, Kee Hinckley wrote:
> At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
>> A few minutes later, or from a different nameserver, I get
>>
>> Name: vano-soft.biz
>> Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>> 12.252.185.129
>>
>> This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?
>
> I think in this instance your best approach may be to go after the name servers. Anything else is going to be a game of whack-a-mole. Our spam filtering software actually uses the address of a domain's name server in its scoring system. Sometimes that's the only way we've been able to reliably detect a spammer.
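
An added example, not part of either post and not the filtering software mentioned above: a small scorer that reads dig-style AUTHORITY/ADDITIONAL records and flags the two traits visible in the output quoted in this message, short NS TTLs and one name server name resolving into several unrelated networks. The function names, the 300-second TTL floor and the /16 grouping are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of the dig output quoted above;
# names are hypothetical and addresses are from documentation ranges.
SAMPLE = """\
;; AUTHORITY SECTION:
shop.example. 120 IN NS ns1.flux.example.
shop.example. 120 IN NS ns2.flux.example.
;; ADDITIONAL SECTION:
ns1.flux.example. 7200 IN A 192.0.2.10
ns1.flux.example. 7200 IN A 198.51.100.77
ns1.flux.example. 7200 IN A 203.0.113.5
ns2.flux.example. 7200 IN A 198.51.100.200
ns2.flux.example. 7200 IN A 203.0.113.91
"""

def parse_records(text):
    """Return ({ns_host: NS TTL}, {host: set of A addresses})."""
    ns_ttl, glue = {}, defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) != 5 or fields[2] != "IN":
            continue  # section headers, blanks, anything not "owner ttl IN type rdata"
        owner, ttl, _, rtype, rdata = fields
        if rtype == "NS":
            ns_ttl[rdata.lower()] = int(ttl)
        elif rtype == "A":
            glue[owner.lower()].add(ipaddress.ip_address(rdata))
    return ns_ttl, glue

def score_delegation(text, ttl_floor=300, prefix=16):
    """Score a delegation; ttl_floor and prefix are assumed thresholds."""
    ns_ttl, glue = parse_records(text)
    score, reasons = 0, []
    for host in sorted(ns_ttl):
        if ns_ttl[host] < ttl_floor:  # short-lived NS records
            score += 1
            reasons.append(f"{host}: NS TTL {ns_ttl[host]}s")
        nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False)
                for a in glue.get(host, ())}
        if len(nets) > 1:  # one server name spread over unrelated networks
            score += len(nets) - 1
            reasons.append(f"{host}: addresses in {len(nets)} /{prefix} networks")
    return score, reasons

if __name__ == "__main__":
    total, why = score_delegation(SAMPLE)
    print(total, *why, sep="\n")
```

A delegation with long NS TTLs and one address per server scores zero, so the score separates the pattern above from an ordinary setup without needing a list of known-bad addresses.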