North American Network Operators Group
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
At 11:51 AM 10/9/2003, Chris Boyd wrote:
They're using extremely low TTLs on most of their records, typically 2 minutes, to accomplish this. The thing is, I would imagine at least ONE of those NS servers cannot change within a 2 hour window, whereas the others can change every 2 minutes. If you identify the server that only changes every 2 hours and track what it's replaced with every 2 hours, you're likely to find a rotating list of master servers...

Another question is why NeuLevel (the registrar for .biz) is allowing TTLs on the NS records to be 2 hours and submitting those to the GTLD servers. Maybe it's just me, but that's the first time I've seen a registrar set such a low TTL on an NS record. If NeuLevel is any good they would likely have some sort of information to identify the owner of the domain, even if the information listed on their whois server is invalid. They might have a credit card transaction, although that too could always be a stolen credit card number.

On Thursday, October 9, 2003, at 10:04 AM, Suresh Ramasubramanian wrote:

I found one of these today, as a matter of fact. The spam was advertising an anti-spam package, of course.
http://www.wired.com/news/business/0,1367,60747,00.html

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Any other ideas or different angles/experiences?
; <<>> DiG 9.2.2 <<>> +trace a vano-soft.biz.
;; global options: printcmd
. 80336 IN NS l.root-servers.net.
. 80336 IN NS m.root-servers.net.
. 80336 IN NS i.root-servers.net.
. 80336 IN NS e.root-servers.net.
. 80336 IN NS d.root-servers.net.
. 80336 IN NS a.root-servers.net.
. 80336 IN NS h.root-servers.net.
. 80336 IN NS c.root-servers.net.
. 80336 IN NS g.root-servers.net.
. 80336 IN NS f.root-servers.net.
. 80336 IN NS b.root-servers.net.
. 80336 IN NS j.root-servers.net.
. 80336 IN NS k.root-servers.net.
;; Received 449 bytes from 22.214.171.124#53(126.96.36.199) in 40 ms
biz. 172800 IN NS A.GTLD.biz.
biz. 172800 IN NS B.GTLD.biz.
biz. 172800 IN NS C.GTLD.biz.
biz. 172800 IN NS D.GTLD.biz.
biz. 172800 IN NS E.GTLD.biz.
biz. 172800 IN NS F.GTLD.biz.
;; Received 228 bytes from 188.8.131.52#53(l.root-servers.net) in 270 ms
vano-soft.biz. 7200 IN NS NS1.UZC12.biz.
vano-soft.biz. 7200 IN NS NS2.UZC12.biz.
vano-soft.biz. 7200 IN NS NS3.UZC12.biz.
vano-soft.biz. 7200 IN NS NS4.UZC12.biz.
vano-soft.biz. 7200 IN NS NS5.UZC12.biz.
;; Received 223 bytes from 184.108.40.206#53(A.GTLD.biz) in 150 ms
vano-soft.biz. 120 IN A 220.127.116.11
vano-soft.biz. 120 IN A 18.104.22.168
vano-soft.biz. 120 IN A 22.214.171.124
vano-soft.biz. 120 IN A 126.96.36.199
vano-soft.biz. 120 IN A 188.8.131.52
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
;; Received 287 bytes from 184.108.40.206#53(NS4.UZC12.biz) in 130 ms
(973)300-9211 x 125
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
There are 10 kinds of people in the world. Those who understand binary and those that don't.
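A small parser for dig +trace output of the kind quoted in this thread, scoring the two signals the post describes: many A records on a very short TTL, and a zone-served NS TTL far below the delegation TTL at the registry (which makes the parent's NS set the slow-moving anchor to track). This is an added example, not code from the thread or from anyone on it; the sample trace is constructed with RFC 5737 placeholder addresses and the thresholds are assumptions.

```python
import re

# Constructed sample shaped like the trace above; addresses are RFC 5737 placeholders.
SAMPLE_TRACE = """\
vano-soft.biz. 7200 IN NS NS1.UZC12.biz.
vano-soft.biz. 7200 IN NS NS2.UZC12.biz.
;; Received 223 bytes from 192.0.2.1#53(A.GTLD.biz) in 150 ms
vano-soft.biz. 120 IN A 192.0.2.10
vano-soft.biz. 120 IN A 192.0.2.11
vano-soft.biz. 120 IN A 192.0.2.12
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.
;; Received 287 bytes from 192.0.2.2#53(NS2.UZC12.biz) in 130 ms
"""
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
SERVER_RE = re.compile(r"\((\S+?)\)")

def parse_trace(text):
    """One section per responding server: (server, [(owner, ttl, type, rdata)])."""
    sections, pending = [], []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            pending.append((owner.lower(), int(ttl), rtype, rdata.lower()))
        elif line.startswith(";; Received"):
            server = SERVER_RE.search(line)
            sections.append((server.group(1).lower() if server else "?", pending))
            pending = []
    return sections

def flux_indicators(sections, domain, max_a_ttl=300, min_a_count=3):
    """Signals from the thread: many A records on a very short TTL, and a zone NS TTL
    far below the delegation TTL (the parent's NS set is the slow-moving anchor).
    Thresholds are assumptions, not values from the thread."""
    domain = domain.lower().rstrip(".") + "."
    delegation_ttl = zone_ttl = None
    a_ttls = []
    for _server, rrs in sections:
        ns = [ttl for o, ttl, t, _ in rrs if o == domain and t == "NS"]
        a = [ttl for o, ttl, t, _ in rrs if o == domain and t == "A"]
        if a:                                # answer from the zone's own servers
            a_ttls, zone_ttl = a, (min(ns) if ns else None)
        elif ns and delegation_ttl is None:  # referral handed out by the parent
            delegation_ttl = min(ns)
    return {"a_count": len(a_ttls), "a_min_ttl": min(a_ttls) if a_ttls else None,
            "delegation_ns_ttl": delegation_ttl, "zone_ns_ttl": zone_ttl,
            "suspect": bool(a_ttls) and len(a_ttls) >= min_a_count and min(a_ttls) <= max_a_ttl}
```

Feed it the saved output of `dig +trace a <domain>` and repeat every few minutes; a domain whose A set churns while `delegation_ns_ttl` stays large is the case the post describes.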