Wired mag article on spammers playing traceroute games with trojaned boxes
Mike Hyde
mhyde at escape.ca
Thu Oct 9 20:24:14 UTC 2003
It looks like they are using their little team of zombie machines that
are doing the port 80 redirect to also respond to DNS requests:
;; AUTHORITY SECTION:
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.
;; ADDITIONAL SECTION:
ns3.uzc12.biz. 7200 IN A 24.91.206.103
ns3.uzc12.biz. 7200 IN A 12.206.49.107
ns4.uzc12.biz. 7200 IN A 12.227.146.168
ns5.uzc12.biz. 7200 IN A 66.21.211.204
ns5.uzc12.biz. 7200 IN A 165.166.182.168
ns1.uzc12.biz. 7200 IN A 24.243.218.127
ns1.uzc12.biz. 7200 IN A 12.239.143.71
ns1.uzc12.biz. 7200 IN A 66.90.158.89
ns1.uzc12.biz. 7200 IN A 12.229.122.9
ns2.uzc12.biz. 7200 IN A 24.107.74.166
ns2.uzc12.biz. 7200 IN A 207.6.75.110
103.206.91.24.in-addr.arpa domain name pointer
h00402b45512d.ne.client2.attbi.com.
168.182.166.165.in-addr.arpa domain name pointer
rhhe16-168.2wcm.comporium.net
110.75.6.207.in-addr.arpa domain name pointer
d207-6-75-110.bchsia.telus.net
On Thu, 2003-10-09 at 11:53, Kee Hinckley wrote:
> At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
> >A few minutes later, or from a different nameserver, I get
> >
> >Name: vano-soft.biz
> >Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
> > 12.252.185.129
> >
> >This is a real Hydra. If everyone on the list looked up
> >vano-soft.biz and removed the trojaned boxes, would we be able to
> >kill it?
>
> I think in this instance your best approach may be to go after the
> name servers. Anything else is going to be a game of whack-a-mole.
> Our spam filtering software actually uses the address of a domain's
> name server in its scoring system. Sometimes that's the only way
> we've been able to reliably detect a spammer.
More information about the NANOG mailing list
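The pattern in the thread, a domain whose name servers are many A records on residential cable and DSL addresses with a short NS TTL, can be scored from a dig answer plus reverse lookups, which is the "score on the name server's address" idea Kee describes. The script below is an added example, not code from the post or from NANOG. It parses the AUTHORITY/ADDITIONAL records and the three PTR names quoted above (embedded so it runs offline), groups the name-server addresses by /16, and adds points for a short NS TTL, many unrelated prefixes, and residential-looking PTR names. The function names, the residential token list, the /16 grouping and the point weights are all assumptions chosen for illustration; tune them for your own environment.

```python
import ipaddress
import re
from collections import defaultdict

# Sample records, constructed from the AUTHORITY/ADDITIONAL output in the post.
SAMPLE_RECORDS = """\
;; AUTHORITY SECTION:
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.
;; ADDITIONAL SECTION:
ns3.uzc12.biz. 7200 IN A 24.91.206.103
ns3.uzc12.biz. 7200 IN A 12.206.49.107
ns4.uzc12.biz. 7200 IN A 12.227.146.168
ns5.uzc12.biz. 7200 IN A 66.21.211.204
ns5.uzc12.biz. 7200 IN A 165.166.182.168
ns1.uzc12.biz. 7200 IN A 24.243.218.127
ns1.uzc12.biz. 7200 IN A 12.239.143.71
ns1.uzc12.biz. 7200 IN A 66.90.158.89
ns1.uzc12.biz. 7200 IN A 12.229.122.9
ns2.uzc12.biz. 7200 IN A 24.107.74.166
ns2.uzc12.biz. 7200 IN A 207.6.75.110
"""

# Reverse-lookup results, constructed from the host output in the post. In
# production these come from live PTR queries; embedded here to run offline.
SAMPLE_PTR = {
    "24.91.206.103": "h00402b45512d.ne.client2.attbi.com",
    "165.166.182.168": "rhhe16-168.2wcm.comporium.net",
    "207.6.75.110": "d207-6-75-110.bchsia.telus.net",
}

# Substrings typical of dynamic/residential PTR names (assumed list, not authoritative).
RESIDENTIAL_TOKENS = ("client", "dsl", "cable", "dyn", "hsia", "ppp", "dhcp", "pool")

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)$")


def parse_records(text):
    """Parse dig-style NS and A lines; ';;' comment lines are skipped.

    Returns ({zone: {ns_name: ttl}}, {name: [(IPv4Address, ttl), ...]}).
    """
    ns_by_zone, a_by_name = defaultdict(dict), defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = RR_RE.match(line) if line and not line.startswith(";") else None
        if not m:
            continue
        owner, ttl, rtype, rdata = m.groups()
        owner, rdata = owner.rstrip(".").lower(), rdata.rstrip(".").lower()
        if rtype == "NS":
            ns_by_zone[owner][rdata] = int(ttl)
        else:
            a_by_name[owner].append((ipaddress.ip_address(rdata), int(ttl)))
    return ns_by_zone, a_by_name


def looks_residential(ip, ptr_table):
    """True if the PTR name carries a residential token or embeds the address itself."""
    ptr = ptr_table.get(str(ip), "").lower()
    if not ptr:
        return False
    return str(ip).replace(".", "-") in ptr or any(t in ptr for t in RESIDENTIAL_TOKENS)


def analyze_zone(zone, ns_by_zone, a_by_name, ptr_table, max_ns_ttl=300, min_prefixes=3):
    """Score one zone from three signals; the weights (1/2/2) are assumptions."""
    ns_map = ns_by_zone.get(zone, {})
    addrs = [ip for ns in ns_map for ip, _ in a_by_name.get(ns, [])]
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in addrs}
    residential = [str(ip) for ip in addrs if looks_residential(ip, ptr_table)]
    short_ttl = any(ttl <= max_ns_ttl for ttl in ns_map.values())

    score, reasons = 0, []
    if short_ttl:
        score += 1
        reasons.append(f"NS TTL <= {max_ns_ttl}s")
    if len(prefixes) >= min_prefixes:
        score += 2
        reasons.append(f"{len(prefixes)} distinct /16s behind {len(ns_map)} name servers")
    if residential:
        score += 2
        reasons.append(f"{len(residential)} name-server address(es) with residential PTRs")
    return {"zone": zone, "nameservers": sorted(ns_map), "addresses": sorted(map(str, addrs)),
            "prefixes": len(prefixes), "residential": residential,
            "short_ttl": short_ttl, "score": score, "reasons": reasons}


def analyze_sample():
    """Run the heuristic over the data quoted in the post."""
    ns_by_zone, a_by_name = parse_records(SAMPLE_RECORDS)
    return analyze_zone("vano-soft.biz", ns_by_zone, a_by_name, SAMPLE_PTR)


if __name__ == "__main__":
    result = analyze_sample()
    print(f"{result['zone']}: score {result['score']}; " + "; ".join(result["reasons"]))
```

On the sample data the zone scores 5: the NS TTL of 120 s, eleven /16s behind five name servers, and two addresses whose PTR names look residential. Only three of the eleven addresses had reverse lookups in the post, so the residential signal here is a lower bound; a production version would resolve every A record and would also re-query the domain over time, since Chris's observation that the answer changes between lookups is itself a signal.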