Interesting use of DNS glue records by spammers

Suresh Ramasubramanian suresh at outblaze.com
Mon Jan 26 03:37:05 UTC 2004


Saw this elsewhere, sounds interesting enough to forward on.

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations

> I just today got two spams that showed me a new spammer DNS trick (new
> to me, at least).
> 
> Rather than use fictitious domain names, I'll use the actual names from
> one of the spams.  The basic trick is the same either way.
> 
> nepzzz.com is spamvertised.  Its registration specifies nameservers in
> nictxt.com.  nictxt.com has been taken over by its registrar,
> apparently for invalid contact info (and good for them).  But they
> didn't go quite far enough; while querying the gtld-servers.net servers
> for nictxt.com returns NXDOMAIN, querying them for nepzzz.com returns
> delegation NS records under nictxt.com _with glue A records_, thereby
> defeating the registrar's attempted removal of the domain.
> 
> The other spam was for ahottieiswhatiwant.com, with nameservers in
> 9t5.net; the basic trick is the same.
> 
> In each case, I sent a message suggesting that rather than just
> pointing it at their own servers, they point the domain at the names
> the spammers used (which require glue records) but supply glue pointing
> to the registrar's server(s), thereby getting the glue the spammers
> injected into the gtld-servers system replaced.
> 
> So be careful when poking at the DNS while spamhaus-hunting.  If you
> query for the wrong thing you may be misled into thinking something has
> been taken down when it hasn't.
