Interesting use of DNS glue records by spammers
Suresh Ramasubramanian
suresh at outblaze.com
Mon Jan 26 03:37:05 UTC 2004
Saw this elsewhere, sounds interesting enough to forward on.
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
> I just today got two spams that showed me a new spammer DNS trick (new
> to me, at least).
>
> Rather than use fictitious domain names, I'll use the actual names from
> one of the spams. The basic trick is the same either way.
>
> nepzzz.com is spamvertised. Its registration specifies nameservers in
> nictxt.com. nictxt.com has been taken over by its registrar,
> apparently for invalid contact info (and good for them). But they
> didn't go quite far enough; while querying the gtld-servers.net servers
> for nictxt.com returns NXDOMAIN, querying them for nepzzz.com returns
> delegation NS records under nictxt.com _with glue A records_, thereby
> defeating the registrar's attempted removal of the domain.
>
> The other spam was for ahottieiswhatiwant.com, with nameservers in
> 9t5.net; the basic trick is the same.
>
> In each case, I sent a message suggesting that rather than just
> pointing it at their own servers, they point the domain at the names
> the spammers used (which require glue records) but supply glue pointing
> to the registrar's server(s), thereby getting the glue the spammers
> injected into the gtld-servers system replaced.
>
> So be careful when poking at the DNS while spamhaus-hunting. If you
> query for the wrong thing you may be misled into thinking something has
> been taken down when it hasn't.
More information about the NANOG mailing list