clickbank.net and bundleway.com

Paul Vixie vixie at isc.org
Sun Apr 13 18:35:20 UTC 2008


Jon.Kibler at aset.com ("Jon R. Kibler") writes:

> Anyone have any info on either of these domains?
> 
> I have seen several recent web sites that had an iframe
> that pointed to clickbank.net and "interesting" / hidden
> links to bundleway.com.
> 
> Haven't found much of use in a quick search of Google,
> except for a few claims of fraud against them. I suspect
> that they are some how related to affiliate programs?
> 
> TIA for anything you may be able to tell me!

the nameservers who answered questions about bundleway.com in the last ~150
days were:

        216.129.109.1
        66.117.40.198
        205.234.154.1
        205.234.170.165
        63.219.151.3
        216.49.92.249

the A RR is stable, no flux at all.  the nameservers are stable, also no flux.

1198886670 an bundleway.com IN A 1800,64.40.117.19 216.129.109.1
1197752951 ns bundleway.com IN NS 1800,ns0.dnsmadeeasy.com \
        1800,ns0.dnsmadeeasy.com.bundleway.com \
        1800,ns1.dnsmadeeasy.com \
        1800,ns1.dnsmadeeasy.com.bundleway.com \
        1800,ns2.dnsmadeeasy.com \
        1800,ns2.dnsmadeeasy.com.bundleway.com \
        1800,ns3.dnsmadeeasy.com \
        1800,ns3.dnsmadeeasy.com.bundleway.com \
        1800,ns4.dnsmadeeasy.com \
        1800,ns4.dnsmadeeasy.com.bundleway.com \
        216.129.109.1

note that there are no actual ".dnsmadeeasy.com.bundleway.com" nameservers,
so i suspect that somebody somewhere forgot a trailing "." or had the wrong
$ORIGIN or something.  this is in the zone, or at least, it's in all answers
from the zone's servers, it's consistent enough that i expect it's in-zone
rather than some kind of dns load balancing error.

most traffic seen under clickbank.net is A RR responses, here are the top 10
out of ~4600 or so:

        roeib.4idiots.hop.clickbank.net
        mediafire.noadware.hop.clickbank.net
        mediafire.spywarebot.hop.clickbank.net
        mediafire.regsmart.hop.clickbank.net
        mediafire.adalert.hop.clickbank.net
        mediafire.regcure.hop.clickbank.net
        delusions.sharezone.hop.clickbank.net
        rvrsephone.phonesrch.hop.clickbank.net
        esearching.movies01.hop.clickbank.net
        vvllc2.phonesrch.hop.clickbank.net
	...

it's pretty damning stuff.  the nameservers who produce these are, in order
by frequency (downward):

        209.81.12.120
        209.81.12.121
        64.128.87.120
        64.128.87.121
        216.99.132.5
        216.99.132.104

(no overlap with the dnsmadeeasy.com nameservers shown earlier.)  the A RR's
given by these *.hop.clickbank.net answers are always one of these three:

        900,209.81.12.132 900,209.81.12.133
        900,64.128.87.132 900,64.128.87.133
        900,209.81.12.134 900,209.81.12.135

that is, two A RRs in an RRset, TTL 900.  the first two are overwhelmingly
more frequent than the third one.  looks like some kind of load balancing.

there's a similar but less frequent pattern, *.pay.clickbank.net, whose A RRs
are always one of these two sets:

	900,209.81.12.134 900,209.81.12.135
	900,64.128.87.134 900,64.128.87.135

the MX RRs for clickbank.net are always

	900,10,a-mx.coloc8.net 900,20,b-mx.coloc8.net

except one recent sighting of the following:

	900,10,mx1.clickbank.net 900,10,mx2.clickbank.net

there are also A RRs for 3LDs hop, www, ssl, and zzz, plus a 2LD A RR.

i hope this helps.  it's all courtesy of ISC SIE and our generous sensors,
of whom i would welcome more.  if you run a recursive nameserver for some
population, and are willing to share your upstream server-to-server traffic
with ISC for use in security research and operations, plz send me e-mail.
-- 
Paul Vixie



More information about the NANOG mailing list