US DOJ victim letter

Andrew D. Dibble adibble at
Thu Jan 19 21:15:28 UTC 2012

Operation Ghost Click - someone in your AS has malware which changes their DNS server to an evil IP.  ICANN (IIRC) replaced these servers with clean ones around November 2011 and now it seems like the FBI is trying to contact everyone who is still talking to that server.

FBI seems to have a list of netblocks hosting rogue DNS servers here:

So if one of the computers inside your network is talking to one of those IPs for DNS, you probably have malware.


On Jan 19, 2012, at 1:03 PM, Tim Jackson wrote:

> The 3rd email they sent:
> This email is intended to provide clarification on a previous email
> sent to you. You will be receiving a letter by U.S. Postal Service in
> the coming days.  In the meantime, please visit the link below which
> provides more details on the investigation and identifying you as a
> possible victim:
> --
> Tim

More information about the NANOG mailing list