[dns-operations] negative caching of throwaway spam domains

william(at)elan.net william at elan.net
Thu Jul 6 22:15:11 UTC 2006


On Thu, 6 Jul 2006, Rick Wesson wrote:

> william(at)elan.net wrote:
>> 
>> I'm actually not exactly sure what you mean above. But in the same space
>> for complex email filtering systems (that don't just do pass/fail), the
>> total registration time of the domain (i.e. creation date from
>> whois) is a good input, i.e. while < 1 day old might be viewed as a -2
>> negative score, > 3 years old might be viewed as a +2 positive input score.
>>
>> DNS zone parsing is not a good parameter for this, but as I mentioned on
>> nanog long ago, internic whois is (although it's not really designed for
>> high-rate tests, with caching it works).
>> 
>
> we aren't talking to the whois, we watch to see what is registered each day and
> compile a list from that which is published via dnsrbl.

I know. That is why I said the same method you use cannot work when you
want an answer beyond a given fixed small time period.

---

BTW - as far as the .com/.net zonefile, I really do wish they provided the deltas
I asked for some time ago.... Especially as I had recently noticed
increased queries for the same domains which in whois show different
information as far as the nameserver IP address than what it was the previous hour.
Looking at one of these manually gave me a glimpse of where a spammer had
installed proxy redirectors on zombied machines (redirecting data
destined to ports 53 & 80) and then has a DNS server that dynamically
answers with a different list of IP addresses based on the currently active
zombies the spammer controls. The answer is actually rather strange - the
nameserver provides an empty list when queried for NS but provides a list
of addresses for an A query for the domain or a subdomain (i.e. wildcard).
When I tried DNS fingerprinting it said that it's running "MyDNS".
You can find my view of the data in the following usenet post:

http://groups.google.com/group/news.admin.net-abuse.email/msg/402a501ce09f4909?dmode=source&hl=en

I wanted to try to see if I actually receive an answer from the same network
where the query was sent to (i.e. if they redirect the answer back through
the zombied PC or send it out directly), but unfortunately I don't have a
wide enough network to test this for certain (nor could I get good
enough response latency data to know it based on the answer). Does anybody
here have more familiarity with the above tactics by spammers? (Answering
privately is OK if you cannot share it on the public list right now.)

-- 
William Leibzon
Elan Networks
william at elan.net
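The two heuristics discussed in the message above (whois creation date as a reputation input, and an authoritative server that answers nothing for NS yet hands out a changing A-record set for wildcard names, observed across hourly queries), pulled together in an added Python example. This is not the author's code and not any list member's tool: the whois excerpts, NS answers and hourly A-record snapshots are constructed, the "Creation Date:" field layouts are an assumption about registry whois output, and every weight other than the -2 / +2 age thresholds from the post is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example: scores a domain with the heuristics from the post above.
# Not the author's code. Whois text, NS answers and A-record snapshots are
# constructed; weights other than the -2/+2 age thresholds are assumptions.

_CREATION_RE = re.compile(r"^\s*Creation Date:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
# Two layouts seen in registry whois output (assumption: the field is named
# "Creation Date"); strptime matches month abbreviations case-insensitively.
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%d-%b-%Y", "%Y-%m-%d")


def parse_creation_date(whois_text):
    """Return the creation date from a whois record as a UTC datetime, or None."""
    match = _CREATION_RE.search(whois_text)
    if not match:
        return None
    raw = match.group(1)
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def age_score(created, now):
    """Registration-age input: < 1 day old -> -2, > 3 years old -> +2,
    anything between (or unknown) -> 0 (the middle band is an assumption)."""
    if created is None:
        return 0
    age = now - created
    if age < timedelta(days=1):
        return -2
    if age > timedelta(days=3 * 365):
        return 2
    return 0


def churn_ratio(a_snapshots):
    """Fraction of consecutive A-record snapshots whose address set changed.
    Each snapshot is the set of IPs one hourly query returned."""
    if len(a_snapshots) < 2:
        return 0.0
    changed = sum(1 for prev, cur in zip(a_snapshots, a_snapshots[1:]) if prev != cur)
    return changed / (len(a_snapshots) - 1)


def assess(whois_text, ns_answer, a_snapshots, now):
    """Combine the inputs into one score and a verdict. Assumed weights:
    empty NS answer while A queries succeed -> -2; churn >= 0.5 -> -2;
    verdict is "suspicious" at score <= -2."""
    created = parse_creation_date(whois_text)
    score = age_score(created, now)
    empty_ns = not ns_answer and any(a_snapshots)
    churn = churn_ratio(a_snapshots)
    if empty_ns:
        score -= 2
    if churn >= 0.5:
        score -= 2
    return {
        "created": created,
        "age_score": age_score(created, now),
        "empty_ns_with_a": empty_ns,
        "churn": churn,
        "distinct_ips": len(set().union(*a_snapshots)) if a_snapshots else 0,
        "score": score,
        "verdict": "suspicious" if score <= -2 else "ok",
    }


# Constructed inputs (documentation address ranges, made-up names).
NOW = datetime(2006, 7, 6, 22, 15, tzinfo=timezone.utc)

SPAM_WHOIS = """Domain Name: CHEAP-PILLS-TODAY.COM
   Creation Date: 06-jul-2006
   Expiration Date: 06-jul-2007
"""
SPAM_NS = []                      # nameserver answers nothing for NS
SPAM_A = [                        # wildcard A answers, one snapshot per hour
    {"192.0.2.15", "198.51.100.7"},
    {"198.51.100.7", "203.0.113.40"},
    {"203.0.113.40", "192.0.2.88"},
]

LEGIT_WHOIS = """Domain Name: EXAMPLE.COM
   Creation Date: 1999-03-15T00:00:00Z
"""
LEGIT_NS = ["ns1.example.net.", "ns2.example.net."]
LEGIT_A = [{"192.0.2.10"}, {"192.0.2.10"}, {"192.0.2.10"}]


if __name__ == "__main__":
    for label, args in (("spam", (SPAM_WHOIS, SPAM_NS, SPAM_A)),
                        ("legit", (LEGIT_WHOIS, LEGIT_NS, LEGIT_A))):
        print(label, assess(*args, NOW))
```

With these inputs the constructed spam domain lands at -6 (registered the same day, no NS answer, every hourly A snapshot different) and the long-lived domain at +2. In a real filter the snapshots would come from repeated queries against the domain's authoritative server and the whois text from a cached lookup, as the post notes whois is not built for high-rate queries.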



More information about the dns-operations mailing list