[dns-operations] Lots of queries for TXT records?

Paul Ferguson fergdawgster at gmail.com
Wed Apr 8 04:27:52 UTC 2009

On Tue, Apr 7, 2009 at 9:01 PM, Rob Thomas <robt at cymru.com> wrote:

> Hey, Chris.
> Thanks for the heads-up!
>> I am seeing a lot of queries for TXT records for "deepholeforyou.info"
>> from a number of clients (many making several dozen requests per
>> second).  Earlier, this was returning huge TXT records (I was seeing 4-5
>> times as much traffic from my recursive server), but now they've been
>> replaced by a CNAME to fworld.net (with no TXT records).
> I see these queries beginning at least as early as 2009-04-03 01:50:12
> UTC, and perhaps earlier.  I'm doing more digging now.
>> Is there some virus/worm I haven't yet heard of causing this?
> Unclear.  A quick scan of our malware menagerie didn't turn up any hits,
> but I'm still looking.

This domain looks fishy (not necessarily phishy).

Right now it's parked at Cheapnames.com, but when domain registration data
shows "timjunk at mail.ru" as the tech contact, my Russkrainian cyber criminal
radar starts red-lining. :-)

A little Google foo turned up this, however:


...which indicates that this is not an isolated incident.

- ferg

"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 ferg's tech blog: http://fergdawg.blogspot.com/
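
Added example, not part of the original thread: one way to flag the pattern described in the quoted report (clients sending several dozen TXT queries per second for one name) from resolver query logs. The BIND-style log format, the threshold of 24 per second and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed BIND 9 querylog-style line, e.g.:
# 08-Apr-2009 04:27:52.123 client 192.0.2.10#53211: query: example.org IN TXT +
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d)\S* client (?:@\S+ )?(?P<ip>\S+?)#\d+"
    r"(?: \(\S+\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def txt_query_bursts(lines, threshold=24):
    """Return {(client, qname): peak TXT queries seen in any one second}
    for pairs whose peak reaches `threshold` (an assumed value standing in
    for "several dozen per second"; tune it to the resolver's normal load)."""
    per_second = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["qtype"].upper() != "TXT":
            continue  # skip unparsable lines and other record types
        # Normalise case and the trailing dot so one name is counted once.
        key = (m["ip"], m["qname"].lower().rstrip("."))
        per_second[key + (m["ts"],)] += 1
    peaks = {}
    for (ip, qname, _ts), n in per_second.items():
        peaks[(ip, qname)] = max(n, peaks.get((ip, qname), 0))
    return {k: v for k, v in peaks.items() if v >= threshold}

def constructed_sample():
    """Constructed log lines; client addresses are documentation ranges."""
    lines = []
    for i in range(40):  # one client, 40 identical TXT queries in one second
        lines.append(f"08-Apr-2009 04:27:52.{i:03d} client 192.0.2.10#{40000 + i}: "
                     "query: deepholeforyou.info IN TXT +")
    for i in range(5):   # same client, a quieter following second
        lines.append(f"08-Apr-2009 04:27:53.{i:03d} client 192.0.2.10#{41000 + i}: "
                     "query: DeepHoleForYou.info. IN TXT +")
    lines += [           # an ordinary client plus a line that does not parse
        "08-Apr-2009 04:27:52.500 client 198.51.100.7#5353: query: example.org IN A +",
        "08-Apr-2009 04:27:53.100 client 198.51.100.7#5354: query: example.org IN TXT +",
        "08-Apr-2009 04:27:53.200 general: info: not a query line",
    ]
    return lines

if __name__ == "__main__":
    for (ip, qname), peak in sorted(txt_query_bursts(constructed_sample()).items()):
        print(f"{ip} {qname} TXT peak={peak}/s")
```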

