[dns-operations] MX record scanning

Rick Wesson rick at support-intelligence.com
Mon May 9 17:30:32 UTC 2011


FWIW, when we deploy a new domain into our smtp traps, it takes less than 24
hours for the MX to be found and for the servers listed in the MX to start
receiving spam. MX scanning has been going on for a very long time, but it
looks like the ccTLDs are being specifically targeted. Interesting as this
would indicate that your zone contents have leaked to someone thus allowing
them to scan your dns names.

What would be interesting is how long a new delegation takes to be scanned.

-rick


On Mon, May 9, 2011 at 9:46 AM, Simon Munton
<Simon.Munton at communitydns.net> wrote:

> We are also seeing this across four of the ccTLDs we host, we notified the
> ccTLD managers when we were confident it wasn't just going to go away.
>
> It started about 8pm Friday (UTC) and has been going on since, for example
> :-
>
> http://stats.cdns.net/public/0.0.0.1/00116B-933516.html
>
> The pattern of nodes it is hitting suggests the traffic is originating from
> China Telecom, but we've not substantiated that for certain yet.
>
> It's using a wide range of different source IP Addresses, but isn't really
> high enough in volume to be called an "attack".