[dns-operations] MX record scanning

Rickard Dahlstrand rickard.dahlstrand at iis.se
Mon May 16 15:54:19 UTC 2011


Hi Jake,

I read up on this last fall (we have seen this for a long time now), and from what I understand these honeytraps feed the spam-spiders with random domains as they traverse the Internet in search of domain names. So I assume these are generated by the websites and not the spambot itself.

Found something regarding this here http://en.wikipedia.org/wiki/E-mail_address_harvesting#Anti-harvesting_methods and here http://www.fleiner.com/bots/#trap .

However, I agree that it seems strange that they repeat the query; perhaps they use some broken way of spreading the load in the botnet cluster.

Rickard.

On 16 May 2011, at 17:26, Jake Zack wrote:

> The "spambot killer" doesn't appear to be randomly generating domains  
> in real-time, or if it does, it appears to be doing a fairly lousy job  
> at randomness.
> 
> But if this was static content sitting on a webpage somewhere,  
> shouldn't I be able to find it via Google (isn't that how the botnet  
> runner would've found it?).
> 
> Take these domains, for instance:
> 
> 8zyhiupjnkt.ca     x12 queries by 8 separate IPs.
> fviqfdut7o.ca      x12 queries by 3 separate IPs.
> q1x83faa55lv.ca    x12 queries by 2 separate IPs.
> e9b6iykd1yn.ca     x12 queries by 2 separate IPs.
> 
> The IP address "41.191.111.18" was involved in each of the above, no  
> other commonality.
> 
> kx0xgtlu.ca        x12 queries by 5 separate IPs.
> e3j3kcv2p46.ca     x12 queries by 3 separate IPs.
> k1bfv00ygbp0.ca    x12 queries by 2 separate IPs.
> 
> The IP address "2.133.215.113" was involved in each of the above, no  
> other commonality.
> 
> aqwuf-guohu.ca     x12 queries by 7 separate IPs.
> wmt0isw5pv2z.ca    x12 queries by 5 separate IPs.
> kauoc97tivd.ca     x12 queries by 5 separate IPs.
> 
> The IP address "213.142.200.131" was involved in each of the above, no  
> other commonality.
> 
> And if it's so bad at generating randomness, why is the above so
> inconsistent?  How can 4 different IPs query the same random junk in
> one case, but not in future cases?
> 
> Should we consider creating a task force along the lines of the  
> Conficker Working Group to try to figure this all out?
> 
> -Jacob Zack
> DNS Administrator - CIRA (.CA TLD)
> 
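The per-name, per-client tally Jake describes above (how many times each random-looking name was asked for, by how many distinct addresses, and which address is common to several names), as an added example that is not part of the original thread. It is a small Python script run over a constructed, BIND-style query log: the log layout is assumed, the client addresses are RFC 5737 documentation ranges rather than the ones in the post, and `looks_random` is a heuristic of my own, not a classifier anyone on the list used.

```python
"""Tally MX queries for random-looking names by client address.

Added example, not code from the dns-operations thread. The query-log
layout below is assumed (BIND-style "client <ip>#<port>: query: <qname> IN <qtype>");
adjust QUERY_RE for whatever your server actually logs.
"""
import math
import re
from collections import defaultdict

# Constructed sample log. Client addresses are RFC 5737 documentation ranges,
# not the addresses quoted in the post; the random-looking names are the ones
# the post lists, plus one ordinary name that the heuristic must not flag.
SAMPLE_LOG = """\
16-May-2011 15:01:02.100 client 203.0.113.18#53211: query: 8zyhiupjnkt.ca IN MX +
16-May-2011 15:01:02.105 client 203.0.113.18#53211: query: 8zyhiupjnkt.ca IN MX +
16-May-2011 15:01:03.210 client 198.51.100.7#40112: query: 8zyhiupjnkt.ca IN MX +
16-May-2011 15:01:04.000 client 203.0.113.18#53211: query: fviqfdut7o.ca IN MX +
16-May-2011 15:01:04.300 client 192.0.2.9#61000: query: fviqfdut7o.ca IN MX +
16-May-2011 15:01:05.000 client 203.0.113.18#53211: query: q1x83faa55lv.ca IN MX +
16-May-2011 15:01:05.500 client 198.51.100.7#40113: query: q1x83faa55lv.ca IN A +
16-May-2011 15:01:06.000 client 192.0.2.44#1234: query: example.ca IN MX +
16-May-2011 15:01:07.000 client 192.0.2.44#1234: query: example.ca IN A +
"""

# Assumed log layout; tolerant of anything after the qtype (flags, view names).
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return (client_ip, qname, qtype) tuples; qname lower-cased, trailing dot stripped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append((m["ip"], m["qname"].lower().rstrip("."), m["qtype"].upper()))
    return records


def label_entropy(label):
    """Shannon entropy of a label in bits per character; higher means less word-like."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(qname, min_entropy=3.0, min_len=8):
    """Heuristic (my own, not from the thread): the leftmost label is long and
    either high-entropy or mixes letters and digits. Short or dictionary-like
    trap names will slip through; tune the thresholds against your own data."""
    label = qname.split(".")[0]
    if len(label) < min_len:
        return False
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    return label_entropy(label) >= min_entropy or (has_digit and has_alpha)


def mx_query_summary(records):
    """qname -> {"queries": n, "clients": set(ip)} over MX queries for random-looking names."""
    summary = defaultdict(lambda: {"queries": 0, "clients": set()})
    for ip, qname, qtype in records:
        if qtype == "MX" and looks_random(qname):
            summary[qname]["queries"] += 1
            summary[qname]["clients"].add(ip)
    return dict(summary)


def clients_by_name_count(summary):
    """Invert the summary: (client_ip, set of names it asked for), most names first.
    This is the view that exposes one address common to several random names."""
    per_ip = defaultdict(set)
    for qname, info in summary.items():
        for ip in info["clients"]:
            per_ip[ip].add(qname)
    return sorted(per_ip.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    summary = mx_query_summary(parse_query_log(SAMPLE_LOG))
    for qname, info in sorted(summary.items()):
        print(f"{qname:20s} x{info['queries']} queries by {len(info['clients'])} separate IPs")
    for ip, names in clients_by_name_count(summary):
        print(f"{ip:16s} common to {len(names)} names: {', '.join(sorted(names))}")
```

The first loop reproduces the "xN queries by M separate IPs" lines from the post; the inversion in `clients_by_name_count` is what surfaces the single address that appears under several names. The entropy cut is deliberately crude: a hyphenated pseudo-word such as the one in the post scores only just above 3 bits per character, so treat `looks_random` as a triage filter, not a verdict.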
