[dns-operations] MX record scanning

Rick Wesson rick at support-intelligence.com
Wed May 18 01:00:23 UTC 2011


Jake,

for how many hours/days do the domains persist? It would be interesting to
register some of the domains and point them at a honeypot to see what
protocols check in.

Happy to sink some if you would like to collaborate on watching the queries
and registering some domains; we can sink them and look at the protocols.

-rick


On Mon, May 16, 2011 at 8:26 AM, Jake Zack <jake.zack at cira.ca> wrote:

> The "spambot killer" doesn't appear to be randomly generating domains in
> real-time, or if it does, it appears to be doing a fairly lousy job at
> randomness.
>
> But if this was static content sitting on a webpage somewhere, shouldn't I
> be able to find it via Google (isn't that how the botnet runner would've
> found it?)
>
> Take these domains, for instance:
>
> 8zyhiupjnkt.ca      x12 queries by 8 separate IPs.
> fviqfdut7o.ca       x12 queries by 3 separate IPs.
> q1x83faa55lv.ca     x12 queries by 2 separate IPs.
> e9b6iykd1yn.ca      x12 queries by 2 separate IPs.
>
> The IP address "41.191.111.18" was involved in each of the above, no other
> commonality.
>
> kx0xgtlu.ca         x12 queries by 5 separate IPs.
> e3j3kcv2p46.ca      x12 queries by 3 separate IPs.
> k1bfv00ygbp0.ca     x12 queries by 2 separate IPs.
>
> The IP address "2.133.215.113" was involved in each of the above, no other
> commonality.
>
> aqwuf-guohu.ca      x12 queries by 7 separate IPs.
> wmt0isw5pv2z.ca     x12 queries by 5 separate IPs.
> kauoc97tivd.ca      x12 queries by 5 separate IPs.
>
> The IP address "213.142.200.131" was involved in each of the above, no
> other commonality.
>
> And if it's so bad at generating randomness, why is the above so
> inconsistent?  How can 4 different IPs query the same random junk in one
> case, but not in future cases?
>
> Should we consider creating a task force along the lines of the Conficker
> Working Group to try to figure this all out?
>
>
> -Jacob Zack
> DNS Administrator - CIRA (.CA TLD)


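The grouping Jake describes above (queries per name, distinct querying IPs, and the one IP "involved in each" of a set of names) is easy to reproduce from a query log, and a crude per-label randomness score helps sort candidate junk names from ordinary ones. The following is an added example written for this page, not code from Rick, Jake, CIRA or the list; the log line format, the client IPs and the second-level names in SAMPLE_LOG are constructed for illustration, and the thresholds in looks_generated() are arbitrary assumptions, so expect misses on pronounceable-looking labels such as the "aqwuf-guohu" style names in the thread.

```python
"""
Added example (not from the original thread): summarise DNS query log lines
the way the thread does -- per-name query count, distinct source IPs, the
source IP common to a group of names -- and score each label for randomness.
"""
from collections import defaultdict
from math import log2
import re

# Constructed sample log in an assumed "<timestamp> <client-ip> <qname> <qtype>"
# format. The IPs, names and counts are made up and are not data from the thread.
SAMPLE_LOG = """\
2011-05-16T08:00:01 41.191.111.18 8zyhiupjnkt.ca MX
2011-05-16T08:00:01 10.0.0.5 8zyhiupjnkt.ca MX
2011-05-16T08:00:02 41.191.111.18 fviqfdut7o.ca MX
2011-05-16T08:00:03 192.0.2.77 fviqfdut7o.ca MX
2011-05-16T08:00:04 41.191.111.18 q1x83faa55lv.ca MX
2011-05-16T08:00:05 203.0.113.9 www.cira.ca A
2011-05-16T08:00:06 203.0.113.9 mail.example.ca MX
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (client_ip, qname, qtype) tuples; silently skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, ip, qname, qtype = m.groups()
            yield ip, qname.lower().rstrip("."), qtype.upper()


def summarise(records, qtype="MX"):
    """Return {qname: (query_count, frozenset_of_client_ips)} for one qtype."""
    counts = defaultdict(int)
    ips = defaultdict(set)
    for ip, qname, qt in records:
        if qt != qtype:
            continue
        counts[qname] += 1
        ips[qname].add(ip)
    return {q: (counts[q], frozenset(ips[q])) for q in counts}


def common_ips(summary, domains):
    """IPs that queried every one of `domains` (the 'involved in each' check)."""
    sets = [summary[d][1] for d in domains if d in summary]
    if len(sets) != len(domains):
        return frozenset()          # an unknown name means no common querier
    return frozenset.intersection(*sets)


def label_entropy(qname):
    """Shannon entropy in bits/char of the leftmost label of qname."""
    label = qname.split(".")[0]
    if not label:
        return 0.0
    freq = defaultdict(int)
    for c in label:
        freq[c] += 1
    n = len(label)
    return -sum(f / n * log2(f / n) for f in freq.values())


VOWELS = set("aeiou")


def looks_generated(qname, min_len=8, max_vowel_ratio=0.35, min_entropy=3.0):
    """Crude heuristic (thresholds are assumptions): a long, vowel-poor,
    high-entropy leftmost label. Pronounceable DGA output will slip through."""
    label = qname.split(".")[0]
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return vowel_ratio <= max_vowel_ratio and label_entropy(qname) >= min_entropy


if __name__ == "__main__":
    summary = summarise(parse_log(SAMPLE_LOG))
    for name, (count, ipset) in sorted(summary.items()):
        flag = "junk?" if looks_generated(name) else ""
        print(f"{name:20} x{count} queries by {len(ipset)} separate IPs  {flag}")
    group = ["8zyhiupjnkt.ca", "fviqfdut7o.ca", "q1x83faa55lv.ca"]
    print("common to group:", sorted(common_ips(summary, group)))
```

Run against a real query log, the per-name distinct-IP sets are what Rick's proposal needs: the names with the most distinct queriers are the ones worth registering and pointing at a sinkhole, because they are the ones most likely to produce client traffic to observe.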