[dns-operations] MX record scanning
Warren Kumari
warren at kumari.net
Wed May 18 02:45:03 UTC 2011
What occurs to me is that some of the TLDs that have wildcards may already have much / may be able to collect this data -- I seem to remember "chatting" with a ccTLD operator who said that they have a wildcard, answer MX and have an SMTP server listening... I got sufficiently irritated at this point that I wandered / stomped off, but...
Easy to check (but not right now...)
W
Warren Kumari
------
Please excuse typing, etc -- This was sent from a device with a tiny keyboard.
On May 17, 2011, at 9:00 PM, Rick Wesson <rick at support-intelligence.com> wrote:
> Jake,
>
> for how many hours/days do the domains persist? It would be interesting to register some of the domains and point them at a honeypot to see what protocols check in.
>
> Happy to sink some if you would like to collaborate on watching the queries and registering some domains, we can sink and look at the protocols.
>
> -rick
>
>
> On Mon, May 16, 2011 at 8:26 AM, Jake Zack <jake.zack at cira.ca> wrote:
> The "spambot killer" doesn't appear to be randomly generating domains in real-time, or if it does, it appears to be doing a fairly lousy job at randomness.
>
> But if this was static content sitting on a webpage somewhere, shouldn't I be able to find it via Google (isn't that how the botnet runner would've found it?).
>
> Take these domains, for instance:
>
> 8zyhiupjnkt.ca x12 queries by 8 separate IP's.
> fviqfdut7o.ca x12 queries by 3 separate IP's.
> q1x83faa55lv.ca x12 queries by 2 separate IP's.
> e9b6iykd1yn.ca x12 queries by 2 separate IP's.
>
> The IP address "41.191.111.18" was involved in each of the above, no other commonality.
>
> kx0xgtlu.ca x12 queries by 5 separate IP's.
> e3j3kcv2p46.ca x12 queries by 3 separate IP's.
> k1bfv00ygbp0.ca x12 queries by 2 separate IP's.
>
> The IP address "2.133.215.113" was involved in each of the above, no other commonality.
>
> aqwuf-guohu.ca x12 queries by 7 separate IP's.
> wmt0isw5pv2z.ca x12 queries by 5 separate IP's.
> kauoc97tivd.ca x12 queries by 5 separate IP's.
>
> The IP address "213.142.200.131" was involved in each of the above, no other commonality.
>
> And if it's so bad at generating randomness, why is the above so inconsistent? How can 4 different IP's query the same random junk in one case, but not in future cases?
>
> Should we consider creating a task force along the lines of the Conficker Working Group to try to figure this all out?
>
>
> -Jacob Zack
> DNS Administrator - CIRA (.CA TLD)
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
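The analysis in Jake Zack's quoted message (query count and distinct sources per name, then the one source address common to a cluster of random-looking names) can be reproduced from a query log. The script below is an added example, not code from anyone in this thread; it assumes a simple "<source-ip> <qname> <qtype>" log format, and its sample lines are constructed (names modelled on the thread's examples, addresses from RFC 5737 documentation ranges).

```python
from collections import defaultdict

# Constructed sample log (not the thread's data); assumed format "<source-ip> <qname> <qtype>".
# Names are modelled on the thread's examples, addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 8zyhiupjnkt.example MX
192.0.2.10 fviqfdut7o.example MX
192.0.2.10 q1x83faa55lv.example MX
198.51.100.4 8zyhiupjnkt.example MX
198.51.100.9 fviqfdut7o.example MX
203.0.113.5 kx0xgtlu.example MX
203.0.113.5 e3j3kcv2p46.example MX
198.51.100.4 kx0xgtlu.example MX
203.0.113.5 mail.example A
"""

def looks_random(qname):
    """Crude heuristic for machine-generated labels: digits mixed with letters, or a long
    label with few vowels. Keeps ordinary names out so a busy shared resolver cannot dominate."""
    label = qname.split(".")[0]
    mixed = any(c.isdigit() for c in label) and any(c.isalpha() for c in label)
    vowels = sum(c in "aeiou" for c in label) / max(len(label), 1)
    return mixed or (len(label) >= 8 and vowels < 0.25)

def parse_log(text):
    """Yield (source_ip, qname) pairs, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1].lower().rstrip(".")

def summarize(records):
    """Per-qname query count and distinct sources: the 'x12 queries by N IPs' view."""
    counts, sources = defaultdict(int), defaultdict(set)
    for ip, qname in records:
        counts[qname] += 1
        sources[qname].add(ip)
    return dict(counts), dict(sources)

def pivot_on_shared_source(sources, min_domains=2):
    """Invert qname -> sources into source -> random-looking qnames; keep sources seen
    across at least min_domains of them (the one address 'involved in each of the above')."""
    by_ip = defaultdict(set)
    for qname, ips in sources.items():
        if looks_random(qname):
            for ip in ips:
                by_ip[ip].add(qname)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_domains}

if __name__ == "__main__":
    counts, sources = summarize(parse_log(SAMPLE_LOG))
    print(pivot_on_shared_source(sources))
```

Raising `min_domains` filters out sources that merely happen to touch two random-looking names, which is the first check to apply before treating a shared address as the common factor.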