[dns-operations] MX record scanning

Warren Kumari warren at kumari.net
Wed May 18 02:45:03 UTC 2011


What occurs to me is that some of the TLDs that have wildcards may already have much / may be able to collect this data -- I seem to remember "chatting" with a ccTLD operator who said that they have a wildcard, answer MX and have an SMTP server listening... I got sufficiently irritated at this point that I wandered / stomped off, but...

Easy to check (but not right now...)

W

Warren Kumari
------
Please excuse typing, etc -- This was sent from a device with a tiny keyboard.

On May 17, 2011, at 9:00 PM, Rick Wesson <rick at support-intelligence.com> wrote:

> Jake,
> 
> for how many hours/days do the domains persist? I would be interesting to register some of the somains and point them at a honypot to see what protocols check in.
> 
> Happy to sink some if you would like to collaberate on watching the queries and registering some domains, we can sink and looks at the protocols.
> 
> -rick
> 
> 
> On Mon, May 16, 2011 at 8:26 AM, Jake Zack <jake.zack at cira.ca> wrote:
> The "spambot killer" doesn't appear to be randomly generating domains in real-time, or if it does, it appears to be doing a fairly lousy job at randomness.
> 
> But if this was static content sitting on a webpage somewhere, shouldn't I be able to find it via Google (isn't that how the botnet runner would've found it?).
> 
> Take these domains, for instance:
> 
> 8zyhiupjnkt.ca          x12 queries by 8 separate IP's.
> fviqfdut7o.ca                   x12 queries by 3 separate IP's.
> q1x83faa55lv.ca         x12 queries by 2 separate IP's.
> e9b6iykd1yn.ca          x12 queries by 2 separate IP's.
> 
> The IP address "41.191.111.18" was involved in each of the above, no other commonality.
> 
> kx0xgtlu.ca                     x12 queries by 5 separate IP's.
> e3j3kcv2p46.ca          x12 queries by 3 separate IP's.
> k1bfv00ygbp0.ca         x12 queries by 2 separate IP's.
> 
> The IP address "2.133.215.113" was involved in each of the above, no other commonality.
> 
> aqwuf-guohu.ca          x12 queries by 7 separate IP's.
> wmt0isw5pv2z.ca x12 queries by 5 separate IP's.
> kauoc97tivd.ca          x12 queries by 5 separate IP's.
> 
> The IP address "213.142.200.131" was involved in each of the above, no other commonality.
> 
> And if it's so bad at generating randomness, why is the above so inconsistent?  How can 4 different IP's query the same random junk in one case, but not in future cases?
> 
> Should we consider creating a task force along the lines of the Conficker Working Group to try to figure this all out?
> 
> 
> -Jacob Zack
> DNS Administrator - CIRA (.CA TLD)
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20110517/eb35938a/attachment.html>


More information about the dns-operations mailing list