<html><body bgcolor="#FFFFFF"><div>What occurs to me is that some of the TLDs that have wildcards may already have much / may be able to collect this data -- I seem to remember "chatting" with a ccTLD operator who said that they have a wildcard, answer MX and have an SMTP server listening... I got sufficiently irritated at this point that I wandered / stomped off, but...</div><div><br></div><div>Easy to check (but not right now...)</div><div><br></div><div>W</div><div><br><div>Warren Kumari</div><div>------</div>Please excuse typing, etc -- This was sent from a device with a tiny keyboard.</div><div><br>On May 17, 2011, at 9:00 PM, Rick Wesson <<a href="mailto:rick@support-intelligence.com">rick@support-intelligence.com</a>> wrote:<br><br></div><div></div><blockquote type="cite"><div>Jake,<div><br></div><div>For how many hours/days do the domains persist? It would be interesting to register some of the domains and point them at a honeypot to see what protocols check in.</div><div><br></div><div>Happy to sink some if you would like to collaborate on watching the queries and registering some domains; we can sink and look at the protocols.</div>
<div><br></div><div>-rick</div><div><br><br><div class="gmail_quote">On Mon, May 16, 2011 at 8:26 AM, Jake Zack <span dir="ltr"><<a href="mailto:jake.zack@cira.ca">jake.zack@cira.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
The "spambot killer" doesn't appear to be randomly generating domains in real-time, or if it does, it appears to be doing a fairly lousy job at randomness.<br>
<br>
But if this was static content sitting on a webpage somewhere, shouldn't I be able to find it via Google (isn't that how the botnet runner would've found it?).<br>
<br>
Take these domains, for instance:<br>
<br>
<a href="http://8zyhiupjnkt.ca" target="_blank">8zyhiupjnkt.ca</a> x12 queries by 8 separate IPs.<br>
<a href="http://fviqfdut7o.ca" target="_blank">fviqfdut7o.ca</a> x12 queries by 3 separate IPs.<br>
<a href="http://q1x83faa55lv.ca" target="_blank">q1x83faa55lv.ca</a> x12 queries by 2 separate IPs.<br>
<a href="http://e9b6iykd1yn.ca" target="_blank">e9b6iykd1yn.ca</a> x12 queries by 2 separate IPs.<br>
<br>
The IP address "41.191.111.18" was involved in each of the above, no other commonality.<br>
<br>
<a href="http://kx0xgtlu.ca" target="_blank">kx0xgtlu.ca</a> x12 queries by 5 separate IPs.<br>
<a href="http://e3j3kcv2p46.ca" target="_blank">e3j3kcv2p46.ca</a> x12 queries by 3 separate IPs.<br>
<a href="http://k1bfv00ygbp0.ca" target="_blank">k1bfv00ygbp0.ca</a> x12 queries by 2 separate IPs.<br>
<br>
The IP address "2.133.215.113" was involved in each of the above, no other commonality.<br>
<br>
<a href="http://aqwuf-guohu.ca" target="_blank">aqwuf-guohu.ca</a> x12 queries by 7 separate IPs.<br>
<a href="http://wmt0isw5pv2z.ca" target="_blank">wmt0isw5pv2z.ca</a> x12 queries by 5 separate IPs.<br>
<a href="http://kauoc97tivd.ca" target="_blank">kauoc97tivd.ca</a> x12 queries by 5 separate IPs.<br>
<br>
The IP address "213.142.200.131" was involved in each of the above, no other commonality.<br>
<br>
And if it's so bad at generating randomness, why is the above so inconsistent? How can 4 different IPs query the same random junk in one case, but not in future cases?<br>
<br>
Should we consider creating a task force along the lines of the Conficker Working Group to try to figure this all out?<div class="im"><br>
<br>
-Jacob Zack<br>
DNS Administrator - CIRA (.CA TLD)<br>
<br></div><div><div></div><div class="h5">
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
dns-jobs mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br>
</div></div></blockquote></div><br></div>
</div></blockquote></body></html>