[nsp-sec] Romanian IP's being DNS-bad, botnet/spamnet controllers?

Dave Mitchell davem at yahoo-inc.com
Tue Jan 6 17:41:22 EST 2009


Morrow,

Yeah, we've been seeing them hitting us off and on (MX lookups), and a ton of spam.

Here are some others I see:

Max BPS

Host                  In            Out            Total
89.114.153.234/32     8.08 Mbps     174.00 Mbps    182.08 Mbps
89.114.153.235/32     10.99 Mbps    150.00 Mbps    160.99 Mbps
89.114.153.236/32     10.77 Mbps    149.00 Mbps    159.77 Mbps
ns.kpnqwest.ro        34.00 Kbps    245.00 Kbps    279.00 Kbps

I'm also seeing a lot more chattiness from other FastWeb.IT machines out
there. 

-dave



On Tue, Jan 06, 2009 at 05:30:31PM -0500, Chris Morrow wrote:
> ----------- nsp-security Confidential --------
>
> Howdy, would anyone else that runs largeish dns clusters have information 
> about:
>
> 78.96.154.147
> 193.226.19.74
> 86.120.67.249
>
> These 3 ips seem to REALLY like to hammer dns servers for MX (only 
> actually) queries... they seem to be talking to the 'right' DNS servers (my 
> dns servers when doing MX lookups for my domains).  I don't see anything 
> odd in their origin ASN, CBL, spamhaus (aside from some PBL listings which 
> don't seem to apply here). Are these ips known to anyone else as having 
> done boatloads of DNS lookups? I remember someone else in the content-game 
> asking this recently, but I can't recall whom that was :(
>
> -Chris
> (google-security-person)
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________