[nsp-sec] Romanian IPs being DNS-bad, botnet/spamnet controllers?

Chris Morrow morrowc at ops-netman.net
Tue Jan 6 23:57:52 EST 2009



Dave Mitchell wrote:
> Morrow,
> 
> Yeah, we've been seeing them hitting us off (MX lookups) and on and a ton of spam.
> 

interesting... and good, we seem to overlap on at least:
89.114.153.236/32

which was added to the race after I sent my first message. I wonder
though, these reportedly were doing MX queries for google.com NOT
gmail.com (corp domain vs customer domains). Were yours doing, if you
can tell, MX queries for customer or corp domains?

I've asked our other recent purchases if they'd also keep an eye open
for this, but no word back as of yet.

- -Chris

> Here are some others I see:
> 
> Max BPS
> 
> Host                  In          Out          Total
> 89.114.153.234/32     8.08 Mbps   174.00 Mbps  182.08 Mbps
> 89.114.153.235/32     10.99 Mbps  150.00 Mbps  160.99 Mbps
> 89.114.153.236/32     10.77 Mbps  149.00 Mbps  159.77 Mbps
> ns.kpnqwest.ro        34.00 Kbps  245.00 Kbps  279.00 Kbps
> 
> I'm also seeing a lot more chattiness from other FastWeb.IT machines out
> there. 
> 
> -dave
> 
> 
> 
> On Tue, Jan 06, 2009 at 05:30:31PM -0500, Chris Morrow wrote:
>> ----------- nsp-security Confidential --------
>>
>> Howdy, would anyone else that runs largeish dns clusters have information 
>> about:
>>
>> 78.96.154.147
>> 193.226.19.74
>> 86.120.67.249
>>
>> These 3 ips seem to REALLY like to hammer dns servers for MX (only 
>> actually) queries... they seem to be talking to the 'right' DNS servers (my 
>> dns servers when doing MX lookups for my domains).  I don't see anything 
>> odd in their origin ASN, CBL, spamhaus (aside from some PBL listings which 
>> don't seem to apply here). Are these ips known to anyone else as having 
>> done boatloads of DNS lookups? I remember someone else in the content-game 
>> asking this recently, but I can't recall who that was :(
>>
>> -Chris
>> (google-security-person)
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________

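Added example, not part of the thread: a small Python triage script that reads BIND-style query-log lines and flags clients whose traffic is high-volume and almost exclusively MX, the pattern Chris describes in his original note. The log lines and client addresses below are constructed (RFC 5737 documentation ranges), not the hosts discussed above.

```python
import re
from collections import Counter, defaultdict

# Constructed BIND-style query-log sample (not real traffic; RFC 5737 addresses).
SAMPLE_LOG = """\
06-Jan-2009 17:01:00.101 client 192.0.2.10#53211: query: example.com IN MX -E (198.51.100.1)
06-Jan-2009 17:01:00.104 client 192.0.2.10#53212: query: example.net IN MX -E (198.51.100.1)
06-Jan-2009 17:01:00.109 client 192.0.2.10#53213: query: example.com IN MX -E (198.51.100.1)
06-Jan-2009 17:01:00.113 client 192.0.2.10#53214: query: example.com IN MX -E (198.51.100.1)
06-Jan-2009 17:01:00.118 client 192.0.2.10#53215: query: example.net IN MX -E (198.51.100.1)
06-Jan-2009 17:01:00.122 client 192.0.2.10#53216: query: example.com IN MX -E (198.51.100.1)
06-Jan-2009 17:01:01.001 client 198.51.100.20#40001: query: www.example.com IN A -E (198.51.100.1)
06-Jan-2009 17:01:01.010 client 198.51.100.20#40002: query: example.com IN MX -E (198.51.100.1)
06-Jan-2009 17:01:01.020 client 198.51.100.20#40003: query: www.example.net IN A -E (198.51.100.1)
06-Jan-2009 17:01:02.500 client 203.0.113.5#5353: query: example.com IN MX -E (198.51.100.1)
06-Jan-2009 17:01:02.600 client 203.0.113.5#5353: query: example.net IN MX -E (198.51.100.1)
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for every line that matches the query-log shape."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower(), m.group("qtype")

def mx_hammer_report(log_text, min_queries=5, min_mx_fraction=0.95):
    """Return {ip: (total, mx_fraction, distinct_mx_names)} for clients whose queries are (almost) all MX."""
    # A normal MTA mixes MX with A/AAAA lookups and honours TTLs; an MX-only client
    # repeatedly asking for the same handful of names is the one worth a closer look.
    total, mx_count, mx_names = Counter(), Counter(), defaultdict(set)
    for ip, qname, qtype in parse_queries(log_text):
        total[ip] += 1
        if qtype == "MX":
            mx_count[ip] += 1
            mx_names[ip].add(qname)
    report = {}
    for ip, n in total.items():
        frac = mx_count[ip] / n
        if n >= min_queries and frac >= min_mx_fraction:
            report[ip] = (n, round(frac, 2), len(mx_names[ip]))
    return report

if __name__ == "__main__":
    for ip, (n, frac, names) in mx_hammer_report(SAMPLE_LOG).items():
        print(f"{ip}: {n} queries, {frac:.0%} MX, {names} distinct MX names")
```

Lower `min_queries` for a quiet resolver or raise it for a busy cluster; the thresholds are starting points, not tuned values.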
