[nsp-sec] Romanian IP's being DNS-bad, botnet/spamnet controllers?

Dave Mitchell davem at yahoo-inc.com
Wed Jan 7 14:04:37 EST 2009


These were a ton of yahoo.com MX lookups last week, but I don't have
pcaps from yesterday. I'm guessing it's yahoo.com + yahoo-inc.com as
we've been seeing a lot of fun v14gr4 and other p3n1s enlargement
emails. Whee, fun.

-d

On Tue, Jan 06, 2009 at 11:57:52PM -0500, Chris Morrow wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Dave Mitchell wrote:
> > Morrow,
> > 
> > Yeah, we've been seeing them hitting us off (MX lookups) and on and a ton of spam.
> > 
> 
> interesting... and good, we seem to overlap on at least:
> 89.114.153.236/32
> 
> which was added to the race after I sent my first message. I wonder
> though, these reportedly were doing MX queries for google.com NOT
> gmail.com (corp domain vs customer domains). Were yours doing, if you
> can tell, MX queries for customer or corp domains?
> 
> I've asked our other recent purchases if they'd also keep an eye open
> for this, but no word back as of yet.
> 
> - -Chris
> 
> > Here are some others I see:
> > 
> > Max BPS
> > 
> > Host 			In 		Out 		Total
> > 89.114.153.234/32	8.08 Mbps	174.00 Mbps	182.08 Mbps	
> > 89.114.153.235/32	10.99 Mbps	150.00 Mbps	160.99 Mbps	
> > 89.114.153.236/32	10.77 Mbps	149.00 Mbps	159.77 Mbps	
> > ns.kpnqwest.ro 		34.00 Kbps	245.00 Kbps	279.00 Kbps
> > 
> > I'm also seeing a lot more chattiness from other FastWeb.IT machines out
> > there. 
> > 
> > -dave
> > 
> > 
> > 
> > On Tue, Jan 06, 2009 at 05:30:31PM -0500, Chris Morrow wrote:
> >> ----------- nsp-security Confidential --------
> >>
> >> Howdy, would anyone else that runs largeish dns clusters have information 
> >> about:
> >>
> >> 78.96.154.147
> >> 193.226.19.74
> >> 86.120.67.249
> >>
> >> These 3 ips seem to REALLY like to hammer dns servers for MX (only 
> >> actually) queries... they seem to be talking to the 'right' DNS servers (my 
> >> dns servers when doing MX lookups for my domains).  I don't see anything 
> >> odd in their origin ASN, CBL, spamhaus (aside from some PBL listings which 
> >> don't seem to apply here). Are these ips known to anyone else as having 
> >> done boatloads of DNS lookups? I remember someone else in the content-game 
> >> asking this recently, but I can't recall who that was :(
> >>
> >> -Chris
> >> (google-security-person)
> >>
> >>
> >> _______________________________________________
> >> nsp-security mailing list
> >> nsp-security at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/nsp-security
> >>
> >> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> >> community. Confidentiality is essential for effective Internet security counter-measures.
> >> _______________________________________________
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFJZDZQr6swUqhDs2sRAmPsAJ9enZEK5ng2KAi4K3+8sCr2yCzdoQCfWrA6
> +4Ek2/Kg1CgeYlidPKiBUrM=
> =Clih
> -----END PGP SIGNATURE-----
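The question Chris raises in the quoted message (which sources hammer the authoritative servers, are they MX-only, and for which names: corp domain vs. customer domains) is a shape-of-traffic check that can be run straight over query logs. The following Python is an added example, not code from anyone in this thread; it assumes BIND 9 style query-log lines of the form `client IP#port: query: NAME IN TYPE ...` (newer BIND versions add more fields and would need a regex tweak), and the sample log lines are constructed here for illustration, reusing the addresses named in the thread. The thresholds (`min_queries`, `min_mx_share`) are arbitrary starting points, not values from the thread.

```python
import re
from collections import Counter, defaultdict

# Assumed BIND 9 query-log shape: "... client 1.2.3.4#5678: query: name IN TYPE + (server)".
# Adjust the pattern if your logging channel prints extra fields (e.g. "client @0x... 1.2.3.4#5678 (name): query: ...").
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample log (not real captured data); 192.0.2.53 stands in for the authoritative server.
SAMPLE_LOG = """\
06-Jan-2009 17:01:02.001 client 78.96.154.147#41203: query: google.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:02.004 client 78.96.154.147#41204: query: google.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:02.009 client 78.96.154.147#41205: query: google.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:02.013 client 78.96.154.147#41206: query: google.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:02.020 client 78.96.154.147#41207: query: google.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:03.100 client 193.226.19.74#5555: query: google.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:03.104 client 193.226.19.74#5556: query: google.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:03.108 client 193.226.19.74#5557: query: google.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:03.111 client 193.226.19.74#5558: query: gmail.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:03.115 client 193.226.19.74#5559: query: google.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:05.000 client 192.0.2.10#3301: query: www.google.com IN A + (192.0.2.53)
06-Jan-2009 17:01:05.002 client 192.0.2.10#3302: query: www.google.com IN AAAA + (192.0.2.53)
06-Jan-2009 17:01:05.010 client 192.0.2.10#3303: query: google.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:05.015 client 192.0.2.10#3304: query: mail.google.com IN A + (192.0.2.53)
06-Jan-2009 17:01:05.020 client 192.0.2.10#3305: query: google.com IN NS + (192.0.2.53)
06-Jan-2009 17:01:07.000 client 192.0.2.11#6000: query: google.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:07.003 client 192.0.2.11#6001: query: google.com IN MX + (192.0.2.53)
06-Jan-2009 17:01:09.000 general: info: zone refresh (unrelated line, must be ignored)
"""


def parse_queries(lines):
    """Yield (source_ip, qname, qtype) for every line that looks like a query-log entry."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")


def mx_hammerers(lines, min_queries=5, min_mx_share=0.9):
    """Return {ip: stats} for sources that sent at least min_queries queries of which
    at least min_mx_share were MX. A normal resolver mixes A/AAAA/NS/MX; a spam
    engine looking for places to deliver to asks MX and little else."""
    total = Counter()
    mx = Counter()
    mx_names = defaultdict(set)
    for ip, name, qtype in parse_queries(lines):
        total[ip] += 1
        if qtype == "MX":
            mx[ip] += 1
            mx_names[ip].add(name)
    flagged = {}
    for ip, n in total.items():
        share = mx[ip] / n
        if n >= min_queries and share >= min_mx_share:
            flagged[ip] = {
                "queries": n,
                "mx": mx[ip],
                "mx_share": share,
                # which zones were asked for, to answer the corp-vs-customer-domain question
                "mx_names": sorted(mx_names[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in sorted(mx_hammerers(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {stats['mx']}/{stats['queries']} MX "
              f"({stats['mx_share']:.0%}) for {', '.join(stats['mx_names'])}")
```

On the constructed sample, 78.96.154.147 and 193.226.19.74 are flagged (all-MX), 192.0.2.10 is not (one MX among A/AAAA/NS lookups, the mixture a real resolver produces), and 192.0.2.11 is below the volume floor. For production use, run this per time window against the raw query log rather than a single file, and compare the `mx_names` against your own zone list so that MX-only traffic for a corporate domain (where no customer mailboxes live) stands out from ordinary mail delivery.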

