[anti-spam-wg@localhost] New spammer DNS trick
- Date: Sun, 25 Jan 2004 20:20:35 -0500 (EST)
I just today got two spams that showed me a new spammer DNS trick (new
to me, at least).
Rather than use fictitious domain names, I'll use the actual names from
one of the spams. The basic trick is the same either way.
nepzzz.com is spamvertised. Its registration specifies nameservers in
nictxt.com. nictxt.com has been taken over by its registrar,
apparently for invalid contact info (and good for them). But they
didn't go quite far enough; while querying the gtld-servers.net servers
for nictxt.com returns NXDOMAIN, querying them for nepzzz.com returns
delegation NS records under nictxt.com _with glue A records_, thereby
defeating the registrar's attempted removal of the domain.
The other spam was for ahottieiswhatiwant.com, with nameservers in
9t5.net; the basic trick is the same.
In each case, I sent a message suggesting that rather than just
pointing it at their own servers, they point the domain at the names
the spammers used (which require glue records) but supply glue pointing
to the registrar's server(s), thereby getting the glue the spammers
injected into the gtld-servers system replaced.
So be careful when poking at the DNS while spamhaus-hunting. If you
query for the wrong thing you may be misled into thinking something has
been taken down when it hasn't.
/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML                        mouse@localhost
/ \ Email!          7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
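A defender-side check for the situation the post describes, added here and not part of the original message: it flags a delegation whose nameservers sit under a domain the TLD servers answer with NXDOMAIN while glue A records for those nameservers are still handed out. The responder is a constructed stand-in for the gtld-servers.net replies, reusing the names from the post with placeholder addresses; a real check would send the same two queries to the actual TLD servers.

```python
"""Detect 'orphaned glue': a delegation that still resolves because glue A
records for its nameservers survive at the TLD servers, even though the
nameservers' own domain has been removed (NXDOMAIN at the same servers).
Added example; TLD_REPLIES is constructed data modelled on the post."""
from dataclasses import dataclass, field


@dataclass
class Referral:
    """Simplified TLD-server reply: rcode, NS names, and glue A records."""
    rcode: str                                   # "NOERROR" or "NXDOMAIN"
    ns: list = field(default_factory=list)       # authority section NS targets
    glue: dict = field(default_factory=dict)     # additional section: host -> IPv4


# Constructed sample replies (names from the post, addresses are placeholders).
TLD_REPLIES = {
    "nictxt.com": Referral("NXDOMAIN"),          # registrar removed the domain
    "nepzzz.com": Referral("NOERROR", ["ns1.nictxt.com", "ns2.nictxt.com"],
                           {"ns1.nictxt.com": "192.0.2.10",
                            "ns2.nictxt.com": "192.0.2.11"}),
    "example.com": Referral("NOERROR", ["a.iana-servers.net"], {}),
}


def tld_query(name):
    """Stand-in for querying a gTLD server; unknown names act as NXDOMAIN."""
    return TLD_REPLIES.get(name.lower().rstrip("."), Referral("NXDOMAIN"))


def registered_parent(host):
    """Registered domain of a host name, assuming a one-label TLD such as .com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def orphaned_glue(domain, query=tld_query):
    """Return {nameserver: glue address} for every NS of `domain` whose own
    registered domain is NXDOMAIN at the TLD servers yet still has glue."""
    ref = query(domain)
    if ref.rcode != "NOERROR":
        return {}                                # domain itself is gone
    orphans = {}
    for host in ref.ns:
        parent = registered_parent(host)
        if parent == domain.lower().rstrip("."):
            continue                             # in-bailiwick NS: glue is normal
        if query(parent).rcode == "NXDOMAIN" and host in ref.glue:
            orphans[host] = ref.glue[host]       # takedown did not remove this
    return orphans
```

A non-empty result means a query for the spamvertised name still yields working nameserver addresses, which is exactly the case where checking only the nameserver domain would mislead you.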