[anti-abuse-wg] New Abuse Information on RIPE NCC Website
Suresh Ramasubramanian
ops.lists at gmail.com
Wed Jun 26 17:23:28 CEST 2013
I did say fast flux. Take down one compromised vm in a cheap datacenter somewhere and it pops up on some random company's exposed file and print server somewhere else.

On Jun 26, 2013 8:49 PM, "Frank Gadegast" <ripe-anti-spam-wg at powerweb.de> wrote:

> Suresh Ramasubramanian wrote:
>
>> Consider, if you will, a domain that has absolutely no "content", but is
>> the command and control for a fast flux botnet. Which has been the case
>> with both the Latvian as well as Austrian ccTLD cases.
>
> Same thing.
> The controllers must run on a server with an IP address,
> destroy these servers.
>
> The domain name is just a name, it's the hostnames in the domain's
> nameserver pointing to an IP and a server with whatever service
> running under that IP.
> It's likely that the botnet owner uses another domain name,
> if you remove it.
>
> Botnet owners aren't stupid.
>
> Kind regards, Frank
>
>> On Jun 26, 2013 7:52 PM, "Frank Gadegast" <ripe-anti-spam-wg at powerweb.de>
>> wrote:
>>
>> Suresh Ramasubramanian wrote:
>>
>> Just want to note, that domain names themselves can't be
>> dangerous (of course using a similar name could cause
>> problems with trademarks and the like).
>>
>> It's only the content that's dangerous, eMail or webpage.
>> So it's more a problem of the people running the services
>> and these are either hacked sites or ISPs tolerating
>> or deliberately hosting this content.
>>
>> Asking a TLD registry to remove domain names because
>> of phishing is then somehow the wrong place to start,
>> especially for Spamhaus, they should know better and
>> simply place all those IPs on their lists ...
>>
>> BTW:
>> just found the service "Google Safe Browsing Alerts
>> for Network Administrators" where every AS owner can
>> register under
>> http://www.google.com/safebrowsing/alerts/
>> to receive notification about doubtful content
>> Google might find, when spidering your network.
>>
>> This could be pretty useful to remove phishing
>> and hacked sites pretty quickly.
>>
>> Kind regards, Frank
>>
>> There are of course multiple sides to that story as well.
>>
>> Like a massive infestation of rock phish domains which, too, were
>> knowingly disregarding local law, and were present in rather massive
>> quantities on the .at ccTLD at that time.
>>
>> http://www.spamhaus.org/organization/statement/7/
>>
>> --srs
>>
>> On Wednesday, June 26, 2013, Wilfried Woeber wrote:
>>
>> Erik Bais wrote:
>> [...]
>> > For those that want to read up on what actually happened on that specific
>> > incident in Latvia (July/August 2010), have a read on the following open
>> > letter from CERT.lv
>> >
>> > https://cert.lv/uploads/uploads/OpenLetter.pdf
>>
>> And this actually wasn't the only or the first "incident" with Spamhaus.
>> They also tried similar *piep*^Wbullying against NIC.at before.
>>
>> Which actually has discredited Spamhaus in my personal opinion for sure,
>> for knowingly disregarding local law, but that's slightly OT here - but
>> maybe not...
>>
>> > Erik Bais
>>
>> Wilfried.
>>
>> --
>> --srs (iPad)