You are here: Home > Participate > Join a Discussion > Mailman Archives
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

[anti-spam-wg@localhost] New spammer DNS trick

  • From: der Mouse < >
  • Date: Sun, 25 Jan 2004 20:20:35 -0500 (EST)

I just today got two spams that showed me a new spammer DNS trick (new
to me, at least).

Rather than use fictitious domain names, I'll use the actual names from
one of the spams.  The basic trick is the same either way. is spamvertised.  Its registration specifies nameservers in has been taken over by its registrar,
apparently for invalid contact info (and good for them).  But they
didn't go quite far enough; while querying the servers
for returns NXDOMAIN, querying them for returns
delegation NS records under _with glue A records_, thereby
defeating the registrar's attempted removal of the domain.

The other spam was for, with nameservers in; the basic trick is the same.

In each case, I sent a message suggesting that rather than just
pointing it at their own servers, they point the domain at the names
the spammers used (which require glue records) but supply glue pointing
to the registrar's server(s), thereby getting the glue the spammers
injected into the gtld-servers system replaced.

So be careful when poking at the DNS while spamhaus-hunting.  If you
query for the wrong thing you may be misled into thinking something has
been taken down when it hasn't.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

  • Post To The List:
<<< Chronological >>> Author    Subject <<< Threads >>>