Wired mag article on spammers playing traceroute games with trojaned boxes

http://www.wired.com/news/business/0,1367,60747,00.html

I found one of these today, as a matter of fact. The spam was advertising an anti-spam package, of course.

The domain name is vano-soft.biz, and looking up the address, I get

Name: vano-soft.biz
Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97
           12.229.122.9

A few minutes later, or from a different nameserver, I get

Name: vano-soft.biz
Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
           12.252.185.129

This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?

--Chris

They're using extremely low TTLs on most of their records. Typically 2 minutes to accomplish this. The thing is I would imagine at least ONE of those NS servers cannot change within a 2-hour window whereas the others can change every 2 minutes. If you identify the server that only changes every 2 hours and track what it's replaced with every 2 hours, you're likely to find a rotating list of master servers... Another question is why is NeuLevel (the registrar for .biz) allowing TTLs on the NS records to be 2 hours and submitting those to the GTLD servers. Maybe it's just me, but that's the first time I've seen a registrar set such a low TTL on an NS record. If NeuLevel is any good they would likely have some sort of information to identify the owner of the domain, even if the information listed on their whois server is invalid. They might have a credit card transaction although that too could always be a stolen credit card number.

Any other ideas or different angles/experiences?

; <<>> DiG 9.2.2 <<>> +trace a vano-soft.biz.
;; global options: printcmd
. 80336 IN NS l.root-servers.net.
. 80336 IN NS m.root-servers.net.
. 80336 IN NS i.root-servers.net.
. 80336 IN NS e.root-servers.net.
. 80336 IN NS d.root-servers.net.
. 80336 IN NS a.root-servers.net.
. 80336 IN NS h.root-servers.net.
. 80336 IN NS c.root-servers.net.
. 80336 IN NS g.root-servers.net.
. 80336 IN NS f.root-servers.net.
. 80336 IN NS b.root-servers.net.
. 80336 IN NS j.root-servers.net.
. 80336 IN NS k.root-servers.net.
;; Received 449 bytes from 216.182.1.1#53(216.182.1.1) in 40 ms

biz. 172800 IN NS A.GTLD.biz.
biz. 172800 IN NS B.GTLD.biz.
biz. 172800 IN NS C.GTLD.biz.
biz. 172800 IN NS D.GTLD.biz.
biz. 172800 IN NS E.GTLD.biz.
biz. 172800 IN NS F.GTLD.biz.
;; Received 228 bytes from 198.32.64.12#53(l.root-servers.net) in 270 ms

vano-soft.biz. 7200 IN NS NS1.UZC12.biz.
vano-soft.biz. 7200 IN NS NS2.UZC12.biz.
vano-soft.biz. 7200 IN NS NS3.UZC12.biz.
vano-soft.biz. 7200 IN NS NS4.UZC12.biz.
vano-soft.biz. 7200 IN NS NS5.UZC12.biz.
;; Received 223 bytes from 209.173.53.162#53(A.GTLD.biz) in 150 ms

vano-soft.biz. 120 IN A 200.80.137.157
vano-soft.biz. 120 IN A 12.229.122.9
vano-soft.biz. 120 IN A 12.252.185.129
vano-soft.biz. 120 IN A 165.166.182.168
vano-soft.biz. 120 IN A 193.92.62.42
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
;; Received 287 bytes from 204.210.76.197#53(NS4.UZC12.biz) in 130 ms

Vinny Abello
Network Engineer
Server Management
vinny@tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and those that don't.

Chris Boyd writes on 10/9/2003 9:21 PM:

A few minutes later, or from a different nameserver, I get

Name: vano-soft.biz
Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
          12.252.185.129

This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?

Nope - the guy would get more trojaned boxes; there is no shortage of unpatched Windows machines on broadband.

There are two ways to go here -

* Nullroute or bogus out in your resolvers the DNS servers for this domain --> two problems here. One is that the spammer doesn't use vano-soft.biz in the SMTP envelope, and second, he abuses open redirectors like Yahoo's srd.yahoo.com

* "Follow the money" - find out the spammer / the guy who he spams for, from payment information etc. Sic law enforcement on them.

  srs

Vinny Abello writes on 10/9/2003 9:41 PM:

They're using extremely low TTL's on most of their records. Typically 2 minutes to accomplish this. The thing is I would imagine at least ONE of those NS servers cannot change within a 2 hour window whereas the others

They are using a whole lot of stuff that's basically dynamic DNS.

low TTL on an NS record. If NeuLevel is any good they would likely have some sort of information to identify the owner of the domain, even if

They seem to have a spammer infestation though.

  srs

I think we can all safely assume that the people behind this are most
probably on NANOG or reading the archives and are now aware of your idea
:)

-Hank

This may apply w/r/t something I've been seeing for the last couple of days.
I've been seeing e-mails into our server with the following characteristics:

1). Sent to invalid user on our domain
2). Sent from varying origins; usually, groups of three arriving ~ every
half hour
3). Origin IP on mostly home broadband networks in US
4). Frequently, the purported sender's e-mail address is in a non-US domain although
originating from a US domain, with the language of the e-mail text matching
the purported sender's domain (lots of German spam...guess that's the
current flavor).
5). Invalid user send-to addresses arriving in groups in alphabetical order
(nice list processing)

It looks like the person(s) responsible is using a distributed network of trojaned
PCs, varying send-to mail servers every 3 messages or so. This way, spam
arrives at the purported sender's address as an undelivered mail bounce with our
address in the SMTP envelope, in low enough volume (they hope) not to
trigger filtering based on source IP.

I wonder about how long until legitimate mail servers start getting
blackholed because of bounce messages?

David Keith

Hank Nussbacher writes on 10/9/2003 10:00 PM:

I think we can all safely assume that the people behind this are most
probably on NANOG or reading the archives and are now aware of your idea
:)

vano-soft has been extensively discussed on other forums (spam-l, nanae etc) for quite some time. But yeah - it's stayed at the "discussion" level so far.

I think in this instance your best approach may be to go after the name servers. Anything else is going to be a game of whack-a-mole. Our spam filtering software actually uses the address of a domain's name server in its scoring system. Sometimes that's the only way we've been able to reliably detect a spammer.

Looks like there was a slight misinterpretation of the DNS records. The
2hr TTL is on the NS record from the registrar (NeuStar/*.GTLD.BIZ),
which means it would take up to 2 hours to switch DNS servers (probably
longer, due to red tape). However, the DNS servers aren't what's being
rotated. It's the data that they are giving that's rotating, hence the
2-minute TTL. ALL of the nsX.uzc12.biz servers' record changes will be
seen w/in 2 minutes, not just one of them.

Also, after doing some preliminary digging, it would seem that the
GTLD.BIZ servers have very low TTLs on a lot of their domains. In fact,
7200 seems high compared to some other ones I found.

--Gar

There are two ways to go here -

* Nullroute or bogus out in your resolvers the DNS servers for this
domain --> two problems here. One is that the spammer doesn't use
vano-soft.biz in the smtp envelope, and second, he abuses open
redirectors like yahoo's srd.yahoo.com <<

There is another option: create an email filter and block any email that
includes the text ".biz/".

That will do two things, it will stop the spams from being received in the
first place and it will cause one heck of a headache for the .biz domain so
they clean up their act and deal with their problems.

Geo.

And as soon as you call law enforcement what happens? The spammer

Oops... Try this again...

And as soon as you call law enforcement what happens? The spammer is
located offshore. Then what?

Andy Ellifson writes on 10/9/2003 10:58 PM:

Oops... Try this again...

And as soon as you call law enforcement what happens? The spammer is
located offshore. Then what?

99% of them are Americans - and mostly from Florida at that. See http://www.spamhaus.org/rokso/

they might subcontract stuff offshore (to India and China, where a lot of legitimate software development / BPO etc work is also going), sure.

Michael G writes on 10/9/2003 10:27 PM:

Also, after doing some preliminary digging, it would seem that the
GTLD.BIZ servers have very low TTLs on a lot of their domains. In fact,
7200 seems high compared to some other ones I found.

Any correlation with the unusually high proportion of .biz domains that are being registered by spammers?

How many times have you received spam selling a product from a U.S.-based company? I have received plenty.... follow the money.... Hank has it right.

M
(speaking only for myself)

It looks like they are using their little team of zombie machines that
are doing the port 80 redirect to also respond to DNS requests:

;; AUTHORITY SECTION:
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.

;; ADDITIONAL SECTION:
ns3.uzc12.biz. 7200 IN A 24.91.206.103
ns3.uzc12.biz. 7200 IN A 12.206.49.107
ns4.uzc12.biz. 7200 IN A 12.227.146.168
ns5.uzc12.biz. 7200 IN A 66.21.211.204
ns5.uzc12.biz. 7200 IN A 165.166.182.168
ns1.uzc12.biz. 7200 IN A 24.243.218.127
ns1.uzc12.biz. 7200 IN A 12.239.143.71
ns1.uzc12.biz. 7200 IN A 66.90.158.89
ns1.uzc12.biz. 7200 IN A 12.229.122.9
ns2.uzc12.biz. 7200 IN A 24.107.74.166
ns2.uzc12.biz. 7200 IN A 207.6.75.110

103.206.91.24.in-addr.arpa domain name pointer h00402b45512d.ne.client2.attbi.com.

168.182.166.165.in-addr.arpa domain name pointer rhhe16-168.2wcm.comporium.net

110.75.6.207.in-addr.arpa domain name pointer d207-6-75-110.bchsia.telus.net
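A small checker for the pattern this thread describes, added here as an example and not code from any of the posters: it parses dig-style A and NS lines (the sample is constructed from the records quoted above plus a control zone) and flags owner names whose A RRset is spread over several /8 networks with either a short TTL, or, following Gar's point that the 7200s registry-side NS TTL is not what rotates, any nameserver hostname whose glue shows that spread regardless of TTL. The thresholds (300s, 3 addresses, 2 /8s) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in dig's presentation format, modelled on the answers quoted
# in this thread: registry NS at 7200s, rotating A data at 120s, plus a control zone.
SAMPLE_DIG = """\
vano-soft.biz. 7200 IN NS NS1.UZC12.biz.
vano-soft.biz. 120 IN A 200.80.137.157
vano-soft.biz. 120 IN A 12.229.122.9
vano-soft.biz. 120 IN A 12.252.185.129
vano-soft.biz. 120 IN A 165.166.182.168
ns1.uzc12.biz. 7200 IN A 24.243.218.127
ns1.uzc12.biz. 7200 IN A 12.239.143.71
ns1.uzc12.biz. 7200 IN A 66.90.158.89
example.org. 86400 IN A 203.0.113.10
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")

def parse_rrs(text):
    """Return (owner, ttl, type, rdata) tuples; dig ';' comment lines are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            rrs.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return rrs

def flux_report(rrs, max_ttl=300, min_addrs=3, min_slash8s=2):
    """Flag A RRsets spread over several /8s that either have a short TTL or
    belong to a nameserver host (whose glue TTL is set by the registry, not the spammer)."""
    ns_hosts = {rdata for _, _, rtype, rdata in rrs if rtype == "NS"}
    by_owner = defaultdict(list)
    for owner, ttl, rtype, rdata in rrs:
        if rtype == "A":
            by_owner[owner].append((ttl, rdata))
    report = {}
    for owner, recs in by_owner.items():
        ttl = min(t for t, _ in recs)
        addrs = {a for _, a in recs}
        slash8s = {a.split(".")[0] for a in addrs}
        spread = len(addrs) >= min_addrs and len(slash8s) >= min_slash8s
        report[owner] = {"ttl": ttl, "addresses": len(addrs), "slash8s": len(slash8s),
                         "suspect": spread and (ttl <= max_ttl or owner in ns_hosts)}
    return report
```

Feed it the output of `dig +trace` or `dig +noall +answer +authority +additional` and compare reports a few minutes apart; the addresses changing while the owner name stays flagged is the rotation the thread is talking about.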

* andy@ellifson.com (Andy Ellifson) [Fri 10 Oct 2003, 01:04 CEST]:

And as soon as you call law enforcement what happens? The spammer is
located offshore. Then what?

This hasn't stopped the FTC before. Recently it named a Dutch
national in a complaint: http://www.ftc.gov/opa/2003/09/fyi0357.htm

  -- Niels.