<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head><body style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
255); color: rgb(0, 0, 0); background-color: rgb(255, 255,
255);" bgcolor="#FFFFFF" text="#000000">
today's spam brought the usual stuff, but it's sunday so i decided to
have a look. defanged:<br>
<div style="margin-left: 40px;"><span><pre wrap="">nizeteh
h t t p ://sieuthithamsan.com/movie.htm hoxebyh qizul symu tex nyly kybi
funikuz fufysud</pre></span></div>
<span>i checked my full service resolvers ("recursive
nameservers") to see if any of my RPZ providers caught it:<br>
<br></span>
<div style="margin-left: 40px;"><span>
;; AUTHORITY SECTION:</span><br>
<span>
sieuthithamsan.com. 172056 IN NS ns29.domaincontrol.com.</span><br>
<span>
sieuthithamsan.com. 172056 IN NS ns30.domaincontrol.com.</span><br>
<span>
</span><br>
<span>
;; ADDITIONAL SECTION:</span><br>
<span>
ns29.domaincontrol.com. 8075 IN A 216.69.185.15</span><br>
<span>
ns30.domaincontrol.com. 8075 IN A 208.109.255.15</span><br>
<span></span></div>
<span>
<br>
no RPZ for it yet. so i thought i'd find out if domaincontrol had any
non-junk domains that i might miss:<br>
<br></span>
<div style="margin-left: 40px;"><span>
$ isc_dnsdb_query -l 1000000 -n \*.domaincontrol.com/ns >
/var/tmp/domaincontrol</span><br>
<span></span></div>
<span>
<br>
paging through that million-name output file showed lots of junk and no
non-junk.<br>
<br></span>
<div style="margin-left: 40px;"><span>
$ head /var/tmp/domaincontrol</span><br>
<span>
naturesremedies.biz. IN NS 51.domaincontrol.com.</span><br>
<span>
e-piphany.biz. IN NS ns.51.domaincontrol.com.</span><br>
<span>
naturesremedies.biz. IN NS 52.domaincontrol.com.</span><br>
<span>
intellecap.biz. IN NS n40.domaincontrol.com.</span><br>
<span>
fapl.biz. IN NS ns1.domaincontrol.com.</span><br>
<span>
nmts.biz. IN NS ns1.domaincontrol.com.</span><br>
<span>
soobahkdo.biz. IN NS ns1.domaincontrol.com.</span><br>
<span>
budsandbabes.biz. IN NS ns1.domaincontrol.com.</span><br>
<span>
johnshandymanservice.biz. IN NS ns1.domaincontrol.com.</span><br>
<span>
fapl.biz. IN NS ns2.domaincontrol.com.</span><br>
<span></span></div>
<span>
<br>
looking at the surrounding /24 for each of the name servers ns29 and
ns30 showed lots more junk:<br>
<br></span>
<div style="margin-left: 40px;"><span>
$ isc_dnsdb_query -i 216.69.185.0/24 | head</span><br>
<span>
ns3.igirona.biz. IN A 216.69.185.1</span><br>
<span>
ns1.investcapitalmanagement.biz. IN A 216.69.185.2</span><br>
<span>
b.ns.h3f.biz. IN A 216.69.185.3</span><br>
<span>
ns1.jeweller.biz. IN A 216.69.185.13</span><br>
<span>
ns1.angelofsoul.biz. IN A 216.69.185.13</span><br>
<span>
ns4.ip0.biz. IN A 216.69.185.15</span><br>
<span>
ns1.pennymart.biz. IN A 216.69.185.21</span><br>
<span>
ns2.easy-travel.biz. IN A 216.69.185.25</span><br>
<span>
larry.kevinkatovic.biz. IN A 216.69.185.47</span><br>
<span>
ns1.ace.biz. IN A 216.69.185.50</span><br>
<span>
</span><br>
<span>
$ isc_dnsdb_query -i 208.109.255.0/24 | head</span><br>
<span>
ns4.igirona.biz. IN A 208.109.255.1</span><br>
<span>
a.ns.h3f.biz. IN A 208.109.255.2</span><br>
<span>
ns2.investcapitalmanagement.biz. IN A 208.109.255.2</span><br>
<span>
ns2.jeweller.biz. IN A 208.109.255.13</span><br>
<span>
ns2.angelofsoul.biz. IN A 208.109.255.13</span><br>
<span>
ns2.pennymart.biz. IN A 208.109.255.21</span><br>
<span>
ns1.easy-travel.biz. IN A 208.109.255.25</span><br>
<span>
calvin.kevinkatovic.biz. IN A 208.109.255.47</span><br>
<span>
ns2.ace.biz. IN A 208.109.255.50</span><br>
<span>
ns2.aez.biz. IN A 208.109.255.50</span><br>
<span></span></div>
<span>
<br>
and what about the rest of the *.domaincontrol.com name servers -- are
they in the same IP block as the first two?<br>
<br></span>
<div style="margin-left: 40px;"><span>
$ isc_dnsdb_query -r \*.domaincontrol.com/a | grep 'IN A' | head</span><br>
<span>
domaincontrol.com. IN A 68.178.211.104</span><br>
<span>
ns01.domaincontrol.com. IN A 216.69.185.1</span><br>
<span>
ns02.domaincontrol.com. IN A 208.109.255.1</span><br>
<span>
ns03.domaincontrol.com. IN A 216.69.185.2</span><br>
<span>
ns04.domaincontrol.com. IN A 208.109.255.2</span><br>
<span>
ns05.domaincontrol.com. IN A 216.69.185.3</span><br>
<span>
ns06.domaincontrol.com. IN A 208.109.255.3</span><br>
<span>
ns07.domaincontrol.com. IN A 216.69.185.4</span><br>
<span>
ns08.domaincontrol.com. IN A 208.109.255.4</span><br>
<span>
ns09.domaincontrol.com. IN A 216.69.185.5</span><br>
<span></span></div>
<span>
<br>
so while i could have just RPZ'd the domain name that spammed me, that's
a throwaway name and the attacker won't miss it. and while i could have
RPZ'd the name server names, it turns out this attacker has quite a few
and they aren't all in "*.domaincontrol.com". so i'm going to RPZ out all
name servers in these two /24 blocks. in my private enterprise RPZ zone,
this looks as follows:<br>
<br>
</span>
<div style="margin-left: 40px;"><span>; domaincontrol</span><br>
<span>24.0.255.109.208.rpz-nsip CNAME . ;
208.109.255.0/24</span><br>
<span>24.0.185.69.216.rpz-nsip CNAME . ;
216.69.185.0/24</span><br>
<span></span></div>
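<span>the owner-name encoding behind those two rpz-nsip triggers (prefix length, then the
address octets reversed), plus a check that a set of "IN A" lines in the isc_dnsdb_query
layout above really fall inside the blocked /24s. this is an added python example, not
code from the original post or from BIND; the sample lines are copied from the output
above with one constructed out-of-range line appended.<br>
</span>

```python
import ipaddress
import re

RPZ_NSIP_SUFFIX = "rpz-nsip"

def nsip_trigger(cidr: str) -> str:
    """IPv4 prefix -> RPZ NSIP trigger owner name, relative to the policy zone.
    Layout: <prefixlen>.<octet4>.<octet3>.<octet2>.<octet1>.rpz-nsip, so
    208.109.255.0/24 becomes 24.0.255.109.208.rpz-nsip as in the zone above."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 prefixes are handled in this example")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + f".{RPZ_NSIP_SUFFIX}"

def nsip_rule(cidr: str) -> str:
    """One zone-file line: trigger CNAME . (NXDOMAIN action), prefix kept as a comment."""
    return f"{nsip_trigger(cidr)} CNAME . ; {cidr}"

def trigger_to_network(trigger: str) -> ipaddress.IPv4Network:
    """Inverse of nsip_trigger: decode a trigger owner name back into a network."""
    labels = trigger.rstrip(".").split(".")
    if len(labels) != 6 or labels[-1] != RPZ_NSIP_SUFFIX:
        raise ValueError(f"not an IPv4 rpz-nsip trigger: {trigger}")
    addr = ".".join(reversed(labels[1:5]))
    return ipaddress.ip_network(f"{addr}/{labels[0]}", strict=False)

# "name. IN A a.b.c.d" as printed by isc_dnsdb_query above
LINE_RE = re.compile(r"^(\S+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")

def covered_nameservers(lines, rules):
    """Names from the passive-DNS lines whose A record lies inside any rule's prefix."""
    nets = [trigger_to_network(rule.split()[0]) for rule in rules]
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or a non-A record; nothing to match on
        name, addr = m.groups()
        if any(ipaddress.ip_address(addr) in net for net in nets):
            hits.append(name)
    return hits

RULES = [nsip_rule("208.109.255.0/24"), nsip_rule("216.69.185.0/24")]
SAMPLE_LINES = [
    "ns29.domaincontrol.com. IN A 216.69.185.15",
    "ns30.domaincontrol.com. IN A 208.109.255.15",
    "ns1.jeweller.biz. IN A 216.69.185.13",
    "domaincontrol.com. IN A 68.178.211.104",   # apex A record, outside both blocks
    "ns1.example.net. IN A 192.0.2.10",         # constructed line, outside both blocks
]
```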
<span><br>
here's what it looks like on the wire:<br>
<br>
</span>
<div style="margin-left: 40px;"><span>; <<>> DiG
9.9.3-rpz2+rl.13204.02-P2 <<>> ans01.domaincontrol.com</span><br>
<span>;; global options: +cmd</span><br>
<span>;; Got answer:</span><br>
<span>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:
63374</span><br>
<span>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1,
ADDITIONAL: 1</span><br>
<span></span><br>
<span>;; OPT PSEUDOSECTION:</span><br>
<span>; EDNS: version: 0, flags:; udp: 4096</span><br>
<span>;; QUESTION SECTION:</span><br>
<span>;ans01.domaincontrol.com. IN A</span><br>
<span></span><br>
<span>;; AUTHORITY SECTION:</span><br>
<span>dns-policy.vix.com. 30 IN SOA nsa.vix.su.
hostmaster.vix.su. 67 3600 1800 604800 30</span><br>
<span></span><br>
<span>;; Query time: 1 msec</span><br>
<span>;; SERVER: 2001:559:8000:cb::2#53(2001:559:8000:cb::2)</span><br>
<span>;; WHEN: Tue Aug 27 06:13:44 UTC 2013</span><br>
<span>;; MSG SIZE rcvd: 124</span><br>
<span></span></div>
<span><br>
this won't stop the spam from arriving, but it will make sure nobody can
click on links inside such e-mail.<br>
<br>
vixie<br>
</span>
</body></html>