get-even

Wildcarded DNS to avoid accumulating reports

I have been seeing a lot of spam where the site is (mis)using DNS wildcards. This allows the hostname to change for every recipient (and possibly track the recipient from web logs or reports).

In particular, it leads the SpamCop parser to state that there have been no recent reports, when I know that I have reported the same site in just the last few days.

Two examples from this morning (same spammer - note identical DNS servers) are as follows (using "dig" to demonstrate the wildcarding):

% dig '*.lijniahk.info' any @first.bubbalog.biz.

; <<>> DiG 9.3.0 <<>> *.lijniahk.info any @first.bubbalog.biz.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64849
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;*.lijniahk.info. IN ANY

;; ANSWER SECTION:
*.lijniahk.info. 1200 IN A 65.203.151.193
*.lijniahk.info. 1200 IN A 211.144.164.201
*.lijniahk.info. 1200 IN A 200.157.21.204

;; AUTHORITY SECTION:
lijniahk.info. 1200 IN NS FIRST.bubbalog.biz.
lijniahk.info. 1200 IN NS SECOND.bubbalog.biz.
lijniahk.info. 1200 IN NS THIRD.bubbalog.biz.

;; ADDITIONAL SECTION:
FIRST.bubbalog.biz. 1200 IN A 65.203.151.192
SECOND.bubbalog.biz. 1200 IN A 222.223.134.42
THIRD.bubbalog.biz. 1200 IN A 211.144.164.201

;; Query time: 193 msec
;; SERVER: 65.203.151.192#53(first.bubbalog.biz.)
;; WHEN: Wed Jan 5 09:09:32 2005
;; MSG SIZE rcvd: 202

--- AND

dig '*.inflfffc.info' any @first.bubbalog.biz.

; <<>> DiG 9.3.0 <<>> *.inflfffc.info any @first.bubbalog.biz.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63501
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;*.inflfffc.info. IN ANY

;; ANSWER SECTION:
*.inflfffc.info. 1200 IN A 65.203.151.193
*.inflfffc.info. 1200 IN A 211.144.164.201
*.inflfffc.info. 1200 IN A 200.157.21.204

;; AUTHORITY SECTION:
inflfffc.info. 1200 IN NS FIRST.bubbalog.biz.
inflfffc.info. 1200 IN NS SECOND.bubbalog.biz.
inflfffc.info. 1200 IN NS THIRD.bubbalog.biz.

;; ADDITIONAL SECTION:
FIRST.bubbalog.biz. 1200 IN A 65.203.151.192
SECOND.bubbalog.biz. 1200 IN A 222.223.134.42
THIRD.bubbalog.biz. 1200 IN A 211.144.164.201

;; Query time: 89 msec
;; SERVER: 65.203.151.192#53(first.bubbalog.biz.)
;; WHEN: Wed Jan 5 09:10:35 2005
;; MSG SIZE rcvd: 202

Thus each recipient gets a unique hostname reported for the site, and the parser doesn't seem able to recognize them as the same!

This *really* needs to be addressed quickly.

P.S. Only "FIRST.bubbalog.biz" currently functions; neither "SECOND.bubbalog.biz." nor "THIRD.bubbalog.biz." is up at this moment.


At the expense of being the only respondent to my own post: this morning a spam with a unique variation appeared, 'CNAME' instead of 'A' wildcarded DNS records.

Example:

% dig '*.oemlist.com' any @ns3.xml-soft.info.oemlist.com.

; <<>> DiG 9.3.0 <<>> *.oemlist.com any @ns3.xml-soft.info.oemlist.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9281
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;*.oemlist.com. IN ANY

;; ANSWER SECTION:
*.oemlist.com. 120 IN CNAME oemlist.com.

;; AUTHORITY SECTION:
oemlist.com. 120 IN NS ns3.xml-soft.info.oemlist.com.

;; Query time: 239 msec
;; SERVER: 195.85.213.146#53(ns3.xml-soft.info.oemlist.com.)
;; WHEN: Thu Jan 6 10:50:26 2005
;; MSG SIZE rcvd: 77

What is needed is for the parser to check for wildcards in all the domains containing the URI short of the TLD. Otherwise simple math will allow a spammer to use 3 runs of a million spams, and a hundred unique hostnames, and be able to distinguish each reporter (or 9 runs with only 10 hostnames). Combined with "stealth" DNS and a hundred domains, the parser would never accumulate enough reports for a single host to report it. Combine 10 wildcarded 'A' or 'CNAME' records with 5 or 6 different addresses and a run could be complete before ever being recognized (reports would believe that different virtual host sites were used, and decrease in this case by a factor of 50-60x).

Additionally, it should be necessary, if a wildcarded 'A' record or 'CNAME' is found, for the URI in the spam to be obfuscated to use a '*' or other identifier instead of the original unmunged link. (Sorry, don't know what to do about "fake" affiliate-like identifiers tacked on the tail for identification -- example: ht_tp://sitea.subd.spammer.biz/?xyz678IknowYou)

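The check proposed above (walk every domain containing the URI's hostname short of the TLD, ask for `*.<domain>`, and report `*.<domain>` rather than the per-recipient hostname when a wildcard A or CNAME covers it), written out as an added example. This is not SpamCop's parser and not code from this thread: `stub_lookup`, `ZONES`, `wildcard_ancestor` and `report_key` are names chosen here, the zone data is parsed from the dig ANSWER sections posted in the thread, and the `www.example.com` and `shop.lijniahk.info` control records are constructed (RFC 5737 documentation addresses) so the example runs offline. In a live parser `stub_lookup` would be replaced by real queries against the domain's authoritative servers. One practitioner's caveat the thread does not mention is built in: per RFC 1034 a wildcard only synthesises answers for names with no closer match, so the literal hostname's data is compared with the wildcard's before the host is treated as wildcard-covered.

```python
"""Wildcard-DNS check for a spamvertised URI: walk every domain that contains the
URI's hostname (short of the TLD), query `*.<domain>`, and when a wildcard A or
CNAME actually covers the hostname, key the report on `*.<domain>` instead of the
per-recipient hostname.  Example code written for this thread, not SpamCop's parser."""
import re
from urllib.parse import urlsplit, urlunsplit

# ANSWER-section lines copied from the dig output posted in this thread; they stand
# in for live authoritative answers so the example runs offline.
DIG_EXCERPTS = """
;; ANSWER SECTION:
*.lijniahk.info. 1200 IN A 65.203.151.193
*.lijniahk.info. 1200 IN A 211.144.164.201
*.lijniahk.info. 1200 IN A 200.157.21.204

;; ANSWER SECTION:
*.oemlist.com. 120 IN CNAME oemlist.com.

;; ANSWER SECTION:
*.dhdhbua.com. 60 IN CNAME dhdhbua.com.

;; ANSWER SECTION:
dhdhbua.com. 60 IN A 200.146.101.107
"""

RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+([A-Z]+)\s+(\S+)$", re.M)


def parse_dig_answers(text):
    """Collect every `owner TTL IN TYPE rdata` line into {owner: [(type, rdata), ...]}."""
    zones = {}
    for owner, rtype, rdata in RR_LINE.findall(text):
        zones.setdefault(owner.lower(), []).append((rtype, rdata.lower()))
    return zones


ZONES = parse_dig_answers(DIG_EXCERPTS)
# Constructed control records (RFC 5737 documentation addresses, not from the thread).
ZONES["www.example.com."] = [("A", "192.0.2.1")]      # ordinary host, no wildcard anywhere
ZONES["shop.lijniahk.info."] = [("A", "192.0.2.7")]   # explicit name inside a wildcarded zone


def stub_lookup(name):
    """Offline stand-in for an authoritative query, following RFC 1034 wildcard
    rules: an exact owner name wins; otherwise the nearest enclosing `*` answers,
    unless an existing intermediate name sits between it and the query."""
    name = name.lower()
    if name in ZONES:
        return ZONES[name]
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:]) + "."
        if "*." + parent in ZONES:
            return ZONES["*." + parent]
        if parent in ZONES:   # closest encloser exists but has no wildcard child
            return []
    return []


def wildcard_ancestor(host, lookup=stub_lookup):
    """Return the shortest domain containing `host` (short of the TLD) whose
    wildcard A/CNAME data covers `host`, or None when no wildcard applies."""
    host = host.rstrip(".").lower() + "."
    labels = host.rstrip(".").split(".")
    host_rrs = sorted(r for r in lookup(host) if r[0] in ("A", "CNAME"))
    for i in range(len(labels) - 2, 0, -1):            # nearest the TLD first
        zone = ".".join(labels[i:]) + "."
        wild_rrs = sorted(r for r in lookup("*." + zone) if r[0] in ("A", "CNAME"))
        # A wildcard only synthesises answers for names with no closer match, so
        # insist that the literal hostname returns the same data as `*.<zone>`.
        if wild_rrs and wild_rrs == host_rrs:
            return zone
    return None


def report_key(url, lookup=stub_lookup):
    """Collapse a wildcard-covered hostname to `*.<zone>` and drop the query string
    (the affiliate-style tail); dropping the query is this example's choice."""
    parts = urlsplit(url)
    if not parts.hostname:
        return url
    zone = wildcard_ancestor(parts.hostname, lookup)
    if zone is None:
        return url
    return urlunsplit((parts.scheme, "*." + zone.rstrip("."), parts.path or "/", "", ""))


if __name__ == "__main__":
    for u in ("http://k3j9x.lijniahk.info/?xyz678IknowYou",
              "http://a1b2c3.oemlist.com/",
              "http://shop.lijniahk.info/",
              "http://www.example.com/page"):
        print(u, "->", report_key(u))
```

Checking the domain nearest the TLD first is deliberate: a wildcard at `lijniahk.info` also answers a query for `*.anything.lijniahk.info`, so a deeper check would only repeat what the higher one found, and the shortest covering zone is the key under which all of that spammer's per-recipient hostnames collapse. The `shop.lijniahk.info` control shows the other direction: a name with its own records inside a wildcarded zone is left alone, because reports for it really are about a different host.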

Please stop doing your own word-wrapping, you're hurting my eyes. Thanks!


Another 'CNAME' wildcarder; notice the difference before and during a spam run:

---- Before, almost normal (though "*.grtdnsserver.com" is an identifiable spam support server)

% dig '*.dhdhbua.com' any

; <<>> DiG 9.3.0 <<>> *.dhdhbua.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13515
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;*.dhdhbua.com. IN ANY

;; ANSWER SECTION:
*.dhdhbua.com. 60 IN CNAME dhdhbua.com.

;; AUTHORITY SECTION:
dhdhbua.com. 169102 IN NS ns1.grtdnsserver.com.
dhdhbua.com. 169102 IN NS ns2.grtdnsserver.com.

;; ADDITIONAL SECTION:
ns1.grtdnsserver.com. 81288 IN A 200.146.101.107
ns2.grtdnsserver.com. 53961 IN A 200.146.101.107

;; Query time: 343 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 7 19:12:35 2005
;; MSG SIZE rcvd: 126

--- During the "spam run" - "*.grtdnsserver.com" is in "stealth" mode, and the 'NS' records are changed

% dig '*.dhdhbua.com' any @200.146.101.107

; <<>> DiG 9.3.0 <<>> *.dhdhbua.com any @200.146.101.107
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24094
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;*.dhdhbua.com. IN ANY

;; ANSWER SECTION:
*.dhdhbua.com. 60 IN CNAME dhdhbua.com.

;; AUTHORITY SECTION:
dhdhbua.com. 300 IN NS dn303.dhdhbua.com.
dhdhbua.com. 300 IN NS dn404.dhdhbua.com.

;; Query time: 236 msec
;; SERVER: 200.146.101.107#53(200.146.101.107)
;; WHEN: Fri Jan 7 19:13:30 2005
;; MSG SIZE rcvd: 85

% dig 'dhdhbua.com' any @200.146.101.107

; <<>> DiG 9.3.0 <<>> dhdhbua.com any @200.146.101.107
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40555
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dhdhbua.com. IN ANY

;; ANSWER SECTION:
dhdhbua.com. 300 IN NS dn303.dhdhbua.com.
dhdhbua.com. 300 IN NS dn404.dhdhbua.com.
dhdhbua.com. 86400 IN SOA dn303.dhdhbua.com. webmaster.dhdhbua.com. 1104709961 14400 1800 1209600 300
dhdhbua.com. 60 IN A 200.146.101.107

;; Query time: 264 msec
;; SERVER: 200.146.101.107#53(200.146.101.107)
;; WHEN: Fri Jan 7 19:22:41 2005
;; MSG SIZE rcvd: 131
