get-even Posted January 5, 2005 Share Posted January 5, 2005 I have been seeing a lot of spam where the site is (mis)using DNS wildcards. This allows the hostname to change for every recipient (and possibly track the recipient from web logs or reports). In particular, it leads the SpamCop parser to state that there have been no recent reports, when I know that I have reported the same site in just the last few days. Two examples from this morning (same spammer - note identical DNS servers) are as follows (using "dig" to demonstrate the wildcarding): % dig '*.lijniahk.info' any [at]first.bubbalog.biz. ; <<>> DiG 9.3.0 <<>> *.lijniahk.info any [at]first.bubbalog.biz. ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64849 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3 ;; QUESTION SECTION: ;*.lijniahk.info. IN ANY ;; ANSWER SECTION: *.lijniahk.info. 1200 IN A 65.203.151.193 *.lijniahk.info. 1200 IN A 211.144.164.201 *.lijniahk.info. 1200 IN A 200.157.21.204 ;; AUTHORITY SECTION: lijniahk.info. 1200 IN NS FIRST.bubbalog.biz. lijniahk.info. 1200 IN NS SECOND.bubbalog.biz. lijniahk.info. 1200 IN NS THIRD.bubbalog.biz. ;; ADDITIONAL SECTION: FIRST.bubbalog.biz. 1200 IN A 65.203.151.192 SECOND.bubbalog.biz. 1200 IN A 222.223.134.42 THIRD.bubbalog.biz. 1200 IN A 211.144.164.201 ;; Query time: 193 msec ;; SERVER: 65.203.151.192#53(first.bubbalog.biz.) ;; WHEN: Wed Jan 5 09:09:32 2005 ;; MSG SIZE rcvd: 202 --- AND dig '*.inflfffc.info' any [at]first.bubbalog.biz. ; <<>> DiG 9.3.0 <<>> *.inflfffc.info any [at]first.bubbalog.biz. ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63501 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3 ;; QUESTION SECTION: ;*.inflfffc.info. IN ANY ;; ANSWER SECTION: *.inflfffc.info. 1200 IN A 65.203.151.193 *.inflfffc.info. 1200 IN A 211.144.164.201 *.inflfffc.info. 1200 IN A 200.157.21.204 ;; AUTHORITY SECTION: inflfffc.info. 1200 IN NS FIRST.bubbalog.biz. inflfffc.info. 1200 IN NS SECOND.bubbalog.biz. inflfffc.info. 1200 IN NS THIRD.bubbalog.biz. ;; ADDITIONAL SECTION: FIRST.bubbalog.biz. 1200 IN A 65.203.151.192 SECOND.bubbalog.biz. 1200 IN A 222.223.134.42 THIRD.bubbalog.biz. 1200 IN A 211.144.164.201 ;; Query time: 89 msec ;; SERVER: 65.203.151.192#53(first.bubbalog.biz.) ;; WHEN: Wed Jan 5 09:10:35 2005 ;; MSG SIZE rcvd: 202 Thus each recipiant gets a unique hostname reported for the site, and the parser doesn't seem able to recognize them as the same! This *really* needs to be addressed quickly. P.S. only "FIRST.bubbalog.biz" current functions, neither "SECOND.bubbalog.biz." or "THIRD.bubbalog.biz." are `up' at this moment. Link to comment Share on other sites More sharing options...
get-even Posted January 6, 2005 Author Share Posted January 6, 2005 At the expense of being the only respondent to my own post. This morning a spam with a unique variation appeared; 'CNAME'' instead of 'A' wildcarded DNS records. example: % dig '*.oemlist.com' any [at]ns3.xml-soft.info.oemlist.com. ; <<>> DiG 9.3.0 <<>> *.oemlist.com any [at]ns3.xml-soft.info.oemlist.com. ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9281 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;*.oemlist.com. IN ANY ;; ANSWER SECTION: *.oemlist.com. 120 IN CNAME oemlist.com. ;; AUTHORITY SECTION: oemlist.com. 120 IN NS ns3.xml-soft.info.oemlist.com. ;; Query time: 239 msec ;; SERVER: 195.85.213.146#53(ns3.xml-soft.info.oemlist.com.) ;; WHEN: Thu Jan 6 10:50:26 2005 ;; MSG SIZE rcvd: 77 What is needed is for the parser to check for wildcards in the all domains containing the URI short of the TLD. Otherwise simple math will allow a spammer to use 3 runs of a million spams, and a hundred unique hostnames, and be able to distinguish each reporter (or 9 runs with only 10 hostnames). Combined with "steath" DNS and a hundred domains the parser would never accumulate enough reports for a single host to report it. Combine 10 wildcarded 'A" or 'CNAME' records with 5 or 6 different addresses and a run could be complete before ever being recognized (reports would believe that different virtual host sites were used, and decrease in this case by a factor of 50-60x). Additionally, it should be necessary, if a wildcarded 'A' record or 'CNAME' is found, for the URI in the spam to be obfuscated to use a '*' or other identifier instead of the original unmunged link. (Sorry, don't know what to do about "fake" affiliate-like idenifiers tacked on the tail for identification -- example: ht_tp://sitea.subd.spammer.biz/?xyz678IknowYou Link to comment Share on other sites More sharing options...
Jeff G. Posted January 7, 2005 Share Posted January 7, 2005 Please stop doing your own word-wrapping, you're hurting my eyes. Thanks! Link to comment Share on other sites More sharing options...
get-even Posted January 8, 2005 Author Share Posted January 8, 2005 Please stop doing your own word-wrapping, you're hurting my eyes. Thanks! 22696[/snapback] Another 'CNAME' wildcarder; Notice the difference before and during a spam run: ---- Before, almost normal (though *.grtdnsserver.com" is an identifiable spam support server) % dig '*.dhdhbua.com' any ; <<>> DiG 9.3.0 <<>> *.dhdhbua.com any ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13515 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;*.dhdhbua.com. IN ANY ;; ANSWER SECTION: *.dhdhbua.com. 60 IN CNAME dhdhbua.com. ;; AUTHORITY SECTION: dhdhbua.com. 169102 IN NS ns1.grtdnsserver.com. dhdhbua.com. 169102 IN NS ns2.grtdnsserver.com. ;; ADDITIONAL SECTION: ns1.grtdnsserver.com. 81288 IN A 200.146.101.107 ns2.grtdnsserver.com. 53961 IN A 200.146.101.107 ;; Query time: 343 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Jan 7 19:12:35 2005 ;; MSG SIZE rcvd: 126 --- During the "spam run" - "*.grtdnserver.com" is in "stealth" mode, and the 'NS' records are changed % dig '*.dhdhbua.com' any [at]200.146.101.107 ; <<>> DiG 9.3.0 <<>> *.dhdhbua.com any [at]200.146.101.107 ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24094 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;*.dhdhbua.com. IN ANY ;; ANSWER SECTION: *.dhdhbua.com. 60 IN CNAME dhdhbua.com. ;; AUTHORITY SECTION: dhdhbua.com. 300 IN NS dn303.dhdhbua.com. dhdhbua.com. 300 IN NS dn404.dhdhbua.com. ;; Query time: 236 msec ;; SERVER: 200.146.101.107#53(200.146.101.107) ;; WHEN: Fri Jan 7 19:13:30 2005 ;; MSG SIZE rcvd: 85 % dig 'dhdhbua.com' any [at]200.146.101.107 ; <<>> DiG 9.3.0 <<>> dhdhbua.com any [at]200.146.101.107 ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40555 ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;dhdhbua.com. IN ANY ;; ANSWER SECTION: dhdhbua.com. 300 IN NS dn303.dhdhbua.com. dhdhbua.com. 300 IN NS dn404.dhdhbua.com. dhdhbua.com. 86400 IN SOA dn303.dhdhbua.com. webmaster.dhdhbua.com. 1104709961 14400 1800 1209600 300 dhdhbua.com. 60 IN A 200.146.101.107 ;; Query time: 264 msec ;; SERVER: 200.146.101.107#53(200.146.101.107) ;; WHEN: Fri Jan 7 19:22:41 2005 ;; MSG SIZE rcvd: 131 Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.