Jump to content

HOSTNOC Update


couttsj
 Share

Recommended Posts

The good news is that our server is no longer being bombarded by spam originating from servers housed at Network Operations Center in Scranton PA. The domains are still up and running, so I don't know if it's just our server that isn't being targeted, or if it is general in nature.

The bad news is that the spam continues from other hosting sites scattered throughout the US, but at a much reduced volume. This is a very sophisticated operation that is likely bypassing most DNSBL servers. The envelope sender (MAIL FROM:), the EHLO domain name, and the IP address all correlate. The reverse address (PTR) is correctly configured, and the mail server is configured to verify that it is capable of receiving email. The domain names used are domains that have recently become available, and all of them have been newly registered at Moniker Privacy Services using the the following DNS servers:

ns1.monikerdns.net [208.73.210.41]

ns2.monikerdns.net [208.73.211.42]

ns3.monikerdns.net [50.57.11.89]

ns4.monikerdns.net [50.57.11.88]

This has got to be an expensive operation, because the IP addresses are only used once (at least on our server). Using this methodology more than likely allows them to bypass all DNS based Black Lists. I do not have an example of the actual spam because our server does not receive any outside email. If someone has an email that matches this description, I would like to know how they are making enough money to support this operation.

J.A. Coutts

Link to comment
Share on other sites

  • 3 weeks later...

The domain names used are domains that have recently become available, and all of them have been newly registered at Moniker Privacy Services using the the following DNS servers:

J.A. Coutts

I noticed this over a year ago. The spammer(s) seem to get entire /24 or so blocks of addresses, since I will see a variety of spams come from the same handful of related addresses (again, all Moniker DNS/Privacy domains) for a period of time.

I'm considering null-routing all of Monikers DNS servers, so that even if their spams get through, no one within our network can activate any of the web links for their web sites to enable their addresses to be 'verified'.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...