DigitalNation Posted March 24, 2006 Share Posted March 24, 2006 Hello! This is my first post here , although I have been reporting to SPAMCOP for 3 years now. I am not really the "chatting" type but this issue has intrigued me. I have noticed that we are seeing some consistently bad DNS packet traffic from IP addresses all within the FDCSERVERS.NET network. I did a search on Google for some of the IP address and found references to these ranges on SPAMHAUS : http://www.spamhaus.org/sbl/listings.lasso...=fdcservers.net My question is, is there evidence that spam gangs are using DNS type attacks/bad packets to somehow trick or augment their spamming systems? I would appreciate any info you can give me on this subject. We have worked very hard to secure our DNS and want to know if somehow the bad traffic is connected to inbound spam (pump & dump mostly). I will try and post here more often, as I pretty well eat and sleep mail abuse (my job here.) Thanks! M. McBride Digitalnation Vancouver CA ----------------- Link to comment Share on other sites More sharing options...
Farelf Posted March 24, 2006 Share Posted March 24, 2006 The SpamHaus listings certainly indicate the FDCSERVERS.NET network is corrupt - and there would be little point in raising the issue with the owners. http://www.dnsreport.com/tools/dnsreport.c...=FDCSERVERS.NET indicates a source of exploitation: INFO NS records at your nameservers Your NS records at your nameservers are: ns2.fdcservers.net. [66.90.66.136] [TTL=14400] ns1.fdcservers.net. [66.90.66.135] [TTL=14400] FAIL Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are: Server 66.90.66.135 reports that it will do recursive lookups. [test] Server 66.90.66.136 reports that it will do recursive lookups. [test] Link to comment Share on other sites More sharing options...
DigitalNation Posted March 24, 2006 Author Share Posted March 24, 2006 Yes, Now I see that "Pump & Dump" spammers have added an external webpage "disclaimer" to their spew. *As if they are operating a legit biz and need to have a "disclaimer!* The message has no links and is only an image in the body. It asks you to go to: http://johnnyandco.info/ (http://membres.lycos.fr/discdisc20/) to read the "disclaimer" Here is the image in the body: image ht tp://digitalnation.ca/sp_x/pandd1.jpg Looks like the "disclaimer" was tripping over too many filters This is desperate thinking and shows that they are hurting. M. Mc. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.