Saw this elsewhere, sounds interesting enough to forward on. -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
I just today got two spams that showed me a new spammer DNS trick (new to me, at least).
Rather than use fictitious domain names, I'll use the actual names from one of the spams. The basic trick is the same either way.
nepzzz.com is spamvertised. Its registration specifies nameservers in nictxt.com. nictxt.com has been taken over by its registrar, apparently for invalid contact info (and good for them). But they didn't go quite far enough; while querying the gtld-servers.net servers for nictxt.com returns NXDOMAIN, querying them for nepzzz.com returns delegation NS records under nictxt.com _with glue A records_, thereby defeating the registrar's attempted removal of the domain.
The other spam was for ahottieiswhatiwant.com, with nameservers in 9t5.net; the basic trick is the same.
In each case, I sent a message suggesting that rather than just pointing it at their own servers, they point the domain at the names the spammers used (which require glue records) but supply glue pointing to the registrar's server(s), thereby getting the glue the spammers injected into the gtld-servers system replaced.
So be careful when poking at the DNS while spamhaus-hunting. If you query for the wrong thing you may be misled into thinking something has been taken down when it hasn't.