It looks like they are using their little team of zombie machines that are doing the port 80 redirect to also respond to DNS requests:

;; AUTHORITY SECTION:
vano-soft.biz.          120     IN      NS      ns3.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns4.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns5.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns1.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns2.uzc12.biz.

;; ADDITIONAL SECTION:
ns3.uzc12.biz.          7200    IN      A       24.91.206.103
ns3.uzc12.biz.          7200    IN      A       12.206.49.107
ns4.uzc12.biz.          7200    IN      A       12.227.146.168
ns5.uzc12.biz.          7200    IN      A       66.21.211.204
ns5.uzc12.biz.          7200    IN      A       165.166.182.168
ns1.uzc12.biz.          7200    IN      A       24.243.218.127
ns1.uzc12.biz.          7200    IN      A       12.239.143.71
ns1.uzc12.biz.          7200    IN      A       66.90.158.89
ns1.uzc12.biz.          7200    IN      A       12.229.122.9
ns2.uzc12.biz.          7200    IN      A       24.107.74.166
ns2.uzc12.biz.          7200    IN      A       207.6.75.110

103.206.91.24.in-addr.arpa domain name pointer h00402b45512d.ne.client2.attbi.com.
168.182.166.165.in-addr.arpa domain name pointer rhhe16-168.2wcm.comporium.net
110.75.6.207.in-addr.arpa domain name pointer d207-6-75-110.bchsia.telus.net

On Thu, 2003-10-09 at 11:53, Kee Hinckley wrote:
At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
A few minutes later, or from a different nameserver, I get
Name: vano-soft.biz Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9 12.252.185.129
This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?
I think in this instance your best approach may be to go after the name servers. Anything else is going to be a game of whack-a-mole. Our spam filtering software actually uses the address of a domain's name server in its scoring system. Sometimes that's the only way we've been able to reliably detect a spammer.
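A defender's version of the nameserver-based scoring Kee describes, as an added example that is not code from this thread or from any spam filter: it parses the dig output quoted above, collects every address the domain's nameservers resolve to, counts how many distinct /16 networks they span, and flags nameservers whose reverse names look like consumer access lines (the PTR patterns are an assumption, not something the thread states).

```python
import re
from collections import defaultdict
# Constructed input: the dig answer for vano-soft.biz quoted in the thread and the
# three reverse lookups the poster ran (PTR names as shown there).
DIG_OUTPUT = """\
;; AUTHORITY SECTION:
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.
;; ADDITIONAL SECTION:
ns3.uzc12.biz. 7200 IN A 24.91.206.103
ns3.uzc12.biz. 7200 IN A 12.206.49.107
ns4.uzc12.biz. 7200 IN A 12.227.146.168
ns5.uzc12.biz. 7200 IN A 66.21.211.204
ns5.uzc12.biz. 7200 IN A 165.166.182.168
ns1.uzc12.biz. 7200 IN A 24.243.218.127
ns1.uzc12.biz. 7200 IN A 12.239.143.71
ns1.uzc12.biz. 7200 IN A 66.90.158.89
ns1.uzc12.biz. 7200 IN A 12.229.122.9
ns2.uzc12.biz. 7200 IN A 24.107.74.166
ns2.uzc12.biz. 7200 IN A 207.6.75.110
"""
PTR = {"24.91.206.103": "h00402b45512d.ne.client2.attbi.com",
       "165.166.182.168": "rhhe16-168.2wcm.comporium.net",
       "207.6.75.110": "d207-6-75-110.bchsia.telus.net"}
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)$")
# Assumed PTR patterns typical of consumer access lines (not from the thread).
RESIDENTIAL = re.compile(r"client|dsl|cable|dhcp|dyn|\d+-\d+-\d+-\d+", re.I)

def parse_rrs(text):
    """Return (list of NS names, {owner: [A addresses]}) from dig-style output."""
    ns, addrs = [], defaultdict(list)
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            if rtype == "NS": ns.append(rdata)
            else: addrs[owner].append(rdata)
    return ns, addrs

def nameserver_score(text, ptr):
    """Score a domain by where its nameservers live, not by its web host."""
    ns, addrs = parse_rrs(text)
    ips = sorted({ip for n in ns for ip in addrs.get(n, [])}, key=lambda ip: tuple(map(int, ip.split("."))))
    nets = {".".join(ip.split(".")[:2]) for ip in ips}      # distinct /16s
    resid = [ip for ip in ips if RESIDENTIAL.search(ptr.get(ip, ""))]
    score = (len(ips) >= 5) + (len(nets) >= 5) + 2 * bool(resid)
    return {"ns_ips": ips, "networks": len(nets), "residential": resid, "score": score}
```

Only two of the three reverse names hit the assumed patterns, which is the usual trade-off with PTR heuristics; a real filter would combine this with the TTL (120 s here) and the sheer number of addresses behind each NS name.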