Doesn't this fall under bad things happen. Hopefully it is very clear to all on NANOG that DNS changes can have unforeseeable consequences, because of the nature of the delegation in the DNS. As such pulling DNS records (or zones) you don't fully understand the usage of, as a response to a security/spam problem, is generally a bad idea. That said ultimately a decision has to be taken, relative benefits versus risks. I'm very grateful someone arranged that all records used by the "MINIT" trojan now point to an RFC1918 private address space*, having found infected boxes failing to download their payload as a result. However pulling DNS records probably doesn't belong in the hurly burly of front line support. Simon *Anyone going to check how many DNS servers are still caching "asfasf.ath.cx", to tell how many boxes "nearly" downloaded the payload? In the style of the Sony DRM fiasco measurement.