Ok, got a few off list replies that secureserver.net is godaddy which is fine - makes sense. I just wish this would link back to them easier (some backup ns being something.godaddy.com or some SOA of an IP listed in the spf being something.godaddy.com or whatever). Thank y'all for the info. On Mon, Oct 27, 2014 at 11:57 AM, shawn wilson <ag4ve.us@gmail.com> wrote:
We get lots of probes from subdomains of southwestdoor.com and secureserver.net 's SOA and I'm curious who these guys are?
The only web page I could find was southwestdoor redirects to http://www.arcadiacustoms.com and then to http://arcadia-custom.com/ (a hardware company is causing unwanted network traffic - not unless they're owned)
Traceroute for southwestdoor.com goes through secureserver.net and they have lots of references (in dns) to themselves, jomax.net and domaincontrol.com.
Can someone give me a better picture of how this all fits together on a company level - as in how do these guys make money and why are they probing our network? I understand scans from ISPs and colos, but I can't directly identify these guys as either.