Jon.Kibler@aset.com ("Jon R. Kibler") writes:

Anyone have any info on either of these domains?

I have seen several recent web sites that had an iframe that pointed to clickbank.net and "interesting" / hidden links to bundleway.com.

Haven't found much of use in a quick search of Google, except for a few claims of fraud against them. I suspect that they are some how related to affiliate programs?

TIA for anything you may be able to tell me!

the nameservers who answered questions about bundleway.com in the last ~150 days were: 216.129.109.1 66.117.40.198 205.234.154.1 205.234.170.165 63.219.151.3 216.49.92.249 the A RR is stable, no flux at all. the nameservers are stable, also no flux. 1198886670 an bundleway.com IN A 1800,64.40.117.19 216.129.109.1 1197752951 ns bundleway.com IN NS 1800,ns0.dnsmadeeasy.com \ 1800,ns0.dnsmadeeasy.com.bundleway.com \ 1800,ns1.dnsmadeeasy.com \ 1800,ns1.dnsmadeeasy.com.bundleway.com \ 1800,ns2.dnsmadeeasy.com \ 1800,ns2.dnsmadeeasy.com.bundleway.com \ 1800,ns3.dnsmadeeasy.com \ 1800,ns3.dnsmadeeasy.com.bundleway.com \ 1800,ns4.dnsmadeeasy.com \ 1800,ns4.dnsmadeeasy.com.bundleway.com \ 216.129.109.1 note that there are no actual ".dnsmadeeasy.com.bundleway.com" nameservers, so i suspect that somebody somewhere forgot a trailing "." or had the wrong $ORIGIN or something. this is in the zone, or at least, it's in all answers from the zone's servers, it's consistent enough that i expect it's in-zone rather than some kind of dns load balancing error. most traffic seen under clickbank.net is A RR responses, here are the top 10 out of ~4600 or so: roeib.4idiots.hop.clickbank.net mediafire.noadware.hop.clickbank.net mediafire.spywarebot.hop.clickbank.net mediafire.regsmart.hop.clickbank.net mediafire.adalert.hop.clickbank.net mediafire.regcure.hop.clickbank.net delusions.sharezone.hop.clickbank.net rvrsephone.phonesrch.hop.clickbank.net esearching.movies01.hop.clickbank.net vvllc2.phonesrch.hop.clickbank.net ... it's pretty damning stuff. the nameservers who produce these are, in order by frequency (downward): 209.81.12.120 209.81.12.121 64.128.87.120 64.128.87.121 216.99.132.5 216.99.132.104 (no overlap with the dnsmadeeasy.com nameservers shown earlier.) the A RR's given by these *.hop.clickbank.net answers are always one of these three: 900,209.81.12.132 900,209.81.12.133 900,64.128.87.132 900,64.128.87.133 900,209.81.12.134 900,209.81.12.135 that is, two A RRs in an RRset, TTL 900. the first two are overwhelmingly more frequent than the third one. looks like some kind of load balancing. there's a similar but less frequent pattern, *.pay.clickbank.net, whose A RRs are always one of these two sets: 900,209.81.12.134 900,209.81.12.135 900,64.128.87.134 900,64.128.87.135 the MX RRs for clickbank.net are always 900,10,a-mx.coloc8.net 900,20,b-mx.coloc8.net except one recent sighting of the following: 900,10,mx1.clickbank.net 900,10,mx2.clickbank.net there are also A RRs for 3LDs hop, www, ssl, and zzz, plus a 2LD A RR. i hope this helps. it's all courtesy of ISC SIE and our generous sensors, of whom i would welcome more. if you run a recursive nameserver for some population, and are willing to share your upstream server-to-server traffic with ISC for use in security research and operations, plz send me e-mail. -- Paul Vixie

On Sun, Apr 13, 2008 at 10:34:58AM -0400, Jon R. Kibler wrote:

Anyone have any info on either of these domains?

Yes. clickbank.net are like a rash all over spammer domain lists. I recommend blacklisting them permanently. While you're at it, deal with these as well: clickbank.com keynetics.com paytrack.com because they're the same spammer/spamgang. bundleway.com is new on my radar; however I note with interest that they share an A record with adwarexterminator.com antiviruspremium.com antivirusprotectionsite.com antivirusprotector.com spywarexp.com and quite a few other similarly-named domains that are listed in Snort's domain database as containing trojan/spyware threats. Given the size of the database I'm referencing, and that no other domains in it match, it's unlikely that this is a coincidence. ---Rsk