[BBLISA] DNS scams
Dean Anderson
dean at av8.com
Fri Sep 18 15:27:42 EDT 2009
I've been getting a ton of these in my logs lately. At first I thought
they might be an attack on the logging system or a seriously
misconfigured spambot.
Of course, nothing is queued and I was just about to configure SEC to
automatically add these to my local blacklist. But then it occurred to
me that any automatic additions in a DNS failure would break legitimate
email. If a DNS attack were used to spoof NXDOMAIN responses or DNS were
to fail for some other reason, it would really make a mess. Of course,
from there, it was just another hop to recall the Kaminsky/Vixie scam to
promote DNSSEC--and this seems like another promotion of DNSSEC...
reject=553 5.1.8 <spliced67 at 027cf7c2acfd4f3>... Domain of sender address spliced67 at 027cf7c2acfd4f3 does not exist
Not that non-existent domains are anything new, but the volume has
changed: thousands and thousands of message attempts from 4700+ IP
addresses in last few days. That's quite a bit higher than usual for
our servers. And I might have pissed off SOSDG/AHBL, too. The spam
servers never use valid domains, and nmap scans show they aren't open
proxies. It's basically just annoyance, rather than a real problem.
But:
Are other people seeing similar increases of domain rejections in their
mail logs?
Is anyone seeing DNS attacks which might spoof NXDOMAIN?
Appreciate it if you keep me apprised.
--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 256 5494
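The safeguard the post argues for (not feeding 5.1.8 rejections into a blacklist when DNS itself may be failing or spoofed), as an added example that is not from the original post or the list: it counts sendmail-style sender-domain rejections per relay IP and refuses to emit blacklist candidates unless injected canary lookups for known-good names still succeed. The sample log lines, the `relay=[ip]` field layout, the canary names and the `resolve` callback are constructed assumptions, not taken from the post.

```python
import re
from collections import Counter

# Constructed sample, modelled on the sendmail reject line quoted in the post.
# The relay= field is assumed to carry the connecting host's IP as sendmail logs it.
SAMPLE_LOG = """\
Sep 18 14:01:02 mx sendmail[101]: n8II12aa000101: ruleset=check_mail, relay=[198.51.100.7], reject=553 5.1.8 <spliced67@027cf7c2acfd4f3>... Domain of sender address spliced67@027cf7c2acfd4f3 does not exist
Sep 18 14:01:05 mx sendmail[102]: n8II15aa000102: ruleset=check_mail, relay=[198.51.100.7], reject=553 5.1.8 <bob@1a2b3c4d5e6f>... Domain of sender address bob@1a2b3c4d5e6f does not exist
Sep 18 14:01:09 mx sendmail[103]: n8II19aa000103: ruleset=check_mail, relay=[203.0.113.9], reject=553 5.1.8 <joe@ffeeddccbb>... Domain of sender address joe@ffeeddccbb does not exist
Sep 18 14:01:11 mx sendmail[104]: n8II1Baa000104: ruleset=check_mail, relay=[198.51.100.7], reject=553 5.1.8 <x@deadbeef0001>... Domain of sender address x@deadbeef0001 does not exist
"""

# Matches the relay IP and the sender domain in a 553 5.1.8 rejection.
REJECT_RE = re.compile(
    r"relay=\[(?P<ip>[0-9a-fA-F.:]+)\].*?reject=553 5\.1\.8 .*?"
    r"Domain of sender address \S+@(?P<domain>\S+) does not exist"
)


def parse_rejects(log_text):
    """Return (ip -> count, domain -> count) for sender-domain rejections."""
    ips, domains = Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ips[m.group("ip")] += 1
            domains[m.group("domain")] += 1
    return ips, domains


def resolver_healthy(resolve, canaries=("example.com", "example.net")):
    """True only if every canary name resolves (resolve() is an injected callback,
    an assumption, returning a truthy answer or a falsy value on NXDOMAIN/timeout).
    A known-good name failing means the resolver is broken or being spoofed,
    so NXDOMAIN-based rejections are not evidence against the sending hosts."""
    return all(resolve(name) for name in canaries)


def blacklist_candidates(log_text, resolve, threshold=3):
    """IPs at or above threshold, or an empty list while DNS looks unhealthy."""
    ips, _ = parse_rejects(log_text)
    if not resolver_healthy(resolve):
        return []
    return sorted(ip for ip, n in ips.items() if n >= threshold)
```

In a real deployment the canary check would run with a real lookup and the candidate list would be reviewed before any automatic action, which is the point the post makes against blind SEC-driven additions.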