OK, so Sach is out of town, and I'm left on my own to explain to our
client why she's getting blacklist threats from spamcop.

So... bear in mind that these forensics are being done by somebody that
finds DNS to be the only thing more mystifying than women.

The problem:

Our client has been accused of being a spammer because somebody received
some 300+ spam messages with a URL embedded that points to a domain that she owns.
The URL being something like:

  http://freemortgage.com@;<clientsURL>.org/cgi/test2.cgi

The actual URL was encoded even more freakily actually, it looked
something like:

  http://www.wewillgetyouthemortgageyouneed.com@%67l%6f%62%61l%323%2e%66%72e%65%73%68e%6cl%2e%6f%72%67/cgi-bin/test2.cgi')

with a JavaScript function that decodes that URL into the one above.

Our client has no site up at the referenced domain, and in fact, doesn't
even have the domain pointed at her DNS servers.  Some investigating follows:

whois <client's domain>
   Domain Name: CL.ORG
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: DNS1.NAME-SERVICES.COM
   Name Server: DNS2.NAME-SERVICES.COM
   Name Server: DNS3.NAME-SERVICES.COM
   Name Server: DNS4.NAME-SERVICES.COM
   Name Server: DNS5.NAME-SERVICES.COM
   Updated Date: 29-apr-2002

whois DNS1.NAME-SERVICES.COM
   Server Name: DNS1.NAME-SERVICES.COM
   IP Address: 66.150.5.62
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com

nslookup <client's domain>
  Name:    xxx.org
  Address:  66.150.5.36

whois 66.150.5.36
  DNS1.EDUUNIVERSITY.COM
  NS1.PANTAIKUTA.NET
  NS.EL-SIDDIK.NET
  NS1.FURIK.COM
  NS1.FURIK.COM.FURIK.COM
  NS1.SRIZEN.COM
  NS.SHEPHERDSOFGRACE.ORG
  NS.SHEPHERDSOFGRACE.COM
  FURIK.COM.FURIK.COM
  66.150.5.36

So, what I'm inferring from all this is that our client's site, which is
registered at enom and under the control of enom, resolves to the address
of one of enom's name servers.

And the real problem is that the registrar was hacked and they are being
used to send out spam that includes a reference to a script sitting on
their nameserver that redirects to a different website to foil the spamcop
tracking?

Or am I way off base here?  It seems unlikely that this involves our
client in any way, other than owning the site, as she's not in control of
the DNS or hosting the site, right?

-Lkb
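The URL trick quoted in the message above (a lure domain placed in the userinfo part before `@`, with the real host percent-encoded) can be unpicked mechanically rather than by eye. The following Python is an added example, not code from the post or from the Bits list; it works on a constructed sample URL modelled on the shape of the one above (with `example.org` standing in for the client's domain), including the quoted-printable `=` soft line break the mail client left in, and reports which host a browser actually contacts so an analyst can confirm whether a reported URL really points at a given domain.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample modelled on the URL quoted in the post: the "lure" domain
# sits in the userinfo part before '@', the real host is percent-encoded, the
# '=' followed by a newline is a quoted-printable soft line break left by the
# mail client, and the trailing ') is residue of the JavaScript string literal.
SAMPLE_QP = (
    "http://www.freemortgage-lure.example@%65x%61%6dpl%65%2e=\n"
    "%6f%72g/cgi/test2.cgi')"
)


def unfold_quoted_printable(text: str) -> str:
    """Remove quoted-printable soft line breaks ('=' at the end of a line)."""
    return re.sub(r"=\r?\n", "", text)


def analyse_url(raw: str) -> dict:
    """Return the host a browser would really contact, plus the displayed lure.

    Per RFC 3986 everything before the last '@' in the authority is userinfo,
    not a hostname, so a reader skimming the link sees the lure domain while
    the request goes to the (percent-encoded) host after the '@'.
    """
    url = unfold_quoted_printable(raw).strip().rstrip("')")
    parts = urlsplit(url)
    userinfo, sep, _ = parts.netloc.rpartition("@")
    # urlsplit already strips userinfo and port; unquote reveals the encoded host.
    real_host = unquote(parts.hostname or "")
    return {
        "displayed_lure": unquote(userinfo) if sep else None,
        "real_host": real_host,
        "path": unquote(parts.path),
        "obfuscated": bool(sep) or "%" in parts.netloc,
    }


def points_at(raw: str, domain: str) -> bool:
    """True if the URL's real host is `domain` or a subdomain of it."""
    host = analyse_url(raw)["real_host"].lower()
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    info = analyse_url(SAMPLE_QP)
    for key, value in info.items():
        print(f"{key:15s} {value}")
    print("points at example.org:", points_at(SAMPLE_QP, "example.org"))
```

Paste the raw string straight out of the spam message into `analyse_url`; `points_at` is the check to run against the client's domain when answering a spamcop-style complaint. The `@` syntax is valid userinfo, which is why the decoded link genuinely lands on the client's host rather than on the lure site named at the front of the URL.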

_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits