
discuss - Re: [opennic-discuss] Fwd: Re: FINAL REMINDER: Malware DNS server at 185.121.177.177 [SBL325026]

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Jonah Aragon <jonaharagon AT gmail.com>
  • To: discuss <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] Fwd: Re: FINAL REMINDER: Malware DNS server at 185.121.177.177 [SBL325026]
  • Date: Wed, 4 Jan 2017 17:27:49 -0600

This is why I find it ridiculous. If they used some terribly unregulated ccTLD instead of .bit, of which tons exist because certain governments clearly can't regulate their namespaces, they wouldn't go after *all DNS servers* that can resolve it, they would go after the actual server. This shouldn't be handled any differently, Fusl is just operating a simple DNS resolver.

Jonah

On Jan 4, 2017 5:24 PM, "Christopher" <weblionx AT gmail.com> wrote:
Not to mention that there's nothing stopping the malware from using a
different .bit domain, or a .geek, or even a .com or .info TLD.

My assumption is that the reason they're even doing this is because
unlike .geek or .com, there is no one to talk with to get the domain
removed, so they just went "well you're making it easy for them so
nyeh". What's to stop a new version of malware from using .bit
directly without a T2 acting as a proxy?

On Wed, Jan 4, 2017 at 3:33 PM, Jonah Aragon <jonaharagon AT gmail.com> wrote:
> There is central organization in the OpenNIC version of the .bit system. It
> certainly isn't true Namecoin connectivity.
>
> But that is the issue, yeah. Fusl blocking a domain now sets a precedent, so
> I definitely don't think this would be a good idea.
>
> I'm of the opinion that we should drop Namecoin resolution. There's little
> benefit in my opinion. How many people use OpenNIC for .bit resolution?
>
> Jonah
>
> On Jan 4, 2017 2:29 PM, "Hillebrand van de Groep"
> <hillebrand AT flippylosaurus.eu> wrote:
>
> There is no central organization in the .bit system. If one server operator
> decides to act like one, users will lose trust in the server (and its
> operator). If an operator blocks one domain, what will stop him from blocking
> another one _without_ any malicious intent?
>
>
> On January 4, 2017 9:23:15 PM GMT+01:00, JC <jc AT motorsports-x.com> wrote:
>>
>> i agree with the sentiment of not censoring anyone... but when malware
>> traffic is out to cause harm.. i feel there is a duty to prevent that harm..
>> i would have no problem with the Access control in this case... but that's
>> just me.   i would not be upset either way to be honest.
>>
>> On Wed, Jan 4, 2017 at 1:53 PM, Fusl Dash <opennic AT lists.dedilink.eu>
>> wrote:
>>>
>>>
>>>
>>> -------- Forwarded Message --------
>>> Subject: Re: FINAL REMINDER: Malware DNS server at 185.121.177.177
>>> [SBL325026]
>>> Date: Wed, 4 Jan 2017 20:50:19 +0100
>>> From: The Spamhaus Project - SBL Removals <sbl-removals AT spamhaus.org>
>>> Organization: The Spamhaus Project
>>> To: Kevin Holly | FuslVZ Ltd <holly AT fuslvz.ws>
>>>
>>> Hello Kevin
>>>
>>> Thanks for contacting Spamhaus!
>>>
>>> Looking into the malware's botnet traffic, it appears that it is using
>>> your DNS server to resolve .bit domain names. So the easiest way to
>>> prevent that the malware can communicate with its botnet controller
>>> (C&C) would be to create an ACL for the said botnet C&C domain
>>> (nutsystem325z.bit) to prevent that it is being resolved through your
>>> DNS server.
>>>
>>> Please understand that we are unable to remove this listing unless the
>>> documented abuse problem has been fully terminated.
>>>
>>> If you have any further questions, please do not hesitate to contact us.
>>>
>>> --
>>> Best regards
>>> Thomas Morrison
>>>
>>> SBL Removal Team
>>> The Spamhaus Project
>>> Geneva, Switzerland
>>> http://www.spamhaus.org
>>>
>>> On 04.01.2017 16:42, Kevin Holly | FuslVZ Ltd wrote:
>>> > Dear madam or sir,
>>> >
>>> > the DNS resolver in question is a *recursive* DNS resolver and part of
>>> > the OpenNIC Project (https://www.opennicproject.org/ - alternative
>>> > root-zone) responsible for offering *the* uncensored, open and democratic
>>> > DNS system and root-zone that people need in this world right at this
>>> > moment.
>>> >
>>> > › dig +short NS nutsystem325z.bit. @185.121.177.177
>>> > ns1.domaincoin.net.
>>> > ns2.domaincoin.net.
>>> > -> ns1.domaincoin.net. and ns2.domaincoin.net. are authoritative for
>>> > nutsystem325z.bit.
>>> >
>>> > › dig +short A ns1.domaincoin.net. @185.121.177.177
>>> > 83.96.168.183
>>> > › dig +short A ns2.domaincoin.net. @185.121.177.177
>>> > 108.61.40.140
>>> > -> Neither ns1 nor ns2 are in any way associated with my server
>>> > 185.121.177.177
>>> >
>>> > › dig +short A nut22.nutsystem325z.bit @83.96.168.183
>>> > 202.78.227.61
>>> > › dig +short A nut22.nutsystem325z.bit @108.61.40.140
>>> > 202.78.227.61
>>> > -> ns1.domaincoin.net. and ns2.domaincoin.net. are authoritative for
>>> > this and therefore answer with the A record in question.
>>> >
>>> > The .bit DNS zone authoritative for the domain in question is hosted by
>>> > Namecoin, a blockchain based information network similar to how Bitcoin
>>> > transactions are executed, therefore there is no single point of failure or
>>> > person or company who is able to manage or censor any domains.
>>> >
>>> >
>>> > Best regards,
>>> >
>>> > Kevin Holly | Chief Executive Officer
>>> >
>>> > kevin.holly AT fuslvz.ws | +43 699 1334 7295
>>> >  _____          ___     _______
>>> > |  ___|   _ ___| \ \   / /__  /
>>> > | |_ | | | / __| |\ \ / /  / /
>>> > |  _|| |_| \__ \ | \ V /  / /_
>>> > |_|   \__,_|___/_|  \_/  /____|
>>> >
>>> >
>>> > On 2017-01-04 16:08, notification AT spamhaus.org wrote:
>>> >>
>>> >> ------------------------------------------------------------------------
>>> >> This is an automated message from the Spamhaus Block List (SBL)
>>> >> database.
>>> >> Do not reply to this email directly. Please follow the 'Removal
>>> >> Procedure' shown on the SBL Advisory page (referenced below) instead.
>>> >>
>>> >> ------------------------------------------------------------------------
>>> >>
>>> >> Dear Sir or Madam
>>> >>
>>> >> In the past weeks, Spamhaus reached out to you several times regarding
>>> >> the following abuse issue in your network:
>>> >>
>>> >> SBL Advisory: https://www.spamhaus.org/sbl/query/SBL325026
>>> >>
>>> >> We have already sent an abuse report to you regarding this abuse
>>> >> problem on 2016-12-16 as well as a reminder on 2016-12-27. However, we still
>>> >> didn't receive any response from you regarding this abuse issue and as of
>>> >> today the described abuse problem still exists, threatening thousands of
>>> >> innocent internet users.
>>> >>
>>> >> We hereby kindly ask you once again to take the appropriate action
>>> >> according to your ToS/AUP at the earliest convenience to prevent
>>> >> further abuse being generated on your network.
>>> >>
>>> >> This is our 3rd and last reminder. Since the ongoing persistence of
>>> >> this abuse issue and your unresponsive behaviour, Spamhaus currently
>>> >> considers your network as harmful and risky to Spamhaus SBL users. Should
>>> >> your company fail to address the described abuse problem within the next 24
>>> >> hours, Spamhaus will issue an escalation listing for your network, per SBL
>>> >> escalation policy for 'knowingly providing spam support services'. This
>>> >> escalation may take effect in 24 hours time.
>>> >>
>>> >> Spamhaus SBL Policy & Listing Criteria:
>>> >> http://www.spamhaus.org/sbl/policy.html
>>> >>
>>> >> Please be aware that a listing on the SBL means that email from the IP
>>> >> addresses listed (or containing references to any web site hosted on the IP
>>> >> addresses listed) may be rejected by Internet networks that use the SBL to
>>> >> filter inbound mail.
>>> >>
>>> >> Please take action quickly.
>>> >> Thank you.
>>> >>
>>> >> --
>>> >> SBL System Robot
>>> >> The Spamhaus Project
>>> >> http://www.spamhaus.org
>>> >>
>>>
>>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>
>
> --------
> You are a member of the OpenNIC Discuss list.
> You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
>
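
An added illustration, not part of the thread and not OpenNIC or Spamhaus tooling: the Spamhaus reply names nutsystem325z.bit, while the dig output in the thread shows the record actually queried is nut22.nutsystem325z.bit, so any per-domain ACL or log review has to match the whole zone on label boundaries. The sketch below assumes BIND-style query log lines; the sample log, client addresses and function names are constructed for the example.

```python
import re
from collections import Counter

# Domain named in the Spamhaus reply quoted in the thread.
BLOCKED_ZONES = {"nutsystem325z.bit"}

# Constructed sample lines in BIND querylog style; client addresses are
# RFC 5737 documentation addresses, not real observations.
SAMPLE_LOG = """\
04-Jan-2017 16:08:01.101 client 192.0.2.10#53124 (nut22.nutsystem325z.bit): query: nut22.nutsystem325z.bit IN A + (185.121.177.177)
04-Jan-2017 16:08:02.412 client 198.51.100.7#40211 (example.geek): query: example.geek IN A + (185.121.177.177)
04-Jan-2017 16:08:03.977 client 192.0.2.10#53130 (NUT22.NutSystem325z.BIT.): query: NUT22.NutSystem325z.BIT. IN A + (185.121.177.177)
04-Jan-2017 16:08:05.020 client 203.0.113.44#61002 (notnutsystem325z.bit): query: notnutsystem325z.bit IN A + (185.121.177.177)
04-Jan-2017 16:08:06.333 client 203.0.113.44#61003 (nutsystem325z.bit): query: nutsystem325z.bit IN NS + (185.121.177.177)
"""

QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ .*?query: (?P<name>\S+) IN ")


def normalize(name):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return name.rstrip(".").lower()


def in_blocked_zone(name, zones=BLOCKED_ZONES):
    """True if name is a blocked zone apex or any name below it.

    Matching is on whole labels, so 'notnutsystem325z.bit' is not
    treated as part of 'nutsystem325z.bit'.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def clients_querying_blocked(log_text, zones=BLOCKED_ZONES):
    """Count queries for blocked-zone names per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and in_blocked_zone(m.group("name"), zones):
            hits[m.group("ip")] += 1
    return hits


if __name__ == "__main__":
    for ip, count in clients_querying_blocked(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count}")
```
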


