Discuss mailing list

["mail" <mail AT lseitz.de>]

Sorry the Spam tag was my rspamd.

So, after some more debugging and VPN hopping i managed to get the same anycast server that serves your requests:

dig whoami.akamai.net @185.121.177.177  +short
104.156.252.143

And now i can confirm that i see phishy records as well, for example this:

dig duckduckgo.com @185.121.177.177 +short
69.171.244.11
which belongs to dropbox?

or this:

dig example.com @185.121.177.177 +short
61.244.67.111

I also checked multiple other anycast instances that are running on 185.121.177.177, which all seem fine expect 104.156.252.143 which indeed seems to resolve wrong records.

I would highly suggest to get in contact with fusl, she is in the community for quite a while and i cant imangine that she is doing this on porpuse. Perhaps some system got infected.



Am Donnerstag, September 02, 2021 03:26 CEST, schrieb Se7en <se7en AT cock.email>:
 
> On 21-09-02 03:21:00, Lennart Seitz wrote:
> > I dont think thats the problem here since Duckduckgo.com resolves to
> > facebook IPs for him and also shows https certificates that are related
> > to facebook.com when visiting duckduckgo.com
> >
> > Can you please check what
> > dig whoami.akamai.net
> > gives you when you use opennic and quad9 (for example).
>
> For some reason this changed to *** SPAM *** in the subject
> line. Please give ATTN to the List Moderator to fix this. I don't want
> this filtered.
>
> # ON Quad9
>
> $ dig whoami.akamai.net
>
> ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> whoami.akamai.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10586
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;whoami.akamai.net. IN A
>
> ;; ANSWER SECTION:
> whoami.akamai.net. 180 IN A 74.63.16.248
>
> # This IP is registered to WoodyNet
>
> ;; Query time: 49 msec
> ;; SERVER: 192.168.1.1#53(192.168.1.1)
> ;; WHEN: Wed Sep 01 18:22:46 PDT 2021
> ;; MSG SIZE rcvd: 62
>
> # On OpenNIC Wiki's Anycast
>
> ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> whoami.akamai.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42082
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;whoami.akamai.net. IN A
>
> ;; ANSWER SECTION:
> whoami.akamai.net. 174 IN A 104.156.252.143
>
> ;; Query time: 5 msec
> ;; SERVER: 192.168.1.1#53(192.168.1.1)
> ;; WHEN: Wed Sep 01 18:23:33 PDT 2021
> ;; MSG SIZE rcvd: 62
>
> # This IP is registerd to The Constant Company, LLC
>
> Note that /this time/ when I changed back to the OpenNICProject's
> Wiki's Anycast, it now has the MITM again, redirecting sites to the
> 190.vip fradulent Chinese domain register.
>
> --
> |-----/ | Se7en
> / The One and Only! | se7en AT cock.email
> / | 0x0F83F93882CF6116
> / | https://se7en-site.neocities.org