Re: [opennic-dns-operations] Banning 206.225.82.0/24 netblock for 48 hours.

  • From: Kenny Taylor <kennytaylor AT runbox.com>
  • To: dns-operations <dns-operations AT lists.opennicproject.org>
  • Subject: Re: [opennic-dns-operations] Banning 206.225.82.0/24 netblock for 48 hours.
  • Date: Mon, 22 Apr 2013 07:34:37 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I have seen the same kind of traffic as well (sample below). It doesn't
amount to much bandwidth. It appears that a lot of these spam blacklists use
custom DNS responses (with short TTL). See http://www.spamhaus.org/zen/. The
host seems to be a legitimate mail gateway.

22-Apr-2013 07:14:57.543 client x.x.x.x#30901: query: 33.157.53.209.sa-accredit.habeas.com IN TXT + (208.111.40.37)
22-Apr-2013 07:14:57.559 client x.x.x.x#18887: query: 33.157.53.209.list.dnswl.org IN A + (208.111.40.37)
22-Apr-2013 07:14:57.614 client x.x.x.x#44772: query: 33.157.53.209.zen.spamhaus.org IN A + (208.111.40.37)
22-Apr-2013 07:14:57.615 client x.x.x.x#17200: query: 33.157.53.209.bl.spamcop.net IN TXT + (208.111.40.37)
22-Apr-2013 07:14:57.616 client x.x.x.x#53245: query: 33.157.53.209.psbl.surriel.com IN A + (208.111.40.37)
22-Apr-2013 07:14:57.617 client x.x.x.x#51881: query: 33.157.53.209.list.dnswl.org IN A + (208.111.40.37)
22-Apr-2013 07:14:57.617 client x.x.x.x#10925: query: 33.157.53.209.bb.barracudacentral.org IN A + (208.111.40.37)
22-Apr-2013 07:14:57.618 client x.x.x.x#53018: query: 33.157.53.209.bl.score.senderscore.com IN A + (208.111.40.37)
22-Apr-2013 07:14:57.634 client x.x.x.x#10569: query: 33.157.53.209.sa-trusted.bondedsender.org IN TXT + (208.111.40.37)
22-Apr-2013 07:14:57.719 client x.x.x.x#61723: query: rdiamondgroup.com.rhsbl.ahbl.org IN A + (208.111.40.37)


- ----- Start Original Message -----
Sent: Sun, 21 Apr 2013 15:04:19 -0600
From: Jeff Taylor <shdwdrgn AT sourpuss.net>
To: dns-operations AT lists.opennicproject.org
Subject: Re: [opennic-dns-operations] Banning 206.225.82.0/24 netblock for
48 hours.

> I am seeing the same type of traffic here from this IP block. It
> appears to be querying in cycles of 1 second --- making about 50
> requests for 1 second, then stopping all activity for 1 second. I am
> adding this IP to my blocklist as well. If someone wants to make
> commercial use of OpenNic, I see no problems with this, however they
> should be running their own DNS server for this amount of traffic.
>
> I'm pasting a small sampling of the tcpdump below for reference...
>
> 14:56:05.304385 IP 206.225.82.240.33941 > 216.87.84.211.53: 15+ A? 178.180.214.67.cbl.abuseat.org. (48)
> 14:56:05.305146 IP 206.225.82.240.56948 > 216.87.84.211.53: 26+ A? 178.180.214.67.dnsbl.inps.de. (46)
> 14:56:05.318239 IP 206.225.82.246.53393 > 216.87.84.211.53: 112+ A? 178.180.214.67.rbl-plus.mail-abuse.org. (56)
> 14:56:05.320892 IP 206.225.82.120.59328 > 216.87.84.211.53: 20+ A? 178.180.214.67.b.barracudacentral.org. (55)
> 14:56:05.326319 IP 206.225.82.120.38784 > 216.87.84.211.53: 73+ A? 178.180.214.67.xs.surbl.org. (45)
> 14:56:05.329781 IP 206.225.82.246.53808 > 216.87.84.211.53: 112+ A? 178.180.214.67.z.mailspike.net. (48)
> 14:56:05.332283 IP 206.225.82.246.57741 > 216.87.84.211.53: 119+ A? 178.180.214.67.block.dnsbl.sorbs.net. (54)
> 14:56:05.332997 IP 206.225.82.120.53693 > 216.87.84.211.53: 123+ A? 178.180.214.67.list.bbfh.org. (46)
> 14:56:05.345830 IP 206.225.82.240.38310 > 216.87.84.211.53: 94+ A? 178.180.214.67.bsb.empty.us. (45)
> 14:56:05.347685 IP 206.225.82.120.52860 > 216.87.84.211.53: 104+ A? 178.180.214.67.dnsrbl.swinog.ch. (49)
> 14:56:05.360841 IP 206.225.82.214.60666 > 216.87.84.211.53: 34+ A? 178.180.214.67.safe.dnsbl.sorbs.net. (53)
> 14:56:05.362052 IP 206.225.82.240.35198 > 216.87.84.211.53: 50+ A? 178.180.214.67.blacklist.sci.kun.nl. (53)
> 14:56:05.387914 IP 206.225.82.214.42145 > 216.87.84.211.53: 40+ A? 178.180.214.67.stale.dict.rbl.arix.com. (56)
> 14:56:05.390990 IP 206.225.82.240.48046 > 216.87.84.211.53: 34+ A? 178.180.214.67.relays.mail-abuse.org. (54)
> 14:56:05.399976 IP 206.225.82.120.33447 > 216.87.84.211.53: 84+ A? 178.180.214.67.niku.2ch.net. (45)

- ----- End Original Message -----
-----BEGIN PGP SIGNATURE-----
Version: APG v1.0.8

iQJDBAEBCAAtBQJRdUp9JhxLZW5ueSBUYXlsb3IgPGtlbm55dGF5bG9yQHJ1bmJv
eC5jb20+AAoJELOordj4VKFQIMEP/iYrhHoHeg3Q5d4PpHVBsvytw72cNaLAqXX/
G1OO8QKHeaiAP7Xs8pBW/WBxCH5Vsseo5QtlS8eCJTx6KS4cXJz9KsvqcfZWt+5W
ZHKdoJSdXUkw6UAKNo2GnYyPPNdDjN+Eoag3maGk6yGXZo9dSJTJ19Un+/OAInjy
cRTYkaUAL2mkrrIDbXm93MfvPNhUI0VpzHidNyyEJE0pLfQeWQsm+7JRsaf8wGla
Decm+JkhnycW5mvVwhkBdUfcMwrflmESEz8vANzySQbq8Ub1gtepNExfFmdYp8ZS
bDlS5EwK93qlZDmqEqnWJreZ2ZP2KmGqlsHzAVcEchLWSWODaCiuUmqzl0jT25z+
xKJzEWHtLgFrxkE2f7qfPuMBUM4MeLA2tw56z1HklvgCJumRaK3MuJrFZATg4Ozd
nBu5M2Ufx1+yovZiihAoVj4F3+ZkDTPiUyo/5l/FDlyqTlVE0UYRZo4bn5AG4UWj
RtHDT+44zJajWVQU2ZFvN5iVTbZnoUaqEVs30bgTMWnbOnylrgSx7CwvVI2MHNWJ
CM+9wMMw1DQqt2QiZEk0vWY4gWb8fQBxjBX5OB4WswqRoqvjSEjbVeEebvHJ1wdx
BKziT8n9DLb6CjI+U+HziktPd0M16eCIUryWGYy4Djs/jRUmT7yL/X9wuCOF3jbN
DbuNO7bc
=aVJ8
-----END PGP SIGNATURE-----
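Both messages in this thread are looking at the same thing from two vantage points: a BIND query log and a tcpdump capture, each full of lookups whose name is a reversed IPv4 address prefixed to a DNSBL zone (RFC 5782 style), arriving in one-second bursts from a mail gateway. The script below is an added example, not code from either poster or from OpenNIC. It parses both line formats as they appear in the thread, recovers the address being checked and the list zone it was checked against, aggregates per client and per second, and flags clients whose per-second lookup rate reaches a threshold the operator chooses. The sample lines are constructed with RFC 5737 addresses in place of the real client and resolver addresses; the regexes are modelled on the formats shown above and assume BIND 9 "query:" log lines and tcpdump's one-line DNS summary.

```python
import re
from collections import Counter, defaultdict

# BIND 9 query-log line, modelled on the list post, e.g.
#   22-Apr-2013 07:14:57.543 client 198.51.100.7#30901: query: 33.157.53.209.zen.spamhaus.org IN A + (192.0.2.53)
BIND_RE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d)\.\d+ client (?P<client>[^#\s]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) \S+ \([^)]*\)$"
)

# tcpdump one-line DNS query summary, modelled on the quoted message, e.g.
#   14:56:05.304385 IP 203.0.113.240.33941 > 192.0.2.53.53: 15+ A? 178.180.214.67.cbl.abuseat.org. (48)
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<client>\d+(?:\.\d+){3})\.\d+ > "
    r"\d+(?:\.\d+){3}\.53: \d+\+ (?P<qtype>\w+)\? (?P<qname>\S+) \(\d+\)$"
)

# Four numeric labels followed by a zone: the DNSBL lookup shape from RFC 5782.
REVERSED_IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(.+)$")


def parse_line(line):
    """Normalise a BIND query-log or tcpdump line to (second, client, qname, qtype); None if neither."""
    m = BIND_RE.match(line) or TCPDUMP_RE.match(line)
    if not m:
        return None
    # Keep the timestamp to whole-second resolution so lookups can be bucketed per second.
    return m.group("ts"), m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def classify_qname(qname):
    """Return (looked_up_ip, zone) for a DNSBL lookup of an IPv4 address, else (None, qname).

    33.157.53.209.zen.spamhaus.org is a lookup of 209.53.157.33 in zen.spamhaus.org.
    Ordinary reverse lookups (x.x.x.x.in-addr.arpa) have the same shape and are excluded,
    as are domain-based RHSBL lookups, which carry no reversed address.
    """
    m = REVERSED_IPV4_RE.match(qname)
    if not m:
        return None, qname
    octets = [int(o) for o in m.groups()[:4]]
    zone = m.group(5)
    if zone == "in-addr.arpa" or not all(0 <= o <= 255 for o in octets):
        return None, qname
    return ".".join(str(o) for o in reversed(octets)), zone


def summarize(lines):
    """Aggregate DNSBL lookups per client, per (client, second) and per looked-up address."""
    per_client = Counter()
    per_second = Counter()
    zones_by_client = defaultdict(set)
    zones_by_ip = defaultdict(set)
    non_dnsbl = Counter()
    for line in lines:
        parsed = parse_line(line.strip())
        if parsed is None:
            continue
        second, client, qname, _qtype = parsed
        ip, zone = classify_qname(qname)
        if ip is None:
            non_dnsbl[client] += 1
            continue
        per_client[client] += 1
        per_second[(client, second)] += 1
        zones_by_client[client].add(zone)
        zones_by_ip[ip].add(zone)
    return {"per_client": per_client, "per_second": per_second,
            "zones_by_client": dict(zones_by_client), "zones_by_ip": dict(zones_by_ip),
            "non_dnsbl": non_dnsbl}


def noisy_clients(summary, per_second_threshold):
    """Clients whose DNSBL lookup count reached the threshold within any single second."""
    peak = Counter()
    for (client, _second), n in summary["per_second"].items():
        peak[client] = max(peak[client], n)
    return sorted(c for c, n in peak.items() if n >= per_second_threshold)


# Constructed sample: both formats, one-second bursts, plus lines that must not count as DNSBL lookups.
SAMPLE_LOG = """\
22-Apr-2013 07:14:57.543 client 198.51.100.7#30901: query: 33.157.53.209.sa-accredit.habeas.com IN TXT + (192.0.2.53)
22-Apr-2013 07:14:57.559 client 198.51.100.7#18887: query: 33.157.53.209.list.dnswl.org IN A + (192.0.2.53)
22-Apr-2013 07:14:57.614 client 198.51.100.7#44772: query: 33.157.53.209.zen.spamhaus.org IN A + (192.0.2.53)
22-Apr-2013 07:14:57.719 client 198.51.100.7#61723: query: example.net.rhsbl.example IN A + (192.0.2.53)
22-Apr-2013 07:14:58.101 client 198.51.100.7#61724: query: www.example.com IN A + (192.0.2.53)
22-Apr-2013 07:14:58.200 client 198.51.100.7#61725: query: 37.40.111.208.in-addr.arpa IN PTR + (192.0.2.53)
14:56:05.304385 IP 203.0.113.240.33941 > 192.0.2.53.53: 15+ A? 178.180.214.67.cbl.abuseat.org. (48)
14:56:05.305146 IP 203.0.113.240.56948 > 192.0.2.53.53: 26+ A? 178.180.214.67.dnsbl.example. (46)
14:56:05.318239 IP 203.0.113.246.53393 > 192.0.2.53.53: 112+ A? 178.180.214.67.rbl-plus.mail-abuse.org. (56)
14:56:06.320892 IP 203.0.113.240.59328 > 192.0.2.53.53: 20+ A? 178.180.214.67.b.barracudacentral.org. (55)
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for client, n in s["per_client"].most_common():
        print(f"{client}: {n} DNSBL lookups across {len(s['zones_by_client'][client])} zones")
    print("clients at >= 3 lookups in one second:", noisy_clients(s, 3))
```

The per-second bucket is what the quoted message describes (a burst, then silence), so a peak-per-second threshold separates a mail gateway doing a full DNSBL sweep per inbound connection from a client that merely resolves a few names. The `in-addr.arpa` exclusion matters because PTR lookups have exactly the reversed-octet shape and would otherwise inflate the counts; domain-based RHSBL lookups such as the `rhsbl.ahbl.org` line above land in `non_dnsbl`, since there is no address to recover from them.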