[Emerging-Sigs] auto-domain creation
Jim McQuaid
jim.mcquaid at gmail.com
Tue Mar 11 22:24:17 EST 2008
"One way to beat the RBN's auto-domain creation tactic is to catalogue
their IP space and block it whether they have anything there or not.
I've thought about this as a means to diminish the effectiveness of
fast flux. An example is at RapidSwitch; yesterday the RBN sigs blocked:
87.117.252.11
87.117.255.20
87.117.255.30
However, we have now observed:
Conclusion: RBN owns that block of 255 addresses. So, we should
always block it, as they are free to move domains in and out of that
range at will."
--
James McQuaid
http://www.jamesmcquaid.com
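
The range-blocking idea in the message above, sketched as an added example (not code from the original post or from the Emerging-Sigs project): observed malicious hosts are grouped by enclosing prefix, and a prefix with enough distinct hosts is blocked whole, so an address in it that has never been observed is still covered. The /24 prefix length, the `min_hosts` threshold, the function names and the sample observations (RFC 5737 documentation addresses) are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample observations (documentation address space), not data from the post.
OBSERVED = [
    ("198.51.100.11", "shop.example"),
    ("198.51.100.20", "mail.example"),
    ("198.51.100.30", "ns2.example"),
    ("198.51.100.38", "a.example.net"),
    ("198.51.100.226", "b.example.net"),
    ("203.0.113.5", "lone.example.org"),
]

def covering_blocks(observations, prefix_len=24, min_hosts=3):
    """Return the prefixes that contain at least min_hosts distinct observed hosts."""
    hosts = defaultdict(set)
    for ip, _domain in observations:
        # strict=False masks the host bits, giving the enclosing network.
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hosts[net].add(ipaddress.ip_address(ip))
    return sorted(net for net, seen in hosts.items() if len(seen) >= min_hosts)

def build_blocklist(observations, prefix_len=24, min_hosts=3):
    """Block dense prefixes whole; keep isolated hosts as individual /32 entries."""
    blocks = covering_blocks(observations, prefix_len, min_hosts)
    singles = set()
    for ip, _domain in observations:
        addr = ipaddress.ip_address(ip)
        if not any(addr in block for block in blocks):
            singles.add(ipaddress.ip_network(f"{ip}/32"))
    # collapse_addresses merges adjacent or overlapping entries and sorts the result.
    return list(ipaddress.collapse_addresses(blocks + sorted(singles)))

def is_blocked(ip, blocklist):
    """True if ip falls inside any blocklist entry, whether or not it was ever observed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)

if __name__ == "__main__":
    blocklist = build_blocklist(OBSERVED)
    for net in blocklist:
        print(net)
    # An address in the dense prefix that has not been observed yet is already covered.
    print(is_blocked("198.51.100.250", blocklist))
```

Raising `min_hosts` or shortening the prefix changes how much unobserved address space is blocked, which is the false-positive trade-off of blocking by range rather than by host.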