<p dir="ltr">I did say fast flux. Take down one compromised VM in a cheap datacenter somewhere and it pops up on some random company's exposed file and print server somewhere else.<br>
</p>
<div class="gmail_quote">On Jun 26, 2013 8:49 PM, "Frank Gadegast" <<a href="mailto:ripe-anti-spam-wg@powerweb.de">ripe-anti-spam-wg@powerweb.de</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Suresh Ramasubramanian wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Consider, if you will, a domain that has absolutely no "content", but is<br>
the command and control for a fast flux botnet. Which has been the case<br>
with both the Latvian as well as Austrian ccTLD cases.<br>
</blockquote>
<br>
Same thing.<br>
The controllers must run on a server with an IP address;<br>
destroy these servers.<br>
<br>
The domain name is just a name; it's the hostnames in the domain's<br>
nameserver pointing to an IP and a server with whatever service<br>
running under that IP.<br>
It's likely that the botnet owner uses another domain name<br>
if you remove it.<br>
<br>
Botnet owners aren't stupid.<br>
<br>
<br>
Kind regards, Frank<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
On Jun 26, 2013 7:52 PM, "Frank Gadegast" <<a href="mailto:ripe-anti-spam-wg@powerweb.de" target="_blank">ripe-anti-spam-wg@powerweb.de</a>> wrote:<br>
<br>
Suresh Ramasubramanian wrote:<br>
<br>
Just want to note that domain names themselves can't be<br>
dangerous (of course using a similar name could cause<br>
problems with trademarks and the like).<br>
<br>
It's only the content that's dangerous, email or webpage.<br>
So it's more a problem of the people running the services,<br>
and these are either hacked sites or ISPs tolerating<br>
or deliberately hosting this content.<br>
<br>
Asking a TLD registry to remove domain names because<br>
of phishing is then somehow the wrong place to start,<br>
especially for Spamhaus; they should know better and<br>
simply place all those IPs on their lists ...<br>
<br>
<br>
BTW:<br>
just found the service "Google Safe Browsing Alerts<br>
for Network Administrators" where every AS owner can<br>
register under<br>
<a href="http://www.google.com/safebrowsing/alerts/" target="_blank">http://www.google.com/safebrowsing/alerts/</a><br>
to receive notification about doubtful content<br>
Google might find when spidering your network.<br>
<br>
This could be pretty useful to remove phishing<br>
and hacked sites pretty quickly.<br>
<br>
<br>
<br>
Kind regards, Frank<br>
<br>
There are of course multiple sides to that story as well.<br>
<br>
Like a massive infestation of rock phish domains which, too, were<br>
knowingly disregarding local law, and were present in rather massive<br>
quantities on the .at ccTLD at that time.<br>
<br>
<a href="http://www.spamhaus.org/organization/statement/7/" target="_blank">http://www.spamhaus.org/organization/statement/7/</a><br>
<br>
--srs<br>
<br>
On Wednesday, June 26, 2013, Wilfried Woeber wrote:<br>
<br>
Erik Bais wrote:<br>
[...]<br>
> For those that want to read up on what actually happened on that specific<br>
> incident in Latvia (July/August 2010), have a read on the following open<br>
> letter from CERT.lv<br>
><br>
> <a href="https://cert.lv/uploads/uploads/OpenLetter.pdf" target="_blank">https://cert.lv/uploads/uploads/OpenLetter.pdf</a><br>
<br>
And this actually wasn't the only or the first "incident"<br>
with Spamhaus.<br>
They also tried similar *piep*^Wbullying against NIC.at before.<br>
<br>
Which actually has discredited Spamhaus in my personal<br>
opinion for sure,<br>
for knowingly disregarding local law, but that's slightly<br>
OT here - but<br>
maybe not...<br>
<br>
> Erik Bais<br>
<br>
Wilfried.<br>
<br>
<br>
<br>
--<br>
--srs (iPad)<br>
</blockquote>
<br>
<br>
</blockquote></div>