Botnet Queries to MXes against cache

Peter Dambier peter at peter-dambier.de
Mon Sep 8 19:33:22 UTC 2008


Hi Dan,

why should they query you?

Do you run a resolver?

If they are querying a wordbook out of your stomach
they might send the answers just as well - trying
to poison your cache.

They are after google and googlemail.
I guess they want to capture your clients emails or passwords for
their email accounts. Harvesting email accounts for spamming.

Maybe they want to capture their browsers as well - tricking
people to install ratware.

The bot querying need not be the same as the bots sending faked
answers.

Kind regards
Peter


Gushi wrote:
> This isn't a request for help so much as a story for anyone else who's
> seeing similar things:
> 
> Okay,
> 
> I have logwatch set up on my cobalt raq3.
> 
> Logwatch is cool. It emails you everything in the logfiles, you define
> great regular expressions as to what's harmless noise, and keep going
> till it's only the critical stuff that you get.
> 
> I just got a mail FULL of the following:
> 
> client 123.17.150.226 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ALT2.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX2.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX3.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX4.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
> client 123.18.118.42 query (cache) 'ASPMX5.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.213.68 query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.59.189 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> client 123.19.99.134 query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
> 
> So after I dig around for a bit (no pun intended), I realize.
> 
> What I'm looking at is a whole bunch of terribly broken DNS
> implementations. DNS implementations that bypass a host's DNS entry,
> and directly query ME instead of looking something up directly.
> 
> All the domains above are A records (address records) that are pointed
> to by MX (mail exchanger) records. I host sites that use those MXes,
> but I don't host (obviously) googlemail.com.
> 
> Okay, so I know why this is happening. It's mostly harmless.
> 
> My options:
> 
> 1) Tune logwatch so I don't get these.
> 
> 2) Tune BIND so it doesn't log these hits.
> 
> 3) Use this information to feed a real-time blacklist -- it's fairly
> easy to write the parser but from the looks of it, most of these IPs
> are already on RBLs I use (spamhaus PBL, CBL).
> 
> 4) Find a way (as recursive as this sounds) to block queries to my DNS
> server, based on this blacklist. I don't think BIND supports such a
> feature.
> 
> Any comments?
> 
> -Dan

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
http://www.peter-dambier.de/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
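The parser Dan describes in option 3, as an added example that is not code from either poster: it reads the logwatch summary lines quoted above ("client ... query (cache) '...' denied: N Time(s)"), totals denied queries per source address, and lists the clients that asked a non-recursive server for several distinct names, which is the pattern in the thread. The sample lines are constructed for the example and the min_names threshold is an assumption to tune before anything is fed to a blocklist.

```python
import re
from collections import defaultdict

# Constructed sample in the logwatch summary format quoted in the thread.
SAMPLE = """\
client 123.18.118.42 query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX2.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
client 123.19.59.189 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)
client 10.0.0.5 query (cache) 'www.example.net/A/IN' denied: 3 Time(s)
"""

# One BIND "query (cache) ... denied" line as logwatch summarises it.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+) query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)' "
    r"denied: (?P<count>\d+) Time\(s\)"
)


def parse_denied(text):
    """Yield (ip, name, rtype, count) for every line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # Names are case-insensitive; fold them so GOOGLE.COM == google.com.
            yield m["ip"], m["name"].lower(), m["rtype"], int(m["count"])


def summarize(text):
    """Per client address: total denied queries and the set of names asked for."""
    per_ip = defaultdict(lambda: {"denied": 0, "names": set()})
    for ip, name, _rtype, count in parse_denied(text):
        per_ip[ip]["denied"] += count
        per_ip[ip]["names"].add(name)
    return per_ip


def candidates(text, min_names=2):
    """Clients that asked this server for at least min_names distinct names
    it refused to resolve (hypothetical threshold; a single stray lookup is
    not worth listing, a sweep across several MX hostnames is)."""
    return sorted(ip for ip, info in summarize(text).items()
                  if len(info["names"]) >= min_names)
```

Run it over the whole logwatch mail; cross-check the result against the RBLs Dan mentions before acting on it, since a client that merely has a broken resolver is not a bot.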

