Spamming using nameserver records in WHOIS

I’ve just come across an interesting technique for spamming, although I’m not sure if it’s new as I recall seeing something similar back in the late nineties.

Firstly, for anyone who doesn’t know what “whois” is: it is a tool/protocol which lets you look up information about, for example, domain names or IP addresses, including who they belong to. There are multiple layers in WHOIS; the server operated by Verisign’s registry service is called ‘whois.crsnic.net’. If you have a .com or .net domain it will have an entry there which points to whichever registrar you used to register the name, which in turn provides details of the domain registrant and other contacts.

The registry also stores ‘host records’, which are a specific kind of record used for nameservers. Because of how the domain name system works, if you have a domain (e.g. seb.me.uk), you need to point that domain to some nameservers that know where to direct you if someone types www.seb.me.uk or sends an e-mail to something ending in seb.me.uk. However, you first need to find the nameserver. If this is within the same domain (e.g. ns0.seb.me.uk) then it needs a ‘host entry’ (sometimes referred to as a ‘hint’) so the nameserver itself can be found, after which it will give more information about the domain.

These host records are registered at the registry by the registrars and inserted into the DNS zone files. What seems to be happening is that some companies insert host records for server names such as “someoneelse.com.www.theircompany.com”, which then comes up when you search for someoneelse.com even though it is just a host within the theircompany.com domain.

I spotted this today for bulkregister.com, promoting dndialog.com:

Server Name: BULKREGISTER.COM.RESPECTED.BY.WWW.DNDIALOG.COM
IP Address: 81.177.3.240
Registrar: MONIKER ONLINE SERVICES, INC.
Whois Server: whois.moniker.com
Referral URL: http://www.moniker.com/whois/whois.jsp

The legitimate record which is also returned, is:

Domain Name: BULKREGISTER.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 16-feb-2007
Creation Date: 08-sep-1999
Expiration Date: 08-sep-2012

I guess preventing host parts with “com” in the middle might help (along with other TLDs), although “ns” is a common suffix I suspect.
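To make the check above concrete, here is an added example (not part of the original post) that parses the host records out of a registry WHOIS reply and flags any whose name merely starts with the queried domain but actually lives under some other domain, also reporting the TLD-looking label in the middle that the post suggests blocking. The first sample record is the one quoted above; the second is constructed, and the TLD list is a small illustrative assumption rather than the full registry list.

```python
# Added example: flag WHOIS host records that piggyback on another domain's name.
# TLD_LABELS is an assumption: a short illustrative set, not the real TLD list.
TLD_LABELS = {"com", "net", "org", "info", "biz"}


def parse_whois_hosts(text):
    """Parse 'Server Name:' blocks out of a registry WHOIS reply into dicts."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a record
            if current:
                records.append(current)
                current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Server Name":          # a new host record starts here
            if current:
                records.append(current)
            current = {"name": value.lower().rstrip(".")}
        elif current is not None:
            current[key.lower().replace(" ", "_")] = value
    if current:
        records.append(current)
    return records


def registrable_domain(hostname):
    """The domain a host actually lives under: its last two labels
    (assumption: no multi-label public suffixes such as co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_within(hostname, domain):
    """True if hostname is the domain itself or a subdomain of it."""
    h, d = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def interior_tld_labels(hostname):
    """The post's heuristic: TLD-looking labels that are not the final label."""
    labels = hostname.lower().rstrip(".").split(".")
    return [lab for lab in labels[:-1] if lab in TLD_LABELS]


def classify_hosts(text, queried_domain):
    """Return (host name, verdict, reason) for each host record in the reply."""
    out = []
    for rec in parse_whois_hosts(text):
        name = rec["name"]
        if is_within(name, queried_domain):
            out.append((name, "ok", "host lies within the queried domain"))
            continue
        owner = registrable_domain(name)
        reason = f"host is under {owner}, not {queried_domain}"
        tlds = interior_tld_labels(name)
        if tlds:
            reason += f"; interior TLD label(s): {', '.join(tlds)}"
        out.append((name, "suspicious", reason))
    return out


# First record is the one quoted in the post; the second is constructed
# (192.0.2.53 is from the documentation address range).
SAMPLE = """
Server Name: BULKREGISTER.COM.RESPECTED.BY.WWW.DNDIALOG.COM
IP Address: 81.177.3.240
Registrar: MONIKER ONLINE SERVICES, INC.
Whois Server: whois.moniker.com
Referral URL: http://www.moniker.com/whois/whois.jsp

Server Name: NS1.BULKREGISTER.COM
IP Address: 192.0.2.53
Registrar: EXAMPLE REGISTRAR (constructed)
"""

if __name__ == "__main__":
    for name, verdict, reason in classify_hosts(SAMPLE, "bulkregister.com"):
        print(f"{verdict:10} {name}  ({reason})")
```

The suffix test (is_within) is the decisive one: a host record only legitimately belongs under a domain if the domain is its suffix, so a name that merely begins with it is a lookalike regardless of which labels sit in the middle. The interior-TLD heuristic is kept as a second, cheaper signal for registrars that want to reject such names at submission time.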

2 Responses to “Spamming using nameserver records in WHOIS”

  1. Terabyte Says:

    Heh – http://www.dndialog.com/index.php?showtopic=973

  2. to domain name Says:

    hi guys…

    Hi guys, I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well, and I have started my own blog now, thanks for your effort…
