
The email CBL sent me is thought-provoking! Everyone come and have a look

火星人 @ 2014-03-05, reply: 0


One of my Windows 2003 servers: today I suddenly received a notice from the IDC saying it was sending large amounts of spam. I logged in to look, and there is no port 25 listening at all. The only possibility, I suppose, is that a hacker is using it to send mail via SMTP.
The IDC forwarded me the email from CBL; its contents are as follows:

Ref: SBL48222

211.136.85.xx/32 is listed on the Spamhaus Block List (SBL)

12-Nov-2006 01:56 GMT | SR02

"rock phish" nameserver

Nameserver controlling many, many phish site domains.


ns1.galik.cc A 211.136.85.xx
dns2.breliaz.cc A 211.136.85.1xx
dns1.donseza.name A 211.136.85.xx
gn1.garsiya.info A 211.136.85.xx
dns1.donseza.info A 211.136.85.xx
fn1.florig.info A 211.136.85.xx
nss1.strsnik.info A 211.136.85.xx
ns1.seduk.info A 211.136.85.xx
ns2.jesuscentral.info A 211.136.85.xx
nsca1.cattyl.info A 211.136.85.xx
nsco1.cloder.info A 211.136.85.xx
ns1.gjopnr.info A 211.136.85.xx
ns1.soert.info A 211.136.85.xx
nsr52.roliky.info A 211.136.85.xx
dns1.kaliz.us A 211.136.85.xx
ng2.garsiya.biz A 211.136.85.xx
ns2.troubed.biz A 211.136.85.xx
ns2.toaski.biz A 211.136.85.xx
jazz1.jazzinfo.biz A 211.136.85.xx
dns2.editop.biz A 211.136.85.xx
dns2.ericat.biz A 211.136.85.xx

$ dig @211.136.85.xx www.amsouth.com.customercare.troubed.biz a

; <<>> DiG 9.2.4 <<>> @211.136.85.xx www.amsouth.com.customercare.troubed.biz a
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42204
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.amsouth.com.customercare.troubed.biz. IN A

;; ANSWER SECTION:
www.amsouth.com.customercare.troubed.biz. 43200 IN A 202.134.177.23

;; Query time: 327 msec
;; SERVER: 211.136.85.xx#53(211.136.85.xx)
;; WHEN: Sat Nov 11 2006
;; MSG SIZE rcvd: 74


Domain Name: TROUBED.BIZ
Domain ID: D15179238-BIZ
Sponsoring Registrar: REGISTER.COM
Sponsoring Registrar IANA ID: 9
Domain Status: clientTransferProhibited
Registrant ID: 8408490216E37895
Registrant Name: Vicente Gil
Registrant Address1: Urb. Prado Alto, Calle 5, Casa b-14 Guaynabo
Registrant City: San Juan
Registrant Postal Code: 00966
Registrant Country: Puerto Rico (US)
Registrant Country Code: PR
Registrant Phone Number: +1.7877827947
Registrant Email: vicentegil@musician.org
Administrative Contact ID: 9162019216AEE719
Administrative Contact Name: Vicente Gil
Administrative Contact Address1: Urb. Prado Alto, Calle 5, Casa b-14 Guaynabo
Administrative Contact City: San Juan
Administrative Contact Postal Code: 00966
Administrative Contact Country: Puerto Rico (US)
Administrative Contact Country Code: PR
Administrative Contact Phone Number: +1.7877827947
Administrative Contact Email: vicentegil@musician.org
Billing Contact ID: 1603811216CAC726
Billing Contact Name: Domain Registrar
Billing Contact Organization: Registercom
Billing Contact Address1: 575 8th Avenue
Billing Contact City: New York
Billing Contact State/Province: NY
Billing Contact Postal Code: 10018
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.9027492701
Billing Contact Facsimile Number: +1.9027492701
Billing Contact Email: domainregistrar@register.com
Technical Contact ID: 8011248216F9A276
Technical Contact Name: Domain Registrar
Technical Contact Organization: Registercom
Technical Contact Address1: 575 8th Avenue
Technical Contact City: New York
Technical Contact State/Province: NY
Technical Contact Postal Code: 10018
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.9027492701
Technical Contact Facsimile Number: +1.9027492701
Technical Contact Email: domainregistrar@register.com
Name Server: NS1.TROUBED.BIZ
Name Server: NS2.TROUBED.BIZ
Created by Registrar: REGISTER.COM
Last Updated by Registrar: REGISTER.COM
Domain Registration Date: Sat Nov 11 17:47:21 GMT 2006
Domain Expiration Date: Sat Nov 10 23:59:59 GMT 2007
Domain Last Updated Date: Sat Nov 11 18:07:03 GMT 2006

--------------------------------------------------------------------------------

Removal Procedure

To have record SBL48222 (211.136.85.xx/32) removed from the SBL, the Abuse/Security representative of chinamobile.com (or the Internet Service Provider responsible for connectivity to 211.136.85.xx/32) needs to contact the SBL Team to explain how the spam problem has been terminated. If the spam problem that caused this listing has been terminated we will normally remove the listing from the SBL.

It looks like my server has become a dynamic DNS resolution server. From
;; Query time: 327 msec
;; SERVER: 211.136.85.xx#53(211.136.85.xx)
you can see that it is a standard DNS service.

Questions:
1. Once these domain names are dynamically resolved, how does he actually send the spam?
2. Pinging ns1.galik.cc and the others, these IPs do not point to 211.136.85.xx at all. Is some kind of disguise technique being used??
Could the experts here please clear this up for me.

[ This post was last edited by webyuhang on 2006-11-14 13:39 ]
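The dig transcript in the forwarded listing is the evidence the SBL relies on: the queried host answered with the `aa` (authoritative answer) flag set for a hostname that nests a bank's name under troubed.biz, which is what the listing means by a "rock phish" nameserver. The Python below is an added example, not code from this post or from Spamhaus. It parses that transcript (embedded as a constructed sample, with the masked `xx` octet left exactly as quoted) and reports the indicators a defender would check when told one of their hosts is serving as a nameserver for phishing domains: whether the answer is authoritative, which domain was actually queried, and whether a third-party hostname is embedded as a subdomain. The `COMMON_TLDS` heuristic and the `assess` function are my own assumptions, not part of any Spamhaus tooling.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the dig output quoted in the post above, with the
# listed server's last octet masked ("xx") exactly as in the original.
SAMPLE_DIG = """\
; <<>> DiG 9.2.4 <<>> @211.136.85.xx www.amsouth.com.customercare.troubed.biz a
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42204
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.amsouth.com.customercare.troubed.biz. IN A

;; ANSWER SECTION:
www.amsouth.com.customercare.troubed.biz. 43200 IN A 202.134.177.23

;; Query time: 327 msec
;; SERVER: 211.136.85.xx#53(211.136.85.xx)
;; WHEN: Sat Nov 11 2006
;; MSG SIZE rcvd: 74
"""

# Assumed heuristic: these labels are TLDs when they end a name; the same label
# in the middle of a name is the "brand.com.attacker.tld" pattern seen above.
COMMON_TLDS = {"com", "net", "org", "edu", "gov"}


@dataclass
class DigSummary:
    server: str
    status: str
    flags: set
    question: str
    answers: list = field(default_factory=list)  # (name, ttl, rtype, rdata)


def _grab(pattern: str, text: str, flags: int = 0) -> str:
    m = re.search(pattern, text, flags)
    if not m:
        raise ValueError(f"dig output missing field matching {pattern!r}")
    return m.group(1)


def parse_dig(text: str) -> DigSummary:
    """Pull the fields a reviewer cares about out of dig's text output."""
    status = _grab(r"status: (\w+)", text)
    flags = set(_grab(r";; flags: ([^;]*);", text).split())
    server = _grab(r";; SERVER: ([^#\s]+)", text)
    # Question line starts with a single ';' directly followed by the name.
    question = _grab(r"^;([^;\s]+)\s+IN\s+", text, re.M)
    answers = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():
                break  # blank line closes the section
            name, ttl, _cls, rtype, rdata = line.split(maxsplit=4)
            answers.append((name, int(ttl), rtype, rdata))
    return DigSummary(server, status, flags, question, answers)


def embedded_hostname(name: str) -> str:
    """Return a third-party hostname nested inside `name`, e.g. 'www.amsouth.com'
    for 'www.amsouth.com.customercare.troubed.biz.'; '' if none is found."""
    labels = name.rstrip(".").lower().split(".")
    for i, label in enumerate(labels[:-1]):  # skip the real TLD at the end
        if i >= 1 and label in COMMON_TLDS:
            return ".".join(labels[: i + 1])
    return ""


def registered_domain(name: str) -> str:
    """Last two labels: the domain that whois/registrar records would describe."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def assess(text: str) -> dict:
    """Summarise the indicators behind a listing like the one quoted above."""
    s = parse_dig(text)
    return {
        "server": s.server,
        "status": s.status,
        "authoritative": "aa" in s.flags,   # server claims to own the zone
        "registered_domain": registered_domain(s.question),
        "embedded_hostname": embedded_hostname(s.question),
        "resolves_to": [rd for _n, _t, rt, rd in s.answers if rt == "A"],
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_DIG).items():
        print(f"{key:18} {value}")
```

Run against a fresh `dig @<your-host> <name> a` capture, the `authoritative` field answers the poster's underlying worry directly: a host that returns `aa` for a domain it was never meant to serve is acting as that domain's nameserver, whatever its mail ports are doing.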
Solution

Bump.


http://coctec.com/docs/service/show-post-44249.html