A number of domains owned or controlled by the Fortis spam operation receive DNS from abusehost.pro, including these:

etreening.ee
koristus24.ee
personal.ee

The domain maili.ee also receives DNS from abusehost.pro, but its Whois record indicates that its DNS servers are ns1.maili.ee and ns2.maili.ee. Neither of these hostnames exists in DNS for the domain maili.ee, and neither of them resolves. Nonetheless maili.ee resolves, as shown by its A and MX records. This is how that trick works:

WHOIS:

$ whois -h whois.internet.ee maili.ee
[Querying whois.internet.ee]
[whois.internet.ee]
Estonia .ee Top Level Domain WHOIS server

Domain:
name:       maili.ee
status:     ok (paid and in zone)
registered: 2011-07-05 16:15:04 +03:00
changed:    2016-07-23 23:50:05 +03:00
expire:     2017-07-05
outzone:
delete:

Registrant:
name:       Aleksandr Primakov
email:      Not Disclosed - Visit www.internet.ee for webbased WHOIS
changed:    2015-12-15 14:30:08 +02:00

Administrative contact:
name:       Aleksandr Primakov
email:      Not Disclosed - Visit www.internet.ee for webbased WHOIS
changed:    2015-12-15 14:30:09 +02:00

Technical contact:
name:       Aleksandr Primakov
email:      Not Disclosed - Visit www.internet.ee for webbased WHOIS
changed:    2015-12-15 14:30:09 +02:00

Registrar:
name:       Zone Media OÜ
url:        http://www.zone.ee
phone:      +372 6886886
changed:    2016-01-04 18:23:09 +02:00

Name servers:
nserver:    ns2.maili.ee
nserver:    ns1.maili.ee
changed:    2016-07-23 23:50:05 +03:00

[NOTE: ns1.maili.ee and ns2.maili.ee are the designated nameservers for the maili.ee domain.]

RESOLVING ns1/ns2.maili.ee:

$ host ns1.maili.ee
Host ns1.maili.ee not found: 3(NXDOMAIN)
$ host ns2.maili.ee
Host ns2.maili.ee not found: 3(NXDOMAIN)

[NOTE: These designated nameservers do not resolve, but...]

$ host maili.ee
maili.ee has address 213.109.131.87
maili.ee mail is handled by 15 mail.maili.ee.
maili.ee mail is handled by 10 mail.maili.ee.
$ host mail.maili.ee
mail.maili.ee has address 213.109.131.87

[NOTE: ...the A and MX records for the domain do resolve. How can this be?]

OK, let's use dig to check what the DNS databases actually show for maili.ee. First, find out what the authoritative nameservers are for the .EE top-level domain.

$ dig ns ee

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> ns ee
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5723
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 9

;; QUESTION SECTION:
;ee.                    IN      NS

;; ANSWER SECTION:
ee.             43200   IN      NS      ee.eenet.ee.
ee.             43200   IN      NS      ns.tld.ee.
ee.             43200   IN      NS      b.tld.ee.
ee.             43200   IN      NS      e.tld.ee.
ee.             43200   IN      NS      ee.aso.ee.

;; ADDITIONAL SECTION:
b.tld.ee.       42602   IN      A       194.146.106.110
b.tld.ee.       42602   IN      AAAA    2001:67c:1010:28::53
ns.tld.ee.      68328   IN      A       195.43.87.10
ee.aso.ee.      68328   IN      A       213.184.51.122
ee.aso.ee.      68328   IN      AAAA    2a02:88:0:21::2
ee.eenet.ee.    68328   IN      A       193.40.132.5
ee.eenet.ee.    68328   IN      AAAA    2001:bb8:4001::53
e.tld.ee.       42602   IN      A       204.61.216.36
e.tld.ee.       42602   IN      AAAA    2001:678:94:53::53

;; Query time: 35 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 26 16:34:45 2016
;; MSG SIZE  rcvd: 309

OK. We'll check what ns.tld.ee tells us about maili.ee.

$ dig ns @ns.tld.ee maili.ee

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> ns @ns.tld.ee maili.ee
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26803
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;maili.ee.              IN      NS

;; AUTHORITY SECTION:
maili.ee.       43200   IN      NS      ns1.maili.ee.
maili.ee.       43200   IN      NS      ns2.maili.ee.

;; ADDITIONAL SECTION:
ns1.maili.ee.   43200   IN      A       213.109.131.87
ns2.maili.ee.   43200   IN      A       213.109.131.87

;; Query time: 36 msec
;; SERVER: 195.43.87.10#53(195.43.87.10)
;; WHEN: Tue Jul 26 16:38:36 2016
;; MSG SIZE  rcvd: 94

VERY INTERESTING. The .EE TLD nameservers know about ns1.maili.ee and ns2.maili.ee, although those hostnames do not exist in maili.ee DNS itself. These are glue records: A records for the in-bailiwick nameserver names that were registered with the .EE registry and that the parent zone hands out in the ADDITIONAL section of its referral, independently of anything the maili.ee zone itself serves. A resolver follows the glue to 213.109.131.87 and never needs the child zone to contain ns1/ns2.maili.ee at all.

Let's see what DNS thinks this IP address is:

$ host 213.109.131.87
87.131.109.213.in-addr.arpa domain name pointer vpn-213-109-131-87.link-kremen.net.

The IP address is assigned to a VPS server. Let's see what dig shows to the world as the functioning DNS servers for maili.ee.

$ dig ns maili.ee

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> ns maili.ee
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2783
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;maili.ee.              IN      NS

;; ANSWER SECTION:
maili.ee.       3600    IN      NS      ns2.abusehost.pro.
maili.ee.       3600    IN      NS      ns1.abusehost.pro.

;; Query time: 192 msec
;; SERVER: 173.255.243.5#53(173.255.243.5)
;; WHEN: Tue Jul 26 21:43:16 UTC 2016
;; MSG SIZE  rcvd: 86

$ host ns1.abusehost.pro
ns1.abusehost.pro has address 213.109.131.87
$ host ns2.abusehost.pro
ns2.abusehost.pro has address 213.109.131.87

[NOTE: Both nameservers point to the VPS above. VERY slick.]

So the one server at 213.109.131.87 is reached through the parent's glue for ns1/ns2.maili.ee, answers authoritatively for maili.ee with an NS set naming abusehost.pro instead, and returns NXDOMAIN for the very names the registry delegated to. Anyone who checks only Whois sees maili.ee nameservers; anyone who checks only the live zone sees abusehost.pro; only a comparison of the parent-side delegation with the child zone exposes the link.
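The parent-versus-child comparison walked through above, turned into a script as an added example (this is not part of the ROKSO record or of any Spamhaus tooling). It parses dig's textual output, takes the delegation (NS plus glue) from a non-recursive query to a TLD server, compares it with the NS set the child zone itself answers, and flags nameserver names that exist only as parent-side glue, which is the label "phantom glue" used here. The dig excerpts and the lookup table embedded below are constructed sample input transcribed from the captures on this page; in real use you would feed it live dig output and replace lookup() with a real resolver call.

```python
import re

# Added example, not Spamhaus/ROKSO code: detect a delegation whose
# nameservers exist only as parent-side glue while the child zone
# advertises a different NS set (the maili.ee trick shown above).

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)")


def parse_dig(text):
    """Parse dig's textual output into (status, {section: [(owner, type, rdata)]}).
    Only the ';; ... SECTION:' blocks are read; owners and rdata are lower-cased
    with the trailing dot dropped so that names compare cleanly."""
    status, section, records = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        elif line.startswith(";;") and line.endswith(" SECTION:"):
            section = line[3:].split()[0]          # QUESTION, ANSWER, AUTHORITY, ADDITIONAL
            records.setdefault(section, [])
        elif section and line and not line.startswith(";"):
            m = RR_RE.match(line)
            if m:
                owner, rtype, rdata = m.groups()
                records[section].append(
                    (owner.lower().rstrip("."), rtype, rdata.lower().rstrip(".")))
    return status, records


def delegation_report(parent_referral, child_ns_answer, resolve):
    """Compare the parent's delegation (NS + glue from a non-recursive query to a
    TLD server) with what the child zone advertises.  resolve(name) stands in for
    a normal recursive lookup and returns (rcode, set_of_ip_strings)."""
    _, parent = parse_dig(parent_referral)
    _, child = parse_dig(child_ns_answer)
    parent_ns = {rd for _, t, rd in parent.get("AUTHORITY", []) if t == "NS"}
    child_ns = {rd for _, t, rd in child.get("ANSWER", []) if t == "NS"}
    glue = {}
    for owner, t, rd in parent.get("ADDITIONAL", []):
        if t in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rd)

    findings = []
    if parent_ns != child_ns:
        findings.append(f"NS mismatch: parent delegates to {sorted(parent_ns)}, "
                        f"child zone answers {sorted(child_ns)}")
    # A delegated name that the parent carries glue for but that a normal lookup
    # cannot find lives only in the parent: the child zone never defines it.
    for ns in sorted(parent_ns & set(glue)):
        rcode, _ = resolve(ns)
        if rcode == "NXDOMAIN":
            findings.append(f"phantom glue: {ns} -> {sorted(glue[ns])} exists only "
                            "in the parent; the child zone returns NXDOMAIN for it")
    # Nameservers the child names instead: do they sit on the same host as the glue?
    glue_ips = set().union(*glue.values())
    for ns in sorted(child_ns - parent_ns):
        _, ips = resolve(ns)
        if ips & glue_ips:
            findings.append(f"same host: {ns} resolves to {sorted(ips & glue_ips)}, "
                            "the address behind the parent glue")
    return findings


# Constructed sample input, transcribed from the dig captures above.
PARENT_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26803
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;maili.ee.              IN      NS
;; AUTHORITY SECTION:
maili.ee.       43200   IN      NS      ns1.maili.ee.
maili.ee.       43200   IN      NS      ns2.maili.ee.
;; ADDITIONAL SECTION:
ns1.maili.ee.   43200   IN      A       213.109.131.87
ns2.maili.ee.   43200   IN      A       213.109.131.87
"""

CHILD_NS_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2783
;; ANSWER SECTION:
maili.ee.       3600    IN      NS      ns2.abusehost.pro.
maili.ee.       3600    IN      NS      ns1.abusehost.pro.
"""

# What a recursive resolver returned for each name (from the host output above);
# a real deployment would replace this table with live queries.
LOOKUPS = {
    "ns1.maili.ee": ("NXDOMAIN", set()),
    "ns2.maili.ee": ("NXDOMAIN", set()),
    "ns1.abusehost.pro": ("NOERROR", {"213.109.131.87"}),
    "ns2.abusehost.pro": ("NOERROR", {"213.109.131.87"}),
}


def lookup(name):
    return LOOKUPS.get(name, ("NXDOMAIN", set()))


if __name__ == "__main__":
    for finding in delegation_report(PARENT_REFERRAL, CHILD_NS_ANSWER, lookup):
        print(finding)
```

Run against the page's data it reports the NS mismatch, the two phantom glue names and the two abusehost.pro names sitting on the same address; a consistent delegation (parent and child agreeing on the NS set, and every glue name resolvable) produces no findings. The parent-side query must be made directly to a TLD server without recursion, as above with @ns.tld.ee, because a recursive resolver will hand back the child's NS RRset and hide the glue.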
The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.