Greg mentioned...
#To answer the questions in the charter we may therefore have to ask and
#research some questions such as:
#* How widely is fast-flux hosting used? How many sites are hosted using FF?
Is there interest in receiving a feed of fast-flux hosted FQDNs? What sort
of format would work for folks? For example, how about something like dig
output?
dependablequality[dot]com. 120 IN A 79.119.143.30
dependablequality[dot]com. 120 IN A 85.29.194.24
dependablequality[dot]com. 120 IN A 85.179.115.73
dependablequality[dot]com. 120 IN A 87.228.106.7
dependablequality[dot]com. 120 IN A 88.134.190.175
dependablequality[dot]com. 120 IN A 88.134.236.222
dependablequality[dot]com. 120 IN A 89.173.18.71
dependablequality[dot]com. 120 IN A 89.173.87.34
dependablequality[dot]com. 120 IN A 91.127.1.68
dependablequality[dot]com. 120 IN A 91.201.48.98
dependablequality[dot]com. 120 IN A 24.35.75.248
dependablequality[dot]com. 120 IN A 59.112.239.18
dependablequality[dot]com. 120 IN A 61.15.232.198
dependablequality[dot]com. 120 IN A 61.18.221.154
dependablequality[dot]com. 120 IN A 61.224.140.184
dependablequality[dot]com. 120 IN A 62.178.232.75
dependablequality[dot]com. 120 IN A 78.48.71.159
dependablequality[dot]com. 120 IN A 78.102.113.236
dependablequality[dot]com. 120 IN A 78.102.210.159
dependablequality[dot]com. 120 IN A 78.159.38.201
dependablehigh[dot]com. 120 IN A 78.102.113.236
dependablehigh[dot]com. 120 IN A 78.159.38.201
dependablehigh[dot]com. 120 IN A 79.119.143.30
dependablehigh[dot]com. 120 IN A 85.179.115.73
dependablehigh[dot]com. 120 IN A 87.228.106.7
dependablehigh[dot]com. 120 IN A 88.134.190.175
dependablehigh[dot]com. 120 IN A 88.134.236.222
dependablehigh[dot]com. 120 IN A 89.41.109.23
dependablehigh[dot]com. 120 IN A 89.173.18.71
dependablehigh[dot]com. 120 IN A 89.173.87.34
dependablehigh[dot]com. 120 IN A 91.89.144.26
dependablehigh[dot]com. 120 IN A 92.227.34.52
dependablehigh[dot]com. 120 IN A 220.74.144.187
dependablehigh[dot]com. 120 IN A 24.35.75.248
dependablehigh[dot]com. 120 IN A 59.112.239.18
dependablehigh[dot]com. 120 IN A 61.15.170.57
dependablehigh[dot]com. 120 IN A 61.18.129.109
dependablehigh[dot]com. 120 IN A 61.18.221.154
dependablehigh[dot]com. 120 IN A 61.224.140.184
dependablehigh[dot]com. 120 IN A 62.178.232.75
[etc]
(dots rendered as [dot] to avoid triggering URI-based spam filtering that
some of you may use) Those IPs will naturally change over time, but you
can look at the current ones to get a pretty good sense that this is not
a legitimately hosted domain.
Or do folks not care about individual dotted quads, just wanting a list
of FQDNs? I assume that folks are also aware of the possibility of following
the name servers used for this sort of thing to identify clusters of related
domains, right? For example, I can send you a sample of 1000 domains
currently using ns0.wkakekod[dot]com, all of which I believe to be FF
(and that's only a fraction of what's associated with just that single name
server). That might be somewhat awkward to share by email, however.
Also, any interest in the bogus whois data that often accompanies these?
E.g.,
[whois.paycenter[dot]com.cn]
Domain Name:dependablequality[dot]com
Registrant:
AS JLIJ
SD JLI
789607
Administrative Contact:
AD JLIJ
AS JLIJ
SD JLI
A JLI 789607
Costa Rica
tel: 0987 9807 8907 9807
fax: 8907 8907 897 978
890asd@xxxxxx
Technical Contact:
AD JLIJ
AS JLIJ
SD JLI
A JLI 789607
Costa Rica
tel: 0987 9807 8907 9807
fax: 8907 8907 897 978
890asd@xxxxxx
Billing Contact:
AD JLIJ
AS JLIJ
SD JLI
A JLI 789607
Costa Rica
tel: 0987 9807 8907 9807
fax: 8907 8907 897 978
890asd@xxxxxx
Registration Date: 2007-11-28
Update Date: 2008-02-18
Expiration Date: 2008-11-28
Primary DNS: ns0.wkakekod[dot]com 217.78.189.54
Secondary DNS: ns0.cnogaira[dot]com 77.41.80.55
#* What kinds of activities are occurring on those sites?
pillz, in the case of the examples shown... however one will also see
virtually all other types of spamvertised content (warez, watchez and
other replicaz, malware, you name it).
Regards,
Joe St Sauver (joe@xxxxxxxxxxxxxxxxxx)
http://www.uoregon.edu/~joe/
Disclaimer: all opinions strictly my own
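
Added example (not part of the original message): one way a recipient of a dig-style feed like the one proposed above could triage it, flagging names with a short TTL and many A records spread across networks, and measuring how much two names share an address pool. The sample records are constructed with documentation-range addresses; the thresholds and the /16 grouping (a rough offline stand-in for an ASN lookup) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the dig-style format shown in the message
# (documentation-range addresses, "[dot]" defanging kept).
SAMPLE = """\
flux-a[dot]example. 120 IN A 192.0.2.10
flux-a[dot]example. 120 IN A 192.0.2.77
flux-a[dot]example. 120 IN A 198.51.100.5
flux-a[dot]example. 120 IN A 198.51.100.200
flux-a[dot]example. 120 IN A 203.0.113.9
flux-b[dot]example. 120 IN A 192.0.2.10
flux-b[dot]example. 120 IN A 198.51.100.5
flux-b[dot]example. 120 IN A 198.51.100.200
flux-b[dot]example. 120 IN A 203.0.113.9
flux-b[dot]example. 120 IN A 203.0.113.150
static[dot]example. 3600 IN A 192.0.2.1
static[dot]example. 3600 IN A 192.0.2.2
"""

def parse(text):
    """Return {fqdn: {"ttl": lowest TTL seen, "ips": set of IPv4Address}}."""
    out = defaultdict(lambda: {"ttl": None, "ips": set()})
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[2] != "IN" or f[3] != "A" or not f[1].isdigit():
            continue  # skips "[etc]", blank lines and other record types
        try:
            ip = ipaddress.IPv4Address(f[4])
        except ValueError:
            continue  # malformed dotted quad
        rec = out[f[0].replace("[dot]", ".").rstrip(".").lower()]
        rec["ttl"] = int(f[1]) if rec["ttl"] is None else min(rec["ttl"], int(f[1]))
        rec["ips"].add(ip)
    return dict(out)

def suspects(zones, max_ttl=300, min_ips=5, min_nets=3):
    """FQDNs with a short TTL and many A records spread over many /16s."""
    hits = []
    for name, rec in zones.items():
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in rec["ips"]}
        if rec["ttl"] <= max_ttl and len(rec["ips"]) >= min_ips and len(nets) >= min_nets:
            hits.append(name)
    return sorted(hits)

def overlap(zones, a, b):
    """Jaccard overlap of two FQDNs' address sets (shared hosting pool)."""
    x, y = zones[a]["ips"], zones[b]["ips"]
    return len(x & y) / len(x | y)
```

A high overlap between two flagged names is the same signal the message points to when it suggests following shared name servers to find clusters of related domains.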