[103739] in North American Network Operators' Group


Re: clickbank.net and bundleway.com

daemon@ATHENA.MIT.EDU (Paul Vixie)
Sun Apr 13 14:44:29 2008

To: Jon.Kibler@aset.com ("Jon R. Kibler")
cc: nanog@merit.edu
From: Paul Vixie <vixie@isc.org>
Date: 13 Apr 2008 18:35:20 +0000
In-Reply-To: <48021A12.3040903@aset.com>
Errors-To: owner-nanog@merit.edu


Jon.Kibler@aset.com ("Jon R. Kibler") writes:

> Anyone have any info on either of these domains?
> 
> I have seen several recent web sites that had an iframe
> that pointed to clickbank.net and "interesting" / hidden
> links to bundleway.com.
> 
> Haven't found much of use in a quick search of Google,
> except for a few claims of fraud against them. I suspect
> that they are somehow related to affiliate programs?
> 
> TIA for anything you may be able to tell me!

the nameservers who answered questions about bundleway.com in the last ~150
days were:

        216.129.109.1
        66.117.40.198
        205.234.154.1
        205.234.170.165
        63.219.151.3
        216.49.92.249

the A RR is stable, no flux at all.  the nameservers are stable, also no flux.

1198886670 an bundleway.com IN A 1800,64.40.117.19 216.129.109.1
1197752951 ns bundleway.com IN NS 1800,ns0.dnsmadeeasy.com \
        1800,ns0.dnsmadeeasy.com.bundleway.com \
        1800,ns1.dnsmadeeasy.com \
        1800,ns1.dnsmadeeasy.com.bundleway.com \
        1800,ns2.dnsmadeeasy.com \
        1800,ns2.dnsmadeeasy.com.bundleway.com \
        1800,ns3.dnsmadeeasy.com \
        1800,ns3.dnsmadeeasy.com.bundleway.com \
        1800,ns4.dnsmadeeasy.com \
        1800,ns4.dnsmadeeasy.com.bundleway.com \
        216.129.109.1

note that there are no actual ".dnsmadeeasy.com.bundleway.com" nameservers,
so i suspect that somebody somewhere forgot a trailing "." or had the wrong
$ORIGIN or something.  this is in the zone, or at least, it's in all answers
from the zone's servers, it's consistent enough that i expect it's in-zone
rather than some kind of dns load balancing error.

most traffic seen under clickbank.net is A RR responses, here are the top 10
out of ~4600 or so:

        roeib.4idiots.hop.clickbank.net
        mediafire.noadware.hop.clickbank.net
        mediafire.spywarebot.hop.clickbank.net
        mediafire.regsmart.hop.clickbank.net
        mediafire.adalert.hop.clickbank.net
        mediafire.regcure.hop.clickbank.net
        delusions.sharezone.hop.clickbank.net
        rvrsephone.phonesrch.hop.clickbank.net
        esearching.movies01.hop.clickbank.net
        vvllc2.phonesrch.hop.clickbank.net
        ...

it's pretty damning stuff.  the nameservers who produce these are, in order
by frequency (downward):

        209.81.12.120
        209.81.12.121
        64.128.87.120
        64.128.87.121
        216.99.132.5
        216.99.132.104

(no overlap with the dnsmadeeasy.com nameservers shown earlier.)  the A RRs
given by these *.hop.clickbank.net answers are always one of these three:

        900,209.81.12.132 900,209.81.12.133
        900,64.128.87.132 900,64.128.87.133
        900,209.81.12.134 900,209.81.12.135

that is, two A RRs in an RRset, TTL 900.  the first two are overwhelmingly
more frequent than the third one.  looks like some kind of load balancing.

there's a similar but less frequent pattern, *.pay.clickbank.net, whose A RRs
are always one of these two sets:

        900,209.81.12.134 900,209.81.12.135
        900,64.128.87.134 900,64.128.87.135

the MX RRs for clickbank.net are always

        900,10,a-mx.coloc8.net 900,20,b-mx.coloc8.net

except one recent sighting of the following:

        900,10,mx1.clickbank.net 900,10,mx2.clickbank.net

there are also A RRs for 3LDs hop, www, ssl, and zzz, plus a 2LD A RR.

i hope this helps.  it's all courtesy of ISC SIE and our generous sensors,
of whom i would welcome more.  if you run a recursive nameserver for some
population, and are willing to share your upstream server-to-server traffic
with ISC for use in security research and operations, plz send me e-mail.
-- 
Paul Vixie
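An added example (not part of the post above, and not ISC SIE code) that automates the two observations Vixie makes by hand: NS targets that look like a hostname qualified with the zone origin because of a missing trailing dot, and whether the A RRset for an owner name is stable across answers. It assumes passive-DNS lines in exactly the shape quoted in the post (`<unix ts> <an|ns> <owner> IN <type> <ttl>,<rdata> ... <responding server>`, with backslash continuations). The sample input is constructed here: the bundleway.com lines mirror the post, while the clickbank.net timestamps are placeholders and only the names and addresses are taken from the post.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the same shape as the lines quoted in the post.
# The clickbank.net timestamps (1199000000, 1199000100) are placeholders.
SAMPLE = """\
1198886670 an bundleway.com IN A 1800,64.40.117.19 216.129.109.1
1197752951 ns bundleway.com IN NS 1800,ns0.dnsmadeeasy.com \\
        1800,ns0.dnsmadeeasy.com.bundleway.com \\
        1800,ns1.dnsmadeeasy.com \\
        1800,ns1.dnsmadeeasy.com.bundleway.com \\
        216.129.109.1
1199000000 an roeib.4idiots.hop.clickbank.net IN A 900,209.81.12.132 900,209.81.12.133 209.81.12.120
1199000100 an roeib.4idiots.hop.clickbank.net IN A 900,64.128.87.132 900,64.128.87.133 64.128.87.120
"""

@dataclass(frozen=True)
class Observation:
    ts: int
    section: str          # "an" (answer) or "ns" (authority), as in the post
    owner: str
    rrtype: str
    rrs: tuple            # ((ttl, rdata), ...) in the order seen
    server: str           # nameserver that produced the answer

def parse_lines(text):
    """Parse one observation per logical line, honouring '\\' continuations."""
    observations = []
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split()
        if not fields:
            continue
        ts, section, owner, _cls, rrtype = fields[:5]
        rrs = []
        for item in fields[5:-1]:          # everything between type and server
            ttl, rdata = item.split(",", 1)
            rrs.append((int(ttl), rdata.lower().rstrip(".")))
        observations.append(Observation(int(ts), section, owner.lower().rstrip("."),
                                        rrtype.upper(), tuple(rrs), fields[-1]))
    return observations

def suspect_origin_appends(ob):
    """NS targets of the form '<name>.<owner>' where '<name>' is also present:
    the signature of a hostname entered without a trailing dot under $ORIGIN."""
    if ob.rrtype != "NS":
        return []
    names = {rdata for _, rdata in ob.rrs}
    suffix = "." + ob.owner
    return sorted(n for n in names
                  if n.endswith(suffix) and n[: -len(suffix)] in names)

def rrset_churn(observations):
    """owner -> number of distinct A RRsets observed; 1 means a stable answer,
    higher values mean the set changes between answers (flux or balancing)."""
    seen = defaultdict(set)
    for ob in observations:
        if ob.rrtype == "A":
            seen[ob.owner].add(frozenset(rdata for _, rdata in ob.rrs))
    return {owner: len(sets) for owner, sets in seen.items()}

def findings(text):
    """Human-readable summary of both checks for a batch of lines."""
    obs = parse_lines(text)
    out = []
    for ob in obs:
        for bad in suspect_origin_appends(ob):
            out.append(f"{ob.owner}: NS '{bad}' looks like a missing trailing dot")
    for owner, n in sorted(rrset_churn(obs).items()):
        out.append(f"{owner}: {n} distinct A RRset(s)")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

On the sample this reports both `ns0.dnsmadeeasy.com.bundleway.com` and `ns1.dnsmadeeasy.com.bundleway.com` as probable missing-dot artifacts, a single A RRset for bundleway.com (no flux, matching the post), and two distinct RRsets for the hop.clickbank.net name, which is what an alternating load-balanced answer looks like in passive DNS; a churn count that keeps climbing with fresh addresses on every answer is the pattern worth escalating.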
