DragonFly BSD
DragonFly users List (threaded) for 2005-02

Re: OT a DNS/phishing puzzle

From: TIV <gtivey@xxxxxxxxxxxxx>
Date: Fri, 25 Feb 2005 05:14:30 +0000

walt wrote:

I'm only posting this here because this audience is the most
sophisticated group I know, and this incident worries me a lot.

I'm accustomed to phishing emails by now, but this particular
one made me nervous, because I don't understand how DNS works.

The phishing email wanted me to click on this URL:

Okay, so I do a 'whois wamu2u.com' and get this response:
Domain Name : wamu2u.com
       Name      : Constance Edwards
       Email     : edwards@xxxxxxxxxxx
       Address   : 1094 SE St Patricks Court, Port Orchard, WA
       Zipcode   : 98367
       Nation    : US

Okay, this much seems very reassuring.

The part that worries me is when I do an nslookup on the URL
(logon.personal.wamu2u.com) I get an IP address in China.

Anyone here understand DNS stuff well enough to explain how
this happens?

Can anyone else reproduce the results I've listed above?

Hi there ---

By all usual means, it appears that the IP assigned to the host you're being
directed to is in China and belongs to cnmobile.net. Whois records are obviously
questionable in this case.

Traceroute: (check the latency!)

. ...15 dtag-asn3320.eqabva.sbcglobal.net ( 73.912 ms 34.289 ms 34.982ms
16 ( 236.619 ms 237.468 ms 237.433 ms
17 ( 672.746 ms * 657.978 ms
18 ( 654.917 ms 642.678 ms 646.222 ms
19 ( 676.671 ms 628.625 ms 632.641 ms
20 ( 585.209 ms 580.126 ms 585.92 ms
21 ( 626.871 ms 633.593 ms 643.297 ms
22 ( 628.554 ms 649.90 ms 639.832 ms
23 ( 626.844 ms 649.187 ms 658.232 ms
24 ( 661.846 ms 652.726 ms 637.384 ms
25 ( 633.740 ms 625.474 ms 638.583 ms
26 ( 648.28 ms * 628.769 ms

targa# dig -x

; <<>> DiG 9.2.4rc4 <<>> -x
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7249
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;  IN      PTR

202.218.in-addr.arpa. 3600 IN SOA ns.cnmobile.net. root.ns.cnmobile.net. 2004041401 3600 1800 604800 3600

;; Query time: 695 msec
;; SERVER: xx.x.xx.x#53(xx.x.xx.x)
;; WHEN: Fri Feb 25 04:41:37 2005
;; MSG SIZE  rcvd: 102

targa# host logon.personal.wamu2u.com
logon.personal.wamu2u.com has address

targa# host
Host not found: 3(NXDOMAIN)

Definite HiJinx goin on here ... possible namecache poisoning? no reverse lookup?
Your Whois --- ISN'T

targa# whois

OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

ReferralServer: whois://whois.apnic.net

NetRange: -
NetName:    APNIC4
NetHandle:  NET-218-0-0-0-1
NetType:    Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.RIPE.NET
Comment:    This IP address range is not registered in the ARIN database.
Comment:    For details, refer to the APNIC Whois Database via
Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:    for the Asia Pacific region. APNIC does not operate networks
Comment:    using this IP address range and is not able to investigate
Comment:    spam or abuse reports relating to these addresses. For more
Comment:    help, refer to http://www.apnic.net/info/faq/abuse
RegDate:    2000-12-07
Updated:    2004-03-30

OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3100
OrgTechEmail:  search-apnic-not-arin@xxxxxxxxx

# ARIN WHOIS database, last updated 2005-02-24 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum: -
netname:      CMNET
descr:        China Mobile Communications Corporation
descr:        Mobile Communications Network Operator in China
descr:        Internet Service Provider in China
country:      CN
admin-c:      JS686-AP
tech-c:       CW265-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CN-CMCC
remarks:      ------------------------------
remarks:      Please send abuse e-mail to
remarks:      abuse@xxxxxxxxxxxxxxx
remarks:      Please send probe e-mail to
remarks:      security@xxxxxxxxxxxxxxx
remarks:      -------------------------------
changed:      hostmaster@xxxxxxxxx 20011106
changed:      hm-changed@xxxxxxxxx 20030923
source:       APNIC

person:       Jinxia Sun
address:      China Mobile Communications Corporation
address:      29, Jinrong Ave., Xicheng District, Beijing, 100032
country:      CN
phone:        +86-10-66006688-1755
fax-no:       +86-10-66006012
e-mail:       sunjinxia@xxxxxxxxxxxxxxx
nic-hdl:      JS686-AP
remarks:      ------------------------------
remarks:      Please send abuse e-mail to
remarks:      abuse@xxxxxxxxxxxxxxx
remarks:      Please send probe e-mail to
remarks:      security@xxxxxxxxxxxxxxx
remarks:      -------------------------------
mnt-by:       MAINT-CN-CMCC
changed:      hostmaster@xxxxxxxxxxxxxxx 20030130
source:       APNIC

person:       chenguang wei
nic-hdl:      CW265-AP
e-mail:       weichenguang@xxxxxxxxxxxxxxx
address:      29,Jinrong Ave., Xicheng  District, Beijing,
address:      100032 China
phone:        +86 10 66006688-1306
fax-no:       +86 10 66006187
country:      CN
remarks:      ------------------------------
remarks:      Please send abuse e-mail to
remarks:      abuse@xxxxxxxxxxxxxxx
remarks:      Please send probe e-mail to
remarks:      security@xxxxxxxxxxxxxxx
remarks:      -------------------------------
changed:      hostmaster@xxxxxxxxxxxxxxx 20030122
mnt-by:       MAINT-CN-CMCC
source:       APNIC

Probably more than you wanted to know --- but it doesn't hurt to be careful ;-).

Best regards,
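An added example, not from either poster: a small Python triage helper that parses the `dig -x` reply quoted above and reports the two signals TIV is pointing at (NXDOMAIN with no PTR, and a reverse-zone SOA naming ns.cnmobile.net), plus whether any PTR forward-confirms the hostname. The queried address is not on the page, so the constructed sample keeps the blank question line exactly as shown there.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the `dig -x` reply quoted in the post, question line
# left blank as on the page (the address itself was not preserved).
SAMPLE_DIG = """
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7249
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;  IN      PTR
202.218.in-addr.arpa. 3600 IN SOA ns.cnmobile.net. root.ns.cnmobile.net. 2004041401 3600 1800 604800 3600
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")  # owner ttl type rdata

@dataclass
class DigReply:
    status: str = ""
    flags: list = field(default_factory=list)
    counts: dict = field(default_factory=dict)
    records: list = field(default_factory=list)  # (owner, ttl, type, rdata)

def parse_dig(text: str) -> DigReply:
    """Pull the rcode, header flags, section counts and resource records
    out of dig's text output; comment lines starting with ';' are skipped."""
    reply = DigReply()
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r";; ->>HEADER<<- opcode: \w+, status: (\w+)", line):
            reply.status = m.group(1)
        elif m := re.match(r";; flags: ([^;]*);\s*(.*)$", line):
            reply.flags = m.group(1).split()
            reply.counts = {k.strip(): int(v) for k, v in
                            (item.split(":") for item in m.group(2).split(","))}
        elif line and not line.startswith(";") and (m := RR_RE.match(line)):
            reply.records.append(m.groups())
    return reply

def triage_reverse(dig_text: str, forward_name: str) -> dict:
    """Summarise what the reverse zone says about the address forward_name
    resolved to: forward-confirmed means some PTR points back at that name."""
    reply = parse_dig(dig_text)
    ptrs = [r[3].rstrip(".").lower() for r in reply.records if r[2] == "PTR"]
    soa = next((r for r in reply.records if r[2] == "SOA"), None)
    return {
        "rcode": reply.status,
        "ptr_names": ptrs,
        "forward_confirmed": forward_name.rstrip(".").lower() in ptrs,
        "reverse_zone": soa[0] if soa else None,  # in-addr.arpa zone that answered
        "reverse_zone_primary": soa[3].split()[0] if soa else None,  # SOA MNAME
        "recursion_available": "ra" in reply.flags,
    }
```

A whois of the domain only tells you what the registrant typed in; the reverse zone's SOA and the IP whois tell you who actually operates the address block, which is why the two disagree here.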
