[SURBL-Discuss] More spams with Zdnet redirector

John_Delisle at ceridian.ca John_Delisle at ceridian.ca
Thu Apr 7 17:22:43 CEST 2005


Based on what you've described below, I'm guessing you've found their load
balancer.

chkpt.zdnet.com.        300     IN      CNAME   c10-dw-xw-lb.cnet.com.

They're a pretty big site - I'd bet they have geographical load balancers
and DNS.

The short TTL is normal for this type of configuration.

John Delisle, CISA
Senior Network Analyst, Network and Security Team
Information Systems & Technology Management Dept.
Ceridian Canada Ltd
600 - 125 Garry St
Winnipeg, MB
R3C 3P2
204-975-5909




List Mail User <track at Plectere.com>
Sent by: discuss-bounces at lists.surbl.org
04/07/2005 10:04 AM
Please respond to: SURBL Discussion list <discuss at lists.surbl.org>
To: discuss at lists.surbl.org, jeffc at surbl.org
cc: track at Plectere.com
Subject: Re: [SURBL-Discuss] More spams with Zdnet redirector

>...
>
>On Wednesday, April 6, 2005, 11:54:56 AM, Patrik Nilsson wrote:
>> At 01:26 2005-04-06 -0700, Jeff Chan wrote:
>>>Raymond, Paul and others, please LART them.
>>>
>>>We're not going to blacklist zdnet.
>
>> It's not zdnet, it's chkpt.zdnet.com.
>
>> Does chkpt.zdnet.com show up in ham?
>
>> http://groups-beta.google.com/groups?q=%22chkpt.zdnet.com%22&start=10&scoring=d
>
>> Are we still 100% opposed to trying to find a way to include sub-domains in
>> surbls?
>
>> Patrik 
>
>It's possible to list subdomains, but this one chkpt.zdnet.com
>would still probably not be appropriate since it probably has
>legitimate uses.  Also subdomains may not be checked by SURBL
>applications.
>
>Jeff C.
>--
>"If it appears in hams, then don't list it."
>
It is actually worse than a subdomain.  If it were a simple "static"
name, maybe you could list the IP.  But it is a CNAME with a five minute TTL,
and it *does* seem to change regularly!

% dig chkpt.zdnet.com any @ns.cnet.com

; <<>> DiG 9.3.0 <<>> chkpt.zdnet.com any @ns.cnet.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18416
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;chkpt.zdnet.com.               IN      ANY

;; ANSWER SECTION:
chkpt.zdnet.com.        300     IN      CNAME   c10-dw-xw-lb.cnet.com.

;; AUTHORITY SECTION:
zdnet.com.              86400   IN      NS      ns.cnet.com.
zdnet.com.              86400   IN      NS      ns2.cnet.com.
zdnet.com.              86400   IN      NS      ns3.cnet.com.

;; ADDITIONAL SECTION:
ns.cnet.com.            86400   IN      A       216.239.126.10
ns2.cnet.com.           86400   IN      A       206.16.0.71
ns3.cnet.com.           86400   IN      A       216.239.120.69

;; Query time: 19 msec
;; SERVER: 216.239.126.10#53(ns.cnet.com)
;; WHEN: Thu Apr  7 07:58:20 2005
;; MSG SIZE  rcvd: 166

% dig c10-dw-xw-lb.cnet.com any @ns.cnet.com

; <<>> DiG 9.3.0 <<>> c10-dw-xw-lb.cnet.com any @ns.cnet.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46613
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;c10-dw-xw-lb.cnet.com.         IN      ANY

;; ANSWER SECTION:
c10-dw-xw-lb.cnet.com.  300     IN      A       216.239.115.143

;; AUTHORITY SECTION:
cnet.com.               86400   IN      NS      ns.cnet.com.
cnet.com.               86400   IN      NS      ns2.cnet.com.
cnet.com.               86400   IN      NS      ns3.cnet.com.

;; ADDITIONAL SECTION:
ns.cnet.com.            86400   IN      A       216.239.126.10
ns2.cnet.com.           86400   IN      A       206.16.0.71
ns3.cnet.com.           86400   IN      A       216.239.120.69

;; Query time: 20 msec
;; SERVER: 216.239.126.10#53(ns.cnet.com)
;; WHEN: Thu Apr  7 07:58:51 2005
;; MSG SIZE  rcvd: 156

Yesterday (or the day before), it pointed at a different IP.
I still think the only effective LART is a short message, and forward
the problem email to the CNet editors (but maybe someone else can find
a person at CNet to listen - I can't).

Meanwhile, if they don't do something soon - I promise when I own
cnet.com and zdnet.com, there will not be any redirectors:)

                 Paul Shupak
                 track at plectere.com
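
Added example (not part of the thread, and not SURBL's or any client's own code): a sketch of how a URI-checking client could form its SURBL lookups so that a link through chkpt.zdnet.com is judged by the destination it wraps, since neither zdnet.com nor the changing load-balancer IP can be listed. The redirector URL shapes, the .example domains and the short two-level-TLD set are constructed assumptions; multi.surbl.org is SURBL's combined zone.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

SURBL_ZONE = "multi.surbl.org"
# Constructed subset; a real checker carries the full two-level-TLD list.
TWO_LEVEL = {"co.uk", "com.au", "co.jp"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample body; the redirector path/query shapes are assumptions.
SAMPLE = ("Read http://chkpt.zdnet.com/chkpt/x/http://www.pills-shop.example/offer "
          "or http://chkpt.zdnet.com/r?u=http%3A%2F%2Fmeds.example.co.uk%2Fbuy "
          "or http://192.0.2.7/x")

def lookup_key(host):
    """Return the name SURBL lists: base domain, or reversed IPv4 octets."""
    try:
        ip = ipaddress.IPv4Address(host)
        return ".".join(reversed(str(ip).split(".")))
    except ValueError:
        pass
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL else 2
    return ".".join(labels[-keep:])

def embedded_urls(url):
    """URLs nested in the path or query of a link (one level of %-decoding)."""
    parts = urlsplit(url)
    return URL_RE.findall(unquote(parts.path + "?" + parts.query))

def surbl_queries(body):
    """DNS names to query for every URL in body, including redirect targets."""
    pending, seen, out = URL_RE.findall(body), set(), []
    while pending:
        url = pending.pop(0)
        host = urlsplit(url).hostname
        if not host:
            continue
        pending.extend(embedded_urls(url))   # unwrap the redirector
        name = f"{lookup_key(host)}.{SURBL_ZONE}"
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out

if __name__ == "__main__":
    for name in surbl_queries(SAMPLE):
        print(name)
```

The chkpt.zdnet.com links collapse to a single zdnet.com query, which stays unlisted because it appears in ham; the wrapped destinations are what can produce a hit.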