The 198.18.1 phenomenon

Postby Red Dwarf » Thu Oct 29, 2015 4:40 pm

Here is a puzzle. I have detected this once before on an IP address 212.154.209.10 in Kazakhstan.

Today there are a number (4%) of Eva pharmacy domains which are being assigned invalid non-routable IP addresses. They are in the range 198.18.1.1-254.
    198.18.0.0/15
    SPECIAL-IPV4-BENCHMARK-TESTING-IANA-RESERVED
    Addresses starting with "198.18." or "198.19." are set aside for use in isolated laboratory networks used for benchmarking and performance testing. They should never appear on the Internet and if you see Internet traffic using these addresses, they are being used without permission.

Each domain is rapidly switching from one address in that range to another. This is caused by a rogue domain name server at 212.154.209.10 owned by the Kazakhtelecom Network Information Center.

50.0% of queries will be returned by 103.229.72.179 (ns1.medicaltableteshop.ru)
medicaltableteshop.ru. 600 IN A 82.199.121.167
50.0% of queries will be returned by 212.154.209.10 (ns2.medicaltableteshop.ru)
medicaltableteshop.ru. 0 IN A 198.18.1.251

50.0% of queries will be returned by 103.229.72.179 (ns1.hsbiwjcs.ru)
hsbiwjcs.ru. 600 IN A 95.84.156.43
50.0% of queries will be returned by 212.154.209.10 (ns2.hsbiwjcs.ru)
hsbiwjcs.ru. 0 IN A 198.18.1.180

Examples of the 120 domains that will fail to load half the time:

curingfamilymall.ru
curingfirstdeal.ru
ehkltrlu.ru
fasthealingeshop.xyz
herbaldrugsmarket.xyz
hottreatmentoutlet.ru
hottreatmentstore.ru
hsbiwjcs.ru
hwrzxota.ru
ifcmbiyo.ru
ixxeoylb.ru
izpcnurx.ru
lrnsawmm.ru
luckymedsquality.ru
medicaldrugtrade.ru
medicalfastprogram.ru
medicalglobalinc.ru
medicalherbprogram.ru
medicalmedsservices.ru
medicalpillmart.com
medicalprivatemart.ru
medicalremedyreward.ru
medicalremedysale.ru
medicalsafeservices.ru
medicalsecuresale.ru
medicaltableteshop.ru
medicaltabspurc
medicalwelnessshop.ru
medicatingsmartmart.ru
mghsuvep.ru
mjfloobj.ru
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10485
Joined: Tue Jun 27, 2006 2:01 am
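The post describes two authoritative nameservers for each domain, one answering with a routable address and the other (212.154.209.10) with a TTL-0 answer inside 198.18.0.0/15, so roughly half of all lookups land on an address that can never be reached. The script below is an added example, not the poster's own tooling: it parses dig-style answer lines of the kind quoted above, checks each answer against the IANA benchmarking range and the other common special-use ranges, and reports per domain what share of its nameservers hand back a non-routable address and whether the bogus answer has TTL 0 (nothing caches it, so the domain flips on every lookup). The sample answers are constructed from the records in the post; the `good.test` and `private.test` entries are hypothetical and only exercise the healthy and RFC 1918 cases.

```python
"""Classify DNS A answers that point into non-routable space.

Added example, not the forum poster's tooling. Input is a list of
(nameserver that answered, dig-style answer line) pairs.
"""
import ipaddress
import re
from collections import defaultdict

# Special-use IPv4 ranges that should never be returned for a public web host.
# 198.18.0.0/15 is the benchmarking range from the post; the rest are the
# usual bogon set (RFC 1918, RFC 6598, loopback, link-local, documentation).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "198.18.0.0/15",                                      # benchmarking (RFC 2544)
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "100.64.0.0/10",                                      # CGNAT shared space (RFC 6598)
    "127.0.0.0/8",                                        # loopback
    "169.254.0.0/16",                                     # link-local
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",  # documentation
    "0.0.0.0/8",                                          # "this" network
)]

# "name. TTL IN A a.b.c.d" with an optional trailing dot on the name.
A_RECORD = re.compile(
    r"^(?P<name>\S+?)\.?\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d+\.\d+\.\d+\.\d+)$")


def is_non_routable(addr):
    """True if addr falls inside any of the ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def parse_a_record(line):
    """Parse 'name. TTL IN A a.b.c.d' into (name, ttl, ip); raise on anything else."""
    m = A_RECORD.match(line.strip())
    if not m:
        raise ValueError("not an A record: %r" % line)
    return m.group("name"), int(m.group("ttl")), m.group("ip")


# Constructed sample modelled on the dnscheck-style output in the post.
# good.test and private.test are hypothetical control cases.
SAMPLE_ANSWERS = [
    ("ns1.medicaltableteshop.ru", "medicaltableteshop.ru. 600 IN A 82.199.121.167"),
    ("ns2.medicaltableteshop.ru", "medicaltableteshop.ru. 0 IN A 198.18.1.251"),
    ("ns1.hsbiwjcs.ru", "hsbiwjcs.ru. 600 IN A 95.84.156.43"),
    ("ns2.hsbiwjcs.ru", "hsbiwjcs.ru. 0 IN A 198.18.1.180"),
    ("ns1.good.test", "good.test. 3600 IN A 82.199.121.167"),
    ("ns2.good.test", "good.test. 3600 IN A 82.199.121.167"),
    ("ns1.private.test", "private.test. 300 IN A 10.1.2.3"),
]


def analyse(answers):
    """Return {domain: report}.

    failure_fraction: share of nameservers returning a non-routable address,
        i.e. roughly the share of lookups that fail when resolvers pick
        nameservers evenly (0.5 for the two-nameserver case in the post).
    fast_flux: True when a bogus answer carries TTL 0, so resolvers never
        cache it and the domain changes address on every lookup.
    """
    by_domain = defaultdict(list)
    for ns, line in answers:
        name, ttl, ip = parse_a_record(line)
        by_domain[name].append((ns, ttl, ip))
    reports = {}
    for domain, rows in by_domain.items():
        bad = [(ns, ttl, ip) for ns, ttl, ip in rows if is_non_routable(ip)]
        reports[domain] = {
            "failure_fraction": len(bad) / len(rows),
            "bad_answers": bad,
            "fast_flux": any(ttl == 0 for _, ttl, _ in bad),
        }
    return reports


if __name__ == "__main__":
    for domain, rep in sorted(analyse(SAMPLE_ANSWERS).items()):
        if not rep["bad_answers"]:
            continue
        flag = " (TTL 0: fast-flux)" if rep["fast_flux"] else ""
        print("%-25s %3.0f%% of nameservers non-routable%s"
              % (domain, 100 * rep["failure_fraction"], flag))
        for ns, ttl, ip in rep["bad_answers"]:
            print("    %s -> %s (ttl %d)" % (ns, ip, ttl))
```

To run this against live data, query each authoritative nameserver directly (for example `dig @ns2.example.ru example.ru A +noall +answer`) and feed the answer lines in with the nameserver name; querying a recursive resolver instead would hide which nameserver is handing out the bogus answer.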

Re: The 198.18.1 phenomenon

Postby Red Dwarf » Wed Nov 04, 2015 1:22 am

After 5 days, the rogue DNS IP 212.154.209.1, which was resolving to fast-flux addresses in the range 198.18.1.*, has been withdrawn from use, and all the domains that were failing are now back in business. There are a few residual failures, such as:
curingaidmarket.xyz
yourorganicprogram.xyz
trustedcarecompany.xyz
smartaidservices.xyz
safepharmmarket.xyz
pureorganiccompany.xyz
onlineremedysale.xyz

