Sunday, 11. May 2003
Stealing mail by faking DNS-entries
My research on DNS manipulation led me to a provider that steals mail addressed to stormfront.org. This is strange, since the blocking order only covered web pages, and mail is the one service that can keep working unaffected when A records are faked to block web access.
Even if you block the mail routing data (the MX records) in the DNS, you do not have to redirect the mail to your own servers. Doing so is in fact not only illegal but criminal.
[c0ldcut:~] md% dig @muensmain.citykom.de. stormfront.org. MX
; <<>> DiG 8.3 <<>> @muensmain.citykom.de. stormfront.org. MX
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
;; QUERY SECTION:
;; stormfront.org, type = MX, class = IN
;; ANSWER SECTION:
stormfront.org. 1D IN MX 100 muemailb.citykom.de.
stormfront.org. 1D IN MX 100 muemailc.citykom.de.
;; AUTHORITY SECTION:
stormfront.org. 1D IN NS muensmain.citykom.de.
stormfront.org. 1D IN NS muensa.citykom.de.
;; ADDITIONAL SECTION:
muemailb.citykom.de. 1H IN A 195.202.32.22
muemailc.citykom.de. 1H IN A 195.202.32.23
muensmain.citykom.de. 1H IN A 195.202.33.68
muensa.citykom.de. 1H IN A 195.202.32.79
;; Total query time: 137 msec
;; FROM: c0ldcut.23.nu to SERVER: muensmain.citykom.de. 195.202.33.68
;; WHEN: Sun May 11 21:03:26 2003
;; MSG SIZE sent: 32 rcvd: 201
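As an added example (not part of the original post), here is a small Python script that checks a saved dig answer for the signs visible in the capture above: a recursive resolver (flag ra) answering authoritatively (flag aa) for a zone it does not operate, and MX or NS records for that zone that point into the resolver operator's own domain instead of the zone itself. Both dig captures embedded in it are constructed: the first copies the answer shown above, the second is a made-up clean answer for example.org from a hypothetical resolver resolver.isp.example. Deriving the operator's domain from the last two labels of the resolver name is a simplification assumed here (no public suffix list).

```python
"""Flag faked MX/NS answers in saved dig output (dig 8 and dig 9 layouts)."""
import re

# Constructed copy of the capture in the post (resolver muensmain.citykom.de).
SUSPECT_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
;; QUERY SECTION:
;;      stormfront.org, type = MX, class = IN
;; ANSWER SECTION:
stormfront.org.         1D IN MX        100 muemailb.citykom.de.
stormfront.org.         1D IN MX        100 muemailc.citykom.de.
;; AUTHORITY SECTION:
stormfront.org.         1D IN NS        muensmain.citykom.de.
stormfront.org.         1D IN NS        muensa.citykom.de.
;; ADDITIONAL SECTION:
muemailb.citykom.de.    1H IN A         195.202.32.22
"""

# Constructed clean answer: MX hosts live in the zone, no aa flag, and the
# off-site NS (example.net) is ordinary secondary hosting, not the resolver's.
CLEAN_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUERY SECTION:
;;      example.org, type = MX, class = IN
;; ANSWER SECTION:
example.org.            1D IN MX        10 mail.example.org.
;; AUTHORITY SECTION:
example.org.            1D IN NS        ns1.example.org.
example.org.            1D IN NS        ns2.example.net.
"""


def registered_domain(host):
    """Last two labels of a host name: muensmain.citykom.de -> citykom.de.
    Assumed simplification; a real tool would consult the public suffix list."""
    labels = host.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def in_domain(name, domain):
    name = name.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def parse_dig(text):
    """Return (flags, query name, [(section, owner, type, target)]) for MX/NS RRs."""
    flags, qname, records, section = set(), None, [], None
    for line in text.splitlines():
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        m = re.match(r";;\s+(\S+), type = (\w+), class = (\w+)", line)
        if m and section == "QUERY":           # dig 8 query line
            qname = m.group(1).rstrip(".").lower()
            continue
        if section == "QUESTION" and line.startswith(";"):  # dig 9 question line
            qname = line[1:].split()[0].rstrip(".").lower()
            continue
        if line.startswith(";") or not line.strip():
            continue
        parts = line.split()                   # owner ttl IN type rdata...
        if len(parts) < 5 or parts[2] != "IN" or parts[3] not in ("MX", "NS"):
            continue
        records.append((section, parts[0].rstrip(".").lower(),
                        parts[3], parts[-1].rstrip(".").lower()))
    return flags, qname, records


def analyze(dig_text, resolver_host):
    """List hijack indicators in an answer obtained from resolver_host."""
    flags, zone, records = parse_dig(dig_text)
    operator = registered_domain(resolver_host)
    findings = []
    # A recursive resolver has no business being authoritative for someone
    # else's zone; aa together with ra is the first giveaway in the capture.
    if {"aa", "ra"} <= flags and not in_domain(zone, operator):
        findings.append(f"aa set: recursive resolver {resolver_host} claims authority for {zone}")
    # MX/NS of the zone pointing at the operator's own hosts is the second.
    for section, owner, rtype, target in records:
        if owner == zone and in_domain(target, operator) and not in_domain(target, zone):
            findings.append(f"{rtype} for {zone} points to {target} ({section.lower()} section)")
    return findings


if __name__ == "__main__":
    for label, text, resolver in (("suspect", SUSPECT_DIG, "muensmain.citykom.de"),
                                  ("clean", CLEAN_DIG, "resolver.isp.example")):
        print(label, analyze(text, resolver) or ["no indicators"])
```

Run against the capture above the script reports the aa flag plus all four MX and NS records pointing into citykom.de; against the constructed clean answer it reports nothing. To use it on a live resolver, save the output of a dig MX query to a file and pass its contents together with the resolver's host name to analyze().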
21:24
DNS meets the press
My recent DNS research has hit the public via the CCC, the heise newsticker and Lenz Blog.
23:11
disLEXia, a research project by Maximillian Dornseif