Full Version: What flags a site as Spyware provider
B.I.S.S. Forums > Malware Research Forum > Malware IP Research Section
2k2f4i
We use a WatchGuard firewall at my company, which happens to use your blocked site list for spyware sites.

I have a user that tried to access the site www.beliefnet.com. The page timed out.

When I try to do an nslookup or type the URL in the address bar for the site www.beliefnet.com, it will time out, because the DNS reply is coming from the name server NS1.DATAPIPE.NET or NS2.DATAPIPE.NET. The firewall is denying with the message:


**From firewall logs**
************************************************************
2009-02-04 15:24:19 Deny (MY internal DNS server IP here) 64.27.64.76 dns/udp 49367 53 1-Trusted unknown NS2.DATAPIPE.NET, destination IP on Spyware Blocklist, firewall drop 63 128 (internal policy)
************************************************************


I have worked around this issue by forwarding unresolved traffic on the DNS server to our ISP's DNS servers. Their DNS server will query and return the results without us directly connecting with either NS1.DATAPIPE.NET or NS2.DATAPIPE.NET, which I assume would keep us safe since no contact is made directly with either NS1.DATAPIPE.NET or NS2.DATAPIPE.NET.

After informing my boss of the workaround, she is concerned that this may be bypassing the spyware block list.

So my questions are:

1. How do you determine that a site is a known spyware site and block it? Since these are name servers and only use port 53, how is it a "spyware server"? Is it infecting PCs via DNS queries? I verified port 80 is closed. Is it returning invalid "spoofed" DNS replies?

2. Because the DNS server for this site was blocked, does that mean you do not scan the sites it hosts DNS for? I.e., is www.beliefnet.com not scanned because any site that uses NS1.DATAPIPE.NET or NS2.DATAPIPE.NET is a known spyware site?

3. What was the reason for the blocking of NS1.DATAPIPE.NET?





From WatchGuard support (the tech's name has been replaced with xxxxxx):

Our database is provided by http://www.bluetack.co.uk/forums/index.php?act=idx. You will find information regarding block site lists. This is the company one would contact if they appeared on a blocked sites list.

Thanks,

xxxxxxxxxx | Watchguard Technical Support
WatchGuard Technologies, Inc. | www.watchguard.com




Thanks so much for your time in this matter,

John
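An added example, not from the post, from WatchGuard or from Bluetack, that models the question John is asking: the firewall matches the destination IP of every outbound packet against the blocklist, so with direct recursion the internal resolver's query to a listed name server is dropped (the deny line above), while forwarding to the ISP's resolver moves that hop off the network. The later web connection still goes to the site's own address and is checked against the same list, so forwarding only bypasses the listing of the name servers, not the listing of any host the list actually names. The script assumes the PeerGuardian "P2P" plaintext format (`label:first-last`) that the Bluetack lists are distributed in; only 64.27.64.76 comes from the log in the post, the other addresses (192.0.2.53, 198.51.100.x, 203.0.113.x, 10.0.0.53 in place of the redacted internal resolver) are constructed documentation ranges.

```python
import ipaddress
import re

# Constructed blocklist in P2P format (label:first-last). Only 64.27.64.76 appears
# in the post's firewall log; the other ranges are made up for this example.
SAMPLE_BLOCKLIST = """\
# comment lines and blanks are ignored
Browser Hijackers - Datapipe DNS (IP from the log):64.27.64.76-64.27.64.76
Browser Hijackers - Datapipe DNS (constructed):192.0.2.53-192.0.2.53
Spyware web host (constructed):203.0.113.0-203.0.113.255
"""

# The deny line from the post, with the redacted source replaced by a constructed
# internal resolver address (10.0.0.53) so that it parses.
SAMPLE_LOG_LINE = (
    "2009-02-04 15:24:19 Deny 10.0.0.53 64.27.64.76 dns/udp 49367 53 1-Trusted unknown "
    "NS2.DATAPIPE.NET, destination IP on Spyware Blocklist, firewall drop 63 128 (internal policy)"
)

# Field order as it appears in the log line above: date time Deny src dst proto sport dport iface policy msg
DENY_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) Deny (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<iface>\S+) (?P<policy>\S+) (?P<msg>.*)$"
)


def parse_p2p_blocklist(text):
    """Return (label, first_ip, last_ip) triples from a P2P-format list."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        label, _, rng = line.rpartition(":")      # labels may contain ':' themselves
        first, _, last = rng.partition("-")       # a single address has no '-'
        entries.append((label, ipaddress.ip_address(first), ipaddress.ip_address(last or first)))
    return entries


def matches(entries, ip):
    """Labels of every blocklist range containing ip (empty list if it is not listed)."""
    addr = ipaddress.ip_address(ip)
    return [label for label, lo, hi in entries if lo <= addr <= hi]


def parse_deny(line):
    """Pull source, destination, port and message out of a WatchGuard-style deny line."""
    m = DENY_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "msg": m["msg"]}


def assess(entries, ns_ips, site_ips):
    """
    Compare the two resolver setups from the post for one site.
      direct recursion: the internal DNS server contacts the zone's authoritative
        servers itself, so resolution fails once every one of them is listed;
      forwarding: the ISP resolver contacts them instead, so their listing no longer
        matters for resolution.
    The web connection afterwards goes to site_ips either way and the firewall checks
    those against the same list, so a listed site stays blocked.
    """
    blocked_ns = {ip: matches(entries, ip) for ip in ns_ips if matches(entries, ip)}
    blocked_site = {ip: matches(entries, ip) for ip in site_ips if matches(entries, ip)}
    return {
        "direct_recursion_works": len(blocked_ns) < len(ns_ips),
        "forwarding_resolves": True,
        "site_reachable_via_forwarding": not blocked_site,
        "blocked_name_servers": blocked_ns,
        "blocked_site_addresses": blocked_site,
    }


if __name__ == "__main__":
    entries = parse_p2p_blocklist(SAMPLE_BLOCKLIST)
    deny = parse_deny(SAMPLE_LOG_LINE)
    print("log destination", deny["dst"], "listed as", matches(entries, deny["dst"]))
    # Both authoritative servers listed, web host not listed: forwarding fixes the site.
    print(assess(entries, ["64.27.64.76", "192.0.2.53"], ["198.51.100.10"]))
    # Same name servers, but a web host that is itself listed: still dropped at the firewall.
    print(assess(entries, ["64.27.64.76", "192.0.2.53"], ["203.0.113.7"]))
```

Running the two scenarios side by side is the check the boss's concern calls for: the first shows the workaround restoring a site whose only problem was its name servers' listing, the second shows that a site whose own address is on the list is still dropped after forwarding, so the list is not bypassed for the hosts it actually names.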

Moore
Hi John, thanks for checking with us.

Those Datapipe DNS entries were from an old Browser / Internet Hijackers thread from a few years ago. In some cases I was blocking the DNS servers of spyware sites' web hosts. I don't do that anymore except in very extreme cases.

The Datapipe DNS servers have now been removed from the spyware list. Sorry if this has caused any inconvenience.