I previously reported on no-reverse-dns-configured.com and the current and previous owners. But what about the February 2016 botnet attacks? Who was the owner when the domain name was invoked in those attacks?
According to DomainTools, the owner of no-reverse-dns-configured.com in February 2016 was Slawek Modrzejewski. Slawek was original owner of the domain name since it was first registered in 11/15/2015.
On 4/9/2016, the registration for no-reverse-dns-configured.com was dropped by GoDaddy. Five days later, the registration was picked up by SouthNames Inc. (NamePal.com) with an anonymous owner protected by United Privacy Corp, which is based in Belize.
In addition to the number WHOIS record updates for no-reverse-dns-configured.com, there has been an equally historic hosting history. As of this writing, no-reverse-dns-configured.com has been pointed to 14 different IP addresses, shown in the illustration below from DomainTools.
During the botnet attacks, the hosting IP address was changed to 220.127.116.11 which is managed by ColoCrossing. After the attacks the server IP address was changed to 18.104.22.168 – which is a bit odd as that IP is managed by Alascom, Inc. in Anchorage, Alaska. Further information provided by DomainTools shows 78 domain names have A records going to 22.214.171.124.
This leads to none of those domain names actually resolving anywhere, which may appear to be some sort of “spammer nullroute”. The full list of the 78 domain names pointing to 126.96.36.199 is available here. I notified AT&T/Alascom about these fake A records pointing to their infastructure and will follow up if I hear back from their NOC/IPAM team.