– The mother of all PTR records

Recently, I posted about the IP and the DoS attacks I observed in my syslog. I presumed the reverse DNS record (PTR record) pointing to was just a one-time fake. However, further investigation blew that theory out of the water.

Upon review of the top three networks in my all-time dropped packets list, I saw which is also managed by Quasi Networks LTD and has a PTR record, you guessed it, going to At that point I figured further investigation into this domain name was needed.

IBM X-Force Exchange is reporting the DNS name has 245 associated DNS records of which 244 are PTR records from IP addresses managed by Quasi Networks LTD.  Many of the IP addresses shown have been blacklisted by IBM.

A little further down the page shows was flagged as malware 673 times, mostly for a phishing attack in December 2016. report on is also reporting no-reverse- as malicious, including a link to a post on In the post on MMD, no-reverse- is shown as being used in a DDoS attack in February 2016, referred to as “MMD-0052-2016 – Overview of “SkidDDoS” ELF++ IRC Botnet.” is invoked yet again on DigitalOcean’s community forum back in February 2016 where a user reported, “Strang [sic] activity at auth.log (POSSIBLE BREAK-IN ATTEMPT)” from an IP address with a PTR record going to

So what is the ownership history of the no-reverse- domain name?  According to a lookup, the domain name was owned in 2016 by world-famous domain name squatter Milen Radumilo. Milen is credited with almost 100,000 registered domain names on DomainTools.

Milen Radumilo squatted on the domain

Milen Radumilo lost a notable domain name dispute against Energizer Brands, LLC for The complaint notes that Milen used the domain name in bad faith, going so far as to impersonate the Energizer Bunny to profit from links to third-party websites. Milen was also involved in at least five previous domain name dispute proceedings, each of which resulted in him forfeiting the squatted domain name.

Milen was also exposed in the Flexytalk WordPress plugin incident when he scooped two expired domains and subsequently injected popup scams into the websites using the plugin.

Sometime around March 10, 2017, the domain name ownership of was transferred from Milen Radumilo to Dmitry Vasilev. Similar to Quasi Networks Ltd, Dmitry also has an address in Seychelles.

Dmitry is also a prolific domain name squatter, with over 18,000 domains associated with him, mostly under the organization “Kineticdomains Ltd.” A prior domain name dispute Dmitry was involved in references his company as “Elmaco Ltd,” but no further information is found for either company.

I contacted RIPE NCC regarding the malicious traffic from Quasi Networks and informed them of the numerous PTR records pointing to I received a response from RIPE NCC Customer Services that, “In order to have a reverse delagation [sic] PTR records are not a must and therefor [sic] any can create PTR records with false information.”  I followed up with further documentation of the malicious activity from Quasi Networks and will update this post with their response.
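
RIPE NCC's reply is the reason a PTR name proves nothing on its own: whoever controls the reverse zone for an address block can publish any name there. The sketch below is an added example, not code from the original post. It runs a forward-confirmed reverse DNS (FCrDNS) check over a list of dropped-packet source IPs and groups the addresses whose PTR name does not resolve back to them. The function names, documentation-range addresses and `.example` host names are constructed for illustration.

```python
import socket
from collections import defaultdict

def system_ptr(ip):
    """Live PTR lookup; returns None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except OSError:
        return None

def system_forward(name):
    """Live A/AAAA lookup; returns the set of addresses the name resolves to."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def fcrdns(ip, ptr=system_ptr, forward=system_forward):
    """Return (ptr_name, status); status is 'no-ptr', 'confirmed' or 'unconfirmed'."""
    name = ptr(ip)
    if name is None:
        return None, "no-ptr"
    status = "confirmed" if ip in forward(name) else "unconfirmed"
    return name, status

def shared_unconfirmed(ips, ptr=system_ptr, forward=system_forward, min_ips=2):
    """Group source IPs by PTR name, keeping names that fail forward
    confirmation for at least min_ips distinct addresses."""
    groups = defaultdict(set)
    for ip in set(ips):
        name, status = fcrdns(ip, ptr, forward)
        if status == "unconfirmed":
            groups[name].add(ip)
    return {n: sorted(a) for n, a in groups.items() if len(a) >= min_ips}

# Constructed sample data (RFC 5737 addresses, .example names) so this runs offline.
SAMPLE_PTR = {
    "192.0.2.10": "placeholder-ptr.example",
    "192.0.2.11": "placeholder-ptr.example",
    "198.51.100.7": "placeholder-ptr.example",
    "203.0.113.5": "mail.legit.example",
}
SAMPLE_A = {"mail.legit.example": {"203.0.113.5"}}  # placeholder name has no A record
SAMPLE_DROPPED = ["192.0.2.10", "192.0.2.11", "198.51.100.7",
                  "203.0.113.5", "203.0.113.99"]

def demo():
    forward = lambda name: SAMPLE_A.get(name, set())
    return shared_unconfirmed(SAMPLE_DROPPED, SAMPLE_PTR.get, forward)

if __name__ == "__main__":
    print(demo())
```

Calling `shared_unconfirmed` without the resolver arguments uses the system resolver, so the same grouping can be run against source IPs pulled from a firewall log.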

3 thoughts on “ – The mother of all PTR records”

  1. I’ve been getting dropped packets, every couple of minutes, from the same IP/PTR since December 9th, 2016.

    What’s it take to get them shutdown???

  2. Source IP address: (

    Been receiving these port scan notifications for a couple months.

