mlsend dns spoofing on eFA

albert.celami
Posts: 4
Joined: 15 Mar 2018 11:31

mlsend dns spoofing on eFA

Post by albert.celami »

Hello,
I have currently set up an eFa virtual appliance downloaded from the official website.
I am having an issue in which eFa tries to contact the sites mlsend.com & click.mlsend.com, which are listed as well-known malicious sites.
This is done, or at least reported, as DNS spoofing.

Can anyone please tell me how to block this kind of traffic?!

Best Regards
Albert
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: mlsend dns spoofing on eFA

Post by shawniverson »

Which log are you seeing this in, and do you have an example entry? I'm curious what is possibly generating this.
albert.celami
Posts: 4
Joined: 15 Mar 2018 11:31

Re: mlsend dns spoofing on eFA

Post by albert.celami »

Hello,
below is the log entry on our DNS server.
172.20.100.8 is the IP address of the eFa server and DNS_IP_address is the hostname of the DNS server.
We have log entries like the ones below almost every 15 minutes.

Question_Name Remote_ip ResponseCode _raw
6/27/2018 10:45:21 AM 1088 PACKET 00000000050717E0 UDP Snd 172.20.100.8 1860 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 10:45:21 AM 1088 PACKET 00000000050717E0 UDP Rcv 172.20.100.8 1860 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 10:45:21 AM 1088 PACKET 0000000003C24E00 UDP Snd 172.20.100.8 7dcb R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 10:45:21 AM 1088 PACKET 0000000003C24E00 UDP Rcv 172.20.100.8 7dcb Q [0001 D NOERROR] NS mlsend.com
6/27/2018 10:34:49 AM 108C PACKET 0000000002C800C0 UDP Snd 172.20.100.8 7c37 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 10:34:49 AM 108C PACKET 0000000002C800C0 UDP Rcv 172.20.100.8 7c37 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 10:34:49 AM 108C PACKET 0000000005B0C240 UDP Snd 172.20.100.8 eb22 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 10:34:49 AM 108C PACKET 0000000005B0C240 UDP Rcv 172.20.100.8 eb22 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 10:34:27 AM 10EC PACKET 000000000608C640 UDP Snd 172.20.100.8 a61b R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 10:34:27 AM 10EC PACKET 000000000608C640 UDP Rcv 172.20.100.8 a61b Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 10:34:27 AM 10EC PACKET 00000000031B2E80 UDP Snd 172.20.100.8 b44b R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 10:34:27 AM 10EC PACKET 00000000031B2E80 UDP Rcv 172.20.100.8 b44b Q [0001 D NOERROR] NS mlsend.com
6/27/2018 10:30:46 AM 108C PACKET 0000000002912760 UDP Snd 172.20.100.8 fa21 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 10:30:42 AM 108C PACKET 0000000002912760 UDP Rcv 172.20.100.8 fa21 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 10:30:42 AM 108C PACKET 00000000046089B0 UDP Snd 172.20.100.8 c816 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 10:30:42 AM 108C PACKET 00000000046089B0 UDP Rcv 172.20.100.8 c816 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 10:15:19 AM 10EC PACKET 000000000786EE50 UDP Snd 172.20.100.8 716d R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 10:15:19 AM 1088 PACKET 000000000786EE50 UDP Rcv 172.20.100.8 716d Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 10:15:19 AM 1088 PACKET 000000000695FC60 UDP Snd 172.20.100.8 fd03 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 10:15:19 AM 1088 PACKET 000000000695FC60 UDP Rcv 172.20.100.8 fd03 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 10:00:50 AM 108C PACKET 000000000271B4B0 UDP Snd 172.20.100.8 63e3 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 10:00:50 AM 108C PACKET 000000000271B4B0 UDP Rcv 172.20.100.8 63e3 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 10:00:50 AM 108C PACKET 000000000564A130 UDP Snd 172.20.100.8 91ce R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 10:00:50 AM 108C PACKET 000000000564A130 UDP Rcv 172.20.100.8 91ce Q [0001 D NOERROR] NS mlsend.com
6/27/2018 9:45:22 AM 10B8 PACKET 0000000004F24870 UDP Snd 172.20.100.8 a995 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 9:45:22 AM 10B8 PACKET 0000000004F24870 UDP Rcv 172.20.100.8 a995 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 9:45:22 AM 10B8 PACKET 0000000003B0B320 UDP Snd 172.20.100.8 220c R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 9:45:22 AM 10B8 PACKET 0000000003B0B320 UDP Rcv 172.20.100.8 220c Q [0001 D NOERROR] NS mlsend.com
6/27/2018 9:30:47 AM 108C PACKET 0000000006A35FF0 UDP Snd 172.20.100.8 f47c R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 9:30:46 AM 108C PACKET 0000000006A35FF0 UDP Rcv 172.20.100.8 f47c Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 9:30:46 AM 108C PACKET 00000000042728F0 UDP Snd 172.20.100.8 2cb6 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 9:30:46 AM 108C PACKET 00000000042728F0 UDP Rcv 172.20.100.8 2cb6 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 9:15:20 AM 10B8 PACKET 000000000457A130 UDP Snd 172.20.100.8 2003 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 9:15:20 AM 108C PACKET 000000000457A130 UDP Rcv 172.20.100.8 2003 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 9:15:20 AM 108C PACKET 0000000004F2BCB0 UDP Snd 172.20.100.8 00f0 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 9:15:20 AM 108C PACKET 0000000004F2BCB0 UDP Rcv 172.20.100.8 00f0 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 9:00:48 AM 10EC PACKET 000000000437D750 UDP Snd 172.20.100.8 9848 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 9:00:48 AM 10EC PACKET 000000000437D750 UDP Rcv 172.20.100.8 9848 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 9:00:48 AM 108C PACKET 000000000548BE40 UDP Snd 172.20.100.8 ed82 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 9:00:48 AM 108C PACKET 000000000548BE40 UDP Rcv 172.20.100.8 ed82 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 8:45:24 AM 1088 PACKET 00000000047E0A50 UDP Snd 172.20.100.8 967c R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 8:45:24 AM 1088 PACKET 00000000047E0A50 UDP Rcv 172.20.100.8 967c Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 8:45:24 AM 10B8 PACKET 00000000037EA130 UDP Snd 172.20.100.8 d0e4 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 8:45:24 AM 10B8 PACKET 00000000037EA130 UDP Rcv 172.20.100.8 d0e4 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 8:30:45 AM 1088 PACKET 00000000066CF2D0 UDP Snd 172.20.100.8 3ab3 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 8:30:45 AM 1088 PACKET 00000000066CF2D0 UDP Rcv 172.20.100.8 3ab3 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 8:30:45 AM 1088 PACKET 00000000035D4070 UDP Snd 172.20.100.8 18f1 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 8:30:45 AM 1088 PACKET 00000000035D4070 UDP Rcv 172.20.100.8 18f1 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 8:15:17 AM 10EC PACKET 00000000027F3280 UDP Snd 172.20.100.8 6f85 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 8:15:17 AM 10EC PACKET 00000000027F3280 UDP Rcv 172.20.100.8 6f85 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 8:15:17 AM 10EC PACKET 0000000002BA8020 UDP Snd 172.20.100.8 2873 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 8:15:17 AM 10EC PACKET 0000000002BA8020 UDP Rcv 172.20.100.8 2873 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 8:00:49 AM 108C PACKET 00000000040846E0 UDP Snd 172.20.100.8 4bd7 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 8:00:49 AM 108C PACKET 00000000040846E0 UDP Rcv 172.20.100.8 4bd7 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 8:00:49 AM 108C PACKET 000000000314CC30 UDP Snd 172.20.100.8 33c4 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 8:00:49 AM 108C PACKET 000000000314CC30 UDP Rcv 172.20.100.8 33c4 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 7:45:17 AM 10B8 PACKET 0000000006A1C240 UDP Snd 172.20.100.8 ecd4 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 7:45:17 AM 10B8 PACKET 0000000006A1C240 UDP Rcv 172.20.100.8 ecd4 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 7:45:17 AM 10B8 PACKET 000000000421A3A0 UDP Snd 172.20.100.8 f9c4 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 7:45:17 AM 10B8 PACKET 000000000421A3A0 UDP Rcv 172.20.100.8 f9c4 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 7:30:40 AM 10EC PACKET 0000000007A8CA90 UDP Snd 172.20.100.8 26e7 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 7:30:40 AM 10EC PACKET 0000000007A8CA90 UDP Rcv 172.20.100.8 26e7 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 7:30:40 AM 10EC PACKET 00000000032B85B0 UDP Snd 172.20.100.8 81a0 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 7:30:40 AM 10EC PACKET 00000000032B85B0 UDP Rcv 172.20.100.8 81a0 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 7:15:14 AM 108C PACKET 0000000006977D00 UDP Snd 172.20.100.8 f1a3 R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 7:15:14 AM 108C PACKET 0000000006977D00 UDP Rcv 172.20.100.8 f1a3 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 7:15:14 AM 108C PACKET 0000000003C99FA0 UDP Snd 172.20.100.8 cd17 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 7:15:14 AM 108C PACKET 0000000003C99FA0 UDP Rcv 172.20.100.8 cd17 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 7:00:43 AM 10B8 PACKET 0000000004BA6580 UDP Snd 172.20.100.8 08fe R Q [8081 DR NOERROR] A click.mlsend.com
click.mlsend.com 172.20.100.8 NOERROR 6/27/2018 7:00:43 AM 10B8 PACKET 0000000004BA6580 UDP Rcv 172.20.100.8 08fe Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 7:00:43 AM 10B8 PACKET 0000000003FF5390 UDP Snd 172.20.100.8 6128 R Q [8081 DR NOERROR] NS mlsend.com
mlsend.com 172.20.100.8 NOERROR 6/27/2018 7:00:43 AM 10B8 PACKET 0000000003FF5390 UDP Rcv 172.20.100.8 6128 Q [0001 D NOERROR] NS mlsend.com
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: mlsend dns spoofing on eFA

Post by shawniverson »

Ok, what about some other logs? Do you see this same domain anywhere else in the system? i.e. /var/log/maillog?
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: mlsend dns spoofing on eFA

Post by shawniverson »

Also, do the contents of any emails received at the time of these logs contain "click.mlsend.com" in them?

Also, do you have any deferred queue emails that may contain something interesting?

(Want to rule out that you are receiving junk/phishing email that is triggering lookups during scanning and delivery)
albert.celami
Posts: 4
Joined: 15 Mar 2018 11:31

Re: mlsend dns spoofing on eFA

Post by albert.celami »

No, there are no log entries related to e-mail sent to or received from this domain.
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: mlsend dns spoofing on eFA

Post by shawniverson »

Unless your eFa is compromised (which I doubt), the only time such a domain lookup should occur is when emails are being scanned or relayed. A simple test would be to stop MailScanner and postfix temporarily and see if the lookups stop. If they do, something is being scanned or evaluated that is triggering the lookups.
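The two checks discussed in this thread, the DNS server log posted above and the question of whether each lookup lines up with mail being scanned or relayed, can be scripted. The following is an added example written for this page, not code from the eFa project. It parses Windows DNS server debug-log lines in the same layout as the entries posted above, reports how regularly a client asks for a watch-listed name (a lookup on a near-fixed cadence looks like a timer, a lookup that tracks mail arrivals looks like scanning), and lists the /var/log/maillog events within a minute of each lookup. The sample DNS and maillog lines are constructed for the example; the syslog year is assumed to be the one in the DNS log, and the watchlist names are the two from this thread.

```python
"""Hunt for unexplained outbound DNS lookups from a mail gateway (added example).

Parses Windows DNS debug-log packet lines in the layout posted in this thread,
measures how regular the lookups of a watch-listed name are, and correlates each
lookup with Postfix/MailScanner events from /var/log/maillog.
All sample log lines below are constructed, not real traffic.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

WATCHLIST = {"click.mlsend.com", "mlsend.com"}  # names from the thread

# Windows DNS debug-log packet line, e.g.
# 6/27/2018 8:00:49 AM 108C PACKET 000000000001 UDP Rcv 172.20.100.8 4bd7 Q [0001 D NOERROR] A click.mlsend.com
DNS_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+\S+\s+PACKET\s+\S+\s+"
    r"(?:UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<client>[\d.]+)\s+\S+\s+(?:R\s+)?Q\s+"
    r"\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)
# Syslog line from /var/log/maillog; syslog carries no year, so the caller supplies it.
MAIL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)


def parse_dns_log(text):
    """Return sorted (timestamp, client, qtype, qname) for each *received* query.

    Every lookup appears twice in the debug log (Rcv query, Snd response);
    only the Rcv side is kept so one lookup is not counted twice.
    """
    records = []
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if not m or m.group("dir") != "Rcv":
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
        records.append((ts, m.group("client"), m.group("qtype"), m.group("qname").rstrip(".").lower()))
    return sorted(records)


def parse_maillog(text, year):
    """Return sorted (timestamp, program, message) from maillog lines."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.match(line.strip())
        if not m:
            continue
        stamp = f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}"
        events.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m.group("prog").strip(), m.group("msg")))
    return sorted(events)


def lookup_cadence(records, watchlist=WATCHLIST):
    """Per (client, qname): lookup count, median gap in seconds, and the share of
    gaps within 10% of that median. A share near 1.0 means a fixed timer."""
    by_key = defaultdict(list)
    for ts, client, _qtype, qname in records:
        if qname in watchlist:
            by_key[(client, qname)].append(ts)
    out = {}
    for key, stamps in by_key.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if not gaps:
            out[key] = (len(stamps), None, 0.0)
            continue
        med = statistics.median(gaps)
        regular = sum(1 for g in gaps if abs(g - med) <= 0.1 * med) / len(gaps)
        out[key] = (len(stamps), med, regular)
    return out


def correlate(records, events, window=timedelta(seconds=60), watchlist=WATCHLIST):
    """Map each watch-listed lookup to the maillog events within +/- window.
    An empty list means the lookup happened while no mail was being handled."""
    result = {}
    for ts, client, qtype, qname in records:
        if qname not in watchlist:
            continue
        near = [e for e in events if abs((e[0] - ts).total_seconds()) <= window.total_seconds()]
        result[(ts, client, qtype, qname)] = near
    return result


# Constructed sample data in the thread's log layout (not real traffic).
SAMPLE_DNS = """\
6/27/2018 8:00:49 AM 108C PACKET 000000000001 UDP Rcv 172.20.100.8 4bd7 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 8:00:49 AM 108C PACKET 000000000001 UDP Snd 172.20.100.8 4bd7 R Q [8081 DR NOERROR] A click.mlsend.com
6/27/2018 8:00:49 AM 108C PACKET 000000000002 UDP Rcv 172.20.100.8 33c4 Q [0001 D NOERROR] NS mlsend.com
6/27/2018 8:15:17 AM 10EC PACKET 000000000003 UDP Rcv 172.20.100.8 6f85 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 8:30:45 AM 1088 PACKET 000000000004 UDP Rcv 172.20.100.8 3ab3 Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 8:45:24 AM 1088 PACKET 000000000005 UDP Rcv 172.20.100.8 967c Q [0001 D NOERROR] A click.mlsend.com
6/27/2018 8:46:10 AM 1088 PACKET 000000000006 UDP Rcv 172.20.100.9 0a0a Q [0001 D NOERROR] A www.example.com
"""
SAMPLE_MAIL = """\
Jun 27 08:15:12 efa postfix/smtpd[2231]: connect from mail.example.org[203.0.113.5]
Jun 27 08:15:15 efa MailScanner[1189]: New Batch: Scanning 1 messages, 4821 bytes
Jun 27 08:15:19 efa postfix/smtp[2240]: 1A2B3C: to=<user@example.com>, status=sent
"""

if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS)
    for key, (n, med, reg) in lookup_cadence(recs).items():
        print(f"{key}: {n} lookups, median gap {med}s, {reg:.0%} of gaps on that cadence")
    for key, near in correlate(recs, parse_maillog(SAMPLE_MAIL, 2018)).items():
        print(f"{key[0]} {key[2]} {key[3]}: {len(near)} maillog events within 60s")
```

Feed it the real DNS debug log and the maillog for the same period. Lookups that land on a fixed cadence with no mail activity nearby are the ones to chase with the test above (stop MailScanner and postfix and see whether they continue); lookups that cluster around maillog batches point at message content being scanned.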