random technical thoughts from the Nominet technical team

NXDOMAINs

Posted by johng on Oct 30th, 2006

Over the past month we have seen some large spikes in DNS queries to our nameservers for non-existent .co.uk domains. These spikes often last around 6 hours, and on occasion the failing queries outnumber valid ones.

The A queries are for hostnames prefixed with mx, mxs, mail, smtp, relay, gate, mx1 and mail1, in roughly equal proportion. Queries for the MX record of the domain itself are also attempted. The domains do not appear to be randomly generated and often exist under other TLDs (predominantly .com).

The queries originate from ISP DNS servers all over the globe. The hostnames of these resolvers suggest they are recursive resolvers for customer use, so the queries most likely originate from end-user machines behind them.

The prefixes are similar to those used by the Mytob worm, which still features near the top of many AV companies' infection lists. It seems likely that a variant replaces the .com suffix with .co.uk in an attempt to locate additional mail servers to spread through. The short duration of each spike and the sudden onset of activity may indicate well-organised seeding. A slight increase in valid queries during a spike shows that this strategy does occasionally locate additional mail servers under .co.uk, although the vast majority of the queries fail. The queries are cheap to perform, however, and are only likely to be noticed by those running the authoritative nameservers for the chosen suffix.

