From Bell Canada the link in the Location: header takes me through a couple of steps of tracking sites and then away over to any of several spam/attack sites:

http://www.mega-brokers.co/lp-millionaireclub-brown/?coc=156&subc=w1ATM3TVTC6OC04PG7B7IRCK&paramc=golf-axe-Tw049LVw&paramf=MS%20-%20New%20Publisher%20-%20INTL
http://alwaysnew.feelfree4update.com/?pcl=3LbSqxsHPv14PjCURUDXDEdm0CHvCe21dottyrEp5Qo.&subid=102855_4a8f8983d90d5aba83b274e59952f44e&v_id=JMns7DFxzqZv1_WCWflzXTSG2mj3zOFVuYw-XLU3wFE.

etc., which seem to rotate every few minutes.

From Wind Mobile Canada, the landing page gives me TCP RSTs when I try to go to it, so good on Wind I guess.

It's strange that the DNS hijacking is only for some sites. Are you sure it's targeting otr specifically? Can you maybe write a scapy script to test thoroughly?

The landing site doesn't seem to be doing anything funny with routing. My traceroute from Bell:

[kousu@galleon ~]$ traceroute 195.22.126.213
traceroute to 195.22.126.213 (195.22.126.213), 30 hops max, 60 byte packets
 1  homeportal (192.168.2.1)  5.969 ms  7.243 ms  8.035 ms
 2  10.11.0.241 (10.11.0.241)  408.481 ms  408.536 ms  510.627 ms
 3  10.178.206.42 (10.178.206.42)  17.837 ms  19.829 ms  21.733 ms
 4  10.178.206.43 (10.178.206.43)  23.634 ms  23.901 ms  25.642 ms
 5  tcore3-kitchener06_bundle-ether4.net.bell.ca (64.230.113.68)  31.503 ms tcore4-kitchener06_Bundle-ether4.net.bell.ca (64.230.113.70)  36.814 ms  33.979 ms
 6  tcore4-toronto21_hun1-1-0-0.net.bell.ca (64.230.50.190)  45.551 ms  11.502 ms  24.040 ms
 7  tcore4-torontoxn_HundredGigE0-12-0-0.net.bell.ca (64.230.50.19)  24.219 ms tcore3-torontoxn_HundredGigE0-12-0-0.net.bell.ca (64.230.50.11)  28.631 ms  28.861 ms
 8  bx1-torontoxn_et1-0-0.net.bell.ca (64.230.97.157)  31.141 ms  32.961 ms  33.136 ms
 9  ix-5-0-1-0.tcore2.TNK-Toronto.as6453.net (63.243.172.25)  62.577 ms  62.790 ms  62.937 ms
10  if-2-2.tcore1.TNK-Toronto.as6453.net (64.86.33.89)  36.800 ms  36.999 ms  38.806 ms
11  ae9.tor10.ip4.gtt.net (173.205.54.65)  38.981 ms  40.671 ms  42.366 ms
12  xe-0-1-0.waw11.ip4.gtt.net (141.136.109.10)  135.031 ms  128.720 ms xe-0-0-0.waw11.ip4.gtt.net (89.149.182.38)  132.269 ms
13  ip4.gtt.net (46.33.84.122)  138.020 ms  139.968 ms  140.194 ms
14  * * *
15  * * *
16  92-55-195-149.net.hawetelekom.pl (92.55.195.149)  159.489 ms  161.746 ms  163.115 ms
17  SDC-N003RTP01.net.hawetelekom.pl (77.242.225.94)  161.568 ms  164.712 ms  173.525 ms
18  n16h14.sprintdatacenter.net (46.29.16.14)  137.273 ms  139.551 ms  140.869 ms
19  195.22.126.213 (195.22.126.213)  141.038 ms  145.883 ms  147.956 ms

and from Wind Mobile:

[kousu@galleon ~]$ traceroute 195.22.126.213
traceroute to 195.22.126.213 (195.22.126.213), 30 hops max, 443 byte packets
 1  * gateway (192.168.43.1)  9.156 ms  11.419 ms
 2  * * *
 3  * * *
 4  199.7.156.196 (199.7.156.196)  1564.910 ms  1564.862 ms  1564.890 ms
 5  199.7.156.197 (199.7.156.197)  1564.881 ms  1564.871 ms  1564.861 ms
 6  199.7.158.107 (199.7.158.107)  1619.754 ms  1611.411 ms  1609.155 ms
 7  199.7.158.130 (199.7.158.130)  160.965 ms  172.696 ms  181.021 ms
 8  te0-0-1-2.nr12.b029131-1.yvr01.atlas.cogentco.com (38.88.6.177)  251.004 ms  253.353 ms  253.616 ms
 9  te0-0-1-3.rcr12.yvr01.atlas.cogentco.com (154.24.48.217)  207.164 ms  219.989 ms  264.788 ms
10  te0-0-0-14.ccr21.sea02.atlas.cogentco.com (154.54.83.225)  161.598 ms  151.673 ms  144.550 ms
11  be2083.ccr21.sea01.atlas.cogentco.com (154.54.0.249)  163.858 ms be2084.ccr22.sea01.atlas.cogentco.com (154.54.0.253)  165.557 ms  177.474 ms
12  be2077.ccr22.sfo01.atlas.cogentco.com (154.54.0.241)  188.410 ms be2075.ccr21.sfo01.atlas.cogentco.com (154.54.0.233)  175.955 ms be2077.ccr22.sfo01.atlas.cogentco.com (154.54.0.241)  180.306 ms
13  be2165.ccr22.sjc01.atlas.cogentco.com (154.54.28.66)  188.078 ms be2164.ccr21.sjc01.atlas.cogentco.com (154.54.28.34)  195.397 ms be2165.ccr22.sjc01.atlas.cogentco.com (154.54.28.66)  194.008 ms
14  be2000.ccr21.sjc03.atlas.cogentco.com (154.54.6.106)  127.874 ms  130.911 ms  178.101 ms
15  gtt.sjc03.atlas.cogentco.com (154.54.9.14)  168.180 ms  179.834 ms  171.818 ms
16  xe-0-0-0.waw11.ip4.gtt.net (89.149.182.38)  284.123 ms  276.452 ms  279.398 ms
17  ip4.gtt.net (46.33.84.122)  307.631 ms  300.683 ms  291.059 ms
18  * * *
19  * * *
20  92-55-195-149.net.hawetelekom.pl (92.55.195.149)  293.195 ms  293.211 ms  292.000 ms
21  SDC-N003RTP01.net.hawetelekom.pl (77.242.225.94)  306.441 ms  335.056 ms  307.694 ms
22  n16h14.sprintdatacenter.net (46.29.16.14)  270.130 ms  285.611 ms  272.831 ms
23  * * *
24  195.22.126.213 (195.22.126.213)  317.531 ms  340.528 ms  364.764 ms

That landing site is in Poland:

[kousu@galleon ~]$ geoiplookup 46.29.16.14
GeoIP Country Edition: PL, Poland
GeoIP Organization Edition: Sprint Data Center Sprint S.A.
[kousu@galleon ~]$ geoiplookup 195.22.126.213
GeoIP Country Edition: PL, Poland
GeoIP Organization Edition: EuroNet s.c. Henryk Kuc, Jacek Majak

Now, ooni mentions that Greece is doing DNS hijacking to block gambling sites: https://ooni.torproject.org/post/eeep-greek-censorship/ but this doesn't look at all like government censorship, because of the out-of-country spam sites. It looks like a spammer, or like someone *trying to look* like a spammer. Hm. Very mysterious.

-Nick Guenther
4B Stats/CS
University of Waterloo

On Wed, 09 Dec 2015 00:57:44 +0100 Jurre van Bergen <[email protected]> wrote:
Hi,

I don't see the same thing happening, nor can I resolve that IP via the dns lookup for otr.cypherpunks.ca. Must be something weird on your network; might be interesting to run ooni.torproject.org and see what is going on.

On 12/08/2015 11:54 PM, Dionysis Zindros wrote:
> Hello,
>
> The OTR homepage at http://otr.cypherpunks.ca/ seems to be
> man-in-the-middled in certain networks. I have checked through
> various different networks with various results.
>
>
> Do you have ideas as to what could be happening?
>
> Thank you,
> Dionysis Zindros.
_______________________________________________ OTR-dev mailing list [email protected] http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
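The thread asks for a script that tests the DNS hijacking thoroughly. The following is an added example, not code from the otr-dev list or from any of its posters; it uses a hand-built DNS query over UDP from the Python standard library instead of scapy, so it needs no extra packages. It sends the same A query for otr.cypherpunks.ca to several resolvers and reports any resolver whose answer set differs from the majority, which is the signature of a network-local hijack like the one described above. The resolver list, the 192.0.2.10 address used as the "real" answer in the sample data, and the 300-second TTL are assumptions; 195.22.126.213 is the landing-page address from the thread. Replace "isp" with the resolver your network hands out (the one in /etc/resolv.conf) to reproduce the observation.

```python
"""Compare A-record answers across resolvers to detect DNS hijacking.

Added example (not from the otr-dev thread). Uses a hand-rolled DNS query
over UDP from the standard library rather than scapy.
"""
import os
import socket
import struct
from collections import Counter

# Constructed resolver list. Add your ISP's resolver under a label such as
# "isp" to compare it against public resolvers.
RESOLVERS = {"google": "8.8.8.8", "quad9": "9.9.9.9", "cloudflare": "1.1.1.1"}
NAMES = ["otr.cypherpunks.ca"]


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid):
    """Standard recursive A query: 12-byte header + one question (QTYPE=A, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(name, txid, ips, ttl=300):
    """Construct a response the way a resolver would. Used here only to make
    sample data for offline testing; a real run parses what the wire returns."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += length + 1


def parse_answer(data, txid):
    """Return the IPv4 addresses in the answer section.
    Raises ValueError on a transaction-id mismatch or a non-zero RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips


def query(resolver, name, timeout=2.0):
    """Send one A query to `resolver` and return the answer IPs (needs network)."""
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_answer(data, txid)


def disagreements(results):
    """Given {resolver: set_of_ips}, return the resolvers whose answer set
    differs from the most common one. A lone dissenter is the hijack signature;
    an empty dict means every resolver agreed. (If every set is distinct, the
    first one seen counts as the majority and the rest are reported.)"""
    majority, _ = Counter(frozenset(v) for v in results.values()).most_common(1)[0]
    return {r: ips for r, ips in results.items() if frozenset(ips) != majority}


def check(name, resolvers=RESOLVERS):
    """Query every resolver for `name` and report those that disagree."""
    results = {}
    for label, addr in resolvers.items():
        try:
            results[label] = set(query(addr, name))
        except (socket.timeout, ValueError, OSError) as exc:
            results[label] = {"ERROR: %s" % exc}
    return disagreements(results)


if __name__ == "__main__":
    for host in NAMES:
        print(host, check(host) or "all resolvers agree")
```

Add the other names that looked unaffected to NAMES to see whether only otr.cypherpunks.ca is being rewritten. A hijack at the network's resolver shows up as that one resolver returning a different address; a hijack done by rewriting packets in transit shows up as every resolver disagreeing with what the same query returns from another network, so run the script from both Bell and Wind and compare.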
