Today I got a piece of spam carrying the URL chasovik.it.gg as its
payload. I was intrigued because I didn't think .gg was a valid TLD and
looked it up with 'whois'. Sure enough, no match was found. However,
'host' resolved it as 80.190.202.40 and a 'host' lookup on the IP
resolved to homepage-baukasten.de, which is known to 'whois'.

This is the first time I've seen this type of obfuscation. Has anybody
else seen it? If so, is it at all common, and how can it be set up apart
from using some form of DNS poisoning exploit?


Martin

