Bill_MI (Royal Oak, MI), reply to Doctor Olds, Re: Nevermind... I see it now
AHA! Only Windows queries get occasional redirects!
I have to set my box to use ns2.mindspring.com and about 50% of nslookups for the SAME MALFORMED DOMAIN get the 209.86.66.9x addresses returned. Hmmm... at least I know I'm not nutso.
My usual BIND-NT server, even when using ns2.mindspring.com as a forwarder, refuses to show this even when trying random gibberish domains. Not sure this means anything, just a curiosity.
whfsdude (Washington, DC), reply to Bill_MI, Re: Nevermind... I see it now
said by Bill_MI: AHA! My usual BIND-NT server, even when using ns2.mindspring.com as a forwarder, refuses to show this even when trying random gibberish domains. Not sure this means anything, just a curiosity.
I think if you set your DNS timeout low it won't show. I know it doesn't show all the time in Safari because of that. However, in Camino (Firefox engine over cool Cocoa app interface goodness) it shows all the time. Unless you get so pissed off you change the DNS servers on your router.
Bill_MI (Royal Oak, MI)
Yes, timing seems to be everything and this almost looks like some kind of kludge in Earthlink's DNS. When the redirects respond it's always delayed slightly while a failure to find the domain is very quick.
I happen to be playing with VMWare running a Ubuntu appliance and nslookup must give up very quickly because I cannot get those IPs noway nohow. On my Win2K box it's easy but no 50% anymore... more like 10% does it get the redirected IPs.
EDIT: I run: nslookup fhyudsghedghdv.com 207.69.188.186 ...over and over and eventually get the 209.86.66.9x addresses in between several "Non-existent domain" responses.
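An added example, not code posted in this thread, of the test Bill_MI is running by hand with nslookup: it sends A queries for freshly generated gibberish names to a resolver and classifies each reply as an honest NXDOMAIN, a rewrite into the 209.86.66.90-95 range the thread observed, or something else. The resolver address, the redirect range and the long timeout come from the posts; the response builder used for offline testing is constructed here and is not real resolver output. Because it works on raw DNS wire format rather than on what a browser shows, it also illustrates why any program that does lookups, not just a browser, can receive the rewritten answer.

```python
# Probe a recursive resolver for NXDOMAIN rewriting: an honest resolver answers a
# name that does not exist with rcode 3 (NXDOMAIN); a rewriting one returns an A
# record for a search host instead (the thread saw 209.86.66.90-95).
import ipaddress
import random
import socket
import string
import struct

# Addresses the thread observed in place of NXDOMAIN (elydm.01-06.am.barefruit.com).
REDIRECT_IPS = {f"209.86.66.{last}" for last in range(90, 96)}

def random_name(tld="com", length=14):
    """A gibberish name nobody has registered, like fhyudsghedghdv.com in the thread."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length)) + "." + tld

def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid):
    """A/IN query, recursion desired, one question, no EDNS."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, rcode, ips=()):
    """Constructed response for offline testing; answer names use a compression
    pointer to offset 12 (the question name), as real servers do."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, len(ips), 0, 0)
    body = encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in ips:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(ip).packed
    return header + body

def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length

def parse_response(data):
    """Extract txid, rcode and every IPv4 address in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4   # skip qtype and qclass
    answers = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(str(ipaddress.ip_address(data[offset:offset + 4])))
        offset += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}

def classify(resp):
    """'nxdomain' is the honest result; 'redirect' means an address in the barefruit range."""
    if resp["rcode"] == 3:
        return "nxdomain"
    if any(ip in REDIRECT_IPS for ip in resp["answers"]):
        return "redirect"
    return "answer" if resp["answers"] else f"rcode{resp['rcode']}"

def probe(resolver, tries=20, timeout=5.0):
    """Query `resolver` over UDP for `tries` fresh gibberish names and tally the verdicts.
    The timeout is deliberately long: the thread notes rewritten answers arrive later
    than genuine NXDOMAINs, so an impatient client never sees them."""
    tally = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(tries):
            txid = random.randrange(0x10000)
            sock.sendto(build_query(random_name(), txid), (resolver, 53))
            try:
                resp = parse_response(sock.recvfrom(4096)[0])
                verdict = classify(resp) if resp["txid"] == txid else "wrong-txid"
            except socket.timeout:
                verdict = "timeout"
            except (struct.error, IndexError):
                verdict = "malformed"
            tally[verdict] = tally.get(verdict, 0) + 1
    return tally

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "207.69.188.186"))  # resolver from the thread
```

Run it against the resolver under suspicion and then against one you trust and compare the tallies. A single query, or a short client timeout, can miss the rewrite entirely, which is the behaviour the thread reports between Safari, Camino and the Ubuntu nslookup; the count over twenty tries is the number worth looking at.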
ChemDude2 (Redlands, CA), reply to whfsdude, Re: Oh No They Didn't!
Forget Earthlink! Use public DNS servers and never rely on them again.
Just my two cents.
about_blank
said by ChemDude2: Forget Earthlink! Use public DNS servers and never rely on them again.
I'm not sure how one uses a "public DNS server" - isn't the DNS server "provided" automatically? How does one select one's own DNS server? (Please pardon my ignorance on this matter.)
about_blank, reply to whfsdude
Here's a disturbing occurrence that I hope someone can shed some light on:
Last night, while booting my Win XP machine, I received a firewall pop-up notification (before I had logged on, no less) that some "system" process was trying to contact "elydm.03.am.barefruit.com [209.86.66.92]". I had never seen this notification before, so suspected spyware.
I denied permission, logged on, and immediately ran three scans of my hard drives: one with AVG Free anti-virus, one with Ad-Aware SE Personal, and one with Spyware Doctor (each having been updated to use their latest data files). Each scan came back negative.
Meanwhile, I noticed that my firewall (Kerio Personal) kept popping up a periodic warning that "system" was trying to contact the above mentioned "elydm.03.am.barefruit.com [209.86.66.92]", and each time I denied permission. Finally, I went into the "guts" of Kerio to investigate, and noted that the program sending the request was only identified as "system" - not too much help there. So, I went into Kerio's "Packet Filter..." screen and configured a blanket denial of access to the address mentioned, but set a notification to appear each time the denial was issued.
Then, I started googling for barefruit.com and 209.86.66.92, and came across some of the same information noted in earlier posts on this topic in this forum.
It is not clear to me what is happening, but I suspect that Earthlink (my ISP) has somehow configured my machine to "phone home" to barefruit.com - and from my Kerio pop-up settings, I can see that it is attempting to do so every 15 minutes, consistently. I am puzzled why this behavior has not been identified by Spyware Doctor, nor by Ad-Aware SE Personal, as spyware.
As I have used my firewall to block this outgoing communication, I cannot verify that Earthlink is using barefruit.com to redirect my "not found" pages to ones provided by barefruit.com - I still get my 'normal' browser 'not found' warning. (I use Netscape 7.2 for my browser.)
If anyone can provide some insight as to what is going on here - and hopefully, how to deactivate the program or process that is attempting to 'phone home' to barefruit.com, I would be most appreciative!
Bill_MI (Royal Oak, MI)
Remember what this is - returning barefruit.com instead of "non-existent domain" when an address is looked up.
In other words, anything checking for addresses could, potentially, get the barefruit.com address. Even Windows, AVG, AdAware and SpywareDoctor autoupdates or similar. Not that these things ask for bad names but any burp in their DNS providers and something like an AVG *could* be getting barefruit.com.
That's why this practice is so loathsome. 
BTW, from your earlier post, DNS servers can be set in any PC in the network settings. I don't use DHCP (getting settings automatically) but the source of these settings (like routers and modems) varies from configurable to can't-do-it. Finding good DNS servers is more the issue.
One thing for sure, DNS servers returning anything other than address failures are put on my sh*tlist so fast and their nature publicly condemned. I switched to no forwarding DNS servers for now (I run my own DNS). I'm delighted to see others feel the same.
ChemDude2 (Redlands, CA), reply to about_blank
Ok, if you want to change your DNS servers that your computer is using, it's very simple. Amazingly, Earthlink has how-to's for you to follow.
For Windows 2000 or XP »www.earthnet.net/support/tcpip_d···K-xp.htm
For Windows 95, 98, or ME »www.earthnet.net/support/tcpip_d···5-Me.htm
For Apple OSX »www.earthnet.net/support/tcpip_d···_osx.htm
For Apple OS 9 »www.earthnet.net/support/tcpip_d···_os9.htm
And finally, if you're using any form of Unix, Linux, or BSD you already know how to do this so I won't even say.
Good luck.
about_blank
Many thanks to ChemDude2 and to Bill in Michigan for your replies!
My issue with the outgoing request to elydm.03.am.barefruit.com [209.86.66.92] is unresolved. Earthlink suggests using their 'verify a website' box on their home page, and I was not surprised to find that no matter what variant of the above address I typed, their verification engine denied having anything to do with the web address in question. This may be so, I just don't know.
I've examined my GoBack logs for the past few days to see what changes might have triggered this annoyance, but have come up empty handed. I may just revert to a GoBack restore point prior to the annoyance, as my firewall pops up a warning every 15 minutes, like clockwork, that some process is seeking to contact barefruit.com. Not sure if it's related to the actual topic of this thread, but there are so few hits when I google 'barefruit.com' that it seemed appropriate to leave this info here. I won't belabor the point any more.
Thanks again for your help!
DrStrange (West Hartford, CT), reply to whfsdude
I'm watching the progress of this and just created a little redirect of my own. I stuck barefruit in my hosts file. When I get a minute, I'll blackhole their IP range in my firewall.
This will backfire on EL big-time.
Doctor Olds
said by DrStrange: I'm watching the progress of this and just created a little redirect of my own. I stuck barefruit in my hosts file. When I get a minute, I'll blackhole their IP range in my firewall. This will backfire on EL big-time.
209.86.66.90  elydm.01.am.barefruit.com
209.86.66.91  elydm.02.am.barefruit.com
209.86.66.92  elydm.03.am.barefruit.com
209.86.66.93  elydm.04.am.barefruit.com
209.86.66.94  elydm.05.am.barefruit.com
209.86.66.95  elydm.06.am.barefruit.com
Those IPs above are on EL IP space. quote:
IP block 209.86.66.90
Trying 209.86.66.90 at ARIN
Trying 209.86.66 at ARIN

OrgName:    EarthLink, Inc.
OrgID:      ERMS
Address:    1375 PEACHTREE ST, LEVEL A
City:       ATLANTA
StateProv:  GA
PostalCode: 30309
Country:    US

NetRange:   209.86.0.0 - 209.86.255.255
CIDR:       209.86.0.0/16
NetName:    EARTHLINK2000-E
NetHandle:  NET-209-86-0-0-1
Parent:     NET-209-0-0-0-0
NetType:    Direct Allocation
NameServer: ITCHY.MINDSPRING.NET
NameServer: SCRATCHY.MINDSPRING.NET
Comment:
RegDate:    2000-04-20
Updated:    2000-04-20
What about those?
-- What's the point of owning a supercar if you can't scare yourself stupid from time to time?
DrStrange (West Hartford, CT)
If anything redirects to barefruit by name, it's blocked now. When I get some time, I'll blackhole those six IPs as well. That should take care of that.
Doctor Olds, reply to about_blank
The best solution (until Earthlink stops this crap) is to set your Router DHCP server settings for these two IPs.
4.2.2.1 and 4.2.2.2
If you have a UHP Modem they go here in the setup.
»EarthLink DSL FAQ »How to Specify DNS Information in the EarthLink UHP ADSL Modem
In the newer P660R-ELNK it is on this page under "Advanced Setup" then select "LAN", type in the Primary and Secondary DNS servers (4.2.2.1 for Primary and 4.2.2.2 for Secondary) then click on Apply.
»/r0/download/1···etup.JPG
Other Routers and Router/Modems that have built in PPPoE should have similar fields.
To get your Pc[s] to use the new info, release and renew your IP address in your OS.
In XP/Win2K open a CMD box and type "ipconfig /release" then count to 10 then type in "ipconfig /renew"
In Win9x and WinME open a Command box and type "winipcfg /all" and a GUI will open up. In the Box select your Ethernet Adapter from the dropdown menu, then click the release button then count to 10, press the renew button to get fresh info from the Router.
Regards,
Doctor Olds
Bill_MI (Royal Oak, MI)
Covad DNS Servers
In case it helps anyone: »www.covad.com/onlinesupportcente···ns.shtml
I found Covad DNS to not be the best in Detroit and Chicago - maybe others aren't as bad. If you're on Covad, they are usually very close by. I tested several non-existent domains and see no sign of the Earthlink skulduggery.
Doctor Olds
How many hops are you from these?
4.2.2.1 and 4.2.2.2 ?

19:33:59 Sun 08-27-2006 C:\WINDOWS>tracert 4.2.2.1
Tracing route to vnsc-pri.sys.gtei.net [4.2.2.1] over a maximum of 30 hops:
  1     1 ms     1 ms     1 ms  192.168.254.254
  2    15 ms    14 ms    13 ms  172.31.255.251
  3    13 ms    12 ms    12 ms  192.168.1.57
  4    14 ms    13 ms    12 ms  ge-6-5.car2.Atlanta1.Level3.net [63.209.220.93]
  5    14 ms    12 ms    11 ms  ge-10-2.hsa1.Atlanta1.Level3.net [4.68.103.132]
  6    14 ms    13 ms    13 ms  vnsc-pri.sys.gtei.net [4.2.2.1]
Trace complete.

19:36:20 Sun 08-27-2006 C:\WINDOWS>tracert 4.2.2.2
Tracing route to vnsc-bak.sys.gtei.net [4.2.2.2] over a maximum of 30 hops:
  1     1 ms   <10 ms     1 ms  192.168.254.254
  2    14 ms    13 ms    14 ms  172.31.255.251
  3    14 ms    12 ms    11 ms  192.168.1.57
  4    13 ms    12 ms    13 ms  ge-6-5.car2.Atlanta1.Level3.net [63.209.220.93]
  5    14 ms    10 ms    12 ms  ge-11-1.hsa1.Atlanta1.Level3.net [4.68.103.100]
  6    15 ms    13 ms    13 ms  vnsc-bak.sys.gtei.net [4.2.2.2]
Trace complete.

Regards,
Doctor Olds
Bill_MI (Royal Oak, MI)
When I get a chance, I'll run DNSRU on each, it's been a while.
$ traceroute -I 4.2.2.1
traceroute to 4.2.2.1 (4.2.2.1), 30 hops max, 40 byte packets
 1  h-69-3-125-1.sfldmidn.dynamic.covad.net (69.3.125.1)  19.468 ms  18.758 ms  18.223 ms
 2  192.168.7.137 (192.168.7.137)  18.784 ms  17.186 ms  18.224 ms
 3  ge-5-1-133.hsa2.Detroit1.Level3.net (166.90.203.1)  19.169 ms  17.359 ms  16.907 ms
 4  so-0-3-0.mp1.Detroit1.Level3.net (4.68.97.217)  18.742 ms  18.039 ms  19.195 ms
 5  so-2-0-2.bbr2.Chicago1.Level3.net (64.159.0.194)  22.484 ms  ae-0-0.bbr1.Chicago1.Level3.net (64.159.1.33)  20.969 ms  23.312 ms
 6  ge-11-2.core1.Chicago1.Level3.net (4.68.101.164)  24.863 ms  ge-11-0.core1.Chicago1.Level3.net (4.68.101.36)  32.006 ms  ge-10-2.core1.Chicago1.Level3.net (4.68.101.132)  37.387 ms
 7  vnsc-pri.sys.gtei.net (4.2.2.1)  43.426 ms  35.718 ms  30.637 ms

$ traceroute -I 64.105.179.138
traceroute to 64.105.179.138 (64.105.179.138), 30 hops max, 40 byte packets
 1  h-69-3-125-1.sfldmidn.dynamic.covad.net (69.3.125.1)  17.606 ms  18.532 ms  18.720 ms
 2  192.168.7.137 (192.168.7.137)  19.612 ms  19.595 ms  20.453 ms
 3  h-64-105-179-138.sfldmidn.covad.net (64.105.179.138)  20.243 ms  17.518 ms  20.342 ms

You can see why Covad could be an ideal solution.
EDIT: Boy, tracert resolution sure sucks in Win2K, I switched to Linux - now the route changes show. Sheesh
about_blank, reply to DrStrange, Re: Oh No They Didn't!
said by DrStrange : If anything redirects to barefruit by name, it's blocked now. When I get some time, I'll blackhole those six IPs as well. That should take care of that.
I'm familiar with the hosts file, but am not sure exactly what effect entries have. For instance, if I put the following line in the hosts file:
209.86.66.90 elydm.01.am.barefruit.com
does that block any outgoing requests to 209.86.66.90? Or merely identify that outgoing request as "elydm.01.am.barefruit.com" in various log files, instead of using the 209.86.66.90 address?
If it blocks requests to 209.86.66.90, what advantage is there in using the hosts file, rather than my firewall, to block these requests?
I hope you can enlighten me - thanks in advance!
PS: I rolled back using GoBack, which eliminated the outgoing requests to 209.86.66.92, but within 24 hours, I've now got a request to 209.86.66.95! (I'm currently blocking that request with my firewall, but my machine is attempting to contact that site every 15 minutes like clockwork.)
DrStrange (West Hartford, CT)
You should have entered
'127.0.0.1 elydm.01.am.barefruit.com' into the hosts file. It redirects requests to elydm.01.am.barefruit.com to 127.0.0.1 [the localhost address].
209.86.66.90 is what goes into the firewall with the 'deny all' rule.
If you enter the actual IP address into the hosts file, it just means that requests for the associated domain go directly to that address instead of querying a DNS server first [that's how the hosts file was originally intended to be used].
about_blank
said by DrStrange: '127.0.0.1 elydm.01.am.barefruit.com' into the hosts file. It redirects requests to elydm.01.am.barefruit.com to 127.0.0.1 [the localhost address].
Thanks for the edification. I'm assuming that any direct request to an actual IP address (number) does not have to use the hosts file to look anything up. Since that is my situation, I'm filtering the outgoing requests using my firewall, which alerts me with a pop-up at each attempt.
I've noted that these attempts continue for a couple of hours, then stop. But the following day, an attempt is made to contact one of the other addresses for barefruit.com, which my firewall catches. I then add the new address to the firewall, set to pop-up a small box each time an attempt is made. Right now, I've added 209.86.66.90 through 209.86.66.95, corresponding to elydm.01.am.barefruit.com through elydm.06.am.barefruit.com, inclusive. (Just to get ahead of the game - So far, only elydm.01, 03, and 06 have been used, but I've added 02, 04 and 05.)
Thanks again!
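An added example, not from any poster, of the distinction DrStrange draws and about_blank then applies: a hosts-file entry changes what a name resolves to, while a firewall rule blocks an address regardless of how the client arrived at it, so a process that connects straight to 209.86.66.92 never touches the hosts file. The hosts-file text, the dictionary standing in for EarthLink's resolver, and the two-prefix deny list are constructed for this example; the six name/address pairs are the ones Doctor Olds listed.

```python
# Why a hosts-file entry and a firewall rule stop different things. A hosts entry
# only changes what a NAME resolves to; a connection made straight to an IP address
# never consults it, so that case needs the firewall's deny rule.
import ipaddress

# Constructed hosts file in the form DrStrange suggests (names pinned to loopback).
HOSTS_TEXT = """
127.0.0.1  localhost
127.0.0.1  elydm.01.am.barefruit.com
127.0.0.1  elydm.03.am.barefruit.com   # the two names seen so far
"""

# Constructed stand-in for EarthLink's resolver, returning the six addresses whois
# placed in its 209.86.0.0/16 block (elydm.01 -> .90 through elydm.06 -> .95).
FAKE_DNS = {f"elydm.0{n}.am.barefruit.com": f"209.86.66.{89 + n}" for n in range(1, 7)}

# Firewall deny list as two CIDR prefixes covering exactly 209.86.66.90-95.
DENY_NETS = [ipaddress.ip_network("209.86.66.90/31"), ipaddress.ip_network("209.86.66.92/30")]

def parse_hosts(text):
    """name (lower-cased) -> address; first entry for a name wins, '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), fields[0])
    return table

def resolve(target, hosts, dns):
    """Mimic the client's lookup order: literal address, then hosts file, then DNS.
    Returns (address or None, where it came from)."""
    try:
        return str(ipaddress.ip_address(target)), "literal"
    except ValueError:
        pass                                   # not an address literal, look the name up
    name = target.lower().rstrip(".")
    if name in hosts:
        return hosts[name], "hosts"
    return dns.get(name), "dns"

def firewall_allows(address, deny_nets):
    """True unless the address falls inside one of the denied prefixes."""
    addr = ipaddress.ip_address(address)
    return not any(addr in net for net in deny_nets)

def outcome(target, hosts=None, dns=FAKE_DNS, deny_nets=DENY_NETS):
    """Where a connection to `target` actually ends up, and whether the firewall lets it out."""
    hosts = parse_hosts(HOSTS_TEXT) if hosts is None else hosts
    address, source = resolve(target, hosts, dns)
    if address is None:
        return {"target": target, "address": None, "source": source, "allowed": False}
    return {"target": target, "address": address, "source": source,
            "allowed": firewall_allows(address, deny_nets)}

if __name__ == "__main__":
    for t in ["elydm.01.am.barefruit.com", "elydm.05.am.barefruit.com", "209.86.66.92", "nosuchhost.example"]:
        print(outcome(t))
```

The three interesting rows: a name that is in the hosts file lands on loopback and the firewall has nothing to block; a name that is not in the hosts file (elydm.05, which about_blank had not yet seen) resolves through the ISP to 209.86.66.94 and is caught only by the address rule; and a connection made directly to 209.86.66.92 skips resolution altogether, which is why the hosts file alone did nothing for the process Kerio kept reporting.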