Over the months some people have claimed that their nameservers were used to ban them, or that in fact their nameservers were blacklisted by Google. I always stated that this wasn't the case, and no one ever presented any evidence to the contrary. Over the past few days I have done some pretty extensive research which I would like to present here. I have a long history in networking, DNS, etc., so I like to look at things from that perspective: find an engineering reason behind a problem. That's what I hope to show here.

1) Nameserver bannings, fact or fiction?

Fiction. First of all this is a VERY inefficient way to ban domains because you don't have to use your own nameservers when setting up a domain. I can use godaddy's for example and blend in with 10,000 other domains. It simply doesn't make sense and there is no evidence anywhere to support it.

So then, what IS the cause of mass bans?

Simple, it's whois info. Not whois info like your name and address. That's too easy to fake, and guess what, private whois doesn't help you here at all. I never used private whois info, and given my research, it doesn't matter anyway because once again it is highly inefficient to use that info to find and/or ban domains.

So what part of whois info comes into play? The only part that can't be faked easily, of course: the reverse DNS lookup information. Let's explain this so that everyone can understand.

When you have a domain on a server you set up DNS entries that tell the world where that domain resides. Someone tries to connect to mydomain.com and a nameserver says "hey look, mydomain.com points to 127.0.0.1". This process also works in reverse though. Checking 127.0.0.1 shows all domains on that IP. This is done with PTR or pointer records. This is mainly used to help prevent e-mail spam. If a server sees a message coming from microsoft.com at 127.0.0.1 it can check the reverse DNS and see if the IP resolves back to microsoft.com. If it doesn't, the address is spoofed and the mail is returned.
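The mail-side check described above is usually called forward-confirmed reverse DNS (FCrDNS): a PTR lookup maps the connecting IP to a hostname, the receiver then resolves that hostname forward again, and the connection only passes if the original IP comes back. The following is an added example, not code from the original post; the IP addresses and hostnames are constructed from the RFC 5737 documentation ranges and example.com/example.org, and the `SAMPLE_PTR`/`SAMPLE_A` tables stand in for a real resolver so it runs offline (the `live_*` functions use the system resolver and are only there to show how the same check runs against real DNS).

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, as used by mail receivers.

Added example, not part of the original post. All addresses and hostnames
below are constructed test data (RFC 5737 ranges, example.com/.org).
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed reverse (PTR) data: IP -> hostname.
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "mail.example.com",  # forward and reverse agree
    "192.0.2.20": "mail.example.org",  # PTR exists, but forward points elsewhere
}
# Constructed forward (A) data: hostname -> list of IPs.
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
    "mail.example.org": ["198.51.100.5"],
}


def table_ptr(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table."""
    return SAMPLE_PTR.get(ip)


def table_a(host: str) -> List[str]:
    """Forward lookup against the constructed table."""
    return SAMPLE_A.get(host, [])


def live_ptr(ip: str) -> Optional[str]:
    """PTR lookup with the system resolver (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(host: str) -> List[str]:
    """Forward lookup with the system resolver (needs network access)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def fcrdns_check(
    ip: str,
    claimed_domain: Optional[str] = None,
    ptr_lookup: Callable[[str], Optional[str]] = table_ptr,
    a_lookup: Callable[[str], List[str]] = table_a,
) -> Tuple[str, str]:
    """Return (verdict, reason) for a connecting IP.

    verdict is "pass"     if PTR -> hostname -> A leads back to ip
               "fail"     if there is no PTR or the forward lookup disagrees
               "mismatch" if confirmed, but the hostname is not under the
                          domain the sender claims (e.g. HELO/MAIL FROM).
    """
    host = ptr_lookup(ip)
    if host is None:
        return "fail", f"{ip} has no PTR record"
    host = host.rstrip(".").lower()

    forward = a_lookup(host)
    if ip not in forward:
        got = ", ".join(forward) if forward else "nothing"
        return "fail", f"PTR {host} does not resolve back to {ip} (got {got})"

    if claimed_domain is not None:
        dom = claimed_domain.lower().strip(".")
        if host != dom and not host.endswith("." + dom):
            return "mismatch", f"{ip} is {host}, not under claimed domain {dom}"

    return "pass", f"{ip} <-> {host} forward-confirmed"


if __name__ == "__main__":
    # Walk the constructed cases; swap in live_ptr/live_a to query real DNS.
    for ip, claim in [("192.0.2.10", "example.com"), ("192.0.2.10", "microsoft.com"),
                      ("192.0.2.20", None), ("203.0.113.7", None)]:
        print(ip, claim, fcrdns_check(ip, claim))
```

Note that a PTR record maps one address to a hostname (usually a single one), which is why the forward confirmation step is needed: anyone who controls the reverse zone for an IP can put any name in the PTR, but they cannot make that name's forward A record point at their IP unless they also control the name's forward zone.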

So how did I come to this conclusion? Well, a few members stated that they had hits in their stats from surveybot user agents followed by Google, then no more traffic. I decided to test this theory. I went to whois.sc, typed in one of my domains, then checked my stats. Sure enough, I had a hit from surveybot as expected, but a second hit also showed up at the same time from mediapartners.google.com from the SAME IP address. Doing a reverse DNS lookup on this IP address shows that it does NOT belong to Google. This is pretty concrete evidence that Google has partnered with whois.sc to compare this data though.

So how do we prevent this?

The first step is to block them from viewing your pages. This is easy enough. Simply stick all of their IPs in the forbidden IP list, but this doesn't solve the problem. This simply gives them a 403 when trying to access the page information. So we need to take things a step further. This is where your firewall comes into play. Insert the IP address into your apf firewall host deny list, then restart the firewall. As long as we keep the IP list up to date, they shouldn't be able to whois new domains.

Remember that this will only help new domains though. whois.sc caches information after doing an initial lookup, so any domains put up prior to these steps will still show up, as will your server info. New domains should not show up, though, thus helping them stay under the radar and helping prevent mass bans. This of course doesn't rule out individual bans or hand reviews, but it helps out nonetheless.

Can we do better?

Possibly. The next step would be to spoof PTR records, or modify the info so a domain doesn't point back to the IP address it came from. For this one I need some help from some DNS gurus though. I know one guy that may be able to do it, but I need to talk to him. If anyone here is a DNS guru please step forward.

I have one last observation that may spark interest. I've had some subdomains up for about 4 months now and none of them have been banned. Why is this? Well, it seems I may have stumbled onto something.

I actually have the domains and subdomains on two different servers. Let's say I have domain.com installed on server 1 with a nice blog on it. I have subdomain.domain.com on server 2 though, along with ssec. When you do a reverse DNS lookup it pulls the info from domain.com and not subdomain.domain.com. Why is that important? Well, this means they only see domain.com and not the 200 subdomains I have created and placed spam pages on. Further, they aren't even looking at the right server. They are looking at my apparently white hat server with no spam on it instead of server 2 with thousands of spam pages. This means they can't use whois data to find my network of spam pages; they instead would have to do a hand review or similar.

Black Hat Cloaker