This is an email I’m circulating on a few mailing lists, tracking down a weird problem I ran into today. If anyone knows more, please comment.
I’m doing some routine maintenance on our mail server and tracking back IP addresses with a database that queries various WHOIS servers. To my surprise, the .mil whois server at whois.nic.mil is offline — the domain itself doesn’t resolve any longer.
I spoke to the very nice customer support representative at the phone number I found on the web, who told me the following:
1) he wasn’t sure if this service was *ever* public. Which I find interesting, as it’s a coded flag in the whois man page.
2) he said I should refer all IPs I need to review directly to DoD CERT.
3) he said that he received many calls like this, and it’s “always” people spoofing the IP addresses of .mil computers. I mentioned that since I’m tracking spam flow, it’s likely to be someone with a legitimate .mil address and a compromised computer. He referred me again to CERT.
Anyway, this struck me as *very* odd, and I feel like I’m showing up in the middle of the story. Anyone know more about this?