The hoster who hosts my bitcoin node just forwarded the following email they received from noreply@certsi.es:
Dear Team,
CERTSI has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet.
As you are probably aware, Fast Flux botnets are built upon a network of compromised machines in order to provide better reliability to their evil deeds.
We can only infer that the detected domains are indeed fast flux domains from the DNS resolution. However, finding its IP address belonging to a fast flux domain is a strong indicator that a given host is compromised (or has been in the past, sometimes the evildoer fails to promptly remove the ip from the fast flux domain).
We recommend you enquire with the customer whether he recognizes the domain as one they own/provide a service to. In case he doesn't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.
At the bottom of this email you can find the information, concerning the hosts under your constituency that have been gathered since our last notification, as well as attached for your convenience.
The file is formatted as follows:
[Timestamp] [IP] [Domain] [Country] [AS]
**Timestamp format is dd/mm/yyyy hh:mm:ss UTC**
As this information is collected from public services, you can share it with other involved entities (like ISPs, CERTs or other companies).
We hope this information regarding the security of your customers/clients is useful to you. In case of further questions, or if you need any help on this issue, please feel free to contact us at .
You can contact us if you detect any fraudulent activity under a .es domain or related with Spanish resources, and we would try to help you to solve it.
Thank you.
Best Regards,
1- https://en.wikipedia.org/wiki/Fast_flux
2015-07-21 16:30:29, <my node IP>, seed.bitcoin.sipa.be, DE, 24940, HETZNER-AS Hetzner Online AG
(I replaced my node's IP address with "<my node IP>")
So I'm guessing they falsely identified seed.bitcoin.sipa.be as a fast-flux domain used to run a botnet?
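For anyone triaging a notice like the one quoted above, here is an added example (not part of the original post and not CERTSI's tooling) that parses the report rows and separates names the operator already knows to rotate their A records from rows that need a real look. The allowlist, the function names and the second sample row are assumptions; the redacted IP is replaced with an RFC 5737 documentation address.

```python
import csv
from datetime import datetime, timezone

# Assumption: names the operator already knows to return rotating A records
# (e.g. DNS seeders). Only the domain from the post is listed here.
KNOWN_ROTATING = {"seed.bitcoin.sipa.be"}

# The notice documents dd/mm/yyyy, but the row in the post uses yyyy-mm-dd,
# so both layouts are accepted.
TS_FORMATS = ("%Y-%m-%d %H:%M:%S", "%d/%m/%Y %H:%M:%S")


def parse_timestamp(text):
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_row(line):
    """Split one comma-separated report row into its documented fields."""
    fields = next(csv.reader([line], skipinitialspace=True))
    if len(fields) < 5:
        raise ValueError(f"expected at least 5 fields, got {len(fields)}")
    ts, ip, domain, country, asn = fields[:5]
    return {
        "timestamp": parse_timestamp(ts),
        "ip": ip,
        "domain": domain.rstrip(".").lower(),
        "country": country,
        "asn": int(asn),
        "as_name": ", ".join(fields[5:]),  # AS name trails the AS number
    }


def triage(row):
    """Return 'known-rotating' for allowlisted names, else 'investigate'."""
    return "known-rotating" if row["domain"] in KNOWN_ROTATING else "investigate"


# Constructed sample: the row from the post with a documentation IP in place
# of the redacted address, plus a made-up row in the documented date layout.
SAMPLE = [
    "2015-07-21 16:30:29, 192.0.2.10, seed.bitcoin.sipa.be, DE, 24940, HETZNER-AS Hetzner Online AG",
    "21/07/2015 16:31:02, 192.0.2.11, flux.example.net, DE, 24940, HETZNER-AS Hetzner Online AG",
]

if __name__ == "__main__":
    for line in SAMPLE:
        row = parse_row(line)
        print(row["timestamp"].isoformat(), row["ip"], row["domain"], triage(row))
```

An "investigate" result only means the name is not on the local allowlist; it still has to be checked against what the host actually serves.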