HP3000-L Archives

September 2003, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Dave Oksner <[log in to unmask]>
Reply To: Dave Oksner <[log in to unmask]>
Date: Mon, 22 Sep 2003 13:40:45 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (29 lines)

On Mon, Sep 22, 2003 at 01:32:35PM -0700, Emerson, Tom wrote:
> In a semi-related thread on another list [thankfully, not replicated to a newsgroup so far as I know] someone mentioned a two-part "co-conspirator" to the problem: verisign.
>
> It seems that Verisign, the holders and maintainers of a large part of the domain name registry, made an arbitrary (it seems) decision to break a fundamental part of the DNS as a whole: instead of returning a "failure" status for bogus domains, they now return a LEGITIMATE IP address for anything "not resolved".  For web traffic, this will direct you to their sign up page so you can register said domain [that you most likely mistyped anyway]; for all other traffic, such as SMTP edit checks against the SOURCE of the message, it will likely go to a black hole...
>
> Now, for those that haven't made the connection as to why this is a "bad thing", consider my last comment there: SMTP edit checks.  Yes, one part of the "war on spam/UCE"  **WAS** to verify that the domain of the sender is in some way "legitimate".  This is because many spammers & worms simply "make up" a domain to make the message appear "legitimate" to the end user [security.microsoft.org, for example...]  When the top-level DNS resolve returns "no such address", many SMTP programs simply drop the message right there [and I'm told this cuts 50% of the spam in its tracks].  Now that ANYTHING in ".com" resolves to an IP, well...

Though ICANN has asked Verisign to "knock it off," there is a fairly workable
temporary solution: tell your caching DNS server to ignore any responses
with a set of IP addresses (at the moment, that set has but one address).

The newest version of BIND apparently has this capability, as does a patch
for djb's DNS server (which I have already installed on my network).
Aside from the obvious countermeasure of Verisign adding several new IPs
to be returned for wildcards, can anyone see any problems associated with
this?

Dave

--
+-------------David Oksner-----http://www.case.net/-------------+
|LAWS OF COMPUTER PROGRAMMING:                                  |
|VII. Program complexity grows until it exceeds the capabilities|
|     of the programmer who must maintain it.                   |
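The resolver-side filter Dave describes, as an added example that is not part of the original message or of any resolver's real code: answers containing a configured wildcard address are treated as "no such domain", so the SMTP sender-domain check regains its meaning. The wildcard address, the upstream answer table and the domain names are constructed for the example; the real wildcard set is whatever your resolver operator confirms, and (as the message notes) it may grow.

```python
from typing import Dict, List, Set

# Constructed placeholder for the registry's wildcard/sign-up address.
WILDCARD_IPS: Set[str] = {"198.51.100.10"}

# Constructed stand-in for what a caching resolver gets from upstream.
# An empty list means upstream answered NXDOMAIN.
UPSTREAM: Dict[str, List[str]] = {
    "example.com": ["192.0.2.25"],            # a real, delegated domain
    "nosuchhost.example.org": [],             # a TLD that still says NXDOMAIN
    "no-such-sender-zzz.com": ["198.51.100.10"],  # ".com" wildcard answer
}


def filter_wildcard(answers: List[str], blocked: Set[str] = WILDCARD_IPS) -> List[str]:
    """Ignore any response that carries a wildcard address.

    The whole answer is discarded (treated as NXDOMAIN) rather than
    edited, matching "ignore any responses with a set of IP addresses".
    """
    if any(ip in blocked for ip in answers):
        return []
    return list(answers)


def resolve(name: str, upstream: Dict[str, List[str]] = UPSTREAM) -> List[str]:
    """Look up a name through the constructed upstream, applying the filter."""
    return filter_wildcard(upstream.get(name.lower().rstrip("."), []))


def sender_domain_exists(address: str) -> bool:
    """The SMTP 'edit check' from the thread: does the sender's domain resolve?"""
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1]
    return bool(resolve(domain))


if __name__ == "__main__":
    for addr in ("bob@example.com", "spam@no-such-sender-zzz.com"):
        print(addr, "->", "accept" if sender_domain_exists(addr) else "reject")
```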