Note to Verisign: Thank you thank you thank you!!!
I have been itching for a reason to block them ;-)
This actually does me a favor, my DNS lookups are now whizz-bang and I block
everything that resolves to that address. They did me a favor!
Regards,
Damon Sauer
-----Original Message-----
From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org] On Behalf Of Yakov Shafranovich
Sent: Tuesday, September 16, 2003 1:33 AM
Cc: Brad Knowles; IRTF ASRG
Subject: Re: [Asrg] 7. BCP - Verisign: All Your Misspelling Are Belong To Us
One more piece of info from this post
(http://gnso.icann.org/mailing-lists/archives/ga/msg00311.html):
-----snip------
"They get back no MX, but an A record, pointing to this farm. Most
mail servers will go ahead and try the A record, getting connection
refused. The mailer will keep retrying for several days, all the while
these backing up in the queue."
Suppose you're a corporation, and a customer or prospect mistypes the
domain in the email address. Instead of failing immediately, the mail
server will keep trying to deliver that mail potentially for a week,
before ultimately being deemed non-deliverable. The client will be
confused, thinking your mailserver is down, or that you're ignoring
them, or that you're a terrible company and should take your business
to a competitor who is more responsive (and they might miss the
"bounce" message a week later, caught by their spam filters perhaps,
whereas they would have noticed the bounce had it been immediate). Not
a great "user experience".
Many of those "spam traps" which contain bogus email addresses will
start taking 7 days to fail, instead of failing immediately. Some ISPs
better get larger hard disks and connectivity budgets....
-----snip------
Yakov Shafranovich wrote:
PLEASE BE ADVISED THAT VERISIGN IS OPERATING AN SMTP SERVER AT THAT
ADDRESS. The SMTP server appears fake, take a look at the following
transaction:
----snip---
open 64.94.110.11 25
220 snubby1-wceast Snubby Mail Rejector Daemon v1.3 ready
blahblahbla
250 OK
blahblahbla
250 OK
blahblabhjla
550 User domain does not exist.
blahblbjhbj
250 OK
blajbjbjb
221 snubby1-wceast Snubby Mail Rejector Daemon v1.3 closing transmission
channel
Connection to host lost.
----snip---
Brad Knowles wrote:
Folks,
This was just posted to the NANOG mailing list. There are already
people who are working on hacking BIND to return NXDOMAIN for wildcard
records in TLD zones, or perhaps for any reference to the specific IP
address(es) they are using (so far, we only know about 64.94.110.11).
Meanwhile, many are already null-routing this IP address.
This affects us, because now anyone can send spam with an address like
"i(_at_)spam(_dot_)from(_dot_)verisign(_dot_)becausethisdomaindoesntreallyexist(_dot_)net",
and yet still have that pass standard anti-spam checks like "Does this
domain really exist in the DNS"?
Another one for the service provider BCP, I think.
Anyway, the full message announcing this "enhancement" is:
Date: Mon, 15 Sep 2003 19:24:29 -0400
From: Matt Larson <mlarson(_at_)verisign(_dot_)com>
To: nanog(_at_)nanog(_dot_)org
Subject: Change to .com/.net behavior
Today VeriSign is adding a wildcard A record to the .com and .net
zones. The wildcard record in the .net zone was activated from
10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
being added now. We have prepared a white paper describing VeriSign's
wildcard implementation, which is available here:
http://www.verisign.com/resources/gd/sitefinder/implementation.pdf
By way of background, over the course of last year, VeriSign has been
engaged in various aspects of web navigation work and study. These
activities were prompted by analysis of the IAB's recommendations
regarding IDN navigation and discussions within the Council of
European National Top-Level Domain Registries (CENTR) prompted by DNS
wildcard testing in the .biz and .us top-level domains. Understanding
that some registries have already implemented wildcards and that
others may in the future, we believe that it would be helpful to have
a set of guidelines for registries and would like to make them
publicly available for that purpose. Accordingly, we drafted a white
paper describing guidelines for the use of DNS wildcards in top-level
domain zones. This document, which may be of interest to the NANOG
community, is available here:
http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf
Matt
--
Matt Larson <mlarson(_at_)verisign(_dot_)com>
VeriSign Naming and Directory Services
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
*****
"The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential, proprietary, and/or
privileged material. Any review, retransmission, dissemination or other use
of, or taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from all
computers."
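The two failure modes discussed in the thread, a mail server falling back from a missing MX to an A record that points at the wildcard sink, and a "does this sender domain exist" check that is satisfied by that same A record, can both be handled in one place: a resolver wrapper that treats answers consisting only of the known sink address as NXDOMAIN. The following is an added example written for this page and is not code from any of the posters or from VeriSign. It assumes a resolver callable of the form `resolver(name, rrtype)`; the zone data is constructed for offline use, and the only address in the sink set is the 64.94.110.11 reported in the thread.

```python
"""Sender-domain existence check that is not fooled by a TLD wildcard.

Added example, not from the mailing-list thread. The resolver interface and
the zone data below are constructed; only 64.94.110.11 comes from the thread.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Addresses to treat as "no such host". A real deployment would maintain this
# set from its own observations; the thread reports one address.
WILDCARD_SINKS = {ipaddress.ip_address("64.94.110.11")}


class NoSuchDomain(Exception):
    """Raised when a name should be treated as NXDOMAIN."""


# A resolver is any callable (name, rrtype) -> list of record strings. It
# returns an empty list for NODATA and raises NoSuchDomain for NXDOMAIN.
Resolver = Callable[[str, str], List[str]]

# Constructed zone data (not real DNS answers) covering the cases in the thread.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "MX"): ["10 mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("example.net", "MX"): [],            # no MX: implicit-MX rule applies
    ("example.net", "A"): ["192.0.2.20"],
    # A mistyped domain: the TLD wildcard answers with the sink address
    # instead of NXDOMAIN, and there is of course no MX.
    ("exmaple.com", "MX"): [],
    ("exmaple.com", "A"): ["64.94.110.11"],
    # A real domain whose MX target is itself mistyped and so wildcarded.
    ("broken-mx.com", "MX"): ["10 mial.broken-mx.com"],
    ("mial.broken-mx.com", "A"): ["64.94.110.11"],
}


def fake_resolver(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for a DNS resolver, backed by FAKE_ZONE."""
    owner = name.lower().rstrip(".")
    if not any(k[0] == owner for k in FAKE_ZONE):
        raise NoSuchDomain(name)   # what a wildcard-free TLD would return
    return FAKE_ZONE.get((owner, rrtype), [])


def wildcard_sunk(addresses: List[str]) -> bool:
    """True when the answer is non-empty and every address is a known sink."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    return bool(addrs) and all(a in WILDCARD_SINKS for a in addrs)


def mail_hosts(domain: str, resolver: Resolver = fake_resolver) -> List[Tuple[str, str]]:
    """Return (host, ip) delivery candidates for `domain`.

    Follows the usual MX-then-A fallback, but a target whose A records are
    only sink addresses is skipped, and a domain with no usable target is
    reported as NoSuchDomain rather than queued for a week of retries.
    """
    mx = resolver(domain, "MX")
    if mx:
        # lowest preference value first
        targets = [rr.split()[1] for rr in sorted(mx, key=lambda rr: int(rr.split()[0]))]
    else:
        targets = [domain]   # implicit MX: the domain's own A record
    found: List[Tuple[str, str]] = []
    for host in targets:
        try:
            addrs = resolver(host, "A")
        except NoSuchDomain:
            continue
        if wildcard_sunk(addrs):
            continue   # a rejector farm, not a mail host
        found.extend((host, a) for a in addrs)
    if not found:
        raise NoSuchDomain(domain)
    return found


def sender_domain_exists(domain: str, resolver: Resolver = fake_resolver) -> bool:
    """The 'does this domain really exist' anti-spam check, sink-aware."""
    try:
        mail_hosts(domain, resolver)
        return True
    except NoSuchDomain:
        return False


if __name__ == "__main__":
    for d in ("example.com", "example.net", "exmaple.com", "broken-mx.com", "nonexistent.org"):
        print(f"{d:16s} exists={sender_domain_exists(d)}")
```

To use this against live DNS, replace `fake_resolver` with a thin wrapper around a real resolver library that maps its NXDOMAIN exception to `NoSuchDomain` and its NODATA result to an empty list; the check logic does not change. Rejecting at lookup time, rather than after the SMTP connection is refused, is what keeps the mistyped-domain mail out of the retry queue the quoted post describes.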