nanog mailing list archives
Re: VeriSign's rapid DNS updates in .com/.net
From: "william(at)elan.net" <william () elan net>
Date: Thu, 22 Jul 2004 19:14:08 -0700 (PDT)
On Fri, 23 Jul 2004, Richard Cox wrote:
> The key here is not registration but change. Currently, while spammers and other malfeasants have the ability to send out through compromised proxies and zombied PCs, there is little that can be done to identify them until they require a response, and then the return path provides some traceability via the IP addresses used, at least for nameservers. One of the latest spammer exploits involves relying on compromised PCs for hosting of websites and DNS: which, coupled with the ability to update the root DNS in close-to-real-time, means that the entire hosting operation including nameservers can be based on compromised boxes, often with an encrypted/obfuscated link back to the real point of control, and that is significantly harder to track. This becomes of rather greater significance if the hosting is for a phishing site.
That is one of the main reasons why I don't like that Verisign has removed the ability to find data on how the list of nameservers for a domain and, more so, the IP address of a nameserver might have been changed. The only thing we can see is what whois shows (=bulk zone data), which is just a one-time-per-day snapshot, while a spammer may have changed the IP address of a nameserver many times during the day to point to different zombie PCs. I hope Matt can get through to the correct people and deltas will be available for those already doing bulk zone downloads.
> The demand for extra domains serves the registrars' business model well. When a contact address is proved to be bogus, and at the end of 15 days the domain complained of is in consequence shut down, it does not seem to occur to most registrars that the other (say) six hundred - perhaps thousands of domains - that were registered by the same person with the identical contact details, must also have bogus contact details and so should be automatically shut down. No, an individual complaint seems to be needed in each case, which means that the malfeasants are given 15 days from the first appearance of EACH domain during which the entire domain is, as it were, bulletproof.
It seems that by these policies registries are actively helping out spammers while claiming to be a neutral party. But in reality they know full well who the registrant of the domain is and that they are deliberately breaking ICANN rules, but they do not close their account and allow them to register more domains with false data. This "neutral party" excuse also leads to most domain registries refusing spam complaints; again, they know exactly who it is that registers these domains and can definitely see they are spammers, but they will not do anything about it because spammers are good customers who register lots of domains. This situation is not helping in trying to stop this epidemic.

--
William Leibzon
Elan Networks
william () elan net