nanog mailing list archives

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)


From: Steven Champeon <schampeo () hesketh com>
Date: Wed, 12 Jan 2005 13:58:13 -0500


on Wed, Jan 12, 2005 at 01:49:53PM +0000, Eric Brunner-Williams in Portland Maine wrote:

> > Why would it matter if you deactivated an unpublished/non-resolving domain?

> How do "you deactivate an unpublished/non-resolving domain"? You may borrow
> a registrar or registry hat if that is useful to answer the question.

I suppose it depends on how you define 'unpublished'; and how you define
'non-resolving'.

A year and a half ago, I was subjected to a joe job by Brian Westby (the
bounces stopped the day after the FCC fined him), using several domains,
among them adultwebpasshosting.org. It had been registered, was in whois
with obviously forged data, resolved to an IP, and I reported it to
ICANN for having invalid whois data. It took them, as near as I can tell
(I was never notified of the action taken) at least a year to have it
removed from the root dbs.

I'd like to avoid going through that nonsense again.
 
> > If you care about the domain, keep the whois data up to date and accurate.

> That is the policy articulated by the trademarks "stakeholders" in the ICANN
> drama, but how does their policy, which is indifferent to any condition but
> stringspace allocation, relate to any infrastructure that has one or more
> additional constraints?

Please see my other message. Allowing domains with invalid whois data to
remain in use facilitates abuse in other realms.
 
> > > I'm not sure why anyone cares about a very large class of domains in the
> > > context of SMTP however.

> > For one thing, a very large class of domains are being used as
> > throwaways by spammers ...

> Do you know anything about the acquisition pattern at all, or if there is
> any useful characterization finer in scope than "all"?

One of the domains we host has been the victim of an ongoing joe job. The
sender forges an address in the domain for the SMTP "MAIL FROM:" and when
the message(s) bounce(s), we get the DSN(s). I've got bounce messages here
going back several months. In the past month (since Dec 1), I've seen (not
counting the tens of thousands of DSNs I've refused from idiot outscatter
hosts):

count  domain                 received      registered      diff
-----  ---------------------  ------------  --------------  ----
   13  kakegawasaki.com       Jan  6 2005   Dec 23 2004      14d
    7  oertlika.com           Jan  7 2005   no whois info    n/a
    6  mikejensen.info        Dec 30 2004   Dec  9 2004      21d
    5  kristinaficci.info     Jan  8 2005   Dec 22 2004      17d
    4  rhianjonesmuchos.com   Jan 10 2005   no whois info    n/a
    4  krauszolts.info        Jan  7 2005   Dec 22 2004      16d
    4  gregbryant.info        Dec 31 2004   Dec  9 2004      22d
    4  elitke.info            Dec  1 2004   Nov 28 2004       3d
    3  tlepolemosmilos.com    Jan  9 2004   no whois info    n/a
    3  latvianet.info         Dec 25 2004   Dec  3 2004      22d
    3  judsononly.info        Dec 30 2004   Dec 12 2004      18d
    2  tarumisalata.info      Dec 28 2004   Dec 12 2004      16d
    2  sawawer.net            Dec 13 2004   no whois info    n/a
    2  sakkama.info           Dec 15 2004   Dec  3 2004      12d
    2  purkyne.info           Dec  9 2004   Nov 28 2004      11d
    2  kazoplace.com          Dec 31 2004   no whois info    n/a
    2  katrianne.info         Dec  1 2004   Nov 28 2004       3d
    2  heinrichkayser.info    Dec 30 2004   Dec  9 2004      21d
    2  cavaradossi.net        Dec 23 2004   no whois info    n/a
    2  brangane.info          Jan  3 2005   Dec 18 2004      16d
    1  wurmhug.com            Jan  1 2005   no whois info    n/a
    1  ulissedinires.com      Dec 24 2004   Nov 11 2004      13d
    1  onlycomello.info       Dec 19 2004   Dec  3 2004      16d
    1  mysalpetriere.com      Dec 26 2004   Dec 23 2004       3d
    1  konstitutsiya.com      Dec 17 2004   Dec  3 2004      14d
    1  eugenisisplace.info    Dec 27 2004   Dec 12 2004      15d

Very few of these sightings span more than an 18-hour period between first
and last appearance in a bounce.

All those I've tested simply redirect to some porn site or other; for
a list from November, see below:

domain                          redirects to
------------------------------------------------------------------------
anneraughop.com         http://www.femalestars.com/RS/rsid-609603/
anneres.info            http://www.allinternal.com/40195119/index.html
armidais.net            http://coolsites1.com/sites/milfmunchers/index.html
barbarescoer.info       dead (afilias - not found)
brandtor.info           dead (afilias - not found)
byblis.info             http://coolsites1.com/sites/oldfartfuckin/main.html
caseylisser.info        http://www.allinternal.com/40195119/index.html
coudrasy.info           http://coolsites1.com/sites/partiesshocking/index.html
dinahner.net            dead (registersite - found, but no DNS)
dupontaop.net           http://mendvd.com/?wmid=franky
durdaes.net             http://coolsites1.com/sites/milfmunchers/index.html
flegelis.net            http://www.allinternal.com/40195119/index.html
jarrydlevine.info       http://www.femalestars.com/RS/rsid-609603/
jizeras.net             dead (NSI - not found)
jo-annner.com           http://www.allinternal.com/40195119/index.html
jozsef.info             http://coolsites1.com/sites/massivedickaction/index.php
kadlu.info              dead (yanked for spamming by GKG)
kazakq.info             http://www.allinternal.com/40195119/index.html
ladaxs.net              http://coolsites1.com/sites/asspussymouth/index.html
oiunskijner.net         http://www.allinternal.com/40195119/index.html
oizumiw.net             http://www.oldagefuckers.com/1e901999dbffa34452401ad02b55d569/
ortigaraner.info        http://coolsites1.com/sites/milfmunchers/index.html
rebekkaner.com          http://www.femalestars.com/RS/rsid-609603/
rosselia.net            dead (yanked for spamming by GKG)
shirleyse.info          http://coolsites1.com/sites/massivedickaction/index.php
swingsey.net            http://www.eyessprayedshut.com/99dfc7de9df4511de46761609f55b433/
zajtsev.info            http://coolsites1.com/sites/massivedickaction/index.php

All the same spammer. The redirecting domains resolve (where they
resolve at all) to:

61.128.198.187          Chinanet
218.30.21.63            Chinanet
219.153.0.230           Chinanet
222.51.98.194           China Railway Telecommunications

I may not be able to convince China not to host this dirtbag, but I should
think I'd be able to prevent a registrar from repeatedly registering new
domains to him using false whois information. As it stands I have one bad
experience with ICANN taking a year to yank the domains for a convicted
fraudster.

I'd be delighted if you have pointers to a paid whois reformatter, but
I still believe strongly that it should not be necessary.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html    join us!
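The per-domain tally in the post above (count, first sighting, registration date, lag) is the kind of thing a mail admin on the receiving end of a joe job ends up scripting. As an added example, and not code from the original post or from hesketh.com, the block below does that bookkeeping over a mailbox of DSNs: it parses each bounce as an RFC 3464 multipart/report, pulls the spamvertised hostnames out of the returned message/rfc822 part, counts distinct bounces per domain with first and last sighting, joins against a whois registration-date table to produce the "diff" column, and flags domains whose sightings fall inside the 18-hour window the post mentions. The DSNs, the .example domains and the registration dates are constructed test data, and the REGISTERED dict stands in for a real whois lookup.

```python
"""Aggregate joe-job backscatter by the spamvertised domains in returned mail.

Added example for this thread, not code from the original post.  All messages,
domains (.example) and registration dates below are constructed.
"""
from __future__ import annotations

import email
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from email import policy
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Capture the host part of any http(s) URL in the returned message body.
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def make_dsn(date: str, orig_body: str) -> str:
    """Build a minimal RFC 3464 bounce (multipart/report) that carries the
    original spam back as a message/rfc822 part.  Constructed test data."""
    return (
        "From: MAILER-DAEMON@mx.remote.example\n"
        "To: forged-user@victim.example\n"          # the forged MAIL FROM
        f"Date: {date}\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
        "\n--B1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "\n--B1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.remote.example\n\n"
        "Final-Recipient: rfc822; nobody@mx.remote.example\n"
        "Action: failed\nStatus: 5.1.1\n"
        "\n--B1\nContent-Type: message/rfc822\n\n"
        "From: forged-user@victim.example\nTo: nobody@mx.remote.example\n"
        "Subject: new site\nContent-Type: text/plain\n\n"
        f"{orig_body}\n\n--B1--\n"
    )


# Constructed sample mailbox: three bounces, two of them for the same throwaway.
SAMPLE_DSNS = [
    make_dsn("Thu, 06 Jan 2005 10:12:00 -0500",
             "Check it out: http://throwaway-one.example/enter.html"),
    make_dsn("Thu, 06 Jan 2005 15:40:00 -0500",
             "Again: http://throwaway-one.example/enter.html and "
             "http://www.throwaway-one.example/x"),
    make_dsn("Thu, 30 Dec 2004 09:00:00 -0500",
             "See http://throwaway-two.example/index.html"),
]

# Constructed stand-in for a whois lookup; None means "no whois info".
REGISTERED: Dict[str, Optional[datetime]] = {
    "throwaway-one.example": datetime(2004, 12, 23),
    "throwaway-two.example": None,
}


@dataclass
class Sighting:
    count: int
    first: datetime
    last: datetime


def spamvertised_domains(dsn_text: str) -> tuple[datetime, set[str]]:
    """Return (bounce date, distinct hostnames advertised in the returned mail)."""
    msg = email.message_from_string(dsn_text, policy=policy.default)
    received = parsedate_to_datetime(str(msg["Date"]))
    hosts: set[str] = set()
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        for original in part.get_payload():      # the returned spam itself
            for sub in original.walk():
                if sub.get_content_type() == "text/plain":
                    for host in URL_HOST_RE.findall(sub.get_content()):
                        host = host.lower()
                        hosts.add(host[4:] if host.startswith("www.") else host)
    return received, hosts


def aggregate(dsns: List[str]) -> Dict[str, Sighting]:
    """Count each bounce once per distinct domain, tracking first/last sighting."""
    seen: Dict[str, Sighting] = {}
    for text in dsns:
        received, hosts = spamvertised_domains(text)
        for host in hosts:
            s = seen.get(host)
            if s is None:
                seen[host] = Sighting(1, received, received)
            else:
                s.count += 1
                s.first = min(s.first, received)
                s.last = max(s.last, received)
    return seen


def report(dsns: List[str], registered: Dict[str, Optional[datetime]],
           burst: timedelta = timedelta(hours=18)) -> List[dict]:
    """Rows like the post's table: count, first seen, registration lag in days
    (None when whois is missing), and whether all sightings fit in `burst`."""
    rows = []
    for host, s in aggregate(dsns).items():
        reg = registered.get(host)
        rows.append({
            "domain": host,
            "count": s.count,
            "first": s.first,
            "whois": reg is not None,
            "lag_days": (s.first.date() - reg.date()).days if reg else None,
            "burst": (s.last - s.first) <= burst,
        })
    rows.sort(key=lambda r: (-r["count"], r["domain"]))
    return rows


if __name__ == "__main__":
    for r in report(SAMPLE_DSNS, REGISTERED):
        lag = f"{r['lag_days']}d" if r["lag_days"] is not None else "n/a"
        print(f"{r['count']:5d}  {r['domain']:<24} {r['first']:%b %e %Y}  {lag:>4}"
              f"  {'burst' if r['burst'] else ''}")
```

Counting a bounce once per distinct domain (rather than once per URL) keeps a single spam with a repeated link from inflating the tally, and stripping a leading "www." folds the hostname variants the same spammer rotates through onto one registrable name. The "burst" flag is the observation from the post: a throwaway that shows up in bounces only inside an 18-hour window is a disposable domain, which is exactly the acquisition pattern a registrar could be asked to look for.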