Resolving Everything: VeriSign Adds Wildcards

DragonHawk writes "As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now results in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising." Read on below for some more information.

"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)

This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.

Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.

VeriSign has published white papers about their implementation and also made some recommendations."

wonder of wonders

[wherley (42799)]

what are the chances - using the [verisign.com]
search page that comes up at the
verisign site to search for "register" we find at the top of the
list a link to networksolutions.com (a verisign company). we also
note that searching for the same word at google [google.com]
does not result in that site being present in at least the first four pages of results.

yeah - thats a real useful search tool verisign has there - thanks so much.

Re:wonder of wonders

[by Anonymous Coward]

It is not that bad. At least if you enter "Verisign sucks big donkey balls", two of the three first results are from Slashdot.

Re:wonder of wonders

[bobthemonkey13 (215219)]

More fun with sitefinder.verisign.com [verisign.com]

Hmm, cross-site scripting. Seems harmless enough, but I wonder if VeriSign stores anything important in the verisign.com cookie...

Re:wonder of wonders

[mosch (204)]

Actually, the verisign search seems to be pretty good. A search for FUCK VERISIGN [verisign.com] returns a slashdot article about verisign sending out deceptive domain renewal mail as the second result.

Complain to ICANN *NOW*

[Teflon (32988)]

In order to get this rather unwelcome act of Verisign's reversed, EVERYONE should contact ICANN immediately.

comments@icann.org

Re:Complain to ICANN *NOW*

[tuba_dude (584287)]

If ICANN was still there for the good of the internet, yeah, that should work. Otherwise, you should only bother complaining if you're a CEO.

Complain to Verisign as well

[trafik (707566)]

They don't seem to have an e-mail address for the category of "Subversion of the global DNS," so pick one of the following e-mail addresses and use it to CC your complaint to Verisign:

authenticode-support@verisign.com,
billing@veri sign.com,
channel-partners@verisign.com,
clientp ki@verisign.com,
consultingsolutions@verisign.com ,
dbms-support@verisign.com,
dcpolicy@verisign.c om
digitalbranding@verisign.com,
dnssales@verisi gn.com,
enterprise-pkisupport@verisign.com,
ente rprise-sslsupport@verisign.com,
info@verisign-grs .com,
internetsales@verisign.com,
IR@verisign.co m,
jobs@verisign.com,
mss@verisign.com,
objects igning-support@verisign.com,
paymentsales@verisig n.com,
practices@verisign.com,
premiersupport@ne tworksolutions.com,
press@verisign.com,
privacy@ networksolutions.com,
renewal@verisign.com,
supp ort@verisign.com,
verisales@verisign.com,
vps-su pport@verisign.com,
vts-csrgroup@verisign.com,
v ts-mktginfo@verisign.com,
webhelp@verisign.com,
websitesales@verisign.com,
websitesupport@verisig n.com

Re:Complain to ICANN *NOW*

[trainsnpep (608418)]

Well, regardless of whether it will work, I tried:

Verisign has continually been abusing the power that has been handed out to them. Two such examples are its mailing of false renewal notices, and its most recent exploit: sitefinder.verisign.com. Now, nearly all mistyped names will be sent to Verisign where they can do whatever they like to the unwitting user. There are even categories on sitefinder.verisign.com where one can browse and go to sites which are undoubtedly paying Verisign for the space.

Please take this, and the hundreds or thousands of e-mails you will receive, into consideration, and exercise the power that ICANN has. Verisign has continually been abusing and tricking people through deceptive business practices, and this should be the last straw. Verisign should not only be removed from it's post, but it should also be fined for its numerous escapades designed to make money.

Sincerely,
Michael B****

I've got to wonder: where do they come up with such evil ideas? Verisign must have a beowulf cluster of insensitive clods...

Re:wonder of wonders

[gantzm (212617)]

Speaking of search engines. What would happen if a significant number of web sites put links on every page to a poison page. This poison page would generate 10,000 random links of the form "www.verisignblows948950948393903848585.com", with the number obviously being random. How long would it take for all the search engines and web crawlers to hit this and have a serious impact on verisigns servers?

Now, I'm not suggesting anybody do this, I'm just asking the question.

Re:wonder of wonders

[pbox (146337)]

You at least have an option of turning off this "helpful" page in IE. No such feature from NSI.

Re:wonder of wonders

[StewedSquirrel (574170)]

Sure you do, if you have a REAL router (or a DSL router even) you should be able to null-route that IP. Or actually, you might even be able to convince your ISP to do it with a short, friendly letter to the admin.

Stewey

Contact ICANN comments@icann.org

[Teflon (32988)]

If you want this "feature" of verisign's turned off (I know I sure do), contact ICANN now. This is yet another example of Verisign having far too much unchecked power over the .COM and .NET registries.

Already discussed on the ICANN/GNSO mailing list

[next_permutation (627092)]

This is discussed on the ICANN/GNSO mailing list [icann.org]. A vote saying

gTLD Registry operators WILL return NXDOMAIN for ALL DNS queries for which there is not a REGISTERED domain name.

has been suggested. Sure seems like a good idea to me.

joy

[digitalsushi (137809)]

this should make troubleshooting dns records as a netadmin much more fun with all those glorious false positives... guess that means i'll have to learn how to spell finally!

network operators are pissed at this

[mdouglas (139166)]

expect that ip to get null routed by the backbone carriers real fast.

Re:network operators are pissed at this

[Wateshay (122749)]

I wonder how long it will be before Verisign decides to sue the backbone carriers for some kind of unfair business practice crap.

Re:network operators are pissed at this

[Alien Being (18488)]

That would leave browsers waiting to timeout. ICMP-Rejects wouldn't be much better.

We'll need to hack the resolver libraries and/or DNS servers to translate 64.94.110.11 into "no such domain". Verisign will add some more numbers, and soon we'll have blacklists.

Shorting Microsoft (prepare for battle)

[StewedSquirrel (574170)]

Doesn't this this short-circuit Microsoft's attempt to capture ad revinue from all mis-typed domains through their Internet Explorer?

I always thought that a revolting misuse of monopoly power and I use Mozilla exclusively now (that was one of the primary reasons I switched, tho not the only one).

Prepare for Microsoft to be EXTREMELY UPSET. MSN's search count will be cut in 1/4 by this move too.

Watch for it.

Stewey

Re:Shorting Microsoft (prepare for battle)

[wkcole (644783)]

The IE rediect to the MSN search mess is configurable: you can turn it off AND turn off the stupid useless 'all errors are one thing' error page and make IE actually give you something useful, at least with IE 5.5 and 6.

HOWEVER, you can bet that MS and AOL and everyone else who does something interesting and useful with HTTP queries that look for bad domain names (like some ISP's that have proxies for users and some companies that have proxies for employers) will be pissed off. Different people like to do different things with their NXDOMAIN responses, and Verisign has just made sure that a lot of those responses never happen and that only Verisign gets to choose what the user sees instead.

There essentially are no more unregistered .(com|net) domains. Verisign has just in effect registered all unregistered domains in those TLD's and pointed them at their own little cash-spinner.

What?

[Lord_Dweomer (648696)]

So let me get this straight.....If I own http://www.hardtospelldomain.com, and someone mispells it, Verisign now has the opportunity to offer up the highest bidders site for redirects? Even potential competitors? Perhaps I'm missing something here, but wouldn't this open them to all kinds of lawsuits from companies that were affected in that way?

Verisign would look nice in gasoline and flame

[netmask (8001)]

This is really sad.

Not only will mail have problems, as the "non-existent domain" check will always fail.. but this is completely criminal it seems.

I hate to mention, but they are giving Microsoft a dose of their own medicine.. taking away their ability to bring you to their 'search' page for non-existent domains.. and AOL's own feature similar to that. It hurts google, since Verisign teamed with yahoo on this one for search services (Although, google provides yahoos search functionality for now).

All .com domains are resolving with an authoratitive section of Verisign's server.. and .net's with the list of root servers. It would seem that no domain should ever resolve with either of those as an authority.. The real dns server for the domain should. Hopefully BIND and other DNS packages will start blocking domains that have a root server or a verisign server as the authoratitive dns server.

Further.. they'll be harvesting bounced email addresses for sure. If you get spammed from a bunk domain, and it gets returned.. or you typo and email address.. they are nice enough to run a mail daemon on port 25 to harvest those addresses. It lets you helo, from, rcpt, and data.. and then closes your connection.. just long enough to snag all the info it wants from you.

This entire thing is a mess, and seems like it should be highly illegal. Hopefully OpenSRS and GoDaddy and others will have a fit over it. This just seems completely wrong.

Re:Verisign would look nice in gasoline and flame

[Asgard (60200)]

In the absense of a MX record for a given domain, the MTA will attempt to go to the A-record for the domain.

DDOS in the making

[digitalsushi (137809)]

think about it.. your dns server caches the entries it gets back, but now we can make scripts that check sequentially all the way up! crash your ISPs name servers, or crash a root server for the prize! remember kids, take down 2/3 + 1 of the root servers and it's not running on spec anymore!

Now let's see

[psyconaut (228947)]

Porn companies aren't allowed to run sites with slightly mispelled names because it's considered unfair practice, but a 'registrar' is allowed to catch anything that might come their way?

-psy

Agreement by typo.

[Lux (49200)]

This is hillarious!! They have a TOS!

By making a typo, you supposedly agree that if their site overflows a buffer in your browser and wipes your HD, they are not liable.

Okay, terrible example for many reasons, but I still think it's pretty laughable that they claim that the "user" agrees to certain terms of service by "utilizing" this little piece of indirection.

-Lux

Re:Agreement by typo.

[JayBlalock (635935)]

That's not hillarious, that's maddening beyond my ability to properly express. Especially, #10 - Sole Remedy: "YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED WITH ANY OF THE MATERIALS, RESULTS OR OTHER CONTENTS OF THE VERISIGN SERVICES OR WITH THESE TERMS AND CONDITIONS, OUR PRIVACY STATEMENT, OR OTHER POLICIES, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE." If you don't like what Verisign is doing, get off the Internet. This could well inspire even our current Administration to smack them down. This is the most hubris-laden abuse of a monopoly I've heard of in a long time.

wahts the porelbm?

[yali (209015)]

For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake...

What do you mean, "by msiatke [slashdot.org]"?

patches?

[Pathwalker (103)]

I wonder how long it will be before there are patches for BIND/dnscache/etc. to remap any result containing 64.94.110.11 to a "record not found" result?

Mail trap

[piyamaradus (447473)]

This also traps all mail sent TO a non-existent domain. Since all RFC-compliant mail servers will follow up a negative MX response with an A lookup and connect to that IP, if you send mail to a bogus domain, it goes to verisign's server, which (currently) bounces it. Imagine the fun the federal government can have subpoena'ing those logs.

Also, you'll note the cookies that 'sitefinder' sends out, so they can uniquely track any traffic to that site. Also a fun subpoena opportunity. And did you read the fun terms of service that they claim you agree to by 'choosing to visit' their site?

I doubt this will stand. I certainly know that, as a major ISP executive, we'll be reviewing our business with Verisign.

30% chance of failure

[MavEtJu (241979)]

With DNS tracer [mavetju.org], you can see how much damage they do:

[~] edwin@k7>dnstracer -s . -o blaat.burps.ploeps.thisdomaindoesnotexistabcdef.co m
Tracing to blaat.burps.ploeps.thisdomaindoesnotexistabcdef.co m via A.ROOT-SERVERS.NET, timeout 15 seconds
A.ROOT-SERVERS.NET [.] (198.41.0.4)
|\___ M.GTLD-SERVERS.NET [com] (192.55.83.30)
|\___ E.GTLD-SERVERS.NET [com] (192.12.94.30)
|\___ K.GTLD-SERVERS.NET [com] (192.52.178.30)
|\___ J.GTLD-SERVERS.NET [com] (192.48.79.30)
|\___ F.GTLD-SERVERS.NET [com] (192.35.51.30)
|\___ L.GTLD-SERVERS.NET [com] (192.41.162.30)
|\___ D.GTLD-SERVERS.NET [com] (192.31.80.30) Got authoritative answer
|\___ B.GTLD-SERVERS.NET [com] (192.33.14.30) Got authoritative answer
|\___ I.GTLD-SERVERS.NET [com] (192.43.172.30)
|\___ C.GTLD-SERVERS.NET [com] (192.26.92.30) Got authoritative answer
|\___ H.GTLD-SERVERS.NET [com] (192.54.112.30)
|\___ G.GTLD-SERVERS.NET [com] (192.42.93.30)
\___ A.GTLD-SERVERS.NET [com] (192.5.6.30) Got authoritative answer


Personal opinion: stupid idiots who wrongly mix political goals with technical capabilities. Just because we can doesn't mean we should.

This is what happens Larry...

[MrPerfekt (414248)]

when you fuck an RFC in the ass. *baseball bat on car headlight*

Send your queries to the GTLD servers direct

[DragonHawk (21256)]

Okay, everybody and their brother is trying to resolve "bogusdomainname.com" or whatever and finding they get a NXDOMAIN error (as they should). There are a lot of possible reasons for this, which I will simply handwave as "caching".

To see the real thing in action, query an authoritative nameserver directly. For example:


$ host www.bogusdomainname.com
Host www.bogusdomainname.com not found: 3(NXDOMAIN)
$ host www.bogusdomainname.com a.gtld-servers.net
Using domain server:
Name: a.gtld-servers.net
Address: 192.5.6.30#53
Aliases:

www.bogusdomainname.com has address 64.94.110.11
$


The first query uses the default resolver on my system, which is a local named which in turn forwards to my ISP's resolvers, which do who knows what. The second query says to ask a.gtld-servers.net, which causes the host utility to send the query directly to one of the authoritative nameservers for the GTLDs (Global Top Level Domains, as opposed to country-specific domains like .us). Then I see the current authoritative response.

They at least gave us warning

[jdc180 (125863)]

This isn't something new, they told us it was coming. [slashdot.org] What a crock of shit. I think this shows that there needs to be some sort of accountability in this business.

Who is going to be the first to hack it?

[Istealmymusic (573079)]

Starting nmap 3.28 ( www.insecure.org/nmap/ ) at 2003-09-15 06:36 PDT
Host sitefinder.verisign.com (12.158.80.10) appears to be up ... good.
Initiating SYN Stealth Scan against sitefinder.verisign.com (12.158.80.10) at 06
:36
Adding open port 80/tcp
The SYN Stealth Scan took 94 seconds to scan 1643 ports.
Warning: OS detection will be MUCH less reliable because we did not find at lea
st 1 open and 1 closed TCP port
For OSScan assuming that port 80 is open and port 36304 is closed and neither ar
e firewalled
For OSScan assuming that port 80 is open and port 43206 is closed and neither ar
e firewalled
For OSScan assuming that port 80 is open and port 44655 is closed and neither ar
e firewalled
Interesting ports on sitefinder.verisign.com (12.158.80.10):
(The 1642 ports scanned but not shown below are in state: filtered)
Port State Service
80/tcp open http
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=3.28%P=i386-portbld-freebsd5 .1%D=9/15%Time=3F65C0E9%O=80%C=-1)
TSeq(Class=TR% IPID=Z%TS=U)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags= AS%Ops=MNNTNW)
T1(Resp=Y%DF=Y%W=16D0%ACK=S++%Flag s=AS%Ops=MNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16D0%A CK=S++%Flags=AS%Ops=MNW)
T4(Resp=Y%DF=Y%W=0%ACK=O %Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: 673A4C36 652AB817 BBE534C3 685BB54A
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 137.552 seconds

Oh common, the workaround is so obvious...

[TyrranzzX (617713)]

Simply block all traffic to 64.94.110.11 and give verisign your hate mail as well. It'll still return the error message whenever that address is found, so even if it is hosted, it's as good as not registered.

This a stupid stupid stupid move by them, Akin to shooting themselves in the foot with a 45 caliber pistol; it's going to anger a lot of people in the IT industry.

Make sure you let Scott and Matt know ....

[jea6 (117959)]

You may want to let Scott Hollenbeck (shollenbeck@verisign.com [mailto]) and Matt Larson (mlarson@verisign.com [mailto]) from VeriSign's Naming and Directory Services know what you think of their Best Practices [verisign.com].

And while you are at it, you may consider a friendly note for W.G. Champion Mitchell (wmitchell@verisign.com) [mailto], President, NetSol and Stratton Sclavos (ssclavos@verisign.com) [mailto], Chairman and CEO, VeriSign.

Terms of Use

[creidieki (110659)]

So let me get this straight. A site I didn't ask to go to has a Terms of Use which says that my sole remedy is to discontinue use of "The Verisign Services".

So, by mistyping a domain name, I've entered into a legal agreement with Verisign? And the only way to get out of it is to not use the internet?

The only address on the page is their legal department's postal address, at

VeriSign, Inc.
Attention: Legal Department
21355 Ridgetop Circle
Dulles, VA 20166

I guess I'll be sending them a nice letter. As soon as I figure out what legal recourse I actually have.

Misplaced root of trust?

[LostCluster (625375)]

Is it just me, or is Verisign now absuing the trust of the Internet community, which is a very strange thing for a company that wants to be a root of trust when it comes to issuing SSL certs?

E-mail

[jdunlevy (187745)]

Just to see what would happen, I just tried sending an e-mail to <testuser@slashdoct.com>. Would they bounce the message? If so what would the error message look like? If they didn't bounce it, would they just keep it? Read it? Inquring minds want to know!

Well it bounced:

The original message was received at Mon, 15 Sep 2003 21:06:55 -0500 (CDT)
from [myhost.mydomain] [xxx.xxx.xxx.xxx]

----- The following addresses had permanent fatal errors -----
<testuser@slashdoct.com>
(reason: 550 User domain does not exist.)

----- Transcript of session follows -----
... while talking to slashdoct.com.:
>>> RCPT To:<testuser@slashdoct.com>
<<< 550 User domain does not exist.
550 5.1.1 <testuser@slashdoct.com>... User unknown

Reporting-MTA: dns; [myhost.mydomain]
Received-From-MTA: DNS; [myhost.mydomain]
Arrival-Date: Mon, 15 Sep 2003 21:06:55 -0500 (CDT)

Final-Recipient: RFC822; testuser@slashdoct.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; slashdoct.com
Diagnostic-Code: SMTP; 550 User domain does not exist.
Last-Attempt-Date: Mon, 15 Sep 2003 21:06:56 -0500 (CDT)

And: >telnet www.slashdoct.com 25
Trying 64.94.110.11...
Connected to www.slashdoct.com.
Escape character is '^]'.
220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
quit
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
>

Snubby Mail Rejector???

An open letter of complaint

[DDumitru (692803)]

To: icann@icann.org, iana@iana.org, nstld@verisign-grs.com,
rcc@verisign.com, hostmaster@nsiregistry.net, ir@verisign.com,
dcpolicy@verisign.com
Subject: Complaint about Versign abuse of DNS root zones

A Letter of Complaint about actions undertaken by Verisign Incorporated
on or about 9/13/03.

Sent to the Internet Corporation of Assigned Names and Numbers and the
Internet Assigned Number Authority.

Doug Dumitru
xxxxx xxxxxx xxxx Road
xxxxxx xxxxxx, CA 9xxxx
949 xxx-xxxx

Dear sirs,

As you are probably aware, Verisign is redirecting unregistered
2nd-level domains in the .com and .net TLDs to a Verisign owned search
engine. They are using a technique known as DNS wildcarding to
accomplish this.

I firmly believe that this is clearly an abuse of the DNS system, that
it violates the technical requirements for domain lookups, that the
results returned are fraudulent, and that this technical action only
benefits Verisign at the expense of the rest of the internet population.

I respectfully request that IANA and ICANN immediately take action
against Verisign demanding that Verisign cease this fraudulent and
damaging behaviour. Should Verisign refuse, I would recommend that IANA
and/or ICANN (and/or the US government) take immediate action to revoke
Verisign's contract to administer the .com and .net TLDs.

I would also recommend that IANA and/or ICANN immediately pass "best
practice" rules that prevent other TLDs and country-code domains from
following in Verisign's deceptive footsteps. It is important that a
"domain not found" error not be subverted into an advertising opportunity.

Sincerely,
Doug Dumitru

Violation of ICANN Policy

[wsloand (176072)]

It seems that they have effectively violated the ICANN Domain Name Dispute Policy [icann.org]: "circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration". They're definitely doing this to sell domains.

Bill

Re:Abusing the Power that be

[ScrewMaster (602015)]

Verisign has forgotten that they don't own the Internet: they were granted the power to run the root servers and manage primary DNS by the federal government. That government-granted monopoly is revocable. This is a risky maneuver, as it will have global implications. They will probably get their wrists slapped.

There is no Internet

[DragonHawk (21256)]

(Pre-emptive strike: Insert Matrix-spoon reference here.)

I feel it is worthwhile to post a more general response to this point as well.

There is this myth that "the Internet" exists as a single, cohesive network. It does not, and never has. "The Internet" is a network of networks. What that means is that a bunch of independent network operators have agreed to exchange traffic with each other because it benefits them. When you dial in to your ISP of choice (or plug in your Ethernet cable or whatever), you're not connecting to the Internet. You're connecting to your ISP. Your ISP probably connects to their ISP. Their ISP (if you're lucky) connects to several other ISPs, who connect to other ISPs, and so on. All these independent network operators form "the Internet". So, "the Internet" exists as an abstract concept (and a useful one), but not as something you can touch. Not even as something you can route traffic through. All you can do is connect to some other guy's network and hope for the best.

The reason this is important is because we are already seeing ISPs implementing countermeasures against this VeriSign move. Some are null-routing that IP address at layer two; others are using DNS tricks to give us the old behavior. If enough ISPs do this, VeriSign's move will be largely ineffective. In effect, ISPs as a community can veto VeriSign or anyone else. It only works if most of them agree and take action, of course, and it remains to be seen if they will do that. And, of course, some of these countermeasures may themselves be easily defeated, leading to an arms race (like the spammer vs anti-spam arms race).

The possible consequences of all this are, shall we say, interesting.

(BTW, I don't disagree with the OP's suggested course of action, nor with the principle behind it. I'm just pointing out that things are, as usual, more complicated then they might appear.)

Re:This is a bitch

[pavon (30274)]

I vote that we concider anything from 64.94.110.11 to be spam. That should take care of the problem for spam filters.

Re:This is a bitch

[SSpade (549608)]

Those spam-catching tools work by doing a reverse-dns lookup of the IP address that is trying to send the mail. This is different than doing a "forward"-dns lookup.

Not so.

A common spam filtering method is to check the envelope sender to see if the domain exists. Any mail that is sent with a faked envelope sender to which bounces can't be sent is spam.

That means querying for either an MX record or A record for that domain, and bouncing all the spam that doesn't have either. Now, thanks to verisign, all spam sent with forged envelope senders in .com or .net wil go straight through this spam filter, increasing the amount of spam in many peoples mailboxes.

Yes, in theory you could look for the magic A record returned, but to do so is something of an operational nightmare, and impossible to do with most current MTAs.

Re:How can we undo this?

[by Anonymous Coward]

Anyone have any information on whom to contact to put an end to this absurdity?

I think you mean Commander Taco. Or were you talking about that dns thing?

Re:How Long...

[dnoyeb (547705)]

This happened to my mother just yesterday. She calls me complaining about "my computer has a virus!" I countered that their was no way her computer could know. This went on for a while..

My mother is visually impared. She was trying to go to www.biblegateway.com, but she went to www.gatewaybible.com. sacreligious scum.

It's hard for her to find the stupid MODAL popup windows when she is using a screen magnifier and the whole screen is not even showing...

A DNS error would have been MUCH nicer. She would not have even called me costing my employer productivity. Currently I know somebody is wasting money on those parked domains. This verisign situation is just sad.

Re:I think Verisign now owes...

[signe (64498)]

VeriSign *is* InterNIC.

Network Solutions "bought" InterNIC way back when. VeriSign bought Network Solutions. Now Network Solutions sells domains as a registrar, and VeriSign (VeriSign Naming and Directory Services, specifically) is the registry. Every registrar, including Network Solutions, pays VNDS $6 per year per domain. VNDS doesn't pay anyone anything.

It's VNDS that is doing the wildcard entry.

-Todd

Re:Strike Back with Poor Typing

[Electrum (94638)]

Even better, you can send mails with 10MB attachements to people you don't know at random internet addresses ending with .com, they'll love it...

Wrong. Their SMTP server rejects all DATA commands with a 550:

$ nc 64.94.110.11 25
220 snubby1-wceast Snubby Mail Rejector Daemon v1.3 ready
MAIL FROM: <>
250 OK
RCPT TO: <anyone@example.com>
250 OK
DATA
550 User domain does not exist.

Re:What about Google?

[Asgard (60200)]

Fortunately there is a robots.txt hosted on that server:

User-agent: *
Disallow: /