Resolving Everything: VeriSign Adds Wildcards 1291
"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)
This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.
Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.
VeriSign has published white papers about their implementation and also made some recommendations."
wonder of wonders (Score:5, Interesting)
search page that comes up at the
verisign site to search for "register" we find at the top of the
list a link to networksolutions.com (a verisign company). we also
note that searching for the same word at google [google.com]
does not result in that site being present in at least the first four pages of results.
yeah - thats a real useful search tool verisign has there - thanks so much.
Re:wonder of wonders (Score:5, Funny)
Re:wonder of wonders (Score:5, Interesting)
Hmm, cross-site scripting. Seems harmless enough, but I wonder if VeriSign stores anything important in the verisign.com cookie...
Re:wonder of wonders (Score:5, Funny)
http://www.veirsign.com [veirsign.com]
Looks like someone beat them at their own game.
Re:wonder of wonders (Score:5, Funny)
Complain to ICANN *NOW* (Score:5, Informative)
comments@icann.org
Re:Complain to ICANN *NOW* (Score:5, Insightful)
Complain to Verisign as well (Score:5, Interesting)
authenticode-support@verisign.com,
billing@ver
channel-partners@verisign.com,
client
consultingsolutions@verisign.co
dbms-support@verisign.com,
dcpolicy@verisign.
digitalbranding@verisign.com,
dnssales@veris
enterprise-pkisupport@verisign.com,
ent
info@verisign-gr
internetsales@verisign.com,
IR@verisign.c
jobs@verisign.com,
mss@verisign.com,
object
paymentsales@verisi
practices@verisign.com,
premiersupport@n
press@verisign.com,
privacy
renewal@verisign.com,
sup
verisales@verisign.com,
vps-s
vts-csrgroup@verisign.com,
webhelp@verisign.com,
websitesupport@verisi
Re:Complain to ICANN *NOW* (Score:5, Interesting)
Verisign has continually been abusing the power that has been handed out to them. Two such examples are its mailing of false renewal notices, and its most recent exploit: sitefinder.verisign.com. Now, nearly all mistyped names will be sent to Verisign where they can do whatever they like to the unwitting user. There are even categories on sitefinder.verisign.com where one can browse and go to sites which are undoubtedly paying Verisign for the space.
Please take this, and the hundreds or thousands of e-mails you will receive, into consideration, and exercise the power that ICANN has. Verisign has continually been abusing and tricking people through deceptive business practices, and this should be the last straw. Verisign should not only be removed from it's post, but it should also be fined for its numerous escapades designed to make money.
Sincerely,
Michael B****
I've got to wonder: where do they come up with such evil ideas? Verisign must have a beowulf cluster of insensitive clods...
Re:wonder of wonders (Score:5, Interesting)
Now, I'm not suggesting anybody do this, I'm just asking the question.
Re:wonder of wonders (Score:4, Informative)
First, Verisign put an exclude: / in their robots.txt.
Second, do you really think Google doesn't know how to handle wildcards by now? Think about it for a second. Even Slashdot has a wildcard - anything dot slashdot.org goes to the homepage. Does Google index Slashdot an infinite amount of times? Of course not. Why should it be different for anything dot com?
Re:wonder of wonders (Score:4, Insightful)
Re:wonder of wonders (Score:4, Informative)
And you can't ignore domains that resolve to identical addresses. Virtual web servers share the same address with different domain names. The web server uses the name to decide which set of web pages to serve up.
Re:wonder of wonders (Score:5, Informative)
Google caches IP info a good deal longer than is specified by TTL and such, and a lot of other fancy bandwidth reducing (but frustrating) tricks). Its known by people who pay a lot of attention to google, based on observations. Many people have good reason to pay attention to google - they make their living from the traffic they get from google.
Re:wonder of wonders (Score:5, Informative)
Re:wonder of wonders (Score:5, Informative)
Stewey
Contact ICANN comments@icann.org (Score:5, Insightful)
Already discussed on the ICANN/GNSO mailing list (Score:5, Informative)
Complaint Form ICANN (Score:5, Informative)
To quote from the site in question:
Although ICANN's limited technical mission does not include resolving individual customer-service complaints, ICANN does monitor such complaints to discern trends.
Let your voices be heard!
Complaint submitted - the text (Score:5, Informative)
Waste of time (Score:5, Informative)
How do you fix this problem? DON'T USE THE ICANN ROOT SERVERS. Easy as that.
Plug: OpenNIC (for ICANN users) [unrated.net] and OpenNIC (for OpenNIC (and its peers) users) [opennic.glue]
Re:Waste of time (Score:4, Informative)
Boycott Thawte (Verisign's SSL subsidiary) (Score:5, Interesting)
If you have SSL certificates from Thawte [thawte.com] (a subsidiary of Verisign), you can send them a message today.
Email your Thawte rep to explain why you or, better yet, your huge organization :) won't be renewing your certificates with Thawte.
You can tell them "it's a trust thing" (their own motto).
Re:Boycott Thawte (Verisign's SSL subsidiary) (Score:5, Insightful)
Superb idea, ajks. Have a cookie (or a certificate).
Here's a form-letter version of the email I'm about to shoot off to our rep, the delightful(!) Barbara:
We're a small company: but even in our case, [x] and [y] are are 10 and 3000 respectively. It won't take that many to make a sizeable hole in Thawte's pockets.
Re:Contact ICANN comments@icann.org (Score:5, Insightful)
No, this is receiving feedback from the affected administrators, engineers and other interested persons; said feedback hopefully leading ICANN to do the give Verisign a short, sharp lesson in "WHOA!".
You know, the job that they are supposed to be doing and all that kind of thing.
Re:Contact ICANN comments@icann.org (Score:5, Insightful)
ICANN is responsible for, among other things, ensuring that it's registrars perform their duties properly. If an issue such as this one crops up, and the
Face it - sometimes, being responsible for a little thing like the internet can be a bitch. Most of us do have to deal with inane crap as a part of our daily grind, although I admit that getting 20,000 emails suggesting I view a goatsex link in a single day would probably be unusual for me at least. But at least ICANN has said outright that they aren't going to read all of them
joy (Score:5, Insightful)
How Long... (Score:3, Insightful)
Re:How Long... (Score:5, Interesting)
My mother is visually impared. She was trying to go to www.biblegateway.com, but she went to www.gatewaybible.com. sacreligious scum.
It's hard for her to find the stupid MODAL popup windows when she is using a screen magnifier and the whole screen is not even showing...
A DNS error would have been MUCH nicer. She would not have even called me costing my employer productivity. Currently I know somebody is wasting money on those parked domains. This verisign situation is just sad.
Strike Back with Poor Typing (Score:4, Funny)
I oughta be able to bring em to their knees in a day or two.
Re:Strike Back with Poor Typing (Score:5, Informative)
Wrong. Their SMTP server rejects all DATA commands with a 550:
$ nc 64.94.110.11 25
220 snubby1-wceast Snubby Mail Rejector Daemon v1.3 ready
MAIL FROM: <>
250 OK
RCPT TO: <anyone@example.com>
250 OK
DATA
550 User domain does not exist.
network operators are pissed at this (Score:5, Interesting)
Re:network operators are pissed at this (Score:5, Insightful)
Re:network operators are pissed at this (Score:5, Insightful)
We'll need to hack the resolver libraries and/or DNS servers to translate 64.94.110.11 into "no such domain". Verisign will add some more numbers, and soon we'll have blacklists.
Shorting Microsoft (prepare for battle) (Score:5, Interesting)
I always thought that a revolting misuse of monopoly power and I use Mozilla exclusively now (that was one of the primary reasons I switched, tho not the only one).
Prepare for Microsoft to be EXTREMELY UPSET. MSN's search count will be cut in 1/4 by this move too.
Watch for it.
Stewey
MSN search hasn't changed. (Score:4, Informative)
'slashhhdot' - would bring up MSN's search.
'www.slashhhdot.com' - would bring a 404 (or now, Verisign's site-finder)
After this change by Verisign, MSN's search operates 100% the same. At least, on my IE6 SP1 with no customizations.
Re:Shorting Microsoft (prepare for battle) (Score:5, Interesting)
HOWEVER, you can bet that MS and AOL and everyone else who does something interesting and useful with HTTP queries that look for bad domain names (like some ISP's that have proxies for users and some companies that have proxies for employers) will be pissed off. Different people like to do different things with their NXDOMAIN responses, and Verisign has just made sure that a lot of those responses never happen and that only Verisign gets to choose what the user sees instead.
There essentially are no more unregistered
What? (Score:5, Insightful)
Verisign would look nice in gasoline and flame (Score:5, Insightful)
Not only will mail have problems, as the "non-existent domain" check will always fail.. but this is completely criminal it seems.
I hate to mention, but they are giving Microsoft a dose of their own medicine.. taking away their ability to bring you to their 'search' page for non-existent domains.. and AOL's own feature similar to that. It hurts google, since Verisign teamed with yahoo on this one for search services (Although, google provides yahoos search functionality for now).
All
Further.. they'll be harvesting bounced email addresses for sure. If you get spammed from a bunk domain, and it gets returned.. or you typo and email address.. they are nice enough to run a mail daemon on port 25 to harvest those addresses. It lets you helo, from, rcpt, and data.. and then closes your connection.. just long enough to snag all the info it wants from you.
This entire thing is a mess, and seems like it should be highly illegal. Hopefully OpenSRS and GoDaddy and others will have a fit over it. This just seems completely wrong.
Re:Verisign would look nice in gasoline and flame (Score:5, Informative)
DDOS in the making (Score:5, Insightful)
Now let's see (Score:5, Insightful)
-psy
Agreement by typo. (Score:5, Informative)
By making a typo, you supposedly agree that if their site overflows a buffer in your browser and wipes your HD, they are not liable.
Okay, terrible example for many reasons, but I still think it's pretty laughable that they claim that the "user" agrees to certain terms of service by "utilizing" this little piece of indirection.
-Lux
Re:Agreement by typo. (Score:5, Insightful)
wahts the porelbm? (Score:5, Funny)
For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake...
What do you mean, "by msiatke [slashdot.org]"?
patches? (Score:5, Interesting)
Preliminary BIND 8 patch (Score:5, Interesting)
Preliminary (as in, it seems to work for me) BIND 8 patch that I just cooked up available here [achurch.org].
done! (Score:4, Informative)
done: [icann.org] the patch is here [tinydns.org]
Mail trap (Score:5, Interesting)
Also, you'll note the cookies that 'sitefinder' sends out, so they can uniquely track any traffic to that site. Also a fun subpoena opportunity. And did you read the fun terms of service that they claim you agree to by 'choosing to visit' their site?
I doubt this will stand. I certainly know that, as a major ISP executive, we'll be reviewing our business with Verisign.
Re:Mail trap (Score:4, Funny)
Everybody wins!
30% chance of failure (Score:5, Informative)
[~] edwin@k7>dnstracer -s . -o blaat.burps.ploeps.thisdomaindoesnotexistabcdef.c
Tracing to blaat.burps.ploeps.thisdomaindoesnotexistabcdef.c
A.ROOT-SERVERS.NET [.] (198.41.0.4)
|\___ M.GTLD-SERVERS.NET [com] (192.55.83.30)
|\___ E.GTLD-SERVERS.NET [com] (192.12.94.30)
|\___ K.GTLD-SERVERS.NET [com] (192.52.178.30)
|\___ J.GTLD-SERVERS.NET [com] (192.48.79.30)
|\___ F.GTLD-SERVERS.NET [com] (192.35.51.30)
|\___ L.GTLD-SERVERS.NET [com] (192.41.162.30)
|\___ D.GTLD-SERVERS.NET [com] (192.31.80.30) Got authoritative answer
|\___ B.GTLD-SERVERS.NET [com] (192.33.14.30) Got authoritative answer
|\___ I.GTLD-SERVERS.NET [com] (192.43.172.30)
|\___ C.GTLD-SERVERS.NET [com] (192.26.92.30) Got authoritative answer
|\___ H.GTLD-SERVERS.NET [com] (192.54.112.30)
|\___ G.GTLD-SERVERS.NET [com] (192.42.93.30)
\___ A.GTLD-SERVERS.NET [com] (192.5.6.30) Got authoritative answer
Personal opinion: stupid idiots who wrongly mix political goals with technical capabilities. Just because we can doesn't mean we should.
This is what happens Larry... (Score:5, Funny)
Send your queries to the GTLD servers direct (Score:5, Informative)
To see the real thing in action, query an authoritative nameserver directly. For example:
$ host www.bogusdomainname.com
Host www.bogusdomainname.com not found: 3(NXDOMAIN)
$ host www.bogusdomainname.com a.gtld-servers.net
Using domain server:
Name: a.gtld-servers.net
Address: 192.5.6.30#53
Aliases:
www.bogusdomainname.com has address 64.94.110.11
$
The first query uses the default resolver on my system, which is a local named which in turn forwards to my ISP's resolvers, which do who knows what. The second query says to ask a.gtld-servers.net, which causes the host utility to send the query directly to one of the authoritative nameservers for the GTLDs (Global Top Level Domains, as opposed to country-specific domains like
They at least gave us warning (Score:5, Informative)
What about Google? (Score:4, Insightful)
I hope they get sued by every mail filter vendor, registrar, and search engine that they just damaged with this. And the government needs to review the powers they are granting to name-server providers.
Re:What about Google? (Score:5, Insightful)
User-agent: *
Disallow:
Who is going to be the first to hack it? (Score:5, Interesting)
Host sitefinder.verisign.com (12.158.80.10) appears to be up
Initiating SYN Stealth Scan against sitefinder.verisign.com (12.158.80.10) at 06
:36
Adding open port 80/tcp
The SYN Stealth Scan took 94 seconds to scan 1643 ports.
Warning: OS detection will be MUCH less reliable because we did not find at lea
st 1 open and 1 closed TCP port
For OSScan assuming that port 80 is open and port 36304 is closed and neither ar
e firewalled
For OSScan assuming that port 80 is open and port 43206 is closed and neither ar
e firewalled
For OSScan assuming that port 80 is open and port 44655 is closed and neither ar
e firewalled
Interesting ports on sitefinder.verisign.com (12.158.80.10):
(The 1642 ports scanned but not shown below are in state: filtered)
Port State Service
80/tcp open http
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=3.28%P=i386-portbld-freebsd
TSeq(Class=TR
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags
T1(Resp=Y%DF=Y%W=16D0%ACK=S++%Fla
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16D0%
T4(Resp=Y%DF=Y%W=0%ACK=
T5(Resp=N)
T6(Resp=N)
T7(Resp=N
PU(Resp=N)
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: 673A4C36 652AB817 BBE534C3 685BB54A
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 137.552 seconds
they're only running smtp and http (Score:4, Informative)
The server is only running smtp and http, and theoretically it could be running services on the tens of thousands of other ports you didn't scan, but it almost certainly isn't.
Those filtered ports are why the nmap scan took 24.611 seconds; system without filtered ports will go faster then that under normal circumstances.
Oh common, the workaround is so obvious... (Score:5, Informative)
This a stupid stupid stupid move by them, Akin to shooting themselves in the foot with a 45 caliber pistol; it's going to anger a lot of people in the IT industry.
BANZAI!!! Self-DoS Attack of Ownage (Score:4, Funny)
Make sure you let Scott and Matt know .... (Score:5, Informative)
And while you are at it, you may consider a friendly note for W.G. Champion Mitchell (wmitchell@verisign.com) [mailto], President, NetSol and Stratton Sclavos (ssclavos@verisign.com) [mailto], Chairman and CEO, VeriSign.
Abuse of monopoly will result in regulation. (Score:4, Insightful)
Sorry to say this, but this is going to be a precedent for Internet being regulated, this time for real. And you'll be able to thank Verisign for it. Perhaps that's a provocative step to achieve what they are really after - being regulated, which will guarantee them longevity.
Greedy bastards.
Terms of Use (Score:5, Interesting)
So, by mistyping a domain name, I've entered into a legal agreement with Verisign? And the only way to get out of it is to not use the internet?
The only address on the page is their legal department's postal address, at
VeriSign, Inc.
Attention: Legal Department
21355 Ridgetop Circle
Dulles, VA 20166
I guess I'll be sending them a nice letter. As soon as I figure out what legal recourse I actually have.
Misplaced root of trust? (Score:5, Insightful)
E-mail (Score:5, Interesting)
Just to see what would happen, I just tried sending an e-mail to <testuser@slashdoct.com>. Would they bounce the message? If so what would the error message look like? If they didn't bounce it, would they just keep it? Read it? Inquring minds want to know!
Well it bounced:
The original message was received at Mon, 15 Sep 2003 21:06:55 -0500 (CDT)
... while talking to slashdoct.com.:
from [myhost.mydomain] [xxx.xxx.xxx.xxx]
----- The following addresses had permanent fatal errors -----
<testuser@slashdoct.com>
(reason: 550 User domain does not exist.)
----- Transcript of session follows -----
>>> RCPT To:<testuser@slashdoct.com>
<<< 550 User domain does not exist.
550 5.1.1 <testuser@slashdoct.com>... User unknown
Reporting-MTA: dns; [myhost.mydomain]
Received-From-MTA: DNS; [myhost.mydomain]
Arrival-Date: Mon, 15 Sep 2003 21:06:55 -0500 (CDT)
Final-Recipient: RFC822; testuser@slashdoct.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; slashdoct.com
Diagnostic-Code: SMTP; 550 User domain does not exist.
Last-Attempt-Date: Mon, 15 Sep 2003 21:06:56 -0500 (CDT)
And: >telnet www.slashdoct.com 25
Trying 64.94.110.11...
Connected to www.slashdoct.com.
Escape character is '^]'.
220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
quit
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
>
Snubby Mail Rejector???
Re:E-mail (Score:5, Interesting)
Rejector isn't even parsing (Score:5, Informative)
telnet 64.94.110.11 25
Trying 64.94.110.11...
Connected to 64.94.110.11.
Escape character is '^]'.
220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
250 OK
250 OK
550 User domain does not exist.
250 OK
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
That's right. It doesn't parse the input at all (I just hit Enter a bunch of times). If you have multiple RCPT lines, or have an extra command in there anywhere, you will get an OK in the wrong place and it will look like you have succeeded.
Adam
Site Finder Developer's Guide available... (Score:4, Informative)
Available here [verisign.com]
How nice of them to let us know...
An open letter of complaint (Score:5, Interesting)
rcc@verisign.com, hostmaster@nsiregistry.net, ir@verisign.com,
dcpolicy@verisign.com
Subject: Complaint about Versign abuse of DNS root zones
A Letter of Complaint about actions undertaken by Verisign Incorporated
on or about 9/13/03.
Sent to the Internet Corporation of Assigned Names and Numbers and the
Internet Assigned Number Authority.
Doug Dumitru
xxxxx xxxxxx xxxx Road
xxxxxx xxxxxx, CA 9xxxx
949 xxx-xxxx
Dear sirs,
As you are probably aware, Verisign is redirecting unregistered
2nd-level domains in the
engine. They are using a technique known as DNS wildcarding to
accomplish this.
I firmly believe that this is clearly an abuse of the DNS system, that
it violates the technical requirements for domain lookups, that the
results returned are fraudulent, and that this technical action only
benefits Verisign at the expense of the rest of the internet population.
I respectfully request that IANA and ICANN immediately take action
against Verisign demanding that Verisign cease this fraudulent and
damaging behaviour. Should Verisign refuse, I would recommend that IANA
and/or ICANN (and/or the US government) take immediate action to revoke
Verisign's contract to administer the
I would also recommend that IANA and/or ICANN immediately pass "best
practice" rules that prevent other TLDs and country-code domains from
following in Verisign's deceptive footsteps. It is important that a
"domain not found" error not be subverted into an advertising opportunity.
Sincerely,
Doug Dumitru
Violation of ICANN Policy (Score:5, Interesting)
Bill
Here is a form letter for everybody: (Score:5, Informative)
To whom it may concern,
Verisign is commiting a major injustice that cannot be allowed to continue. It is important ICANN consider what is best for the internet community as a whole and take proper action. Proper action would be to immediately stop this monopolistic behavior from Verisign.
Please read below for more information taken from Slashdot.org:
As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the
This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.
Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all
The internet belongs to everyone. It is not something that can be bought and sold by any one entity. Please put a stop to this behavior.
Thank you.
---insert name here---
---insert city and state of residence here---
The damage is already beginning (Score:5, Informative)
A few hours ago I was trying to troubleshoot a lame delegation to another zone. It seemed to be working which puzzled me to no end. It turns out the lame DNS server was returning 64.94.110.11.
Lame delegation is a very common phenomenon and (in the case of a typo) can often be diagnosed with NXDOMAIN being returned for the glue RR record. Never returning NXDOMAIN means that many types of lame delegation will no longer be caught.
One of my peer zones had a typo'ed MX record. Before VeriSign's sabotage (yes, sabotage) the lookup of the corresponding address record would simply fail with NXDOMAIN. The source MTA would then try to deliver to the secondary MTAs on the list of MX records in order of priority. Mail delivery would proceed normally using the secondary MTA(s).
However to my complete and utter astonishment, 64.94.110.11 has a working MTA listening on port 25 (why???). This means that any MX records with typos in the primary record will have all their e-mail redirected to VeriSign's MTA. Mail that would normally automatically be re-routed to the secondary MTA instead now gets bounced by Verisign's ''Snubby Mail Rejector Daemon v1.3''. Not returning NXDOMAIN will break mail delivery to secondary MTAs.
And what about spam filters? It will break any spam filter that tries to verify that the source MTA hostname claimed in the HELO request is resolvable (i.e. that the claimed HELO name is not fictious).
I could probably list another half dozen problems if I thought about it. I can't believe the arrogance (read: stupidity) of this act.
I can't wait to see reaction reaction from the backbone cabal on NANOG.
BIND Blocking Configuration (Score:5, Informative)
Not every root nameserver is serving the A record (Score:5, Informative)
I am removing those broken nameservers from my root zone hints at all of the places that I administer. Hopefully enough root servers will remain clean of this aborration to keep up a good level of service.
I encourage others everywhere to do the same and ask their ISPs follow suit. If you don't play fairly with the public trust, the public should stop trusting you.
If Verisign can hijack *.COM and *.NET, what is to keep resolving ISPs from hijacking unused domains at the resolver level to suit their own purposes?
Where was the RFC on this practice? It would never have passed peer review.
--
Eric Ziegast
Former TLD administrator.
Former hostmaster at a major ISP.
PLEASE DO NOT CLICK ON ANY SEARCH ENGINE RESULTS (Score:5, Informative)
Took a look at their setup, and from what I can see, they have partnered with Overture to get their search results. Overture is a pay per click search engine, meaning advertisers bid to get to the top of the search results - anywhere from $0.10 to $50. Most arrangements involve Overture getting half of the the bid, and VeriSign getting the other half.
What this means is that they are making money (probably hundreds of thousands if not millions daily) from most of the searches you make.
Topics which attract high bids (up to $50 per click, it is shocking) include online casinos, dedicated servers, refinancing, and a few others.
I implore you all:
If you want this to stop, please do not click on any of the search results from this 'search engine'. Doing so will contribute to the profit VeriSign will make from this. If you really really want to click on one of the listings plase go to www.overture.com and get it directly from them.
Other things we can do include:
1) Putting them on the spam RBLs for spamming the entire internet. This will have the effect of blackholing them from some parts of the internet that drop packets based on those RBLs right at the router level.
2) Encourage your vendors to modify their DNS server packages to change results for that IP to NXDOMAIN.
3) Encourage your admins to run such modified DNS servers.
Re:PLEASE DO NOT CLICK ON ANY SEARCH ENGINE RESULT (Score:4, Insightful)
The whole thing was done exactly with this
purpose, but I think it can be used to break the
system. If enough bots (and bots only)
constantly "click" on the ads, their price will
plummet. Since now they cannot tell if a person
saw the ad, they "pay per click" becomes
pointless. (and boy they will be mad when find
out they paid all that money for nothing)
On the other other hand if every slashdoter
would ping the thing it would be way more fun.
Come one everybody just type : ping 64.94.110.11
(at -t if you are in windows)
NANOG threads on this topic (Score:5, Informative)
Physical Location of Verisign Offices (Score:5, Informative)
VeriSign Worldwide Headquarters
487 East Middlefield Road
Mountain View, CA 94043
Phone: 650-961-7500
FAX: 650-961-7300
Have fun!
Here's a neat idea: (Score:5, Informative)
thatdog said:
The most amusing part of this to me is they take whatever is passed in the url parameter and shove it into the html of their page, no questions asked. Remote scripting exploits will be ever so easy!
If you don't get what I'm talking about, just check out this link [verisign.com].
Would be fun to see redirects on major isps and backbones...or even forwarding to an alternate site hosted elsewhere with an explanation.
ICANN said no.... (Score:4, Informative)
<http://www.icann.org/correspondence/iab-message-t o-lynn-25jan03.htm> [icann.org]
What happened? I STRONGLY URGE that complaints be made to ICANN and the US DoC...right now.
This is so much worse than many folks think.
libverisignfix.c (Score:5, Informative)
Anti-Trust violation (Score:5, Interesting)
Eric
eric at koldware dot SpamThisSucker dot com
What I did (Score:5, Interesting)
I've created a Squid redirector to deal with this problem. I tried to post it here, but couldn't get past the Slashdot lameness filter.
It catches anything going to a gTLD's wildcard response (there's about 15 gTLDs doing this!) and redirects it to google. It also does some other niceties that don't automatically happen when using a proxy, such as adding www. and .org/.com/.net if needed.
If anybody wants the code, then post a reply here and I'll set up a web page with it and post the URL. (I won't bother if nobody wants it.)
You may want to know, also, that some of the NANOG folks have patches for BIND to change these responses back into NXDOMAIN.
What's next? (Score:5, Funny)
Legal degree from Play Skool? (Score:4, Interesting)
foo@foothefuckinghell.
deliver to foo@foothefuckinghell.com
router = lookuphost, transport = remote_smtp
host foothefuckinghell.com [64.94.110.11]
spacemeat:/# telnet 64.94.110.11 25
Trying 64.94.110.11...
Connected to 64.94.110.11.
Escape character is '^]'.
220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready
QUIT
221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
Umm, the fact that email is going to go there for every typo or expired domain opens up a great deal of legal trouble. They really haven't thought this out very well have they?
(Even if it currently bounces everything. It still has to get there to be rejected. And there's nothing that says they aren't keeping it, reading it, or won't do so in the future.)
Re:Legal degree from Play Skool? (Score:4, Informative)
Remedy:
1) blackhole that IP - PERMANENTLY. (blacklist their entire IP assignement(s))
2) modify bind to return NXDOMAIN for any query containing that IP.
3) make aformenttioned modification a configuration option (list) thus making it easy to adjust when the assh^W^Wthey change the address.
4) add my own choice wildcard entries
5) kill every living thing at Verisign/Network Solutions even remotely involved with this bullshit (as an example to others who have not learned to participate in a civilized society.)
There's a real big difference between me adding *.bar.com and someone adding *.com.. The wildcard record was originally intended to reduce the number of records -- specifically to negate the need for an MX record for every host. And honestly, it's never worked to anyone's satisfaction (e.g. the ability to send email to bob@[censored].bar.com)
web.archive.org (Score:5, Interesting)
One of many problems is that web.archive.org [archive.org] will honor the /robots.txt of any host and remove that host from its archive. So, sooner or later, the archive of all formerly (and currently no longer) registered domains will be gone...
DDoS/attack/"testing"? (Score:4, Insightful)
It really sounds like Verisign wants traffic destined for every mistyped or invalid hostname. I say let them have it. Surely they're aware that the Internet is not just the web.
Clue-by-four (Score:5, Informative)
Reply-To: uknot@uk.com
To: uknot@uk.com
Subject: [uknot] Cluebyfour verisign HOWTO for the UK
Date: Tue, 16 Sep 2003 11:32:55 +0100
Call 0800-032-2101 and select option 2 for Support.
Explain to the engineer that you have typed in an non-existant domain name and
been directed to their sitefinder service.
Explain that you have read the "Terms of Use" and do not agree to abide by
them.
Explain that, as you don't agree to the ToU, you are explicitly forbidden from
using their service.
Ask them to exclude your IP block from those that will be given the sitefinder
IP rather than NXDOMAIN.
Give them your name, company (if appropriate) and a contact telephone number.
US and Canada: The contact page number is 888-642-9675. Apparently they will also refer you to 866-345-0330 (which isn't listed on that page), but you should of course check the number given on their official contact page and call that first. The postal address is VeriSign, Inc., Attention: Legal Department, 21355 Ridgetop Circle, Dulles, VA 20166, USA.
Re:Abusing the Power that be (Score:5, Insightful)
There is no Internet (Score:5, Insightful)
I feel it is worthwhile to post a more general response to this point as well.
There is this myth that "the Internet" exists as a single, cohesive network. It does not, and never has. "The Internet" is a network of networks. What that means is that a bunch of independent network operators have agreed to exchange traffic with each other because it benefits them. When you dial in to your ISP of choice (or plug in your Ethernet cable or whatever), you're not connecting to the Internet. You're connecting to your ISP. Your ISP probably connects to their ISP. Their ISP (if you're lucky) connects to several other ISPs, who connect to other ISPs, and so on. All these independent network operators form "the Internet". So, "the Internet" exists as an abstract concept (and a useful one), but not as something you can touch. Not even as something you can route traffic through. All you can do is connect to some other guy's network and hope for the best.
The reason this is important is because we are already seeing ISPs implementing countermeasures against this VeriSign move. Some are null-routing that IP address at layer two; others are using DNS tricks to give us the old behavior. If enough ISPs do this, VeriSign's move will be largely ineffective. In effect, ISPs as a community can veto VeriSign or anyone else. It only works if most of them agree and take action, of course, and it remains to be seen if they will do that. And, of course, some of these countermeasures may themselves be easily defeated, leading to an arms race (like the spammer vs anti-spam arms race).
The possible consequences of all this are, shall we say, interesting.
(BTW, I don't disagree with the OP's suggested course of action, nor with the principle behind it. I'm just pointing out that things are, as usual, more complicated then they might appear.)
Re:This is a bitch (Score:5, Insightful)
Re:This is a bitch (Score:5, Informative)
Those spam-catching tools work by doing a reverse-dns lookup of the IP address that is trying to send the mail. This is different than doing a "forward"-dns lookup.
Not so.
A common spam filtering method is to check the envelope sender to see if the domain exists. Any mail that is sent with a faked envelope sender to which bounces can't be sent is spam.
That means querying for either an MX record or A record for that domain, and bouncing all the spam that doesn't have either. Now, thanks to verisign, all spam sent with forged envelope senders in .com or .net wil go straight through this spam filter, increasing the amount of spam in many peoples mailboxes.
Yes, in theory you could look for the magic A record returned, but to do so is something of an operational nightmare, and impossible to do with most current MTAs.
Re:How can we undo this? (Score:5, Funny)
I think you mean Commander Taco. Or were you talking about that dns thing?
Re:How can we undo this? (Score:4, Interesting)
Re:How can we undo this? (Score:4, Interesting)
Unfortunately, the rep that answered the phone was unable to help, he said that he works for Network Solutions, and can only help with domain registration issues, and that the Verisign parent company runs the root nameservers. He was unable to give me a contact number for Verisign. However, you may want to try calling this number yourself to see if maybe a different rep has the contact number for Verisign.
I did a whois on the verisign.com domain, and came up with the main contact number for Verisign: 650-961-7500, but it's been ringing for the past 5 minutes, with no answer. One would think that they would have an automated voice-response system on their main number, so I think that they are being innudated with calls.
Re:Which domains? (Score:4, Informative)
Presumably VeriSign will copy the wildcard to the other servers at some point. I wouldn't be surprised if they're ramping up slowly, monitoring the load as they expand the wildcard coverage.
Re:Seeeing the future (Score:4, Insightful)
This was likely one of the primary motivations for this maneuver...to encourage formerly unnecessary registrations.
I've never registered mispellings of my companies domains, and the thought never even crossed my mind until now. I'm sure the crooks at Verisign saw this angle, in addition to the tons of free eyeballs.
Re:I think Verisign now owes... (Score:5, Informative)
Network Solutions "bought" InterNIC way back when. VeriSign bought Network Solutions. Now Network Solutions sells domains as a registrar, and VeriSign (VeriSign Naming and Directory Services, specifically) is the registry. Every registrar, including Network Solutions, pays VNDS $6 per year per domain. VNDS doesn't pay anyone anything.
It's VNDS that is doing the wildcard entry.
-Todd
Re:Already taken down?? (Score:5, Informative)
If you have a Linux box, you can see this with:
host verisigniscrooked.com a.gtld-servers.net
host verisigniscrooked.com i.gtld-servers.net
I think we should all call tech support on their 800 number and complain.
U.S. and Canada: 888-642-9675
Worldwide: 1-703-742-0914
Lets see if we can get their hold queue time to several hours. Perhaps even ask to speak to a supervisor. Be sure to get names of everyone you talk to. Ask for names and phone number of the corporate officers. Compare them to SCO (ok, a bit off topic but I couldn't resist).