
Resolving Everything: VeriSign Adds Wildcards 1291

Posted by timothy
from the gotcha dept.
DragonHawk writes "As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now result in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising." Read on below for some more information.

"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)

This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.

Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.

VeriSign has published white papers about their implementation and also made some recommendations."

  • wonder of wonders (Score:5, Interesting)

    by wherley (42799) * on Monday September 15, 2003 @09:24PM (#6970369)
    what are the chances - using the [verisign.com] search page that comes up at the verisign site to search for "register" we find at the top of the list a link to networksolutions.com (a verisign company). we also note that searching for the same word at google [google.com] does not result in that site being present in at least the first four pages of results.

    yeah - that's a real useful search tool verisign has there - thanks so much.
    • by Anonymous Coward on Monday September 15, 2003 @09:29PM (#6970453)
      It is not that bad. At least if you enter "Verisign sucks big donkey balls", two of the three first results are from Slashdot.
    • Re:wonder of wonders (Score:5, Interesting)

      by bobthemonkey13 (215219) <keegan AT xor67 DOT org> on Monday September 15, 2003 @09:31PM (#6970476) Homepage Journal
      More fun with sitefinder.verisign.com [verisign.com]

      Hmm, cross-site scripting. Seems harmless enough, but I wonder if VeriSign stores anything important in the verisign.com cookie...

    • by mosch (204) * on Monday September 15, 2003 @09:48PM (#6970696) Homepage
      Actually, the verisign search seems to be pretty good. A search for FUCK VERISIGN [verisign.com] returns a slashdot article about verisign sending out deceptive domain renewal mail as the second result.
    • by Teflon (32988) on Monday September 15, 2003 @09:50PM (#6970720)
      In order to get this rather unwelcome act of Verisign's reversed, EVERYONE should contact ICANN immediately.


      comments@icann.org

      • by tuba_dude (584287) <tuba.terry@gmail.com> on Monday September 15, 2003 @09:58PM (#6970808) Homepage Journal
        If ICANN was still there for the good of the internet, yeah, that should work. Otherwise, you should only bother complaining if you're a CEO.
      • by trafik (707566) on Monday September 15, 2003 @10:31PM (#6971121)
        They don't seem to have an e-mail address for the category of "Subversion of the global DNS," so pick one of the following e-mail addresses and use it to CC your complaint to Verisign:

        authenticode-support@verisign.com,
        billing@verisign.com,
        channel-partners@verisign.com,
        clientpki@verisign.com,
        consultingsolutions@verisign.com,
        dbms-support@verisign.com,
        dcpolicy@verisign.com,
        digitalbranding@verisign.com,
        dnssales@verisign.com,
        enterprise-pkisupport@verisign.com,
        enterprise-sslsupport@verisign.com,
        info@verisign-grs.com,
        internetsales@verisign.com,
        IR@verisign.com,
        jobs@verisign.com,
        mss@verisign.com,
        objectsigning-support@verisign.com,
        paymentsales@verisign.com,
        practices@verisign.com,
        premiersupport@networksolutions.com,
        press@verisign.com,
        privacy@networksolutions.com,
        renewal@verisign.com,
        support@verisign.com,
        verisales@verisign.com,
        vps-support@verisign.com,
        vts-csrgroup@verisign.com,
        vts-mktginfo@verisign.com,
        webhelp@verisign.com,
        websitesales@verisign.com,
        websitesupport@verisign.com
      • by trainsnpep (608418) <mikebenza&gmail,com> on Monday September 15, 2003 @10:34PM (#6971159)
        Well, regardless of whether it will work, I tried:

        Verisign has continually been abusing the power that has been handed out to them. Two such examples are its mailing of false renewal notices, and its most recent exploit: sitefinder.verisign.com. Now, nearly all mistyped names will be sent to Verisign where they can do whatever they like to the unwitting user. There are even categories on sitefinder.verisign.com where one can browse and go to sites which are undoubtedly paying Verisign for the space.

        Please take this, and the hundreds or thousands of e-mails you will receive, into consideration, and exercise the power that ICANN has. Verisign has continually been abusing and tricking people through deceptive business practices, and this should be the last straw. Verisign should not only be removed from its post, but it should also be fined for its numerous escapades designed to make money.

        Sincerely,
        Michael B****

        I've got to wonder: where do they come up with such evil ideas? Verisign must have a beowulf cluster of insensitive clods...

    • Re:wonder of wonders (Score:5, Interesting)

      by gantzm (212617) on Monday September 15, 2003 @10:36PM (#6971172)
      Speaking of search engines. What would happen if a significant number of web sites put links on every page to a poison page. This poison page would generate 10,000 random links of the form "www.verisignblows948950948393903848585.com", with the number obviously being random. How long would it take for all the search engines and web crawlers to hit this and have a serious impact on verisigns servers?

      Now, I'm not suggesting anybody do this, I'm just asking the question.

      • Re:wonder of wonders (Score:4, Informative)

        by CaptainSuperBoy (17170) on Tuesday September 16, 2003 @12:07AM (#6971844) Homepage Journal
        No, that won't work at all.

        First, Verisign put an exclude: / in their robots.txt.

        Second, do you really think Google doesn't know how to handle wildcards by now? Think about it for a second. Even Slashdot has a wildcard - anything dot slashdot.org goes to the homepage. Does Google index Slashdot an infinite amount of times? Of course not. Why should it be different for anything dot com?
  • joy (Score:5, Insightful)

    by digitalsushi (137809) * <slashdot@digitalsushi.com> on Monday September 15, 2003 @09:24PM (#6970376) Journal
    this should make troubleshooting dns records as a netadmin much more fun with all those glorious false positives... guess that means i'll have to learn how to spell finally!
  • How Long... (Score:3, Insightful)

    by jlaxson (580785) * <jlaxson@ma c . com> on Monday September 15, 2003 @09:25PM (#6970391) Journal
    until we get gator-type forced advertising (not just incidental unrelated ads on the page) whenever you make the slightest domain mistake? I get the feeling this doesn't bode well for the continued freedom of the internet, if one company can unilaterally do something of this magnitude. (But then again, Mr. Bush seems to get along fine.)
    • Re:How Long... (Score:5, Interesting)

      by dnoyeb (547705) on Monday September 15, 2003 @10:00PM (#6970828) Homepage Journal
      This happened to my mother just yesterday. She calls me complaining about "my computer has a virus!" I countered that there was no way her computer could know. This went on for a while..

      My mother is visually impaired. She was trying to go to www.biblegateway.com, but she went to www.gatewaybible.com. Sacrilegious scum.

      It's hard for her to find the stupid MODAL popup windows when she is using a screen magnifier and the whole screen is not even showing...

      A DNS error would have been MUCH nicer. She would not have even called me costing my employer productivity. Currently I know somebody is wasting money on those parked domains. This verisign situation is just sad.
  • by nightsweat (604367) on Monday September 15, 2003 @09:26PM (#6970396)
    As a Denial of Service Attack I will continue to manually type domain names and not take typing classes.

    I oughta be able to bring em to their knees in a day or two.

  • by mdouglas (139166) on Monday September 15, 2003 @09:27PM (#6970406) Homepage
    expect that ip to get null routed by the backbone carriers real fast.
  • by StewedSquirrel (574170) on Monday September 15, 2003 @09:27PM (#6970417)
    Doesn't this short-circuit Microsoft's attempt to capture ad revenue from all mis-typed domains through their Internet Explorer?

    I always thought that a revolting misuse of monopoly power and I use Mozilla exclusively now (that was one of the primary reasons I switched, tho not the only one).

    Prepare for Microsoft to be EXTREMELY UPSET. MSN's search count will be cut in 1/4 by this move too.

    Watch for it.

    Stewey
    • by ogre2112 (134836) on Monday September 15, 2003 @09:52PM (#6970739)
      The contents of the address bar are only processed by MSN's built in search form if you don't add the TLD.

      'slashhhdot' - would bring up MSN's search.

      'www.slashhhdot.com' - would bring a 404 (or now, Verisign's site-finder)

      After this change by Verisign, MSN's search operates 100% the same. At least, on my IE6 SP1 with no customizations.
    • by wkcole (644783) on Monday September 15, 2003 @09:54PM (#6970767)
      The IE redirect to the MSN search mess is configurable: you can turn it off AND turn off the stupid useless 'all errors are one thing' error page and make IE actually give you something useful, at least with IE 5.5 and 6.

      HOWEVER, you can bet that MS and AOL and everyone else who does something interesting and useful with HTTP queries that look for bad domain names (like some ISP's that have proxies for users and some companies that have proxies for employers) will be pissed off. Different people like to do different things with their NXDOMAIN responses, and Verisign has just made sure that a lot of those responses never happen and that only Verisign gets to choose what the user sees instead.

      There essentially are no more unregistered .(com|net) domains. Verisign has just in effect registered all unregistered domains in those TLD's and pointed them at their own little cash-spinner.
  • What? (Score:5, Insightful)

    by Lord_Dweomer (648696) on Monday September 15, 2003 @09:27PM (#6970420) Homepage
    So let me get this straight.....If I own http://www.hardtospelldomain.com, and someone misspells it, Verisign now has the opportunity to offer up the highest bidders site for redirects? Even potential competitors? Perhaps I'm missing something here, but wouldn't this open them to all kinds of lawsuits from companies that were affected in that way?

  • by netmask (8001) on Monday September 15, 2003 @09:28PM (#6970426)
    This is really sad.

    Not only will mail have problems, as the "non-existent domain" check will always fail.. but this is completely criminal it seems.

    I hate to mention, but they are giving Microsoft a dose of their own medicine.. taking away their ability to bring you to their 'search' page for non-existent domains.. and AOL's own feature similar to that. It hurts google, since Verisign teamed with yahoo on this one for search services (Although, google provides yahoos search functionality for now).

    All .com domains are resolving with an authoritative section of Verisign's server.. and .net's with the list of root servers. It would seem that no domain should ever resolve with either of those as an authority.. The real dns server for the domain should. Hopefully BIND and other DNS packages will start blocking domains that have a root server or a verisign server as the authoritative dns server.

    Further.. they'll be harvesting bounced email addresses for sure. If you get spammed from a bunk domain, and it gets returned.. or you typo an email address.. they are nice enough to run a mail daemon on port 25 to harvest those addresses. It lets you helo, from, rcpt, and data.. and then closes your connection.. just long enough to snag all the info it wants from you.

    This entire thing is a mess, and seems like it should be highly illegal. Hopefully OpenSRS and GoDaddy and others will have a fit over it. This just seems completely wrong.
  • DDOS in the making (Score:5, Insightful)

    by digitalsushi (137809) * <slashdot@digitalsushi.com> on Monday September 15, 2003 @09:29PM (#6970440) Journal
    think about it.. your dns server caches the entries it gets back, but now we can make scripts that check sequentially all the way up! crash your ISPs name servers, or crash a root server for the prize! remember kids, take down 2/3 + 1 of the root servers and it's not running on spec anymore!
  • Now let's see (Score:5, Insightful)

    by psyconaut (228947) on Monday September 15, 2003 @09:29PM (#6970443)
    Porn companies aren't allowed to run sites with slightly misspelled names because it's considered unfair practice, but a 'registrar' is allowed to catch anything that might come their way?

    -psy
  • Agreement by typo. (Score:5, Informative)

    by Lux (49200) on Monday September 15, 2003 @09:29PM (#6970444)
    This is hilarious!! They have a TOS!

    By making a typo, you supposedly agree that if their site overflows a buffer in your browser and wipes your HD, they are not liable.

    Okay, terrible example for many reasons, but I still think it's pretty laughable that they claim that the "user" agrees to certain terms of service by "utilizing" this little piece of indirection.

    -Lux
    • by JayBlalock (635935) on Monday September 15, 2003 @09:54PM (#6970766)
      That's not hilarious, that's maddening beyond my ability to properly express. Especially, #10 - Sole Remedy: "YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED WITH ANY OF THE MATERIALS, RESULTS OR OTHER CONTENTS OF THE VERISIGN SERVICES OR WITH THESE TERMS AND CONDITIONS, OUR PRIVACY STATEMENT, OR OTHER POLICIES, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE." If you don't like what Verisign is doing, get off the Internet. This could well inspire even our current Administration to smack them down. This is the most hubris-laden abuse of a monopoly I've heard of in a long time.
  • by yali (209015) on Monday September 15, 2003 @09:30PM (#6970461)

    For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake...

    What do you mean, "by msiatke [slashdot.org]"?

  • patches? (Score:5, Interesting)

    by Pathwalker (103) * <hotgrits@yourpants.net> on Monday September 15, 2003 @09:31PM (#6970465) Homepage Journal
    I wonder how long it will be before there are patches for BIND/dnscache/etc. to remap any result containing 64.94.110.11 to a "record not found" result?
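
Added example (not part of the original comment, and not code from BIND or dnscache): one shape the remapping asked about above could take, as a filter over raw DNS response bytes that turns any answer containing 64.94.110.11 into NXDOMAIN. The function names and the sample messages are constructed for illustration; only the address comes from the story.

```python
import socket
import struct

WILDCARD_ADDR = "64.94.110.11"  # the wildcard address quoted in the story
RCODE_NXDOMAIN = 3
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a host name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(name: str, addr: str, ident: int = 0x1234) -> bytes:
    """Constructed sample input: a NOERROR response carrying one A record."""
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, 1, 0, 0)  # QR|RD|RA
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # Owner name is a compression pointer (0xC00C) back to the question name.
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4)
    return header + question + answer + socket.inet_aton(addr)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past an encoded, possibly compressed, name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length


def end_of_questions(msg: bytes) -> int:
    """Offset of the first byte after the question section."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    return off


def answer_addresses(msg: bytes) -> list:
    """Dotted-quad strings for every IN A record in the answer section."""
    ancount = struct.unpack("!H", msg[6:8])[0]
    off = end_of_questions(msg)
    found = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            found.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return found


def rcode(msg: bytes) -> int:
    """Response code from the low four bits of the header flags."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def filter_response(msg: bytes, blocked=frozenset({WILDCARD_ADDR})) -> bytes:
    """Return msg unchanged, or an NXDOMAIN reply if it points at a blocked address."""
    try:
        if not blocked.intersection(answer_addresses(msg)):
            return msg
        qend = end_of_questions(msg)
    except (IndexError, struct.error):
        return msg                      # malformed input: pass through untouched
    ident, flags, qdcount = struct.unpack("!HHH", msg[:6])
    flags = (flags & 0xFFF0) | RCODE_NXDOMAIN
    # Keep the ID and question so the client can match the reply; drop all records.
    header = struct.pack("!HHHHHH", ident, flags, qdcount, 0, 0, 0)
    return header + msg[12:qend]


if __name__ == "__main__":
    for name, addr in [("www.bogusdomainname.com", WILDCARD_ADDR),
                       ("www.example.com", "192.0.2.10")]:
        out = filter_response(build_response(name, addr))
        print(name, "->", "NXDOMAIN" if rcode(out) == RCODE_NXDOMAIN else "NOERROR")
```

A filter keyed on one address stops working if the wildcard target changes, so the blocked set is a parameter rather than a constant.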
  • Mail trap (Score:5, Interesting)

    by piyamaradus (447473) on Monday September 15, 2003 @09:34PM (#6970522)
    This also traps all mail sent TO a non-existent domain. Since all RFC-compliant mail servers will follow up a negative MX response with an A lookup and connect to that IP, if you send mail to a bogus domain, it goes to verisign's server, which (currently) bounces it. Imagine the fun the federal government can have subpoena'ing those logs.

    Also, you'll note the cookies that 'sitefinder' sends out, so they can uniquely track any traffic to that site. Also a fun subpoena opportunity. And did you read the fun terms of service that they claim you agree to by 'choosing to visit' their site?

    I doubt this will stand. I certainly know that, as a major ISP executive, we'll be reviewing our business with Verisign.
  • by MavEtJu (241979) <slashdot AT mavetju DOT org> on Monday September 15, 2003 @09:35PM (#6970541) Homepage
    With DNS tracer [mavetju.org], you can see how much damage they do:

    [~] edwin@k7>dnstracer -s . -o blaat.burps.ploeps.thisdomaindoesnotexistabcdef.com
    Tracing to blaat.burps.ploeps.thisdomaindoesnotexistabcdef.com via A.ROOT-SERVERS.NET, timeout 15 seconds
    A.ROOT-SERVERS.NET [.] (198.41.0.4)
    |\___ M.GTLD-SERVERS.NET [com] (192.55.83.30)
    |\___ E.GTLD-SERVERS.NET [com] (192.12.94.30)
    |\___ K.GTLD-SERVERS.NET [com] (192.52.178.30)
    |\___ J.GTLD-SERVERS.NET [com] (192.48.79.30)
    |\___ F.GTLD-SERVERS.NET [com] (192.35.51.30)
    |\___ L.GTLD-SERVERS.NET [com] (192.41.162.30)
    |\___ D.GTLD-SERVERS.NET [com] (192.31.80.30) Got authoritative answer
    |\___ B.GTLD-SERVERS.NET [com] (192.33.14.30) Got authoritative answer
    |\___ I.GTLD-SERVERS.NET [com] (192.43.172.30)
    |\___ C.GTLD-SERVERS.NET [com] (192.26.92.30) Got authoritative answer
    |\___ H.GTLD-SERVERS.NET [com] (192.54.112.30)
    |\___ G.GTLD-SERVERS.NET [com] (192.42.93.30)
    \___ A.GTLD-SERVERS.NET [com] (192.5.6.30) Got authoritative answer


    Personal opinion: stupid idiots who wrongly mix political goals with technical capabilities. Just because we can doesn't mean we should.
  • by MrPerfekt (414248) on Monday September 15, 2003 @09:37PM (#6970567) Homepage Journal
    when you fuck an RFC in the ass. *baseball bat on car headlight*
  • by DragonHawk (21256) on Monday September 15, 2003 @09:39PM (#6970594) Homepage Journal
    Okay, everybody and their brother is trying to resolve "bogusdomainname.com" or whatever and finding they get a NXDOMAIN error (as they should). There are a lot of possible reasons for this, which I will simply handwave as "caching".

    To see the real thing in action, query an authoritative nameserver directly. For example:


    $ host www.bogusdomainname.com
    Host www.bogusdomainname.com not found: 3(NXDOMAIN)
    $ host www.bogusdomainname.com a.gtld-servers.net
    Using domain server:
    Name: a.gtld-servers.net
    Address: 192.5.6.30#53
    Aliases:

    www.bogusdomainname.com has address 64.94.110.11
    $


    The first query uses the default resolver on my system, which is a local named which in turn forwards to my ISP's resolvers, which do who knows what. The second query says to ask a.gtld-servers.net, which causes the host utility to send the query directly to one of the authoritative nameservers for the GTLDs (Global Top Level Domains, as opposed to country-specific domains like .us). Then I see the current authoritative response.
  • by jdc180 (125863) on Monday September 15, 2003 @09:39PM (#6970597)
    This isn't something new, they told us it was coming. [slashdot.org] What a crock of shit. I think this shows that there needs to be some sort of accountability in this business.
  • What about Google? (Score:4, Insightful)

    by MobyDisk (75490) on Monday September 15, 2003 @09:40PM (#6970607) Homepage
    This is horrible for web spiders and search engines. Every link to a dead domain name will now result in a series of pages that need to be indexed. And there will be thousands (millions?) of web sites that all offer Verisign name registrations -- all identical. This will surely affect their page rankings! Spiders will have to be hard-coded to ignore certain IP addresses or DNS names.

    I hope they get sued by every mail filter vendor, registrar, and search engine that they just damaged with this. And the government needs to review the powers they are granting to name-server providers.
  • by Istealmymusic (573079) on Monday September 15, 2003 @09:41PM (#6970617) Homepage Journal
    Starting nmap 3.28 ( www.insecure.org/nmap/ ) at 2003-09-15 06:36 PDT
    Host sitefinder.verisign.com (12.158.80.10) appears to be up ... good.
    Initiating SYN Stealth Scan against sitefinder.verisign.com (12.158.80.10) at 06:36
    Adding open port 80/tcp
    The SYN Stealth Scan took 94 seconds to scan 1643 ports.
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    For OSScan assuming that port 80 is open and port 36304 is closed and neither are firewalled
    For OSScan assuming that port 80 is open and port 43206 is closed and neither are firewalled
    For OSScan assuming that port 80 is open and port 44655 is closed and neither are firewalled
    Interesting ports on sitefinder.verisign.com (12.158.80.10):
    (The 1642 ports scanned but not shown below are in state: filtered)
    Port State Service
    80/tcp open http
    No exact OS matches for host (test conditions non-ideal).
    TCP/IP fingerprint:
    SInfo(V=3.28%P=i386-portbld-freebsd5.1%D=9/15%Time=3F65C0E9%O=80%C=-1)
    TSeq(Class=TR%IPID=Z%TS=U)
    T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
    T1(Resp=Y%DF=Y%W=16D0%ACK=S++%Flags=AS%Ops=MNW)
    T2(Resp=N)
    T3(Resp=Y%DF=Y%W=16D0%ACK=S++%Flags=AS%Ops=MNW)
    T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)

    TCP Sequence Prediction: Class=truly random
    Difficulty=9999999 (Good luck!)
    TCP ISN Seq. Numbers: 673A4C36 652AB817 BBE534C3 685BB54A
    IPID Sequence Generation: All zeros

    Nmap run completed -- 1 IP address (1 host up) scanned in 137.552 seconds
  • by TyrranzzX (617713) on Monday September 15, 2003 @09:45PM (#6970664) Journal
    Simply block all traffic to 64.94.110.11 and give verisign your hate mail as well. It'll still return the error message whenever that address is found, so even if it is hosted, it's as good as not registered.

    This is a stupid stupid stupid move by them, akin to shooting themselves in the foot with a 45 caliber pistol; it's going to anger a lot of people in the IT industry.
  • by Cordath (581672) on Monday September 15, 2003 @09:49PM (#6970702)
    This is one helluva way to drum up traffic, so I'd be curious to know what kind of steroid-pumped uber-server and fat petabyte pipe they plan to run their site on. Personally, I suspect the ad page will be taken down by Verisign themselves when they smell smoke coming from the server room and see their sysadmins running around naked on the front lawn while tearing out their hair and screaming "SWEET MOTHER OF SMEGMA, MAKE THEM STOP!!!".
  • by jea6 (117959) on Monday September 15, 2003 @09:49PM (#6970708)
    You may want to let Scott Hollenbeck (shollenbeck@verisign.com [mailto]) and Matt Larson (mlarson@verisign.com [mailto]) from VeriSign's Naming and Directory Services know what you think of their Best Practices [verisign.com].

    And while you are at it, you may consider a friendly note for W.G. Champion Mitchell (wmitchell@verisign.com) [mailto], President, NetSol and Stratton Sclavos (ssclavos@verisign.com) [mailto], Chairman and CEO, VeriSign.
  • by semanticgap (468158) on Monday September 15, 2003 @09:51PM (#6970729)
    I find it very hard to believe that they will be able to get away with this without some response from the US (and EU) government(s).

    Sorry to say this, but this is going to be a precedent for Internet being regulated, this time for real. And you'll be able to thank Verisign for it. Perhaps that's a provocative step to achieve what they are really after - being regulated, which will guarantee them longevity.

    Greedy bastards.
  • Terms of Use (Score:5, Interesting)

    by creidieki (110659) on Monday September 15, 2003 @09:54PM (#6970765) Journal
    So let me get this straight. A site I didn't ask to go to has a Terms of Use which says that my sole remedy is to discontinue use of "The Verisign Services".

    So, by mistyping a domain name, I've entered into a legal agreement with Verisign? And the only way to get out of it is to not use the internet?

    The only address on the page is their legal department's postal address, at

    VeriSign, Inc.
    Attention: Legal Department
    21355 Ridgetop Circle
    Dulles, VA 20166

    I guess I'll be sending them a nice letter. As soon as I figure out what legal recourse I actually have.
  • by LostCluster (625375) on Monday September 15, 2003 @10:10PM (#6970924)
    Is it just me, or is Verisign now abusing the trust of the Internet community, which is a very strange thing for a company that wants to be a root of trust when it comes to issuing SSL certs?
  • E-mail (Score:5, Interesting)

    by jdunlevy (187745) on Monday September 15, 2003 @10:23PM (#6971032) Homepage

    Just to see what would happen, I just tried sending an e-mail to <testuser@slashdoct.com>. Would they bounce the message? If so what would the error message look like? If they didn't bounce it, would they just keep it? Read it? Inquiring minds want to know!

    Well it bounced:

    The original message was received at Mon, 15 Sep 2003 21:06:55 -0500 (CDT)
    from [myhost.mydomain] [xxx.xxx.xxx.xxx]

    ----- The following addresses had permanent fatal errors -----
    <testuser@slashdoct.com>
    (reason: 550 User domain does not exist.)

    ----- Transcript of session follows -----
    ... while talking to slashdoct.com.:
    >>> RCPT To:<testuser@slashdoct.com>
    <<< 550 User domain does not exist.
    550 5.1.1 <testuser@slashdoct.com>... User unknown

    Reporting-MTA: dns; [myhost.mydomain]
    Received-From-MTA: DNS; [myhost.mydomain]
    Arrival-Date: Mon, 15 Sep 2003 21:06:55 -0500 (CDT)

    Final-Recipient: RFC822; testuser@slashdoct.com
    Action: failed
    Status: 5.1.1
    Remote-MTA: DNS; slashdoct.com
    Diagnostic-Code: SMTP; 550 User domain does not exist.
    Last-Attempt-Date: Mon, 15 Sep 2003 21:06:56 -0500 (CDT)

    And: >telnet www.slashdoct.com 25
    Trying 64.94.110.11...
    Connected to www.slashdoct.com.
    Escape character is '^]'.
    220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
    quit
    221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
    221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
    Connection closed by foreign host.
    >

    Snubby Mail Rejector???

    • Re:E-mail (Score:5, Interesting)

      by pipeb0mb (60758) <pipeb0mb AT pipebomb DOT net> on Monday September 15, 2003 @10:56PM (#6971328) Homepage
      I wonder if more people will become concerned when verisign starts to harvest instead of bounce?
    • by DeathB (10047) * <adamp&ece,cmu,edu> on Monday September 15, 2003 @11:28PM (#6971567) Homepage
      I've seen several people now post sessions they've had with "Snubby". Snubby is assuming that people are ordering things in a specific order. A session I just had with it:

      telnet 64.94.110.11 25
      Trying 64.94.110.11...
      Connected to 64.94.110.11.
      Escape character is '^]'.
      220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready

      250 OK

      250 OK

      550 User domain does not exist.

      250 OK

      221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
      Connection closed by foreign host.

      That's right. It doesn't parse the input at all (I just hit Enter a bunch of times). If you have multiple RCPT lines, or have an extra command in there anywhere, you will get an OK in the wrong place and it will look like you have succeeded.

      Adam
  • by Etcetera (14711) * on Monday September 15, 2003 @10:24PM (#6971052) Homepage

    Available here [verisign.com]

    How nice of them to let us know...

  • by DDumitru (692803) <doug@nOspAm.easyco.com> on Monday September 15, 2003 @10:28PM (#6971092) Homepage
    To: icann@icann.org, iana@iana.org, nstld@verisign-grs.com,
    rcc@verisign.com, hostmaster@nsiregistry.net, ir@verisign.com,
    dcpolicy@verisign.com
    Subject: Complaint about Verisign abuse of DNS root zones

    A Letter of Complaint about actions undertaken by Verisign Incorporated
    on or about 9/13/03.

    Sent to the Internet Corporation of Assigned Names and Numbers and the
    Internet Assigned Number Authority.

    Doug Dumitru
    xxxxx xxxxxx xxxx Road
    xxxxxx xxxxxx, CA 9xxxx
    949 xxx-xxxx

    Dear sirs,

    As you are probably aware, Verisign is redirecting unregistered
    2nd-level domains in the .com and .net TLDs to a Verisign owned search
    engine. They are using a technique known as DNS wildcarding to
    accomplish this.

    I firmly believe that this is clearly an abuse of the DNS system, that
    it violates the technical requirements for domain lookups, that the
    results returned are fraudulent, and that this technical action only
    benefits Verisign at the expense of the rest of the internet population.

    I respectfully request that IANA and ICANN immediately take action
    against Verisign demanding that Verisign cease this fraudulent and
    damaging behaviour. Should Verisign refuse, I would recommend that IANA
    and/or ICANN (and/or the US government) take immediate action to revoke
    Verisign's contract to administer the .com and .net TLDs.

    I would also recommend that IANA and/or ICANN immediately pass "best
    practice" rules that prevent other TLDs and country-code domains from
    following in Verisign's deceptive footsteps. It is important that a
    "domain not found" error not be subverted into an advertising opportunity.

    Sincerely,
    Doug Dumitru
  • by wsloand (176072) on Monday September 15, 2003 @10:36PM (#6971175)
    It seems that they have effectively violated the ICANN Domain Name Dispute Policy [icann.org]: "circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration". They're definitely doing this to sell domains.

    Bill
  • by techstar25 (556988) <techstar25@@@cfl...rr...com> on Monday September 15, 2003 @10:40PM (#6971207) Homepage Journal
    I used VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones as the subject of the email. You could use something more original if you want.


    To whom it may concern,
    Verisign is committing a major injustice that cannot be allowed to continue. It is important ICANN consider what is best for the internet community as a whole and take proper action. Proper action would be to immediately stop this monopolistic behavior from Verisign.

    Please read below for more information taken from Slashdot.org:

    As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now result in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising.

    This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.

    Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.


    The internet belongs to everyone. It is not something that can be bought and sold by any one entity. Please put a stop to this behavior.

    Thank you.
    ---insert name here---
    ---insert city and state of residence here---
  • by Huusker (99397) on Monday September 15, 2003 @10:40PM (#6971212) Homepage
    This is so amazingly reckless and damaging that I don't know where to begin.

    A few hours ago I was trying to troubleshoot a lame delegation to another zone. It seemed to be working which puzzled me to no end. It turns out the lame DNS server was returning 64.94.110.11.

    Lame delegation is a very common phenomenon and (in the case of a typo) can often be diagnosed with NXDOMAIN being returned for the glue RR record. Never returning NXDOMAIN means that many types of lame delegation will no longer be caught.

    One of my peer zones had a typo'ed MX record. Before VeriSign's sabotage (yes, sabotage) the lookup of the corresponding address record would simply fail with NXDOMAIN. The source MTA would then try to deliver to the secondary MTAs on the list of MX records in order of priority. Mail delivery would proceed normally using the secondary MTA(s).

    However to my complete and utter astonishment, 64.94.110.11 has a working MTA listening on port 25 (why???). This means that any MX records with typos in the primary record will have all their e-mail redirected to VeriSign's MTA. Mail that would normally automatically be re-routed to the secondary MTA instead now gets bounced by Verisign's ''Snubby Mail Rejector Daemon v1.3''. Not returning NXDOMAIN will break mail delivery to secondary MTAs.

    And what about spam filters? It will break any spam filter that tries to verify that the source MTA hostname claimed in the HELO request is resolvable (i.e. that the claimed HELO name is not fictitious).

    I could probably list another half dozen problems if I thought about it. I can't believe the arrogance (read: stupidity) of this act.

    I can't wait to see the reaction from the backbone cabal on NANOG.
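
The two failure modes described in this comment, as an added example that is not part of the original post. The resolver is simulated and the names and 192.0.2.x address are constructed; only 64.94.110.11 comes from the article.

```python
SITEFINDER = "64.94.110.11"          # wildcard address quoted in the article
REGISTERED = {                       # constructed sample data
    "mail2.example.com": "192.0.2.25",
}
# The primary MX target has a typo in the domain part ("exmaple").
MX = {"example.com": [(10, "mail1.exmaple.com"), (20, "mail2.example.com")]}


def resolve(name, wildcard_active=True):
    """Simulated lookup: an address, or None for NXDOMAIN."""
    if name in REGISTERED:
        return REGISTERED[name]
    if wildcard_active and name.endswith((".com", ".net")):
        return SITEFINDER            # the wildcard answers every other name
    return None


def resolve_filtered(name):
    """Local policy: treat the wildcard address as NXDOMAIN."""
    addr = resolve(name)
    return None if addr == SITEFINDER else addr


def delivery_order(domain, lookup):
    """Addresses an MTA would try for `domain`, best preference first."""
    hosts = [host for _, host in sorted(MX[domain])]
    return [addr for addr in map(lookup, hosts) if addr is not None]


def helo_accepted(helo_name, lookup):
    """The spam check from the comment: the HELO name must resolve."""
    return lookup(helo_name) is not None


if __name__ == "__main__":
    pre = lambda n: resolve(n, wildcard_active=False)
    for label, lookup in (("before wildcard", pre), ("wildcard", resolve),
                          ("wildcard + filter", resolve_filtered)):
        print(label, delivery_order("example.com", lookup),
              helo_accepted("made-up-helo-name.com", lookup))
```

With the wildcard active the first delivery target is the wildcard host, so the real secondary is only reached if that host fails to answer.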

  • by Anonymous Coward on Monday September 15, 2003 @11:09PM (#6971408)
    If you run a nameserver and want to return NXDOMAIN instead of Verisign's IP, add this code to your named.conf if you are running BIND 9.2.2
    zone "11.110.94.64.in-addr.arpa" { type master; allow-query { none; }; };
    If you are running a version below 9.2.2 create a generic zonefile with contents such as
    $TTL 288000
    @ IN SOA localhost. root.localhost. 1 7200 3600 604800 600
    and use this line in named.conf instead
    zone "11.110.94.64.in-addr.arpa" { type master; file "generic.zone"; allow-query { none; }; };
  • by ziegast (168305) on Monday September 15, 2003 @11:11PM (#6971434) Homepage
    At my last check, only the "a", "c", and "d" COM servers are serving the global A record for *.COM.

    I am removing those broken nameservers from my root zone hints at all of the places that I administer. Hopefully enough root servers will remain clean of this aberration to keep up a good level of service.

    I encourage others everywhere to do the same and ask their ISPs to follow suit. If you don't play fairly with the public trust, the public should stop trusting you.

    If Verisign can hijack *.COM and *.NET, what is to keep resolving ISPs from hijacking unused domains at the resolver level to suit their own purposes?

    Where was the RFC on this practice? It would never have passed peer review.

    --
    Eric Ziegast
    Former TLD administrator.
    Former hostmaster at a major ISP.
  • by ddent (166525) on Monday September 15, 2003 @11:15PM (#6971467) Homepage
    Hi All,

    Took a look at their setup, and from what I can see, they have partnered with Overture to get their search results. Overture is a pay per click search engine, meaning advertisers bid to get to the top of the search results - anywhere from $0.10 to $50. Most arrangements involve Overture getting half of the bid, and VeriSign getting the other half.

    What this means is that they are making money (probably hundreds of thousands if not millions daily) from most of the searches you make.

    Topics which attract high bids (up to $50 per click, it is shocking) include online casinos, dedicated servers, refinancing, and a few others.

    I implore you all:

    If you want this to stop, please do not click on any of the search results from this 'search engine'. Doing so will contribute to the profit VeriSign will make from this. If you really really want to click on one of the listings please go to www.overture.com and get it directly from them.

    Other things we can do include:

    1) Putting them on the spam RBLs for spamming the entire internet. This will have the effect of blackholing them from some parts of the internet that drop packets based on those RBLs right at the router level.

    2) Encourage your vendors to modify their DNS server packages to change results for that IP to NXDOMAIN.

    3) Encourage your admins to run such modified DNS servers.
    • by okigan (534681) on Tuesday September 16, 2003 @01:39AM (#6972439)
      Actually I think you are totally right.

      The whole thing was done exactly with this
      purpose, but I think it can be used to break the
      system. If enough bots (and bots only)
      constantly "click" on the ads, their price will
      plummet. Since now they cannot tell if a person
      saw the ad, their "pay per click" becomes
      pointless. (and boy they will be mad when they find
      out they paid all that money for nothing)

      On the other hand if every slashdotter
      would ping the thing it would be way more fun.
      Come on everybody just type : ping 64.94.110.11
      (add -t if you are in windows)
  • by PghFox (453313) <afoxson@p o b o x . com> on Monday September 15, 2003 @11:54PM (#6971760) Homepage
    The North American Network Operators' Group [nanog.org] has two ongoing threads ('What *are* they smoking' [merit.edu] and 'Change to .com/.net behavior' [merit.edu]) with further discussion on this topic.
  • by CaptainCarrot (84625) on Tuesday September 16, 2003 @12:10AM (#6971869)
    From the website:

    VeriSign Worldwide Headquarters
    487 East Middlefield Road
    Mountain View, CA 94043
    Phone: 650-961-7500
    FAX: 650-961-7300

    Have fun!

  • Here's a neat idea: (Score:5, Informative)

    by pipeb0mb (60758) <pipeb0mb AT pipebomb DOT net> on Tuesday September 16, 2003 @12:34AM (#6972042) Homepage
    A fellow SA Goon (thatdog), pointed this out, and it could perhaps be a nice fun tool to screw with them...I'll quote his post over there:

    thatdog said:
    The most amusing part of this to me is they take whatever is passed in the url parameter and shove it into the html of their page, no questions asked. Remote scripting exploits will be ever so easy!

    If you don't get what I'm talking about, just check out this link [verisign.com].

    Would be fun to see redirects on major isps and backbones...or even forwarding to an alternate site hosted elsewhere with an explanation.
  • ICANN said no.... (Score:4, Informative)

    by chipster (661352) on Tuesday September 16, 2003 @12:54AM (#6972177)
    ...back in January, as you will read here:

    <http://www.icann.org/correspondence/iab-message-to-lynn-25jan03.htm> [icann.org]

    What happened? I STRONGLY URGE that complaints be made to ICANN and the US DoC...right now.

    This is so much worse than many folks think.

  • libverisignfix.c (Score:5, Informative)

    by Dwonis (52652) on Tuesday September 16, 2003 @01:24AM (#6972349)
    Try libverisignfix.c [slashdot.org]. It's an LD_PRELOAD hack to intercept gethostbyname, gethostbyname_r, and gethostbyname2_r. It doesn't intercept anything else (like getaddrinfo), but it works in Mozilla.
  • Anti-Trust violation (Score:5, Interesting)

    by kolding (55685) on Tuesday September 16, 2003 @01:53AM (#6972515)
    IANAL, but I dated one once, so take this for what it's worth. This appears to me to be a clear violation of anti-trust laws. Verisign is using their monopoly position as the root DNS to create business opportunities which are not available to others. Verisign can create a nearly infinite number of domains for free, and sell advertising on all those domains. Any of their competition would have to pay for those domains (in fact, would have to pay Verisign). If this isn't abuse of a monopoly position, nothing is. Somebody should sue them under the Sherman Anti-Trust act and get an immediate injunction against them.

    Eric
    eric at koldware dot SpamThisSucker dot com
  • What I did (Score:5, Interesting)

    by Piquan (49943) on Tuesday September 16, 2003 @01:57AM (#6972527)

    I've created a Squid redirector to deal with this problem. I tried to post it here, but couldn't get past the Slashdot lameness filter.

    It catches anything going to a gTLD's wildcard response (there's about 15 gTLDs doing this!) and redirects it to google. It also does some other niceties that don't automatically happen when using a proxy, such as adding www. and .org/.com/.net if needed.

    If anybody wants the code, then post a reply here and I'll set up a web page with it and post the URL. (I won't bother if nobody wants it.)

    You may want to know, also, that some of the NANOG folks have patches for BIND to change these responses back into NXDOMAIN.

  • by drx (123393) on Tuesday September 16, 2003 @02:22AM (#6972654) Homepage
    If you look for a file that doesn't exist on your hard drive, you will get ads for MS Office, telling you that you can create your own files with that!
  • by Cramer (69040) on Tuesday September 16, 2003 @02:35AM (#6972701) Homepage
    spacemeat:/# /usr/lib/sendmail -bt foo@foothefuckinghell.com
    foo@foothefuckinghell.com
    deliver to foo@foothefuckinghell.com
    router = lookuphost, transport = remote_smtp
    host foothefuckinghell.com [64.94.110.11]
    spacemeat:/# telnet 64.94.110.11 25
    Trying 64.94.110.11...
    Connected to 64.94.110.11.
    Escape character is '^]'.
    220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready
    QUIT
    221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
    221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
    Connection closed by foreign host.


    Umm, the fact that email is going to go there for every typo or expired domain opens up a great deal of legal trouble. They really haven't thought this out very well have they?

    (Even if it currently bounces everything. It still has to get there to be rejected. And there's nothing that says they aren't keeping it, reading it, or won't do so in the future.)
    • by Cramer (69040) on Tuesday September 16, 2003 @03:55AM (#6972970) Homepage
      Oh, and what happens when that address is unreachable, down, DoSed, or whatever... your mail will sit in the queue for some configured amount of time with zero indication of the user's error.

      Remedy:
      1) blackhole that IP - PERMANENTLY. (blacklist their entire IP assignment(s))
      2) modify bind to return NXDOMAIN for any query containing that IP.
      3) make aforementioned modification a configuration option (list) thus making it easy to adjust when the assh^W^Wthey change the address.
      4) add my own choice wildcard entries :-)
      5) kill every living thing at Verisign/Network Solutions even remotely involved with this bullshit (as an example to others who have not learned to participate in a civilized society.)

      There's a real big difference between me adding *.bar.com and someone adding *.com.. The wildcard record was originally intended to reduce the number of records -- specifically to negate the need for an MX record for every host. And honestly, it's never worked to anyone's satisfaction (e.g. the ability to send email to bob@[censored].bar.com)
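
One way to keep the address list from item 3 current, as an added example rather than code from the thread or a BIND patch: probe each TLD with random labels and treat an address that answers all of them as that TLD's wildcard. The stub resolver, the sample names and the 192.0.2.x and 198.51.100.x addresses are constructed; a live deployment would pass in a function that wraps a real lookup and returns None on NXDOMAIN.

```python
import secrets


def learn_wildcards(lookup, tlds, probes=3):
    """Return {tld: address} for every TLD that answers random names."""
    found = {}
    for tld in tlds:
        answers = set()
        for _ in range(probes):
            # 32 random hex characters: assumed not to be a registered name.
            answers.add(lookup(f"{secrets.token_hex(16)}.{tld}"))
        # Every probe resolved, and all to the same address: a wildcard.
        if len(answers) == 1 and None not in answers:
            found[tld] = answers.pop()
    return found


def domain_exists(name, lookup, wildcards):
    """Sender-domain check that ignores wildcard answers."""
    addr = lookup(name)
    tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
    return addr is not None and addr != wildcards.get(tld)


def make_stub(registered, wildcard_by_tld):
    """Constructed stand-in for a resolver so the example runs offline."""
    def lookup(name):
        if name in registered:
            return registered[name]
        return wildcard_by_tld.get(name.rsplit(".", 1)[-1])
    return lookup


# Constructed data: STUB models the zones as described in the article,
# MOVED models the operator switching the wildcard to a new address.
REGISTERED = {"somecompany.com": "192.0.2.10", "example.org": "192.0.2.20"}
STUB = make_stub(REGISTERED, {"com": "64.94.110.11", "net": "64.94.110.11"})
MOVED = make_stub(REGISTERED, {"com": "198.51.100.7", "net": "198.51.100.7"})

if __name__ == "__main__":
    for lookup in (STUB, MOVED):
        wc = learn_wildcards(lookup, ["com", "net", "org"])
        print(wc, domain_exists("soemcompany.com", lookup, wc),
              domain_exists("somecompany.com", lookup, wc))
```

A registered domain that happens to be hosted on the wildcard address itself would also be reported as nonexistent, so the learned list should be reviewed before it is used to reject mail.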
  • web.archive.org (Score:5, Interesting)

    by Specialist2k (560094) <slashdot-200408.10.spezi@spamgourmet.com> on Tuesday September 16, 2003 @06:26AM (#6973504)
    Did Verisign even think when they implemented SiteFinder?

    One of many problems is that web.archive.org [archive.org] will honor the /robots.txt of any host and remove that host from its archive. So, sooner or later, the archive of all formerly (and currently no longer) registered domains will be gone...

  • by Fastolfe (1470) on Tuesday September 16, 2003 @10:22AM (#6974993)
    So if a script kiddie out there is trying to test his hostname parsing code in his latest DDoS tools, and tries to use a hostname that he knows doesn't exist, would he be liable for the damage his scriptz cause when that hostname actually does resolve to a Verisign IP address?

    It really sounds like Verisign wants traffic destined for every mistyped or invalid hostname. I say let them have it. Surely they're aware that the Internet is not just the web.
  • Clue-by-four (Score:5, Informative)

    by David Gerard (12369) <slashdot@@@davidgerard...co...uk> on Tuesday September 16, 2003 @01:02PM (#6976905) Homepage
    From: Martin A. Brooks
    Reply-To: uknot@uk.com
    To: uknot@uk.com
    Subject: [uknot] Cluebyfour verisign HOWTO for the UK
    Date: Tue, 16 Sep 2003 11:32:55 +0100

    Call 0800-032-2101 and select option 2 for Support.

    Explain to the engineer that you have typed in a non-existent domain name and
    been directed to their sitefinder service.

    Explain that you have read the "Terms of Use" and do not agree to abide by
    them.

    Explain that, as you don't agree to the ToU, you are explicitly forbidden from
    using their service.

    Ask them to exclude your IP block from those that will be given the sitefinder
    IP rather than NXDOMAIN.

    Give them your name, company (if appropriate) and a contact telephone number.

    US and Canada: The contact page number is 888-642-9675. Apparently they will also refer you to 866-345-0330 (which isn't listed on that page), but you should of course check the number given on their official contact page and call that first. The postal address is VeriSign, Inc., Attention: Legal Department, 21355 Ridgetop Circle, Dulles, VA 20166, USA.
