Resolving Everything: VeriSign Adds Wildcards 1291
"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)
This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.
Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.
VeriSign has published white papers about their implementation and also made some recommendations."
wonder of wonders (Score:5, Interesting)
search page that comes up at the
verisign site to search for "register" we find at the top of the
list a link to networksolutions.com (a verisign company). we also
note that searching for the same word at google [google.com]
does not result in that site being present in at least the first four pages of results.
yeah - thats a real useful search tool verisign has there - thanks so much.
How can we undo this? (Score:3, Interesting)
network operators are pissed at this (Score:5, Interesting)
Shorting Microsoft (prepare for battle) (Score:5, Interesting)
I always thought that a revolting misuse of monopoly power and I use Mozilla exclusively now (that was one of the primary reasons I switched, tho not the only one).
Prepare for Microsoft to be EXTREMELY UPSET. MSN's search count will be cut in 1/4 by this move too.
Watch for it.
Stewey
The ultimate domain squatter? (Score:3, Interesting)
If Verisign somehow was incharge of POP3, then a wrong user name or wrong password would still log you in, but into a dummy account with spam for you to read.
patches? (Score:5, Interesting)
Re:wonder of wonders (Score:5, Interesting)
Hmm, cross-site scripting. Seems harmless enough, but I wonder if VeriSign stores anything important in the verisign.com cookie...
Mail trap (Score:5, Interesting)
Also, you'll note the cookies that 'sitefinder' sends out, so they can uniquely track any traffic to that site. Also a fun subpoena opportunity. And did you read the fun terms of service that they claim you agree to by 'choosing to visit' their site?
I doubt this will stand. I certainly know that, as a major ISP executive, we'll be reviewing our business with Verisign.
A place for all those bad email addresses (Score:3, Interesting)
No, I'm not suggesting that anybody intentional do this. What kind of person do think I am?
Re:Wildcards aren't resolving for me.... (Score:2, Interesting)
# telnet dkfjdfkjdkfjdkjf.com 80
telnet: dkfjdfkjdkfjdkjf.com: Name or service not known
dkfjdfkjdkfjdkjf.com: Unknown host
# telnet www.dkfjdfkjdkfjdkjf.com 80
Trying 64.94.110.11...
Connected to www.dkfjdfkjdkfjdkjf.com.
Escape character is '^]'.
^]
telnet> q
Connection closed.
#
Who is going to be the first to hack it? (Score:5, Interesting)
Host sitefinder.verisign.com (12.158.80.10) appears to be up
Initiating SYN Stealth Scan against sitefinder.verisign.com (12.158.80.10) at 06
:36
Adding open port 80/tcp
The SYN Stealth Scan took 94 seconds to scan 1643 ports.
Warning: OS detection will be MUCH less reliable because we did not find at lea
st 1 open and 1 closed TCP port
For OSScan assuming that port 80 is open and port 36304 is closed and neither ar
e firewalled
For OSScan assuming that port 80 is open and port 43206 is closed and neither ar
e firewalled
For OSScan assuming that port 80 is open and port 44655 is closed and neither ar
e firewalled
Interesting ports on sitefinder.verisign.com (12.158.80.10):
(The 1642 ports scanned but not shown below are in state: filtered)
Port State Service
80/tcp open http
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=3.28%P=i386-portbld-freebsd
TSeq(Class=TR
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags
T1(Resp=Y%DF=Y%W=16D0%ACK=S++%Fla
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16D0%
T4(Resp=Y%DF=Y%W=0%ACK=
T5(Resp=N)
T6(Resp=N)
T7(Resp=N
PU(Resp=N)
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: 673A4C36 652AB817 BBE534C3 685BB54A
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 137.552 seconds
Re:How can we undo this? (Score:4, Interesting)
Terms of Use (Score:5, Interesting)
So, by mistyping a domain name, I've entered into a legal agreement with Verisign? And the only way to get out of it is to not use the internet?
The only address on the page is their legal department's postal address, at
VeriSign, Inc.
Attention: Legal Department
21355 Ridgetop Circle
Dulles, VA 20166
I guess I'll be sending them a nice letter. As soon as I figure out what legal recourse I actually have.
Re:Shorting Microsoft (prepare for battle) (Score:5, Interesting)
HOWEVER, you can bet that MS and AOL and everyone else who does something interesting and useful with HTTP queries that look for bad domain names (like some ISP's that have proxies for users and some companies that have proxies for employers) will be pissed off. Different people like to do different things with their NXDOMAIN responses, and Verisign has just made sure that a lot of those responses never happen and that only Verisign gets to choose what the user sees instead.
There essentially are no more unregistered
Boycott the root servers (Score:2, Interesting)
This is outrageous, and despite what they say, is completely in violation of internet standards and best practices.
Re:How can we undo this? (Score:4, Interesting)
Unfortunately, the rep that answered the phone was unable to help, he said that he works for Network Solutions, and can only help with domain registration issues, and that the Verisign parent company runs the root nameservers. He was unable to give me a contact number for Verisign. However, you may want to try calling this number yourself to see if maybe a different rep has the contact number for Verisign.
I did a whois on the verisign.com domain, and came up with the main contact number for Verisign: 650-961-7500, but it's been ringing for the past 5 minutes, with no answer. One would think that they would have an automated voice-response system on their main number, so I think that they are being innudated with calls.
Bisso giveth, Verisign taketh (Score:2, Interesting)
Re:Boycott the root servers (Score:3, Interesting)
Ask and ye shall receive:
OpenNIC [unrated.net]
Don't worry, it resolves on verisign's servers (for now).
Re:How Long... (Score:5, Interesting)
My mother is visually impared. She was trying to go to www.biblegateway.com, but she went to www.gatewaybible.com. sacreligious scum.
It's hard for her to find the stupid MODAL popup windows when she is using a screen magnifier and the whole screen is not even showing...
A DNS error would have been MUCH nicer. She would not have even called me costing my employer productivity. Currently I know somebody is wasting money on those parked domains. This verisign situation is just sad.
OpenNIC anyone? (Score:2, Interesting)
Wasn't OpenNIC [unrated.net] created to prevent exactly this kind of abuse? People might just start using them if VeriSign carries on in this manner...
It sounds a whole lot better than the current system to me...
This isn't all bad... (Score:2, Interesting)
1) Setup an internal web server and redirect all traffic to 64.94.110.11 to this box that says something, you have misstyped something...
2) I will enable reverse lookups and anything coming from 64.94.110.11 will be considered spam.
Won't affect my users and might help a LITTLE bit with spam.
Re:That's it. (Score:3, Interesting)
Internet Death Penalty.
End of Story
Now, the problem is, most individuals are unwilling to go that far. Me, I have no problem---I think the IDP should be used more often than it is.
*.verisign.com, (plus all associated ip addresses).
*.sco.com (and all SCO related addresses (ip/names).
Everyone will need to switch to OpenNIC, or something else, first.
Closer to possible political reality, switch to OpenNIC, and get all your friends to switch to OpenNIC.
Re:wonder of wonders (Score:1, Interesting)
We didn't find: "mis-spelled site"
Did You Mean?
and here comes possible right sites.
I think it is even more usefull than: DNS not found !!!!
For your spam check (sender domain must resolve): Spamers have learnt that error and use anyway a resolveable domain name.
ronald@elmit.com
E-mail (Score:5, Interesting)
Just to see what would happen, I just tried sending an e-mail to <testuser@slashdoct.com>. Would they bounce the message? If so what would the error message look like? If they didn't bounce it, would they just keep it? Read it? Inquring minds want to know!
Well it bounced:
The original message was received at Mon, 15 Sep 2003 21:06:55 -0500 (CDT)
... while talking to slashdoct.com.:
from [myhost.mydomain] [xxx.xxx.xxx.xxx]
----- The following addresses had permanent fatal errors -----
<testuser@slashdoct.com>
(reason: 550 User domain does not exist.)
----- Transcript of session follows -----
>>> RCPT To:<testuser@slashdoct.com>
<<< 550 User domain does not exist.
550 5.1.1 <testuser@slashdoct.com>... User unknown
Reporting-MTA: dns; [myhost.mydomain]
Received-From-MTA: DNS; [myhost.mydomain]
Arrival-Date: Mon, 15 Sep 2003 21:06:55 -0500 (CDT)
Final-Recipient: RFC822; testuser@slashdoct.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; slashdoct.com
Diagnostic-Code: SMTP; 550 User domain does not exist.
Last-Attempt-Date: Mon, 15 Sep 2003 21:06:56 -0500 (CDT)
And: >telnet www.slashdoct.com 25
Trying 64.94.110.11...
Connected to www.slashdoct.com.
Escape character is '^]'.
220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
quit
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
>
Snubby Mail Rejector???
Re:Contact ICANN comments@icann.org (Score:3, Interesting)
Yeah, bravo. The idea is alright, but suggesting it to the bagillion
What is this, better living through DDoS?
An open letter of complaint (Score:5, Interesting)
rcc@verisign.com, hostmaster@nsiregistry.net, ir@verisign.com,
dcpolicy@verisign.com
Subject: Complaint about Versign abuse of DNS root zones
A Letter of Complaint about actions undertaken by Verisign Incorporated
on or about 9/13/03.
Sent to the Internet Corporation of Assigned Names and Numbers and the
Internet Assigned Number Authority.
Doug Dumitru
xxxxx xxxxxx xxxx Road
xxxxxx xxxxxx, CA 9xxxx
949 xxx-xxxx
Dear sirs,
As you are probably aware, Verisign is redirecting unregistered
2nd-level domains in the
engine. They are using a technique known as DNS wildcarding to
accomplish this.
I firmly believe that this is clearly an abuse of the DNS system, that
it violates the technical requirements for domain lookups, that the
results returned are fraudulent, and that this technical action only
benefits Verisign at the expense of the rest of the internet population.
I respectfully request that IANA and ICANN immediately take action
against Verisign demanding that Verisign cease this fraudulent and
damaging behaviour. Should Verisign refuse, I would recommend that IANA
and/or ICANN (and/or the US government) take immediate action to revoke
Verisign's contract to administer the
I would also recommend that IANA and/or ICANN immediately pass "best
practice" rules that prevent other TLDs and country-code domains from
following in Verisign's deceptive footsteps. It is important that a
"domain not found" error not be subverted into an advertising opportunity.
Sincerely,
Doug Dumitru
Terms of use (Score:2, Interesting)
Use of the VeriSign Services. You agree not to use the VeriSign Services in any manner that is unlawful, or in any manner that could damage, disable, impair or otherwise interfere with another party's enjoyment and use of the VeriSign Service. You may not manipulate or attempt to gain unauthorized access to our website or systems or any websites or systems connected through our website through hacking, password mining or any other means. Modification by VeriSign. At any time VeriSign may modify or terminate these terms of use, its websites and the VeriSign Services and may at any time discontinue your use of the VeriSign Services without any notice to you, and without liability to you, any other user or any third party. Please review these Terms of Use from time to time so that you will be aware of any changes. Your continued use of the VeriSign Services constitutes your agreement to all such terms, conditions, and notices.
A "terms of service" section on a website people don't reach voluntarily?
Complain to Verisign as well (Score:5, Interesting)
authenticode-support@verisign.com,
billing@ver
channel-partners@verisign.com,
client
consultingsolutions@verisign.co
dbms-support@verisign.com,
dcpolicy@verisign.
digitalbranding@verisign.com,
dnssales@veris
enterprise-pkisupport@verisign.com,
ent
info@verisign-gr
internetsales@verisign.com,
IR@verisign.c
jobs@verisign.com,
mss@verisign.com,
object
paymentsales@verisi
practices@verisign.com,
premiersupport@n
press@verisign.com,
privacy
renewal@verisign.com,
sup
verisales@verisign.com,
vps-s
vts-csrgroup@verisign.com,
webhelp@verisign.com,
websitesupport@verisi
Re:Complain to ICANN *NOW* (Score:5, Interesting)
Verisign has continually been abusing the power that has been handed out to them. Two such examples are its mailing of false renewal notices, and its most recent exploit: sitefinder.verisign.com. Now, nearly all mistyped names will be sent to Verisign where they can do whatever they like to the unwitting user. There are even categories on sitefinder.verisign.com where one can browse and go to sites which are undoubtedly paying Verisign for the space.
Please take this, and the hundreds or thousands of e-mails you will receive, into consideration, and exercise the power that ICANN has. Verisign has continually been abusing and tricking people through deceptive business practices, and this should be the last straw. Verisign should not only be removed from it's post, but it should also be fined for its numerous escapades designed to make money.
Sincerely,
Michael B****
I've got to wonder: where do they come up with such evil ideas? Verisign must have a beowulf cluster of insensitive clods...
Re:Strike Back with Poor Typing (Score:3, Interesting)
VeriSign is doing the correct thing with regards to SMTP. Not answering will cause the sending mail server to hold the mail in the queue for the queue lifetime (usually a week). Rejecting mail with a 550 causes it to bounce immediately. This is the desired behavior.
Re:Who is going to be the first to hack it? (Score:1, Interesting)
Of course this brings up the other side of things... what if you ARE doing security checks for some company and you DO type in the domain name wrong by accident...
Re:wonder of wonders (Score:5, Interesting)
Now, I'm not suggesting anybody do this, I'm just asking the question.
Violation of ICANN Policy (Score:5, Interesting)
Bill
Easy Cheasy DDoS? (Score:2, Interesting)
Re:E-mail (Score:5, Interesting)
Preliminary BIND 8 patch (Score:5, Interesting)
Preliminary (as in, it seems to work for me) BIND 8 patch that I just cooked up available here [achurch.org].
Re:Uhm... (Score:2, Interesting)
Remember this come with a big smiley! And kids don't try this at home, it just might piss of google. And I don't want to see what happens when google starts bitch slappin' VeriSign.
Alternative: Open DNS (Score:1, Interesting)
There are so many problems with the current system that it's begging to be replaced. Corporations basically stealing domains from individuals who got there first. Incompetant corporations like verisign getting rich off of doing almost nothing.
What's more, the OpenDNS system could be much more accomodating with rolling out more progressive TLD's. Move beyond
Re:Security Geniuses (Score:3, Interesting)
Besides, I have no doubt they'll fix this shortly. The point is that this shows the level of incompetence at Verisign. We can look forward to them demonstrating this again and again as their marketing department canibalizes key elements of Internet infrastructure into minor profit opportunities for the company.
Boycott Thawte (Verisign's SSL subsidiary) (Score:5, Interesting)
If you have SSL certificates from Thawte [thawte.com] (a subsidiary of Verisign), you can send them a message today.
Email your Thawte rep to explain why you or, better yet, your huge organization :) won't be renewing your certificates with Thawte.
You can tell them "it's a trust thing" (their own motto).
Re:The damage is already beginning (Score:2, Interesting)
I'm curious about this. According to RFC 2821, section 5, an A record is only used for mail delivery if there are no MX records for the name. If there are multiple MX records and the first is broken, shouldn't the MTA immediately try the subsequent MX records, rather than using the A record?
I'm not correcting you, I'm asking, since you seem to know what you're talking about and I don't have real-world experience with "serious" DNS administration.
Re:The damage is already beginning (Score:1, Interesting)
Do not leave it is not real. (Score:3, Interesting)
OK fellow geeks, I am seeing alot of ranting about clogging mail server queues with typos and the like, let's go over this a little more in depth:
So perhaps it's not that bad. Port designations aren't sent with DNS queries, though, which makes this a bit puzzling. At least if it's true your mail queue wont' clog. Anyone with more experience in the area care to elaborate/prove it wrong? Not looking for a flame war, but a little scientific method.
Anti-Trust violation (Score:5, Interesting)
Eric
eric at koldware dot SpamThisSucker dot com
What I did (Score:5, Interesting)
I've created a Squid redirector to deal with this problem. I tried to post it here, but couldn't get past the Slashdot lameness filter.
It catches anything going to a gTLD's wildcard response (there's about 15 gTLDs doing this!) and redirects it to google. It also does some other niceties that don't automatically happen when using a proxy, such as adding www. and .org/.com/.net if needed.
If anybody wants the code, then post a reply here and I'll set up a web page with it and post the URL. (I won't bother if nobody wants it.)
You may want to know, also, that some of the NANOG folks have patches for BIND to change these responses back into NXDOMAIN.
Re:I'm voting with my feet. Bye bye Verisign. (Score:2, Interesting)
I got one for each of my domains I moved to a new registrar a year or so ago after I finally got irked enough with Verisign to move.
Now I get my domains MUCH cheaper and the new registrar is miles better then Verisign ever was.
Add IMG SRC Tags Pointing to Bogus Domains!? (Score:3, Interesting)
Before someone says this is a DoS...remember, the mere reference of a domain name is not a DoS...especially when said domain name is unregistered and in addition contains OUR extremely unique registered service/trade marks
Welcome thoughts...
Ron
Legal degree from Play Skool? (Score:4, Interesting)
foo@foothefuckinghell.
deliver to foo@foothefuckinghell.com
router = lookuphost, transport = remote_smtp
host foothefuckinghell.com [64.94.110.11]
spacemeat:/# telnet 64.94.110.11 25
Trying 64.94.110.11...
Connected to 64.94.110.11.
Escape character is '^]'.
220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready
QUIT
221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
Umm, the fact that email is going to go there for every typo or expired domain opens up a great deal of legal trouble. They really haven't thought this out very well have they?
(Even if it currently bounces everything. It still has to get there to be rejected. And there's nothing that says they aren't keeping it, reading it, or won't do so in the future.)
Spam Senders Dreams Have come True (Score:1, Interesting)
From: sexkitten@ihadsexatverizonswebsite.com
Message-ID: 20030915.9ie4s@ihadsexatverizonswebsite.com
Subject: Hi!
UDRP violation. (Score:2, Interesting)
Think about it. You can't register a trademark or similarly "owned" name unless you own the trademark. If you do, the UDRP process will yank it away from you and give it over to the "real" owner. So any company can now file a claim against verisign for any trademark they haven't bothered to buy the domain for, or have let lapse, because now it resolves to verisign, and verisign is clearly using it to make money. Before you can say "corporate stooge arbitration", verisign will have to fork over any trademarks to the companies that own them.
Re:Here's a neat idea: (Score:2, Interesting)
I have to ask what is possibly a stupid question...
Is it possible to get the Versign website to DDOS itself? If the server uses server side includes then it can include itself? Would it stop if the client stopped requesting the page or would it keep looping until it maxed out the server threads?
Or, if not server side include, a javascript 'wget' maybe, but that's client side.
Others are doing it too (Score:3, Interesting)
To me it's a stupid tactic to make more money. But I've moved all 50 of my domains away from Verisign a long time ago anyways.
web.archive.org (Score:5, Interesting)
One of many problems is that web.archive.org [archive.org] will honor the /robots.txt of any host and remove that host from its archive. So, sooner or later, the archive of all formerly (and currently no longer) registered domains will be gone...
Time to replace verisign? (Score:3, Interesting)
But if enough ISP's or other people with big servers are infuriated by this, why not create a new set of root DNS servers (that get their data from the verisign ones, but filter out the * records), and then replace the current list of root servers in the bind config files with the new ones? No paching of bind, and verisign would learn a nice lesson.
Re:Contact ICANN comments@icann.org (Score:1, Interesting)
"76. It is noted that ICANN's Statement of Registrar Accreditation Policy requires accredited registrars to provide public access on a real-time basis (such as by way of a Whois service) to the contact details which it is recommended, above, be required to be provided by a domain name registrant 54."
-- The Availability Of Contact Details, The Management Of InterNet Names And Addresses: Intellectual Property Issues, World Intellectual Property Organisation, http://wipo2.wipo.int/process1/report/finalreport
They're grabbing SMTP Traffic, too. (Score:1, Interesting)
Wonder what's going to happen to *those*...?
Andre Opperman fixes this in qmail and qmail-ldap (Score:2, Interesting)
Re:Complaint submitted - the text(error-corrected) (Score:3, Interesting)