Resolving Everything: VeriSign Adds Wildcards

DragonHawk writes "As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now results in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising." Read on below for some more information.

"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)

This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.

Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.

VeriSign has published white papers about their implementation and also made some recommendations."

wonder of wonders

[wherley]

what are the chances - using the [verisign.com]
search page that comes up at the
verisign site to search for "register" we find at the top of the
list a link to networksolutions.com (a verisign company). we also
note that searching for the same word at google [google.com]
does not result in that site being present in at least the first four pages of results.

yeah - thats a real useful search tool verisign has there - thanks so much.

How can we undo this?

[Anonymous Coward]

Anyone have any information on whom to contact to put an end to this absurdity?

network operators are pissed at this

[mdouglas]

expect that ip to get null routed by the backbone carriers real fast.

Shorting Microsoft (prepare for battle)

[StewedSquirrel]

Doesn't this this short-circuit Microsoft's attempt to capture ad revinue from all mis-typed domains through their Internet Explorer?

I always thought that a revolting misuse of monopoly power and I use Mozilla exclusively now (that was one of the primary reasons I switched, tho not the only one).

Prepare for Microsoft to be EXTREMELY UPSET. MSN's search count will be cut in 1/4 by this move too.

Watch for it.

Stewey

The ultimate domain squatter?

[Eric_Cartman_South_P]

Isn't this what domain squatting is? Now, EVERY single variation of a name is squatted, barring the few similar names that are legit. Crazy.

If Verisign somehow was incharge of POP3, then a wrong user name or wrong password would still log you in, but into a dummy account with spam for you to read.

patches?

[Pathwalker]

I wonder how long it will be before there are patches for BIND/dnscache/etc. to remap any result containing 64.94.110.11 to a "record not found" result?

Re:wonder of wonders

[bobthemonkey13]

More fun with sitefinder.verisign.com [verisign.com]

Hmm, cross-site scripting. Seems harmless enough, but I wonder if VeriSign stores anything important in the verisign.com cookie...

Mail trap

[piyamaradus]

This also traps all mail sent TO a non-existent domain. Since all RFC-compliant mail servers will follow up a negative MX response with an A lookup and connect to that IP, if you send mail to a bogus domain, it goes to verisign's server, which (currently) bounces it. Imagine the fun the federal government can have subpoena'ing those logs.

Also, you'll note the cookies that 'sitefinder' sends out, so they can uniquely track any traffic to that site. Also a fun subpoena opportunity. And did you read the fun terms of service that they claim you agree to by 'choosing to visit' their site?

I doubt this will stand. I certainly know that, as a major ISP executive, we'll be reviewing our business with Verisign.

A place for all those bad email addresses

[scruffy]

A lot of email addresses are modified to include "SPAM" or some other word so that they can't be easily spammed. Now all those emails using these addresses have someplace to go. And as long the from address is spoofed to a nonexistent .com or .net domain, then they'll give Verisign something to do.

No, I'm not suggesting that anybody intentional do this. What kind of person do think I am?

Re:Wildcards aren't resolving for me....

[markov_chain]

It looks like only "www.*.com" resolve this way. Try adding "www" to the front.


# telnet dkfjdfkjdkfjdkjf.com 80
telnet: dkfjdfkjdkfjdkjf.com: Name or service not known
dkfjdfkjdkfjdkjf.com: Unknown host
# telnet www.dkfjdfkjdkfjdkjf.com 80
Trying 64.94.110.11...
Connected to www.dkfjdfkjdkfjdkjf.com.
Escape character is '^]'.
^]
telnet> q
Connection closed.
#

Who is going to be the first to hack it?

[Istealmymusic]

Starting nmap 3.28 ( www.insecure.org/nmap/ ) at 2003-09-15 06:36 PDT
Host sitefinder.verisign.com (12.158.80.10) appears to be up ... good.
Initiating SYN Stealth Scan against sitefinder.verisign.com (12.158.80.10) at 06
:36
Adding open port 80/tcp
The SYN Stealth Scan took 94 seconds to scan 1643 ports.
Warning: OS detection will be MUCH less reliable because we did not find at lea
st 1 open and 1 closed TCP port
For OSScan assuming that port 80 is open and port 36304 is closed and neither ar
e firewalled
For OSScan assuming that port 80 is open and port 43206 is closed and neither ar
e firewalled
For OSScan assuming that port 80 is open and port 44655 is closed and neither ar
e firewalled
Interesting ports on sitefinder.verisign.com (12.158.80.10):
(The 1642 ports scanned but not shown below are in state: filtered)
Port State Service
80/tcp open http
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=3.28%P=i386-portbld-freebsd5 .1%D=9/15%Time=3F65C0E9%O=80%C=-1)
TSeq(Class=TR% IPID=Z%TS=U)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags= AS%Ops=MNNTNW)
T1(Resp=Y%DF=Y%W=16D0%ACK=S++%Flag s=AS%Ops=MNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16D0%A CK=S++%Flags=AS%Ops=MNW)
T4(Resp=Y%DF=Y%W=0%ACK=O %Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: 673A4C36 652AB817 BBE534C3 685BB54A
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 137.552 seconds

Re:How can we undo this?

[pirodude]

ICANN and DoJ

Terms of Use

[creidieki]

So let me get this straight. A site I didn't ask to go to has a Terms of Use which says that my sole remedy is to discontinue use of "The Verisign Services".

So, by mistyping a domain name, I've entered into a legal agreement with Verisign? And the only way to get out of it is to not use the internet?

The only address on the page is their legal department's postal address, at

VeriSign, Inc.
Attention: Legal Department
21355 Ridgetop Circle
Dulles, VA 20166

I guess I'll be sending them a nice letter. As soon as I figure out what legal recourse I actually have.

Re:Shorting Microsoft (prepare for battle)

[wkcole]

The IE rediect to the MSN search mess is configurable: you can turn it off AND turn off the stupid useless 'all errors are one thing' error page and make IE actually give you something useful, at least with IE 5.5 and 6.

HOWEVER, you can bet that MS and AOL and everyone else who does something interesting and useful with HTTP queries that look for bad domain names (like some ISP's that have proxies for users and some companies that have proxies for employers) will be pissed off. Different people like to do different things with their NXDOMAIN responses, and Verisign has just made sure that a lot of those responses never happen and that only Verisign gets to choose what the user sees instead.

There essentially are no more unregistered .(com|net) domains. Verisign has just in effect registered all unregistered domains in those TLD's and pointed them at their own little cash-spinner.

Boycott the root servers

[Famanoran]

I vote that we all boycott the VeriSign root-servers, and setup an international non-profit agency to maintain new non-commercially-run root servers.

This is outrageous, and despite what they say, is completely in violation of internet standards and best practices.

Re:How can we undo this?

[r_weaver]

I checked their site [verisign.com], and found a Domain Names & Related Services contact number (888-642-9675), and gave it a try.

Unfortunately, the rep that answered the phone was unable to help, he said that he works for Network Solutions, and can only help with domain registration issues, and that the Verisign parent company runs the root nameservers. He was unable to give me a contact number for Verisign. However, you may want to try calling this number yourself to see if maybe a different rep has the contact number for Verisign.

I did a whois on the verisign.com domain, and came up with the main contact number for Verisign: 650-961-7500, but it's been ringing for the past 5 minutes, with no answer. One would think that they would have an automated voice-response system on their main number, so I think that they are being innudated with calls.

Bisso giveth, Verisign taketh

[tugrul]

Its odd given that we just found out [slashdot.org] spelling isn't *that* important =P

Re:Boycott the root servers

[WhiteWolf666]

Done.

Ask and ye shall receive:

OpenNIC [unrated.net]

Don't worry, it resolves on verisign's servers (for now).

Re:How Long...

[dnoyeb]

This happened to my mother just yesterday. She calls me complaining about "my computer has a virus!" I countered that their was no way her computer could know. This went on for a while..

My mother is visually impared. She was trying to go to www.biblegateway.com, but she went to www.gatewaybible.com. sacreligious scum.

It's hard for her to find the stupid MODAL popup windows when she is using a screen magnifier and the whole screen is not even showing...

A DNS error would have been MUCH nicer. She would not have even called me costing my employer productivity. Currently I know somebody is wasting money on those parked domains. This verisign situation is just sad.

OpenNIC anyone?

[efti]

Wasn't OpenNIC [unrated.net] created to prevent exactly this kind of abuse? People might just start using them if VeriSign carries on in this manner...

"The OpenNIC is a user owned and controlled Network Information Center offering a democratic, non-national, alternative to the traditional Top-Level Domain registries.

"Users of the OpenNIC DNS servers, in addition to resolving host names in the Legacy U.S. Government DNS, can resolve host names in the OpenNIC operated namespaces as well as in the namespaces with which we have peering agreements (at this time those are AlterNIC and The Pacific Root).

"Membership in the OpenNIC is open to every user of the Internet. All decisions are made either by a democratically elected administrator or through a direct ballot of the interested members and all decisions, regardless of how they are made, within OpenNIC are appealable to a vote of the general membership."

It sounds a whole lot better than the current system to me...

This isn't all bad...

[Sikmaz]

When I get into work tomorrow I will do two things:

1) Setup an internal web server and redirect all traffic to 64.94.110.11 to this box that says something, you have misstyped something...

2) I will enable reverse lookups and anything coming from 64.94.110.11 will be considered spam.

Won't affect my users and might help a LITTLE bit with spam.

Re:That's it.

[WhiteWolf666]

Well, I know of ONE way....

Internet Death Penalty.

End of Story

Now, the problem is, most individuals are unwilling to go that far. Me, I have no problem---I think the IDP should be used more often than it is.

*.verisign.com, (plus all associated ip addresses).

*.sco.com (and all SCO related addresses (ip/names).

Everyone will need to switch to OpenNIC, or something else, first.

Closer to possible political reality, switch to OpenNIC, and get all your friends to switch to OpenNIC.

Re:wonder of wonders

[Anonymous Coward]

I think it is not sooo bad that it resolves to an existing page. It is not just an ad of Verisign, it shows in the first line:

We didn't find: "mis-spelled site" ...
Did You Mean?

and here comes possible right sites.

I think it is even more usefull than: DNS not found !!!!

For your spam check (sender domain must resolve): Spamers have learnt that error and use anyway a resolveable domain name.

ronald@elmit.com

E-mail

[jdunlevy]

Just to see what would happen, I just tried sending an e-mail to <testuser@slashdoct.com>. Would they bounce the message? If so what would the error message look like? If they didn't bounce it, would they just keep it? Read it? Inquring minds want to know!

Well it bounced:

The original message was received at Mon, 15 Sep 2003 21:06:55 -0500 (CDT)
from [myhost.mydomain] [xxx.xxx.xxx.xxx]

----- The following addresses had permanent fatal errors -----
<testuser@slashdoct.com>
(reason: 550 User domain does not exist.)

----- Transcript of session follows -----
... while talking to slashdoct.com.:
>>> RCPT To:<testuser@slashdoct.com>
<<< 550 User domain does not exist.
550 5.1.1 <testuser@slashdoct.com>... User unknown

Reporting-MTA: dns; [myhost.mydomain]
Received-From-MTA: DNS; [myhost.mydomain]
Arrival-Date: Mon, 15 Sep 2003 21:06:55 -0500 (CDT)

Final-Recipient: RFC822; testuser@slashdoct.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; slashdoct.com
Diagnostic-Code: SMTP; 550 User domain does not exist.
Last-Attempt-Date: Mon, 15 Sep 2003 21:06:56 -0500 (CDT)

And: >telnet www.slashdoct.com 25
Trying 64.94.110.11...
Connected to www.slashdoct.com.
Escape character is '^]'.
220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
quit
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
>

Snubby Mail Rejector???

Re:Contact ICANN comments@icann.org

[C10H14N2]

Terrific. As the staff at ICANN can barely fill the coffeehouse across the street, hell, you could probably cram them all in the bathroom without too much work, I'm sure they'll appreciate the /. effect of 35,000 emails in a day on a single issue.

Yeah, bravo. The idea is alright, but suggesting it to the bagillion /. trolls that will see this is not exactly the epitome of civility. I feel for the sysadmin who is no doubt already writing the filter for anything regarding this issue that they are no doubt already aware of.

What is this, better living through DDoS?

An open letter of complaint

[DDumitru]

To: icann@icann.org, iana@iana.org, nstld@verisign-grs.com,
rcc@verisign.com, hostmaster@nsiregistry.net, ir@verisign.com,
dcpolicy@verisign.com
Subject: Complaint about Versign abuse of DNS root zones

A Letter of Complaint about actions undertaken by Verisign Incorporated
on or about 9/13/03.

Sent to the Internet Corporation of Assigned Names and Numbers and the
Internet Assigned Number Authority.

Doug Dumitru
xxxxx xxxxxx xxxx Road
xxxxxx xxxxxx, CA 9xxxx
949 xxx-xxxx

Dear sirs,

As you are probably aware, Verisign is redirecting unregistered
2nd-level domains in the .com and .net TLDs to a Verisign owned search
engine. They are using a technique known as DNS wildcarding to
accomplish this.

I firmly believe that this is clearly an abuse of the DNS system, that
it violates the technical requirements for domain lookups, that the
results returned are fraudulent, and that this technical action only
benefits Verisign at the expense of the rest of the internet population.

I respectfully request that IANA and ICANN immediately take action
against Verisign demanding that Verisign cease this fraudulent and
damaging behaviour. Should Verisign refuse, I would recommend that IANA
and/or ICANN (and/or the US government) take immediate action to revoke
Verisign's contract to administer the .com and .net TLDs.

I would also recommend that IANA and/or ICANN immediately pass "best
practice" rules that prevent other TLDs and country-code domains from
following in Verisign's deceptive footsteps. It is important that a
"domain not found" error not be subverted into an advertising opportunity.

Sincerely,
Doug Dumitru

Terms of use

[Psykosys]

Get this: (Terms of Use) [verisign.com]:

Use of the VeriSign Services. You agree not to use the VeriSign Services in any manner that is unlawful, or in any manner that could damage, disable, impair or otherwise interfere with another party's enjoyment and use of the VeriSign Service. You may not manipulate or attempt to gain unauthorized access to our website or systems or any websites or systems connected through our website through hacking, password mining or any other means. Modification by VeriSign. At any time VeriSign may modify or terminate these terms of use, its websites and the VeriSign Services and may at any time discontinue your use of the VeriSign Services without any notice to you, and without liability to you, any other user or any third party. Please review these Terms of Use from time to time so that you will be aware of any changes. Your continued use of the VeriSign Services constitutes your agreement to all such terms, conditions, and notices.

A "terms of service" section on a website people don't reach voluntarily?

Complain to Verisign as well

[trafik]

They don't seem to have an e-mail address for the category of "Subversion of the global DNS," so pick one of the following e-mail addresses and use it to CC your complaint to Verisign:

authenticode-support@verisign.com,
billing@veri sign.com,
channel-partners@verisign.com,
clientp ki@verisign.com,
consultingsolutions@verisign.com ,
dbms-support@verisign.com,
dcpolicy@verisign.c om
digitalbranding@verisign.com,
dnssales@verisi gn.com,
enterprise-pkisupport@verisign.com,
ente rprise-sslsupport@verisign.com,
info@verisign-grs .com,
internetsales@verisign.com,
IR@verisign.co m,
jobs@verisign.com,
mss@verisign.com,
objects igning-support@verisign.com,
paymentsales@verisig n.com,
practices@verisign.com,
premiersupport@ne tworksolutions.com,
press@verisign.com,
privacy@ networksolutions.com,
renewal@verisign.com,
supp ort@verisign.com,
verisales@verisign.com,
vps-su pport@verisign.com,
vts-csrgroup@verisign.com,
v ts-mktginfo@verisign.com,
webhelp@verisign.com,
websitesales@verisign.com,
websitesupport@verisig n.com

Re:Complain to ICANN *NOW*

[trainsnpep]

Well, regardless of whether it will work, I tried:

Verisign has continually been abusing the power that has been handed out to them. Two such examples are its mailing of false renewal notices, and its most recent exploit: sitefinder.verisign.com. Now, nearly all mistyped names will be sent to Verisign where they can do whatever they like to the unwitting user. There are even categories on sitefinder.verisign.com where one can browse and go to sites which are undoubtedly paying Verisign for the space.

Please take this, and the hundreds or thousands of e-mails you will receive, into consideration, and exercise the power that ICANN has. Verisign has continually been abusing and tricking people through deceptive business practices, and this should be the last straw. Verisign should not only be removed from it's post, but it should also be fined for its numerous escapades designed to make money.

Sincerely,
Michael B****

I've got to wonder: where do they come up with such evil ideas? Verisign must have a beowulf cluster of insensitive clods...

Re:Strike Back with Poor Typing

[Electrum]

Why the fuck would anyone run a "mail rejector daemon"? Seems like not answering to port 25 would fulfill all your mail rejection needs.

VeriSign is doing the correct thing with regards to SMTP. Not answering will cause the sending mail server to hold the mail in the queue for the queue lifetime (usually a week). Rejecting mail with a 550 causes it to bounce immediately. This is the desired behavior.

Re:Who is going to be the first to hack it?

[Anonymous Coward]

This actually brings up a very good point. There's now basically a valid (unpprovable by them) excuse for cracking into their system. "I was doing security audit/checks on my server. I guess I typed in the domain name wrong without even noticing..." Maybe someone needs to put up a server on a hard to spell domain name and run a "crack this server" contest...

Of course this brings up the other side of things... what if you ARE doing security checks for some company and you DO type in the domain name wrong by accident...

Re:wonder of wonders

[gantzm]

Speaking of search engines. What would happen if a significant number of web sites put links on every page to a poison page. This poison page would generate 10,000 random links of the form "www.verisignblows948950948393903848585.com", with the number obviously being random. How long would it take for all the search engines and web crawlers to hit this and have a serious impact on verisigns servers?

Now, I'm not suggesting anybody do this, I'm just asking the question.

Violation of ICANN Policy

[wsloand]

It seems that they have effectively violated the ICANN Domain Name Dispute Policy [icann.org]: "circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration". They're definitely doing this to sell domains.

Bill

Easy Cheasy DDoS?

[Predius]

So, any dns worm that launches a DDoS, like say, msblaster, that launches an attack against say, windowsupdate.com if it resolves, will now attack Verisign's root nameserver instead? Interesting...

Re:E-mail

[pipeb0mb]

I wonder if more people will become concerned when verisign starts to harvest instead of bounce?

Preliminary BIND 8 patch

[achurch]

Preliminary (as in, it seems to work for me) BIND 8 patch that I just cooked up available here [achurch.org].

Re:Uhm...

[gantzm]

stunt? I'm offended you would call my serious question a stunt! I really would like to know the impact this would have on DNS caches, considering the responses have a 15 minute TTL.

Remember this come with a big smiley! And kids don't try this at home, it just might piss of google. And I don't want to see what happens when google starts bitch slappin' VeriSign.

Alternative: Open DNS

[Anonymous Coward]

You know there is no reason why anyone has to use Verisign, ICANN, or any of that crap. There exist many alternatives. 1) We could go back to using the actual ip address. 2) We could each maintain our own huge hosts file. I don't actually recommend either of those ideas. But the idea I do like is why doesn't GNU or FSF or whoever start their own, open DNS system. There are no barriers to entry other than the bandwidth necessary to run root nameservers. OpenNIC is an example, I'm sure there are others.

There are so many problems with the current system that it's begging to be replaced. Corporations basically stealing domains from individuals who got there first. Incompetant corporations like verisign getting rich off of doing almost nothing.

What's more, the OpenDNS system could be much more accomodating with rolling out more progressive TLD's. Move beyond .com, ,net & .org to much more descriptive endings. DNS can and should be just as free and egalitarian as GNU software.

Re:Security Geniuses

[Voivod]

It's easy, but I'm not gonna tell you how. :-)

Besides, I have no doubt they'll fix this shortly. The point is that this shows the level of incompetence at Verisign. We can look forward to them demonstrating this again and again as their marketing department canibalizes key elements of Internet infrastructure into minor profit opportunities for the company.

Boycott Thawte (Verisign's SSL subsidiary)

[ajks]

If you have SSL certificates from Thawte [thawte.com] (a subsidiary of Verisign), you can send them a message today.

Email your Thawte rep to explain why you or, better yet, your huge organization :) won't be renewing your certificates with Thawte.

You can tell them "it's a trust thing" (their own motto).

Re:The damage is already beginning

[Wyzard]

I'm curious about this. According to RFC 2821, section 5, an A record is only used for mail delivery if there are no MX records for the name. If there are multiple MX records and the first is broken, shouldn't the MTA immediately try the subsequent MX records, rather than using the A record?

I'm not correcting you, I'm asking, since you seem to know what you're talking about and I don't have real-world experience with "serious" DNS administration.

Re:The damage is already beginning

[Anonymous Coward]

V$ would have to run a mail server so they can bounce the email immediately - otherwise mail servers would retry for a few days before bouncing the message back to the user.

Do not leave it is not real.

[Tokerat]

OK fellow geeks, I am seeing alot of ranting about clogging mail server queues with typos and the like, let's go over this a little more in depth:

• http://aldvhlddvhlsdfvh.com [aldvhlddvhlsdfvh.com] - Verisign'd
• http://www.aldvhlddvhlsdfvh.com [aldvhlddvhlsdfvh.com] - Verisign'd
• http://aldvhlddvhlsdfvh.com:69 [aldvhlddvhlsdfvh.com] - DNS Error (immidiately)

Aha, so this only affects web browsers. Other ports besides 80 are somehow ignored...at least that is what happens on this end.

So perhaps it's not that bad. Port designations aren't sent with DNS queries, though, which makes this a bit puzzling. At least if it's true your mail queue wont' clog. Anyone with more experience in the area care to elaborate/prove it wrong? Not looking for a flame war, but a little scientific method.

Anti-Trust violation

[kolding]

IANAL, but I dated on once, so take this for what it's worth. This appears to me to be a clear violation of anti-trust laws. Verisign is using their monopoly position as the root DNS to create business opportunities which are not available to others. Verisign can create a nearly infinite number of domains for free, and sell advertising on all those domains. Any of their competition would have to pay for those domains (in fact, would have to pay Verisign). If this isn't abuse of a monopoly position, nothing is. Somebody should sue them under the Sherman Anti-Trust act and get an immediate injunction against them.

Eric
eric at koldware dot SpamThisSucker dot com

What I did

[Piquan]

I've created a Squid redirector to deal with this problem. I tried to post it here, but couldn't get past the Slashdot lameness filter.

It catches anything going to a gTLD's wildcard response (there's about 15 gTLDs doing this!) and redirects it to google. It also does some other niceties that don't automatically happen when using a proxy, such as adding www. and .org/.com/.net if needed.

If anybody wants the code, then post a reply here and I'll set up a web page with it and post the URL. (I won't bother if nobody wants it.)

You may want to know, also, that some of the NANOG folks have patches for BIND to change these responses back into NXDOMAIN.

Re:I'm voting with my feet. Bye bye Verisign.

[BlacKat]

Wait for the email from Verisign offering you a discount to renew once they get the registrar transfer request. ;)

I got one for each of my domains I moved to a new registrar a year or so ago after I finally got irked enough with Verisign to move.

Now I get my domains MUCH cheaper and the new registrar is miles better then Verisign ever was.

Add IMG SRC Tags Pointing to Bogus Domains!?

[Ron Bennett]

What would happen if I added some IMG SRC tags to webpages we serve that point to unregistered domain names ... between all the sites I operate that I could easily drive several million hits to semi-random unregistered domains everyday.

Before someone says this is a DoS...remember, the mere reference of a domain name is not a DoS...especially when said domain name is unregistered and in addition contains OUR extremely unique registered service/trade marks ... VeriSign has only itself to blame if they resolve unregistered domains improperly.

Welcome thoughts...

Ron

Legal degree from Play Skool?

[Cramer]

spacemeat:/# /usr/lib/sendmail -bt foo@foothefuckinghell.com
foo@foothefuckinghell.c om
deliver to foo@foothefuckinghell.com
router = lookuphost, transport = remote_smtp
host foothefuckinghell.com [64.94.110.11]
spacemeat:/# telnet 64.94.110.11 25
Trying 64.94.110.11...
Connected to 64.94.110.11.
Escape character is '^]'.
220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready
QUIT
221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.

Umm, the fact that email is going to go there for every typo or expired domain opens up a great deal of legal trouble. They really haven't thought this out very well have they?

(Even if it currently bounces everything. It still has to get there to be rejected. And there's nothing that says they aren't keeping it, reading it, or won't do so in the future.)

Spam Senders Dreams Have come True

[ac7xc]

Now porn sites can send unlimited spam. I just received this p0rn spam in my email
From: sexkitten@ihadsexatverizonswebsite.com
Message-ID: 20030915.9ie4s@ihadsexatverizonswebsite.com
Subject: Hi!

UDRP violation.

[arget]

No company will ever have to pay verisign again.

Think about it. You can't register a trademark or similarly "owned" name unless you own the trademark. If you do, the UDRP process will yank it away from you and give it over to the "real" owner. So any company can now file a claim against verisign for any trademark they haven't bothered to buy the domain for, or have let lapse, because now it resolves to verisign, and verisign is clearly using it to make money. Before you can say "corporate stooge arbitration", verisign will have to fork over any trademarks to the companies that own them.

Re:Here's a neat idea:

[BuilderBob]

I have to ask what is possibly a stupid question...

Is it possible to get the Versign website to DDOS itself? If the server uses server side includes then it can include itself? Would it stop if the client stopped requesting the page or would it keep looping until it maxed out the server threads?

Or, if not server side include, a javascript 'wget' maybe, but that's client side.

Others are doing it too

[Jesus IS the Devil]

Other domain registrars were doing this way before Verisign. If you typed in a non-existent domain name for .tv or .cc you'd get the registrar's page.

To me it's a stupid tactic to make more money. But I've moved all 50 of my domains away from Verisign a long time ago anyways.

web.archive.org

[Specialist2k]

Did Verisign even think when they implemented SiteFinder?

One of many problems is that web.archive.org [archive.org] will honor the /robots.txt of any host and remove that host from its archive. So, sooner or later, the archive of all formerly (and currently no longer) registered domains will be gone...

Time to replace verisign?

[joostje]

I mean, we can start paching the nameservers etc, letting verisign change the IP number, and pach them again.

But if enough ISP's or other people with big servers are infuriated by this, why not create a new set of root DNS servers (that get their data from the verisign ones, but filter out the * records), and then replace the current list of root servers in the bind config files with the new ones? No paching of bind, and verisign would learn a nice lesson.

Re:Contact ICANN comments@icann.org

[Anonymous Coward]

If you complain to ICANN, be sure to note that this is a breach of the WhoIs policy:

"76. It is noted that ICANN's Statement of Registrar Accreditation Policy requires accredited registrars to provide public access on a real-time basis (such as by way of a Whois service) to the contact details which it is recommended, above, be required to be provided by a domain name registrant 54."

-- The Availability Of Contact Details, The Management Of InterNet Names And Addresses: Intellectual Property Issues, World Intellectual Property Organisation, http://wipo2.wipo.int/process1/report/finalreport. html [wipo.int]

They're grabbing SMTP Traffic, too.

[Anonymous Coward]

Port 25 is open, and an SMTP daemon is running on it, too, so they are accepting all emails which are incorrectly addressed to any address.

Wonder what's going to happen to *those*...?

Andre Opperman fixes this in qmail and qmail-ldap

[acesuares]

From the qmail-ldap mailinglist: New: Fix Versign Breakage for standard qmail and for for qmail-ldap (Updated 20030916!). With this patch we treat wildcard responses (*.com) from the GTLD servers as NX_DOMAIN, like the DNS system did before Verisign broke it for us all. To the hell with these geedy bastards! http://www.nrg4u.com/

Re:Complaint submitted - the text(error-corrected)

[Snover]

This complaint is regarding Verisign's recent decision to claim all non-registered .COM and .NET domain names for itself. It has done this by inserting a wildcard into the DNS registers, meaning an IP of 64.94.110.11 is returned for any domain name that has not yet been registered. That page is an advertisement for VeriSign's domain registration services. This is unfair competition with existing registrars - there is no means for myself, for example, to gain a similar foothold without actually purchasing each and every currently unregistered .COM/.NET name. It is also a technical breach of trust - the Internet is not merely the Web, and unknown domains should return errors rather than constantly try to contact VeriSign's advertising servers. Non-Web-based applications (FTP clients, etc.), will now incorrectly log that they have contacted the host you asked for when in fact they should have returned an error 'hostname unknown' because the site does not exist. The same will occur with any ICMP TRACEROUTE or PING tools-- these will not behave in a manner expected. I would be grateful if you could investigate this matter. Yours, Ian McCall