ICANN, IAB Ask VeriSign to Suspend SiteFinder

dmehus writes "ICANN issued an advisory late today concerning VeriSign's controversial SiteFinder service. The advisory requests that VeriSign voluntarily suspend SiteFinder until various independent and objective reviews, which are now underway, have been completed. Interested parties should see the advisory for more details." I think most people here can agree it was a bad idea, although it's not generating revenue for most of us either. ICANN isn't alone here either. Nuclear Elephant writes "The Internet Architecture Board issued this response to an ICANN inquiry about Verisign's SiteFinder service."
  • by EpsCylonB ( 307640 ) <eps.epscylonb@com> on Saturday September 20, 2003 @09:25AM (#7011424) Homepage
    VeriSign's wildcard creates a registry-synthesized address record in response to lookups of domains that are not otherwise present in the zone (including restricted names, unregistered names, and registered but inactive names). The VeriSign wildcard redirects traffic that would otherwise have resulted in a "no domain" response to a VeriSign-operated website with search results and links to paid advertisements.

    Why should VeriSign get the money ?
  • by Anonymous Coward on Saturday September 20, 2003 @09:28AM (#7011430)
    ...in the meetings in which Verisign decided to implement SiteFinder.

    Do you think they innocently believed they had found a valid loophole for commercial exploitation of a legitimate feature of the Internet protocols?

    Or did they say something like this? "Well, OK, so it does violate DNS specifications. People will scream. Let them scream. Nobody can touch us. The IETF has only moral authority. And ICANN and the U. S. Department of Commerce are never going to interfere seriously with any big, successful Internet company. So a few techies get angry, big deal."

    • "Well, OK, so it does violate DNS specifications."
      In fact it does not violate the DNS specs as the advisories explicitly state.
    • Hanlon's Razor [catb.org] may well apply here.
    • by Anonymous Coward
      According to research at an English university, flies are unable to comprehend human language.
  • by Proudrooster ( 580120 ) on Saturday September 20, 2003 @09:34AM (#7011448) Homepage
    I think the real solution is this: If Verisign wants to continue this practice then Verisign should have to pay to register each mis-typed domain. After all, the end effect of Verisign's Sitefinder is to dynamically create a domain if it isn't already registered. Making Verisign pay to register each of these mis-typed domains would most likely halt their practice. In my opinion, Verisign is now "domain squatting" on any domain that isn't registered.
    • Pay to whom? Verisign is the one who collects wholesale fees from all of the registration services...
      • Well, I would be willing to take the money if no one else wants it :) ...

        Seriously though, the money could go to ICANN, IEEE, EFF, or the G.W. Bush war in Iraq fund. My point is this, if Verisign wants to "domain squat" they shouldn't get the domains for FREE and should have to pay for them just like everybody else. They are abusing their unique position as a registrar. For example: I can't hijack or redirect every mistyped domain to my ad server e.g. (yaho.com or yaahoo.com). I have to register each
        • For example: I can't hijack or redirect every mistyped domain to my ad server e.g. (yaho.com or yaahoo.com). I have to register each misspelling.

          You could if you owned/managed the recursive outward-facing DNS server in your organisation or ISP, at least for those clients using your server. Verisign controls the authoritative iterative zone authoritative for the .com and .net TLDs, so their benefit is that the buck stops with them for all failed (i.e. non-existent) .com and .net domain queries, whereas yo

    • If Verisign wants to continue this practice then Verisign should have to pay to register each mis-typed domain.

      Ahem, they manage the registry, so paying to register each domain involves nothing more than allocating the server space and writing code to automate such registries. There would be an uproar (more than there is now) about monopoly and resource exploitation, and they'd be seriously whipped into shape. Fun, eh? Maybe it IS an idea...

    • I like Paul Hoffman's advice from the response [iab.org]. If Verisign did this, they may try something else slimy. Take the power away is my vote.

      ICANN should demand that VGRS immediately stop giving incorrect answers to any query in .com and .net, and should instead follow the IETF standards. If VGRS refuses, ICANN should re-delegate the .com and .net zones to registries that are more willing to follow the DNS standards. Please let me know if you have any further questions. --Paul Hoffman, Director --Internet M

      • Take the power away [from Verisign] is my vote.

        Bah. If this was the Real World (read 'international political arena'), the minority power-abuser holding a monopoly on the resource in question (read 'arbitrary powerful government with lots of weapons') would simply stomp on the independent standards-setting body (read 'international consensus organisation with global mandate'), and take the power away from them! None of this wishy-washy "international standards body" slapping the wrist of a powerful money

    • "I think the real solution is this: If Verisign wants to continue this practice then Verisign should have to pay to register each mis-typed domain."

      Well that's the obvious answer. If it cost us all $20 to register a domain, there's no reason why verisign should be any different. They want an infinite number of domains? Sure. And they pay $6.386e+125 for them. Note that paying themselves is considered cheating.
      • Actually, there aren't an infinite number of domains. The number could be calculated if you had the time or really cared.

        I think it would be something like amount = (max_DNS_entry_size! - registered .com domains) + (max_DNS_entry_size! - registered .net domains)

        This would give you a nice fair dollar amount to charge them.
    • As was pointed out in the previous discussion, Verisign has contracted with another agency (whose name I forget already) to parse these typos.. now, why in hell would they care, other than to learn which ones are "popular", so they can register 'em and squat on 'em for real??

      Oh, you don't think this is practical as a revenue model?? Back when hotbot.com was a popular search engine, someone registered htobot.com because it was a common typo. Originally it was just a joke (and at the time even said so on th
  • by windows ( 452268 ) on Saturday September 20, 2003 @09:35AM (#7011450)
    Forgive me if I'm being idiotic about this, but relatively recently, the .museum TLD went live. It's just like any other TLD except that domains that don't exist direct you to a page saying the domain doesn't exist and with a couple of links. It's not very different than Verisign's SiteFinder, but there's little to no outcry over this. I'm curious because a lot of the objections about SiteFinder should also be true about the .museum TLD. What's different here?
    • because .com and .net amount to 99% of the internet and nobody really cares about smaller tlds (ie, .nu and so on)
    • by LostCluster ( 625375 ) on Saturday September 20, 2003 @09:46AM (#7011498)
      .com and .net are the two huge TLDs, so implementing wildcard sites on smaller TLDs just wasn't quite as outrageous. Also, in the past, most wildcards were sites that only offered to register the non-existing domain at the monopoly registrar of that TLD.

      The controversy on SiteFinder seems to be that they're offering query-based ads, which essentially says "It's against the rules to register the typo of your competitor, but we'll sell you an ad on the site that results from that typo."
    • by SmallFurryCreature ( 593017 ) on Saturday September 20, 2003 @09:46AM (#7011499) Journal
      Oops good thing I checked before I commented.

      Amazing you are right. I never knew this. That of course might be your answer. Who the fuck uses .museum anyway? (Yeah I know the obvious answer thank you) See this [index.museum] for all the domains on .museum. One company I maintain servers for has got more domains then this list. Anyway.

      The outcry is not so much that they are cybersquatting. Well some are but that is not why the geeks are rebelling. The problem is that you used to be able to do a lot of useful stuff by checking if a domain existed or not.

      Now thanks to this you can't well not without rewriting your code. grrr.

      I can only guess that nobody ever used a .museum url anyway :)

      But yes it is exactly the same thing. Except for the scale difference. I guess you can't check against spam being sent from a .museum domain either.

      Good for finding this and pointing this out.

      • It's not unique to .museum. A lot of the country-code top level domains do this, such as .tk, .us, and .nu. The outrage is that Verisign did it for the entire .com/.net which is significantly more domains than all the country-code domains combined. And, they are not in a position of "owning" those domains, we just give them stewardship of them. In other words it shouldn't have been their decision to make. If the King of Tonga (or whoever controls .to) wants all wildcards to go to a domain-for-sale page
        • Significantly more domains? I'll use your example and add some basic math.
          2.22e+122 is an approximate number of domains in a TLD based on some domain naming rules I found in Google, ignoring that a - can't be at the beginning and also ignoring that some people will want domain names less than 67 characters, which pushes these numbers up by a significant amount, but you get the idea.
          .com = 3.67e67
          .net = 3.67e67
          total = 7.34e67
          vs
          .tk = 3.67e67
          .us = 3.67e67
          .nu = 3.67e67
          total = 10.10e67

          so actually if
      • So I went there and randomly clicked a link, "castles.museum". It redirects to http://www.yorkcastlemuseum.org.uk/

        Do they all redirect like that?? anyone know? (No, I'm not going to click every link to find out :)

    • The difference is nobody cares about .museum. A bunch of the cc TLDs have also been doing this for some time. Probably nobody thought this was a good idea either, but there was no outcry because most people probably never even noticed and of those who did, probably few cared.

      Screw up .COM and .NET and people care.

    • The difference is that virtually no one uses the .museum TLD. There have been complaints about the wildcards used for .cc, .nu and other TLDs. But it's only when they start playing games with .com and .net that people notice, because this affects everyone.
    • Indeed. This is not new. But there are differences:

      The .museum gTLD was a new gTLD. If you implement a wildcard from the start of a gTLD, that is something the community can take into account when developing systems around it. (this does not mean I agree with doing so).

      Some people also mention some ccTLD's like .tk and .nu doing the same. There is however a fundamental difference between a gTLD and a ccTLD. A gTLD is operated (or at least should be) under control of the community and should be more stri
    • OK, to sum up the differences between this and the existing cases:

      .museum is a limited-access domain and domains in this area don't really have commercial value. Thus, it's not unfair to "squat" on all the unused domains to provide this index. It might break DNS within the .museum TLD, but nobody really cares because nobody really visits the .museum domain.

      WRT the other toplevel registries: all of those that have been mentioned so far are breaking DNS anyway. You don't think that all those people with .tv

    • You could at least mention the name of the company you just screwed.
    • You are right, this decision must apply unilaterally.

      1) We need to make sure that our argument against Verisign isn't the CONTENT of the Verisign page - if so, they will just remove the ads or something. The problem here is that it breaks the DNS specification (see the IAB response for why).

      2) What happens when all the spammers start using .museum so that their DNS always resolves and the spam gets through?
    • In a quick search I found 12 two-letter TLDs doing the * thingy:
      .ac, .cc, .cx, .mp, .nu, .ph, .pw, .sh, .td, .tk, .tm and .ws

      Including .com, .net and .museum this makes 15 TLDs.

      The search was done using this very clumsy one-liner:
      for b1 in a b c d e f g h i j k l m n o p q r s t u v w x y z ; do for b2 in a b c d e f g h i j k l m n o p q r s t u v w x y z ; do host asqerdfqewrd.$b1$b2 >> dom.txt.slet; done; done

      (I wonder if there is a character equivalent for 'seq 1-27'.)
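The one-liner above probes each two-letter TLD with a nonsense label and records which ones answer instead of returning "no domain". As an added example (not from the thread or any poster's code), the Python below generalises that probe and goes one step further to the rewrite an earlier comment says existence checks now need: it learns a TLD's wildcard address set from two random labels, then reports any lookup that returns exactly that set as NXDOMAIN. The resolver is injected and the zone data is constructed so it runs offline; `fake_resolve`, the hostnames and the RFC 5737 documentation addresses are all assumptions, not real registry data.

```python
"""Detect a registry-level DNS wildcard and treat its answers as NXDOMAIN.

Added example. The resolver is a plain callable so the same code can be
wired to a real stub resolver or, as here, to constructed fake zone data.
"""
import secrets
import string
from typing import Callable, Dict, FrozenSet, Optional

# A resolver maps a name to the set of A-record strings it returns,
# or None when the authoritative answer is NXDOMAIN.
Resolver = Callable[[str], Optional[FrozenSet[str]]]


def random_label(length: int = 20) -> str:
    """Random lowercase label, long enough that nobody has registered it."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def detect_wildcard(tld: str, resolve: Resolver, probes: int = 2) -> Optional[FrozenSet[str]]:
    """Return the wildcard's address set for `tld`, or None when the TLD
    answers NXDOMAIN for names that do not exist (the correct behaviour).

    Several independent random labels must all return the same set, so one
    coincidental registration is not mistaken for a wildcard."""
    answers = {resolve(f"{random_label()}.{tld}") for _ in range(probes)}
    if len(answers) != 1:
        return None
    (only,) = answers
    return only or None


class WildcardAwareResolver:
    """Wraps a plain resolver and hides learned registry wildcards."""

    def __init__(self, resolve: Resolver):
        self._resolve = resolve
        self._wildcards: Dict[str, FrozenSet[str]] = {}

    def learn(self, tld: str) -> bool:
        """Probe `tld` and remember its wildcard addresses; True if one was found."""
        found = detect_wildcard(tld, self._resolve)
        if found:
            self._wildcards[tld] = found
            return True
        self._wildcards.pop(tld, None)
        return False

    def lookup(self, name: str) -> Optional[FrozenSet[str]]:
        """Like the wrapped resolver, except that an answer identical to the
        TLD's wildcard address set is reported as NXDOMAIN (None).
        Caveat: this only works while the wildcard's address set stays
        stable, so a long-running checker should re-learn periodically."""
        answer = self._resolve(name)
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        if answer is not None and answer == self._wildcards.get(tld):
            return None
        return answer


# Constructed fake registry data for the offline demonstration (assumed):
# .com and .net carry a wildcard, .org does not. Addresses are RFC 5737
# documentation ranges, not real hosts.
FAKE_ZONES = {
    "example.com.": frozenset({"192.0.2.10"}),
    "example.net.": frozenset({"192.0.2.20"}),
}
FAKE_WILDCARDS = {
    "com": frozenset({"198.51.100.1"}),
    "net": frozenset({"198.51.100.1"}),
}


def fake_resolve(name: str) -> Optional[FrozenSet[str]]:
    """Stand-in resolver: registered names first, then the TLD wildcard, else NXDOMAIN."""
    fqdn = name if name.endswith(".") else name + "."
    if fqdn in FAKE_ZONES:
        return FAKE_ZONES[fqdn]
    tld = fqdn.rstrip(".").rsplit(".", 1)[-1]
    return FAKE_WILDCARDS.get(tld)


if __name__ == "__main__":
    r = WildcardAwareResolver(fake_resolve)
    for tld in ("com", "net", "org"):
        print(tld, "wildcarded" if r.learn(tld) else "clean")
    for name in ("example.com", "gooodhousekeeping.com", "nosuchname.org"):
        print(name, "->", r.lookup(name))
```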
  • by Crimplene Prakman ( 82370 ) <prak@iol . i e> on Saturday September 20, 2003 @09:35AM (#7011452) Journal

    In common with the majority of internet protocols, DNS is not a best-guess system, it is a technically accurate way of transferring information, with correct failover mechanisms. From the article:

    As a lookup system, the DNS is designed to provide authoritative answers to queries.

    And later...

    The DNS is not a search service, and presenting speculative mappings based on HTTP inputs is not the service that the registry is expected to provide.

    And later still...

    To restore the data integrity and predictability of the DNS infrastructure, the IAB believes it would be best to return the .com and .net TLD servers to the behavior specified by the DNS protocols.

    That seems to wrap it up really. I doubt any further studies will find differently, unless Verisign follows the apparently accepted way of paying for a biased study......

    • Why not add a new DNS record type, the GUA record (for "GUess A"), which would return a speculative A record. ISPs that wanted to provide this service could then fallover to GUA records if A returns NXDOMAIN and so forth.

  • IAB response isn't (Score:5, Informative)

    by Frater 219 ( 1455 ) on Saturday September 20, 2003 @09:36AM (#7011457) Journal
    "The Internet Architecture Board issued this response to an ICANN inquiry about Verisign's SiteFinder service."

    Actually, if you read that article [iab.org] you will find that it is dated January 25 and is a response to another Verisign screwup. That one was similar to the present one, but had specifically to do with "internationalized" domain names -- DNS records for strings with characters above ASCII position 127.

    Historians find it important to check the dates of events and documents, so they can know which ones could possibly be responses to which other situations. For instance, an American comedian telling anti-French racial jokes in August 2001 could not possibly be responding to the French objection to Bush's war. Similarly, a document released January 25 2003 cannot be a response to a situation that arises the following September. Time just doesn't work that way.

  • Sneaky (Score:2, Insightful)

    by Unleashd ( 664454 )
    Anyone else notice the lack of advanced notice that verisign gave ... well the world. I just can't imagine that they thought it through at all. If they wanted to do it you would think that they would have notified ICANN ahead of time or put up some sort of notice
    • They did tell the IAB about it at least. The IAB told them it was not a good idea and why it wasn't a good idea (RFC violations etc). They went ahead and did it anyway, despite being told not to by the IAB.
  • Old IAB response (Score:5, Informative)

    by zjbs14 ( 549864 ) on Saturday September 20, 2003 @09:39AM (#7011462) Homepage
    People keep quoting that IAB response, but if you look at the date and actually read it, you'll see it's from back in January. And it was in response to Verisign's proposed wildcarding of only domains that contained non-ASCII characters, not all domains. Their point was that wildcarding based on a character set was against standards.

    So I guess Verisign interpreted that as "we better wildcard everything then."

  • by moehoward ( 668736 ) on Saturday September 20, 2003 @09:39AM (#7011467)
    We won't have any of this "advertising" on the Internet. The Internet is surely doomed if we allow it.
    • If I plastered my ads on your website without your permission you wouldn't like it, would you? They are placing adverts on 'websites' they don't own. It has lasted so long because nobody owns them.
  • by AchmedHabib ( 696882 ) on Saturday September 20, 2003 @09:42AM (#7011482)
    Get the latest version of BIND to block that Verisign junk. Go here [isc.org]
    Now all it needs is support for the Evil-Bit in TCP/IP
    • I just installed it, together with the lines:

      zone "com" { type delegation-only; };
      zone "net" { type delegation-only; };

      in /etc/named.conf.

      Works very well, the solution was really elegant.

      I think it shall be installed very quickly by all ISPs, just in case and even if verisign stops and undoes their criminal move. Just in case...
  • Because for now, All our inexistant bases are belong to them.
  • instead of the verisign sitelooker page, I suggest that BIND (the software that runs 60% of the DNS) should be enhanced in several ways: The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one character is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem. The remaining 40% is due to the fact that people sometimes does
    • A great hack.. (Score:3, Interesting)

      by mindstrm ( 20013 )
      except, this type of thing is not the responsibility of the DNS.

      The fact that we tend to use DNS as an index of everything, and that humans can't get over "Www." is OUR problem, not a problem with DNS. DNS is a precise lookup service... we'd just like it to function as it always has, thanks.

      DNS wasn't put here to look up websites, it's far more fundamental than that.. and if people are too lazy to learn how to use a web browser right.. tough cookies for them. We should not be mangling DNS in order to do
      • What you suggest is actually available.

        If you have a browser that supports the Google Toolbar, try this:

        Install the Google Toolbar
        Turn off your address bar.
        Type whatever you want into the toolbar, URLs automatically resolve, non-URLs get searched on.

    • IMHO, this should be left up to the browser software and not the DNS server..otherwise you end up with the same scenario with ISPs using it as an advertising gimmick. I believe MSIE performs a search on what you type in. I don't see why all browsers couldn't be outfitted to do something like this.

      Remember, web browsers aren't the only thing that use BIND. You certainly don't want BIND suggesting possible matches to an SMTP server to deliver your private mail =). The solution would be best served at t
    • Well for starters DNS can't reliably tell what's a web browser and what is from something else and a lot of queries come from non human sources. So if in the future they came up with something that does what soundex tries (and fails) to do reliably this is still way too low a level to implement a feature like that.

      A web browser plugin would be a much better place to implement this so it can either be replaced or turned off according to the user's wishes.
    • I suggest that BIND (the software that runs 60% of the DNS) should be enhanced in several ways: The most important one, IMHO, is to [blah]

      I have a better suggestion. The most important BIND enhancement is: to give a damn about security. No, wait, how about: to stop obfuscating the simple concept of Internet naming, leading everyone to believe that the DNS is somehow difficult to comprehend. Or: to abandon the demonstrably-stupid AXFR protocol. Or: ad nauseam.

      Actually, all things considered, perhaps t
  • Verisign should patent this.

    Then if ICANN wants to run a similar service, or award it to someone else in exchange for payments, Verisign can take all the money in licensing fees.

    I mean, why not pimp this out all the way. It's not like ICANN wouldn't take the idea and exploit it for fees now that Verisign has suggested it. It's not like ICANN is accountable to anyone, and those fees would allow them to fly private jets to private islands in the pacific to have their meetings. I'll bet they wouldn't even
  • I'm glad the IAB took that position. Hopefully Verisign will do the right thing....but, given their history, they probably won't.

    We started a petition on Tuesday, and it got more than 16,000 signatures, before the site apparently got Slashdotted or something. We had to move it to a new server, with backups of the first 10K signatures. The new link is:

    Stop Verisign DNS Abuse Petition [whois.sc]

    We also made announcements here [icann.org] and here [icann.org], including having sent a hardcopy of the first 10,000 signatures to ICANN via

  • Real IAB Response (Score:5, Informative)

    by bigal123 ( 709270 ) on Saturday September 20, 2003 @10:08AM (#7011589)
    The response in the original article links to something old. Here [iab.org] is the IAB's official response. The bottom has a whole section on "Principles, Conclusions, and Recommendations". Good reading: http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html
  • by mentaiko ( 692343 ) on Saturday September 20, 2003 @10:25AM (#7011643)
    Much more than their capturing of all port 80 traffic, I am irritated by what has happened to email.

    Every time I send a message with a typo in the domain name, my message goes straight to Verisign's email servers. Though they are kind enough to send a bounce back to me, in the meantime they have the ability to

    • Read my entire message
    • Stick my name and email address into their database for marketing and resale

    Shouldn't this be the main concern?

    • "in the meantime they have the ability to Read my entire message"

      Actually, they don't (yes, I've tested this by telnetting to the SMTP port).

      They accept the envelope sender and receiver, then reject the DATA command.
  • by johnthorensen ( 539527 ) on Saturday September 20, 2003 @11:01AM (#7011804)
    Something that seems to be mildly overlooked here, in my opinion, is that this has the power to give VeriSign "ownership" of the web in many users' minds.

    If my mom tries to go to http://www.gooodhousekeeping.com and gets a VeriSign message and a search box, well it doesn't take much of that before she starts thinking that VeriSign == The WWW, because VeriSign is who always tells her what she typed wrong and where she should be going.

    What this comes down to is a company trying to "brand" the web. In many ways, Google has been successful at this, but they have actually played fair and achieved what they have on the basis of merit. VeriSign is ABUSING their power to brand the web as their own.

    It should be patently obvious by now that VeriSign's modus operandi is one of deceit and trickery. Evidence the fake "renewal" cards they have sent out in the past to "slam" DNS registrants much like the shady phone companies have tried to do with your long-distance.

    Damn, it's ridiculous that people even try to get away with this sort of crap these days...will someone with the power to please stop this?

    -JT
  • Fixing the problem (Score:3, Interesting)

    by bruns ( 75399 ) <bruns@[ ]it.com ['2mb' in gap]> on Saturday September 20, 2003 @11:01AM (#7011807) Homepage
    Well, one thing interesting I discovered - Earthlink appears to have patched their DNS servers so they return NXDOMAIN now instead of sitefinder. Cheers to a big ISP taking charge :)
  • by simon13 ( 121780 ) <slashdot@nOSPam.simoneast.net> on Saturday September 20, 2003 @11:02AM (#7011810) Homepage
    A week ago I saw Verisign as a highly respectable registry and provider of all sorts of security products and verification. Then these recent events occur and their reputation in my mind has gone terribly sour.

    Maybe it's just the bias I've learned from the Slashdot community, but they now just seem so incompetent; maladroit? So much for the whole "trust" thing. I haven't given them my business in the past, but now it's looking significantly less likely. (Although they probably end up with some financial gain regardless of where I purchase domain names, correct?)

    Now they just join the list of organisations that just leave a bad taste: SCO, RIAA, and now... VeriSign! (I'm sure there's many more.)
    • Verisign isn't engaging in anything that's so out of line for them. They're already thoroughly infamous for "slamming" domain names by way of sending out scare-tactic letters to make people think that unless they registered with *Verisign*, they would lose their domain. GoDaddy.com had a scan of the physical letter online for a while, but offhand I can't find the link.

  • Am I the only one who would rather have VeriSign control this spillover page than Microsoft? For 90% of the world, Microsoft controls it now, right?

    It's either a money-grubbing domain name registrar that could be ousted if need be or a convicted monopolist that can't.* I'll take the former, thank you.

    Erik

    *At least not until people stop buying Windows. But that's a few years out yet.
  • I forgot to preview... DOH!

    Original Article [zdnet.com.au]

    VeriSign said Thursday that it would respond to technical complaints over its recent move to redirect Internet users who enter nonexistent or misspelled domain names to its Web site, but it said it would not pull the plug on the service. Criticism has been growing over the company's surprise decision to take control of unassigned .com and .net domain names, which has confused antispam utilities and drawn angry denunciations of the company's business practices

  • by Todd Knarr ( 15451 ) on Saturday September 20, 2003 @12:35PM (#7012251) Homepage

    Frankly I think ICANN should formally separate the registrars and the root DNS registry. Make these changes to the rules:

    1. The root DNS registry operator may not themselves be a DNS registrar, nor may they have any affiliation with or organizational ties to one. The registry operator receives a fee per domain for operating the registry, there should be no incentives other than this fee affecting their operation of the registry. It's too critical to the rest of the Internet. If those fees alone aren't enough to make it worthwhile for any company to run the registry, then perhaps the registry shouldn't be run by a company.
    2. The registry operator may not run a publicly-accessible root nameserver (but they may run one for purposes of transferring root zone data to root nameserver operators, so long as it is not listed in the root hints file). That would make it so that changes in the root zones such as adding wildcard records could, at least in principle, be filtered out by the root server operators before reaching the Internet at large.
    3. No one entity may, either directly or through affiliated entities, control more than 3 root nameservers or 25% of the root nameservers, whichever is less. That would hopefully ensure enough variety in root nameserver operators that bad changes (eg. the wildcards addition or things that required specific non-standard DNS server software) would be rejected by at least one operator.
  • "We don't care. We don't have to. We are Verisign"
  • while [ 1 ]; do wget -T 10 www.verisign-sucks-ass.com; sleep 1; done;
  • I do applaud the ISC for patching BIND to eliminate this issue, but at the same time I am suspicious of another of their patches/features to DNS servers called "views".
    Views seem (to me) that they will cause similar effects to that of wild cards in the root domains: that answers will not exactly be consistent or authoritative depending on what you ask and where you ask it.
    In my opinion any use of the "views" functions of BIND are better handled by sub-domains.
    somesystem.mycompany.com would be used by all p
  • robots.txt (Score:3, Interesting)

    by Krashed ( 264119 ) on Saturday September 20, 2003 @01:56PM (#7012679) Journal
    Any site that sitefinder "helps" you with has a robots.txt file that disallows all agents. I am trying to access an old site of mine that was archived on the WaybackMachine and it won't let me access the old information now. Verisign must be stopped at all cost.
  • Among my other big problems with the whole thing, is the following line in their Terms of Use, section 10:

    Sole Remedy.
    Your use of the Verisign services is at your own risk. If you are dissatisfied with any of the materials, results or other contents of the Verisign services or with these terms and conditions, our privacy statement, or other policies, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE.

    Great.. and exactly HOW do *I* as the defined "user" do that?!

    When did I conse
  • For those who have upgraded/patched BIND to allow for the "type delegation-only" zones, here is a listing of all known publicly accessible TLDs configured for such operation.
    Simply put this in your named.conf, or use the new "include" operation and store these in a separate file.

    Due to the lameness of the lameness filter I can't post the list here. Get it from here [rathersimple.com] This is a plain text file signed with GPG.

    My web server should be able to handle the load since it's only a 16KB text file. Feel free to mirror
  • by pabl0 ( 228298 ) * on Saturday September 20, 2003 @03:42PM (#7013128)
    This appeared on the NANOG list about an hour ago. Seems they are at least addressing some of the problems that this has caused with mail services. Please don't go flaming this person's e-mail address. Consensus on list is that he's a "good guy making the best of a bad situation".

    Unfortunately, despite the fact that they say they aren't collecting e-mail addresses, for the community at large the issue is we now have to trust them to continue to honor that promise. Considering their actions in implementing SiteFinder in a most irresponsible fashion, I'm not sure that trust would be well placed.

    Date: Sat, 20 Sep 2003 14:01:39 -0400
    From: Matt Larson
    To: nanog@nanog.org
    Subject: VeriSign SMTP reject server updated

    Folks,

    One piece of feedback we received multiple times after the addition of
    the wildcard A record to the .com/.net zones concerned snubby, our
    SMTP mail rejection server. This server was designed to be the most
    modest of SMTP implementations and supported only the most common
    sequence of SMTP commands.

    In response to this feedback, we have deployed an alternate SMTP
    implementation using Postfix that should address many of the concerns
    we've heard. Like snubby, this server rejects any mail sent to it (by
    returning 550 in response to any number of RCPT TO commands).

    We would like to state for the record that the only purpose of this
    server is to reject mail immediately to avoid its remaining in MTA
    queues throughout the Internet. We are specifically not retaining,
    nor do we have any intention to retain, any email addresses from these
    SMTP transactions. In fact, to achieve sufficient performance, all
    logging has been disabled.

    We are interested in feedback on the best way within the SMTP protocol
    to definitively reject mail at these servers. One alternate option we
    are considering is rejecting the SMTP transaction by returning a 554
    response code as described in Section 3.1 of RFC 2821. Our concern is
    if this response effectively causes most SMTP servers to bounce the
    message, which is the desired reaction. We are researching common
    SMTP servers' handling of this response code; at least one popular
    server appears to requeue mail after receiving 554. Another option is
    remaining with the more standard SMTP sequence (returning 250 in
    response to HELO/EHLO), but then returning 550 in response to MAIL
    FROM as well as RCPT TO.

    I would welcome feedback on these options sent to me privately or the
    list; I will summarize the former.

    Matt


    Are we having fun yet?
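As an added example (not VeriSign's snubby nor their Postfix configuration), the Python below models the three reply strategies the mail discusses as a pure SMTP state machine: 550 at RCPT TO, 550 at MAIL FROM as well as RCPT TO, and a 554 greeting under RFC 2821 section 3.1 where every command except QUIT is answered 503. A scripted client drives it offline; the hostnames and mailbox addresses are constructed, and the server deliberately has nowhere to store what the client sends.

```python
"""Minimal "reject everything" SMTP responder, modelled on the behaviour
described in the NANOG mail above (added example, not VeriSign's code).

Three policies are supported, matching the options the mail weighs:
  rcpt          - 250 to EHLO and MAIL FROM, 550 to every RCPT TO
  mail_and_rcpt - 550 to MAIL FROM as well as to RCPT TO
  greeting_554  - 554 greeting per RFC 2821 s3.1; the client must QUIT,
                  anything else gets 503 Bad sequence of commands
No recipient is ever accepted, so DATA is always out of sequence and no
message content or address is retained anywhere in this object.
"""
from typing import List, Tuple

POLICIES = ("rcpt", "mail_and_rcpt", "greeting_554")


class RejectServer:
    """One SMTP session. Replies are returned without the trailing CRLF."""

    def __init__(self, policy: str = "rcpt", hostname: str = "reject.example"):
        if policy not in POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.hostname = hostname          # constructed name, not a real host
        self.refused_at_greeting = policy == "greeting_554"

    def greeting(self) -> str:
        if self.refused_at_greeting:
            # RFC 2821 s3.1: a 554 greeting tells the client to QUIT.
            return f"554 {self.hostname} does not accept mail"
        return f"220 {self.hostname} ESMTP"

    def handle(self, line: str) -> str:
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        if verb == "NOOP":
            return "250 OK"
        if self.refused_at_greeting:
            # Everything but QUIT/NOOP after a 554 greeting is out of sequence.
            return "503 Bad sequence of commands"
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            if self.policy == "mail_and_rcpt":
                return "550 This server does not accept mail"
            return "250 OK"
        if verb == "RCPT":
            # The whole point: a permanent 5xx so the sending MTA bounces
            # immediately instead of keeping the message queued and retrying.
            return "550 No such user here"
        if verb == "DATA":
            # No recipient was accepted, so there is nothing to receive.
            return "503 Need RCPT command"
        if verb == "RSET":
            return "250 OK"
        return "502 Command not implemented"


def simulate(policy: str, client_lines: List[str]) -> List[Tuple[str, str]]:
    """Run a scripted client against a fresh server and return (client, reply)
    pairs; the greeting is recorded with an empty client string."""
    server = RejectServer(policy)
    transcript = [("", server.greeting())]
    for line in client_lines:
        transcript.append((line, server.handle(line)))
        if line.upper().startswith("QUIT"):
            break
    return transcript


def codes(transcript: List[Tuple[str, str]]) -> List[str]:
    """Just the three-digit reply codes, for quick comparison of policies."""
    return [reply[:3] for _, reply in transcript]


# Constructed client script. A well-behaved MTA would stop after the 550,
# but sending DATA anyway shows the server refuses content regardless.
TYPICAL_CLIENT = [
    "EHLO mta.example.org",
    "MAIL FROM:<someone@example.org>",
    "RCPT TO:<user@gooodhousekeeping.com>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, codes(simulate(policy, TYPICAL_CLIENT)))
```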
