VeriSign's rapid DNS updates in .com/.net

william(at)elan.net william at elan.net
Fri Jul 23 02:14:08 UTC 2004



On Fri, 23 Jul 2004, Richard Cox wrote:

> The key here is not registration but change.  Currently, while spammers
> and other malfeasants have the ability to send out through compromised
> proxies and zombied PCs, there is little that can be done to identify
> them until they require a response, and then the return path provides
> some traceability via the IP addresses used, at least for nameservers.
> 
> One of the latest spammer exploits involves relying on compromised
> PCs for hosting of websites and DNS: which, coupled with the ability
> to update the root DNS in close-to-real-time, means that the entire
> hosting operation including nameservers can be based on compromised
> boxes, often with an encrypted/obfuscated link back to the real point
> of control, and that is significantly harder to track.  This becomes
> of rather greater significance if the hosting is for a phishing site.

That is one of the main reasons why I don't like that Verisign has removed
ability to find data on how list of nameservers for domain and more ip 
address of nameserver might have been changed. The only thing we can 
see is what whois shows (=bulk zone data) which is just one time/day
snapshot while spammer may have changed the ip address of nameserver
many times during the day to point to different zombie PCs.

I hope Matt can get through to correct people and deltas will be available
for those already doing bulk zone downloads.

> The demand for extra domains serves the registrars' business model well.
> When a contact address is proved to be bogus, and at the end of 15 days
> the domain complained of is in consequence shut down, it does not seem
> to occur to most registrars that the other (say) six hundred - perhaps
> thousands of domains - that were registered by the same person with the
> identical contact details, must also have bogus contact details and so
> should be automatically shut down.  No, an individual complaint seems
> to be needed in each case, which means that the malfeasants are given
> 15 days from the first appearance of EACH domain during which the
> entire domain is, as it were, bulletproof.

It seems that by these policies registries are actively helping out spammers
while claiming to be neutral party. But in reality they know full well who 
the registrant of the domain is and that they deliberately breaking ICANN
rules but they do not close their account and allow them to register more
domains with false data. This "neutral party" excuse also leads to most
domain registries refusing spam compaints, again they know exactly who it
is that registers these domain and can definetly see they are spammer, but 
they will not do anything about it because spammers are good customers
who register lots of domains.

This situation not helping in trying to stop this epidemic.

-- 
William Leibzon
Elan Networks
william at elan.net




More information about the NANOG mailing list