fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)

Steven Champeon schampeo at hesketh.com
Wed Jan 12 18:58:13 UTC 2005


on Wed, Jan 12, 2005 at 01:49:53PM +0000, Eric Brunner-Williams in Portland Maine wrote:
> 
> > Why would it matter if you deactivated an unpublished/non-resolving domain?
> 
> How do "you deactivate an unpublished/non-resolving domain"? You may borrow
> a registrar or registry hat if that is useful to answer the question.

I suppose it depends on how you define 'unpublished'; and how you define
'non-resolving'.

A year and a half ago, I was subjected to a joe job by Brian Westby (the
bounces stopped the day after the FCC fined him), using several domains,
among them adultwebpasshosting.org. It had been registered, was in whois
with obviously forged data, resolved to an IP, and I reported it to
ICANN for having invalid whois data. It took them, as near as I can tell
(I was never notified of the action taken) at least a year to have it
removed from the root dbs.

I'd like to avoid going through that nonsense again.
 
> > If you care about the domain, keep the whois data up to date and accurate.
> 
> That is the policy articulated by the trademarks "stakeholders" in the ICANN
> drama, but how does their policy, which is indifferent to any condition but
> strindspace allocation, relate to any infrastructure that has one or more
> additional constraints?

Please see my other message. Allowing domains with invalid whois data to
remain in use facilitates abuse in other realms.
 
> > > I'm not sure why anyone cares about a very large class of domains in the
> > > context of SMTP however. 
> > 
> > For one thing, a very large class of domains are being used as
> > throwaways by spammers ...
> 
> Do you know anything about the acquisition pattern at all, or if there is
> any useful characterization finer in scope than "all"?

One of the domains we host has been the victim of an ongoing joe job. The
sender forges an address in the domain for the SMTP "MAIL FROM:" and when
the message(s) bounce(s), we get the DSN(s). I've got bounce messages here
going back several months. In the past month (since Dec 1), I've seen (not
counting the tens of thousands of DSNs I've refused from idiot outscatter
hosts):

count domain                 received      registered      diff
----- -------------------    -----------   -------------   ----
   13 kakegawasaki.com       Jan  6 2005   Dec 23 2004      14d
    7 oertlika.com           Jan  7 2005   no whois info    n/a
    6 mikejensen.info        Dec 30 2004   Dec  9 2004      21d
    5 kristinaficci.info     Jan  8 2005   Dec 22 2004      17d
    4 rhianjonesmuchos.com   Jan 10 2005   no whois info    n/a
    4 krauszolts.info        Jan  7 2005   Dec 22 2004      16d
    4 gregbryant.info        Dec 31 2004   Dec  9 2004      22d
    4 elitke.info            Dec  1 2004   Nov 28 2004       3d
    3 tlepolemosmilos.com    Jan  9 2004   no whois info    n/a
    3 latvianet.info         Dec 25 2004   Dec  3 2004      22d
    3 judsononly.info        Dec 30 2004   Dec 12 2004      18d
    2 tarumisalata.info      Dec 28 2004   Dec 12 2004      16d
    2 sawawer.net            Dec 13 2004   no whois info    n/a
    2 sakkama.info           Dec 15 2004   Dec  3 2004      12d
    2 purkyne.info           Dec  9 2004   Nov 28 2004      11d
    2 kazoplace.com          Dec 31 2004   no whois info    n/a
    2 katrianne.info         Dec  1 2004   Nov 28 2004       3d
    2 heinrichkayser.info    Dec 30 2004   Dec  9 2004      21d
    2 cavaradossi.net        Dec 23 2004   no whois info    n/a
    2 brangane.info          Jan  3 2005   Dec 18 2004      16d
    1 wurmhug.com            Jan  1 2005   no whois info    n/a
    1 ulissedinires.com      Dec 24 2004   Nov 11 2004      13d
    1 onlycomello.info       Dec 19 2004   Dec  3 2004      16d
    1 mysalpetriere.com      Dec 26 2004   Dec 23 2004       3d
    1 konstitutsiya.com      Dec 17 2004   Dec  3 2004      14d
    1 eugenisisplace.info    Dec 27 2004   Dec 12 2004      15d
</gl_replace>
<gr_replace lines="82-83" cat="clarify" orig="Very few of these">
Very few of these sightings span more than an 18 hour period between first
and last appearance in a bounce.

Very few of these sighted span more than an 18 hour period between first
and last appearance in a bounce. 

All those I've tested simply redirect to some porn site or other; for
a list from November, see below:

domain                          redirects to
------------------------------------------------------------------------
anneraughop.com         http://www.femalestars.com/RS/rsid-609603/
anneres.info            http://www.allinternal.com/40195119/index.html
armidais.net            http://coolsites1.com/sites/milfmunchers/index.html
barbarescoer.info       dead (afilias - not found)
brandtor.info           dead (afilias - not found)
byblis.info             http://coolsites1.com/sites/oldfartfuckin/main.html
caseylisser.info        http://www.allinternal.com/40195119/index.html
coudrasy.info           http://coolsites1.com/sites/partiesshocking/index.html
dinahner.net            dead (registersite - found, but no DNS)
dupontaop.net           http://mendvd.com/?wmid=franky
durdaes.net             http://coolsites1.com/sites/milfmunchers/index.html
flegelis.net            http://www.allinternal.com/40195119/index.html
jarrydlevine.info       http://www.femalestars.com/RS/rsid-609603/
jizeras.net             dead (NSI - not found)
jo-annner.com           http://www.allinternal.com/40195119/index.html
jozsef.info             http://coolsites1.com/sites/massivedickaction/index.php
kadlu.info              dead (yanked for spamming by GKG)
kazakq.info             http://www.allinternal.com/40195119/index.html
ladaxs.net              http://coolsites1.com/sites/asspussymouth/index.html
oiunskijner.net         http://www.allinternal.com/40195119/index.html
oizumiw.net             http://www.oldagefuckers.com/1e901999dbffa34452401ad02b55d569/
ortigaraner.info        http://coolsites1.com/sites/milfmunchers/index.html
rebekkaner.com          http://www.femalestars.com/RS/rsid-609603/
rosselia.net            dead (yanked for spamming by GKG)
shirleyse.info          http://coolsites1.com/sites/massivedickaction/index.php
swingsey.net            http://www.eyessprayedshut.com/99dfc7de9df4511de46761609f55b433/
zajtsev.info            http://coolsites1.com/sites/massivedickaction/index.php

All the same spammer. The redirecting domains resolve (where they
resolve at all) to:

61.128.198.187          Chinanet
218.30.21.63            Chinanet
219.153.0.230           Chinanet
222.51.98.194           China Railway Telecommunications

I may not be able to convince China not to host this dirtbag, but I should
think I'd be able to prevent a registrar from repeatedly registering new
domains to him using false whois information. As it stands I have one bad
experience with ICANN taking a year to yank the domains for a convicted
fraudster.

I'd be delighted if you have pointers to a paid whois reformatter, but
I still believe strongly that it should not be necessary.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html    join us!
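The table in the message above is the kind of summary a receiving site can produce from its own backscatter: count the DSNs per forged MAIL FROM domain, note how tightly the sightings cluster, and compare the first sighting against the domain's whois creation date. The script below is an added example (not code from the post or from the NANOG thread) that does that aggregation over a constructed set of bounce sightings and a constructed map of registration dates; in practice the sightings would be pulled from DSN headers and the registration dates from whois, both of which are out of scope here.

```python
"""Aggregate backscatter (DSN) sightings by forged MAIL FROM domain.

Added example, not from the original post. All inputs are constructed and
inline so the script runs offline; the domain names and dates are invented.
"""
from collections import defaultdict
from datetime import datetime


def domain_from_address(address):
    """Lowercased domain part of a MAIL FROM address, e.g. 'x@Foo.Info' -> 'foo.info'."""
    return address.rsplit("@", 1)[-1].strip().lower()


# Constructed sample sightings: (forged MAIL FROM address, time the DSN arrived).
SIGHTINGS = [
    ("nobody@example-one.info", datetime(2004, 12, 30, 8, 0)),
    ("sales@Example-One.info", datetime(2004, 12, 30, 14, 30)),
    ("info@example-one.info", datetime(2004, 12, 30, 21, 15)),
    ("bob@example-two.com", datetime(2005, 1, 6, 2, 0)),
    ("ann@example-two.com", datetime(2005, 1, 6, 9, 45)),
    ("joe@example-three.net", datetime(2005, 1, 7, 12, 0)),
    ("ops@example-four.org", datetime(2004, 12, 20, 10, 0)),
    ("ops@example-four.org", datetime(2004, 12, 23, 10, 0)),
]

# Constructed whois creation dates; None stands for "no whois info".
REGISTRATIONS = {
    "example-one.info": datetime(2004, 12, 9),
    "example-two.com": datetime(2004, 12, 23),
    "example-three.net": None,
    "example-four.org": datetime(2003, 6, 1),
}


def summarize(sightings, registrations):
    """One row per domain: count, first/last sighting, span in hours,
    registration date and age (days from registration to first bounce)."""
    by_domain = defaultdict(list)
    for address, when in sightings:
        by_domain[domain_from_address(address)].append(when)
    rows = []
    for domain, times in by_domain.items():
        first, last = min(times), max(times)
        reg = registrations.get(domain)
        rows.append({
            "domain": domain,
            "count": len(times),
            "first": first,
            "last": last,
            "span_hours": (last - first).total_seconds() / 3600.0,
            "registered": reg,
            "age_days": (first.date() - reg.date()).days if reg else None,
        })
    # Most-bounced domains first, as in the post's table; ties by name.
    rows.sort(key=lambda r: (-r["count"], r["domain"]))
    return rows


def flag_short_lived(rows, max_span_hours=18.0, max_age_days=30):
    """Domains whose bounces all fall within max_span_hours and that were
    registered within max_age_days (or have no whois data) fit the
    throwaway pattern described in the message."""
    flagged = []
    for r in rows:
        young = r["age_days"] is None or r["age_days"] <= max_age_days
        if r["span_hours"] <= max_span_hours and young:
            flagged.append(r["domain"])
    return flagged


def render_table(rows):
    """Plain-text table in the same shape as the one in the post."""
    lines = ["count domain               received      registered     diff",
             "----- -----------------    -----------   -------------  ----"]
    for r in rows:
        reg = r["registered"].strftime("%b %e %Y") if r["registered"] else "no whois info"
        diff = f"{r['age_days']}d" if r["age_days"] is not None else "n/a"
        lines.append(f"{r['count']:5d} {r['domain']:<20} {r['first']:%b %e %Y}   {reg:<13}  {diff:>4}")
    return "\n".join(lines)


if __name__ == "__main__":
    table_rows = summarize(SIGHTINGS, REGISTRATIONS)
    print(render_table(table_rows))
    print("throwaway pattern:", ", ".join(flag_short_lived(table_rows)))
```

The thresholds in `flag_short_lived` (18 hours, 30 days) are lifted from the numbers the message reports and are assumptions for the example, not a standard; `example-four.org` is included as the counter-case of an old domain whose bounces are spread over days, which the filter leaves alone.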
