fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)

Steven Champeon schampeo at
Wed Jan 12 22:25:57 UTC 2005

on Wed, Jan 12, 2005 at 04:24:42PM +0000, Eric Brunner-Williams in Portland Maine wrote:
(quoting Anonymous): 
> > Numerous (as in "at least hundreds, probably more") of spam gangs are
> > purchasing domains and "burning through" them in spam runs.  In many
> > cases, there's a pattern to them; in others, if there's a pattern,
> > it's not clear to me what it might be.
> >From my point of view, "pattern" is which registars are getting the buys,
> for which registries, where the ns's are hosted, and for domains used in
> the return value side, hosting details. The latter to reduce to RIR CIDRs.

I provided the IPs to which all of the latter domains resolved at the
time I checked. All went to four IPs, all in China, three in the same
network. The nameservers exhibit similar behavior, though often also
with Brazilian nameservers along with Chinese. Not in the last month, tho:

   16   HKNET-HK
   12    CRTC
   12    CNCGROUP-CQ
    4  AFFINITY-207-234-128-0
    2   HKNET-HK

registrars by whois server:

So? Of course .info is handled by afilias. Sponsoring registrars for
.info domains mentioned upthread:
    9 R126-LRMS  - Enom
    4 R239-LRMS  - Primus
    2 R171-LRMS  - GoDaddy

There's your clustering. Feel free to somehow reduce these to CIDRs or
ASNs; they're not used in the message headers anyway, so all you can do
is block the redirection for your users, but not prevent them from being
deluged with the spam itself, nor prevent me and others from being deluged
with the bogus DSNs. 

So what? Eventually, better antispam techniques will lead to the ability
to block messages from or referencing domains with banned nameservers.

And then spammy will set things up so that he has a new nameserver for
every run. And we'll still have insecure email, because he'll have
continued to get away with it, because he can hide behind "private"
whois for his domains registrations, he'll continue to burn through the
net namespace leaving nothing but scorched earth, and none of the
underlying conditions will have been addressed.

It's no longer a simple matter of blocking the sender origin, botnets
have taken care of that. It's no longer a matter of blocking known spammy
domains in SMTP envelopes; they're forging them. It's not a matter of
blocking mail with known spammy domains in it, as these are one-a-day
throwaway redirectors. It's not a matter of blocking mail with domains
that point to rogue nameservers, ASNs, or CIDRs, spammy can register new
domains and use new ones every day. It's not a matter of any of these
things, though I use them all, and with some effect.

The problem is that spammy is getting away with this by modifying his
tactics slightly and keeping a step ahead of the game, and because few
understand or care about actually /fixing the underlying brokenness/
that lets him get away with it day after day.

> There is more, but that is the first cut, localization of registrar(s) and
> registries and CIDRs.

I fail to see how isolating registrations to a single registrar changes
the facts on the ground - if anything, you're already showing that you
are at least one step behind Spammy, by making this a requirement. Or,
alternately, you're simply saying that those who care about net abuse are
shackled by ICANN's bylaws and therefore we can do nothing.

-- v: +1(919)834-2552 f: +1(919)834-2554 w:
join us!    join us!

More information about the NANOG mailing list