Re: Verisign changes violate RFC2821, and spam implications
Avleen Vig suggests that it's very wrong for Verisign's bad-domain catcher to begin to accept SMTP messages and just reject all recipients with 550s rather than rejecting the whole transaction with a 554. I'm glad I'm not the only one who thinks that - is there some conceivable case for which this system _would_ accept a message, e.g. postmaster@real-name-for-that-machine.verisign.com ?

On the other hand, it has very interesting implications for spam handling. While there are bad side effects that can be caused by Verisign's claim that any non-existent domain name now exists (since it's harder to reject that mail), the Internet now has one obvious happy destination for spam from harvested addresses. If your spider bait starts leaving around alice@bogusdomain-alice.com ... zebra@bogusdomain-zebra.com and thousands of similar addresses, the harvesters are going to start catching them and sending them spam, and the less intelligent harvesters aren't going to validate the domains against Verisign's IP address, and any badly administered machines with open SMTP relays are certainly not going to be checking for it, so they'll be creating SMTP sessions with Verisign.

It's even more fun with dictionary attacks, where the spammer targets aaaaaa@bogusdomain.com through zzzzzzzzz@bogusdomain.com - A DNS rejection would cause a direct attacker or (more likely) a relay attacker to give up quickly, and a 554 might do that also, while rejecting all 26**8 recipients one at a time is probably just the kind of behaviour that spamware is happy to talk to all day. Now all Verisign needs to add is a teergrube function to generate its responses very slowly after the first couple of them and they'll stay tied up for months, especially since many of them won't notice that bogusdomain1.com through bogusdomain32767.com are all going to the same IP address, since that's not uncommon virtual hosting behaviour.

bill.stewart at pobox.com
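The check Bill describes (an MTA validating a recipient domain against the registry's wildcard address, so that mail for a bogus domain gets a permanent 5xx instead of being accepted or queued) can be done without a hard-coded address: resolve a random label that cannot exist under the same TLD, and if the recipient domain resolves to the same address, the answer was synthesized. The following is an added illustration, not code from the thread; the resolver, the zone data and the 192.0.2.1 wildcard address are constructed stand-ins for real DNS.

```python
import secrets

# Constructed placeholder for the address a wildcard TLD hands back for any
# nonexistent name. A real MTA would learn it from the probe, not hard-code it.
WILDCARD_ADDR = "192.0.2.1"


def make_resolver(zone_data, wildcard_tlds):
    """Build a fake DNS lookup: name -> IPv4 string, or None for NXDOMAIN.
    Names under a TLD in wildcard_tlds always resolve, mimicking a registry
    wildcard. Swap in socket.gethostbyname or dnspython for real lookups."""
    def resolve(name):
        name = name.lower().rstrip(".")
        if name in zone_data:
            return zone_data[name]
        tld = name.rsplit(".", 1)[-1]
        return WILDCARD_ADDR if tld in wildcard_tlds else None
    return resolve


def wildcard_address(resolve, tld):
    """Probe the TLD with a random label that cannot legitimately exist.
    A non-None answer means the TLD synthesizes records for bogus names."""
    probe = f"probe-{secrets.token_hex(8)}.{tld}"
    return resolve(probe)


def classify_domain(resolve, domain):
    """Return 'exists', 'nxdomain' or 'wildcard' for a recipient domain.
    Caveat: a real host deliberately parked on the wildcard address would
    also be classed 'wildcard'; check its MX record before trusting that."""
    addr = resolve(domain)
    if addr is None:
        return "nxdomain"
    tld = domain.rsplit(".", 1)[-1]
    if addr == wildcard_address(resolve, tld):
        return "wildcard"
    return "exists"


def smtp_rcpt_response(resolve, recipient):
    """Decide the RCPT TO reply the way an MTA should: a permanent 550 for a
    domain that only 'exists' thanks to the wildcard, so the message bounces
    instead of sitting in the retry queue."""
    domain = recipient.rsplit("@", 1)[-1]
    verdict = classify_domain(resolve, domain)
    if verdict == "exists":
        return "250 OK"
    return f"550 5.1.2 Domain {domain} does not exist ({verdict})"
```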
On Wed, Sep 17, 2003 at 04:40:29AM -0500, Stewart, William C (Bill), RTSLS wrote:
> It's even more fun with dictionary attacks, where the spammer targets aaaaaa@bogusdomain.com through zzzzzzzzz@bogusdomain.com - A DNS rejection would cause a direct attacker or (more likely) a relay attacker to give up quickly, and a 554 might do that also, while rejecting all 26**8 recipients one at a time is probably just the kind of behaviour that spamware is happy to talk to all day. Now all Verisign needs to add is a teergrube function to generate its responses very slowly after the first couple of them and they'll stay tied up for months, especially since many of them won't notice that bogusdomain1.com through bogusdomain32767.com are all going to the same IP address, since that's not uncommon virtual hosting behaviour.
I think it is hoping rather too much to expect spamware authors to be unable to modify their scripts to detect the Verisign IP.

However I'm thinking it will mean that ISPs' mail queues will get much larger, as mail delivery failures etc. will now queue for retry rather than being failed as a permanent error. If you're an ISP with lots of customers who get infected with the latest spamming worm, that means you!

Steve

On Wed, 17 Sep 2003, Stewart, William C (Bill), RTSLS wrote:
> Avleen Vig suggests that it's very wrong for Verisign's bad-domain catcher to begin to accept SMTP messages and just reject all recipients with 550s rather than rejecting the whole transaction with a 554. I'm glad I'm not the only one who thinks that - is there some conceivable case for which this system _would_ accept a message, e.g. postmaster@real-name-for-that-machine.verisign.com ?
>
> On the other hand, it has very interesting implications for spam handling. While there are bad side effects that can be caused by Verisign's claim that any non-existent domain name now exists (since it's harder to reject that mail), the Internet now has one obvious happy destination for spam from harvested addresses. If your spider bait starts leaving around alice@bogusdomain-alice.com ... zebra@bogusdomain-zebra.com and thousands of similar addresses, the harvesters are going to start catching them and sending them spam, and the less intelligent harvesters aren't going to validate the domains against Verisign's IP address, and any badly administered machines with open SMTP relays are certainly not going to be checking for it, so they'll be creating SMTP sessions with Verisign.
>
> It's even more fun with dictionary attacks, where the spammer targets aaaaaa@bogusdomain.com through zzzzzzzzz@bogusdomain.com - A DNS rejection would cause a direct attacker or (more likely) a relay attacker to give up quickly, and a 554 might do that also, while rejecting all 26**8 recipients one at a time is probably just the kind of behaviour that spamware is happy to talk to all day. Now all Verisign needs to add is a teergrube function to generate its responses very slowly after the first couple of them and they'll stay tied up for months, especially since many of them won't notice that bogusdomain1.com through bogusdomain32767.com are all going to the same IP address, since that's not uncommon virtual hosting behaviour.
>
> bill.stewart at pobox.com
On Wed, 17 Sep 2003, Stewart, William C (Bill), RTSLS wrote:
> is there some conceivable case for which this system _would_ accept a message, e.g. postmaster@real-name-for-that-machine.verisign.com ?

There would be no reason for that particular machine(s) to receive legitimate email for itself, as Verisign can (and should) easily put an MX record pointing to another machine to handle legitimate mail directed @sitefinder-idn.verisign.com . Ergo, the hopefully more polite version of Snubby can cancel the SMTP transaction without having to check whether it's mail directed to itself.

--==-- Bruce.
Participants (4): Andy Smith; Bruce Campbell; Stephen J. Wilcox; Stewart, William C (Bill), RTSLS