RE: [Asrg] 5. Challenge/Response Internetworking - DNS wildcards (was 7. BCP - Verisign: All Your Misspelling Are Belong To Us)
I still don't see how CRI will break. We send CRI headers...we don't
get a response...how is that broken?
> -----Original Message-----
> From: asrg-admin@ietf.org [mailto:asrg-admin@ietf.org] On Behalf Of Yakov Shafranovich
> Sent: Tuesday, September 16, 2003 8:48 AM
> To: ASRG list
> Subject: [Asrg] 5. Challenge/Response Internetworking - DNS wildcards (was 7. BCP - Verisign: All Your Misspelling Are Belong To Us)
>
> The message below has direct relevance to the CRI proposal, specifically
> the part about verifying the sender via SMTP. With wildcards enabled,
> CRI via SMTP will break.
>
> Yakov
>
> -------- Original Message --------
> Subject: 7. BCP - Verisign: All Your Misspelling Are Belong To Us
> Date: Tue, 16 Sep 2003 01:26:23 -0400
> From: Yakov Shafranovich <research@solidmatrix.com>
> To: Brad Knowles <brad.knowles@skynet.be>
> CC: IRTF ASRG <asrg@ietf.org>
> References: <a06001a20bb8c10de2061@[10.0.1.2]>
>
> PLEASE BE ADVISED THAT VERISIGN IS OPERATING AN SMTP SERVER AT THAT
> ADDRESS. The SMTP server appears fake, take a look at the following
> transaction:
>
> ----snip---
> open 64.94.110.11 25
> 220 snubby1-wceast Snubby Mail Rejector Daemon v1.3 ready
> blahblahbla
> 250 OK
> blahblahbla
> 250 OK
> blahblabhjla
> 550 User domain does not exist.
> blahblbjhbj
> 250 OK
> blajbjbjb
> 221 snubby1-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
>
> Connection to host lost.
> ----snip---
>
> Brad Knowles wrote:
>
> > Folks,
> >
> > This was just posted to the NANOG mailing list. There are already
> > people who are working on hacking BIND to return NXDOMAIN for wildcard
> > records in TLD zones, or perhaps for any reference to the specific IP
> > address(es) they are using (so far, we only know about 64.94.110.11).
> > Meanwhile, many are already null-routing this IP address.
> >
> > This affects us, because now anyone can send spam with an address
> > like "i@spam.from.verisign.becausethisdomaindoesntreallyexist.net", and
> > yet still have that pass standard anti-spam checks like "Does this
> > domain really exist in the DNS"?
> >
> >
> > Another one for the service provider BCP, I think.
> >
> >
> > Anyway, the full message announcing this "enhancement" is:
> >
> >> Date: Mon, 15 Sep 2003 19:24:29 -0400
> >> From: Matt Larson <mlarson@verisign.com>
> >> To: nanog@nanog.org
> >> Subject: Change to .com/.net behavior
> >>
> >>
> >> Today VeriSign is adding a wildcard A record to the .com and .net
> >> zones. The wildcard record in the .net zone was activated from
> >> 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
> >> being added now. We have prepared a white paper describing VeriSign's
> >> wildcard implementation, which is available here:
> >>
> >> http://www.verisign.com/resources/gd/sitefinder/implementation.pdf
> >>
> >> By way of background, over the course of last year, VeriSign has been
> >> engaged in various aspects of web navigation work and study. These
> >> activities were prompted by analysis of the IAB's recommendations
> >> regarding IDN navigation and discussions within the Council of
> >> European National Top-Level Domain Registries (CENTR) prompted by DNS
> >> wildcard testing in the .biz and .us top-level domains. Understanding
> >> that some registries have already implemented wildcards and that
> >> others may in the future, we believe that it would be helpful to have
> >> a set of guidelines for registries and would like to make them
> >> publicly available for that purpose. Accordingly, we drafted a white
> >> paper describing guidelines for the use of DNS wildcards in top-level
> >> domain zones. This document, which may be of interest to the NANOG
> >> community, is available here:
> >>
> >> http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf
> >>
> >> Matt
> >> --
> >> Matt Larson <mlarson@verisign.com>
> >> VeriSign Naming and Directory Services
>
> _______________________________________________
> Asrg mailing list
> Asrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/asrg
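An added example, not part of the original thread: a wildcard-aware version of the "does this domain really exist in the DNS" check mentioned in the quoted message. It probes random labels under the sender's TLD and treats a sender domain as nonexistent when all of its addresses match what those probes return. The resolver is a hypothetical stand-in backed by constructed data (only 64.94.110.11 comes from the thread), and the check looks at A records only.

```python
import secrets

# Constructed sample data standing in for live DNS so the example runs offline.
# 64.94.110.11 is the wildcard address reported in the thread; the 192.0.2.x
# addresses and the example.* names are made up.
REGISTERED = {"example.net": ["192.0.2.10"], "example.org": ["192.0.2.20"]}
WILDCARD_TLDS = {"com": ["64.94.110.11"], "net": ["64.94.110.11"]}


def fake_resolve(name):
    """Hypothetical resolver: A records for a name, [] meaning NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in REGISTERED:
        return REGISTERED[name]
    return WILDCARD_TLDS.get(name.rsplit(".", 1)[-1], [])


def tld_wildcard_addrs(tld, resolve, probes=2):
    """Addresses returned for every random, surely-unregistered label under tld."""
    common = None
    for _ in range(probes):
        addrs = set(resolve(f"{secrets.token_hex(16)}.{tld}"))
        common = addrs if common is None else common & addrs
    return common or set()


def sender_domain_exists(domain, resolve):
    """True only if the domain resolves to something other than the TLD wildcard."""
    addrs = set(resolve(domain))
    if not addrs:
        return False  # plain NXDOMAIN: the classic check already fails
    wildcard = tld_wildcard_addrs(domain.rsplit(".", 1)[-1], resolve)
    # If every answer is a wildcard target, the registry synthesized the record.
    return not addrs <= wildcard


if __name__ == "__main__":
    for d in ("example.net",
              "spam.from.verisign.becausethisdomaindoesntreallyexist.net",
              "nosuchname.org"):
        print(d, sender_domain_exists(d, fake_resolve))
```

In production, `resolve` would wrap a real DNS lookup, and the per-TLD probe result would be cached rather than recomputed for every message.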