Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Spam

Spammers' Upend DNS 304

Posted by CmdrTaco from the cat-and-mouse dept.
Saint Aardvark writes "eWeek reports on the latest trick of spammers: getting around DNS-based lookups. By registering a domain *after* the spam goes out advertising it, they can get around blacklists. However, that causes all sorts of problems for ISPs and anti-spam services. Paul Judge, CTO at Ciphertrust, says "Even in large enterprises, it's becoming very common to see a large spam load cripple the DNS infrastructure.""
This discussion has been archived. No new comments can be posted.

Spammers' Upend DNS More

Spammers' Upend DNS

Comments Filter:

  • Anti-Spam Legislation Is Only Effective Solution (Score:5, Funny)

    by bigtallmofo ( 695287 ) on Thursday January 13, 2005 @01:32PM (#11350592)
    Until they pass a law that makes it completely legal to kill spammers, the spam problem will not go away.
    • Heck I would love it if they would make it fully legal to hack the spammers computer and forcefully remove you name from the list. But because I don't know exactly where my name is on the list I figure that I will just rename all the domains to point themselfs. or there ISP Leader.

    • Just Greylist! (Score:3, Informative)

      by emil ( 695 )

      OpenBSD's spamd will initially reject all mail from previously unknown sources. It will only permit access to sendmail after an attempt at redelivery. This has brought my spam load down to about zero.

      Unless a spammer using the above trick attempted redelivery (which is unlikely), it would not cause a DNS flood.

      spamd [openbsd.org] is only one of a great many reasons to consider OpenBSD on your critical servers.

      • Re:Just Greylist! (Score:3, Informative)

        by Greyfox ( 87712 )
        There's a similar daemon out there called postgrey which does pretty much the same thing. If you run Debian and your own mail server, you can just apt-get install postgrey.

        It doesn't work 100% of the time but betweem that and SPF checking, my spam load has been reduced to 3 or 4 a month. I could ban hotmail and yahoo and that'd pretty much eliminate spam from my mailbox completely.

        They'll figure this trick out eventually though, then I'll have to come up with something else.

  • Thats a nice stunt

    How do you combat this? If the e-mail contains an invalid domain name kill it? What about typos?
    -nB

    • Re:Thats a nice stunt (Score:2, Insightful)

      by skaladin ( 97172 )
      Who cares about typos? If it doens't exist don't forward it. Plain and Simple.
      • You've misunderstood the problem ...

        The domains sending the email exist, but the ones advertised in the email do not. Because SpamCop (et. al) punish not only the sending IP block, but also the advertised host/IP block, spammers are advertising sites that won't exist for a few hours, tricking SpamCop (et al) into reporting on domains that don't exist and therefore cannot be penalized.

    • Re:Thats a nice stunt (Score:5, Interesting)

      by Kissing Crimson ( 197314 ) <jonesy AT crimsonshade DOT com> on Thursday January 13, 2005 @01:45PM (#11350794) Homepage
      Yup. If it shouldn't come in, and it can't be returned, drop it on the floor.

      So often times my (l)users ask me why they received an email saying their computer is infected with a virus (bogus bounces due to a virii changing their source addresses)

      My servers drop anything that doesn't seem right: virus infections, RBL tagged connections, obviously forged senders, etc. When a message gets delivered to the bit bucket; no more processing, no more network traffic, no more (l)user complaints.

      And I never get a complaint.

      • Re:Thats a nice stunt (Score:4, Interesting)

        by networkBoy ( 774728 ) on Thursday January 13, 2005 @01:53PM (#11350899) Journal
        Overall I agree with this, but my concern is that if you parse the message and find invalid url's then a valid message will be dropped because of a malformed text string. While I suppose that's better than letting more spam through, I would be uneasy about the increase in false positives.
        -nB

        • Re:Thats a nice stunt (Score:3, Insightful)

          by bentfork ( 92199 )
          Good point. I would hate it if this email got stuck in the spam trap

          To Accounting@bla.com:
          Please authorise my PO so I may purchase the domainname OurNewProduct.com

          • Please authorise my PO so I may purchase the domainname OurNewProduct.com

            Not a problem, unless the sender set their return address to something@OurNewProduct.com, and it doesn't exist. One of the restrictions available on Postfix and other MTAs is, "if you can't find a domain server for the MAIL FROM domain, reject it." It doesn't matter if there are invalid domain names WITHIN the message, because it doesn't parse those.

            • Not a problem, unless the sender set their return address to something@OurNewProduct.com, and it doesn't exist. ... It doesn't matter if there are invalid domain names WITHIN the message, because it doesn't parse those.

              In spam I have seen most of the 'evil' links are contained WITHIN the body of the text. The sending email addresses are from yahoo, gmail &c.

              The problem is catching the spammers email. If you made a simple mail filter would send legit emails containing unregistered domains to /dev/n

          • Umm. Why not just use an envelope? After all, we're talking about corresponding with accounting . . .
    • the problem is that when you have to look up domains that don't exist it tends to take longer, especially for DNS servers, as my understanding they then ask ANOTHER server if it has it, etc and thus when you multiply that times about a billion... you end up killing/lagging DNS servers and the server recieving the mail in the first place ;p

      • Re:Thats a nice stunt (Score:2, Insightful)

        by Gr8Apes ( 679165 )
        Seems the simple solution is to cache "bad" addresses in your local DNS server for some specified period of time, probably in a LRU type cache to prevent Spammers from taking it down.

        Adding features in your SMTP server that if a certain source has multiple failing emails, that source could be processed on a queue basis, or even automatically bitbucket anything from that address since spam comes in waves.

  • Fast DNS updates! (Score:5, Funny)

    by Cyn ( 50070 ) <{cyn} {at} {cyn.org}> on Thursday January 13, 2005 @01:33PM (#11350611) Homepage
    Thank goodness we can now register domains and have them active within 30 minutes!

    Oh look, my foot's bleeding. Someone must have shot it.
    • Do you stop advancing technology just because the spammers may benefit from it?

      Rapid updates to the .com and .net zones is VERY helpful for a large number of people - punishing them because it also helps spammers is like tearing down skyscrapers to avoid terrorists in airplanes.
  • I bet that the barracuda spam blocker would protect against this.

  • That's not the sky falling... (Score:5, Insightful)

    by winkydink ( 650484 ) * <sv.dude@gmail.com> on Thursday January 13, 2005 @01:34PM (#11350624) Homepage Journal
    The article goes on to say that some anti-spam applications do as many as 30 dns lookups. This is a design problem with the apps, not with DNS. Do less lookups, minimize the problem. I'd venture that after checking with a few of the major blacklists, you've pretty much hit the point of diminishing return in distinguishing spam/ham.

    • Re:That's not the sky falling... (Score:3, Interesting)

      by Anonymous Coward
      The problem with DNS is that it is very slow, and does a lot of things that make lookups too slow and unreliable.

      Looking up www.name.com should take no more than three DNS lookups with an empty cache (To root: "com" DNS server has IP 10.1.2.3; to 10.1.2.3: "name.com" has DNS server with IP 10.2.3.4; to 10.2.3.4: "www.name.com" has IP 10.3.4.5). However, because of DNS' poor design, it doesn't work that way; it can take dozens DNS lookups from an empty cache to get "www.name.com".
    • ummm I use mailscanner / postfix on 3 domains, and have my own bind 9 server as a caching DNS server. If admins would only set up caching DNS servers the problem would go away.

      And this is also a good way to defeat this new way to spam. IMHO new (not changed) DNS entries should take a min of 24 hours anyway.

    • Re:That's not the sky falling... (Score:5, Insightful)

      by Zocalo ( 252965 ) on Thursday January 13, 2005 @02:14PM (#11351207) Homepage
      No, it's a problem with spammers making references to multiple domains in their email, each of which might need to be checked against several SURBLs. Personally, I'm not fretting this one at all; while it's an ingenious work around from the spammers to get around the SURBLs, there's a trivial fix.

      At the moment, each domain referenced in the body of a spam is checked against one or more SURBLs to see if it has been spamvertised - hence the 30 lookups figure. Instead of immediately checking the SUBLS, we can just make a single check to see if the domain exists at all, if it doesn't then skip the SURBL checks and bias the score towards being spam. If it does exist, then we can proceed to check the SURBLs as normal and still nail any spams using known spamvertised domains. If the domain does exist, then it's a single extra DNS lookup which is possibly going to be cached, so a root server query may be avoided. If it doesn't exist, then we skip the SURBL checks and save our 30 DNS queries.

      Yup, it's the old spam arms race again. Give it a month or so and we'll all be moaning about some completely new spammer tactic brought in to replace this one.

    • The article is wrong. (Score:4, Informative)

      by mortonda ( 5175 ) on Thursday January 13, 2005 @02:46PM (#11351633)
      The article is just wrong, and there's a feedback post [eweek.com] on the same page that explains why very well. (Although, what's with the stupid formatting?)

  • So which is going to come first... (Score:2, Interesting)

    by Anonymous Coward
    Email authentication, or the wholesale abandonment of email as a viable communication platform?

  • Wanted: DNS geek (Score:3, Interesting)

    by RealityMogul ( 663835 ) on Thursday January 13, 2005 @01:38PM (#11350688)
    When a DNS query goes to an ISPs DNS server, and the entry does not exist, does it go to the root servers?

    Secondly, do invalid domain names get cached (I'm thinking not)?

    • Re:Wanted: DNS geek (Score:2, Insightful)

      by stratjakt ( 596332 )
      I don't get it. If this is true, it sounds like a MAJOR MAJOR design flaw in DNS.

      Surely it allows for invalid domain requests, or did they just assume everyone on the net will correctly type the domain name every time?

      Or, is it not the email or DNS itself, but the anti-spam filters that are hammering the DNS servers?

      I don't understand the problem. It sounds like a made up non-issue by the anti-spam crowd, frankly.
      • I don't get it.

        Let me guess, you're not running a mail server?

        If this is true, it sounds like a MAJOR MAJOR design flaw in DNS.

        DNS itself works fine; it are applications and people who are abusing it. Same as SMS works fine; except if tens of thousands of people suddenly start sending huge amounts of them.

        Don't call something a flaw until you realize how it works. We have enough people who know nothing about things calling things flawed despite that they don't know anything about them.

        I don't under

    • Re:Wanted: DNS geek (Score:3, Informative)

      by marsvin ( 84268 )
      When a DNS query goes to an ISPs DNS server, and the entry does not exist, does it go to the root servers?
      Yeah, how else would you know it doesn't exist?
      Secondly, do invalid domain names get cached (I'm thinking not)?
      Nowadays yes, but not for very long (on the order of 5 minutes, usually).

    • Re:Wanted: DNS geek (Score:2, Informative)

      by ngc5194 ( 847747 )

      When a DNS query goes to an ISPs DNS server, and the entry does not exist, does it go to the root servers?

      When we make a DNS query, it goes to our name server. If the name server does not have a result for that query cached, it queries a higher-level server for information on which name server is authoritative for that domain. It is possible that any DNS query where no component of the domain name is cached to require a query of the root name servers. This is true for any existant or nonexistant doma

    • When a DNS query goes to an ISPs DNS server, and the entry does not exist, does it go to the root servers?

      Yes

      Secondly, do invalid domain names get cached (I'm thinking not)?

      Yes, its known as negative cacheing, its done to reduce the load on the root servers (see question 1).
    • I don't believe it does. If it did, then you could DoS the cache by spamming random crap at it..
  • I don't get it.

    So I send out a million spams, all saying "go to www.stratjaktsmadeupdomainname.com for hot viagra and lower mortgage payments."

    The domain doesn't exist, and people click on it, which "cripples" dns because the dns servers have to respond with a "no such domain name" reply?

    How does this cripple them? Was DNS not designed to handle fat-fingered domains gracefully?

    What happens, do all the requests for my domain get propogated up the chain, is that the crux of the problem? If so, doesn't D

  • all this just makes me sad... (Score:3, Insightful)

    by jxyama ( 821091 ) on Thursday January 13, 2005 @01:42PM (#11350735)
    ...and also mad.

    this is not meant as any kind of informative post, but every time i read something like this, or receive another spam in my Inbox, i feel a bit of both sadness and anger...

    here is a wonderful tool that made communication easy, fast and cheap but is absolutely being ruined by the malicious few with absolutely no morals, ethics or concerns for others.

    just like those orphan traders at tsunami disaster areas... i really would like to have a chance to confront these disguisting people and try to make sense of their thought process...

    • i really would like to have a chance to confront these disguisting people and try to make sense of their thought process

      There's not much to understand.

      1. Situation to be taken advantage of
      2. Lack of morals/ethics
      3. ???
      4. Profit!
    • There is always the joke(and it's variants)
      Normal person to large asshole: How do you sleep at night?
      Asshole:On top of a big pile of money next to a different beautiful woman every night!
      NP:Ok, I was just curious...

    • Spam will never go away until the government decides that the Direct Marketing Association are not their friends.

      But our governments are in bed with the spammers and so are the credit card companies.

      All that is needed to eliminate spam is to attack it at the other end of the line with a small staff of agents, several honeypot email boxes, and three judges blanketing a 24-hour day to issue subpoenas which freeze the spammer's credit-card merchant account assets.

    • a chance to confront these disguisting people and try to make sense of their thought process...
      [voice of Prof. H. Farnsworth]
      Only one way... by disecting its brain! Enough chitchat, restrain the specimen
      [/Prof. H. Farnsworth]
    • i really would like to have a chance to confront these disguisting people and try to make sense of their thought process...

      feel free to do a whois query or whatever and if they are in the US and you have free long distance or whatnot, give them a call. They really appreciate the feedback :)
    • just like those orphan traders at tsunami disaster areas... i really would like to have a chance to confront these disguisting people and try to make sense of their thought process...

      This isn't a popular view these days, but it's always been generally accepted that their are bad people. Not people who are inwardly good but act poorly, but genuinely bad people. One relatively modern name giving to such people is "sociopaths". They have no regard for other people, if they even see other people as fellow

  • Auto-register domains (Score:5, Interesting)

    by crow ( 16139 ) on Thursday January 13, 2005 @01:42PM (#11350736) Homepage Journal
    Some anti-spam group should set up a spam filter that looks for domain names, and registers any that it sees that aren't valid. They would point to a web site that politely explains to users how stupid they are for clicking on a link in spam.

    I expect spammers would drop that technique quite quickly if that were done.
    • The spammers could easily step up the pace and cost them a considerable amount.

  • spam protocol hogging (Score:5, Insightful)

    by Doc Ruby ( 173196 ) on Thursday January 13, 2005 @01:44PM (#11350761) Homepage Journal
    DNS could play a role in beating spam. DNS servers suffering from "spam overload" can see that they're handling a lot of the same lookups, that are overloading them. They could flag their responses back to the isolated SMTP servers that are processing the spams, which can tell that they're all the same message. So the distributed network can identify spams, and at least require the senders to share some of the processing load (through another extension to the SMTP and DNS protocols). A more severe response that might affect mere mass-mailers (different from "spam" because content is either noncommercial, or was solicited by the recipient) would be to report such spam-suspects to blacklist servers, which in turn inform users spam filters.

    Having had several mass-mailed (big Cc: lists) urgent messages filtered out by corporate spam filters in the past couple of months, I know we need a much better system. Spam is taking down DNS, blocking SMTP, and, even worse, censoring legitimate message needles in the spam haystack. We need network protocols to get smarter, taking advantage of the distributed intelligence that can kill spam. Can the IETF overcome its interest in perpetuating the spam that pays for so much of the Internet, in leading us out of the spam trap?
  • This suggests that some mail systems are already parsing links in emails and rejecting those which are to known spamvertisers? That's a good idea, but it must put a bit of a load on a mail server.

    We need to be going after the spamvertisers, not the spammers. Legislation outlawing spamvertising, with penalties for the advertiser and the spammer, not just the spammer, would be far more effective than merely shooting all spammers. After all, spammers can hide and work from offshore, while the advertiser h

    • Spam involves criminal activity (fraud at the least). It involves many people (mail-senders, product suppliers, and some legitimate businesses like credit card processors, banks, and ISPs).

      Smells like a Racketerr-Influenced Corrupt Organization to me. Anyone even remotely involved gets a ticket to the proverbial Federal PMITA prison for 20 years, $100k in fines.

      These penalties and a wide net are all that can influence spam.
    • penalties for the advertiser and the spammer

      A manufacturer/seller can easily (and honestly, and legitimately) point out that someone who has joined their affiliate program has violated their terms, and is spamming against the rules. The person running the program can certainly pull the plug on that affiliate account, and the big affiliate engines (Commission Junction, Performics, et al) can torpedo user accounts and do... but not in an instantaneous way. You'd think that these folks (the affiliate progra
    • >We need to be going after the spamvertisers, not the spammers.

      Exactly. It blows my mind that very few people want to ask who the men behind the curtain are. Spammers are just nerds for hire. Its the marketers, businesses, and investors who must be targeted also. The same is true with spyware. Follow the money, people.

  • Negative Caching (Score:5, Insightful)

    by whoever57 ( 658626 ) on Thursday January 13, 2005 @01:45PM (#11350789) Journal
    BIND, at least, does negative caching. Surely this means the load on DNS servers due to looking up the non-existent spam domains is minimal.

    Also, once the mail server has decided that a bounce reply is undeliverable (because of no DNS records), surely it is going to dump the email immediately, rather than continuning to attempt to deliver it?

    So is this a case of SOME brain dead implementaions of DNS and mail servers, or a real problem for all?
    • Also, once the mail server has decided that a bounce reply is undeliverable (because of no DNS records), surely it is going to dump the email immediately, rather than continuning to attempt to deliver it?



      No, it will put it in the defered queue and try again later, finally giving up after 5-7 days, and potentially filling a mail queue with 20k-50k deferred bounce messages.

      • No, it will put it in the defered queue and try again later, finally giving up after 5-7 days, and potentially filling a mail queue with 20k-50k deferred bounce messages.

        Well, this seems to be implementation dependent. Postfix does not do this (I just checked). Perhaps Exchange does (another poster suggested this), in which case it is merely an implementation problem in SOME MTAs (as I suggested in my original post)

        • Postfix *does* do this. I have had to clear out 20k messages because of this. "Bounce" messages will queue up. OTOH, if the server answered with a "reject" message to the original message, then no bounce message is generated.

          Granted, this is usually a problem when a server is under a dictionary attack, and doesn not have a proper recipient_map set up to reject unauthorized recipients.

          A properly configured postfix server would reject unknown recipients, and the dns load would be handled by a local cach
    • Part of the problem seems to be that people running mail servers and tools like SpamAssassin aren't running their own caching nameservers locally.

      I actually run two caching nameservers. One for email servers and the other for everything else. The DNS lookups for email have a different *context* than web browsing -- which indicates to me that they should be in separate caches. Negative responses for an email lookup shouldn't pollute the positive information about web lookups.

      ::shrugs:: It's hard to say

  • Spam (Score:2, Funny)

    by clinko ( 232501 )
    I hate this new trend! I have to wait until morning until I can order my v!@gra!!!

    What happened to the good old days, when I could order B0n3r Juic3 as soon as I got my mail!
  • Without a domain to check the SPF record of, the mail would never be delivered. Easy.

    On the other hand, it could result in far, far more DNS lookups for an organization, but in theory they would never need more DNS capability then they have mail capability.

  • Bogus article (Score:3, Interesting)

    by SSpade ( 549608 ) on Thursday January 13, 2005 @01:52PM (#11350884) Homepage
    Either the journalist drastically misunderstood and misinterpreted what they were told, or one of the people interviewed is launching some magic snake-oil product that'll "solve" this non-existant problem. (Yes, I know exactly what spammers do. That's my job. I know exactly what DNS does, that was my previous job. This article is fiction.)

    • Re:Bogus article (Score:2, Funny)

      by Anonymous Coward
      Yes, I know exactly what spammers do. That's my job

      Helpful suggestion: work on the phrasing a little bit, there, when you update your resume.
    • one of the people interviewed is launching some magic snake-oil product that'll "solve" this non-existant problem.

      How about "sitefinder" -- the wildcard in the .com domain?

  • Slashdot writers (and editors) are still a lot worse than spammers, but their punctuation has some room for improvement.

  • I noticed I am getting spam again (Score:3)

    by Billly Gates ( 198444 ) on Thursday January 13, 2005 @01:54PM (#11350909) Journal
    With Yahoo mail.

    I typically get 80 messages a day which the builk mailer always finds. These last 2 or 3 weeks only half the spam is being caught and my mail box is becoming loaded again. I was wondering why the fail rate was going up.

    My guess is Yahoo used dns lookups in its anti-spam software.

    • The spammers have been streamlining the spam more lately to get around blocks, this means they are making them look more and more confusing to bayes filters, etc.

      They're also using different subjects these days that almost require you to check to make sure they are not legitimate emails, things like "order status" means if you are expecting a shipment of something your ordered you are going to open that message.

      I manage a couple ISP MTA frontends that use SimScan and SpamAssassin to drop anything scoring
  • And who wired their brains to think this way? As much as I hate the stuff they do, ya gotta give them credit for being masters of manipulating The System(tm)

    • If your livelyhood depends on it, then they will find a way. If you read the specs, study implementations, read up, and start to flowchart things, then ideas like this are likely to fall out. As much as it sucks in cases like this, it is an engineer's job to figure out ways to do things that "can't be done."

  • Wow. The article itself is ... stunning. On a per-word basis, I don't know where I've seen a higher concentration of misconceptions about DNS.

    Most modern MTAs have the ability to reject email purportedly coming from domains that aren't registered. Just as one example, sendmail does this by default. Not registering domain names makes it *much* *easier* for me to avoid spam. I encourage spammers to adopt the practice described in this article.

    Moreover, the costs of looking up nonexistant domains i

  • If we had a wildcard, then all these lookups would resolve! Problem solved

    Let's go ask Network Solutions to add a wildcard to .com.

    [the above is a lame attempt at humor]

    [or is it--tinfoil hats on -- could it be that NS is behind the article in an attempt to promote the "sitefinder" wildcard entry?]

  • Legal countermeasures (Score:3, Interesting)

    by earthforce_1 ( 454968 ) <earthforce_1@yaho[ ]om ['o.c' in gap]> on Thursday January 13, 2005 @02:19PM (#11351279) Journal
    Standard IANAL disclaimer, but:

    Couldn't the spammers be sued for causing what amounts to a DOS attack on the recipient mailserver?

    Also, if sexual predators and hackers can be barred from going online, and if corrupt executives can be barred from acting as corporate directors, why can't judges ban unrepentant spammers from going online, or carrying on an internet related business? (And extradited if they subsequently set up shop offshore)

  • Why can't spam software be made immune by denying the message if it finds that the URL returns an error message, indicating it doesn't exist? If it finds a web site doesn't exist (and I'm not referring to the domain, but the actual URL, in its entirety), it should simply reject it. Does this not make sense?

  • This should be easy to fix. Domain registrars should be required to check the spam databases during domain registration. If a domain has been recently associated with spam, extra validation of the ownership of the domain should be required. ICANN can require this. They've been tightening up on phony domain registration info already.

    Incidentally, any "domain hiding" service [registerfly.com] which assists a spammer could find themselves liable under the "conspiracy" clause in the CAN-SPAM act. CAN-SPAM is weak on spamm

  • The blacklists we have been using for a long time -- SPEWS, Spamhaus, CBL, SORBS do work on DNS and they continue to work fine whether or not the spammer registers a domain after the spamrun. These blacklists work by looking up the connecting IP address that is sending mail, and that IP address can not be forged in TCP/IP. Whether or not the mail body contains IPs or domain names that are invalid or not, forged, etc is an auxiliary issue. Most spam can be blocked at the entrance point, the mail transfer (SM

Slashdot Top Deals

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Close