North American Network Operators Group


Re: Verisign changes violates RFC2821, and spam implications

  • From: Stephen J. Wilcox
  • Date: Wed Sep 17 07:39:01 2003

However I'm thinking it will mean that ISPs' mail queues will get much 
larger as mail delivery failures etc will now queue for retry rather than 
being failed as a permanent error.. if you're an ISP with lots of 
customers who get infected with the latest spamming worm that means you!

Steve

On Wed, 17 Sep 2003, Stewart, William C (Bill), RTSLS wrote:

> Avleen Vig suggests that it's very wrong for Verisign's bad-domain catcher to
> begin to accept SMTP messages and just reject all recipients with 550s
> rather than rejecting the whole transaction with a 554.
> I'm glad I'm not the only one who thinks that -
> is there some conceivable case for which this system _would_ accept a message,
> e.g. [email protected] ?
>  
> On the other hand, it has very interesting implications for spam handling.
> While there are bad side effects that can be caused by Verisign's claim that
> any non-existent domain name now exists (since it's harder to reject that mail),
> the Internet now has one obvious happy destination for spam from harvested addresses.
> If your spider bait starts leaving around [email protected] ... [email protected]
> and thousands of similar addresses, the harvesters are going to start catching them
> and sending them spam, and the less intelligent harvesters aren't going to validate the domains
> against Verisign's IP address, and any badly administered machines with open SMTP relays
> are certainly not going to be checking for it, so they'll be creating SMTP sessions with Verisign.
>  
> It's even more fun with dictionary attacks, where the spammer targets [email protected]
> through [email protected] - A DNS rejection would cause a direct attacker
> or (more likely) a relay attacker to give up quickly, and a 554 might do that also,
> while rejecting all 26**8 recipients one at a time is probably just the kind of behaviour 
> that spamware is happy to talk to all day.   Now all Verisign needs to add is a teergrube function
> to generate its responses very slowly after the first couple of them and they'll stay tied up for months,
> especially since many of them won't notice that bogusdomain1.com through bogusdomain32767.com
> are all going to the same IP address, since that's not uncommon virtual hosting behaviour.
>  
>                            bill.stewart at pobox.com 
>
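
Added example, not part of either post: a Python model of the bounce-or-retry decision a sending MTA makes for mail to a non-existent domain, before and after a TLD wildcard, with the option of treating the wildcard answer as NXDOMAIN. The address 192.0.2.10 and all message data are constructed; the thread does not give the catcher's address, and the `WILDCARD_SINKS` list is an assumed operator-maintained setting.

```python
# Constructed stand-in for the wildcard catcher's address (documentation range).
WILDCARD_SINKS = frozenset({"192.0.2.10"})

def disposition(dns, smtp_reply=None, sinks=frozenset()):
    """Return 'bounce' (permanent), 'queue' (retry later) or 'delivered'.

    dns        -- "NXDOMAIN" or a non-empty list of A-record addresses
    smtp_reply -- reply code seen at connect or RCPT time, or None when the
                  connection timed out or was refused
    sinks      -- addresses to treat as "this domain does not exist"
    """
    if dns == "NXDOMAIN":
        return "bounce"              # name error: fail immediately
    if sinks and set(dns) <= set(sinks):
        return "bounce"              # wildcard answer, handled like NXDOMAIN
    if smtp_reply is None:
        return "queue"               # no SMTP answer: transient, retry
    if 500 <= smtp_reply <= 599:
        return "bounce"              # 550 per recipient or 554 at connect
    if 400 <= smtp_reply <= 499:
        return "queue"               # 4yz: transient, retry
    return "delivered"

def scenario(dns, reply, n=1000):
    """n constructed outbound messages, all to mistyped or forged domains."""
    return [{"dns": dns, "reply": reply} for _ in range(n)]

def queue_depth(messages, sinks=frozenset()):
    """How many of the messages stay in the retry queue after one attempt."""
    return sum(disposition(m["dns"], m["reply"], sinks) == "queue"
               for m in messages)

BEFORE_WILDCARD = scenario("NXDOMAIN", None)           # domain does not resolve
CATCHER_550     = scenario(["192.0.2.10"], 550)        # catcher rejects each RCPT
CATCHER_SILENT  = scenario(["192.0.2.10"], None)       # catcher slow or unreachable

if __name__ == "__main__":
    for name, msgs in [("before wildcard", BEFORE_WILDCARD),
                       ("catcher answers 550", CATCHER_550),
                       ("catcher silent", CATCHER_SILENT)]:
        print(f"{name:22} queued={queue_depth(msgs):5} "
              f"queued with sink check={queue_depth(msgs, WILDCARD_SINKS):5}")
```
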