Kuro5hin.org: technology and culture, from the trenches

Mavis Verisign Beacon teaches typing

By Silent Chris in Technology
Tue Sep 16, 2003 at 03:26:45 AM EST
Tags: Internet

As of tonight, Verisign has started rerouting misspelled URLs to its own servers.  What does this mean for your web surfing?  Oh, just about everything.


As reported by a few sites, Verisign has added a wildcard record to the .com and .net zones.  Any name that is not registered in those zones now resolves instead of coming back as "no such domain", so a misspelled URL no longer falls through to your web browser's search engine of choice: it is rerouted to http://sitefinder.verisign.com.

You can experiment with this now.  Try typing your favorite interesting website with a few extra characters.  Depending on how long your resolver has cached its old answers, instead of going to an error or search page you'll end up at Verisign's search site.  It's a very simple page that offers pay-for-placement advertising (try searching for "registrar" and see what you get).

A while back people argued that MSN could make a killing selling search terms for words (misspelled or not) typed into the address bar of IE.  MSN is now one of the top-rated sites in terms of traffic.  However, this new wildcard circumvents Microsoft's attempts at gaining ad dollars through misspellings: the name resolves before the browser ever gets a chance to fall back to its search page, so even free browsers will be redirected to Verisign's site.  Perhaps most confusingly for the layman, a legitimately misspelled URL now brings up a pay-for-placement search site instead of an error message.  Troubleshooting this browser behavior may prove difficult.

A couple of network admins are beginning to fight back by blackholing the IP addresses that http://sitefinder.verisign.com is found on.  Still, it's going to take a while to change all those records, and in the meantime people are beginning to question the legality of it all.  Is a government-created monopoly allowed to redirect traffic in such a way?  The only certainty is that questions about Verisign's future abound.
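The wildcard described above can be detected from the resolver side and its synthesized answers turned back into "no such domain".  The following is an added example, not code from this article or from Verisign.  It goes a little beyond the page: rather than hardcoding the 64.94.110.11 address the comments report, it probes each TLD with random unregistered names and treats whatever single address they all return as the wildcard target.  The resolver is injected and FAKE_ZONE is constructed sample data, so it runs offline.

```python
"""Detect a TLD-level wildcard and turn its synthesized answers back into
NXDOMAIN.  Added example, not code from the article or from Verisign; the
resolver is injected and FAKE_ZONE is constructed data so it runs offline."""
import secrets
import string
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]   # name -> A addresses ([] means NXDOMAIN)

SITEFINDER_IP = "64.94.110.11"          # address reported in the comments on this page


def random_label(length: int = 16) -> str:
    """A label nobody has registered, used as a probe name under a TLD."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def detect_wildcard(tld: str, resolve: Resolver, probes: int = 3) -> Optional[str]:
    """Return the address a TLD wildcard synthesizes, or None.

    Several random names under the TLD are looked up.  A registered name
    cannot be hit by chance at this label length, so if every probe comes
    back with the same single address, the zone is synthesizing answers.
    """
    answers = {tuple(sorted(resolve(f"{random_label()}.{tld}"))) for _ in range(probes)}
    if len(answers) != 1:
        return None
    addrs = answers.pop()
    return addrs[0] if len(addrs) == 1 else None


class WildcardFilteringResolver:
    """Wrap a resolver; answers equal to a detected wildcard target become NXDOMAIN.

    Caveat: a registered name that really is hosted on the wildcard address is
    filtered as well.  That is the same trade-off as null-routing the address.
    """

    def __init__(self, resolve: Resolver, tlds=("com", "net")):
        self._resolve = resolve
        self.wildcards: Dict[str, str] = {}
        for tld in tlds:
            target = detect_wildcard(tld, resolve)
            if target is not None:
                self.wildcards[tld] = target

    def lookup(self, name: str) -> List[str]:
        addrs = self._resolve(name)
        tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
        target = self.wildcards.get(tld)
        if target is not None and addrs == [target]:
            return []                       # synthesized answer: report NXDOMAIN
        return addrs


# Constructed sample data mimicking what the page describes: a few registered
# names, and every unregistered .com/.net name answered with the Site Finder IP.
FAKE_ZONE = {
    "plethora.net": ["192.0.2.10"],
    "example.com": ["192.0.2.20"],
    "example.org": ["192.0.2.30"],
}


def fake_resolve(name: str) -> List[str]:
    """Stand-in for a real resolver: wildcarded .com/.net, honest elsewhere."""
    name = name.rstrip(".").lower()
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith((".com", ".net")):
        return [SITEFINDER_IP]
    return []


if __name__ == "__main__":
    r = WildcardFilteringResolver(fake_resolve, tlds=("com", "net", "org"))
    print(r.wildcards)                       # {'com': '64.94.110.11', 'net': '64.94.110.11'}
    print(r.lookup("plethora.net"))          # ['192.0.2.10']
    print(r.lookup("pleathora.net"))         # []  the typo is NXDOMAIN again
    print(r.lookup("wefhaewfhawearto.net"))  # []
```

Probing with random labels is what keeps the check honest if the wildcard target ever changes; the price is that anything legitimately hosted on that address becomes invisible, exactly as with the /dev/null route some admins in the comments describe.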


Poll
Verisign's decision to reroute traffic with wildcards:
o Legal 16%
o Illegal 83%

Votes: 168



Mavis Verisign Beacon teaches typing | 186 comments (160 topical, 26 editorial, 2 hidden)
27 letters. (4.59 / 27) (#3)
by seebs on Mon Sep 15, 2003 at 10:37:03 PM EST

abcdefghijklmnopqrstuvwxyz1.com works; abcdefghijklmnopqrstuvwxyz12.com doesn't.

This is incredibly evil.  Consider this:

If you try to go to a site, and you get something looking like sitefinder, until today, that was proof that the site was dead - squatters stole the name.

Today, you will get that for any site on a typo.  Let's say I tell someone to visit my site at "plethora.net".  He makes a typo.  He finds sitefinder - and concludes that my ISP must have gone bust.  I lose the sale.

This is the ethical behavior I would expect from the company that double-charged me, kept my domain turned off for two weeks anyway, sent only a single email notification to an invalid address, and spent six months saying "someone will return your call" when I complained, but never returned my call.

Until verisign is destroyed, and I mean *GONE*, the internet will be plagued by bullshit like this.


spam filters (4.14 / 7) (#23)
by bmph8ter on Mon Sep 15, 2003 at 11:48:28 PM EST

What if your mail server is set to do reverse-dns lookups? Or you're trying to troubleshoot dns lookups? How about a search engine that now has all of these extra pages to index? It should at least help Verisign with their page rank. Bastards.

robots.txt (4.60 / 5) (#24)
by CaptainSuperBoy on Mon Sep 15, 2003 at 11:52:08 PM EST

At the very least, they put a disallow: / in their robots.txt file.

--
jimmysquid.com - I take pictures.
only www subdomains need apply (4.20 / 5) (#26)
by horny smurf on Tue Sep 16, 2003 at 12:15:04 AM EST

from some limited testing, it appears that only www subdomains are hijacked. So, you can either ban www subdomains, or /dev/null 64.94.110.11.

definitely a bunch of cocksucking douchebags at work, though.


Wait a bit (4.50 / 4) (#27)
by CaptainSuperBoy on Tue Sep 16, 2003 at 12:18:34 AM EST

No, they wildcarded everything in .COM and .NET. It's not just www subdomains. Wait a bit, the changes will infect your DNS server soon.

--
jimmysquid.com - I take pictures.
Blackholeing them will become the norm. (3.80 / 10) (#15)
by richarj on Mon Sep 15, 2003 at 11:15:03 PM EST



"if you are uncool, don't worry, K5 is still the place for you!" -- rusty
Mis-typing (3.23 / 13) (#18)
by A Proud American on Mon Sep 15, 2003 at 11:22:17 PM EST

I'm not sure how often I mistype an address.  I rely on a few bookmarks for daily-accessed sites, and for others I hit ALT+HOME to go to my "home page" (Google.com) and type in what I want, hit TAB twice, then ENTER, and I'm there.

But I can see how this is still a bit of a problem, as many people use the address bar to get to their favorite sites.  I'd rather hit a 404 page of some type than some ad for a Vodafone.

____________________________
The weak are killed and eaten...


So... (4.63 / 11) (#20)
by the77x42 on Mon Sep 15, 2003 at 11:38:08 PM EST

Does it still generate a DNS error or are all coded HTML parsers (like program-specific online updaters) going to be fucked when it comes to providing detailed errors?


"We're not here to educate. We're here to point and laugh." - creature
"You have some pretty stupid ideas." - indubitable

No error (4.57 / 7) (#22)
by CaptainSuperBoy on Mon Sep 15, 2003 at 11:45:03 PM EST

No error, just an A record returned that points to 64.94.110.11. Pure evil.

I'm not sure how it would break online update software, though. Shouldn't the software already have the correct domain hard-coded?

--
jimmysquid.com - I take pictures.

well (4.25 / 4) (#32)
by the77x42 on Tue Sep 16, 2003 at 01:48:49 AM EST

I remember Ad-Aware used to have multiple sites to choose from, more than 50% were down. I guess you'd get a 404 error instead, but it's still annoying not to immediately realize the domain is down/dead.


"We're not here to educate. We're here to point and laugh." - creature
"You have some pretty stupid ideas." - indubitable

YAY... (4.09 / 11) (#21)
by the77x42 on Mon Sep 15, 2003 at 11:40:35 PM EST

try pinging a non-existent domain like wefhaewfhawearto.net.

The IP it returns: 64.94.110.11 (verisign)


"We're not here to educate. We're here to point and laugh." - creature
"You have some pretty stupid ideas." - indubitable

Mail (4.42 / 7) (#43)
by Lynoure on Tue Sep 16, 2003 at 03:58:45 AM EST

If I make a typo in the domain part of an e-mail address, will some Verisign guy get the e-mail instead of there being a proper bounce?


probably not (4.55 / 9) (#61)
by frozencrow on Tue Sep 16, 2003 at 06:45:20 AM EST

There is no corresponding wildcard MX, so mail to whoever@domain-that-is-not-registered.com will be directed to the A record. Here's what I see when I try it:

$ telnet 64.94.110.11 25
Trying 64.94.110.11...
Connected to sitefinder-idn.verisign.com (64.94.110.11).
Escape character is '^]'.
220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready
helo example.com
250 OK
mail from: nobody@example,com
250 OK
rcpt to: blah@nosuchdomainxya.com
550 User domain does not exist.
quit
221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.

The name of the daemon suggests that it's there to immediately reject your message, rather than letting it languish, undeliverable, in your mail queue for 5 days.


crap (4.75 / 8) (#104)
by frozencrow on Tue Sep 16, 2003 at 12:09:12 PM EST

I have learned since this morning that no matter what you type, Verisign's MTA will return that 250, 250, 550, 221, (connection closed) pattern. This will cause most mail to bounce, but not all--the ones that don't bounce will sit in the mail queues just as they would if there were no mailserver listening at all.

Golly, I've just thought of all kinds of unnice things that I'd like to say about Verisign.


Are you sure? (4.75 / 5) (#117)
by 87C751 on Tue Sep 16, 2003 at 01:38:01 PM EST

no matter what you type, Verisign's MTA will return that 250, 250, 550, 221, (connection closed) pattern.
I tried that too, and I always got 250, 250, 550, 250, 221. I suspected it was anticipating HELO, MAIL FROM, RCPT TO, RSET, QUIT.

My ranting place.

dunno what's wrong with me today... (4.33 / 4) (#145)
by frozencrow on Wed Sep 17, 2003 at 06:32:22 AM EST

Yes, you're correct. I am apparently not having a lot of luck getting information out of my brane and onto the screen.

I've heard elsewhere that the pattern being anticipated is HELO, MAIL FROM, RCPT TO, DATA, QUIT. Your guess makes more sense than that, I think. Either way, it's not a terribly good implementation.


Well circletimessquare is screwed (2.83 / 6) (#28)
by godix on Tue Sep 16, 2003 at 12:22:52 AM EST

Wonder what his new sig will be now that the point of his current one is destroyed?

I don't understand spending all that money for a fancy shot ... when pregnancy ain't nothing that a good coathanger or a pair of steel toed boots can't fix
I don't really care (2.78 / 14) (#29)
by qpt on Tue Sep 16, 2003 at 01:10:49 AM EST

Where I end up if I try to navigate to a nonexistent site, since the site I was trying to reach, well, you know, doesn't exist.

Domine Deus, creator coeli et terrae respice humilitatem nostram.

So I thought too, at first (4.00 / 5) (#42)
by Lynoure on Tue Sep 16, 2003 at 03:52:10 AM EST

So I thought too at first, before realizing that this will affect some bookmark managers I occasionally use and more importantly the design of the one I'm planning to make.
I also dislike it on principle. If they are allowed to hijack the traffic that way, I wonder what comes next...

Hijacking (4.25 / 4) (#49)
by qpt on Tue Sep 16, 2003 at 04:30:07 AM EST

Generally involves taking traffic intended for one destination and routing it elsewhere without the originator's consent.

If I request http://www.thisisaplausibleyetnonexistentdomain.com, though, my own incompetence or ignorance has thwarted my intentions, and my network traffic wouldn't be going anywhere I wanted it to go regardless, with or without Verisign's intervention.

Domine Deus, creator coeli et terrae respice humilitatem nostram.

not only the web (4.25 / 4) (#51)
by CH-BuG on Tue Sep 16, 2003 at 04:58:20 AM EST

So consider sending email to a recipient and having a typo in the domain. Usually, you get an error message very fast (immediately if you are your own SMTP server, after a bounce at your ISP otherwise).

Due to this new feature, the mail will simply be queued until the timeout delay (3 days ?).

Still not annoyed ?


I suppose (4.00 / 5) (#54)
by qpt on Tue Sep 16, 2003 at 05:20:46 AM EST

That would be annoying if it actually happened, but I can't say I've ever made such a typo, and I send a lot of email.

Domine Deus, creator coeli et terrae respice humilitatem nostram.

Think for just a minute, dammit! (4.66 / 3) (#55)
by itsbruce on Tue Sep 16, 2003 at 05:36:35 AM EST

OK, so you don't see how it affects you personally. Well, look through the rest of the messages in this forum for a clue as to how it's fscking over many of the systems that make up the Internet that you use. Then remind yourself that you have grey matter between your ears and that it has an occasional use.

Less of this "I'm all right, Jack".


--It is impolite to tell a man who is carrying you on his shoulders that his head smells.

No need to get insulting. (2.42 / 7) (#56)
by qpt on Tue Sep 16, 2003 at 05:44:43 AM EST

Let's see here. In the other messages I see some yelping, some swearing, and you hollering at me. Also, someone's anti-spam solution might stop working. Thankfully, my anti-spam solution uses bayesian filtering and doesn't need reverse DNS. It works quite well, too!

Forgive me, but I'm not seeing the crisis. I realize that people are angry, for whatever reason, but I'm not, since this won't really impact me much at all.

Domine Deus, creator coeli et terrae respice humilitatem nostram.

wtf (5.00 / 3) (#90)
by Frequanaut on Tue Sep 16, 2003 at 10:11:24 AM EST

It doesn't affect you personally, therefore it's not a problem.

Nice fucking attitude.


Why should I care about badly designed MTAs? (2.50 / 8) (#93)
by Urpo on Tue Sep 16, 2003 at 10:20:22 AM EST

Boohoo, the "clever" geekage who use things that aren't designed for it, like validating envelope hostnames to detect spam, cry about it, as well as those doing stupid DNS tricks or with halfassed email setups. I don't see why I should care that a lot of people using hacks for their email are finally getting their comeuppance and will be forced to come back within the RFC'd fold.

Use a non-hacky, non-crappy, non-133t MTA and stop whining. This really doesn't affect anyone except above mentioned idiots.

--
Improvement makes strait roads, but the crooked roads without Improvement, are roads of Genius.

hrm (4.66 / 3) (#96)
by Wah on Tue Sep 16, 2003 at 10:45:48 AM EST

This really doesn't affect anyone except above mentioned idiots.

idiot defined as someone who ever misspells a URL in a browser or an email.  Seems like there's a few of those running around.

Not you, of course, but it does sometimes happen to others.
--
kewpie

WHat? (2.80 / 5) (#98)
by Urpo on Tue Sep 16, 2003 at 11:03:55 AM EST

Someone has already pointed this out, but it seems I have to again. If I mistype the URL, I'm not going to where I wanted to anyway - so if I go to Verisign, it doesn't matter. There's nothing violating about this and it's not affecting me one whit. What's your problem with it, then? How are these people who mistype URLs so grievously affected by being redirected to a site that will attempt to send them to the right one? Cos, you know, it's not clear to me.

--
Improvement makes strait roads, but the crooked roads without Improvement, are roads of Genius.

well, one way... (4.00 / 5) (#106)
by frozencrow on Tue Sep 16, 2003 at 12:20:21 PM EST

It is a fairly common tactic for proxy servers to throw out an information page when a "no such domain" error is received. Such a page would say things like "domain does not exist, please check your spelling, call the help desk if you feel this message is in error." This functionality is completely broken now for com and net domains, as all of the non-existent ones now exist, so far as DNS is concerned.

This isn't a big deal for people who have a clue. But the people who have a clue are not the ones who are going to be calling me (and other network admins the world over) asking about these fucking messages. Making highly visible changes that don't really need to be made is just stupid. In my ever so humble opinion.


my first reply was eaten, here's another. (4.75 / 4) (#123)
by Wah on Tue Sep 16, 2003 at 02:22:34 PM EST

If I mistype the URL, I'm not going to where I wanted to anyway - so if I go to Verisign, it doesn't matter.

You will go to Verisign, where you may or may not find out what went wrong. You will also never have the opportunity to use a competing service that does the same job.  In the current environment, if you get an error message, or a page locally configured to replace an error message, it is more likely that you will notice there is a problem and fix it yourself.  With the change, it's something of a misnomer to say a page 'cannot be found'.  All pages are found, but most of them don't exist.

Ping, nslookup and pretty much anything else that uses DNS might also do some strange things that could be misleading, not the least of which is getting false positives for typos.  As someone who deals a lot with tracking down ';'s in the wrong place, this can be annoying.  And thinking that something works when it doesn't can lead to catastrophe down the road.

There's nothing violating about this and it's not affecting me one whit.

But you repeat yourself.

What's your problem with it, then?

A fundamental change in the way the Internet functions that can be mightily abused by a company that already has one of the worst reputations for customer service on the planet, perhaps?  

How are these people who mistype URLs so grievously affected by being redirected to a site that will attempt to send them to the right one?

And of course, use their mistake to try and sell them something along the way, based on a profile that can be downloaded from their browser and now tracked and tagged with a web bug downloaded off of Verisign's redirect page.  "Grievous" is your word.  I just consider it under-handed and sneaky.  Most people will never notice that they are being fooled, and something about that bothers me.

We will also see some other problems from this action, especially in applications with URL error-handling.  And of course, the fact that any solutions to those problems will have to come from, and be dependent upon, the company that just hijacked the net.  And that nobody else can offer a solution, since DNS trumps the lot of them.
--
kewpie

Well, its a monopoly of sorts already (3.00 / 5) (#126)
by Urpo on Tue Sep 16, 2003 at 03:42:16 PM EST

I think the "consumer choice" is not relevant here. Verisign have a monopoly on .com and .net as things are. If you are worried about how precisely non-existing domain names should be treated within their hierarchy - and how they have a monopoly on how this happens - you should also be worried about the entire DNS structure and how it grants companies a monopoly in any given TLD. In short, the particular issue of Verisign adding this functionality is irrelevant because it does not suddenly become a monopoly when it does so - it already is one.

It was just a matter of time before somebody dropped a wildcard in the TLDs, and now you're upset because the bad behavior you've come to expect has been replaced with a different bad behavior. This is no surprise, it was debated and posted anywhere anybody who cares about dns should be reading.

There is no behaviour that it *should* have when trying to resolve something that does not exist. I would say that if you depend on undefined behaviour for your emails or whatever, you only have yourself to blame. How they deal with it is at the discretion of the provider. I should think most people will be happier with a system that attempts to correct their mistyped URLs. Yes, they don't know that service is from Verisign. So what? The user is not contracted to Verisign at point of use, the person who buys the domain is. If you prefer your URLs to use a different TLD where behaviour is different, then you are free to move it there.

I think it is an overstatement to say that people are being "fooled" when the site they are trying to navigate to does not exist. The behaviour you expect then is undefined and there is no standard. That verisign have decided to attempt to provide something useful to the vast majority of users in that circumstance is worthy of applause, IMHO.

Also, people are dickheads, if a bogus .com or .net fucks up your setups that bad, you have a seriously fucked up setup. Were these people crying when whateverbullshit.cc would resolve to registrar.cc? Did it fuck up their precious clever secondary mx records or whatever they're yammering about that just exposes their ignorance? Secondary mx records with typos or some shit? "waaa, now we get bounce instead of cannot connect, difficult to diagnose, waaa!" They're fucking retards, set stuff up by the book, use well-supported, standard stuff, and check hostnames when you type them in. END OF STORY.

--
Improvement makes strait roads, but the crooked roads without Improvement, are roads of Genius.

clearing things up (4.50 / 2) (#150)
by Wah on Wed Sep 17, 2003 at 11:35:33 AM EST

In short, the particular issue of Verisign adding this functionality is irrelevant because it does not suddenly become a monopoly when it does so - it already is one.

This is not a point of contention.  DNS as a protocol (and I have not refreshed my knowledge of the rfc's for this reply) lends itself to this kind of structure.  As with other monopoly situations, it is not the existence of monopoly that is the problem, but the abuse of monopoly.

It was just a matter of time before somebody dropped a wildcard in the TLDs, and now you're upset because the bad behavior you've come to expect has been replaced with a different bad behavior. This is no surprise, it was debated and posted anywhere anybody who cares about dns should be reading.

You are confusing me with a full-time admin.  I am familiar with these issues, but do not, at present, work on network infrastructure full time.  It's just a matter of time until everyone dies, but that isn't a good argument for suicide. I also don't quite understand what this 'bad behavior I've come to expect' is.

There is no behaviour that it should have when trying to resolve something that does not exist.

I dunno, when things break, I would expect them to act broken.

How they deal with it is at the discretion of the provider. I should think most people will be happier with a system that attempts to correct their mistyped URLs. Yes, they don't know that service is from Verisign. So what? The user is not contracted to Verisign at point of use, the person who buys the domain is.

As the owner of several such domains, and the person with this 'contracted service', I am not happy with them using people who can't spell my website as a vehicle for promoting whatever they wish to promote.  So there's your first poll response, I'm curious to see what others like myself think.

If you prefer your URLs to use a different TLD where behaviour is different, then you are free to move it there.

You haven't spent as much time trying to work with their customer support as I have, I'm guessing.  Yes, I am free to move it, but they suck so bad, it's far more economical to just get a new domain.  This is not a good solution from any vantage point, especially considering the near necessity of a '.com' or '.net' for any serious internet venture.

The behaviour you expect then is undefined and there is no standard. That verisign have decided to attempt to provide something useful to the vast majority of users in that circumstance is worthy of applause, IMHO.

Perhaps this is the case.  They will also shoot to the top of any net monitoring service that uses logs to find out what sites people are visiting. Then there's the millions, if not billions of ad impressions they can sell in exchange for providing something 'useful'...that  no one can really avoid.

--
Also, people are dickheads, if a bogus .com or .net fucks up your setups that bad, you have a seriously fucked up setup. Were these people crying when whateverbullshit.cc would resolve to registrar.cc? Did it fuck up their precious clever secondary mx records or whatever they're yammering about that just exposes their ignorance? Secondary mx records with typos or some shit? "waaa, now we get bounce instead of cannot connect, difficult to diagnose, waaa!" They're fucking retards, set stuff up by the book, use well-supported, standard stuff, and check hostnames when you type them in

I don't know who this strawman is, but you burned him to a crisp.  None of this has anything to do with my complaints.
--
kewpie

Also (4.50 / 2) (#152)
by Wah on Wed Sep 17, 2003 at 12:44:44 PM EST

this is directly affecting me personally.

I guess your next suggestion is that I should change my domain to work around their hijacking and crappy prediction software?

Notice the number of keystrokes it now takes to fix this problem.  It's gone from 1, to at least 21.

And have you read this?  You should, it applies to you.  And if you clicked that link above, you've already agreed to it.
--
kewpie

How is that affecting you personally? (3.00 / 3) (#168)
by Urpo on Thu Sep 18, 2003 at 12:12:18 PM EST

If you think that domain which doesn't exist should somehow point to you, then register it!

Regarding your other comment, when things break, currently, they do act broken by taking you to a page saying "Oh! That URL doesn't exist. Sorry." That seems to be acting broken to me, even though it may not be acting broken in the precise way you would prefer it to (a matter of custom and not any explicit design). Whatever the domain registrar does when the domain does not exist is an "abuse of monopoly" - you are saying that it behaving in one way, instead of another, is somehow an abuse. I can't see why this is so.

As for my strawman, it wasn't a strawman because it wasn't aimed at you, it was a more generalised piss and moan.

--
Improvement makes strait roads, but the crooked roads without Improvement, are roads of Genius.

Um, did you not read? (4.00 / 3) (#169)
by Wah on Thu Sep 18, 2003 at 02:30:32 PM EST

How is that affecting you personally?

And my previous response: Notice the number of keystrokes it now takes to fix this problem.  It's gone from 1, to at least 21.  For me personally, their 'service' hurts more than it helps.

"Regarding your other comment, when things break, currently, they do act broken by taking you to a page saying "Oh! That url doesn't exist. Sorry."

Well, I will agree with you if you use the Hollywood version of 'act broken', i.e. it isn't but it acts like it.  The page is resolving, just not where it shouldn't be.  BTW, did you read the privacy statement for that page?  That is not acting broken.  Errors don't track usage.  Errors don't sell advertising based on 'anonymous' (IP) profiles.  Errors don't include cookies.

"Whatever the domain registrar does when the domain does not exist is an "abuse of monopoly" - you are saying that it behaving in one way, instead of another, it is somehow an abuse."

I don't see what you are saying.  Let's see, before: mis-typed domain, no resolution error message.  What action in that sequence is abuse?  You seem to see it, I can't.  After: mis-typed domain, poor suggestions, error harder to fix, person making error profiled and targeted, without their consent.  This might actually be illegal in the EU, but I couldn't say for sure.
--
kewpie

actually... (4.50 / 2) (#155)
by tabris on Wed Sep 17, 2003 at 02:06:09 PM EST

Some non-geeks use this very technique. AOL uses a blacklist. BellSouth checks sender domains (I got caught by this once till I added another MX record to my DNS setup for my internal machine name).
Now, admittedly, because mine was a third-level domain and the second level exists, it would not have been caught by Verisign's wildcard; the fact remains that there are professional/corporate sites out there that use this technique, whether it breaks the RFC or not.

Are you just stupid? (3.25 / 4) (#156)
by DavidTC on Wed Sep 17, 2003 at 02:34:06 PM EST

The RFCs explicitly say that the email address in the envelope MUST have a valid domain name (or be local, but someone claiming to be a local user when they aren't is also a perfectly valid reason to reject).

Someone whose MTA checks that isn't running some hacky, crappy, 133t MTA; it's just something that isn't incredibly lax in what it accepts. People are required to send mail with valid full domains in the MAIL FROM, unless they have some sort of arrangement with that server (for example, if they are in /etc/hosts); it's not some crazy half-assed optional thing. For one thing, if the address is invalid, the mail server can't bounce the message.

There are plenty of spam checks that are of questionable RFC-ness, like requiring rDNS, and even matching rDNS to HELO, and some that are mostly RFC compatible but probably not a good idea, like requiring a fully valid hostname in HELO. (Although while the RFC requires the client to do that, it says the server is not supposed to reject based on the validity of that, but you can, paradoxically reject based on random policy decisions, so all you have to do is say that you will not accept mail from clients that don't fulfill their RFC requirements.)

But requiring the mail comes with a goddamn valid hostname in the MAIL FROM is not one of them, that make a hell of a lot of sense. People should not send you email that cannot be bounced or replied to, and that's straight out of the standard too so there's no room for complaints. An invalid sender is a perfectly valid reason to reject email, and any email address with a nonexistent domain is automatically an invalid email address.

-David T. C.
Yes, my email address is real.

You're an idiot, shut up (3.00 / 2) (#166)
by Urpo on Thu Sep 18, 2003 at 12:03:19 PM EST

and read this closely.

Then explain to me how verisign's actions affect whois records for checking domain names.

--
Improvement makes strait roads, but the crooked roads without Improvement, are roads of Genius.

BTW (3.00 / 3) (#167)
by Urpo on Thu Sep 18, 2003 at 12:06:24 PM EST

This in particular points out how you're a jerkoff.

In other words, SMTP crafters say non-dns-registered senders are legit, so fuck, I say, to you. "Should" is the key. If it said MUST sendmail would be spam filtering when I enter HELO hi.fuk.u.

--
Improvement makes strait roads, but the crooked roads without Improvement, are roads of Genius.

Who the FUCK... (3.33 / 3) (#177)
by DavidTC on Fri Sep 19, 2003 at 02:44:24 PM EST

...mentioned filtering on HELO or EHLO? That is what the section you were pointing to was talking about. I explicitly said it was of questionable RFC-ness to check HELO, although there have been claims either way.

I said checking MAIL FROM is valid. Read 3.6:

Only resolvable, fully-qualified, domain names (FQDNs) are permitted when domain names are used in SMTP. In other words, names that can be resolved to MX RRs or A RRs (as discussed in section 5) are permitted, as are CNAME RRs whose targets can be resolved, in turn, to MX or A RRs. Local nicknames or unqualified names MUST NOT be used.

Now, does MAIL TO actually require a domain name? Let's check....why, no, it doesn't, it says it requires a source path back to the mailbox:

The reverse-path consists of the sender mailbox. Historically, that mailbox might optionally have been preceded by a list of hosts, but that behavior is now deprecated (see appendix C). In some types of reporting messages for which a reply is likely to cause a mail loop (for example, mail delivery and nondelivery notifications), the reverse-path may be null.

So, the reverse path may be null, or a mailbox. So what's a mailbox? That's in 2.3.10:

An address normally consists of user and domain specifications. The standard mailbox naming convention is defined to be "local- part@domain": contemporary usage permits a much broader set of applications than simple "user names".

So, a MAIL FROM needs something@domain name, and a domain name is defined to be a resolvable, fully-qualified domain name, i.e., it has to exist.

And, yes, there are various exceptions, like a null path, and even some that aren't listed. For example, you can possibly use username@[<ip address>], in brackets like that, although I don't think it's valid in MAIL FROM. But that's not important; the important thing is that what I said is completely true: it is perfectly valid to look up the sender's claimed domain name to see if it exists, as they are required to have a valid (or null) reverse path, and any email address without a valid domain name is de facto invalid.

As for checking on HELO, I have to point out it also says that HELO contains a 'fully-qualified domain name' if it has one, or it SHOULD have an address literal. The problem there is that the RFC says 'SHOULD', but probably means 'MUST', as there's no other option given...the damn field has to have something. But I'm not going to argue that it's valid to block based on that.

However, section 7.7 clearly says that while doing so may endanger the ability of the email system to function, it's perfectly acceptable to reject mail for any damn reason you feel like. You can reject mail servers that HELO with anything starting with a 'z' if you want.

-David T. C.
Yes, my email address is real.
[ Parent ]

E-mail bounces (4.50 / 4) (#60)
by Lynoure on Tue Sep 16, 2003 at 06:45:14 AM EST

I had to test it, of course.

There is a bounce, e.g.:

<lynoure@lyyynnoure.com>: host lyyynnoure.com[64.94.110.11] said: 550 User          domain does not exist. (in reply to RCPT TO command)

Unlike previously, this bounce arrives slower and is slightly misformed (you can all probably spot the paradox above).

It's all just a selfish ugly kludge.
   

[ Parent ]

Broken indeed (4.42 / 7) (#82)
by willie on Tue Sep 16, 2003 at 08:53:51 AM EST

No matter what you send, the reply from the mail server is:

250 OK

250 OK

550 User domain does not exist.

250 OK

221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.

Which they are assuming will correspond with a HELO, MAIL FROM, RCPT TO, DATA.

Of course, this isn't always the case, so it will break and confuse a lot of stuff.

[ Parent ]

no, it will bounce immediately (4.25 / 4) (#62)
by frozencrow on Tue Sep 16, 2003 at 06:48:32 AM EST

They're running a mail bouncer on the target machine, so you'll get a "no such user/domain" message just slightly slower than if name lookups returned NXDOMAIN.

Unless the mail bouncer goes down, in which case, yes your mail will sit in a mail queue somewhere for a while (5 days is the typical value.)

[ Parent ]

Sorry, but you are wrong, because... (4.80 / 5) (#70)
by hummassa on Tue Sep 16, 2003 at 08:01:46 AM EST

It should return a negative DNS lookup, so I can correct the address. If it doesn't, it's hijacking.

[ Parent ]
No. (3.75 / 4) (#103)
by qpt on Tue Sep 16, 2003 at 11:37:26 AM EST

It just doesn't behave as you might prefer.

The notion that a packet with no destination can be misdirected is laughable.

Domine Deus, creator coeli et terrae respice humilitatem nostram.
[ Parent ]

I expect... (4.00 / 2) (#143)
by hummassa on Wed Sep 17, 2003 at 06:25:38 AM EST

that a package in snail-mail, addressed to <my name (23 chars) with 5 typos>, <my street name (20 chars) with 5 typos>, <number of my building + 2>, <any number of apartment> reaches me in the same way others do; and, guess what, it happens! Until Verisign pulled this, every web client had the option of, when not finding an address, starting a web search and trying something...

[ Parent ]
Backup MXs. (5.00 / 4) (#154)
by DavidTC on Wed Sep 17, 2003 at 02:03:27 PM EST

They are, in fact, hijacking connections to backup MXs.

If you set up, let's say, example.com, and set the lowest priority MX record for it to mail.exaple.net (note the typo), and a backup to mail.example.org, before, it would try mail.exaple.net, figure there is no such site, and try mail.example.org.

Now, of course, there is a mail.exaple.org.

Likewise, they are redirecting purchased but unpointed names. If I purchased [myname]sucks.com and pointed it nowhere, I damn well want it to go nowhere, that is the correct destination.

Anyway, pretending that 'nowhere' is not a correct destination for network traffic is just incorrect. 'nowhere' is a perfectly valid destination, and when I'm going nowhere, I damn well want to know it, I don't want all 'nowhere' to magically point to somewhere else.

If you're in a small town, and ask for directions to McDonalds, do you want someone directing you to Barnes and Nobles without telling you because there is no McDonalds in the town, instead of just telling you there is no McDonalds?

If you go to mapquest and look up the driving directions to 'Gainsville GA', do you want it directing you to the Mall of Georgia because there is no Gainsville GA, it's Gainesville with an e? I would be very upset if they did that, but I guess that's okay in your world.

Pretending that it's okay to direct people randomly when they don't know where they are going is insane. The correct thing to do is to tell them they don't know where they're going.

And, for what it's worth, hijacking a connection simply involves redirecting it without the consent of one of the ends. In this case, there is only one end, but that doesn't make it any less hijacking. The other end didn't magically give consent by not existing.

-David T. C.
Yes, my email address is real.
[ Parent ]

Nope. (2.40 / 5) (#160)
by qpt on Wed Sep 17, 2003 at 09:15:26 PM EST

What a surprise, a nerd confused himself with an analogy.

Nowhere is not a destination. It isn't someplace where traffic can be directed, so it's simply incoherent to talk about traffic being redirected away from nowhere.

Now, your analogies regarding McDonalds and Gainesville are just stupid. McDonalds and Gainesville are actual places that exist outside of Mapquest, etc. A mapping of domain names to IP addresses is different, though. Mapquest doesn't define the name and location of Gainesville; it describes it, and can thus be wrong.

In contrast, DNS records define the mapping of domain names to IP addresses. As it turns out, the IP address associated with the domain whwhwhwhwhwhwahahshw.com is 64.94.110.11, since that is what the DNS records indicate. Now, I might wish that whwhwhwhwhwhwahahshw.com had a different IP, or maybe none at all, but I can't say the mapping is wrong.

Domine Deus, creator coeli et terrae respice humilitatem nostram.
[ Parent ]

Another write up and Rant off of NANOG (4.60 / 10) (#33)
by Lin Dze on Tue Sep 16, 2003 at 02:00:35 AM EST

Here's another write up and rant that I pulled off of NANOG tonight: http://www.haque.net/verisign_dns_rant.php

Includes a few technical details about how their redirector is working and some things it's doing to break SMTP. Also details how they aren't adhering to their stated implementation white paper.

Here's the 'official' post from their contact. Also if you look at the last day's NANOG archive they seem to have dearly pissed off most N. American net engineers.

So, how many people will still defend ICANN and VeriSign after this?

-Lin Dze
"Facts don't cease to exist because they are ignored." Aldous Huxley

Any way to change this to Topical? N/T (5.00 / 2) (#35)
by Lin Dze on Tue Sep 16, 2003 at 02:03:04 AM EST



-Lin Dze
"Facts don't cease to exist because they are ignored." Aldous Huxley
[ Parent ]
"Official" Verisign response link broken (4.50 / 2) (#175)
by phliar on Fri Sep 19, 2003 at 01:25:12 PM EST

The URL http://www.merit.edu/mail.archives/nanog/msg13603.html doesn't go anywhere, I guess since it's off the "most recent 300" list. Can you tell us anything about this — date, name of sender, whatever — that we can use to find this message?

Faster, faster, until the thrill of...
[ Parent ]

Sorry, here it is (none / 0) (#181)
by Lin Dze on Thu Sep 25, 2003 at 04:34:38 AM EST

Here's the whole thing, minus some clipped headers for space.

**** Original Message Follows ****

Return-Path: <owner-nanog@merit.edu>
Delivered-To: lindze@unixninjas.org
Date: Mon, 15 Sep 2003 19:24:29 -0400
From: Matt Larson <mlarson@verisign.com>
To: nanog@nanog.org
Subject: Change to .com/.net behavior
Message-ID: <20030915232429.GA15402@chinook.rgy.netsol.com>
Sender: owner-nanog@merit.edu
Precedence: bulk
Errors-To: owner-nanog-outgoing@merit.edu
X-Loop: nanog

Today VeriSign is adding a wildcard A record to the .com and .net
zones. The wildcard record in the .net zone was activated from
10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
being added now. We have prepared a white paper describing VeriSign's
wildcard implementation, which is available here:

http://www.verisign.com/resources/gd/sitefinder/implementation.pdf

By way of background, over the course of last year, VeriSign has been
engaged in various aspects of web navigation work and study. These
activities were prompted by analysis of the IAB's recommendations
regarding IDN navigation and discussions within the Council of
European National Top-Level Domain Registries (CENTR) prompted by DNS
wildcard testing in the .biz and .us top-level domains. Understanding
that some registries have already implemented wildcards and that
others may in the future, we believe that it would be helpful to have
a set of guidelines for registries and would like to make them
publicly available for that purpose. Accordingly, we drafted a white
paper describing guidelines for the use of DNS wildcards in top-level
domain zones. This document, which may be of interest to the NANOG
community, is available here:

http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf

Matt
--
Matt Larson <mlarson@verisign.com>
VeriSign Naming and Directory Services


-Lin Dze
"Facts don't cease to exist because they are ignored." Aldous Huxley
[ Parent ]

He-he. (3.80 / 5) (#36)
by i on Tue Sep 16, 2003 at 02:12:57 AM EST

sitefinder-idn.verisign.com (64.94.110.11) does not accept connections to port 80 as of now.

and we have a contradicton according to our assumptions and the factor theorem

The redirect works for me (5.00 / 2) (#38)
by Mister Pmosh on Tue Sep 16, 2003 at 02:23:25 AM EST

I emailed my cable modem provider (Cox Communications) to inform their legal department that VeriSign is infringing on their trademark by redirecting misspelled and near domain names to Verisign sites. The site I tested redirected me to http://sitefinder.verisign.com/lpc?url=www.coxc.net&host=www.coxc.net

I think that if everyone contacts all the companies they know and asks them to sue Verisign for infringing on trademarks, perhaps that company can be put out of business permanently to prevent them from other criminal acts like this.
"I don't need no instructions to know how to rock!" -- Carl
[ Parent ]

Works for me too now. (5.00 / 2) (#50)
by i on Tue Sep 16, 2003 at 04:51:30 AM EST

The b@st@rds must be sued and blackholed.

and we have a contradicton according to our assumptions and the factor theorem

[ Parent ]
not me (5.00 / 2) (#91)
by Frequanaut on Tue Sep 16, 2003 at 10:12:00 AM EST



[ Parent ]
Wipe them out, all of them. (4.68 / 16) (#37)
by pb on Tue Sep 16, 2003 at 02:21:31 AM EST

Verisign, how do you propose to help us search the web when you can't find your own ass with a map and a troop of boy scouts?
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
Terms of Use (4.60 / 5) (#147)
by killthiskid on Wed Sep 17, 2003 at 08:51:02 AM EST

From their Terms of Use page.

Sole Remedy.

YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED WITH ANY OF THE MATERIALS, RESULTS OR OTHER CONTENTS OF THE VERISIGN SERVICES OR WITH THESE TERMS AND CONDITIONS, OUR PRIVACY STATEMENT, OR OTHER POLICIES, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE.

Uhh... I sure as hell don't agree with or am satisfied by their services. They say the SOLE REMEDY is to quit using their services... which I can't do!

There has to be some legal form of recourse based on the above.



[ Parent ]
yes, but I can... (4.33 / 3) (#151)
by pb on Wed Sep 17, 2003 at 11:43:14 AM EST

iptables -A OUTPUT -d 64.94.110.11 -j REJECT

I'm not about to let those bastards waste my time and log my traffic. But I do hope that someone does sue them, and causes them much suffering.

Verisign, I'm not sure if I've ever done business with you before, but now I'll make sure to never do so in the future.
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
[ Parent ]

couple of points (4.16 / 12) (#39)
by Run4YourLives on Tue Sep 16, 2003 at 02:52:24 AM EST

Microsoft (msn) is going to be pissed... it hi-jacks IE by default, that's a lot of lost revenue.

They better have one fuck of a server running that POS, they're going to get DOSed like there's no tomorrow.


It's slightly Japanese, but without all of that fanatical devotion to the workplace. - CheeseburgerBrown

It would be interesting if someone... (4.66 / 6) (#47)
by Ta bu shi da yu on Tue Sep 16, 2003 at 04:24:01 AM EST

... made an email virus that spammed with the effectiveness of a normal MS worm... but all it did was just open IE to a domain with a random sequence of characters with a .com added to the end.

DDOS city!

Yours humbly,
Ta bù shì dà yú


---
AdTI - "the think tank that didn't".
[ Parent ]

give it a week... (4.33 / 3) (#110)
by Run4YourLives on Tue Sep 16, 2003 at 12:53:20 PM EST

But they've got to have thought of that, you'd think.

It's slightly Japanese, but without all of that fanatical devotion to the workplace. - CheeseburgerBrown
[ Parent ]
Better than that (4.66 / 3) (#128)
by vadim on Tue Sep 16, 2003 at 03:52:37 PM EST

The virus should be completely invisible, and:

Include a long list of NTP servers in the worm, sync the computer with the server once on install. DoSing the NTP server would be bad, since the attack would be less effective.

Resolve random domain names at a fixed interval, say, every 5 minutes, at :00 seconds. With synced clocks this will generate a lot of load on the servers.

To make it even more evil, read the whole page into /dev/null.

To make it *even* more evil, monitor the network for activity, and do the HTTP access only during activity, to make it less noticeable.
--
<@chani> I *cannot* remember names. but I did memorize 214 digits of pi once.
[ Parent ]

Solution? (3.57 / 7) (#40)
by Mister Pmosh on Tue Sep 16, 2003 at 03:05:50 AM EST

Why not simply put:

127.0.0.1 sitefinder.verisign.com

in your hosts file? While it's true that the original misspelling will work, it shouldn't be able to redirect you to the shitefinder site.
"I don't need no instructions to know how to rock!" -- Carl

I don't think so (5.00 / 3) (#53)
by arvindn on Tue Sep 16, 2003 at 05:17:41 AM EST

This is not an HTTP URL-redirection. What they've done is to make the DNS resolve the site to verisign's IP. So this affects even SMTP and other protocols. The domain name sitefinder.verisign.com doesn't even enter the picture. You can find out what domain it actually is only by doing an RDNS lookup. So the only solution here is to blackhole the IP.

At least that's how I understood it. Please correct me if I'm wrong.

So you think your vocabulary's good?
[ Parent ]

yes, mostly (5.00 / 3) (#63)
by frozencrow on Tue Sep 16, 2003 at 06:58:32 AM EST

OB Pedant: You're correct, except for the RDNS part--a "reverse lookup" (IP to domain name) is really disjoint from a "forward lookup" (domain name to IP.) The reverse lookup may yield a value which bears no similarity to the forward lookup. There is no hard requirement that the two correspond. (If there were, lots of stuff, virtualhosted websites, for example, would break.)

It *is* considered good form for a reverse lookup to return a domain name that can then be forward resolved to yield the original IP that you did a reverse lookup on. Many mailservers require this to be true before they'll accept mail from a given IP.

Long story short (too late,) the relationships are not 1:1.

[ Parent ]

It works for me (5.00 / 3) (#121)
by Mister Pmosh on Tue Sep 16, 2003 at 01:57:12 PM EST

When I attempt to type in a bad URL that would normally lead to a Verisign site, I basically get told that the server is down, because it's going to my localhost which is not running a web server.

This is not going to help with mail servers and such, but it helps the average joe who is just browsing the internet. It's just that you won't be able to differentiate between whether a server is down or whether it's just sitefinder crap.
"I don't need no instructions to know how to rock!" -- Carl
[ Parent ]

it's right (none / 0) (#184)
by coolos27 on Wed Jan 14, 2004 at 05:02:10 PM EST

No it's true yes


Teens Sexe

[ Parent ]
Yes and no (4.50 / 2) (#88)
by Stavr0 on Tue Sep 16, 2003 at 10:00:22 AM EST

I prefer

0.0.0.0 sitefinder.verisign.com

and adding a total ZoneAlarm block on sitefinder.verisign.com plus 64.94.110.11. This way the addr/site will report a 'server not found' again. BTW the first hit to unknowndomainxyz.com resolves to 64.94.110.11 and reports HTTP 302 MOVED followed by a redirection to http://sitefinder.verisign.com/?q=unknowndomainxyz.com
- - -
Pax Americana : Oderint Dum Metuant
[ Parent ]
Simple solution (3.57 / 7) (#41)
by TVoFin on Tue Sep 16, 2003 at 03:41:35 AM EST

iptables -I forward -d 64.94.110.11 -j DENY

IB, life, sleep -- pick any two. --Anonymous IB senior.

Solution, huh? (4.50 / 4) (#44)
by Ta bu shi da yu on Tue Sep 16, 2003 at 03:59:54 AM EST

What about those people who want the automatic search in IE?

Yours humbly,
Ta bù shì dà yú

---
AdTI - "the think tank that didn't".
[ Parent ]

iptables v1.2.6a (3.50 / 2) (#45)
by Prophet themusicgod1 on Tue Sep 16, 2003 at 04:05:28 AM EST

Couldn't load target 'DENY':/lib/iptables/libipt_DENY.so:cannot open shared object file:No such file or directory
try 'iptables -h' or 'iptables --help' for more information
"I suspect the best way to deal with procrastination is to put off the procrastination itself until later. I've been meaning to try this, but haven't gotten around to it yet."swr
[ Parent ]
Maybe use... (5.00 / 2) (#113)
by stormysky on Tue Sep 16, 2003 at 01:08:09 PM EST

iptables -A INPUT -d 64.94.110.11 -j DROP

That's just off the top of my head, might be wrong.  The 'DROP' is right though.
We can face anything, except for bunnies.
[ Parent ]

hrm. (5.00 / 1) (#115)
by Prophet themusicgod1 on Tue Sep 16, 2003 at 01:18:03 PM EST

what that appears to do is to have all connections to that ip address just drop into the abyss, never to return, or to report back.
i like. thank you
"I suspect the best way to deal with procrastination is to put off the procrastination itself until later. I've been meaning to try this, but haven't gotten around to it yet."swr
[ Parent ]
that (5.00 / 1) (#137)
by Prophet themusicgod1 on Wed Sep 17, 2003 at 01:45:17 AM EST

not only segfaulted all my elinks windows, but also caused a problem in finding my dns or something and practically knocked me off the internet. not-fun.
"I suspect the best way to deal with procrastination is to put off the procrastination itself until later. I've been meaning to try this, but haven't gotten around to it yet."swr
[ Parent ]
Gack! (5.00 / 1) (#164)
by stormysky on Thu Sep 18, 2003 at 03:30:20 AM EST

I didn't have any trouble, and I added that to mine.  I didn't bother tossing it into my pppout rule chain... but, shouldn't make a difference.

Not sure what happened there --- also, that solution (at least for that IP) didn't work terribly well for me, since I'm still getting the verisign crap.  If having that rule in is crashing ya, you might just have more significant problems, anyway.

We can face anything, except for bunnies.
[ Parent ]

btw [OT:sig] (3.50 / 2) (#46)
by Prophet themusicgod1 on Tue Sep 16, 2003 at 04:06:08 AM EST

i simply love your quote
"I suspect the best way to deal with procrastination is to put off the procrastination itself until later. I've been meaning to try this, but haven't gotten around to it yet."swr
[ Parent ]
Broken solution (4.50 / 2) (#92)
by Stereo on Tue Sep 16, 2003 at 10:17:27 AM EST

You'll get enormous mail queues that will build up during a week, etc. What we need is something to put in our DNS server config files to return NXDOMAIN when the root server returns 64.94.110.11.

There are some patches around, but I don't really feel like patching my DNS server with untested patches yet, and all the config changes I've seen aren't returning NXDOMAIN.

kuro5hin - Artes technicae et humaniores, a fossis


[ Parent ]
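One way to do what this comment asks for, written here as an added example rather than any DNS server's own configuration or patch: a Python post-filter that parses an upstream response and, when an A answer carries 64.94.110.11, rewrites it into an NXDOMAIN reply with the same transaction id and question and an empty answer section. The response it checks is constructed inline (`build_a_response` is a test helper, not a real resolver); a real deployment would have to sit between the recursive resolver and its upstream.

```python
# Added example, not code from the thread or from any DNS server: a post-filter
# that turns an upstream answer carrying the SiteFinder address into NXDOMAIN.
import struct

WILDCARD_IP = "64.94.110.11"       # the A target the thread identifies
TYPE_A, CLASS_IN, RCODE_NXDOMAIN = 1, 1, 3


def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def _question_end(msg):
    """Offset of the first byte after the question section."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    return off


def answers(msg):
    """List (type, rdata) for every record in the answer section."""
    ancount = struct.unpack("!H", msg[6:8])[0]
    off = _question_end(msg)
    out = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        out.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return out


def rcode(msg):
    """The RCODE field from the header flags."""
    return struct.unpack("!H", msg[2:4])[0] & 0xF


def rewrite_wildcard(msg):
    """Return msg unchanged unless an A answer is WILDCARD_IP; in that case
    return an NXDOMAIN reply with the same id and question and no answers."""
    bad = bytes(int(o) for o in WILDCARD_IP.split("."))
    if not any(t == TYPE_A and r == bad for t, r in answers(msg)):
        return msg
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    flags = (flags & 0xFFF0) | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0)
    return header + msg[12:_question_end(msg)]


def build_a_response(qname, ip, txid=0x1234):
    """Constructed sample: a minimal response with one A answer (test helper)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    typo = build_a_response("mail.exaple.net", WILDCARD_IP)
    print("rcode before:", rcode(typo), "after:", rcode(rewrite_wildcard(typo)))
```

The filter keys on a single address, which, as noted elsewhere in the thread, could change at any time, and anything legitimately served from that address would be hidden as well.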
Uh.. (5.00 / 3) (#116)
by awgsilyari on Tue Sep 16, 2003 at 01:21:49 PM EST

That won't even work. You probably want something like:

iptables -N fuck-verisign
iptables -A fuck-verisign -s 64.94.110.11 -j DROP
iptables -A fuck-verisign -d 64.94.110.11 -j DROP
iptables -I INPUT -j fuck-verisign
iptables -I FORWARD -j fuck-verisign
iptables -I OUTPUT -j fuck-verisign

Anything having anything at all to do with that IP will be blackholed.

--------
Please direct SPAM to john@neuralnw.com
[ Parent ]

Better solution (4.50 / 2) (#142)
by dark on Wed Sep 17, 2003 at 05:07:04 AM EST

Use REJECT instead. That way you get an immediate error instead of timing out.

[ Parent ]
F***K Spamming vermin, verisign (3.83 / 6) (#48)
by RipCurl on Tue Sep 16, 2003 at 04:30:04 AM EST

They need to get their heads out of the rear-end of the internet first. I've had Verisign blackholed on my server for the last 2 years.
They are spamming vermin. When they were the ONLY registrars on the net, people had to use them; once I found a better place, Verisign lost my business ( they are freaking expensive ) for the five domains I own. And I'm with a reputable registrar that ACTUALLY cares about their customers instead of fsking them over.

.com/org/net @ 12?/year (4.50 / 2) (#86)
by Vesperto on Tue Sep 16, 2003 at 09:54:17 AM EST

joker.com - if you see a Verisign page that's because i misspelled the URL, sorry.

If you disagree post, don't moderate.
[ Parent ]
Other Internet services (4.61 / 18) (#52)
by Builder on Tue Sep 16, 2003 at 05:13:44 AM EST

While this might be slightly annoying behaviour in web browsers, it's an absolute nightmare on other services.

Many anti-spam solutions check the domain in the envelope-from header before accepting mail. If that domain doesn't exist, the e-mail is flagged as spam. With this abortion, any .com or .net will be shown to exist.

Secondly, this can cause problems for mail delivery. If there was a problem with the primary MX record for a domain (the record, not the server that the record points at!), mail would normally have been delivered to a backup MX. This would happen if the primary record was misspelled or the domain had lapsed, etc. Since this change, instead of delivering to backup MX, mail will now be delivered to the verisign machine WHICH HAS AN SMTP SERVICE LISTENING! This means that mail will bounce instead of being stored for later retrieval.

This fuckup makes troubleshooting services on the Internet a bitch.
--
Be nice to your daemons

Not quite (4.33 / 6) (#57)
by itsbruce on Tue Sep 16, 2003 at 05:50:39 AM EST

They're only redirecting A queries, not MX queries. No properly-functioning MTA should be routing any mail to verisign because of this. What it will do, however, is make those well-behaved MTAs waste a lot of time retrying the delivery for every mistyped recipient domain.

--It is impolite to tell a man who is carrying you on his shoulders that his head smells.
[ Parent ]

Not quite. (4.50 / 8) (#65)
by ubernostrum on Tue Sep 16, 2003 at 06:59:32 AM EST

Verisign claim they've set up a rudimentary SMTP server on that address, with the sole purpose of returning an SMTP error 550 on anything sent to it. So you'll get an immediate bounce instead of a timeout on mail sent to a nonexistent domain.


--
You cooin' with my bird?
[ Parent ]
But I don't want a bounce! (4.16 / 6) (#68)
by Builder on Tue Sep 16, 2003 at 07:49:23 AM EST

I want my mail to go to my backup MX server like it was designed to . Fuckers.
--
Be nice to your daemons
[ Parent ]
I wish (4.50 / 4) (#95)
by Bradley on Tue Sep 16, 2003 at 10:35:44 AM EST

As people on other sites have noticed, it doesn't - it assumes the content of the SMTP conversation:

$ telnet asdadadadadada.com 25
Trying 64.94.110.11...
Connected to asdadadadadada.com.
Escape character is '^]'.
220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready
as
250 OK
as
250 OK
asda
550 User domain does not exist.
asd
250 OK
asda
221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.

Which means that if you have mail to more than one person, you'll get an OK for the second address, and a 221 for the DATA, which will probably (haven't checked) cause mail servers to retry.

[ Parent ]

fondling snubby (5.00 / 2) (#109)
by Entendre Entendre on Tue Sep 16, 2003 at 12:43:09 PM EST

telnet asdfasdfasdfasdfsda.com smtp
Trying 64.94.110.11...
Connected to asdfasdfasdfasdfsda.com (64.94.110.11).
Escape character is '^]'.
220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
mail from: test@whatever.com
250 OK
rcpt to: test@whatever.com
250 OK
rcpt to: test@verisign.com
550 User domain does not exist.

rcpt to: test@yahoo.com
250 OK
data
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.

Gee, why the special treatment?

--
Reduce firearm violence: aim carefully.
[ Parent ]
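The transcripts above show a responder whose replies depend only on how many commands it has received, so the outcome depends on the shape of the envelope rather than on the recipient. As an added example that is not code from the thread or from Verisign, the following Python models that fixed reply list and runs three constructed envelopes through a sending-MTA state machine: the single-recipient case, Bradley's two-recipient case, and the no-HELO session shown above (domain names are placeholders).

```python
# Added model (not Verisign's code) of the reply sequence the "Snubby Mail
# Rejector" was observed to give, plus a minimal sending-MTA state machine that
# interprets those replies the way RFC 2821 says a client should.

SNUBBY_REPLIES = [
    "250 OK",                           # slot meant for HELO/EHLO
    "250 OK",                           # slot meant for MAIL FROM
    "550 User domain does not exist.",  # slot meant for RCPT TO
    "250 OK",                           # slot meant for the fourth command
    "221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel",
]


class Snubby:
    """The reply depends only on how many commands have arrived, not on what they say."""

    def __init__(self):
        self.received = 0

    def reply(self, command):
        idx = min(self.received, len(SNUBBY_REPLIES) - 1)
        self.received += 1
        return SNUBBY_REPLIES[idx]


def smtp_outcome(server, helo, mail_from, rcpts):
    """Drive one envelope through `server` and report what the sending MTA concludes.

    result["status"] is one of:
      'delivered' -- a 354 to DATA; the message body would now be sent
      'bounced'   -- every recipient got a 5xx, or DATA got a 5xx: permanent failure
      'retry'     -- a 4xx, a premature 221, or a reply that is not valid for the
                     command: the MTA keeps the message queued and tries again later
    """
    result = {"accepted": [], "bounced": [], "transcript": []}

    def send(cmd):
        reply = server.reply(cmd)
        result["transcript"].append((cmd, reply))
        return reply

    if helo is not None and not send(f"HELO {helo}").startswith("2"):
        result["status"] = "retry"
        return result
    if not send(f"MAIL FROM:<{mail_from}>").startswith("250"):
        result["status"] = "retry"
        return result
    for rcpt in rcpts:
        reply = send(f"RCPT TO:<{rcpt}>")
        if reply.startswith("250"):
            result["accepted"].append(rcpt)
        elif reply.startswith("5"):
            result["bounced"].append(rcpt)
        else:
            result["status"] = "retry"
            return result
    if not result["accepted"]:
        result["status"] = "bounced"   # nothing left to deliver; DATA is never sent
        return result
    reply = send("DATA")
    if reply.startswith("354"):
        result["status"] = "delivered"
    elif reply.startswith("5"):
        result["status"] = "bounced"
    else:
        result["status"] = "retry"     # a 221 or a stray 250 is not a valid answer to DATA
    return result


if __name__ == "__main__":
    # Constructed envelopes; the domain names are placeholders, not real hosts.
    cases = {
        "one recipient": smtp_outcome(Snubby(), "client.example", "a@example.org",
                                      ["x@exaple.net"]),
        "two recipients": smtp_outcome(Snubby(), "client.example", "a@example.org",
                                       ["x@exaple.net", "y@exaple.net"]),
        "no HELO": smtp_outcome(Snubby(), None, "a@example.org",
                                ["x@exaple.net", "y@exaple.net"]),
    }
    for name, r in cases.items():
        print(f"{name}: {r['status']}  accepted={r['accepted']}  bounced={r['bounced']}")
```

Only the single-recipient envelope gets the immediate bounce Verisign describes; with two recipients the second one is "accepted" and DATA is answered with 221, so a conforming MTA keeps the message queued, and without HELO the wrong recipient is rejected.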

Why? (3.33 / 3) (#111)
by CrimsonDeath on Tue Sep 16, 2003 at 12:59:46 PM EST

Because the first command is supposed to be a HELO or EHLO, not MAIL.

[ Parent ]
Supposed to be, but... (4.33 / 3) (#118)
by itsbruce on Tue Sep 16, 2003 at 01:40:55 PM EST

A lot of clients leave it out and most mtas accept this.

--It is impolite to tell a man who is carrying you on his shoulders that his head smells.
[ Parent ]

Yeah, but, no. (4.00 / 2) (#122)
by Entendre Entendre on Tue Sep 16, 2003 at 02:18:57 PM EST

True, but irrelevant, and no, it doesn't answer the question. Your pedantry is much appreciated however.

--
Reduce firearm violence: aim carefully.
[ Parent ]

what? (4.85 / 7) (#66)
by frozencrow on Tue Sep 16, 2003 at 07:05:31 AM EST

They're returning that A record for *.com and *.net. If there's no MX record, then your mailer will fall back to using the A record, so email to misspelled domains will definitely end up at verisign's machine. They're running a mailbouncer there, so the message will immediately bounce. This is how a properly functioning MTA will work. Properly functioning MTAs do not queue up mail for domains that they know do not exist. Properly functioning MTAs do not make a guess about which domain name you meant to type and deliver on the basis of that guess.

[ Parent ]
As someone else already said... (3.55 / 9) (#69)
by Builder on Tue Sep 16, 2003 at 07:50:00 AM EST

If the MX record doesn't exist, most MTAs fall back to A records. That WILL resolve, so we're scrod.
--
Be nice to your daemons
[ Parent ]
Wrong: See RFC 2821, section 5, paragraph 1 (4.50 / 2) (#165)
by Xenophon Fenderson, the Carbon(d)ated on Thu Sep 18, 2003 at 09:26:52 AM EST

RFC 2821, section 5 ("Address Resolution and Mail Handling"), paragraph 1 states in part:

The lookup first attempts to locate an MX record associated with the name... If no MX records are found, but an A RR is found, the A RR is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.

You are wrong. QED.



--
Rev. Dr. Xenophon Fenderson, the Carbon(d)ated, KSC, mhm21x16, and the Patron Saint of All Things Plastic fnord
I'm proud of my Northern Tibetian heritage!
[ Parent ]
Look at it from a positive angle. (4.33 / 3) (#127)
by Estanislao Martínez on Tue Sep 16, 2003 at 03:51:07 PM EST

This means that mail will bounce instead of being stored for later retrieval.

Look at it from the bright side. Think of all the services and good you'll learn about when Verisign starts putting ads in their bounce notices.

--em
[ Parent ]

Amen! (4.00 / 2) (#176)
by phliar on Fri Sep 19, 2003 at 01:31:45 PM EST

While this might be slightly annoying behaviour in web browsers, it's an absolute nightmare on other services.
God! I write network code at work. These are private protocols, in-company stuff — and now there's no way I can tell the difference any more between a mis-typed hostname, and the service being dead on our remote server. It's "connection refused" in either case. (I really don't want to put a "special" IP into the code.)

Bastards. May they rot in hell.

Faster, faster, until the thrill of...
[ Parent ]

Blackholing 64.94.110.11 is not a solution. (3.75 / 8) (#58)
by i on Tue Sep 16, 2003 at 06:09:18 AM EST

DNS software should continue to return "no such host/domain" for offending queries. How to tell that a query is offending? For now, 64.94.110.11 is the telltale sign, but that could well change. Maybe the absence of a whois record?

and we have a contradicton according to our assumptions and the factor theorem

How about this (3.30 / 23) (#59)
by phraggle on Tue Sep 16, 2003 at 06:27:47 AM EST

looks like theres just a hole where this site should be

Clever. Still, that's a goatcx link. (4.66 / 3) (#119)
by nurikochan on Tue Sep 16, 2003 at 01:45:24 PM EST

Some warning for people on public computers might have been nice.

[ Parent ]
Terms of use (4.22 / 9) (#64)
by Lynoure on Tue Sep 16, 2003 at 06:59:21 AM EST

Verisign sitefinder even has terms of use, http://sitefinder.verisign.com/terms.jsp

How do terms of use work in a case where the issuer of the terms forces you against your will to use the service?

My letter to Verisign (4.93 / 16) (#67)
by Lynoure on Tue Sep 16, 2003 at 07:08:26 AM EST

To: websitesupport@verisign.com
Subject: sitefinder terms of use

I do not accept your Sitefinder terms of use. However, you force me to
use the service by redirecting misspelled and non-existing domain names there. If you
object to me using the site without agreeing to your terms, please stop redirecting me there.

[ Parent ]

GREAT IDEA! here's my text: (5.00 / 7) (#131)
by mcherm on Tue Sep 16, 2003 at 07:23:14 PM EST

16-Sep-2003

Dear sirs:

I refuse to accept the SiteFinder terms of use. Furthermore, I find myself being directed to your site for various misspelled or non-existent domain names. This email serves as official notice that I refuse to accept these terms of service. I will, therefore, make a policy of avoiding the "verisign.com" and "sitefinder.verisign.com" domains.

However, if you persist in redirecting misspelled or non-existent queries to your website, (which previously went to a search engine of my choice), then I will take that as consent from you to make use of the services WITHOUT agreeing to the terms. Specifically, I do NOT agree to give up my legal right to an implied warranty of merchantability. I do NOT agree to give up my legal right to collect on any consequential damages that may be due me. I do NOT agree to indemnify the VeriSign corporation.

Apparently the design of your system is such that I am involuntarily forced to use your system, rather than the search engine of my choice, whenever I make a typo or other such error. By continuing to "provide" (your term) me with this service for more than 2 weeks after receiving this notice, you are acknowledging that you understand I have refused to be bound by the agreement, and that I am to use the service without accepting any terms of use.

Sincerely,

Michael Chermside
2936 Morris Rd
Ardmore, PA 19003


-- Michael Chermside
[ Parent ]

Here's my response: (5.00 / 3) (#157)
by mcherm on Wed Sep 17, 2003 at 04:20:50 PM EST

Dear Mr. Chermside,

Thank you for contacting Network Solutions.

We apologize for the inconvenience you are experiencing.

Much to our regret, we may not be able to assist you with your concern, as what you are encountering is a system recently applied by the Global Registry.

Site Finder is a new service offered by the VeriSign Global Registry. For more information, please contact VeriSign at sitefinder@verisign-grs.com

Please know that your inquiry is important to us, and
we value your business.

Best regards,

Nityalila001
Web Site Support Team
mailto:websitesupport@verisign.com
Network Solutions, a VeriSign Company


[ Parent ]

Write in (4.44 / 9) (#71)
by phraggle on Tue Sep 16, 2003 at 08:06:27 AM EST

Legal, but an abuse of its power.

-1 Too seppo-centric (1.25 / 24) (#73)
by I Hate Seppos on Tue Sep 16, 2003 at 08:24:10 AM EST

Only seppos are lazy, stupid and fat-fingered enough to misspell web addresses. They're only a few letters long for Christ's sake!

____________________
Are you a retarded water-on-the-brain seppo that doesn't even know what a seppo is?
Well, here's a hint, fuckface: what rhymes with septic tank?

i reserve the right (3.00 / 7) (#77)
by Prophet themusicgod1 on Tue Sep 16, 2003 at 08:45:34 AM EST

to pingbomb nonexistant ip addresses to death.
"I suspect the best way to deal with procrastination is to put off the procrastination itself until later. I've been meaning to try this, but haven't gotten around to it yet."swr
sometimes i feel like i wish (3.00 / 3) (#80)
by Prophet themusicgod1 on Tue Sep 16, 2003 at 08:48:00 AM EST

some islamist terrorist would just put a bullet in my mouth. i make no sense, any more.
"I suspect the best way to deal with procrastination is to put off the procrastination itself until later. I've been meaning to try this, but haven't gotten around to it yet."swr
[ Parent ]
ad hominem (3.00 / 2) (#114)
by Prophet themusicgod1 on Tue Sep 16, 2003 at 01:10:30 PM EST

RunForYourLives is a pinhead. just thought you might like to know.
"I suspect the best way to deal with procrastination is to put off the procrastination itself until later. I've been meaning to try this, but haven't gotten around to it yet."swr
[ Parent ]
This can be fixed (4.00 / 5) (#78)
by Kenoubi on Tue Sep 16, 2003 at 08:46:36 AM EST

Even if Verisign doesn't bow down to pressure from the public and no legal challenge is successful, DNS servers could be reconfigured to consider an upstream result of 64.94.110.11, or whatever IP Verisign chooses to use for this service, equivalent to "no result". They would then forward a negative result to the requestor. I don't know that any DNS servers currently support such a setting, but I wouldn't be at all surprised to see it in the next releases, if not.

This obviously wouldn't fix the problem all at one go, but if you already use a caching nameserver (many Linux systems do to cut down on useless DNS queries), this would be a simple addition. ISPs might well adopt this as well as individual users—Verisign's actions here don't seem to benefit anyone except Verisign.

Of course, none of this is to say that we shouldn't try to pressure Verisign to undo this or take legal action against them, or that Verisign should be allowed to continue to exist at all.



Right on! (4.00 / 3) (#94)
by hummassa on Tue Sep 16, 2003 at 10:26:44 AM EST

This is the most intelligent comment on this subject. I, for instance, use dnsmasq in my network. So, I suppose it's easy to make it search for each address, something like 64.94.110.11(*).bogusverisign.dyndnsx.org and, if found, return a negative DNS record. I'll look into it.

(*) insert addresses here.

[ Parent ]
Replying to myself, ... (5.00 / 2) (#144)
by hummassa on Wed Sep 17, 2003 at 06:31:41 AM EST

There is a better solution yet: compare the *.com and *.net A records to the address returned, or, better still, the *.tld record to the address returned for <something>.tld

[ Parent ]
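Both of the ideas above (Kenoubi's "treat the sinkhole address as no result" and hummassa's "learn the wildcard by resolving a deliberately nonexistent label") reduce to the same resolver-side filter. The following is an added example, not code from this thread or from any of the patches mentioned elsewhere on the page. It assumes plain DNS wire format with A records only and no EDNS, takes the sinkhole address 64.94.110.11 and the zones .com/.net from the thread, and constructs the "probe" reply inline rather than querying the registry; the function and constant names are mine.

```python
# Added example (not code from the thread): a resolver-side filter in the
# spirit of Kenoubi's suggestion, plus hummassa's probe-based variant.
# Assumptions: plain DNS wire format, A records only, no EDNS; the sinkhole
# address 64.94.110.11 and the wildcarded zones come from this thread; the
# "probe" reply is constructed here rather than fetched from the registry.
import struct

SINKHOLE = {"64.94.110.11"}           # address reported for *.com / *.net
WILDCARDED_ZONES = ("com", "net")     # zones the thread says were wildcarded

def encode_name(name):
    """Hostname -> DNS label sequence."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg, off):
    """Read a (possibly compressed) name at msg[off]; return (name, next_off)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def build_response(qname, rrs, rcode=0, txid=0x1234):
    """Minimal response: one A question, then (name, ipv4) A answers (TTL 300)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(rrs), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in rrs:
        body += encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4)
        body += bytes(int(o) for o in ip.split("."))
    return hdr + body

def parse_response(msg):
    """Return ([(qname, qtype)], [(name, ipv4)]) for question/answer sections."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4                                        # qtype + qclass
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return questions, answers

def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0xF

def in_wildcarded_zone(name):
    return name.lower().rstrip(".").rsplit(".", 1)[-1] in WILDCARDED_ZONES

def learn_sinkhole_from_probe(probe_msg):
    """hummassa's variant: whatever the registry answers for a deliberately
    nonexistent label under the zone *is* the wildcard address set."""
    _, answers = parse_response(probe_msg)
    return {ip for _, ip in answers}

def filter_response(msg, sinkhole=SINKHOLE):
    """Kenoubi's rule: if every A answer for a name under a wildcarded zone is
    a sinkhole address, hand the client NXDOMAIN. Returns (msg, rewritten)."""
    questions, answers = parse_response(msg)
    if not questions or not answers or not in_wildcarded_zone(questions[0][0]):
        return msg, False
    if not all(ip in sinkhole for _, ip in answers):
        return msg, False
    txid, flags = struct.unpack("!HH", msg[:4])          # keep id and flags
    hdr = struct.pack("!HHHHHH", txid, (flags & 0xFFF0) | 3, 1, 0, 0, 0)
    return hdr + encode_name(questions[0][0]) + struct.pack("!HH", 1, 1), True

if __name__ == "__main__":
    # constructed sample traffic: a registry reply for a random label (the
    # probe), then the same typo under .com and under .org
    probe = build_response("zq8w2k1x9.com", [("zq8w2k1x9.com", "64.94.110.11")])
    learned = learn_sinkhole_from_probe(probe)
    for q in ("kuro5hinn.com", "kuro5hinn.org"):
        reply = build_response(q, [(q, "64.94.110.11")])
        out, changed = filter_response(reply, learned)
        print(q, "-> NXDOMAIN" if changed else "-> passed through", rcode(out))
```

The filter keys on the address, so a hostname that is genuinely hosted on the sinkhole address under .com or .net would be suppressed as well; that is the price of this approach, and why the probe step matters if the registry moves the address.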
Verisign Typosquatting Explorer (4.44 / 9) (#79)
by Seth Finkelstein on Tue Sep 16, 2003 at 08:47:40 AM EST

I wrote a little perl program to examine what they were suggesting for typosquatting. If interested, updates at
http://sethf.com/domains/verisquat/

#!/usr/bin/perl
# "Verisign Typosquatter Explorer"      Version 1.0
# Seth Finkelstein   sethf@sethf.com  http://sethf.com  September 16 2003
# Given URLs as arguments, find Verisign suggested sites
# Format is the URL, then comma-separated lists of sites on different settings
# URL|sites-nofilter|sites-moderate|sites-strict

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw(GET);

my $UA = LWP::UserAgent->new;

foreach my $url (@ARGV) {
    print $url,'|';
    print join(',',@{get_verisign_squats($url, 'nofilter')}),'|';
    print join(',',@{get_verisign_squats($url, 'moderate')}),'|';
    print join(',',@{get_verisign_squats($url, 'strict')}),"\n";
}

sub get_verisign_squats { # get verisign typo-squats, return an array reference
    my ($nohttp, $suppress) = @_; # url minus http, content-control setting
    $nohttp =~ s,^http://,,i;
    my ($host) = $nohttp =~ m,^([^/]+),;

    my $res = $UA->request # this is the page Verisign generates for a typo
        (GET "http://sitefinder.verisign.com/lpc?url=$nohttp&host=$host",
         "Cookie" => "PREF=$suppress");
    # PREF can be 'nofilter', 'moderate', 'strict', controls "offensiveness"

    my @verisign_squats = $res->is_success ? # parse out hosts in page
        sort($res->content =~ m/onMouseOver="self.status='(.*?)'/g) :
        ("ERROR"); # default in case the connection fails
    return \@verisign_squats; # reference to array of typo-squat suggestions
}

-- Seth Finkelstein

commas as delimiters for reg-exps (4.50 / 2) (#84)
by waxmop on Tue Sep 16, 2003 at 09:30:12 AM EST

I've never seen that before. It's a good idea. They're small and non-distracting. For the sake of future users though, I like to use / unless I'm matching a string that has a bunch of /s inside. Then I use # or ? depending on mood. Maybe now I'll start using commas.

Ain't perl fun?

Anyway, I'm at work, and I don't want to have to add all my proxy info to that script before I can run it, so, can you reply with some sample output?
--
We are a monoculture of horsecock. Liar
[ Parent ]

1) delimiters 2) sample output (5.00 / 2) (#87)
by Seth Finkelstein on Tue Sep 16, 2003 at 09:56:24 AM EST

Thanks, just a note, I wouldn't recommend '#' or '?', even though you can use them - visually they're confusing with comments or the non-greedy quantifiers. And '?' delimiters are a special case themselves.

The script shows output like

verisquat.pl sex.net
sex.net|www.ex.net,www.ksex.net,www.soex.com,www.wsex.com|www.ex.net,www.soex.com,www.wsex.com|www.ex.net,www.soex.com,www.wsex.com

I haven't had time to play with it too much, and my connection to Verisign seems to be flaky too. So no real revelations yet.

-- Seth Finkelstein
[ Parent ]

"kuro5hin.org" results of algorithm (4.50 / 2) (#97)
by Seth Finkelstein on Tue Sep 16, 2003 at 10:52:37 AM EST

Note since Verisign is queried directly in the program, one can get the squats for sites which in fact do exist or won't be redirected.

I ran it with "kuro5hin.org", and it seems to give (in all cases)

www.kumohin.net,www.kurohan.com,www.kurohon.com


-- Seth Finkelstein
[ Parent ]

Ugh (4.00 / 4) (#112)
by Grape Smuggler on Tue Sep 16, 2003 at 01:05:35 PM EST

This does nothing to refute my belief that all Perl code looks exactly like linenoise.

By reading this message you've unwittingly exposed yourself to my powerful, moth-like pheromones.
[ Parent ]

OT: (4.50 / 2) (#129)
by lb008d on Tue Sep 16, 2003 at 05:09:22 PM EST

Funny, I read it just fine. Perhaps you ought to be more familiar with Perl before dismissing it as line noise.

[ Parent ]
But it DOES look like line noise (5.00 / 1) (#159)
by pyro9 on Wed Sep 17, 2003 at 08:53:10 PM EST

I program in Perl and I still think it resembles line noise. It just happens to be well organized and useful line noise.


The future isn't what it used to be
[ Parent ]
(laughs out loud) (5.00 / 3) (#134)
by UncannyVortex on Tue Sep 16, 2003 at 09:58:10 PM EST

As a developer who is familiar with Perl, I found much mirth in your comment.  Don't let anyone tell you that it wasn't funny.

K?  Thx.

[ Parent ]

well they have changed the ip address (2.80 / 5) (#85)
by ChoGGi on Tue Sep 16, 2003 at 09:44:39 AM EST

Now it's 12.158.80.10, and here I thought I had killed it off. Oh well, at least I got to read the terms of service this time.

keep the old (4.33 / 3) (#89)
by F a l c o n on Tue Sep 16, 2003 at 10:02:08 AM EST

The old IP (64.94.110.11) is still what you get for everything else.
The new IP is just if you directly go to the sitefinder address.

So continue blackholing the old one.

--
Back in Beta (too many new features added): BattleMaster
[ Parent ]

Yet more complicated than that (4.33 / 3) (#107)
by DoubleEdd on Tue Sep 16, 2003 at 12:35:03 PM EST

Whilst sitefinder.verisign.com resolves to the 12. IP, and non-existent domains resolve to the 64. IP, the latter reverse-resolves to sitefinder-idn.verisign.com, and that resolves back to the 64. IP too. Of course if you connect to the latter you don't get quite what you expect.

[ Parent ]
MTAs (4.25 / 8) (#99)
by SwampGas on Tue Sep 16, 2003 at 11:07:17 AM EST

Uhh.  Yeah.  Now all the bad domains work.  Now we're sending the mail through our system, to Verisign, it bounces, and my system handles the bounce.  It used to just get denied at SMTP time.  Damnit.

Had to add the following to my DNS lookup router in exim:

ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 10.0.0.0/8 :\
                        169.254.0.0/16 : 172.16.0.0/12 :\
                        192.168.0.0/16 : 64.94.110.0/24

If it reaches the DNS lookup router, it's definitely a remote mailer that needs to be contacted because the domain exists.......except if it's from 64.94.110.*.  Die Verisign.

Try a .gov site (3.00 / 8) (#100)
by wurp on Tue Sep 16, 2003 at 11:17:08 AM EST

Apparently, even Verisign knows what they're doing is unethical - they're unwilling to do it to the gov sites.  For example, try http://www.whithouse.gov
---
Buy my stuff
It only works for TLDs Verisign controls (4.66 / 6) (#101)
by Seth Finkelstein on Tue Sep 16, 2003 at 11:21:36 AM EST

Ethics has nothing to do with it. It only affects TLDs that are under the control of Verisign - that's primarily .COM and .NET and a few minor other ones (and not .ORG or .GOV).

-- Seth Finkelstein
[ Parent ]
Ethical... nah (4.00 / 2) (#124)
by TVoFin on Tue Sep 16, 2003 at 02:33:18 PM EST

they're unwilling to do it to the gov sites.

Aside from being unable to do that, I think that even Verisign realizes that such action would probably incite some government response.

Along the lines of a 50 kt nuke in their HQ main lobby.


IB, life, sleep -- pick any two. --Anonymous IB senior.
[ Parent ]

privacy invasion (3.85 / 7) (#102)
by cronian on Tue Sep 16, 2003 at 11:31:34 AM EST

By examining misspellings, verisign now has the power to figure out what sites people are visiting based on misspellings. They can also delete the WHOIS records, which they control, for whatever.com and then it redirects the traffic to their site logging everyone's IP address.

We perfect it; Congress kills it; They make it; We Import it; It must be anti-Americanism
No subject (3.66 / 6) (#105)
by aphyr on Tue Sep 16, 2003 at 12:13:46 PM EST

It doesn't apply to .org domains, though. Small relief.

Really? (5.00 / 1) (#108)
by DoubleEdd on Tue Sep 16, 2003 at 12:43:03 PM EST

Then what's this?
;-)

[ Parent ]
Erm (5.00 / 1) (#178)
by aphyr on Fri Sep 19, 2003 at 03:19:24 PM EST

Try a nonexistent .com domain that resolves to verisign, then try that with .org. I'm assuming your example is just url-value substitution, because www.kuro5hin.org resolves fine over here.

[ Parent ]
Countermeasures (patches for BIND,djbdns&more) (4.50 / 8) (#120)
by agl on Tue Sep 16, 2003 at 01:45:37 PM EST

See http://www.imperialviolet.org/dnsfix.html

Legal shmegal! (4.16 / 6) (#125)
by butfuk on Tue Sep 16, 2003 at 02:42:03 PM EST

Whether what Verisign is doing is legal or not doesn't really matter to me. The fact that it irks me is what counts, and is why I will make the extra effort to circumvent their little ploy.

The bastards!

Unix and C are the ultimate computer viruses.
What are the monetary damages? (4.00 / 6) (#130)
by izogi on Tue Sep 16, 2003 at 06:21:22 PM EST

I'm as annoyed by this as everyone else seems to be, but one thing I'm surprised not to've seen people talking about yet is more specific detail about monetary damages.

Verisign has effectively screwed up the entire Internet's DNS, intentionally and for their own selfish commercial gain. The DNS is used for a huge variety of services other than the web traffic that seems to be the main target of Verisign's actions. Lots of those services rely on being able to find out whether a domain exists or not.

So for a straw poll, how much time and money are non-verisign businesses losing over this? I bet it's a lot.


- izogi


I don't see anything wrong here... (3.75 / 4) (#132)
by ghosty on Tue Sep 16, 2003 at 08:35:02 PM EST

$ dig verisignsucksdick.com

; <<>> DiG 9.2.2 <<>> verisignsucksdick.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61418
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;verisignsucksdick.com.         IN      A

;; ANSWER SECTION:
verisignsucksdick.com.  196     IN      A       64.94.110.11
...


A few comments on this. (4.00 / 4) (#133)
by seebs on Tue Sep 16, 2003 at 08:55:51 PM EST

1. I put up a blog entry about this.

2. The next installment of the Cranky User column should be about this - it's on IBM developerWorks, and should be up in the first couple of days of October.

3. I'm also doing VeriSgni tshirts. If we all take the time to write about this, and talk about it, maybe we can finally get VeriSign reined in a bit.

I wonder if... (5.00 / 3) (#135)
by Sloppy on Wed Sep 17, 2003 at 01:29:38 AM EST

..any of the new domains that they serve happen to be someone's trademark? ICANN's policies tend to be weighted in favor of trademark holders. Set evil against evil.

It would be amusing if Verisign had to maintain some kind of dead domain list, of names that aren't registered, but can't be used either, because some trademark holder said so.
"RSA, 2048, seeks sexy young entropic lover, for several clock cycles of prime passion..."

Interesting... (4.00 / 3) (#136)
by the77x42 on Wed Sep 17, 2003 at 01:43:55 AM EST

... It doesn't seem to be doing this anymore at least on my ISP... can others confirm? (I tried both .net and .com and get the regular error)


"We're not here to educate. We're here to point and laugh." - creature
"You have some pretty stupid ideas." - indubitable

Does it with my ISP (SBC/PacBell) (5.00 / 1) (#138)
by skim123 on Wed Sep 17, 2003 at 01:54:40 AM EST


Money is in some respects like fire; it is a very excellent servant but a terrible master.
PT Barnum


[ Parent ]
It means your ISP has patched its dns server (4.50 / 2) (#139)
by wolverine1999 on Wed Sep 17, 2003 at 02:00:08 AM EST

It means your ISP has installed some patch to reinstate the previous and correct behaviour (returning NXDOMAIN instead of Verisign's IP).

[ Parent ]
well (4.50 / 2) (#140)
by the77x42 on Wed Sep 17, 2003 at 02:26:08 AM EST

i guess i would need others' information to confirm or deny that, which is what I stated in my original post, but thank you for refreshing everyone else who didn't know what was going on.

I honestly didn't mean for that to sound THAT smug :P


"We're not here to educate. We're here to point and laugh." - creature
"You have some pretty stupid ideas." - indubitable

[ Parent ]

same here dude. (none / 0) (#180)
by Run4YourLives on Tue Sep 23, 2003 at 11:35:35 AM EST

I think telus got their act together on this one, or at least has one competent employee on their staff.

Good for them. (and us too)

It's slightly Japanese, but without all of that fanatical devotion to the workplace. - CheeseburgerBrown
[ Parent ]

Doesn't work here (5.00 / 1) (#149)
by hershmire on Wed Sep 17, 2003 at 11:05:11 AM EST

T-Online still gives a DNS error. I am not redirected at all.
FIXME: Insert quote about procrastination
[ Parent ]
Looks like OpenNIC was right all along. (4.33 / 6) (#141)
by mdm42 on Wed Sep 17, 2003 at 04:09:39 AM EST

The best thing to do here is simply to move en masse to a more open DNS root system like the OpenNIC Democratic Name System.

While some of the solutions I have seen posted here and elsewhere might result in curbing Verisign's hijacking of a public good, it won't stop whoever replaces them -- only a truly democratic DNS will.

Dear sir, (3.00 / 4) (#148)
by Vesperto on Wed Sep 17, 2003 at 11:04:11 AM EST

i'm the self-appointed shrink of K5 and i would like to have a chat with you about an important matter. Most users of this site suffer from acute OSS (Other Site Syndrome), a pathology which translates as an inferiority complex towards another online community. Therefore, and having in mind the mental health of our patients, please do not post links referring to that site or, so you won't complain about your rights, at least be so kind as to put an OSS-warning on the topic. Thank you.

If you disagree post, don't moderate.
[ Parent ]
OpenNIC seems nice.. (4.50 / 2) (#158)
by Platy on Wed Sep 17, 2003 at 07:49:40 PM EST

..but as a user I just couldn't get it working. I put some of the public domain servers mentioned on their page into my DNS configuration - but still couldn't resolve their names. I tried it with nslookup directly; I only got a timeout.
--
Tongue-tied and twisted, just an earthbound misfit, I.
[ Parent ]
You realize, of course... (5.00 / 2) (#170)
by strabo on Thu Sep 18, 2003 at 06:16:35 PM EST

That in this case, moving to OpenNIC would not solve this problem.  The problem, as it exists, is with the .com and .net zones, and not the root.  Even with a configuration using OpenNIC, you still have to deal with Verisign serving up .com and .net.

(Note:  This is not an opinion either way regarding the merits of OpenNIC in general, just pointing out that OpenNIC is irrelevant to this particular problem.)

- strabo

[ Parent ]

Applies for a second brain cell... (5.00 / 1) (#174)
by mdm42 on Fri Sep 19, 2003 at 07:11:39 AM EST

You're so right.  Some days the brain cell just fails to fire...

Nevertheless, I think there is still a point to be made about monopoly control of key infrastructure without democratic oversight.

[ Parent ]

Agreed (3.50 / 2) (#179)
by strabo on Fri Sep 19, 2003 at 04:16:41 PM EST

Nevertheless, I think there is still a point to be made about monopoly control of key infrastructure without democratic oversight

Absolutely agreed.

- strabo
[ Parent ]
there's a petition (4.50 / 2) (#146)
by maluke on Wed Sep 17, 2003 at 06:50:13 AM EST

http://www.petitiononline.com/icanndns/petition.html

easy way to say veri(sigh!) "enough"

Mail addresses... (4.50 / 2) (#153)
by Ratface on Wed Sep 17, 2003 at 01:01:00 PM EST

I sent mail complaints to the following addresses. I got a bunch of automated replies, but a couple came through with a human contact. Just remember to keep it civilised - you're complaining, but the individual on the receiving end isn't the person who's directly to blame for the situation!

authenticode-support@verisign.com, billing@verisign.com, channel-partners@verisign.com, clientpki@verisign.com, consultingsolutions@verisign.com, dbms-support@verisign.com, dcpolicy@verisign.com, digitalbranding@verisign.com, dnssales@verisign.com, enterprise-pkisupport@verisign.com, enterprise-sslsupport@verisign.com, info@verisign-grs.com, internetsales@verisign.com, IR@verisign.com, jobs@verisign.com, mss@verisign.com, objectsigning-support@verisign.com, paymentsales@verisign.com, practices@verisign.com, premiersupport@networksolutions.com, press@verisign.com, privacy@networksolutions.com, renewal@verisign.com, support@verisign.com, verisales@verisign.com, vps-support@verisign.com, vts-csrgroup@verisign.com, vts-mktginfo@verisign.com, webhelp@verisign.com, websitesales@verisign.com, websitesupport@verisign.com
Ever wanted to adopt a fluffy alien? Why not check out Alien Adoption Agency?
[ Parent ]

Great, an online petition! (4.28 / 7) (#162)
by CaptainSuperBoy on Wed Sep 17, 2003 at 10:59:17 PM EST

Thank heavens, there's an online petition on the case. This should be wrapped up by morning. If only we could have online petitions on MORE subjects, we would solve all the problems of the world.

--
jimmysquid.com - I take pictures.
[ Parent ]
.cx has been doing it for a long time (4.75 / 4) (#161)
by BlowCat on Wed Sep 17, 2003 at 10:39:34 PM EST

... and nobody cried foul. Try it. To be fair, all top-level TLDs should be required to stop this practice, not just Verisign.

Small differences ... (4.50 / 2) (#163)
by suquux on Wed Sep 17, 2003 at 11:38:32 PM EST

crux:~>ping xahoo.com
ping: unknown host xahoo.com

crux:~>ping xahoox.com
PING xahoox.com (64.94.110.11)

crux:~>ping xoogle.com
ping: unknown host xoogle.com

crux:~>ping xooglex.com
PING xooglex.com (64.94.110.11)

Interesting.

CC.
All that we C or Scheme ...

Registered (5.00 / 1) (#171)
by CaptainSuperBoy on Thu Sep 18, 2003 at 11:00:23 PM EST

That is because xahoo.com and xoogle.com are both registered domains but they aren't set up. Verisign is only redirecting unclaimed domains. If you register a domain they are redirecting it will no longer go to sitefinder.

--
jimmysquid.com - I take pictures.
[ Parent ]
dotDNS, a technical response to DNS hijacking (5.00 / 1) (#172)
by odonnell on Fri Sep 19, 2003 at 12:45:06 AM EST

This is a good time to look at Bob Frankston's dotDNS proposal for a layer of reliable but meaningless domain names. dotDNS lookups can be made self-verifiable using public-key signatures, but without the costly chain of trust required by DNSSEC methods. The validity of a dotDNS binding can be verified easily by the querier, without relying at all on the server that provided the putative binding.

dotDNS does not solve the whole problem, since any layer that translates from humanly meaningful names to dotDNS names is still vulnerable to hijacking. But the reliable and verifiable name bindings in dotDNS will make it much easier to switch name-resolution services when we are dissatisfied with their policies. dotDNS is a cheap and immediately deployable positive step toward fixing the DNS mess, requiring no approval by any central agency. It's time for a visionary sponsor to step forward and just do it.
Mike O'D.

Evil up on evil: Web Bugs (4.75 / 4) (#173)
by itsbruce on Fri Sep 19, 2003 at 06:50:54 AM EST

Looks like the bastards added a data-harvesting web bug to the Sitefinder page.


--It is impolite to tell a man who is carrying you on his shoulders that his head smells.

At least we can talk to them.. (none / 0) (#182)
by borbjo on Tue Sep 30, 2003 at 03:19:36 PM EST

here.

lol, someone actually answered (none / 0) (#183)
by borbjo on Tue Sep 30, 2003 at 03:24:41 PM EST

Elliott: Hello
you: Hello, I was visiting a site and I got this page http://sitefinder.verisign.com/lpc?url=www.hitmail.com what is it
Elliott: it's a service to help you find your correct site, it usually pops up if you misspell a site
you: thank you very much for that service


[ Parent ]
Mavis Verisign Beacon teaches typing | 186 comments (160 topical, 26 editorial, 2 hidden)