Resolving Everything: VeriSign Adds Wildcards
"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)
This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.
Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.
VeriSign has published white papers about their implementation and also made some recommendations."
what are the chances - using the search page that comes up at the verisign site to search for "register" we find at the top of the list a link to networksolutions.com (a verisign company). we also note that searching for the same word at google does not result in that site being present in at least the first four pages of results.
yeah - that's a real useful search tool verisign has there - thanks so much.
this should make troubleshooting dns records as a netadmin much more fun with all those glorious false positives... guess that means i'll have to learn how to spell finally!
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Did anyone else see this story about 15 mins ago and get an error saying the page is in the future when you tried to open it? When I refreshed it was gone.
And now to be OT:
How big a problem will this be as most people/companies register common misspellings along with the right domain and make the misspellings point to the right site?
according to this "soemcompany.com" isn't wrong.
I've heard this breaks a lot of spam-catching tools which check if the mail was sent from an invalid domain, as all IPs in these invalid domains now resolve.
Former Iraqi Information Minister Mohammed Saeed al-Sahaf
This really does smack of an abuse of power to me.
The sad part is I'm really surprised it took them this long to implement this. It's just another sign that sales and marketing analysts run companies, and make all the decisions. Even small companies face this same thing.
In a row???
until we get gator-type forced advertising (not just incidental unrelated ads on the page) whenever you make the slightest domain mistake? I get the feeling this doesn't bode well for the continued freedom of the internet, if one company can unilaterally do something of this magnitude. (But then again, Mr. Bush seems to get along fine.)
On Apple Input Peripherals: They're okay, I guess, but I was really hoping for a one-key keyboard and a 109-button mouse
Anyone have any information on whom to contact to put an end to this absurdity?
I oughta be able to bring em to their knees in a day or two.
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
...keeps Verisign away.
expect that ip to get null routed by the backbone carriers real fast.
Hmmm I guess this mean Frist Psot is really an advertisement for First Post!
I'm so sick of having to see advertising everywhere. I only have so much money to spend, I wish companies would just leave me alone.
Doesn't this short-circuit Microsoft's attempt to capture ad revenue from all mis-typed domains through their Internet Explorer?
I always thought that a revolting misuse of monopoly power and I use Mozilla exclusively now (that was one of the primary reasons I switched, tho not the only one).
Prepare for Microsoft to be EXTREMELY UPSET. MSN's search count will be cut in 1/4 by this move too.
Watch for it.
Stewey
There are 10 kinds of people in the world. Those who understand binary and those who don't.
So, which domains actually return this ip address? I can't seem to find any.
Verisign just DDOSed itself by redirecting untold numbers of spam bounces to a single IP. Good job, guys!
--
There is no hatred more pure and true than that expressed by children.
This is really sad.
.com domains are resolving with an authoritative section of Verisign's server.. and .net's with the list of root servers. It would seem that no domain should ever resolve with either of those as an authority.. The real dns server for the domain should. Hopefully BIND and other DNS packages will start blocking domains that have a root server or a verisign server as the authoritative dns server.
Not only will mail have problems, as the "non-existent domain" check will always fail.. but this is completely criminal it seems.
I hate to mention, but they are giving Microsoft a dose of their own medicine.. taking away their ability to bring you to their 'search' page for non-existent domains.. and AOL's own feature similar to that. It hurts google, since Verisign teamed with yahoo on this one for search services (Although, google provides yahoos search functionality for now).
All
Further.. they'll be harvesting bounced email addresses for sure. If you get spammed from a bunk domain, and it gets returned.. or you typo an email address.. they are nice enough to run a mail daemon on port 25 to harvest those addresses. It lets you helo, from, rcpt, and data.. and then closes your connection.. just long enough to snag all the info it wants from you.
This entire thing is a mess, and seems like it should be highly illegal. Hopefully OpenSRS and GoDaddy and others will have a fit over it. This just seems completely wrong.
[gid@pimpbot:~] datea fsda.com does not exist (Authoritative answer)
Mon Sep 15 21:27:37 EDT 2003
[gid@pimpbot:~] host jskalfdsjksfjkfjdskafsda.com
jskalfdsjksfjkfjdsk
Am I missing something? Shouldn't that resolve to that ip?
Or is this a bit of a coincidence given story
sreb
I got a timeout trying to reach http://www.verisignsucks.com
No more Micro$oft bashing from me. It's like bashing at the special olympics.
think about it.. your dns server caches the entries it gets back, but now we can make scripts that check sequentially all the way up! crash your ISPs name servers, or crash a root server for the prize! remember kids, take down 2/3 + 1 of the root servers and it's not running on spec anymore!
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
So 90% of the population, instead of getting a Windows message will now get a verisign message.
"If anything can go wrong, it will." - Murphy
Porn companies aren't allowed to run sites with slightly misspelled names because it's considered unfair practice, but a 'registrar' is allowed to catch anything that might come their way?
-psy
This is hilarious!! They have a TOS!
By making a typo, you supposedly agree that if their site overflows a buffer in your browser and wipes your HD, they are not liable.
Okay, terrible example for many reasons, but I still think it's pretty laughable that they claim that the "user" agrees to certain terms of service by "utilizing" this little piece of indirection.
-Lux
Anybody know which root servers Verisign doesn't control, and therefore doesn't use this stupid wildcard? Or do I just not get it and this is a fact of life for now?
On Apple Input Peripherals: They're okay, I guess, but I was really hoping for a one-key keyboard and a 109-button mouse
If Verisign somehow was in charge of POP3, then a wrong user name or wrong password would still log you in, but into a dummy account with spam for you to read.
Just think about this, they can spin off a company to "buy" all bad domain names from Verisign, their stock price goes up because of new profits, the spin off company declares bankruptcy and everybody is happy - well sort of.
For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake...
What do you mean, "by msiatke"?
Well, gee... I hope they can handle all the traffic from all of us who've got our mail servers configured to do SMTP callbacks...
Damn. I can't believe I almost miss the pit of worthlessness and apathy that was Network Solutions, now.
oh wait a minute....
no i don't.
I wonder how long it will be before there are patches for BIND/dnscache/etc. to remap any result containing 64.94.110.11 to a "record not found" result?
It worked for me for two randomly typed strings, and then I stopped getting the page and got my good ol' error messages. Very strange. Perhaps we've already DOSed them?
This breaks something major, that'll be fun. DNS is too low level to be messing around with it in this way. Sure you get IE taking you to some search page but at least that is at the browser level and you can change your browser.
At most this should only apply to anything starting with www.. will have to check out the pdf.
Guess I can start charging Verisign for all that extra bandwidth they're gonna generate.
AC comments get piped to
I visited http://www.ewrljighwerlghkg.com/ and I got a page which appears to belong to dotster, which is actually my registrar of choice...
<img src="http://futurehome.dotster.com/images/transfill.gif" width="1" height="10">
Is the segment of the html which I am examining.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Is this going to do anything at all to prevent domain squatting? Not really....Verisign just validated their business practice by doing it themselves. That's great.
I don't really know much about anything....
but...
can't you just put
sitefinder.verisign.com 255.255.255.255 (or other invalid ip) in your hosts file?
doesn't that prevent sitefinder.verisign.com from resolving dns correctly? or am I wrong? i'm pretty sleepy, so I might not be thinking clearly.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
How is this anti-spam check useless? Couldn't it be a simple check to modify the checking code to check for resolving to "64.94.110.11", and deny from that? It seems that no legitimate mail will come from that address (Verisign has different machines setup for different purposes, this one appears to be dedicated), or am I missing something?
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
Leveraging their control of DNS, this is a very simple way to take over search capabilities from Google and the others.
And sponsored links for all.
Wow! I'd never expected to find something even more misleading the netscape's use of keywords in the location bar.
Where can we sign to have this extravagant feature blown to dust?
It seems that only names of the form "www.foobar.com" get resolved to verisign's search page. Anything without "www" in front is still reported as non-existing, so maybe the problems that many posters above mention about spam cross-checks won't be that significant.
An interesting way to leverage the DNS, anyway.
Tsunami -- You can't bring a good wave down!
Yup, they done did it... coopted the internet!
it's going to give misconfigured host connectivity a case of the chromen brokesomes.
This also traps all mail sent TO a non-existent domain. Since all RFC-compliant mail servers will follow up a negative MX response with an A lookup and connect to that IP, if you send mail to a bogus domain, it goes to verisign's server, which (currently) bounces it. Imagine the fun the federal government can have subpoena'ing those logs.
Also, you'll note the cookies that 'sitefinder' sends out, so they can uniquely track any traffic to that site. Also a fun subpoena opportunity. And did you read the fun terms of service that they claim you agree to by 'choosing to visit' their site?
I doubt this will stand. I certainly know that, as a major ISP executive, we'll be reviewing our business with Verisign.
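The two mechanisms the thread keeps circling back to are worth seeing in code: the mail-routing rule above (no MX record, so the sender falls back to the domain's own A record and ends up connecting to the wildcard host), and the fix proposed a few posts earlier, treating any A answer equal to 64.94.110.11 as if the name did not exist. The block below is an added example, not code from the article or from VeriSign's white papers. It uses a stub resolver over constructed zone data so it runs offline; every name and address other than 64.94.110.11 is made up, and `WILDCARD_SINKHOLES`, `stub_resolve`, `sinkhole_filtering`, `mail_host_for` and `sender_domain_exists` are names chosen here.

```python
"""Wildcard-aware "does this domain exist" check.

Added example: a stub resolver with constructed zone data stands in for real
DNS so the code runs offline. The only page-specific value is the Site Finder
address 64.94.110.11; every other name and record below is constructed.
"""
from typing import Callable, List, Optional

# Addresses a registry wildcard hands out for every unregistered name.
WILDCARD_SINKHOLES = frozenset({"64.94.110.11"})


class NXDomain(Exception):
    """The name does not exist (DNS rcode 3, NXDOMAIN)."""


# Constructed zone data. Under the wildcard, unregistered .com/.net names
# have an A record pointing at the sinkhole and no MX record at all.
FAKE_ZONE = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("nomx.example.com", "A"): ["192.0.2.26"],
    ("soemcompany.com", "A"): ["64.94.110.11"],
    ("oifn348nfs.net", "A"): ["64.94.110.11"],
}

Resolver = Callable[[str, str], List[str]]


def stub_resolve(name: str, rtype: str) -> List[str]:
    """Behave like a resolver in front of the wildcarded registry.

    Unknown name -> NXDOMAIN. Known name without that record type -> empty
    answer (NOERROR, no data), which is what an MX query for a wildcarded
    name returned: the wildcard only synthesized an A record.
    """
    name = name.lower().rstrip(".")
    known = {n for (n, _) in FAKE_ZONE}
    if name not in known:
        raise NXDomain(name)
    return list(FAKE_ZONE.get((name, rtype), []))


def sinkhole_filtering(resolve: Resolver) -> Resolver:
    """Wrap a resolver so an A answer made only of sinkhole addresses is
    turned back into NXDOMAIN: the resolver-side fix, applied once for every
    application instead of patching each anti-spam check separately."""
    def filtered(name: str, rtype: str) -> List[str]:
        answers = resolve(name, rtype)
        if rtype == "A" and answers and set(answers) <= WILDCARD_SINKHOLES:
            raise NXDomain(name)
        return answers
    return filtered


def mail_host_for(domain: str, resolve: Resolver) -> Optional[str]:
    """RFC 2821 routing: deliver to the MX host; with no MX record, fall
    back to the domain's own A record (the implicit-MX rule). Returns None
    when the domain does not exist, so no connection is attempted."""
    try:
        mx = resolve(domain, "MX")
        if mx:
            return mx[0]
        return domain if resolve(domain, "A") else None
    except NXDomain:
        return None


def sender_domain_exists(domain: str, resolve: Resolver) -> bool:
    """The anti-spam check: does the envelope sender's domain resolve at all?"""
    return mail_host_for(domain, resolve) is not None


if __name__ == "__main__":
    plain, fixed = stub_resolve, sinkhole_filtering(stub_resolve)
    for d in ("example.com", "nomx.example.com", "soemcompany.com"):
        print(f"{d:20} unfiltered -> {mail_host_for(d, plain)!s:20} "
              f"filtered -> {mail_host_for(d, fixed)}")
```

With the unfiltered resolver the mistyped name passes the sender check and mail for it is routed to the domain itself, i.e. to the sinkhole; with `sinkhole_filtering` wrapped around the same resolver both the check and the routing see NXDOMAIN again, which is the behaviour the posters are asking BIND and their ISPs to restore.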
Is there any way to configure BIND to ignore this other than picking new root servers and removing the option to use my ISPs DNS server?
I am running BIND9 on OpenBSD as a local LAN name server and DNS cache for the Internet.
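One answer to this question that does not involve picking new root servers, as an added example and not something from the thread: later BIND 9 releases (9.2.3 onward, to my knowledge, shipped after this discussion) added a `delegation-only` zone type that makes `named` refuse any non-delegation answer from a TLD zone, so a synthesized A record for an unregistered name comes back as NXDOMAIN. The fragment below is a `named.conf` excerpt written for this example; the exclusion list is the one given in the BIND documentation for TLDs that legitimately carry records at their apex, and should be checked against the release you run.

```conf
// Added example for a caching BIND 9 (9.2.3 or later assumed).
options {
    // Treat every zone delegated from the root as delegation-only,
    // except TLDs that legitimately publish records at their apex.
    root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};

// Or name the affected registries explicitly: an A record synthesized
// for an unregistered name is not a delegation, so named answers NXDOMAIN.
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
```

Because this is enforced in the resolver, every client behind it (mail servers doing sender-domain checks, scripts, browsers) gets the pre-wildcard behaviour without per-application changes; the trade-off is that any TLD that really does hold apex records must be listed in the exclusion list or its lookups will break.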
With DNS tracer, you can see how much damage they do:
[~] edwin@k7>dnstracer -s . -o blaat.burps.ploeps.thisdomaindoesnotexistabcdef.c
Tracing to blaat.burps.ploeps.thisdomaindoesnotexistabcdef.c via A.ROOT-SERVERS.NET, timeout 15 seconds
A.ROOT-SERVERS.NET [.] (198.41.0.4)
|\___ M.GTLD-SERVERS.NET [com] (192.55.83.30)
|\___ E.GTLD-SERVERS.NET [com] (192.12.94.30)
|\___ K.GTLD-SERVERS.NET [com] (192.52.178.30)
|\___ J.GTLD-SERVERS.NET [com] (192.48.79.30)
|\___ F.GTLD-SERVERS.NET [com] (192.35.51.30)
|\___ L.GTLD-SERVERS.NET [com] (192.41.162.30)
|\___ D.GTLD-SERVERS.NET [com] (192.31.80.30) Got authoritative answer
|\___ B.GTLD-SERVERS.NET [com] (192.33.14.30) Got authoritative answer
|\___ I.GTLD-SERVERS.NET [com] (192.43.172.30)
|\___ C.GTLD-SERVERS.NET [com] (192.26.92.30) Got authoritative answer
|\___ H.GTLD-SERVERS.NET [com] (192.54.112.30)
|\___ G.GTLD-SERVERS.NET [com] (192.42.93.30)
\___ A.GTLD-SERVERS.NET [com] (192.5.6.30) Got authoritative answer
Personal opinion: stupid idiots who wrongly mix political goals with technical capabilities. Just because we can doesn't mean we should.
What exactly gives them the legal right to just decide that they can take every non-owned domain name for their own advertising. It would seem to me that some small companies somewhere might be able to create a rather large stench about this. One can at least hope...How about this for unfair monopolistic business practice!!...
The site they redirect traffic to is horribly misconfigured. It will accept traffic on ports 80 and 25 but silently drop everything on other ports. So if you telnet, ssh, rsync, etc to a nonexistent domain it will hang for several minutes before timing out instead of even giving a "connection refused" message.
Help!
VeriSign has taken over www.lksdjglkjdslkjg44.com! This infringes on my trademark, which I have been using since 21:31 EDT. Unless VeriSign transfers that domain to me, for free, I'll sue!
Since all of these supposed mis-types will resolve to a verisign web page, shouldn't they have to pay the $35/year or whatever it is to register for each and every domain that is now pointed to them?
Who wants to be the first to hack a fix for this into BIND?
when you fuck an RFC in the ass. *baseball bat on car headlight*
I just wasted your mod points! HA!
hosts file
127.0.0.1 sitefinder.verisign.com
save
done.
you guys don't whine about having to do this for any other spam, why go nuts over it now? not like much will be done about it, so just block em like spam.
Is this even legal? Makes me wish there was some sort of complaint service that gave lawyers interesting cases to pursue.
I can't resolve unregistered domains even if I query VeriSign's root server itself, as per the most recent named.root file the server is 192.36.148.17 right?
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
; operated by VeriSign, Inc.
i tried to goto mirocsotr.com
and that verisign page popped up. I hate verisign, i use www.domaindiscover.com as my registrar of choice... might be a good poll.
They would have the default page contain no advertisements and give a message like 'sorry, the domain you typed is misspelled'.
Then people would be less irritated with this change because it appears useful. 6 months later they change it to ad pop-up hell.
Great... now we're all gonna get a wheelbarrow full of $5 coupons from Network Solutions that we can only use for their price-inflated products!
I already have enough toilet paper that says "register.com" on it. Guess I better go invest in a fireplace...
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
AC comments get piped to
Examples:
oifn348nfs.com
oifn348nfs.net
t98mklskqpz.com
oifn348nfs.net
Could be that the DNS servers are taking their time to refresh...
The worst thing about this is how one company that is sanctioned by the government that is charged with the duty to be fair - isn't.
Oh wait - was I supposed to be surprised...
Create music
Okay, everybody and their brother is trying to resolve "bogusdomainname.com" or whatever and finding they get a NXDOMAIN error (as they should). There are a lot of possible reasons for this, which I will simply handwave as "caching".
To see the real thing in action, query an authoritative nameserver directly. For example:
$ host www.bogusdomainname.com
Host www.bogusdomainname.com not found: 3(NXDOMAIN)
$ host www.bogusdomainname.com a.gtld-servers.net
Using domain server:
Name: a.gtld-servers.net
Address: 192.5.6.30#53
Aliases:
www.bogusdomainname.com has address 64.94.110.11
$
The first query uses the default resolver on my system, which is a local named which in turn forwards to my ISP's resolvers, which do who knows what. The second query says to ask a.gtld-servers.net, which causes the host utility to send the query directly to one of the authoritative nameservers for the GTLDs (Global Top Level Domains, as opposed to country-specific domains like .us). Then I see the current authoritative response.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
This isn't something new, they told us it was coming. What a crock of shit. I think this shows that there needs to be some sort of accountability in this business.
Verisign now owes money to the Internic for every domain they now effectively hold. Considering how many misspelled domains get hit, I think we're going to have plenty of cash to upgrade the root name infrastructure, don't you?
This is horrible for web spiders and search engines. Every link to a dead domain name will now result in a series of pages that need to be indexed. And there will be thousands (millions?) of web sites that all offer Verisign name registrations -- all identical. This will surely affect their page rankings! Spiders will have to be hard-coded to ignore certain IP addresses or DNS names.
I hope they get sued by every mail filter vendor, registrar, and search engine that they just damaged with this. And the government needs to review the powers they are granting to name-server providers.
My guess is that one of two things will happen:
1) the DOJ will take them down like Microsoft
or
2) someone will buy out VeriSign and replace SiteFinder with a page of hundreds of porn ads and pop ups
echo 127.0.0.1 sitefinder.verisign.com >>/etc/hosts
# Done.
RelevantElephants: A Somatic WebComic...
No, I'm not suggesting that anybody intentionally do this. What kind of person do you think I am?
$ whois whattotalbullshit.com
[... stuff omitted
No match for "WHATTOTALBULLSHIT.COM".
$ ping whattotalbullshit.com
Unknown host whattotalbullshit.com.
$ wget whattotalbullshit.com
--21:36:11-- http://whattotalbullshit.com/
=> `index.html'
Resolving whattotalbullshit.com... failed: Host not found.
Doesn't work in lynx or links either, but putting it in IE or Mozilla goes right to VeriSign's slimy little page...
So perhaps this won't break systems which rely on detecting non-existing domain names; but what's different about how IE and Mozilla do their DNS lookups?
Weeeee...
Starting nmap 3.28 ( www.insecure.org/nmap/ ) at 2003-09-15 06:36 PDT
Host sitefinder.verisign.com (12.158.80.10) appears to be up
Initiating SYN Stealth Scan against sitefinder.verisign.com (12.158.80.10) at 06:36
Adding open port 80/tcp
The SYN Stealth Scan took 94 seconds to scan 1643 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 80 is open and port 36304 is closed and neither are firewalled
For OSScan assuming that port 80 is open and port 43206 is closed and neither are firewalled
For OSScan assuming that port 80 is open and port 44655 is closed and neither are firewalled
Interesting ports on sitefinder.verisign.com (12.158.80.10):
(The 1642 ports scanned but not shown below are in state: filtered)
Port State Service
80/tcp open http
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=3.28%P=i386-portbld-freebsd5.1%D=9/15%Time=3F65C0E9%O=80%C=-1)
TSeq(Class=TR%IPID=Z%TS=U)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T1(Resp=Y%DF=Y%W=16D0%ACK=S++%Flags=AS%Ops=MNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16D0%ACK=S++%Flags=AS%Ops=MNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: 673A4C36 652AB817 BBE534C3 685BB54A
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 137.552 seconds
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
Why don't you try it ?
http://shivaji.maharaj.slashdot.org
They are running Linux.
Just a little humour...
Ok, that's it. We need to get verisign out, now. Anyone know how to accomplish this?
What we need to do is start contacting our ISPs and complain about this. We also need to launch complaints from IT departments around the world at them, telling them how this is screwing things up. Those of you in the states need to write your various representatives and tell them that this may possibly be illegal. Someone also needs to tell ICANN, but I'm sure they've noticed.
We then need to keep this pressure up, then someone starts a DDOS against them just using bad domain names. If there is an outage, this can be further used as bad PR against them.
I am calling my upline ISP to complain in a few minutes. Everyone else who works in IT needs to complain to their ISP, the authorities, and ICANN. Loudly.
Maybe we DID take the blue pill. You wouldn't remember anyway.
C:\Documents and Settings\Pat>nslookup
www.sdlfkjsldkfjsldkf.com
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.8.1: Timed out
Server: ns6.attbi.com
Address: 63.240.76.4
Name: www.sdlfkjsldkfjsldkf.com
Address: 64.94.110.11
Perhaps I'm missing something here, but wouldn't this open them to all kinds of lawsuits from companies that were affected in that way?
Sure. Are your lawyers better than their lawyers? That's all that matters.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
to them using their near monopoly status in the domain registrar market to try and gain a strong foothold in the search engine business?
Isn't this an RFC violation? Or at least a violation of being a domain name register via the international council that governs this stuff?
You say things that offend me and I can deal with it. Can you?
Ah, I just figured it out...
If you type in foo.com (and foo.com is not registered), IE and Mozilla both makes attempts to www.foo.com, which goes right to VeriSign.
So I imagine that the next version of these programs will cease this practice to stop sending traffic to VeriSign.
Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae.
The rset can be a total mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe. Fcuknig amzanig huh?
Simply block all traffic to 64.94.110.11 and give verisign your hate mail as well. It'll still return the error message whenever that address is found, so even if it is hosted, it's as good as not registered.
This is a stupid stupid stupid move by them, akin to shooting themselves in the foot with a 45 caliber pistol; it's going to anger a lot of people in the IT industry.
Candy-Coated Knowledge
opps.
Maybe we DID take the blue pill. You wouldn't remember anyway.
Last time I looked IE on a PC running XP returns some kind of MSN powered Not Found message when a non-existent URL is entered. Isn't this a better solution?
anyone know if it's instantly on? or if rr is blocking it already? or if it just takes a while?
Form now on I wlil olny psot lkie tihs.
hah hah hah
This will result in much extra traffic for all ISPs. Their lookups to the .com and .net will return considerably more information than before. Multiply this by all the misspellings per second per AOL user, and that's a considerable amount.
This is one helluva way to drum up traffic, so I'd be curious to know what kind of steroid-pumped uber-server and fat petabyte pipe they plan to run their site on. Personally, I suspect the ad page will be taken down by Verisign themselves when they smell smoke coming from the server room and see their sysadmins running around naked on the front lawn while tearing out their hair and screaming "SWEET MOTHER OF SMEGMA, MAKE THEM STOP!!!".
What's with the links that come up? They look benign at first glance, but they actually call Javascript functions (i.e. they are not just plain old hyperlinks). Anyone care to decipher what happens when you click them?
Or is it something cool?
-Quote from web-
Set Your Content Filtering Preferences
Filtering Preferences:
Filtering attempts to block content containing explicit and adult material. While no filter is 100% effective, Site Finder uses industry-leading technology to identify explicit content and reduce undesired results.
Please choose your preference:
Full filtering: Explicit content is removed from all results
Partial filtering: Explicit content is removed from category results and presented last in search results
No filtering: Do not filter my content
Note: Setting preferences will not work if you have disabled cookies in your browser.
Copyright(C) 2003 VeriSign, Inc. All Rights Reserved
Privacy Policy | Terms Of Use | Content Filtering Preferences | Help
You may want to let Scott Hollenbeck (shollenbeck@verisign.com) and Matt Larson (mlarson@verisign.com) from VeriSign's Naming and Directory Services know what you think of their Best Practices.
And while you are at it, you may consider a friendly note for W.G. Champion Mitchell (wmitchell@verisign.com), President, NetSol and Stratton Sclavos (ssclavos@verisign.com), Chairman and CEO, VeriSign.
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
"the site finder response server runs a limited smtp server that returns an smtp 550 error response for any specified destination..."
different protocols will be treated differently
comments@icann.org
So can't we just add 64.94.110.11 to the list of non routable addresses. (127.0.0.1, 10.*, 192.168.* and now 64.94.110.11) I say we storm Verisign, Nerf Bats in hand. A call to arms I say!!! Damn Marketers.
Serenity|Chaos
So, they are within rights to do this.
Sure it's a tad slimy and sucks.. but it's well within their charter...
---- Booth was a patriot ----
To put it mildly, what absolute wankers.
As a guy running an ISP, doing tech support etc. the mind boggles about how much stuff this will break.
Expect to see huge traffic increases/slow speed of access as soon as these updates filter through everywhere.
I find it very hard to believe that they will be able to get away with this without some response from the US (and EU) government(s).
Sorry to say this, but this is going to be a precedent for Internet being regulated, this time for real. And you'll be able to thank Verisign for it. Perhaps that's a provocative step to achieve what they are really after - being regulated, which will guarantee them longevity.
Greedy bastards.
grisha.org
POSTUS FIRSTUS
tugrul@duality:~$ telnet dkfjdfkjdkfjdkjf.com 80
Trying 64.94.110.11...
Connected to sitefinder-idn.verisign.com.
Escape character is '^]'.
^]
telnet> c
Connection closed.
tugrul@duality:~$ telnet it.really.is.a.wildcard.dkfjdfkjdkfjdkjf.com 80
Trying 64.94.110.11...
Connected to sitefinder-idn.verisign.com.
Escape character is '^]'.
^]
telnet> c
Connection closed.
tugrul@duality:~$
This is just evil
The contents of the address bar are only processed by MSN's built in search form if you don't add the TLD.
'slashhhdot' - would bring up MSN's search.
'www.slashhhdot.com' - would bring a 404 (or now, Verisign's site-finder)
After this change by Verisign, MSN's search operates 100% the same. At least, on my IE6 SP1 with no customizations.
Verisign should not be able to just mess with the dns system like this. They should be a registrar.. nothing more. From their point of view, whether or not this involves websites is pointless.
http://reports.internic.net/cgi/registrars/problem-report.cgi
go to "jshkflfhe.com" or whatever. At the Verisign page, enter "verisign licks ass". 2 of the 10 search results are from slashdot. Oh, the irony...
FYI, that IP address (64.94.110.11) is being null-routed by many ISPs. For example, it is unreachable from my home ISP right now, but if I SSH into work, I can reach it from there. I've also heard of ISPs configuring their resolvers to return NXDOMAIN for any query that returns an A record with that IP address.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
beagleeagles.com no longer resolves to Verisign, but beagleeagles.net does? Tried a couple other .com's seems like they just changed it as I was playing?
whooaaaahhhh.... how long has that happened?
So let me get this straight. A site I didn't ask to go to has a Terms of Use which says that my sole remedy is to discontinue use of "The Verisign Services".
So, by mistyping a domain name, I've entered into a legal agreement with Verisign? And the only way to get out of it is to not use the internet?
The only address on the page is their legal department's postal address, at
VeriSign, Inc.
Attention: Legal Department
21355 Ridgetop Circle
Dulles, VA 20166
I guess I'll be sending them a nice letter. As soon as I figure out what legal recourse I actually have.
Maybe they'll have a sense of humor. "You have been infected with the honor system virus. Please delete your files now."
they were granted the power to run the root servers and manage primary DNS by the federal government.
Actually, the US government transferred that to ICANN some time ago. ICANN currently contracts VeriSign to run the SOA for the roots and GTLDs, and other companies and organizations run the other nameservers.
Of course, ICANN could drop the hammer on VeriSign, but given ICANN's past performance, I doubt they will. Apparently, other TLD operators have already tried this, and the slap on the wrist was easily ignored.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
I vote that we all boycott the VeriSign root-servers, and setup an international non-profit agency to maintain new non-commercially-run root servers.
This is outrageous, and despite what they say, is completely in violation of internet standards and best practices.
If you want this "feature" of verisign's turned off (I know I sure do), contact ICANN now. This is yet another example of Verisign having far too much unchecked power over the .COM and .NET registries.
Show your hate for SCO. Get a cool t-shirt and donate to the Open Source Now Fund.
I'm gonna burn a little karma here and recommend that you be moderated up. Very good point, and definitely the way to proceed.
Can I get an eye poke?
Dog House Forum
Well, I've read a lot of posts that say this should/is illegal. Fine, let's go for it - everyone needs to contact the Better Business Bureau and their local congressmen/women (here is contact info for Oregon; Washington, etc. - use your brain, you'll figure it out), and get some movement on this. Don't just sit there and make angry comments! Do it...
As with my previous comments, comments@icann.org is the place to go.
It's odd given that we just found out spelling isn't *that* important =P
It is not as bad as it seems.
While misscpelldedomian.com is redirected in your browser, a ping to that domain still gives me "domain not found".
So all complaining sys admins: learn to use the command line and ping to check for domain existence, instead of using your browser for that. Or is that too hard for an MCSE?
How can they get away with this? Not even Microsoft would sink as low as to claim ownership of every unclaimed .com and .net. They have no possible claim to this. I like a nice friendly 404 when I make typos, not an ad. I would rather view every offtopic post on slashdot ever posted than this.
SAILING MISHAP
Well, I guess not really, but this seriously bites ass. Do you know how many shell/perl scripts are going to have to be tweaked because of this helpful addition?
C:\WINDOWS\system32\drivers\etc>nslookup www.hdjkdfjkfhfhfdjkhjks.com
Server: vnsc-pri-dsl.genuity.net
Address: 4.2.2.4
Non-authoritative answer:
Name: www.hdjkdfjkfhfhfdjkhjks.com
Address: 64.94.110.11
C:\WINDOWS\system32\drivers\etc>nslookup 64.94.110.11
Server: vnsc-pri-dsl.genuity.net
Address: 4.2.2.4
Name: sitefinder-idn.verisign.com
Address: 64.94.110.11
I tried a few domains and got the Verisign page, but now the 'feature' seems to be missing. Did they backtrack already?
route add -host 64.94.110.11 gateway 10.0.0.86 dev eth0
works for me!
There has been an increase in domain name transaction activity lately as well as increasing awareness of the value of domain names in internet commerce.
Of course on the dark side is VeriSign...wonder if they have configured DNS wildcards properly?
In any event, VeriSign's appropriation of internet domain names they don't own as their own is wrong, and there likely exist viable legal theories for stopping them from wildcarding unregistered domain names...
* Violates generally accepted DNS standards
* Trademark dilution/confusion
* Privacy issues
.. now verisign is no better than lop.com and other programs that Hi-Jack IE and do the same they do. The internet is getting ruined by MS and VeriSign, I wish that the "big three" (win,mac,lin) were more equal, then the internet would be somewhat less degraded. I hope the US government takes away the privilege they gave to NSI/VeriSign and hands it to a more responsible company. It's not like .COM is like .tk where they can advertise like that, .COM is most of the net, so they are on a higher playing ground.
Sig: I stole this sig.
.cx does this too, i noted recently.
Sacred cows make the best burgers.
Inventor Says Search Service Won't Break DNS
VeriSign Looks At Earning Money on Domain Typos
VeriSign Mulls Way to Make Money from Typos
Litigious bastards
"We didn't find: "64.94.110.11"
There is no Web site at this address."
say what?
The 'dnslookup' router in the configuration file has probably already got a line like:
ignore_target_hosts = 127.0.0.0/8
Change this to:
ignore_target_hosts = 127.0.0.0/8 : 64.94.110.11
And for all purposes ( including verification, unless you've configured the router otherwise ) names that resolve to 64.94.110.11 will be treated as if they don't.
Wasn't OpenNIC created to prevent exactly this kind of abuse? People might just start using them if VeriSign carries on in this manner...
It sounds a whole lot better than the current system to me...
I signed up for a
What, is the Internet powerless against this kind of BS?! It is incomprehensible that Verisign can simply violate RFC after RFC and nothing can be done about it!
$ host blahfuckxxx111.com
Host blahfuckxxx111.com not found: 3(NXDOMAIN)
$ wget blahfuckxxx111.com
--21:59:19-- http://blahfuckxxx111.com/
=> `index.html'
Resolving blahfuckxxx111.com... failed: Host not found.
Yet my Mozilla is showing the sitefinder web page. Still trying to figure out what's going on on the protocol levels...
www.is_verisign_really_fucking_up_the_entire_internet.com
isn't resolving for me ?
0.0.0.0 sitefinder.verisign.com
~~~
This completely killed us. We have co-lo with an unregistered domain assigned in Active Directory. Our crappy sys admin had assigned all the public NICs on our multi-homed web servers to use Verio's or PacBell's name servers. None of the machines could resolve the names of anything else, including the backend DB servers and the domain controllers. I thought it odd when every nslookup returned the same 64. IP address. I guess in the past, the DNS lookups failed and then the web servers tried the nameserver specified on the other NIC (the IP address of a domain controller), at which point it succeeded. I'm pretty sure that this guy set things up pretty badly, but everything was working until VeriSign made this change. Oh, and I think it was before 7.45 EDT because I was working on it before then, and seeing that IP address before then.
Just type in any URL you don't think corresponds to an address, like www.googoogoogle.com. All the contact info will be on the bogus page that pops up.
First, as I recall, no one from NetSol/Veri$ign sought ideas or thoughts from the internet community at large before implementing this. What really bothers me is the fact that:
- Only one company is doing this
- This company engages in what I would consider deceptive and somewhat dangerous business practices
- This same company controls a lot of the Root Certificates
- This same company controls a lot of registrations for websites (including my employer's)
Even if I think of it as a worst-case scenario, let's say that Mr. Experienced Cracker/Internet Bad Guy wants to crack into this server. Within a day, if no one notices it (and given their security record, this shouldn't be too much of a stretch), they have the ability to 0wn numerous clients.
Best Case scenario, I still see them breaking many things, including email, the rest of DNS, and, quite possibly, other things.
I have the odd feeling this will turn into another "Profit by legislation/lawsuit" scheme. *sighs* Know of any good countries where people still have "rights?"
I disable sigs...do you?
We do blacklists for spam because it originates from multiple moving targets.
Verisign is neither multiple nor moving. Instead of sullying our libraries with this stupidity, put your effort into beating Verisign into submission to common decency.
Is it just me, or is Verisign now abusing the trust of the Internet community, which is a very strange thing for a company that wants to be a root of trust when it comes to issuing SSL certs?
When I get into work tomorrow I will do two things:
1) Setup an internal web server and redirect all traffic to 64.94.110.11 to this box that says something like, you have mistyped something...
2) I will enable reverse lookups and anything coming from 64.94.110.11 will be considered spam.
Won't affect my users and might help a LITTLE bit with spam.
If you're upset about this, I'd recommend calling one of the 800/888 numbers on the Verisign Corporate Contacts Page and lodging a formal complaint.
You can also email your concerns directly to customer service (which is what they will have you do after you call, anyway)
As of right now, smtp is also enabled on that IP. Haven't received a bounce message yet for an intentionally incorrect email. Wonder where all the badly addressed spam will go now?
what the hell is a 'junk character', anyway?
fuck.
Null routing only changes the problem, it doesn't eliminate it. The domain still will return an address- it will just be unreachable. The error returned is therefore wrong.
This will force recoding on an insane scale. And what do we do when they change the IP address every couple of days?
This cannot stand and I would be surprised if it did.
I cannot imagine a more vapid thing to do than this- and to not even give any notice! The monomania and self delusion that they are exhibiting is truly amazing.
Does anyone have an idea of how we can start returning correct error messages immediately?
Hinavg jsut raed the shoasdlt srtoy eeilnttd Can You Raed Tihs?, I bigen to wnoder if the sirntg mthicang used by DNS is too sitrct. Sulery a pmueertd nmae culod be rtdcireeed to the ceorrct stie? Aslo, one suhold not be aoellwd to reeisgtr a doamin nmae wihch is a smlipe pimaureottn of an esxiintg dimoan name wtih the smae frist and last leettr.
How long will it take me to write a script that continuously sends out requests for domain names like "www.98237498766783264786237864.com"? I'm starting now. Anyone who comes up with one, respond below with "first ddos!" and share your technique.
You want the truthiness? You can't handle the truthiness!
Stop them!
LOL
I don't know the meaning of the word 'don't' - J
(Pre-emptive strike: Insert Matrix-spoon reference here.)
I feel it is worthwhile to post a more general response to this point as well.
There is this myth that "the Internet" exists as a single, cohesive network. It does not, and never has. "The Internet" is a network of networks. What that means is that a bunch of independent network operators have agreed to exchange traffic with each other because it benefits them. When you dial in to your ISP of choice (or plug in your Ethernet cable or whatever), you're not connecting to the Internet. You're connecting to your ISP. Your ISP probably connects to their ISP. Their ISP (if you're lucky) connects to several other ISPs, who connect to other ISPs, and so on. All these independent network operators form "the Internet". So, "the Internet" exists as an abstract concept (and a useful one), but not as something you can touch. Not even as something you can route traffic through. All you can do is connect to some other guy's network and hope for the best.
The reason this is important is because we are already seeing ISPs implementing countermeasures against this VeriSign move. Some are null-routing that IP address at layer two; others are using DNS tricks to give us the old behavior. If enough ISPs do this, VeriSign's move will be largely ineffective. In effect, ISPs as a community can veto VeriSign or anyone else. It only works if most of them agree and take action, of course, and it remains to be seen if they will do that. And, of course, some of these countermeasures may themselves be easily defeated, leading to an arms race (like the spammer vs anti-spam arms race).
The possible consequences of all this are, shall we say, interesting.
(BTW, I don't disagree with the OP's suggested course of action, nor with the principle behind it. I'm just pointing out that things are, as usual, more complicated than they might appear.)
MX or not, most mail systems will attempt to deliver to the primary A record if no MX is present.
Just imagine the volume of bandwidth they're going to pay for because of mistyped domains. Maybe when that *.com site is /.ed they will rethink this..
How many pieces of software will have to be re-written because they rely on an error message being returned when a domain doesn't resolve? There's already the aforementioned anti-spam software; I have to believe there's a ton more that haven't even been thought of yet.
I think if anything takes this despicable practice down it'll be the legal system, or the threats of legal action.
AccountKiller
Just to see what would happen, I just tried sending an e-mail to <testuser@slashdoct.com>. Would they bounce the message? If so what would the error message look like? If they didn't bounce it, would they just keep it? Read it? Inquiring minds want to know!
Well it bounced:
The original message was received at Mon, 15 Sep 2003 21:06:55 -0500 (CDT)
... while talking to slashdoct.com.:
from [myhost.mydomain] [xxx.xxx.xxx.xxx]
----- The following addresses had permanent fatal errors -----
<testuser@slashdoct.com>
(reason: 550 User domain does not exist.)
----- Transcript of session follows -----
>>> RCPT To:<testuser@slashdoct.com>
<<< 550 User domain does not exist.
550 5.1.1 <testuser@slashdoct.com>... User unknown
Reporting-MTA: dns; [myhost.mydomain]
Received-From-MTA: DNS; [myhost.mydomain]
Arrival-Date: Mon, 15 Sep 2003 21:06:55 -0500 (CDT)
Final-Recipient: RFC822; testuser@slashdoct.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; slashdoct.com
Diagnostic-Code: SMTP; 550 User domain does not exist.
Last-Attempt-Date: Mon, 15 Sep 2003 21:06:56 -0500 (CDT)
And: >telnet www.slashdoct.com 25
Trying 64.94.110.11...
Connected to www.slashdoct.com.
Escape character is '^]'.
220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
quit
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
>
Snubby Mail Rejector???
I can't believe I fell for that.
Fool of a Took!
El riesgo vive siempre!
how can this be legal..we just saw in the news that any porn site that uses the same tactic is committing a crime..
Don't Tread on OpenSource
How nice of them to let us know...
Any idea if that can be done without code change?
:-)
Well, it would depend on the resolver you use, but I would still expect the answer to be "no". But I've already seen public discussion over how to patch ISC BIND to do it. And that was hours ago.
Of course, if you use a closed-source resolver, you're be stuck. But then, you knew that, right?
IE has been redirecting people to a M$ website for over a year. which is the lesser of the two evils. promoting ms'ed'n or verisad? it amounts to another url being added to the hosts file.
i'm querying bad domains and getting dns errors instead of this search site. is it dead already?
To: icann@icann.org, iana@iana.org, nstld@verisign-grs.com,
rcc@verisign.com, hostmaster@nsiregistry.net, ir@verisign.com,
dcpolicy@verisign.com
Subject: Complaint about Verisign abuse of DNS root zones
A Letter of Complaint about actions undertaken by Verisign Incorporated
on or about 9/13/03.
Sent to the Internet Corporation of Assigned Names and Numbers and the
Internet Assigned Number Authority.
Doug Dumitru
xxxxx xxxxxx xxxx Road
xxxxxx xxxxxx, CA 9xxxx
949 xxx-xxxx
Dear sirs,
As you are probably aware, Verisign is redirecting unregistered
2nd-level domains in the .com and .net TLDs to a Verisign owned search
engine. They are using a technique known as DNS wildcarding to
accomplish this.
I firmly believe that this is clearly an abuse of the DNS system, that
it violates the technical requirements for domain lookups, that the
results returned are fraudulent, and that this technical action only
benefits Verisign at the expense of the rest of the internet population.
I respectfully request that IANA and ICANN immediately take action
against Verisign demanding that Verisign cease this fraudulent and
damaging behaviour. Should Verisign refuse, I would recommend that IANA
and/or ICANN (and/or the US government) take immediate action to revoke
Verisign's contract to administer the .com and .net TLDs.
I would also recommend that IANA and/or ICANN immediately pass "best
practice" rules that prevent other TLDs and country-code domains from
following in Verisign's deceptive footsteps. It is important that a
"domain not found" error not be subverted into an advertising opportunity.
Sincerely,
Doug Dumitru
Use of the VeriSign Services. You agree not to use the VeriSign Services in any manner that is unlawful, or in any manner that could damage, disable, impair or otherwise interfere with another party's enjoyment and use of the VeriSign Service. You may not manipulate or attempt to gain unauthorized access to our website or systems or any websites or systems connected through our website through hacking, password mining or any other means. Modification by VeriSign. At any time VeriSign may modify or terminate these terms of use, its websites and the VeriSign Services and may at any time discontinue your use of the VeriSign Services without any notice to you, and without liability to you, any other user or any third party. Please review these Terms of Use from time to time so that you will be aware of any changes. Your continued use of the VeriSign Services constitutes your agreement to all such terms, conditions, and notices.
A "terms of service" section on a website people don't reach voluntarily?
Just works with small strings or something like that. Example: www.caquinhacomcebola.com doesn't return anything
They don't seem to have an e-mail address for the category of "Subversion of the global DNS," so pick one of the following e-mail addresses and use it to CC your complaint to Verisign:
The Good Side to all this is that there's finally a large-scale, mass-customer-affecting issue that Verisign has caused. Those of us in the US can now point to something (something easy-to-understand as an abuse of power) when we go talk to our Congressmen about overseeing the Department of Commerce.
Verisign is no longer worthy of the Internet's trust. It's time for the Dept. of Commerce to take the InterNIC back under its wing.
To all you damn Libertarians that think private commerce and capitalism is important for the proper functioning of ANYTHING, wake up and take a look around. Some things NEED to be regulated by the government; sometimes efficiency is NOT as important as accountability. This is one of them (as a Californian, energy regulation is another!).
And implement a new standard to allow for http requests to doubleclick whenever a dns resolution is made
meridian at tha.net
take the first and last letters of each word and work out what the correct address should be.
"She's a West Texas girl, just like me" - G.W Bush Iraqis
I see a number of ways in which we can 'fight' back(and no, i do not mean DDos). Here's an idea- why don't we(network admins) just configure all our routers to route that IP into a black hole, and/or set up our DNS servers to ignore the invalid responses? We can justify it to the PHB's very, very easily- we're "fixing" what Verisign has broken. Verisign will have thrown a party, and nobody will show up because we've ripped down the fliers.
I imagine it won't be long before many software packages are updated to have an option to detect Verisign's monkeybusiness, and/or various HOWTOs come out that tell you how to get your nameserver to ignore the silly bullshit. In fact, why don't we all work on a patch to bind to do just that?
It should be very easy to write code that handles any of a variety of blocking methods on this- all you'd have to do is do a DNS lookup on (insert random, long # of random letters+numbers).com, and Verisign will handily tell you exactly what IP to block. From then on, if any DNS lookup returns that IP, return no-such-record instead. Poof. Problem solved. I bet it would take all of an hour or two for someone to write the code to do this for bind.
Oh, and here's another idea- on your homepage, create a link called "Verisign" and point it to somebody's(anybody's) website describing what Verisign has done, why it's bad, etc- guess what will happen when people type in "verisign" into google? :-)
Ya, Versign aint the only one benefitting/!! muahahah but me!!!
I thought before that Verisign was a bunch of fuckers.
And now they've completely convinced me of that.
Shit. What a bunch of fuckers.
He did wonders with SCO, now he should set his sights on Verisign...
It seems that they have effectively violated the ICANN Domain Name Dispute Policy: "circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration". They're definitely doing this to sell domains.
Bill
everyone keeps suggesting that blocking/ignoring 64.94.110.11 is the fix for this. come on, you people are smarter than that! how hard do you think it would be for them to change the A record to 64.94.110.12? then 64.94.110.13? and so on...
as i see it, the only way this madness will stop is if the government gets involved somehow.
Gyrate Dot Org - "Where high-tech meets low-life"
It will take lots of these, but it beats my previous method of typing abusive nonexistent domain names like www.couldyoupleasestopactinglikewankersandstopthis.com in my browser...
Of course, we could protest this idiotic move by starting to systematically buy up all possible .com domain names, redirecting them to a page proclaiming verisign's poor judgment. That'll teach them!
What gives Verisign the right to unilaterally make this decision about how the internet will work? As it's been mentioned, it breaks a lot of stuff and from what I've heard (admittedly, I haven't paid a lot of attention), nobody except them seems to want it.
A network with no single point of failure? Pah!
I used "VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones" as the subject of the email. You could use something more original if you want.
To whom it may concern,
Verisign is committing a major injustice that cannot be allowed to continue. It is important ICANN consider what is best for the internet community as a whole and take proper action. Proper action would be to immediately stop this monopolistic behavior from Verisign.
Please read below for more information taken from Slashdot.org:
As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now result in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising.
This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.
Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.
The internet belongs to everyone. It is not something that can be bought and sold by any one entity. Please put a stop to this behavior.
Thank you.
---insert name here---
---insert city and state of residence here---
Tihs is all thanks to sldhsaot's sroty elirear today! Hree's a lnik jsut inacse
http://science.slashdot.org/article.pl?sid=03/09/15/2227256&mode=thread&tid=133&tid=134&tid=186
Life is like pants... fit in or you don't fit in.
A few hours ago I was trying to troubleshoot a lame delegation to another zone. It seemed to be working which puzzled me to no end. It turns out the lame DNS server was returning 64.94.110.11.
Lame delegation is a very common phenomenon and (in the case of a typo) can often be diagnosed with NXDOMAIN being returned for the glue RR record. Never returning NXDOMAIN means that many types of lame delegation will no longer be caught.
One of my peer zones had a typo'ed MX record. Before VeriSign's sabotage (yes, sabotage) the lookup of the corresponding address record would simply fail with NXDOMAIN. The source MTA would then try to deliver to the secondary MTAs on the list of MX records in order of priority. Mail delivery would proceed normally using the secondary MTA(s).
However, to my complete and utter astonishment, 64.94.110.11 has a working MTA listening on port 25 (why???). This means that any MX records with typos in the primary record will have all their e-mail redirected to VeriSign's MTA. Mail that would normally automatically be re-routed to the secondary MTA instead now gets bounced by VeriSign's "Snubby Mail Rejector Daemon v1.3". Not returning NXDOMAIN will break mail delivery to secondary MTAs.
And what about spam filters? It will break any spam filter that tries to verify that the source MTA hostname claimed in the HELO request is resolvable (i.e. that the claimed HELO name is not fictitious).
I could probably list another half dozen problems if I thought about it. I can't believe the arrogance (read: stupidity) of this act.
I can't wait to see reaction reaction from the backbone cabal on NANOG.
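Added illustration, not code from this thread or from any of the posters: a small in-memory stand-in for the wildcarded .COM/.NET zones that reproduces two points made above, the broken MX fallback from this post and the "probe a random label, then treat its answer as NXDOMAIN" filter suggested in the earlier comment about patching the resolver. All hostnames and the 192.0.2.25 address are constructed; 64.94.110.11 and the 550 text are the values quoted in the thread.

```python
import random
import string

# Constructed model of the situation the thread describes: under .com/.net
# every unregistered name answers with the SiteFinder address instead of
# NXDOMAIN. Hostnames here are made up; 192.0.2.0/24 is a documentation range.
SITEFINDER_IP = "64.94.110.11"


class NXDomain(Exception):
    """Stands in for a resolver returning RCODE 3 (NXDOMAIN)."""


class FakeResolver:
    """Tiny in-memory resolver; wildcard=True reproduces the TLD wildcard."""

    def __init__(self, a_records, mx_records, wildcard):
        self.a = {k.lower(): v for k, v in a_records.items()}
        self.mx = mx_records
        self.wildcard = wildcard

    def lookup_a(self, name):
        name = name.lower().rstrip(".")
        if name in self.a:
            return self.a[name]
        if self.wildcard and name.rsplit(".", 1)[-1] in ("com", "net"):
            return SITEFINDER_IP          # the wildcard answers for anything else
        raise NXDomain(name)

    def lookup_mx(self, domain):
        return sorted(self.mx.get(domain.lower(), []))   # ordered by preference


def detect_sentinels(resolver, tld="com", probes=5):
    """Resolve random, almost certainly unregistered labels; whatever they all
    come back with is the wildcard's address. Re-probing instead of hard-coding
    64.94.110.11 is what keeps working if the address is changed later."""
    rnd = random.Random(20030915)         # fixed seed so the demo is repeatable
    found = set()
    for _ in range(probes):
        label = "".join(rnd.choice(string.ascii_lowercase) for _ in range(24))
        try:
            found.add(resolver.lookup_a(f"{label}.{tld}"))
        except NXDomain:
            pass                          # healthy TLD: the probe fails as it should
    return frozenset(found)


def lookup_a_filtered(resolver, name, sentinels):
    """lookup_a that turns a wildcard answer back into NXDOMAIN."""
    addr = resolver.lookup_a(name)
    if addr in sentinels:
        raise NXDomain(name)
    return addr


# What an SMTP session to each address answers at RCPT TO (constructed; the
# 550 text is the one shown in the bounce quoted earlier in the thread).
SMTP_RCPT_REPLY = {
    "192.0.2.25": "250 OK",
    SITEFINDER_IP: "550 User domain does not exist.",
}


def deliver(resolver, domain, sentinels=frozenset()):
    """Minimal MTA MX walk: exchanges in preference order, skip any whose
    address lookup fails, stop at the first that accepts or permanently rejects."""
    for _, exchange in resolver.lookup_mx(domain):
        try:
            addr = lookup_a_filtered(resolver, exchange, sentinels)
        except NXDomain:
            continue                      # the fallback the post relies on
        reply = SMTP_RCPT_REPLY.get(addr, "421 no route")
        if reply.startswith("2"):
            return ("delivered", exchange, addr)
        if reply.startswith("5"):
            return ("bounced", exchange, reply)   # 5xx is permanent: no further MX
    return ("deferred", None, "no usable MX")


# Peer zone with a typo in its primary MX host (exmaple.net), as in the post.
A_RECORDS = {"mx2.example.net": "192.0.2.25"}
MX_RECORDS = {"example.net": [(10, "mx1.exmaple.net"), (20, "mx2.example.net")]}

healthy = FakeResolver(A_RECORDS, MX_RECORDS, wildcard=False)
wildcarded = FakeResolver(A_RECORDS, MX_RECORDS, wildcard=True)


def scenarios():
    """Delivery before the wildcard, with it, and with the probe-based filter."""
    sentinels = detect_sentinels(wildcarded)
    return {
        "before": deliver(healthy, "example.net"),
        "wildcard": deliver(wildcarded, "example.net"),
        "filtered": deliver(wildcarded, "example.net", sentinels),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:9} {result}")
```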
www.sdfnaisdfs.de, www.adfaiosdfn.co.uk, www.asdfueunf.biz, and www.asdfniotguidf.us still result in the usual dns error page. Also, as of the time of this writing, sitefinder.verisign.com can't even fulfill a search request! I don't think it will be long (minutes, maybe an hour..) before it is completely WWW Dotted(TM).
Now, if you'll excuse me, I have backups to corrupt.
I mean if you consider systems that unsuccessfully scan for victims or fellow flooders (or spammers I guess) in a DDOS, will now see a working victim where normally there was none. Since this is not a redirect and is a DNS level issue, I wonder if Verisign is hoping DDOS launchers and creators of various worms will be courteous enough to now keep their attacks to DNS redirects and spoofing. Or at least just verify address resolution and not flood VeriSign's machines.
Quick! Someone whip up an Outlook virus that DDOS's sitefinder.verisign.com. Let stupid Windows users do us some good for a change.
The web server at 64.94.110.11 is no longer taking requests. I guess we showed them not to screw with Slashdot. Their rig is still returning pings, but not much else.
SD
“Who knew something as harmless as willful ignorance could end up having real consequences?”
So, any dns worm that launches a DDoS, like say, msblaster, that launches an attack against say, windowsupdate.com if it resolves, will now attack Verisign's root nameserver instead? Interesting...
As another person mentioned this already, e-mailing them is a waste of time unless you're a corporation with extra cash.
How do you fix this problem? DON'T USE THE ICANN ROOT SERVERS. Easy as that.
Plug: OpenNIC (for ICANN users) and OpenNIC (for OpenNIC (and its peers) users)
>To all you damn Libertarians that think private commerce and capitalism is important for the proper functioning of ANYTHING, wake up and take a look around. Some things NEED to be regulated by the government; sometimes efficiency is NOT as important as accountability. This is one of them (as a Californian, energy regulation is another!).
You're still wrong.
In a libertarian society, we'd have switched to another set of domain servers. People with com/net/org registrations would get VERY angry with Verisign when their paid-for domains become worthless.
Instead we live in an overly regulated society where it would take an army of men to get the government to start using alternative servers.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Well, for me it's the opposite, with plain old ping the www makes it *not* go to VeriSign:
dyheli:~> ping www.akruhgskdu.com
ping: unknown host www.akruhgskdu.com
dyheli:~> ping akruhgskdu.com
PING akruhgskdu.com (64.94.110.11) 56(84) bytes of data.
From 10.171.0.19 icmp_seq=38 Time to live exceeded
From gar3-p360.wswdc.ip.att.net (12.123.9.65) icmp_seq=39 Time to live exceeded
From gar3-p360.wswdc.ip.att.net (12.123.9.65) icmp_seq=40 Time to live exceeded
From gar3-p360.wswdc.ip.att.net (12.123.9.65) icmp_seq=41 Time to live exceeded
From gar3-p360.wswdc.ip.att.net (12.123.9.65) icmp_seq=42 Time to live exceeded
From tbr1-p013301.wswdc.ip.att.net (12.122.11.169) icmp_seq=43 Time to live exceeded
From tbr1-p013301.wswdc.ip.att.net (12.122.11.169) icmp_seq=44 Time to live exceeded
From tbr1-p013301.wswdc.ip.att.net (12.122.11.169) icmp_seq=45 Time to live exceeded
--- akruhgskdu.com ping statistics ---
76 packets transmitted, 0 received, +8 errors, 100% packet loss, time 75138ms
# ftso verisign
iptables -A OUTPUT -d 64.94.110.11 -j REJECT
iptables -A FORWARD -d 64.94.110.11 -j REJECT
I tried a gobbledy-gook URL 5 minutes ago and got Verisign's search page. But I tried the same thing less than a minute ago and got IE's search page instead. Has Verisign already backed down?
Verisign's telephone number is 1-888-642-9675 (confirmation from Google). I'm sure they'd appreciate a call if you notice anything wrong with their domain servers.
- where x.x.x.x = some bogus ip on your subnet
I am dropping my verizon dsl the MOMENT my speakeasy comes in. Goodbye, fuckers.
Cue Cartman voice: Oh, I'm sorry, Mr. Garrison, I said HOW WOULD YOU LIKE TO SUCK MY BALLS?
"My God, this must be a truly remarkable corn chip, to be so widely and confidently touted."
Here's the email I sent:
To: AskDOJ@usdoj.gov
To: comments@icann.org
Subject: Verisign power abuse
VeriSign, Inc. has just made an audacious power
grab to take control of every unassigned
top-level
for their advertising purposes.
On 15 September 2003 19:30 PDT I confirmed that
VeriSign has been successful in their power grab.
I did this by attempting to view the unassigned
domain name qprwdbmzswygh.com in a web browser,
and I received an advertisement for VeriSign, Inc,
which included the following Terms Of Use:
http://sitefinder.verisign.com/terms.jsp
You know, of course, that you must take all action
in your power to stop this abuse.
(My contact info.)
We the people should make our own nameservers, and make fair rules governing who gets to own what domain.
Or am I being ignorant of some sad fact?
That's lovely if you accidentally enter "sitefinder.verisign.com". What if you accidentally enter "sakfjdkjf.com" ? The hosts file won't stop that from going to 64.94.110.11.
This isn't much of a workaround since the mistyped DNS name will still resolve. Instead of a no-such-domain response from the resolver, you'll instead get a no-response at the application level. This suggests that the server (website or mailserver for example) exists but is down.
In the case of SMTP traffic, the sender will waste time and bandwidth retrying.
Note also that Mockapetris explicitly intended for wildcarding to be supported in RFC1034 - unfortunately, I don't think he foresaw the crass exploitation of the internet by ICANN 16 years ago.
Here's my favorite:
3. COST OF THE VERISIGN SERVICES.
The Verisign Service(s) are provided to you free of charge.
Something tells me they're gonna have a lot of registrations really soon!
you start getting crap and non-service due to privatization and short-sighted profit motive.
Every country should run a root server for their TLD, and the G7 (and mostly US) should get together to run the global TLDs.
At the very least, VeriSign should lose its license/contract in this area and someone more decent should have a shot at it. Oh say, IBM. (no affiliation)
Start Running Better Polls
Let's define reserved bit 3 in RCODE to be the "evil bit".
So if a patched named resolves a domain to an IP node on a DNS-tomfoolery blacklist, it returns 11 instead of 3, ie. FUCK_VERISIGN instead of NXDOMAIN.
libresolv on Solaris, glibc, etc. should be modified accordingly. Perhaps an environment variable determines the behavior: default is to map to non-existent, of course.
Fuck Beta. Fuck Dice
You Know You Made A Typo When... ... Your SSH client says "Connection refused" instead of "No such host". ... New players on your MUD say that you have been offline for the last three days while they made a typo in the hostname and got "Connection refused" instead of "Host not found".
Etc.... not happy!
bash$
Uncrucking believable...
Looks like they have already changed it:
or is something amuck on my system---
sitefinder.verisign.com 12.158.80.10
Bastards.
Internet Death Penalty, NOW.
I'm blocking *.verisign.com, and associated ip addies.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
You *can't* switch to another set of domain servers. To permit alternate TLDs (as has already been attempted without success) would lead to a partitioned Internet.
I agree with the original poster - somethings should be regulated and commerce should not be the only motivating factor in all matters of policy.
At my last check, only the "a", "c", and "d" COM servers are serving the global A record for *.COM.
I am removing those broken nameservers from my root zone hints at all of the places that I administer. Hopefully enough root servers will remain clean of this aberration to keep up a good level of service.
I encourage others everywhere to do the same and ask their ISPs to follow suit. If you don't play fairly with the public trust, the public should stop trusting you.
If Verisign can hijack *.COM and *.NET, what is to keep resolving ISPs from hijacking unused domains at the resolver level to suit their own purposes?
Where was the RFC on this practice? It would never have passed peer review.
--
Eric Ziegast
Former TLD administrator.
Former hostmaster at a major ISP.
slashdot
For a minute there I thought they added a wild card character, so I could have a domain like *iscool.com which would match adamiscool or robertiscool, or spamiscool...
-Adam
Hi All,
Took a look at their setup, and from what I can see, they have partnered with Overture to get their search results. Overture is a pay per click search engine, meaning advertisers bid to get to the top of the search results - anywhere from $0.10 to $50. Most arrangements involve Overture getting half of the bid, and VeriSign getting the other half.
What this means is that they are making money (probably hundreds of thousands if not millions daily) from most of the searches you make.
Topics which attract high bids (up to $50 per click, it is shocking) include online casinos, dedicated servers, refinancing, and a few others.
I implore you all:
If you want this to stop, please do not click on any of the search results from this 'search engine'. Doing so will contribute to the profit VeriSign will make from this. If you really really want to click on one of the listings please go to www.overture.com and get it directly from them.
Other things we can do include:
1) Putting them on the spam RBLs for spamming the entire internet. This will have the effect of blackholing them from some parts of the internet that drop packets based on those RBLs right at the router level.
2) Encourage your vendors to modify their DNS server packages to change results for that IP to NXDOMAIN.
3) Encourage your admins to run such modified DNS servers.
SSL Certificate
It appears to point out some simple correction selections that are click-able, and doesn't contain any advertising.
What's the big deal? It's a damn sight better than a plain "Site Not Found so Fsck Off" page.
"If you love someone, set them free. If they come home, set them on fire." - George Carlin
If you arrived at the site inadvertently, then why do they have a 'Terms of Use'? How can they enforce these terms if you weren't given a chance to not use the site? I hope I make sense.
What is stopping moral persons from starting a renegade DNS? Sure it would be a non-trivial task to get people to actually start using this lesser domain service, but like with anything once you get the ball rolling, it's all downhill from there. Are there any laws that require you to use the rootservers and verisign? Can't people choose to utilize a third party maintained domain service, if it is in fact their choice? This would be purism at the cost of usability, but for some that would be a worthwhile tradeoff. If there were an open-source DNS out there, I'd use it. What do the rest of you think?
`which fortune`
Preliminary (as in, it seems to work for me) BIND 8 patch that I just cooked up available here.
Um, read the subject of the message you replied to. THAT takes care of any requests going to the ip. Although, it is somewhat wrong. The command that I did was route add -host 64.94.110.11 gw 127.0.0.1.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
They have the gall to put a terms of service notice on the page. Like we had a choice of using it or not!
On a global scale, it's not so recent, and it's not just Verisign. A bunch of the ccTLDs have been indulging in this unpleasant behaviour for a while: .ac, .cc, .cx, .mp, .nu, .ph, .pw, .sh, .td, .tk, .tm, and .ws (of course, some of those are run by the same registrar as one another). I was shocked when I first saw this, but I never thought the rot would spread into .com and .net. :/
GROGGS: alive and well and living in
Hopefully they utilize a robots.txt or google is going to index a lot of useless pages.
I feel so much better now knowing that the geniuses at Verisign have so much power over DNS. For example, notice that their web page has a basic cross site scripting security hole. Idiots!
This example only opens a Javascript alert, but could just as easily steal your *.verisign.com cookies, etc. Hey, we could all do a DOS attack simply by entering the wrong name over and over!
Show me on the doll where his noodly appendage touched you.
User-agent: *
Disallow: /
I've seen several people now post sessions they've had with "Snubby". Snubby is assuming that people are ordering things in a specific order. A session I just had with it:
telnet 64.94.110.11 25
Trying 64.94.110.11...
Connected to 64.94.110.11.
Escape character is '^]'.
220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
250 OK
250 OK
550 User domain does not exist.
250 OK
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
That's right. It doesn't parse the input at all (I just hit Enter a bunch of times). If you have multiple RCPT lines, or have an extra command in there anywhere, you will get an OK in the wrong place and it will look like you have succeeded.
Adam
Would you do it for some scoobie crack?
I'm sure most crawlers will be tweaked to ignore this place holder. Imagine all the bandwidth & indexing storage that would be lost on all those broken links to misspelled or expired domains even before pulling a stunt like the one you describe.
add "127.0.0.1 sitefinder.verisign.com" to your HOSTS file.
They are cybersquatting (is that what you call it when you register a misspelling?)
It is a little bit of a stretch---Well, not really, all the components are there.
1. It is for profit. Being an Overture search page, VeriSign gets $X for each link clicked on in the search results. Also, VeriSign offers to register the page for you (not sure if they do it on SiteFinder, I've blocked it, but they do on the *.cc TLD).
2. It is willful. It's not like they couldn't notice. Jeezus-----own the root DNS servers, and redirect *.com? Why not just actually redirect *.com---->all traffic to VeriSign, or "All your base are belong to VeriSign", even for registered domains.
Isn't this stuff covered by the "Truth in Domains Act"? ->They just REDIRECTED EVERYTHING----this is x100000000000 what those porn losers were doing.
If you run a business which offered domain registration, you should be especially pissed.
www.yourfavoriteregistrarmisspelled.com now goes to verisign.
Sue Them!
I predict a relentless DDoS attack on that IP shortly.
This shit isn't going to be tolerated, especially by people who have programs and scripts that function based on a certain type of expected behavior with DNS queries.
They aren't. "Filtered" means the packet sent to that port simply disappeared, without even an error packet coming back to indicate the failure. In other words, indistinguishable from "There is no machine at all receiving the packet". Here's how to use nmap, see the third paragraph.
The server is only running smtp and http, and theoretically it could be running services on the tens of thousands of other ports you didn't scan, but it almost certainly isn't.
Those filtered ports are why the nmap scan took 24.611 seconds; systems without filtered ports will go faster than that under normal circumstances.
I wonder if Verisign has a monster catch-all for mail sent to non-existent domains.
Seriously!
Verizon has control of the root domain servers through a congressionally granted trust on the basis that they would be doing public good.
If we can show Congress that they are negatively impacting the public (read: sys and netadmins, not just regular people), we can get Congress to order Verizon to put a stop to this BULLSHIT
Wow, this is the first real reason I have for wanting to restrict outgoing connections from my own network. 100% typosquatting is just disgusting.
:)
I don't want Verisign getting any data on what domains I mistype, and I don't want applications (such as email) breaking when users mistype an address. I don't want my outgoing email being intercepted by Verisign! Even if they say they'll set up a dummy SMTP server to generate error messages and bounce the mail, I don't trust them.
It might be a good idea to make a daily cron job to look up the IP address of Verisign's wildcard, and add that to the list of banned IP addresses (no data allowed, not only for incoming but also for outgoing as well).
dig @a.gtld-servers.net \*.com. | grep \^\*.com.
dig @a.gtld-servers.net \*.net. | grep \^\*.net.
Extracting the IP address from that and banning it is an exercise left to the reader
Note that Verisign might have other domains under their control as well....
Dr. Demento On The 'Net!
You know there is no reason why anyone has to use Verisign, ICANN, or any of that crap. There exist many alternatives. 1) We could go back to using the actual IP address. 2) We could each maintain our own huge hosts file. I don't actually recommend either of those ideas. But the idea I do like is why doesn't GNU or FSF or whoever start their own, open DNS system. There are no barriers to entry other than the bandwidth necessary to run root nameservers. OpenNIC is an example, I'm sure there are others.
There are so many problems with the current system that it's begging to be replaced. Corporations basically stealing domains from individuals who got there first. Incompetent corporations like Verisign getting rich off of doing almost nothing.
What's more, the OpenDNS system could be much more accommodating with rolling out more progressive TLDs. Move beyond .com, .net & .org to much more descriptive endings. DNS can and should be just as free and egalitarian as GNU software.
Here's a patch to djbdns which lets you ignore certain A records in responses. If you're not already using djbdns, you should.
http://tinydns.org/djbdns-1.05-ignoreip.patch
Don't piss off The Angry Economist
This is fucking hilarious.
9-15-2003: Verisign breaks the Internet.
9-16-2003: FTC investigation begins, NSF urges ICANN to revoke Verisign's write privileges to the root DNS zones.
Googling for OpenDNS returns OpenNIC on top, because that's exactly what it is. An open and democratic alternate DNS system. You really could at least Google around before coming up with an "original" idea like that ;P
I signed up for a
That's my fucking server...
I fuck your server! I fuck your server!
"It's the little touches that make a future solid enough to be destroyed" --William S. Bourroughs
For search engines to find [evil laugh]
:) Teach Verisign a lesson.
this one
and of course
this one also
Let the search engines be unleashed!
I urge everyone to copy these two files....
Even hide them someplace on your website so search engines find them MULTIPLE times but people can't see them!
Verizon has control of the root domain servers through a congressionally granted trust on the basis that they would be doing public good.
If we can show Congress that they are negatively impacting the public (read: sys and netadmins, not just regular people), we can get Congress to order Verizon to put a stop to this BULLSHIT
Hello Mr AC, but Genuity owned those DNS servers and still does. 4.2.2.2, 4.2.2.3, etc. still belong to them, not to Verizon, and never did. What you confuse is probably Verizon using Genuity's network as a backbone for their DSL services, which caused me hell a few weeks ago when a Genuity core router in Dallas was having problems talking to a central office border router in Lewisville TX, causing me and all my neighbors to have horrible 1200ms+ ping times.
I had thought that Verizon used their own network, but they actually just provide the local loop and dump it all out to various carriers like Genuity.
A more direct issue with Verisign would be mistyped email addresses coming back with advertisements, thus turning regular bounce messages into spam also.
Is there any kind of DNS filter that can be installed on a DNS server to block anything that resolves to verisign.com? If so, I will install that at work and at home. Problem solved.
If not, how long until one is written?
I'll happily get our Linux guru to install any (free) "DNS2", or whatever, services that purport to be "better" than DNS, if anyone can suggest a way to resolve names without having to trust these jokers.
Hello all,
After reading this thread I'm convinced that this change at Verisign is going to cause some major havoc with things so, does anyone have a well written letter of condemnation and a list of appropriate addresses to which we can send it?
Douglas
On my BEFSX41, I null-routed it. In the Web admin interface, click on "Advanced",
then "Static Routing". Fill out the fields:
Dest LAN IP: 64.94.110.0
Subnet Mask: 255.255.255.0
Def Gateway: 192.168.1.254
(or other unused local address)
Hop Count: 0
Interface: LAN
and then click Apply. After it says it saved, click on
Show Routing Table
and there should be a line like this:
64.94.110.0 255.255.255.0 192.168.1.254 0 LAN
The North American Network Operators' Group has two ongoing threads ('What *are* they smoking' and 'Change to .com/.net behavior') with further discussion on this topic.
--- Fox
If you have SSL certificates from Thawte (a subsidiary of Verisign), you can send them a message today.
Email your Thawte rep to explain why you or, better yet, your huge organization :) won't be renewing your certificates with Thawte.
You can tell them "it's a trust thing" (their own motto).
Dear clue-free slashdot reader:
You twit! Who do you think GOT us in the sorry position? THE GOVERNMENT! If you weren't such a fardling idiot, you would be calling for the MARKETPLACE to save us from the GOVERNMENT's SCREWUP in granting a monopoly to Verisign. Instead, you want the hair of the dog that bit you. That's a sure sign of someone who's addicted to government.
-russ
This will make you search google for your cookie. You can modify it to do whatever you want.
if I typo the address? I am concerned that if I were to send a message with an attachment that contains proprietary information, and I mung the email address (which happens a lot with me), now that email and attachment will go to Verisign rather than bouncing? How will I know that my message never got there? I run a company, and my emails may contain information that is legally bound under an NDA with various partners. I'm not sure anyone would appreciate this information getting loose. After all the BS I go through to make my company secure, firewalls, SSH only, big ugly passwords, etc., this seems like a huge hole in internet security.
Beyond preferred placement on SiteFinder, next thing you know, VeriSign will aggregate, analyze and sell the marketing data from all the mistyped domains and the searches from their search engine.
http://tinydns.org/djbdns-1.05-ignoreip.patch
Sometimes when I mistype a URL I get pages which say "BUY THIS DOMAIN - CHEAP!", and they usually have some kind of lame search/portal page as well, with links to say, insurance sites, or online auto sales or auctions.
VeriSign might have taken all the extra domains, which is lame, but this is far from the first we've seen of this.
CAn'T CompreHend SARcaSm?
Is there any way to configure BIND to return DNS errors if the address resolves to this Verisign fucknut of a page?
;-)
If not, is there a good DNS package which can be configured this way? My grandpa keeps telling me there's holes in BIND anyway.
VeriSign Worldwide Headquarters
487 East Middlefield Road
Mountain View, CA 94043
Phone: 650-961-7500
FAX: 650-961-7300
Have fun!
And the brethren went away edified.
Michael Bolton! I love you!!!!!!!!
(not work safe, you've been warned)
A great feature: Every verisign insult typed into their "search engine" returns slashdot...
Including classics such as:
f*ck verisign
f*ck verisign up the a$$
verisign owns your mom
verisign execs spend time pushing their moms
Sweet...
It's my understanding that ICANN gets a cut of every domain registration, isn't that correct? If so, how many domains has Verisign "registered" here? I mean, they're using them, so they are registered to Verisign, in a de facto way. So, it would seem that they owe ICANN a shitload of money.
But I may be mistaken. Someone feel free to correct me on this.
It's a bit interesting to note that using a proxy (e.g. squid) does return an "Unknown host" error for non-existing domains. I guess squid performs a real A lookup first.
220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready
puto
250 OK
laputamadre
250 OK
laconchadelalora
550 User domain does not exist. -- Whoa! it wants a real domain name huh?
laconchadelalora@kagate.com
250 OK
Actually it is not a working MTA. It just prints a series of static messages. If you don't do things in the right order you may not even get a bounce out of it.
#!/usr/bin/python
import socket

x = 0
while True:
    x += 1
    # Build a name that nobody can have registered; under the wildcard it resolves anyway.
    dns = "www." + "verisignsucks" + str(x) + ".com"
    try:
        s = socket.gethostbyname(dns)
        print(dns, "resolved to", s)
    except socket.gaierror:
        # Only a real NXDOMAIN (or resolver failure) lands here.
        print("resolving", dns, "failed")
why aren't all TLD's handled by a non-profit organization, or standards body? I mean seriously, what advantages does a corporation have in holding such a public service... I mean, a corporation is in it to make money, they shouldn't be given the chance with something like this.
This way the machine will be down, thus not answering request and we will get errors like before. ;)
return NXDOMAIN for www.verisign.com, sitefinder.verisign.com and www.thawte.com while you are at it.
Perhaps they'll rethink the value of unilateral action after that.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
>You *can't* switch to another set of domain servers. To permit alternate TLDs (as has already been attempted without success) would lead to a partitioned Internet.
Exactly. That's the whole point.
.com, etc become valueless. Crazy customers that spent $1000 a few years ago to buy a long term registration will go insane with anger. Verisign would be forced to fix their policy or die.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
From: XXXXXXXXXXXXXXXXXXXXXXXX
To: shollenbeck@verisign.com, mlarson@verisign.com, wmitchell@verisign.com, ssclavos@verisign.com
Date: Tue, September 16, 2003 0:14
Subject: Recent changes that break current RFCs.
Good Morning Gentlemen,
As I am sure you have received many emails each already this morning after your company's change to the way DNS works on the Internet, I shall keep mine somewhat short.
For all of my clients and contacts I am now recommending dead-routing of all VeriSign IPs. Any root servers that return your incorrect and lame delegation will be removed from master host files. Any CERTs purchased through your company will now be purchased instead from Thawte. While I personally won't make much of a difference in your revenue stream, many of my contacts and friends in the industry can. I will vehemently argue against using your services at any organization that requests my opinions during consulting work and may in fact go out of my way to point out your faults.
What I wonder is, you must be aware that your returning incorrect information, logging of such trends, filtering out all mistyped email (no doubt for email address harvesting), and your pushing people towards Overture searches you get paid for basically turns your company into petty criminals. It must be hard to sleep at night knowing that instead of running a business well, you must resort to such shenanigans to stay competitive?
Sincerely,
XXXXXXXXXXXXXXX
XXX-XXX-XXXX
I just noticed that SMTP is open on 64.94.110.11. So if I mistakenly send email to ceo@soemcompany.com... that would bog down verisign's mailserver. Hmm... given that spam crawlers will most likely parse addresses like user@NOSPAMdomain.tld, they're going to get massive amounts of spam that previously was never sent because the DNS didn't resolve. This problem may take care of itself.
I mod down pyramid schemes in sigs.
Of course nobody should be so irresponsible as to do something like
#!/bin/sh
while [ 1 ] ; do
wget -O /dev/null "http://hey-verisign.stop-arrogantly-appropriating-the-tlds.com/" ;
done
at, say, precisely 20:00 EDT every day, assuming your ISP doesn't use SQUID or some other http proxy (they're already being fucked hard enough by Verisign, no need to add insult to injury)
On topic: verisign sucks, if you need SSL get geotrust, and I haven't registered a domain with these bastards after alternatives were allowed (enom.com/opensrs/etc).
. com. com (64.94.110.11) 56(84) bytes of data.
Off topic: (kinda)
OK I switched a test DNS server to use this OpenNIC, but it still resolves unknown domains to sitefinder shouldn't that quit working once I switch my hints to these guys?
[root@www45 named]# ping ns1.opennic.glue
PING ns1.opennic.glue (209.151.84.102) 56(84) bytes of data.
64 bytes from primary-ns.translator.cx (209.151.84.102): icmp_seq=1 ttl=241 time=63.7 ms
Ok so that works but
[root@www45 named]# ping asdfasdfasdfasdfasdfasdfaf3232342f23f23r23r23ffff
PING asdfasdfasdfasdfasdfasdfaf3232342f23f23r23r23ffff
Crap thought switching would stop that?
--- www.f-theocean.com
A fellow SA Goon (thatdog) pointed this out, and it could perhaps be a nice fun tool to screw with them... I'll quote his post over there:
thatdog said:
The most amusing part of this to me is they take whatever is passed in the url parameter and shove it into the html of their page, no questions asked. Remote scripting exploits will be ever so easy!
If you don't get what I'm talking about, just check out this link.
Would be fun to see redirects on major isps and backbones...or even forwarding to an alternate site hosted elsewhere with an explanation.
the fbi idea is great...
So, it does not appear that *.com is being handled.
reply to this post with the config workarounds so that your nameserver will never return this record!
What were to happen if the authors of BIND were to include an option which silently discards A records from the root nameservers? Verisign may control the root nameservers, but they don't control the core nameserver software ;)
Then ISPs and businesses could configure their nameservers to ignore root-provided A records and everything would be back to the way it was for clients that use those nameservers.
I'm a bit angry.
From now on any bad URL will resolve to VeriSign. That's sick. They make money on every typo on the Internet.
My real beef is that they could be selling ads for competition. For example, type appke.com instead of Apple.com, and you could be seeing ads for MS Windows. Or vice versa.
Bad things to come.
From me blog: http://robert.accettura.com
OK fellow geeks, I am seeing a lot of ranting about clogging mail server queues with typos and the like, let's go over this a little more in depth:
- http://aldvhlddvhlsdfvh.com - Verisign'd
- http://www.aldvhlddvhlsdfvh.com - Verisign'd
- http://aldvhlddvhlsdfvh.com:69 - DNS Error (immediately)
Aha, so this only affects web browsers. Other ports besides 80 are somehow ignored... at least that is what happens on this end. So perhaps it's not that bad. Port designations aren't sent with DNS queries, though, which makes this a bit puzzling. At least if it's true your mail queue won't clog. Anyone with more experience in the area care to elaborate/prove it wrong? Not looking for a flame war, but a little scientific method.
So I don't know any Java at all--but I can do "view source" on sitefinder.verisign.com/index.html and there's a lot of JavaScript mumbo jumbo there.
What's it doing exactly?
Check out http://www.haque.net/verisign_dns_rant.php for some more information on how this is damaging to the rest of the net (as well as to your own privacy)
-- a concerned netizen
[sparrowhawk:~/Desktop] hawk% nslookup
Default Server: ns2.attbi.com
Address: 216.148.227.68
> 64.94.110.11
Server: ns2.attbi.com
Address: 216.148.227.68
Name: sitefinder-idn.verisign.com
Address: 64.94.110.11
> sitefinder.verisign.com
Server: ns2.attbi.com
Address: 216.148.227.68
Non-authoritative answer:
Name: sitefinder.verisign.com
Address: 12.158.80.10
if anyone can explain this, it would be appreciated...
clearly, under comcast DNS servers, 64.94.110.11 is slightly different, and the catch-all is 12.158.80.10
a few good links: wowowo
this sig limit is too small to put anything good h
<http://www.icann.org/correspondence/iab-message-to-lynn-25jan03.htm>
What happened? I STRONGLY URGE that complaints be made to ICANN and the US DoC...right now.
This is so much worse than many folks think.
usually i wouldn't respond to an article, but this just pisses the phuck out of me!
For a DDOS attack, this is it.
I, for one, welcome our new Versign Overlords.
Too bad that they didn't just point people to google....now that would be useful.
You know, maybe we could give them a call to express our displeasure. From the Verisign web site: Domain Names & Related Services U.S. & Canada: 888-642-9675 Worldwide: +1-703-742-0914 Web Sites Phone: 888-642-9675
VeriSign controls two of the root servers (A and J) but they are returning the same delegation for the COM and NET domains as all the other root servers.
By coincidence I received a (legitimate) domain renewal notice from Verisign today. Instead of renewing with Verisign I am transferring my domain to a new registrar. Verisign-ing off.
Can I claim trademark infringement on my trademarks resolved by Versign?
You can file a complaint at http://www.ftc.gov Man, if ever a company needed to be squashed, now is the time!
Hello,
As a customer of Verisign for quite a long time, I would like to express my disapproval of your latest internet DNS abuse, the site finder (resolving of wildcards on .com and .net). I think this will negatively impact many applications, business and everyday users. I strongly believe against this decision and will not continue doing business with Verisign unless this issue is resolved.
...
Not to mention all the lawsuits you guys are about to face...
Best regards,
If your users are getting their web access through a squid proxy, you can add these lines to the config to prevent them from seeing verisign's brain damage.
acl verisign dst 64.94.110.11/255.255.255.255
http_access deny verisign
It'll give an access denied error, which is less than optimal. Can anyone describe a less intrusive squid config?
So, why don't all the ISP router admins get together and route all requests for 64.94.110.11 into the bit-bucket, or even better, configure all DNS servers to report it as non-existent.
If you want to get really smart about it, since VeriSign could simply change the * record later, pull a copy of the root zone each day and grep the * record to blackhole whatever it calls for.
Or designate one source to do this and pull from this source.
A few large ISPs could seriously affect Verisign's ability to do this in the future and a little grassroots campaign like this can shape future policies at other companies.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
Dunno if it's my dsl provider stepping in or not, but it just stopped as I was about to change my hosts file... I get the usual 'not found' again.
(FWIW: I'm in Australia and a slave to Telstra, lord and master of my connection)
- I am made of meat.
Try libverisignfix.c. It's an LD_PRELOAD hack to intercept gethostbyname, gethostbyname_r, and gethostbyname2_r. It doesn't intercept anything else (like getaddrinfo), but it works in Mozilla.
I've changed my hosts file to point sitefinder.verisign.com at 127.0.0.1 and it worked. So I would assume that most people in the know can fix it by pointing the address at a non-existent IP, either on the local machine or at the ISP level. Either way, this is the stupidest thing I've seen in quite a while.
Over the past 15 minutes it's been up and down. Getting the Try Again page (after 15 seconds) or cannot find server.
Go scripts!!
One bad effect from the Verisign infection is that many bogus mailers are no longer bogus. Example:
From: spammer@ferewrf.com
To: You
Subject: Herbal supplement
Some spam filters would use DNS to notice that ferewrf.com is a bogus mail server (no MX, no A), and therefore reject the mail for forging the sender. Well, now ferewrf.com has an A record pointing to 64.94.110.11, so it's now a "valid" mail server.
Doh!!!
We gotta get those resolvers to fail on requests to bogus domains.
A wise friend pointed out to me that Verisign owns all of those *.GTLD-SERVERS.NET servers, so they could theoretically pop this record onto any/all of those servers, and it's hard to boycott all of the Verisign-monopoly COM/NET servers because we need to query them to get valid COM/NET answers. Mod my last post -1 Clueless. It's not _the_ solution, but it might work temporarily until Verisign changes who is serving the global record.
One could change resolver software to detect when there's a bogus response. The logic might look as follows:
If QueryType="A" and Answer="64.94.110.11"
Then Respond(SERVFAIL);
or
If QueryType="A" and Member(Answer, *BogusList)
Then Respond(SERVFAIL);
I think DJBDNS's query.c could be one spot. People working on BIND might have a solution, too.
--
Eric Ziegast
www.lookingtoescapeverisign.tv
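An added example (mine, not code from any poster here nor from BIND or djbdns) of the two-part defence sketched in this thread: discover the TLD's wildcard address by resolving random labels, as the dig-in-a-cron-job post suggests, then rewrite any reply whose A answers all match that address into an NXDOMAIN, as in the pseudocode above. The DNS packets are built inline from constructed values; `resolve` is a stand-in for whatever lookup function you would plug in, and the wildcard address is the one quoted throughout the thread.

```python
import random
import string
import struct

# Constructed sample data: the wildcard address quoted throughout this thread.
WILDCARD_IPS = {"64.94.110.11"}
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt, off):
    """Read a (possibly compressed) name at offset `off`; return (name, next offset)."""
    labels = []
    while True:
        length = pkt[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(pkt, ptr)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        off += 1
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def build_a_response(qname, ips, txid=0x1234):
    """Constructed minimal reply: header, one question, one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in ips:
        answers += struct.pack("!H", 0xC00C)  # owner name: pointer to the question name
        answers += struct.pack("!HHIH", 1, 1, 900, 4)  # A, IN, TTL, RDLENGTH
        answers += bytes(int(octet) for octet in ip.split("."))
    return header + question + answers


def a_records(pkt):
    """Return (question name, list of A-record addresses) parsed from a reply."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return qname, ips


def rcode(pkt):
    """Response code: the low four bits of the flags word."""
    return struct.unpack("!H", pkt[2:4])[0] & 0x000F


def scrub_wildcard(pkt, bogus_ips):
    """If every A answer is a known wildcard address, return the same question as an
    NXDOMAIN reply with no answers; otherwise hand the packet back unchanged."""
    qname, ips = a_records(pkt)
    if not ips or not all(ip in bogus_ips for ip in ips):
        return pkt
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    flags = (flags & ~0x000F) | RCODE_NXDOMAIN
    question_end = 12 + len(encode_name(qname)) + 4
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0) + pkt[12:question_end]


def discover_wildcard(resolve, tld, probes=3):
    """Resolve a few random labels under `tld` that nobody can have registered;
    whatever address every probe returns is the TLD's wildcard answer.
    `resolve` is any callable mapping a name to a set of addresses (a stand-in here)."""
    common = None
    for _ in range(probes):
        label = "".join(random.choice(string.ascii_lowercase) for _ in range(24))
        ips = set(resolve(f"{label}.{tld}"))
        common = ips if common is None else common & ips
    return common or set()


if __name__ == "__main__":
    reply = build_a_response("qprwdbmzswygh.com.", ["64.94.110.11"])
    print(a_records(reply), "->", rcode(scrub_wildcard(reply, WILDCARD_IPS)))
```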
Well I called and discovered it to be Network Solutions.
I got an operator who informed me that the Supervisors were all busy. I snuck in a comment of how they are owned by Verisign and after putting me on hold for a few sec came back and asked if I'd give some details which they would try to forward to the correct party.
I told them about a failed lame domain debugging I was doing ending up at 64.94.110.11. How it breaks a number of things. That Larsen is behind it and he should have known better than to sabotage the Internet.
Being a professional Operator she did her best at trying to service me. If that was just to try to keep a lid on upset people calling I don't know. I would imagine a few people have called. At least it's coming back to them on some lines.
I had this thought after reading someone else's post, but the line I inserted looks like:
127.0.0.1 64.94.110.11 # verisign's hijacking IP
(Turns out adding a line to hosts.txt takes about a minute to take effect. Why is that?)
Tho I like your 0.0.0.0 idea better... [goes off, tries it] Resolves to nothing-found in about 5 seconds instead of 30 seconds. Thankx!!
~REZ~ #43301. Who'd fake being me anyway?
Actually I think you are totally right.
The whole thing was done exactly with this purpose, but I think it can be used to break the system. If enough bots (and bots only) constantly "click" on the ads, their price will plummet. Since now they cannot tell if a person saw the ad, the "pay per click" becomes pointless. (And boy, they will be mad when they find out they paid all that money for nothing.)
On the other other hand, if every Slashdotter would ping the thing it would be way more fun.
Come on everybody, just type: ping 64.94.110.11
(add -t if you are in Windows)
Any attempts to fix this problem externally are just hacks, including null routing the IP address for *.com and resolving sitefinder.verisign.com to 0.0.0.0, as Verisign can easily change both the IP address of sitefinder.verisign.com and the IP address for *.com, so this is just an arms race that can't be won.
Therefore the quality of the web will begin to degrade as Verisign is not supporting the internet protocols correctly, and there is no "correct" way to work around this defect they have caused. If they sent back a web error code, that would be "more correct", but still a flawed implementation, as a non-existent domain name should not resolve at all.
It is my wish that some governing body like ICANN or IETF can make a ruling banning this disruptive behavior from Verisign.
As of about 05:35 UTC 64.94.110.11 has trouble being reached, traffic stops at the first hop into verisign's IP space - but the wildcard is still in place ... coincidence or... they have seen what they have wrought and .. removed the IP ?
Ahh good to see libertarians keeping up their usual standard of intelligent debate.
I'm sorry but critical infrastructure should not be left in the hands of a free market. It is just too damn important to leave to the whims of the stock market.
Management of the root servers should be placed into the hands of an international body with an international charter. This body should be a non-profit organisation funded by its member governments with true representation from both its member governments and the Internet community at large. Yes this means a body created under the auspices of the UN.
And if you are thinking of spouting any more libertarian gems just remember this, in a libertarian world, you are valued by how much you have, not by who you are and what you can contribute to society. I thought we got rid of that idea years ago.
Their stupid SMTP server doesn't read any of the input. It just looks for newlines. It 250's the first two inputs, 550's the third, and 250's the fourth, and then it closes the connection.
It should work ok most of the time, but that's far from a compliant implementation.
So, if you use the internet that means you agree to this:
http://sitefinder.verisign.com/terms.jsp
but you don't, so how do you 'unsubscribe' to this service? Hmm....
I would suggest trying to contact someone here and telling them you do not agree to these terms and that you want them to stop re-directing your mis-typed addresses:
http://www.verisign.com/corporate/about/contact
Who should run the root nameservers instead of verisign? ICANN, IETF, ISO, ANSI, the US FCC, the UN, or some new organization?
IANAL, but I dated one once, so take this for what it's worth. This appears to me to be a clear violation of anti-trust laws. Verisign is using their monopoly position as the root DNS to create business opportunities which are not available to others. Verisign can create a nearly infinite number of domains for free, and sell advertising on all those domains. Any of their competition would have to pay for those domains (in fact, would have to pay Verisign). If this isn't abuse of a monopoly position, nothing is. Somebody should sue them under the Sherman Anti-Trust act and get an immediate injunction against them.
Eric
eric at koldware dot SpamThisSucker dot com
It doesn't look for DATA. I rejects the third command no matter what it is.
I've created a Squid redirector to deal with this problem. I tried to post it here, but couldn't get past the Slashdot lameness filter.
It catches anything going to a gTLD's wildcard response (there's about 15 gTLDs doing this!) and redirects it to google. It also does some other niceties that don't automatically happen when using a proxy, such as adding www. and .org/.com/.net if needed.
If anybody wants the code, then post a reply here and I'll set up a web page with it and post the URL. (I won't bother if nobody wants it.)
You may want to know, also, that some of the NANOG folks have patches for BIND to change these responses back into NXDOMAIN.
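The redirector described in that post was never pasted here, so the following is my own minimal Squid redirector (an added example, not the poster's code) showing the mechanism: Squid hands each request to the helper on stdin, the helper resolves the host, and if every address it gets back is a known wildcard address it answers `302:` plus an error page instead of letting the request reach 64.94.110.11. The proxy.example error page, the `fake_resolver` table and the helper's file name are assumptions for the example; the www./.com fix-ups the poster mentions are left out.

```python
#!/usr/bin/env python3
# Added example, not the poster's redirector: a minimal Squid redirect helper
# (squid.conf: "redirect_program /usr/local/bin/wildcard_redirect.py" on Squid
# 2.5, "url_rewrite_program" on newer releases) that sends requests for hosts
# which resolve to a registry wildcard address to a local "no such host" page.
# Squid feeds one request per line, "URL client_ip/fqdn ident method", and the
# helper answers with a blank line (leave alone) or "302:<url>" (redirect).
import socket
import sys
from urllib.parse import quote, urlsplit

WILDCARD_ADDRS = {"64.94.110.11"}                   # from the thread
ERROR_PAGE = "http://proxy.example/no-such-host"    # assumed local page


def resolve(host):
    """All IPv4 addresses for host; empty list if the name does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def rewrite(line, resolver=resolve):
    """Return the helper's reply for one Squid request line."""
    fields = line.split()
    if not fields:
        return ""
    host = urlsplit(fields[0]).hostname or ""
    # Only A answers are synthesised by the wildcard. A host with at least one
    # address outside the set is a real (or differently broken) site, so it is
    # left alone rather than blocked.
    addrs = resolver(host)
    if addrs and set(addrs) <= WILDCARD_ADDRS:
        return "302:%s?host=%s" % (ERROR_PAGE, quote(host))
    return ""


# Constructed stand-in for DNS so the helper can be exercised offline.
def fake_resolver(host):
    table = {
        "typo.com": ["64.94.110.11"],          # would land on the wildcard page
        "www.example.com": ["192.0.2.10"],     # a real site
    }
    return table.get(host, [])


def main():
    # Squid keeps the helper alive and pipes requests; answer line by line and
    # flush, or Squid stalls waiting for a reply that is stuck in a buffer.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Resolving in the helper doubles the lookups for every proxied request, so in practice a site would run several helper instances (the `redirect_children` setting) and rely on the local caching resolver; the point of the example is the decision rule, which is the same one the ISP-proxy post further down asks for.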
Isn't this EXACTLY what that other fellow sued (successfully?) for in a previous story?
I wonder how many lawsuits against them people could file citing the other case as precedent? At least those in the jurisdiction where the case is controlling precedent could make them sweat a little... *hmm*
I'm sorry but critical infrastructure should not be left in the hands of a free market.
Interestingly, you didn't even bother addressing my point: that government intervention in the marketplace created this problem. You just repeated your assertion. I suppose that there are are bunch of people who agree with you, and that merely repeating the Big Lie is sufficient for you and them.
-russ
Don't piss off The Angry Economist
Isn't it quite similar to the fake error message ad banners? The ones that got Doubleclick(? or some other ad serving scum) in the court?
The moon is not fully subjugated. I demand a second assault wave preceded by a massive nuclear bombardment.
Is it just me, or might this be an instance where a class action lawsuit would be in order?
Get the team of lawyers over at EFF (or someplace similar) to get a class-action on behalf of all of us Internet and techie users, sue Verisign's asses off, and then the awarded "legal fees" normally awarded in such suits go to the EFF. (Win win?)
I, for one, feel compelled to DO something about this... but I'm not sure what.
$0.02 (CDN)
What big lie? That humanity is naturally inclined to government? That the libertarian model is doomed to failure? Or maybe that Verisign is a private company and it is the one that is fucking up here precisely because there is not enough government oversight of how it operates?
We have seen in the last couple of years some major incidents involving private organisations running vital infrastructure in to the ground, all in the name of share holders profits. The government has done nothing to stop this happening, instead leaving it to "Free Market" to sort out the problems. This has patently been an abject failure.
This is what I love about the libertarian dream, it makes the assumption that people are not at the very root of their being out for themselves and their immediate family. It's so rose-tinted. Face it, humanity was, is and always will be a tribal beast, and we need governments to make sure that that tribality doesn't drag us back down from the heights we have achieved.
You do know, don't you, that this is NOT how moderation works? When you get your points, use 'em. Otherwise, make useful posts that add value to the discussion.
Just... like... this post... er... right.
- A. Coward Sr.
I tried a random .edu URL ... that was about 256 characters long, so I know it did not exist already.
Bam, Verisign's ad page. Not just .net & .com I guess.
Verisign installs a mailsink on this new catch-all domain. Spammer sends to a fake address using a fake address. Verisign bounces with a 550 -- to themselves, which bounces -- to themselves, which bounces...
I think you see the picture. Am I right?
In the states, it is illegal, under the Sherman Antitrust Act, to use a monopoly to push business in another area. Besides being in incredibly bad faith (abusing a trust which has been given to them), Verisign is probably guilty of antitrust violations. I hope the gov't will slap them with an injunction asap.
The ICANN website has an online complaint form.
To quote from the site in question:
Although ICANN's limited technical mission does not include resolving individual customer-service complaints, ICANN does monitor such complaints to discern trends.
Let your voices be heard!
If you look for a file that doesn't exist on your hard drive, you will get ads for MS Office, telling you that you can create your own files with that!
What would happen if I added some IMG SRC tags to webpages we serve that point to unregistered domain names ... between all the sites I operate that I could easily drive several million hits to semi-random unregistered domains everyday.
... VeriSign has only itself to blame if they resolve unregistered domains improperly.
Before someone says this is a DoS...remember, the mere reference of a domain name is not a DoS...especially when said domain name is unregistered and in addition contains OUR extremely unique registered service/trade marks
Welcome thoughts...
Ron
At my last check, only the "a", "c", and "d" COM servers are serving the global A record for *.COM.
Unfortunately, if only a, c, and d were doing it for *.com three hours ago, it's spreading. Now a through e are doing it for *.com.
Also, they're all currently doing it for *.net, so if you want to ignore broken nameservers, you have to ignore all the GTLD servers.
My personal DNS cache is simply returning NXDOMAIN for any query whose result contains a certain IP address :-)
Verisign's current practices imply that Verisign owns veritable rights to all domain names, EXCEPT those which have been registered by others.
Clearly this is not ethical: all others need to pay a yearly fee for registration, while Verisign does not. This must be corrected.
Specifically, Verisign is using all un-registered domain names as aliases (redirects) to their own business sites. This can realistically be a significant step towards ending the internet as we know it - every single internet user puts an immense amount of trust into "the system" every day she or he uses a web browser to surf the web. Verisign threatens to end our trust in the system, with serious consequences for us all.
spacemeat:/# /usr/lib/sendmail -bt foo@foothefuckinghell.com
foo@foothefuckinghell.com
  deliver to foo@foothefuckinghell.com
  router = lookuphost, transport = remote_smtp
  host foothefuckinghell.com [64.94.110.11]
spacemeat:/# telnet 64.94.110.11 25
Trying 64.94.110.11...
Connected to 64.94.110.11.
Escape character is '^]'.
220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready
QUIT
221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
Umm, the fact that email is going to go there for every typo or expired domain opens up a great deal of legal trouble. They really haven't thought this out very well have they?
(Even if it currently bounces everything. It still has to get there to be rejected. And there's nothing that says they aren't keeping it, reading it, or won't do so in the future.)
It's just a poorly written mock SMTP server with canned responses for a sequence of commands. It looks like it's probably not even buffering the data, it just looks for a CR or LF and sends its next dummy response.
No sig, sorry.
To: comments@icann.org; registrar-info@icann.org; antitrust@ftc.gov
Subject: Verisign's Unfair Wildcard DNS
I think this change in the global DNS is unfair to competition in the registration, hosting, advertising and search engine businesses. This feature gives them an unfair advantage over any of their competitors for many internet services. I think this should be stopped immediately and I think the ICANN organization should more strictly control what registration companies can and cannot do. The Internet was essentially created on the .COM and .NET TLDs and giving Verisign complete control over them is like handing them the Internet. Please respond with action and stop this unfair practice from happening.
-Concerned Internet User and Professional Business Member
Now porn sites can send unlimited spam. I just received this p0rn spam in my email
From: sexkitten@ihadsexatverizonswebsite.com
Message-ID: 20030915.9ie4s@ihadsexatverizonswebsite.com
Subject: Hi!
Well it would if they didn't just transfer the domain info from the root servers. They end up with the same problem then.
Using them would benefit you when and if they decide to block any domain records with the versign faked "A" records.
"I was shocked to discover that ome company actually tries to sell products on a website called 'www.fuck-children.com'"
Who are these verisign paedophiles anyway?
done: the patch is here
A patch against this is available for djbdns.
:)
It gives the server a new feature to answer that a host is nonexistent if it actually resolves to a certain IP address.
It was specifically designed for Verisign.
It works extremely well and brings back the DNS caching the way it was working until the Verisign change.
Get it here
http://tinydns.org/djbdns-1.05-ignoreip.patch
Or if you want a pre-patched djbdns including this patch and other recommended patches (like the Linux glibc patch and other patches that don't break the stability)
ftp://ftp.fr.pureftpd.org/misc/djbdns-jedi.tar.
No company will ever have to pay verisign again.
Think about it. You can't register a trademark or similarly "owned" name unless you own the trademark. If you do, the UDRP process will yank it away from you and give it over to the "real" owner. So any company can now file a claim against verisign for any trademark they haven't bothered to buy the domain for, or have let lapse, because now it resolves to verisign, and verisign is clearly using it to make money. Before you can say "corporate stooge arbitration", verisign will have to fork over any trademarks to the companies that own them.
Note: http://sitefinder.verisign.com/lpc? Access Denied by Squid rules.
:)
Generated Tue, 16 Sep 2003 07:06:57 GMT by server.series.org (squid/2.5.STABLE3)
--I don't know which rule it tripped on, but I consider that a BONUS!
.
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
Here is the agreement under which Verisign operates the .COM and .NET TLDs.
http://www.icann.org/nsi/nsi-registry-agreement-0
Section 3.C.ii says:
Does this mean that they are prohibited from doing this as a registrar?
This will be the obvious fix. Just add a plug-in (oops, sorry EOLAS, better make that a JavaScript or DLL) that avoids all contact w/ Verisign.
SCO: 800-726-8649
Verisign: 800-361-8319, 888-642-9675
Diebold: 800-433-VOTE (8683)
not bad Verisign. Only 3 hours before "fuck verisign" now return no results. I hope their customer service is that quick.
VIVA1023.com | Political Fashion.
--Running squid with an ACL list of banned ad / other sites is a great line of defense.
--Goatse is, of course, an entry in porn.txt. Remember k1dd135, port 3128 is your friend.
.
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
It seems that they backed out and removed those wildcard records.
Still, poisoning might not be too bad for spiders that misbehave.
Copyrights, Patents, Trademarks: temporary loans from the Public Domain, not real property ("intellectual" or otherwise)
If you're upset about this, I think a better solution is to ring up Network Solutions' sales telephone number - every day - at your local office.
:)
Quite frankly if the phone is ringing they will have to pay someone to answer it, and that someone can take your complaint. If they spend all day taking complaints from people upset about it, they will not be very productive - and it won't take that many slashdotters to convince them to change their mind - call now
I'm starting to write a small perl program that will hopefully cause some annoyance to Verisign, but not cause much extra load on the legitimate infrastructure.
My idea is that the program will perform a lookup on a random and quite inconceivably legitimate second level domain (using perhaps a random string of characters and numbers at least 20 chars in length). It will only perform the lookup every 15 minutes (the expire time of the wildcard A record according to Verisign's documentation).
The program will then continue to generate random domain names and send HTTP requests to the IP address that is stored from the periodic lookups.
Some particularly vitriolic comment would be placed in the client ID section of the request, of course.
I figure in this manner I can be kind to the DNS systems by only making lookups every 15 minutes, yet creating some extra traffic for Verisign to analyze (they claim to do this in 10 minute chunks), and track for their connection refusal logic.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
The plans have been on file for how long??? eeesh
Enjoy. Applying this to bind 9.2.2 will cause those annoying IP addresses to go away. This is not tested in production ; use at your own risk.
:68@*')E ,245.5%]604Q)1"AC;&EE;G0I*3L*(`H@"4-44D%#12@B<V5N9 "(I
uuencoded for tab protection.
begin 664 bind9-diffs
M9&EF9B`M=7(@8FEN9"TY+C(N,B]B:6XO;F%M 960O8VQI96YT+F,@8FEN9"TY
M+C(N,BUP871C:&5D+V)I;B] N86UE9"]C;&EE;G0N8PHM+2T@8FEN9"TY+C(N
M,B]B:6XO;F %M960O8VQI96YT+F,),C`P,RTP,BTQ-B`R,SHP-3HP-"XP,#`P
M,#`P,#`@+3`X,#`**RLK(&)I;F0M.2XR+C(M<&%T8VAE9"] B:6XO;F%M960O
M8VQI96YT+F,),C`P,RTP.2TQ-B`P,#HU-C HU-BXP,#`P,#`P,#`@+3`W,#`*
M0$`@+3@P."PV("LX,#@L- #0@0$`*(`EN<U]C;&EE;G1?;F5X="AC;&EE;G0L
M(')E<W5L ="D["B!]"B`**W-T871I8R!I;G0**W-A;FET:7IE7W9S9VXH9& YS
M7VUE<W-A9V5?="`J;7-G*2!["BL):7-C7W)E<W5L=%]T( ')E<W5L=#L**PED
M;G-?;F%M95]T("IN86UE.PHK"61N<U]R 9&%T87-E=%]T("IR9',["BL)9&YS
M7W)D871A7W0@<F0["BL )=6YS:6=N960@:6YT(&EN970@/2!H=&]N;"@P>#0P
M-64V93 !B*3L**PHK"7)E<W5L="`](&1N<U]M97-S86=E7V9I<G-T;F%M 92AM
M<V<L($1.4U]314-424].7T%.4U=%4BD["BL):68@*') E<W5L="`A/2!)4T-?
M4E]354-#15-3*0HK"0ER971U<FX@*# `I.PHK"BL)=VAI;&4@*')E<W5L="`]
M/2!)4T-?4E]354-#1 5-3*2!["BL)"6YA;64@/2!.54Q,.PHK"0ED;G-?;65S
M<V%G 95]C=7)R96YT;F%M92AM<V<L($1.4U]314-424].7T%.4U=%4B P@)FYA
M;64I.PHK"0ER9',@/2!.54Q,.PHK"0ER97-U;'0@/ 2!D;G-?;65S<V%G95]F
M:6YD='EP92AN86UE+"!D;G-?<F1A =&%T>7!E7V$L"BL)"0D)"2`@("`@(#`L
M("9R9',I.PHK"0E I9B`H<F5S=6QT(#T]($E30U]27U-50T-%4U,I('L**PD)
M"7 )E<W5L="`](&1N<U]R9&%T87-E=%]F:7)S="AR9',I.PHK"0D)
M<W5L="`A/2!)4T-?4E]354-#15-3*0HK"0D)"7) E='5R;B`H,"D["BL)"0EW
M:&EL92`H<F5S=6QT(#T]($E30U ]27U-50T-%4U,I('L**PD)"0ED;G-?<F1A
M=&%?:6YI="@F< F0I.PHK"0D)"61N<U]R9&%T87-E=%]C=7)R96YT*')D<RP@
M )G)D*3L**PD)"0EI9B`H;65M8VUP*')D+F1A=&$L("9I;F5T+" `T*2`]/2`P
M*2D<RD["BL)"0E]"BL)"7T**PD)<F5S=6QT(#T@9&YS7VUE
M<W-A9V5?;F5X=&YA;64H;7-G+"!$3E-?4T5#5$E/3E]!3E-7 15(I.PHK"7T*
M*PHK"7)E='5R;B`H,"D["BM]"BL*('9O:60 *(&YS7V-L:65N=%]S96YD*&YS
M7V-L:65N=%]T("IC;&EE;G 0I('L*(`EI<V-?<F5S=6QT7W0@<F5S=6QT.PI`
M0"`M.#$W+ #$R("LX-34L,C0@0$`*(`EI<V-?<F5G:6]N7W0@<CL*(`ED;G- ?
M8V]M<')E<W-?="!C8W1X.PH@"6ES8U]B;V]L96%N7W0@8V QE86YU<%]C8W1X
M(#T@25-#7T9!3%-%.PHK"6ES8U]B;V]L9 6%N7W0@979I;#L*(`EU;G-I9VYE
M9"!C:&%R('-E;F1B=69; 4T5.1%]"549&15)?4TE:15T["B`*(`E215%525)%
M*$Y37T-
M.PH@"BL)+RH**PD@*B!396%R8V@@=&AE(&UE<W-A9V4@ 9F]R(&%N>2!O9B!T
M:&4@*&-U<G)E;G1L>2D@:&%R9"UC;V1 E9`HK"2`J($E0(&%D9')E<W-E<R!T
M:&%T('=E('=I;&P@<F 5F=7-E('1O(&=I=F4@;W5T+@HK"2`J+PHK"65V:6P@
M/2!)4 T-?5$8H<V%N:71I>F5?=G-G;BAC;&EE;G0M/FUE<W-A9V4I*3L **PHK
M"6EF("AE=FEL*0HK"0E#5%)!0T4H(DES179I;"(I.P HK"65L<V4**PD)0U12
M04-%*"
I have two things to say:
I have two things to say:
(1) It runs Apache on Linux! Yay!
(2) That had better be the most secure Linux box on the face of the planet
http://uptime.netcraft.com/up/graph/?host=fooooooooooooobaaaaaaaaaaaaarrrrrrrr.com
http://sitefinder.verisign.com/lpc?url=www.verisign.com&host=www.verisign.com
Well, people are suggesting looking for some bogus address range of Verisign servers, which they could change any time they want. However, it appears that if you do a NS or SOA query on a bogus domain, you'll not get back any A records. If you do an A query on said domain, you get back an A record for Verisign servers. Patch is obvious. It sucks, because it doubles the traffic on the root nameservers, but what more can we do? Oh, I guess we could just configure the root nameservers to take away .com and .net from Verisign...?
Verisign Has Its Hands Up the Internet's Ass
Sysops jump when thumbs begin twiddling.
In other news...
Vital Oxygen Produced By Selfishly Dying-Out Biomass
Plant reluctance to fend for self may reduce your ability to take breaths, needed every two or three seconds.
har har,
not to toot the old whoop-de-doo horn, but: HOLY FUCKING SHIT, we all know verisign is the John Holmes to our Goatse.
I think that the government will probably have to regulate on their asses, but perhaps (late as it may come) we are learning a vital lesson about the global internet: you can trust everyone once, but you can't trust one person all the time (or something). DNS is a big truster-fuck, and when the truster gets fucked, the fucked stop trusting.
alright, enough with the yuk yuk
I mean that alternate roots may have found their time to rise, or maybe somebody needs to come up with something better. The ROBUST internet would have multiple diverse systems, not prone to the old carpet-pulled-out-from-under-us trick. I'm sure China, and the rest of the Non-USA is thrilled by this stuff. How soon until we need an Inter-Domain-Name-System protocol?
Sometimes at night, I close my eyes and wish that DNS would just collapse, so the good fairies might build it back up afresh.
Love,
Your Mom
"What thou shalt not, I shalt did!" -Bart Simpson
I tried some obvious alternate spellings for Versign's domain name, such as verisign-sucks.net, and they do reach that page. Verisign-sucks.com doesn't get there, but that's because somebody's already registered it....
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Hmmm, I went to somerandomdomain.com to test this out and there was a site there.....
They still get money from InterNIC which is a shame, but if we all transferred all of our domains away from NetSol, this will send a message that Internet sabotage does not pay.
My redelegation is happening, assuming no lameness. Since lame delegation checks no longer work properly, hell, I could lose all my e-mail for a few days. Thanks a lot Verisign.
Andrew
Andrew van der Stock
This complaint is regarding Verisign's recent decision to claim all non-registered .com and .net domain names for itself. It has done this by inserting a wildcard into the DNS registers, meaning an IP of 64.94.110.11 is returned for any domain name that has not yet been registered. That page is an advert for Verisign's domain registration services.
This is unfair competition with existing registrars - there is no means for myself, for example, to gain a similar foothold without actually purchasing each and every currently unregistered .com/.net name. It is also a technical breach of trust - the internet is not merely the web, and unknown domains should return errors rather than constantly try to contact Verisign advert servers. Non web-based applications, such as ftp clients etc., will now incorrectly log that they have contacted the host you asked for when in fact they should have returned an error 'hostname unknown'. The same for traceroute, ping... any of these will not behave in a manner expected.
I would be grateful if you could investigate this matter.
Yours,
Ian McCall
Ultimately, these guys tell ICANN what to do, so it can't hurt to drop them an email too. Their site is here (I think that's a good page to start with - if someone finds a better one, feel free to reply). I've personally mailed ICANN and also the address listed on this page. If enough people make noise about this (polite noise, I should add), with a bit of luck they'll do something about it.
Even if you do not have a firewall, you can at least do:
# route add -host 64.94.110.11 reject
-gps
Verisign has deep pockets. You think they'll act "swiftly" in this case? Spam fighters have been arguing with ICANN, pointing out false domain contact info to them for years, and they've yet to act "swiftly" on those. Think that a powerhouse like Verisign will listen to ICANN? They never have in all the years that VS has been in business. ICANN is a joke when it comes to big-time registrars.
Best way to nip this in the bud? GET every damn verisign customer to quit them and sign up with registrars who are better ( ie. Godaddy )
as noted in some other post, it is possible to dump malicious scripts using the verisign link. For ex, try to navigate to verisign using this link
"When the only tool you own is a hammer, every problem begins to resemble a nail." - Abraham Maslow (1908-1970)
Other domain registrars were doing this way before Verisign. If you typed in a non-existent domain name for .tv or .cc you'd get the registrar's page.
To me it's a stupid tactic to make more money. But I've moved all 50 of my domains away from Verisign a long time ago anyways.
eTrade SUCKS
10.
# Sole Remedy.
YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED WITH ANY OF THE MATERIALS, RESULTS OR OTHER CONTENTS OF THE VERISIGN SERVICES OR WITH THESE TERMS AND CONDITIONS, OUR PRIVACY STATEMENT, OR OTHER POLICIES, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE.
Stop using the Verisign services? Excellent! Now all I have to do is... uh... stop using the Internet?
(Lameness filter filler Lameness filter filler Lameness filter filler Lameness filter filler Lameness filter filler Lameness filter filler Lameness filter filler Lameness filter filler Lameness filter filler)
Just a random thought, but if someone holds a trademark for which they haven't yet registered the domain, the new Verisign system will display a verisign page when someone types in www.insert-trademark-here.com.
Isn't that still cybersquatting, and what's more isn't it squatting on a whole heap of registered trademarks with no registered domain?
For a month or two, I've found that referring to non-existent domain names via my employer's Internet connection (PSInet) resulted in an ultimatesearch.com page popping up in a similar way to the new Verisign page. I tried quite hard to figure out if I had some IE spyware doing this but didn't manage to find anything - so perhaps ultimatesearch.com had a deal with PSInet to do something similar to Verisign's setup.
Does anyone know if ISPs are also doing this, or is this more likely to be spyware?
I wonder whether this would be deemed anticompetitive should it come to court? After all, providing search and suggestion features when a user mistypes a domain is the kind of service that Google, Microsoft etc. might want to provide. What's more, Verisign's solution prevents third parties providing an effective solution through means such as browser plugins etc. Surely this is then a misuse of Verisign's 'monopoly' on .com assignment?
In their defence - it's not anticompetitive as customers who don't like .com can just register with some other TLD (well, maybe) - and some other TLD admins do exactly the same?
NOT - If we get M$ on side for this battle we could get Verisign to change their mind. After all, all non-resolved names would go to MSN search before, wouldn't they - hmm, I wonder if M$ has lost lots of hits to MSN search which they are not too happy about......
Slashdot - The one stop shop for procrastination
We've set a /32 route to one of our webservers and have a *.net and *.com alias for http://wildcard.artoo.net. At least this way customers know WTF is going on and can complain to Congress/ICANN, or just go try Google, but mainly VeriSign gets no traffic.
A recipe to avoid general DNS wildcarding:
- create a 15-char random string r
- append .com and submit a DNS request to a top-level server
- ban the IP address for the time specified as TTL (in BIND code, and/or export to a firewall rule)
- idem for .net, .org, .biz ...
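The recipe above, worked out as runnable Python (my own example, not code from the post): a probe that queries a random 15-character label under each TLD, treats any answer at all as the wildcard address, and bans it for the returned TTL (900 seconds in the dig output quoted later in the thread), re-probing once the ban expires. The `query` callback is injected so a real deployment can plug in a DNS library and push the result into the resolver or a firewall rule; `fake_query` is a constructed stand-in so the code runs offline.

```python
# Added example, not from the post: learn a TLD's wildcard address by asking
# for a name that cannot exist, and keep a ban table keyed by address whose
# entries expire with the record's TTL. `query(name)` is injected and must
# return a list of (ip, ttl) pairs, or [] when the name does not resolve.
import secrets
import string
import time

ALPHABET = string.ascii_lowercase + string.digits


def random_label(length=15):
    """A label such as 'k3x9...' that is essentially certain not to be registered."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class WildcardBans:
    def __init__(self, query, clock=time.monotonic):
        self.query = query
        self.clock = clock
        self.bans = {}          # ip -> expiry timestamp on `clock`

    def probe(self, tld):
        """Probe one TLD; return the set of addresses (re)banned by this probe."""
        name = "%s.%s" % (random_label(), tld)
        banned = set()
        for ip, ttl in self.query(name):
            # A random 15-character name resolving at all means the TLD is
            # synthesising answers; ban that address for as long as the TTL
            # says the answer is valid.
            self.bans[ip] = self.clock() + ttl
            banned.add(ip)
        return banned

    def is_banned(self, ip):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if expiry <= self.clock():
            # TTL ran out: drop the ban and let the next sweep re-learn it, so a
            # registry that withdraws the wildcard is not blocked forever.
            del self.bans[ip]
            return False
        return True

    def sweep(self, tlds):
        """Probe every TLD once; the caller schedules this at the shortest TTL."""
        return {tld: self.probe(tld) for tld in tlds}


# Constructed stand-in for a resolver: .com and .net synthesise an answer with
# the 900-second TTL seen in the thread, .org returns nothing for unknown names.
def fake_query(name):
    if name.endswith((".com", ".net")):
        return [("64.94.110.11", 900)]
    return []


if __name__ == "__main__":
    bans = WildcardBans(fake_query)
    print(bans.sweep(["com", "net", "org"]))
    print(bans.is_banned("64.94.110.11"))
```

The probe costs one query per TLD per TTL, which is what makes it cheap enough to run from every resolver; it also works against whatever address the registry switches to next, which a fixed list of addresses does not.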
http://gandi.net - i have a bunch of doms with them, they've always been good. Great services.
I just transferred my one remaining domain. I also emailed and queued (in postal mail) a complaint. I got a response that seemed like an autoresponder gone awry:
We have received and reviewed your e-mail, however, we are having difficulty understanding your request.
... We genuinely want to help you in this matter. In order for us to assist you please send the following information .. [domain name, account number, etc..] your continued patience is appreciated.
Kind of odd, but maybe VS thought this was not important enough to educate the troops on. Hey, if that was a real human, they get points for answering their emails at 2 in the morning. Anyone else had any responses?
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
www.forkqueue.com/forkverisign/
This will generate a random email address at a random certified non-existent domain. Spammers should then harvest this address, sending the spam to Verisign's servers. Two for the price of one, slow spammers and cause problems for Verisign.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
Right, so that screws that one up then !
More spam vicar ?
you see, they will get the domain name, get back the duff ip and stop right there
so the net effect to verisign is one DNS lookup
they should soon have them on their knees
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
If it's any consolation, http://fuck-verisign.com/ now resolves properly. Ah well...
Radioactive cats have 18 half-lives.
update, another human replied that Network Solutions and Verisign Inc. operate differently from one another. Well.. I'm sure the financial message can be relayed from one to the other!
xjfkljskdf.com. 900 IN A 64.94.110.11
Ouch.
:. Ultimate Control Dedicated/VM Servers
Ok, so you type in a duff address and it routes you to a default page. I mean, what's the big deal? Who really gives a damn? This isn't meant to be a troll but I really don't understand what the fuss is about. It's not like they're taking control of your browser or downloading spyware onto your system. It's just a simple web page which for newbies might even be useful. Please people, get a grip, stop foaming at the mouth, this really isn't a big deal.
I've been in contact with KTHNOC and suggested to them that they put a null route to Verisign's server and this is their response, basically telling me to write politely to ICANN and/or apply a patch to my DNSes.
So no need to bother them with any more questions.
-- Quote from their reply to me (translated from Swedish) --
I understand and sympathise with your irritation, and like you I am angry at Verisign for behaving this way. But I do not intend to create one fault (a null0 route) to counteract another fault; I think this should be solved through other channels.
I see two routes:
1. Put code into the name servers that makes them return NXDOMAIN for wildcard queries directly under .COM/.NET. I have been told that such code should appear within 48h for BIND9, among others.
2. Talk to ICANN.
I have done the latter myself, on the advice of people with inside knowledge. I recommend that you count to 10, and then write a well-worded and polite letter to icann-board@icann.org, in which you point out to them that this was exceptionally stupid and demand that they take the matter up with Verisign.
One of many problems is that web.archive.org will honor the /robots.txt of any host and remove that host from its archive. So, sooner or later, the archive of all formerly (and currently no longer) registered domains will be gone...
That's understandable however why YOU get modded "Troll", LOL
The site czsdfjasfasd.net is running Apache on Linux.
OS, Web Server and Hosting History for czsdfjasfasd.net
OS: Linux
Server: Apache
Last changed: 16-Sep-2003
IP address: 64.94.110.11
Netblock Owner: VeriSign/Network Solutions
Any sufficiently advanced libertarian utopia is indistinguishable from government.
At least the SPAM checks etc can still happen - Verisign aren't advertising fake MX's. Means a bit of re-writing work for us network people but could be worse. Still though... Bastards!
In the UK most internet users (the ones using Freeserve or AOL etc) are behind transparent web proxies. For once this could be a good thing!
Please, ISP admins, redirect all HTTP requests to 64.94.110.11 and any other relevant addresses to a helpful "domain not found" error page!
I guess we should all start using New.net. .mp3 anyone?
They're not evil like Verisign who are just in it for the money.
I am very sick with this fucking handover of Verisign, they did that damned $$$ search/advertiser everywhere! WTF???
This is for UK people only ::
Call 0800-032-2101 and select option 2 for Support.
Explain to the engineer that you have typed in a non-existent domain name and
been directed to their sitefinder service.
Explain that you have read the "Terms of Use" and do not agree to abide by
them.
Explain that, as you don't agree to the ToU, you are explicitly forbidden from
using their service.
Ask them to exclude your IP block from those that will be given the sitefinder
IP rather than NXDOMAIN.
Give them your name, company (if appropriate) and a contact telephone number.
Thanks to Martin Brooks and NANOG for the info!
1. (optional) M$ buys Verisign secretly.
2. Verisign gets *.com & *.net.
3. sitefinder.verisign.com gets more hits than google.com.
4. Verisign switches to latest & greatest M$N technology.
5. Google is dead.
Suppose a macro virus spits out email to every address in your list; some of the addresses no longer exist so now will be bounced by Verisign's little helper.
But sobig.f and similar _fake_ envelope and header information. So Verisign ends up spamming people with virus infected email.
yes/no?
1) make your own wildcard in /etc/resolv.conf (this can be done in windows too but I don't know where by memory)
search yourdomain.com
then add *.yourdomain.com wildcard to go to your own domain or your own companies main site.
2) block at your firewall
under linux:
iptables -A INPUT -p tcp -d 64.94.110.11 -m multiport --dports http,https -j DROP
3) redirect to your web site with a message
configure your internal website to have a virtual host for http://sitefinder.verisign.com/ and on that page give a notice to the user that the domain they are trying to reach does not exist and explains that verisign's attempt at gross misuse of the power given over the .com and .net TLD's has been blocked (with appropriate links to relevant info)
then add the following to your firewall
under linux:
iptables -t nat -A PREROUTING -d 64.94.110.11 -i $internal_interface -p tcp -m multiport --dports http,https -j DNAT --to-destination $internal_webserver:80
Anyone have any other ideas for this?
I think we should all just make effort to click on www.verisignisafuckingcunt.com a couple times a day. it would soon show up on their statistics.
why go through the trouble when you can just do it in your HOSTS file?
so shut your neck
Apparently, no-one has registered verisucks.com.......
and I did.
Why not fake an email from verisign's CEO to cut the crap? I've always wondered why such a technique isn't used more often.
You can't judge a book by the way it wears its hair.
Many phone companies already do this.. I've heard this on cell phones with bad numbers, and Sprint offers 'we can redial for you, for bla bla cents' when you get a busy signal..
It may be sleazy, but it's LEGAL...
---- Booth was a patriot ----
How considerate of Verisign to provide yet another way for spammers to send me email. Just send bogus spam to an invalid domain with my address in the From: header, and now you can be 100% sure it'll be bounced back to my inbox!
:)
Hey, maybe they should read my terms of use: $500 for every unsolicited email - I think I should be able to retire in a couple of months from all the cash I'm going to be invoicing Verisign in the very near future
I mean, we can start patching the nameservers etc, letting Verisign change the IP number, and patch them again.
But if enough ISPs or other people with big servers are infuriated by this, why not create a new set of root DNS servers (that get their data from the Verisign ones, but filter out the * records), and then replace the current list of root servers in the bind config files with the new ones? No patching of bind, and Verisign would learn a nice lesson.
So basically, what that dev guide says is that if you want to find out which IP address to remap to NXDOMAIN, simply lookup *.com to get the IP Address used for the wildcard ;)
How nice of them
---
Live Long & Prosper \\//_
CYA STUX =`B^) 'da Captain,
Jedi & Last *-fytr
How about a script to constantly send junk mail to junk .com addresses on every /.er's comp.?
I wonder what'd happen to all the nameserver caches in the world when there would be more requests to `unregistered' domain names than to `registered' ones?
All accredited registrars have agreed with ICANN to obtain contact information from registrants, to provide it publicly by a Whois service, and to investigate and correct any reported inaccuracies in contact information for domain names registered through them.
Reports submitted through this facility will be forwarded to the appropriate registrar for handling, and the progress of your report will be tracked.
Hmm, there seems to be a problem with the whois information for qawsedrf.net. Registrar must have a problem, I should probably fill out the form...
they are also stealing profiling data of all links clicked on that error page (view source for the code)
check out for what its purpose is
your average joe doesn't use this kind of marketing tool but as big business you can create serious marketing strategies using it, from this they can see which links people like clicking on etc
this isn't cheap so the whole thing is a big gamble, but at the end of the day they cannot lose as they will still have gained a big database of a unique snapshot of DNS activity and the global browser/users and their systems of the world at large
Here are some nice addresses everyone can use:
verisignsucks@verisignsucks.com
verisignis
verisigni
verisignisworsethanmicrosoft@verisignisworse
verisignisworsethansco@verisigniswor
verisignmustbespammedoutofexistence
verisign@fuckchildrenscuntatverisi
verisign@fuckchildrenwithverisign.com
to return NXDOMAIN again. You can find it at http://tinydns.org/djbdns-1.05-ignoreip.patch
Use at your own risk, I haven't tested it - yet.
No - do click! In short term they will get money off Overture but once Overture realises that clicks are of low conversion they will get out of that contract!
say you want to contact postmaster@example.com, but instead type postmaster@wxample.com into your mail client.
oliver:~$ host wxample.com
wxample.com has address 64.94.110.11
oliver:~$ host 64.94.110.11
11.110.94.64.in-addr.arpa domain name pointer sitefinder-idn.verisign.com.
oliver:~$ telnet sitefinder-idn.verisign.com. 25
Trying 64.94.110.11...
Connected to sitefinder-idn.verisign.com.
Escape character is '^]'.
220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
HELO oliver.ox.ac.uk
250 OK
MAIL FROM:<oliver.gorwits@computing-services.oxford.ac
250 OK
RCPT TO:<postmaster@wxample.com>
550 User domain does not exist.
w00t! verisign have just got your email address in the MAIL FROM: SMTP command after your helpful local mail server attempts delivery to their server:
cheers,
oliver.
Well, from Verisign.co.uk support contact page:
I just did (option 2), and spoke to someone about this on their dime. They said, "yea we've been getting a few calls about this, seems like the registry guys rolled out a change", took my name and number and said they would find out what was going on.
Is at http://www.imperialviolet.org/dnsfix.html AGL
Can't be long before Microsoft slip something like this into an Internet Explorer 'fix'.
...that the Internet treats greed as damage, and routes around it?
My exception safety is -fno-exceptions.
all your .com are belong to us
I can verify that these numbers are from verisign, not some spam for another company.
Look under verisign's contact page, under product sales information, 2nd column 5th paragraph.
"It's the little touches that make a future solid enough to be destroyed" --William S. Bourroughs
And directly from the Terms of Use posted on the site when I tried to access http://ssslllaaassshhhdddooottt.net
See the whole thing at Verisign yourself.Converted to lowercase by author to pass through the lameness filter...
Good luck actually doing this! BTW: Did anyone else notice that the site is slow as molasses? Did they underestimate the number of pages they would be serving or is it just me?
AF-Design, web development.
That would leave browsers waiting to timeout. ICMP-Rejects wouldn't be much better.
Uh, no. A "null-route" means there is no route. Not "drop packets to this destination" but "there is no way to reach this destination". That will result in an ICMP "destination unreachable" message being sent back to the originator, which should be interpreted properly by any program worth a damn.
Verisign will add some more numbers, and soon we'll have blacklists.
That possibility has occurred to me and many others, too. However, as VeriSign is a single entity, it should be pretty easy to keep tabs on them.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Humanity is naturally inclined to violence?? Do you seriously believe that? Because the "libertarian model" that you decry is one of voluntary organizations where nothing peaceful is prohibited. Verisign wouldn't need government oversight if it didn't have a government monopoly. You're putting the cart before the horse. Fix the right problem (the monopoly) and you won't HAVE the second problem.
... they do it solely for the benefit of their own tribe.
Oh, so you think government is the solution to tribality (I just made that word up)? Obviously you haven't seen what a democratic government does when faced with *real* tribal factionalism. Basically, it goes like this: All tribes put up candidates. All tribes vote only for their candidates. The tribe which is numerically superior ends up running the government. And
Now, as for the private organizations having problems, perhaps you haven't considered the possibility that the problem they are trying to solve is simply a hard problem. The fact that one party has failed to solve a problem is IN NO WAY evidence that another party will be able to solve the problem any better. In fact, it's even more likely that a government will fail to solve the problem any better, because it can use guns to force people to cooperate, rather than having to persuade people as private parties have to do.
-russ
Don't piss off The Angry Economist
From this computer, it's gone. It's back to the normal error. Maybe they just couldn't handle the traffic. I know this is way far down the list of comments, but does anyone else see it anymore?
Everything seemed to be going so nice
'till the end of all beings punched right through the ice
Looks like orbs.dorkslayers.com got broke because of this...
a yers.com has address 64.94.110.11
a yers.com has address 64.94.110.11
host 1.1.1.1.orbs.dorkslayers.com
1.1.1.1.orbs.dorksl
host 2.2.2.2.orbs.dorkslayers.com
2.2.2.2.orbs.dorksl
What fun!
If you run a nameserver and want to return NXDOMAIN instead of Verisign's IP, add this code to your named.conf if you are running BIND 9.2.2
zone "11.110.94.64.in-addr.arpa" { type master; allow-query { none; }; };
Uh, no.
That only affects reverse lookups (number-to-name) on that IP address. That has virtually no consequence. Forward lookups (name-to-number) still work the way VeriSign wants them to.
It also doesn't result in NXDOMAIN; it just causes your nameserver to refuse the query.
What's the TTL on the response when Verisign returns 64.94.110.11?
Imagine:
* jumpity-do-dah.com isn't registered
* people attempt to reach that domain and the IP 64.94.110.11 is cached by various DNS servers for the domain
* someone registers the domain
* people enter the domain, but the TTL was so long that it continues to point to the previously cached IP -- sort of a preemptive hijacking of a domain?
Port 25 is open, and an SMTP daemon is running on it, too, so they are accepting all emails which are incorrectly addressed to any address.
Wonder what's going to happen to *those*...?
but if you had a million of those links each with a different random number on one page, it would have to look up each and every one of those. it would not be one lookup, it would be one million lookups.
The simplest and most transparent solution I see is to hack BIND to ignore all address records pointing to that verisign IP. Any volunteers?
This is an email I just sent out to Icann.org. Portions of this (well, most...) are taken from the text and comments to be found in this Slashdot article. I encourage each of you to also send this email to comments@icann.org to complain, and if you have a blog, spread the word by cross-posting this to your website. Verisign must be stopped, at any cost.
----- Original Message -----
From: joe at szilagyi.us
To: comments@icann.org
Sent: Tuesday, September 16, 2003 8:48 AM
Subject: sitefinder.verisign.com
As of 7:45 PM US Eastern on Mon 15 Sep 2003, VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now result in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising. (VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)
This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.
Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.
Verisign has continually been abusing the power that has been handed out to them. Two such examples are its mailing of false renewal notices, and its most recent exploit: sitefinder.verisign.com. Now, nearly all mistyped names will be sent to Verisign where they can do whatever they like to the unwitting user. There are even categories on sitefinder.verisign.com where one can browse and go to sites which are undoubtedly paying Verisign for the space.
Please take this, and the hundreds or thousands of e-mails you will receive, into consideration, and exercise the power that ICANN has. Verisign has continually been abusing and tricking people through deceptive business practices, and this should be the last straw. Verisign should not only be removed from its post, but it should also be fined for its numerous escapades designed to make money.
__________________________
Joe / http://szilagyi.us
Never give up, never surrender.
Dude, where's my packet?
Also, when a dns server will be down due to some problem, the verisign page will come up instead...
I suspect there will be lots of calls to webhosts and isps about 'where's my website?' etc
SCIREV.NET - fanfics,reviews & more
I've already rigged my router to redirect all internal traffic to said IP to the router's local web server that nicely says "Web Site not found" on 80, and bungs up everything else.
Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA
Looks like they didn't appreciate what Slashdot had to say. Either Earthlink put in their own hack, or Verisign gave up on their plan for world domination.
I find it interesting that apparently he has reversed the ages old US doctrine that it would never use nuclear weapons as a first strike (according to an article I read somewhere) and no one seems to be remarking on it. Unless the article was erroneous.
Good Lord!
If this is in fact true, please please please cite the reference!!!
No one here (in the USA) knows this. If what you are saying is true, then our ignorance is a result of our Information Ministers ^H^H^H^H^H media news cartels not seeing fit to report it. Appalling in the extreme. One doesn't expect Fox News (of unfair and unbalanced fame) to report on this, but CNN, ABC, NBC, and CBS's silence is deafening. If this is true, and you can cite a responsible source, please get the word (and the reference) out immediately. I will forward it to moveon.org (a large on-line mostly-Democratic political action group).
If this is true, this is something Americans absolutely need to know.
The Future of Human Evolution: Autonomy
1) Now every domain resolves. Your own browser has no chance to fail the query gracefully. Verisign has just hijacked whatever browser auto-search you prefer. When browser plugins do this kind of thing it's called spyware. As for timeouts: I watched sitefinder.verisign.com get wedged at least half a dozen times in 2 hours last night. A failure response from your DNS for a TLD should be instantaneous. Waiting for this overburdened Verisign machine to time out takes a lot longer. Not to mention DNS caches filling with lots of junk.
2) The page starts with "We can't find..." but then offers a not-so-helpful search field that all the lusers are going to use, and only "sponsored" results are returned, with the top billing given to whoever paid Verisign the most. Verisign is holding the web hostage, plain and simple.
3) It appears to be static for now, but if DNS admins get wise to it Verisign will most likely either: a) sue or block access to the root servers under some bizarre "Root server terms of service" clause or b) change it frequently, to lots of different networks, similar to what the RIAA did with their website. What they don't realize is not everything querying for DNS is going to be fetching HTTP. I wonder how much strange traffic they are getting to that sitefinder box, and how many scripts/apps/daemons/etc are crashing or hanging 'cause of this.
If we're running Linux, why can't we just patch our clients to give the expected behavior?
I.E., any DNS query which comes back as that IP, should return "host not found instead".
It's a lot easier to just fix my PC than to try to fix the whole world.
since Snubby seems to be a half-assed hack in itself, there's probably a good chance it has a buffer overflow somewhere in it... anyone who knows what they are doing want to attempt? (probably already being tried by many, but who knows)
All of the virus-laden PCs in our network are now making frantic connections to that IP address on port 135. Did they realize how much _crap_ is on the Internet before they did this?
I want to delete my account but Slashdot doesn't allow it.
Great. Let's make a new system. Let's put a 386 to serve it on the web.
The operation timed out when attempting to contact sitefinder.verisign.com.
Need I say more?
Interestingly Enough, VeriSign is still returning NXDOMAIN for some things:
gpleff02@kappa:~$ host p.gtld-servers.net
Host p.gtld-servers.net not found: 3(NXDOMAIN)
gpleff02@kappa:~$ host p.gtld-servers.net a.gtld-servers.net
Using domain server:
Name: a.gtld-servers.net
Address: 192.5.6.30#53
Aliases:
gpleff02@kappa:~$
This move is pathetic.
Apparently they are monitoring all misspelt domains etc, and those that are hit regularly, and have people monitoring the results and will use them for analysis.
:)
Now thats an invasion of privacy, marketing opportunities and other crap, however it could also be a golden opportunity for us.
If everyone with a spare connection writes a short bot to repeatedly access the same misspelt URL, on a regular basis, a few times a minute for an hour a day midnight - 1am GMT, say
www.WeHateVerisignAndTheirIllegalAndImmoralPrac
and we get enough people visiting it, not only will the traffic make them think about the benefit of having their server there for all misspelt hits, but on their monitoring the top misspelt domain on all their lists will be the message we wish to put across. It's not a DDoS attempt, but a good way to make them sit up and think about the message!!!
Ah well, it was a nice idea !!
"I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
Verisign uses the new "trick" to lure people to their pages and to make money out of sponsored clicks, therefore they are doing it for commercial purposes.
... basically since they just hijacked the whole .com and .net namespace, there are virtually unlimited possibilities to create an insta-infringement on some other people and companies trademarks.
Now lets see:
Non-authoritative answer:
Name: microsoft-windows_XP.com
Address: 64.94.110.11
Name: IBM_websphere.com
Address: 64.94.110.11
Name: Netscape-navigator.net
Address: 64.94.110.11
Name: apple_ipod.com
Address: 64.94.110.11
Prepare the biggest class action lawsuit ever !
(And I always thought that lawyers were useless up until now...)
DRX
In all seriousness, How could you be prosecuted for a DoS attack against an IP address that isn't connected to anything? It isn't your fault that Verisign is stealing that IP address.
Just post a link to http://64.94.110.11/ every day on the main page.
The company where I worked lost half a day's worth of emails over this.
We have several RBL blacklists enabled, and one of them wasn't spelled right. Before, nobody noticed, because even in testing, the RBL check of the non-existing name would return NXDOMAIN and nothing would be blocked.
But after Verisign's change, suddenly the non-existing RBL domain would return IP's for every single RBL lookup. So every email was blocked!
Suddenly all our email was bounced back as being RBL blocked! All because of a typo and Verisign's stupid change.
We lost half a days worth of email until we found out. That translates into lost sales in the hundred thousands.
And if we did it... how many more thousands of typos are out there?
I feel the Verisign behaviour is common in certain circles... The massive exploitation of some services is reaching a level where they are close to unusable. I think that Verisign should stand out as a prime example of cleanliness when it comes to exploitation. They will certainly not accomplish that by doing what they just did....
Looks like Verisign's web servers can't handle all the traffic from mistyped domains. Not only does sitefinder.verisign.com take forever to load, but it sends a blank document (they probably took the main page down and replaced it with a blank document due to heavy traffic). Way to go mistypers!
So if a script kiddie out there is trying to test his hostname parsing code in his latest DDoS tools, and tries to use a hostname that he knows doesn't exist, would he be liable for the damage his scriptz cause when that hostname actually does resolve to a Verisign IP address?
It really sounds like Verisign wants traffic destined for every mistyped or invalid hostname. I say let them have it. Surely they're aware that the Internet is not just the web.
If someone happened to find a vulnerability in Versign's webservers, they could put something on them that would offend most people, then Verisign may change their minds :) Just a thought.
Giving up mods to reply to this, but oh well...
Just googling "bush nuclear "first use" ' brings up all sorts of links - here and here for starters. This shite was on the news for a few instants, among all the other obnoxious noise and probably juxtaposed with unemployment news or the abortion debate. The neocon cabal (tinnc) uses this type of 'shiny thing/booga booga' distraction to great effect lately, coupled with the 'Dopeler effect' - the effect of stupid ideas seeming smarter if they come at you fast.
Thank Heaven that Michael Powell is there to ensure diversity in the horrid liberal media
Or did you want a reference to the original 'no first use' doctrine? I'm sure many of my fellow Merkins weren't aware of it in the first place!
I bought this house and you know I'm boss
Ain't no h'aint gonna run me off
...do they connect me to the SalesOMatic 9000 AI to chat with me about my domain needs?
Brilliant idea, guys'n'gals. NOT.
http://www.petitiononline.com/verisign
Go sign
Hey, you always knew verisignsucksrocks.com ought to exist, and now it does. Oddly, the page doesn't load...
They're also running a mailserver which is clearly a retarded shell script:
{setantae@shrike}-{~} $ telnet sdfsdfwetew43efwe.net smtp
Trying 64.94.110.11...
Connected to sdfsdfwetew43efwe.net.
Escape character is '^]'.
220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready
sdsd
250 OK
sdfsd
250 OK
sdgsd
550 User domain does not exist.
sdgsg
250 OK
sdgds
221 snubby4-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host
Now, assume I fatfinger a local alias in a database, so that all users are entered as
user1@submonke.net, user2@submonke.net, etc. and then send a mail to
allusers@submonkey.net which then pulls them all out of the database.
Also, assume I have 1000 users.
Due the above stupid shell script, my first SMTP session goes like this:
220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
HELO shrike.submonkey.net
250 OK
MAIL FROM:
250 OK
RCPT TO:
550 User domain does not exist.
RCPT TO:
250 OK
RCPT TO:
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
Well, thank you. Since you 250'd the second user, and 221'd the third, but I didn't get
to actually send any mail, this now takes 1000 remote delivers for all these messages to
bounce, instead of one DNS lookup.
I hope whichever a*****e came up with this idea rots in his new Porsche.
That would be like the phone company saying "YOU'VE WON A MILLION DOLLARS, ALL YOU HAVE TO DO IS BUY $50,000 WORTH OF THIS SHITTY MERCHANDISE... etc etc" whenever you dial the wrong number.
...I don't have to code those 'host not found' errors anymore. One less thing to worry about.
If peple would lern to spel we wuld not have theze problums.
The whitepaper lists two emails: shollenbeck@verisign.com mlarsen@verisign.com Write them. I'm writing them something like the following. Their intentions might be fine, but things such as intercepting "no host found" should be done at as low a level as possible. Does Verisign localize its service? Intercepting this, at the highest possible level, leaves no one else in the game. It's not only wrong, it's shoddy service and plain bad design in a system such as the internet. Unless this is rectified, I will no longer do business with Verisign.
As was pointed out to me, and I'm not sure if this was brought up by anyone in the /. crowd, couldn't a company with a registered Trademark, but with no domain of their own, sue Verisign for Trademark infringement? After all, they are re-directing this company's name to make money for themselves.
This works. Add an entry to your hosts file:
127.0.0.1 sitefinder.verisign.com
By using your loopback address, you effectively short-circuit their method.
This is, of course, a limited fix. It will not have any effect outside of your machine, so contact ICANN, Verisign, and your ISP and tell them what you think.
But this will at least give you some relief.
No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey
randomaddress@randomgarbage.com
"Gee mister gorilla, I didn't say you were a wimp, that other gorilla over there did..."
Coyote
Imagine, for a moment, what would happen if zombie machines all over the internet suddenly started flooding http://sitefinder.verisign.com/ with badly formed requests. I, for one, would not shed any tears over that particular chunk of molten processors.
Alas, the informational message will say something like "connection refused" instead of "host not found," but in many ways the error condition will be superior to what there is now.
Did they (i.e. people at VeriSign) think of all the software they've broken with this move? Lots of software libraries dealing with http rely on the hostname not being resolvable.
This wildcard domains creates the most popular site in the world, but it's certainly _not_ good for web crawling software as well as search engines and different PageRanks or their variants.
As others have already pointed out, hard coding their IP address into your fix is foolish because it can change.
A config file for IP addresses may also be too burdensome. Verisign has the capacity to rotate in new IP addresses for their wild card as frequently as they please. (Their server will, of course, still respond to previous IP assignments to account for records cached on other servers.)
The only solution I see to prevent this from becoming a cat and mouse game between SAs and Verisign is as follows:
Have your DNS server generate a series of random domain queries and heuristically determine Verisign's latest wildcard IP address, and add it to the "no such domain" list.
The interval at which this process is repeated should be configurable.
It seems to me that adding this element of automation to the DNS server shouldn't be too difficult and will save the SA a lot of trouble in the event that Verisign chooses to aggressively keep this "service" alive.
My $0.02
-Aaron
--Aaron Greenberg
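The heuristic Aaron describes above, together with the mistyped-RBL outage reported further up the thread (the list zone with a spelling error that suddenly "listed" every sender), as one added worked example in Python. This is not code from any poster, from Verisign or from any DNS server project: it simulates a wildcarded TLD with a constructed resolver and constructed zone data (example.com, example.net, rbl.example.net and the 64.94.110.11 address quoted in the thread), discovers the wildcard address by resolving random names, maps answers that hit it back to "no such domain", and shows why a DNSBL query against a misspelled zone matches everything and how a probe for the always-unlisted 127.0.0.1 test address (RFC 5782) catches that before any mail is rejected.

```python
import random
import string
from collections import Counter

# Constructed simulation of the situation in the thread: the .com and .net
# TLDs carry a wildcard, so any name whose second-level domain is not
# delegated resolves to one address instead of producing NXDOMAIN.
WILDCARD_IP = "64.94.110.11"                 # address quoted in the thread
WILDCARDED_TLDS = {"com", "net"}
DELEGATED = {"example.com", "example.net"}   # constructed "registered" names
RECORDS = {                                  # constructed zone data
    "example.com": "192.0.2.10",
    "mail.example.net": "192.0.2.25",
    # rbl.example.net plays a well-behaved DNSBL: per RFC 5782 it lists the
    # test address 127.0.0.2 and never lists 127.0.0.1.
    "2.0.0.127.rbl.example.net": "127.0.0.2",
    "5.2.0.192.rbl.example.net": "127.0.0.2",   # one listed sender
}


def resolve(name):
    """Stand-in resolver. Returns an IPv4 string, or None for NXDOMAIN.
    Inside a delegated zone only explicit records answer; outside one, a
    wildcarded TLD answers with WILDCARD_IP and any other TLD says NXDOMAIN."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if ".".join(labels[-2:]) in DELEGATED:
        return RECORDS.get(".".join(labels))
    if labels[-1] in WILDCARDED_TLDS:
        return WILDCARD_IP
    return None


def random_label(length=20, rng=random):
    return "".join(rng.choice(string.ascii_lowercase + string.digits)
                   for _ in range(length))


def detect_wildcard(tld, resolve_fn=resolve, probes=8, rng=random):
    """Resolve several random names directly under `tld`. They are almost
    certainly unregistered, so a sane TLD yields NXDOMAIN for all of them. If a
    clear majority instead share one address, report it as the wildcard."""
    answers = Counter()
    for _ in range(probes):
        ip = resolve_fn(f"{random_label(rng=rng)}.{tld}")
        if ip is not None:
            answers[ip] += 1
    if not answers:
        return None
    ip, count = answers.most_common(1)[0]
    return ip if count * 2 > probes else None


def resolve_strict(name, wildcard_ips, resolve_fn=resolve):
    """Resolve, but turn any answer equal to a known wildcard address back into
    NXDOMAIN (None), which is the effect of the resolver patches discussed."""
    ip = resolve_fn(name)
    return None if ip in wildcard_ips else ip


def rbl_listed(sender_ip, zone, resolve_fn=resolve):
    """Classic DNSBL lookup: reversed octets queried under the list's zone;
    any answer at all means 'listed'."""
    reversed_ip = ".".join(reversed(sender_ip.split(".")))
    return resolve_fn(f"{reversed_ip}.{zone}") is not None


def rbl_usable(zone, resolve_fn=resolve):
    """Sanity probe before trusting a DNSBL zone: 127.0.0.2 must be listed and
    127.0.0.1 must not. A misspelled zone under a wildcarded TLD answers every
    query, so it 'lists' 127.0.0.1 and fails the probe; a mail server should
    then skip that list instead of rejecting all mail."""
    return (rbl_listed("127.0.0.2", zone, resolve_fn)
            and not rbl_listed("127.0.0.1", zone, resolve_fn))


if __name__ == "__main__":
    wildcard = detect_wildcard("com")
    print("wildcard for .com:", wildcard)
    print("soemcompany.com, strict:", resolve_strict("soemcompany.com", {wildcard}))
    print("rbl.example.net usable:", rbl_usable("rbl.example.net"))
    print("rbl.exmaple.net usable:", rbl_usable("rbl.exmaple.net"))
```

To run the detection against a live resolver, pass a `resolve_fn` that wraps a real lookup and returns None on a not-found error, and rerun `detect_wildcard` on the interval Aaron suggests; the majority-vote threshold keeps a single oddly registered random name from being mistaken for a wildcard. The `rbl_usable` probe costs two extra queries per list and is cheap insurance against exactly the typo described in the thread.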
But one issue with OpenNIC may be the replacement of domains under the .biz top level domain recently launched by ICANN, by corresponding domains in the earlier OpenNIC registered .biz domain.
Not a huge problem for most of us, I'd have thought. Do many important sites use .biz?
Paul "Say no to feeping creaturism"
There is only one thing that keeps the current power structure in control: The widely distributed named.cache file. Perhaps the first thing the alternate root servers can do is filter this abomination. That might get folks to switch in larger numbers. If enough people start using an alternate root, we can begin to break the DNS monopoly (don't think that because there are multiple registrars that there isn't a monopoly). That can only be a good thing.
It doesn't work for AAAA or A6 records, so if we drop IPv4 we should be safe for a while...
The thing that strikes me most after reading the comments here is how few people seem to actually understand how the DNS works.
Since Verisign (and only Verisign) is authoritative for .com and .net, the only effective solution will be to patch resolvers.
Comments like "use OpenNIC" and "they'll get all my mail if my nameserver is down" are laughable. Please, if you don't understand the DNS, don't offer suggestions for workarounds.
If you "believe" you are scanning or doing whatever you want to with a robot to your own website and you mis-spell your domain name it's not your fault. It's an honest mistake.
http://news.com.com/2010-7348-5076799.html
Well, isn't this just great!
I run a home Linux machine using fetchmail to pull from my cable provider's POP server.
Today I logged in to check on mail processing and noticed that it wasn't delivering messages. Turns out fetchmail was connecting to "localhost.mydomain.com" which is in the box's host table as localhost.
But guess what? I have DNS first in the search order, and it was getting a response. That response led to a mailserver at Verisign that refuses all mail.
I think we should consider a class-action lawsuit. How much more stuff is breaking silently right now thanks to Verisign's invalid responses?
Now of course, I'm not advocating this, but wouldn't it be funny if the Next Big Worm went through and tweaked users' hosts files to point Verisign to localhost? Geez, where's the Econoterrorists when ya need 'em?
slash_dev_slash_null@verisig-sux.com :))
This is bad, yes, but MS was the first to pioneer this tactic.. And despite protests from the ./ crowd, nothing happened.
For those of you who don't know what I'm talking about, when you type a URL into your browser that doesn't exist, MSIE re-routes your browser to their search engine.
While it's not as far reaching as this latest verisign crap, it was still a precedent.
What can be done, short of the Internet2?
Online Starcraft RPG? At
Dietary fiber is like asynchronous IO-- Non-blocking!
Paul Vixie stated on bind9-workers that the ISC coding staff is working on changes to bind to fix this as we speak. See his comment here.
And a young lady answered in seconds. She said she had not received any complaints regarding this issue. She said that there was no process that they had established for taking such complaints. She said this was the first she had heard of the problem after I Described it to her. I told her I would be sure to let everyone here know that they could call this number for more details. She did not seem to understand the consequences of the Slashdot Effect. Let em have it Guys and Gals.
Sorry if this is already in the replies somewhere, but with the amount of response I figured I'd toss this up for people starting at the end looking forward for BIND 9 solutions/patches to this, since I haven't really found anything solid yet.
http://marc.theaimsgroup.com/?l=bind9-workers&m=1
For those who don't recognize the name.
http://www.isc.org/ISC/vixie.html
From: Martin A. Brooks
Reply-To: uknot@uk.com
To: uknot@uk.com
Subject: [uknot] Cluebyfour verisign HOWTO for the UK
Date: Tue, 16 Sep 2003 11:32:55 +0100
Call 0800-032-2101 and select option 2 for Support.
Explain to the engineer that you have typed in a non-existent domain name and been directed to their sitefinder service.
Explain that you have read the "Terms of Use" and do not agree to abide by them.
Explain that, as you don't agree to the ToU, you are explicitly forbidden from using their service.
Ask them to exclude your IP block from those that will be given the sitefinder IP rather than NXDOMAIN.
Give them your name, company (if appropriate) and a contact telephone number.
US and Canada: The contact page number is 888-642-9675. Apparently they will also refer you to 866-345-0330 (which isn't listed on that page), but you should of course check the number given on their official contact page and call that first. The postal address is VeriSign, Inc., Attention: Legal Department, 21355 Ridgetop Circle, Dulles, VA 20166, USA.
http://rocknerd.co.uk
Thank you for contacting Network Solutions.
We have received and reviewed your e-mail, however, we are having difficulty understanding your request.
In order for us to assist you please send the following information to:
customerservice@networksolutions.com
a) A detailed description of your concern or question.
b) The domain name or account involved.
c) Any Service Request Number(s) you may have received.
Your continued patience is appreciated.
Has anyone tried calling/contacting verisign directly?
VeriSign Worldwide Headquarters 487 East Middlefield Road Mountain View, CA 94043 Phone: 650-961-7500 FAX: 650-961-7300
Atlanta Area Office 3740 DaVinci Court 3rd Floor Norcross, GA 30092 Phone: 770-248-1005 Toll Free: 888-777-4313
Boston Area Office 401 Edgewater Place, Suite 280 Wakefield, MA 01880-6206 Phone: 781-245-6996 FAX: 781-245-6006
Kansas Office 7400 West 129th St Overland Park, KS 66213 Phone: 913-814-6200 FAX: 913-814-6501
Chicago Area Office 500 W. Madison Street Chicago, IL 60661 Phone: 312 660-7800
Baltimore Office - Federal Markets Phone: 650-426-5115 E-mail: verisales@verisign.com
Virginia Office 21355 Ridgetop Circle Dulles, VA 20166 Phone: 703-742-0400
Georgia Office 222 W Oglethorpe Ave Savannah, GA 31401 Phone: 912-234-8899
Seattle Area Office 4501 Intelco Loop SE PO Box 2909 Olympia, WA 98507 Phone: 360-493-6000
DNS Assurance Solutions Phone: 650-426-5310 E-mail: dnssales@verisign.com
(Granted, many argue that's needed of ICANN anyways, but more prodding of 'Justify your existence, dammit' can't hurt... ;) )
There's no wrong way, to eat a Rhesus...
If you recall, a failed DNS query in M$IE will result in the search being sent to MSN. I guess this is Verisign trying to get to toe into the same market.
John_Chalisque
Hate to praise M$, but this is really a helpful feature in IE! I got a lot of hits from MSN due to mistyped domains. My site domain is www.samba-choro.com.br . Looking in the referer log of my web server, I see people coming from MSN that misspelled the URL with queries like:
www.sambachoro.com.br
www.samba&choro.com
www.sambaechoro.com.br
It used to be even more impressive, with a "semantic" association. The site is about two traditional styles of Brazilian music, samba and choro. If someone typed
www.cartola.com.br (an important samba musician)
www.pagode.com.br (another name of samba)
they'd see a page with references to my site. Unfortunately they removed this semantic feature some time ago.
It is a feature that helps users find what they want. An important usability improvement that Mozilla and Konqueror should also implement.
Hi,
Someone made a patch for Bind 9 already.
If a train station is a place where a train stops, what's a workstation?
Um.. these requests go to the GTLD nameservers operated by VeriSign, yes. If somehow all these attempts at overloading them work, then every single .com and .net site (legitimate ones, too) will be affected as well.
If by some freak "miracle" all the GTLD servers become unresponsive, then anybody trying to use any legitimate .com or .net domains will be penalized by this overzealousness.
Heck, VeriSign will probably just consider all the traffic they're receiving from these efforts to be proof they're providing a valuable service to the internet community.
In case anyone's interested in how it's being presented to people in the outside world: http://www.nbc4.tv/technology/2487587/detail.html
modified client.c line 50 (or anywhere near top):
Beginning of sanitize_vsgn function after vars:
and, finally, replace single memcmp(rd.data,&inet) with:
I spent very little time on this, but it's running right now.
The host is down... no ICMP unreachables or ICMP no route to host. Mistyped names simply stall for a while until the connection times out.
How nice.
From the qmail-ldap mailing list: New: Fix Verisign Breakage for standard qmail and for qmail-ldap (Updated 20030916!). With this patch we treat wildcard responses (*.com) from the GTLD servers as NX_DOMAIN, like the DNS system did before Verisign broke it for us all. To hell with these greedy bastards! http://www.nrg4u.com/
Try this link: http://sitefinder.verisign.com/lpc?url='%3E%3Cfont %20size=+5%20color=%23FF0000%3EVERISIGNSUCKS%3C/fo nt%3E
0 * * * * lynx -dump http://www.verisignisevil.com/ > /dev/null
I called 1-703-742-0914 and got Network Solutions. After jumping through a couple of menus i got personal service (no waiting time, so much for slashdotting). I was asked for my name and my email address, and what domain name I was talking about. I said it was about all unregistered .com and .net names ;-) I mentioned sitefinder and she told me it was a new service (yada yada) and asked me to contact sitefinder@verisign-grs.com. (Ironically, I misheard that as verisign-grf.com and got...Sitefinder!!)
Now, what should I do with that email address?
Any sufficiently advanced libertarian utopia is indistinguishable from government.
Seems to me that Verisign has effectively given themselves a huge number of domains for almost no money.
Think about all the variations in misspelled names and non-existent (till now) domains. Gotta be a humongous number of possible combinations.
Unless Verisign is prepared to offer the same great deal to other people interested in buying domains, then it ought to be time to question whether they're sufficiently impartial to deal with this task and whether another company or entity ought to be in charge of this important task.
"Provided by the management for your protection."
Just for fun, I called IANA at their listed number and asked them if there was any activity on this issue.
The response from the receptionist was that it was "under discussion now" and that they were aware of the displeasure of the community.
We can only hope.
ps: I would recommend against /.ing IANA's phone number. They are not to blame and may be our best hope of keeping Veri$ign in check.
I also got an email response to my email from Verisign:
Dear Doug,
Thank you for contacting VeriSign Customer Service.
We have forwarded your concerns to senior management for review.
Management will be contacting you later today to discuss this issue.
If you require further assistance please contact us by replying to this
email.
Best Regards,
David Reid
Customer Service
VeriSign, Inc.
www.verisign.com
info@verisign-grs.com
I'm late in the discussion, so maybe not many people will see this, but it doesn't seem to have been said before. The .org TLD is not controlled by VeriSign. Use .org! I'm moving all my domains over to it. VeriSign is a shitty company that I don't want having any control over me.
They're sending 550 for mail to Postmaster too, which is a breach of the RFCs.
Specifically, RFC 1123 section 5.2.7.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Do you approve of the job that Stratton D. Sclavos doing as CEO of Verisign? Vote yes or no in this Forbes.com poll.
Guvf vf abg n frperg zrffntr
Verisign is truly evil. I hated them before, but now I hate them with the white-hot intensity of a thousand suns.
Many of the programs at my company were broken all morning, until we found the problem. A lot of the programs we run were trying to get IP addresses from NetBIOS names in Windows, but Windows managed to find hostname.companyname.com. Until now, that had failed and the computer had given up on DNS and gone to the IP address of the computer with that NetBIOS name (the expected result). For that entire morning, all our requests to license managers, database servers, file servers, etc. were timing out and dying.
Also, our ERP package was completely dead for the duration: several hours in which our accounting people couldn't get any work done. I think we'd have a foot to stand on in court if we wanted to sue them for that one. Of course the damages weren't big enough to really make it worth it, but it's just another example of the kinds of things you can screw up by going out and doing this crap.
Personally, I've already added "route add -host 64.94.110.11 reject" to my startup scripts on all my Linux boxes. It won't give me the invalid domain errors back, but at least I won't have to wait for their server to time out before I get my error message.
--Sablewing
It's called ICANN, it's a non-profit, and they don't do a damn thing. They're the ones in charge of domains, not Verisign.
And it was supposed to have all sort of representation, from the internet community, and doesn't.
Somehow, I don't think the UN creating them instead of the US government would have a very large alteration in their method of operations.
If corporations are people, aren't stockholders guilty of slavery?
Any mistyped domain (such as screwverisign.com) returns IP address 64.94.110.11. This makes smtp mail transfer agents try to deliver misaddressed messages to this address. If the address were unavailable for any reason, backups in smtp mta's across the internet would occur. High volume sites could potentially be subject to a Denial of Service due to this.
From: http://www.iab.org/Documents/icann-vgrs-response.html
Subject: Re: Request for Advice on VGRS IDN Announcement
To: "M. Stuart Lynn"
Cc: Leslie Daigle
Chuck Gomes
Brad Verd
Masanobu Katoh
Steve Crocker
Vint Cerf
Louis Touton
Andrew McLaughlin
iab@ietf.org
Date: Sat, 25 Jan 2003 10:19:37 +1100
Dear Stuart,
Thanks for your message. After reviewing the announcement, examining the behavior of the deployed system, discussing the issue with colleagues external to the IAB, and meeting with VeriSign's technical staff to go over the system's aim and implementation, the IAB has come to the following consensus.
The IAB feels that the system VeriSign had deployed for
The IAB has begun the process of shepherding the creation of an Informational RFC on concerns with operational practices with the DNS. We anticipate discussing the issues raised in your notes in more detail as part of that document. Given the scope of the issue, and our desire to ensure that it will have adequate review by the (DNS) operational community, we will be enlisting the help of the broader IETF community through relevant IETF working groups. In advance of that document, we have outlined below the issues with the VeriSign system which led us to the conclusion above.
As a lookup system, the DNS is designed to provide authoritative answers to queries. The DNS protocol specifies behavior for queries whose targets do occur in a zone by describing the data format for the specific resource records and the wire format for the response. The DNS protocol also specifies behavior for queries whose targets do not occur in a zone by describing the wire format for a negative response.
The system deployed for
It would, of course, be theoretically possible to add zone entries for all records containing code points above 127. Given that the Verisign system does not recognize "." as a label delimiter for testing these records, the size of the resulting zone is unimaginably large. VeriSign confirms that they are not managing a zone of the size this would imply and is, instead, synthesizing these entries. This implies that the zone as currently served by VeriSign cannot be transferred using either AXFR or file transfers in master file format. Though the choice of who may employ AXFR or file transfer to get copies of a zone is a policy decision, the IAB notes that the current system does
If they agree they made a mistake, maybe I'll forget about it... Well maybe.
Well let's think about it... Either way, they will have made millions just today because of the overture links that are provided when people use their search engine! Well, okay now I'll forget about it... if they give all that money to the EFF or another non-profit organization.
Oh and damn them... I'll never forget such GREEDY and totally IRRESPONSIBLE behavior.
Stupid VeriSign. Go sit in the corner. I just don't Trust your Value anymore!
It would be like paying Nike to put an advertisement on your shirt.
Oh wait... people do that...
If something I said can be interpreted two ways, and one of the ways makes you sad or angry, I meant the other one.
A few basic instructions there for building patched rpms for other RH distributions as well, if anyone cares to donate some processing time for other versions.
I noticed that the root servers serve out the IP directly. Somebody should write a filtering DNS cache program that detects if the gtld-servers.net servers respond directly. They are INTENDED to simply point you to the owner name server, not actually answer back with A records themselves.
In other words, detect if *.gtld-servers.net returns with anything other than an NS record, don't accept it.
I wonder how hard it would be to patch djb's dnscache software, which I use, to do that.
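The response-shape check proposed in the post above, as an added example (not code from the thread, from dnscache, or from BIND). A TLD server is expected to delegate (NS records in the authority section) or to answer NXDOMAIN; a NOERROR response carrying A or MX records for the queried name in its answer section is treated as a synthesised wildcard answer and rewritten to NXDOMAIN. The `Response` dataclass and the sample responses are constructed stand-ins for parsed DNS messages.

```python
"""Classify and sanitize what a TLD server sent back, by response shape."""
from dataclasses import dataclass, field
from typing import List, Tuple

NOERROR, NXDOMAIN = 0, 3
# (owner name, type, rdata): a constructed minimal resource-record shape
RR = Tuple[str, str, str]


@dataclass
class Response:
    qname: str
    rcode: int
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def classify(resp: Response) -> str:
    """Label a response from a TLD server as one of
    'nxdomain', 'referral', 'ns', 'synthesized' or 'unexpected'."""
    if resp.rcode == NXDOMAIN and not resp.answer:
        return "nxdomain"
    if resp.rcode != NOERROR:
        return "unexpected"
    if not resp.answer:
        # A proper delegation: NS records in the authority section whose
        # owner is a parent of the queried name.
        delegating = [rr for rr in resp.authority
                      if rr[1] == "NS" and resp.qname.endswith("." + rr[0])]
        return "referral" if delegating else "unexpected"
    if all(rr[1] == "NS" for rr in resp.answer):
        return "ns"             # e.g. a query for the TLD's own NS set
    return "synthesized"        # A, MX, ... handed out by the TLD itself


def sanitize(resp: Response) -> Response:
    """Replace a synthesised answer with the NXDOMAIN the TLD should have sent.

    Everything else (referrals, honest NXDOMAINs, apex NS sets) passes
    through untouched, so legitimate .com/.net lookups keep working.
    """
    if classify(resp) == "synthesized":
        return Response(qname=resp.qname, rcode=NXDOMAIN)
    return resp


# Constructed sample responses (assumed shapes, not captured traffic).
REFERRAL = Response(
    "www.example.com", NOERROR,
    authority=[("example.com", "NS", "a.iana-servers.net"),
               ("example.com", "NS", "b.iana-servers.net")])
WILDCARDED = Response(
    "exmaple.com", NOERROR,
    answer=[("exmaple.com", "A", "64.94.110.11")])   # address quoted in the thread
WILDCARDED_MX = Response(
    "exmaple.net", NOERROR,
    answer=[("exmaple.net", "MX", "10 mail.example.invalid")])
HONEST_NX = Response(
    "exmaple.org", NXDOMAIN,
    authority=[("org", "SOA", "a0.org.afilias-nst.info. noc.afilias-nst.info. 1 1 1 1 1")])
APEX_NS = Response(
    "com", NOERROR,
    answer=[("com", "NS", "a.gtld-servers.net")])


if __name__ == "__main__":
    for r in (REFERRAL, WILDCARDED, WILDCARDED_MX, HONEST_NX, APEX_NS):
        print(f"{r.qname:16} {classify(r):12} -> rcode {sanitize(r).rcode}")
```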
Professional TCP/IP and DNS
More and more often I regret VeriSign was not located in WTC :(
http://annoying.assfuck-monkeys.com andhttp://annoying.assfuck-monkeys.net. Now, how long until some dumbshit actually registers those?
Posted by a /.er with terrible karma.
All your domains are belong to us.
--Verisign
Vote here against Stratton D. Sclavos:
http://www.forbes.com/2003/05/01/cx_ceo internetpoll.html
You have no clue what you are doing. This doesn't do a god-damned thing to address the problem.
Reverse lookup is in no way required for the wildcard to work. The verisign.com domain resolving is in no way required for the wildcard to work.
What is needed is to force the caching resolver to discard any wildcard record it receives at the TLD level. You can't do this with Bind configuration lines. Fortunately there are patches already listed above to do this.
It's pretty simple - VeriSign is cybersquatting on every domain currently not registered. VeriSign, who has no intention of using the domains, is squatting on every domain currently not registered for commercial gain.
It's only been a day since Verisign has done this and already I'm seeing implications from it...One of the things being email sent to an incorrect address. For instance, I tried sending mail to an obviously fake domain and have yet to get a bounceback. It could be assumed that this is because their server has been completely flooded by worldwide domain misspellings and general abuse from pissed off people like me.
This is a major, major problem. This means that MX servers all over the world no longer can tell you if the domain is invalid because they are getting a valid MX record returned. That mail is then sent to Verisign where they do god-knows-what with it. At best we must rely on THEM to tell us the domain does not exist.
This unilateral action by them is insane...I really am speechless.
-R
Hey! I just discovered something. When you mistype an url, the SiteFinder thing is supposed to help you find it. From their own "help" page, we can read :
:
How did I get to Site Finder?
The Web address that you entered is not registered on the Internet or is inactive, and the Site Finder is designed to help you find what you are looking for.
AND
The "Did You Mean" section displays Web addresses that are similar to the address you entered. If you misspelled the name of a Web site, for example, it is likely that the correctly spelled name will appear here.
Well it turns out that the Did You Mean section ONLY shows domain names that have been registered through NETWORKSOLUTIONS, VeriSign's own bu****it erm I mean service.
You will NEVER see any suggested address from ANY other registrar!!! How fair is that?
Sucky bastards...
I have setup a page to allow you to e-mail all Verisign Executives and Board Members all at once. I can't verify that the e-mails actually get through, but everyone is welcome to use it. E-mail Verisign
This complaint is regarding Verisign's recent decision to claim all non-registered .COM and .NET domain names for itself. It has done this by inserting a wildcard into the DNS registers, meaning an IP of 64.94.110.11 is returned for any domain name that has not yet been registered. That page is an advertisement for VeriSign's domain registration services. This is unfair competition with existing registrars - there is no means for myself, for example, to gain a similar foothold without actually purchasing each and every currently unregistered .COM/.NET name. It is also a technical breach of trust - the Internet is not merely the Web, and unknown domains should return errors rather than constantly try to contact VeriSign's advertising servers. Non-Web-based applications (FTP clients, etc.), will now incorrectly log that they have contacted the host you asked for when in fact they should have returned an error 'hostname unknown' because the site does not exist. The same will occur with any ICMP TRACEROUTE or PING tools-- these will not behave in a manner expected. I would be grateful if you could investigate this matter. Yours, Ian McCall
[insert witty comment here]
Null-routing an IP address at layer two is an interesting concept
You're right, of course. I meant layer three. Good catch.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
This is sickening how Verisign can take over an allegedly no-company-owned internet. I guess Verisign owns the net.
Free Instant Site Inclusion
I think it's disgusting. Has anyone started up an online petition yet? Where do I sign?
Marcus Tucker (marcojt@antisocial.com)
#!/bin/csh
set hostvar = '1'
while (1);
set hostvar = `echo $hostvar | md5`
set hosttarget = $hostvar".com"
nslookup $hosttarget | tail +4
end
bash-2.05a$ ./fuckverisign.csh > /dev/null &
[1] 8856
bash-2.05a$ /usr/games/banner yay
I mod down pyramid schemes in sigs.
This won't do a damn bit of good about this problem. .net and .com are still delegated to Verisign's GTLD servers, and you'll still get wildcarded. This is *NOT* a root server issue, but a GTLD issue for .net and .com.
No matter what bastardized root server confederation you can come up with, it won't help you here.
would be funny if the index.html was replaced with the information minister
-- Grow up and use mutt.
This isn't happening for me anymore it was yesterday?? Is it still happening to anyone else?
I am specifically NOT trying to overload the DNS servers. I specifically will only do lookups as infrequently as necessary. Between lookups, all requests will be sent directly to the Verisign interceptor server .
Article X: The powers not delegated... by the Constitution...are reserved...to the people
Honorable [N.]
I would like to alert you to an action by VeriSign, the company which has custody of the .com and .net TLDs (top level domains). As of Monday, September 15th, they have effectively hijacked all unregistered domains by causing them to point to a subsite of their own.
While this is similar to Microsoft's practice of pointing all misspelled domains in Internet Explorer to the MSN search engine, because of VeriSign's role in the internet, the consequences are much more severe.
Essentially, this move will lead to more spam. Many spammers use fake ("spoofed") return addresses. Part of spam filtering for many ISP's involves checking to see if the originating domain exists. If it does not, it is filtered out as spam. VeriSign, however, will now return all unregistered (nonexistent!) domains ending in .net and .com as valid, making it much more difficult to fight spam.
VeriSign is abusing their position, and their charter, which originated from the US Government, should be revoked.
Respectfully yours,
[N.]
(erm--feel free to make this cleaner. i'm too tired)
I suggest people have a look at http://www.petitiononline.com/badnsi/petition.html - seems that a few people would like verisign removed from control of .com and .net
Hi.
Since our company has a pending Verisign certificate renewal, I thought I'd take that as a chance to email them.
------------
Attn. VeriSign Renewal Department.
I was GOING to renew our company's code signing certificate with VeriSign, but now prefer not to do so and will look for another, more trustworthy, authority instead.
As I am sure you are aware, your company is actively and maliciously manipulating the DNS service -- with which it has been entrusted by the community -- for its own profit, and in so doing is breaking other people's systems, e.g. SPAM filters, mail routing, etc. The solution put in place by VeriSign even hijacks EMail communication sent to a mistyped domain. These are not the actions expected from a trustworthy and reliable business partner.
More details can be found e.g. at
http://slashdot.org/articles/03/09/16/0034210.shtml?tid=126&tid=95&tid=98&tid=99
As I am sure you will understand, this malicious action has caused me to lose ALL trust in VeriSign and the services it offers.
As a result, our company, of which I am CEO, will actively look elsewhere for a trustworthy provider for our certification and code signing requirements and we will conduct our present and future business with these agencies.
I can but hope that others will do the same.
Best regards,
[...]
------------
I even got a canned response. Seems that Verisign think that the Internet is just about browsers:
--------------
Dear Daniel,
Site Finder Service
VeriSign's Site Finder service improves the web browsing experience when the user has submitted a query for a nonexistent second-level domain name in the .com and .net top-level domains. Before this service was implemented, when a user entered a URL containing a nonexistent (e.g., unregistered) domain name ending in .com or .net, their web browser returned an error message that contained no useful information. With the introduction of Site Finder, users now receive a helpful web page offering links to possible intended destinations, related categories, and the ability to conduct additional searches immediately.
For more information, please email: sitefinder@verisign-grs.com
Thank you,
[....]
-------------
Dan.
That was 'the windows chokehold'. Microsoft forcing 'useful beneficial features' down inexperienced user's throats (like MSN).
However, when I used another browser, I didn't get those messages. And it was good.
Now, it seems, Verisign wants to get into the search engine niche that Google has righteously owned.
I know /. doesn't condone this sort of self-righteous behaviour, but this is an emergency. Anyone with a clue can obviously realise the implications of this ridiculous action. We run the industry- I say we initiate a state of internet anarchy, and unleash the millions of script kiddies, millions of 'security professionals' (read: crackers), and millions of blonde office assistants onto the Verisign network.
:)
Lets start a holy war of our own
I spent two hours overtime fixing my company's caching name servers. I am wondering how disturbing it would be for their finance department if they got invoices from anyone who had to change their DNS setup.
I've read that trademark holders must prosecute abuse of their trademarks, or risk losing them.
As VeriSign now PROFITS from every trademark.com or trademark.net currently unregistered, they MUST be prosecuted by any registered trademark holder who finds theirtrademark.com or theirtrademark.net is redirecting to VeriSign's server.
Has anyone called a lawyer?
e.g:
microsoft-word.com
ibm-visual-age.com
cocacola-therealthing.com
mcflurry.net
mcchickensandwich.net
visual-studio-6.net
#!/bin/bash
while [ 1 ]
do
wget -r http://www.yourdomainnamethathasatypo.com &
done
Walk away for 30 minutes...
Generate a billion e-mail addresses with random domains and put the lists public. Thanks to Verisign giving the domains a mail service, the spammers should no longer have that easy time, if enough people do this.
Grab it while it's hot
If a train station is a place where a train stops, what's a workstation?
sure, what THEY consider useful information, personally, I find error pages quite a bit more useful than spam. if I want to do a search engine for something, I'll do it myself, no thanks, I don't need your help.
LostboyTNT MercyHosting.Com
Server-Status.Com
50Bux.Com
TLDR.Com
It also violates ICANN WhoIs policy. It also violates RFCs for accepting mail to postmaster.
...and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising. ;-)
I tried this - put soemcompany.com in my browser to see what this advertising was. The advertising was quite successful. I spent a good 20 minutes having a look around. I'm all for this progress in technology
For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising."
No, actually you get something even more interesting.
nuff said.
All of the programmers out here should know that using magic numbers like this never works. What happens when Verisign changes the IP? What happens if they decide to round-robin sitefinder with a number of other servers with different IP addresses? You would have update your lists of blocked sitefinder IPs regularly.
The only real solutions are to use different name servers, or to put a stop to Veri$ign. And why should we have to spend our time moving to new a DNS?
HERE: http://www.petitiononline.com/icanndns/ Or complain to ICANN yourself: http://reports.internic.net/cgi/registrars/problem-report.cgi .
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
IANAL, but "yeah, right!" (unless you're in the USA or other anti-liberal countries (where it may be binding)). May Verislime burn in hell, oh, and have their powers removed. SIGN THE PETITION TO ICANN NOW: http://www.petitiononline.com/icanndns/
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
We didn't find: "www.verisign.com"
"If Verisign can hijack *.COM and *.NET, what is to keep resolving ISPs from hijacking unused domains at the resolver level to suit their own purposes?"
Absolutely nothing can be done to stop this, as it is your ISP's right. If you don't like it you could either a.> change ISPs or b.> Use different name servers. The problem with this is that it is the root nameservers that are doing it, so your ISP no longer can resolve non-existent hosts, as all possible .com and .net names essentially exist now..
Everyone is entitled to their own opinion. It's just that yours is stupid.
Just send it a TCP stream without \n's and it will keep accepting the whole stuff. Well I *think*... I just tried a
nc qmsldkfj.com 25 < /dev/zero
... and it did just that. Great way to test your upload bandwidth :-)
But I guess version 1.4 will correct this feature. Oh well.
I am writing a letter to them and will not use them in the future.
Verisign shows what happens when business screws it up. Resolving all names further screws up the DNS system, and it is not the DNS software that is the problem, it is the way the idiots at Verisign and other top level DNS systems behave that is really the issue.
Go to ICANN/Internic and complain.
http://www.internic.net/
Verisign abuse should be reported and the more who complain they might actually do something.
You could always modify your DNS and point sitefinder.verisign.com to 64.135.8.60. ;-)
Host.net Operations
703-742-0400 - Main Corporate Number
650-961-7500 - Mountain View, CA
Bob Korzanewski - in charge of DBMS product
Stratton Sclavos - CEO
The thing that disgusts me the most is that the Internet is the property of the Government, which means it's the property of the people... like TV waves, to be given out only to responsible bodies who will not abuse them. Verisign has done so. This would be like if the FCC was broadcasting Colt 45 ads on every unused Television and Radio channel! More info: Verisign Hijackers are SCUM
This is easy. When an anti-spam or URL-checking tool starts up, it should automatically look up Verisign's IP, and then any email host or URL that comes up as Verisign is spam.
Too bad for Verisign that their emails will get screened out by every spam checker on the planet. Some people made bad choices.
*** *** You're just jealous 'cause the voices talk to me... ***
Buydomains.com has been pulling this crap for at least a year now. Every 404 URL I type in always leads to buydomains.com and their incessant pop-ups. Very frustrating. I hope Verisign gets the hint and stops their practice
'mmmmmmmmm.... forbidden donut'
Actually, your sig should read:
Incest: it's all relative.
I used to have a sig, but I set it free and it never came back.
Okay, I have done the following: sent a mail, and I have gotten the following response:
Dear x,
Thank you for contacting VeriSign Customer Service.
There is no way for us to remove your subnet ranges from accessing the SiteFinder service. If you do not wish to be re-directed to the SiteFinder service when typing in an NXDOMAIN, you should look for ways internally to block the service.
If you require further assistance please contact us by replying to this email.
Best Regards,
Bonnie Bryant
Customer Service
VeriSign, Inc.
www.verisign.com
sitefinder@verisign-grs.com
A petition with 4600+ signers (and going up fast) is at http://www.petitiononline.com/icanndns/petition.html - not sure if there's another link to it or not.
I would like to thank you for breaking that pesky DNS protocol. I mean, why should people rely upon standards-based protocols anyway? I really didn't need the "reject_unknown_recipient_domain" and "reject_unknown_sender_domain" options from my postfix email server anyway. They're useless, right? You have saved us from having effective address resolution for numerous internet protocols, well established networking practices, and sanity.
Thank you, again, for thinking only of your customer.
Sincerely,
Chad C. Walstrom
A disgruntled Network Administrator who has spent all afternoon trying to "fix" what you broke.
assert(expired(knowledge));
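The check that the two posts above complain about (Postfix's reject_unknown_sender_domain, and the "look up Verisign's IP and treat anything that resolves to it as spam" idea a few comments up) can be made wildcard-aware instead of being abandoned. The following is an added example written for this page; it is not code from the thread, from Postfix, or from VeriSign. Rather than hard-coding 64.94.110.11 (which VeriSign could change at any time), it learns a TLD's wildcard address by resolving a random nonce label under that TLD and then treats any domain whose only A records are that wildcard answer as nonexistent. The resolver is injected as a callable; the answer table, the hostnames in it, and the assumption that the thread's 64.94.110.11 is still the wildcard target are all constructed for the example so it runs offline.

```python
"""Wildcard-aware "does this sender domain exist?" check (added example)."""
import secrets

# From the thread: the address the .COM/.NET wildcard A record returns.
# Assumed here only to build the offline stand-in resolver below.
SITEFINDER_IP = "64.94.110.11"

# Constructed answer table standing in for live DNS (assumption, not real data).
FAKE_ZONE = {
    "example.com": {"192.0.2.10"},
    "mail.example.net": {"198.51.100.5"},
}


def fake_resolve(name):
    """Return the set of A records for name.

    Registered names come from FAKE_ZONE; every other .com/.net name gets the
    wildcard answer, mimicking SiteFinder; anything else is an honest NXDOMAIN.
    """
    name = name.lower().rstrip(".")
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    if name.endswith(".com") or name.endswith(".net"):
        return {SITEFINDER_IP}
    return set()


def tld_of(name):
    return name.lower().rstrip(".").rsplit(".", 1)[-1]


def learn_wildcard(resolve, tld, probes=2):
    """Probe random, practically-unregistered labels under tld.

    If every probe returns the same non-empty address set, the TLD synthesizes
    answers for nonexistent names and that set is the wildcard. Empty or
    inconsistent answers mean "no trustworthy wildcard" (returns empty set).
    """
    seen = None
    for _ in range(probes):
        nonce = "nx-" + secrets.token_hex(12) + "." + tld
        answer = frozenset(resolve(nonce))
        if not answer:
            return frozenset()          # honest NXDOMAIN: nothing to subtract
        if seen is not None and answer != seen:
            return frozenset()          # inconsistent: do not trust as wildcard
        seen = answer
    return seen


def domain_exists(resolve, domain, wildcard_cache=None):
    """True only if domain has A records beyond the TLD's synthesized wildcard."""
    if wildcard_cache is None:
        wildcard_cache = {}
    tld = tld_of(domain)
    if tld not in wildcard_cache:
        wildcard_cache[tld] = learn_wildcard(resolve, tld)
    answer = frozenset(resolve(domain))
    if not answer:
        return False                    # real NXDOMAIN
    wildcard = wildcard_cache[tld]
    if wildcard and answer <= wildcard:
        return False                    # only the wildcard answered: treat as NXDOMAIN
    return True


def sender_domain_check(resolve, sender):
    """Postfix-style reject_unknown_sender_domain, but wildcard-aware.

    Returns (accept, reason).
    """
    if "@" not in sender:
        return False, "malformed sender"
    domain = sender.rsplit("@", 1)[1]
    if domain_exists(resolve, domain):
        return True, "sender domain resolves"
    return False, "550 sender domain does not exist (or is only a TLD wildcard)"


if __name__ == "__main__":
    cache = {}
    for s in ["bob@example.com", "bob@soemcompany.com", "x@nosuch.invalid"]:
        print(s, sender_domain_check(fake_resolve, s))
```

Two design points: the nonce probe is repeated so that a single accidental hit on a real name cannot be mistaken for a wildcard, and the comparison is a subset test, so a domain that legitimately lists extra addresses is still accepted. If a TLD ever served a round-robin wildcard (different addresses per query), the equality check would refuse to learn it; in that case compare on overlap over several probes instead. BIND's delegation-only zone type, discussed further down the thread, achieves the same effect one layer lower, at the resolver, so that every application behind it gets NXDOMAIN back.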
However, I am curious about the liability Verisign might face when some pre-teen mistypes a common kid's website (let's say www.barney.com --> www.baremy.com) and gets a Verisign suggested spelling that links to a porn site (www.bareny.com).
IANAL, but it seems there would be some civil and criminal liability here, if the parents or school district or other computer provider were aware of how the kid was directed to the porn site....
Ah, well, I am just trying to think beyond the "they ate up 1 gazillion hours of network admin time" box here...
I would hate to be THE guy who said "Do it," to this idea.
Here are the phone numbers of the creeps who designed the system
Matt Larson
Phone: +1 703 948-3239
mlarson@verisign.com
Scott Hollenbeck
Phone: +1-703-948-3257
FAX: +1-703-421-0064
shollenbeck@verisign.com
It's as if you were walking down the street looking for "Bob's Hardware" and on either side of the actual "Bob's Hardware" were hundreds of porn stores and strip joints with various names like "Bob'z Hardware" and "Bop's Hardware", "Bob's Gardware", etc... imagine the hijinks that would ensue!
"There is nothing more useless than a lock with a voice print." - Cardinal Borusa
To: 'forum at alac.icann.org'; 'letters at nytimes.com'
CC: 'press@verisign.com'; 'IR@verisign.com'; 'dcpolicy@verisign.com'
Dear Sirs,
Re: [Slashdot.org] Posted by timothy on Monday September 15, @09:23PM from the gotcha dept.
DragonHawk writes "As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now result in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising."
Adamant to scrub my machine of what I assumed at the time to be a hostile infection of my Windows OS, I eventually found references to the above posting (http://slashdot.org/article.pl?sid=03/09/16/0034210&mode=threaded&tid=126&tid=95&tid=98&tid=99).
As Verisign's tag line 'The Value of Trust' proclaims, we expect and demand simple and honest actions by those bestowed with power.
I therefore write in protest. I consider this action by Verisign to be a blatant exploitation of their position as domain name registrar. It is a flagrant abuse of trust for such a company in a monopoly position to redirect non-existent lookups to their advertising site. I believe this action demonstrates the need for tighter regulation of the industry and for the removal of those companies that abuse their monopoly position.
As you will note in the detailed technical and commercial opinions on the above page, I am not alone in my opinion. I sold my Verisign shares on the news.
Yours faithfully,
Martin Cleaver
--
Martin at Cleaver.org
Melbourne Business School MBA Candidate 2004 on Exchange to The Rotman School of Business. MSc BSc (Hons)
...You know, that IP address isn't responding anymore.
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
#route add 64.94.110.11 reject
Easy!
I USE THE ROOT SERVERS FROM MY DIALUP! It's the only way to be sure that you can get the latest DSN information! Try it everybody! When it says what DSN server U want 2 use, pick A.GTLD-SERVERS.NET (that one is the FASTEST!) and Z.GTLD-SERVERS.NET (this one is good 2!!1!)
On the linux box that handles your Internet connection: #route add 64.94.110.11 reject Attempted connections will now fail with "No route to host", blocking Verislime's advertising completely. This hack is trivial to adapt for other OSen, just check your 'route' or 'netstat' man pages.
Anybody interested ... build the Red Hat 9.0 RPMs with bind-9.2.2 and the official ISC patch P1.
they must have some damn juicy servers on sitefinder.verisign.com... imagine the kind of hits they would be getting from all unresolvable DNS queries!
It has nothing to do with TTLs or RFCs, though they are good reasons in and of themselves.
It also has nothing to do with being a good network citizen.
It has to do with how much memory your webserver has.
Start at A.com and work your way up to ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ.com.
Do this from a few hundred locations, constantly.
Watch root nameservers die.
(Actually, I don't know if this would work, but it is possible - if they cache every request.)
An even better idea: just let them fuck themselves.
#!/bin/bash
export QMAILUSER=websitesales
export QMAILSUSER=websitesales
export QMAILHOST=verisign.com
export QMAILSHOST=verisign.com
export QMAILNAME=info
export QMAILINJECT=sfi
export QMAILIDHOST=verisign.com
echo run `date` >>/var/log/x.log
/usr/bin/lynx -dump http://www.verisign-`date +"%Y%d%h%m%s"`.com | /var/qmail/bin/qmail-inject -fwebsitesales@verisign.com shovethis@verisign-`date +"%Y%d%h%m%s"`.com
Hello,
I got spam bounces from unknown domains, and since I don't control DNS for backup MX, I am thinking about doing a procmail rule to forward them to Veri$ign:
:0
* ^From: Mail Delivery Subsystem \<MAILER-DAEMON@sundog\.phear\.org\>$
* ^To: postmaster@sundog\.phear\.org$
* ^Subject: Postmaster notify: see transcript for details$
{
  :0Bc
  * ^... 550 User domain does not exist
  | ( formail -rk | head -25 ; \
      echo ; \
      echo "We don't want to receive bounce e-mails from nonexistent domains" ; \
      echo "So we forward them back to you." ; \
      echo ; \
      echo -- ; \
      /usr/games/fortune ; \
    ) | $SENDMAIL -f dev.null@phear.org info@verisign-grs.com

  :0
  sundog-bounces
}
I am wondering if something like that done by many postmasters would be nice for them. If you try, adapt to your domain/hostnames.
PS: I'm pretty sure that's not the best way to do it, but at least it seems to work. *nasty* *nasty* (but still pissed off by VeriSign)
Someone will get pissed and hit them with DOS attacks. Shut em down!
Registrant:
Stockroom.com
2140 Hyperion Av
Los Angeles, CA 90027
US
Registrar: DOTSTER
Domain Name: SOEMCOMPANY.COM
Created on: 16-SEP-03
Expires on: 16-SEP-04
Last Updated on: 16-SEP-03
lol, pathetic.
I've left to find myself. If you happen to see me, please, keep me there until I return.
For those who have upgraded/patched BIND to allow for the "type delegation-only" zones, here is a listing of all known publicly accessible TLDs configured for such operation.
Simply put this in your named.conf, or use the new "include" operation and store these in a separate file.
Due to the lameness of the lameness filter I can't post the list here. Get it from here. This is a plain text file signed with GPG.
My web server should be able to handle the load since it's only a 16KB text file. Feel free to mirror it elsewhere.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
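For readers who have the patched BIND the post above refers to but not the list, here is the shape of the named.conf entry it describes, as an added illustration rather than the poster's file. It assumes a build that accepts the delegation-only zone type (the ISC patch for 9.2.2 mentioned earlier in the thread); the zone names are the only two TLDs the thread itself says are wildcarded.

```conf
// Added example: mark .COM and .NET as delegation-only.
// With this type the resolver accepts only delegation (NS and glue)
// records from the TLD's servers; any other data synthesized at the
// TLD level, such as the SiteFinder wildcard A record, is discarded
// and the lookup is answered with NXDOMAIN as before.
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
```

The caveat a netadmin wants before pasting this everywhere: delegation-only must only be applied to TLDs that are genuinely nothing but delegations. A TLD that legitimately serves A or MX records at or directly under its apex would lose them, which is exactly why the poster maintains a curated, signed list instead of saying "do it for every TLD". Verify the effect with a lookup of a random label under .com before and after the change: the wildcard address before, NXDOMAIN after.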
Put
127.0.0.1 sitefinder.verisign.com
into the hosts file in your Windows dir or /etc somewhere.
I think it doesn't block the whole of verisign just their pesky router thing, so now if I type
www,google.com
I get a page not found, which is more helpful to me than their dodgy site finder.
-- it must be true, it's on the internet.
I've been carefully avoiding XP and now I find along with the evil spyware inbuilt, it is trying to emulate unix structures?
Que? (translation: WTF?)
Will SCO sue?
Can I do an LS instead of a DIR at the command prompt?
BTW I installed my windows into a dir not named windows so that the self-copying destructive code writers would have to be a bit more creative than rote. Ie know how to use %windir% or whatever it is.
-- it must be true, it's on the internet.
How can they do this? I don't understand the legalities (if any apply) of such a move. It's disturbing to think that each time I mistype or attempt to find a website I'm going to be hit with VeriSign. I've had enough of an experience with them to move all my domain names as far away from them as possible, this is certainly not going to make me change my mind. They effectively now 'own' the internet, and I think that's wrong.
In the public interest I'm releasing the following files to aid those who may wish to research the wildcarded TLD problem. The scripts are KornShell 88, developed on AIX 4.3.3.
While I'm at it, here is something that can be used to generate traffic to spamhost web servers:
Look at the bright side: there's always seppuku.