Slashdot Mirror


Spammers Upend DNS

Saint Aardvark writes "eWeek reports on the latest trick of spammers: getting around DNS-based lookups. By registering a domain *after* the spam goes out advertising it, they can get around blacklists. However, that causes all sorts of problems for ISPs and anti-spam services. Paul Judge, CTO at Ciphertrust, says "Even in large enterprises, it's becoming very common to see a large spam load cripple the DNS infrastructure.""

11 of 304 comments

  1. Re:That's a nice stunt by 2advanced.net · Score: 3, Informative

    You've misunderstood the problem ...

    The domains sending the email exist, but the ones advertised in the email do not. Because SpamCop (et al.) punish not only the sending IP block, but also the advertised host/IP block, spammers are advertising sites that won't exist for a few hours, tricking SpamCop (et al.) into reporting on domains that don't exist and therefore cannot be penalized.

  2. Re:Wanted: DNS geek by marsvin · Score: 3, Informative

    When a DNS query goes to an ISP's DNS server, and the entry does not exist, does it go to the root servers?

    Yeah, how else would you know it doesn't exist?

    Secondly, do invalid domain names get cached (I'm thinking not)?

    Nowadays yes, but not for very long (on the order of 5 minutes, usually).

  3. Re:Wanted: DNS geek by ngc5194 · Score: 2, Informative

    When a DNS query goes to an ISP's DNS server, and the entry does not exist, does it go to the root servers?

    When we make a DNS query, it goes to our name server. If the name server does not have a result for that query cached, it queries a higher-level server for information on which name server is authoritative for that domain. It is possible for any DNS query where no component of the domain name is cached to require a query of the root name servers. This is true for any existent or nonexistent domain name.

    Secondly, do invalid domain names get cached (I'm thinking not)?

    I don't know about all implementations, but contemporary versions of BIND all perform "negative caching" for some amount of time. The invalidity of DNS records can be cached.

  4. Re:Crippling DNS? How much does DNS suck? by 2advanced.net · Score: 2, Informative

    Failed requests (non-existent domains) always go to the root servers.

  5. Re:Wanted: DNS geek by Anonymous Coward · Score: 1, Informative
    Here is what happens when there is a DNS lookup for a non-existent domain, such as www.thisdoesntexistfuqwehfiufqwehfoewuwfqeho.com:

    • The ISP's caching server will probably already have the .com DNS server name and IP cached. If not, it will ask the root server for the .com server name and IP. (OK, the DNS server will really ask the root server for www.thisdoesntexistfuqwehfiufqwehfoewuwfqeho.com when the cache is empty, and get a reply from the root server: "The .com name server is im-too-lazy-to-run-dig-right-now.gtld.net, and im-too-lazy-to-run-dig-right-now.gtld.net has the IP 10.19.2.83".)
    • The caching DNS server will ask a .com name server for the IP of www.thisdoesntexistfuqwehfiufqwehfoewuwfqeho.com.
    • The .com name server will reply (in a very ugly way involving giving out an SOA answer in the NS section, as I recall) with "thisdoesntexistfuqwehfiufqwehfoewuwfqeho.com. doesn't exist, and remember that fact for one day".
    • The ISP's DNS server will remember that thisdoesntexistfuqwehfiufqwehfoewuwfqeho.com doesn't exist for one day; it will not keep on asking the .com server for this non-existent domain.

  6. Re:all this just makes me sad... by Anonymous Coward · Score: 1, Informative
    Here is a wonderful tool that made communication easy, fast and cheap but is absolutely being ruined by the malicious few with absolutely no morals, ethics or concerns for others.

    Sadly it is quite easy:

    1) profit

    cost to spam: (tiny fixed amount) + ($0.00 * number_of_spam)
    means that there is very little cost to the sender of spam. This means that if 1 in 100000 buy their product they have made money.

    (Remember this: There Ain't No Such Thing As A Free Lunch. We ate our 'free' lunches and now we have to pay.)

  7. The article is wrong. by mortonda · Score: 3, Informative

    The article is just wrong, and there's a feedback post on the same page that explains why very well. (Although, what's with the stupid formatting?)

  8. Re:I bet... by AndroidCat · Score: 2, Informative

    That's the one that by default, sends spam bounces to forged email addresses?

    --
    One line blog. I hear that they're called Twitters now.
  9. Just Greylist! by emil · Score: 2, Informative

    OpenBSD's spamd will initially reject all mail from previously unknown sources. It will only permit access to sendmail after an attempt at redelivery. This has brought my spam load down to about zero.

    Unless a spammer using the above trick attempted redelivery (which is unlikely), it would not cause a DNS flood.

    spamd is only one of a great many reasons to consider OpenBSD on your critical servers.

    1. Re:Just Greylist! by Greyfox · Score: 2, Informative
      There's a similar daemon out there called postgrey which does pretty much the same thing. If you run Debian and your own mail server, you can just apt-get install postgrey.

      It doesn't work 100% of the time but between that and SPF checking, my spam load has been reduced to 3 or 4 a month. I could ban hotmail and yahoo and that'd pretty much eliminate spam from my mailbox completely.

      They'll figure this trick out eventually though, then I'll have to come up with something else.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  10. Re:That's a nice stunt by Anonymous Coward · Score: 2, Informative
    You've misunderstood the problem

    Not according to the article:

    One troublesome technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. [...] During the interval between mailing and registration, the SMTP servers on the recipients' networks attempt Domain Name System look-ups on the nonexistent domain, causing delays and timeouts on the DNS servers and backups in SMTP message queues.

    The sending domains *don't* exist.

    Honestly, this seems pretty overrated - any mail coming into our domain gets a single lookup - if the domain doesn't exist, it gets a 500. If the domain exists, but the DNS servers time out, it gets a 450.

    Why anyone would accept mail from a domain that doesn't exist is beyond me.