Slashdot Mirror


Spammers Upend DNS

Saint Aardvark writes "eWeek reports on the latest trick of spammers: getting around DNS-based lookups. By registering a domain *after* the spam goes out advertising it, they can get around blacklists. However, that causes all sorts of problems for ISPs and anti-spam services. Paul Judge, CTO at Ciphertrust, says "Even in large enterprises, it's becoming very common to see a large spam load cripple the DNS infrastructure.""

9 of 304 comments

  1. Re:That's a nice stunt by 2advanced.net · · Score: 3, Informative

    You've misunderstood the problem ...

    The domains sending the email exist, but the ones advertised in the email do not. Because SpamCop (et al.) punish not only the sending IP block, but also the advertised host/IP block, spammers are advertising sites that won't exist for a few hours, tricking SpamCop (et al.) into reporting on domains that don't exist and therefore cannot be penalized.

  2. Re:Wanted: DNS geek by marsvin · · Score: 3, Informative
    When a DNS query goes to an ISP's DNS server, and the entry does not exist, does it go to the root servers?

    Yeah, how else would you know it doesn't exist?

    Secondly, do invalid domain names get cached (I'm thinking not)?

    Nowadays yes, but not for very long (on the order of 5 minutes, usually).

  3. Re:Wanted: DNS geek by ngc5194 · · Score: 2, Informative

    When a DNS query goes to an ISP's DNS server, and the entry does not exist, does it go to the root servers?

    When we make a DNS query, it goes to our name server. If the name server does not have a result for that query cached, it queries a higher-level server for information on which name server is authoritative for that domain. It is possible for any DNS query where no component of the domain name is cached to require a query of the root name servers. This is true for any existent or nonexistent domain name.

    Secondly, do invalid domain names get cached (I'm thinking not)?

    I don't know about all implementations, but contemporary versions of BIND all perform "negative caching" for some amount of time. The invalidity of DNS records can be cached.

  4. Re:Crippling DNS? How much does DNS suck? by 2advanced.net · · Score: 2, Informative

    Failed requests (non-existent domains) always go to the root servers.

  5. The article is wrong. by mortonda · · Score: 3, Informative

    The article is just wrong, and there's a feedback post on the same page that explains why very well. (Although, what's with the stupid formatting?)

  6. Re:I bet... by AndroidCat · · Score: 2, Informative

    That's the one that by default, sends spam bounces to forged email addresses?

    --
    One line blog. I hear that they're called Twitters now.
  7. Just Greylist! by emil · · Score: 2, Informative

    OpenBSD's spamd will initially reject all mail from previously unknown sources. It will only permit access to sendmail after an attempt at redelivery. This has brought my spam load down to about zero.

    Unless a spammer using the above trick attempted redelivery (which is unlikely), it would not cause a DNS flood.

    spamd is only one of a great many reasons to consider OpenBSD on your critical servers.

    1. Re:Just Greylist! by Greyfox · · Score: 2, Informative
      There's a similar daemon out there called postgrey which does pretty much the same thing. If you run Debian and your own mail server, you can just apt-get install postgrey.

      It doesn't work 100% of the time but between that and SPF checking, my spam load has been reduced to 3 or 4 a month. I could ban hotmail and yahoo and that'd pretty much eliminate spam from my mailbox completely.

      They'll figure this trick out eventually though, then I'll have to come up with something else.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
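
The greylisting that the two comments above describe (spamd, postgrey), as an added example in Python that is not code from either project or from the thread. The delay, the retention period, the /24 grouping of IPv4 clients, the reply texts and the sample addresses are assumptions chosen for illustration; a single-shot sender that never retries, as in the trick the article describes, never gets past the first 450.

```python
"""Greylisting policy of the kind OpenBSD spamd and postgrey implement.

This is an added example, not code from spamd, postgrey or the thread.
The delay, retention period, /24 grouping, reply texts and the sample
addresses are assumptions chosen for illustration.
"""
import ipaddress
import time
from dataclasses import dataclass, field

GREYLIST_DELAY = 300            # seconds a new triplet waits before it may pass (assumed)
GREYLIST_MAX_AGE = 35 * 86400   # forget a triplet not seen for this long (assumed)
TEMPFAIL = "450 4.2.0 Greylisted, try again later"
ACCEPT = "250 OK"


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    passed: bool = False


@dataclass
class Greylist:
    delay: int = GREYLIST_DELAY
    max_age: int = GREYLIST_MAX_AGE
    entries: dict = field(default_factory=dict)

    @staticmethod
    def triplet(client_ip, sender, recipient):
        """Key a delivery attempt by (client network, envelope sender, envelope recipient).

        IPv4 clients are grouped by /24 so that a site whose retry comes from a
        neighbouring outbound host is not greylisted a second time (assumption).
        """
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 128
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def expire(self, now):
        """Drop triplets whose last attempt is older than max_age."""
        stale = [k for k, e in self.entries.items() if now - e.last_seen > self.max_age]
        for k in stale:
            del self.entries[k]

    def check(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply for one delivery attempt.

        First sight of a triplet: tempfail and remember it. A retry before
        `delay` has elapsed: tempfail again. A retry after the delay: accept,
        and keep accepting that triplet until it expires. A sender that never
        retries never gets through.
        """
        now = time.time() if now is None else now
        self.expire(now)
        key = self.triplet(client_ip, sender, recipient)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = Entry(first_seen=now, last_seen=now)
            return TEMPFAIL
        entry.last_seen = now
        if entry.passed or now - entry.first_seen >= self.delay:
            entry.passed = True
            return ACCEPT
        return TEMPFAIL


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_000_000.0
    # constructed sample: a well-behaved MTA retries after ten minutes; a spam cannon sends once
    print(g.check("203.0.113.5", "alice@example.com", "bob@example.net", now=t0))        # 450
    print(g.check("203.0.113.5", "alice@example.com", "bob@example.net", now=t0 + 600))  # 250
    print(g.check("198.51.100.7", "offer@notyet.example", "bob@example.net", now=t0))    # 450, never retried
```

The `now` argument exists so the policy can be driven with a fixed clock; a real daemon would leave it at the default and persist `entries` to disk so a restart does not re-greylist every correspondent.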

  8. Re:That's a nice stunt by Anonymous Coward · · Score: 2, Informative
    You've misunderstood the problem

    Not according to the article:

    One troublesome technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. [...] During the interval between mailing and registration, the SMTP servers on the recipients' networks attempt Domain Name System look-ups on the nonexistent domain, causing delays and timeouts on the DNS servers and backups in SMTP message queues.

    The sending domains *don't* exist.

    Honestly, this seems pretty overrated - any mail coming into our domain gets a single lookup - if the domain doesn't exist, it gets a 500. If the domain exists, but the DNS servers time out, it gets a 450.

    Why anyone would accept mail from a domain that doesn't exist is beyond me.
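
The two mechanisms argued over in this thread, negative caching of NXDOMAIN (comments 2 and 3) and the comment above's rule of a 5xx for a nonexistent sender domain versus a 4xx for a lookup that times out, as one added Python example. It is not code from BIND, from any MTA, or from the thread: the upstream answers are constructed in memory to stand in for the root/TLD/authoritative chain, and `NEG_TTL`, the domain names and the reply texts are assumptions.

```python
"""Negative caching in a stub resolver, driving an MTA's sender-domain check.

Added example, not code from BIND, any MTA, or the thread. The upstream
answers are constructed in memory to stand in for the root/TLD/authoritative
chain; NEG_TTL, the domain names and the reply texts are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

NEG_TTL = 300      # seconds an NXDOMAIN stays cached (assumed; the thread says "on the order of 5 minutes")
POS_TTL = 3600     # seconds a positive answer stays cached (assumed)

# Constructed upstream view: any name absent here is NXDOMAIN, as an unregistered domain would be.
UPSTREAM = {
    "example.net": ("MX", "mail.example.net"),   # registered, reachable
    "slow.example": ("TIMEOUT", None),           # registered, but its name servers do not answer
}

NXDOMAIN_REPLY = "550 5.1.8 Sender domain does not exist"
DEFER_REPLY = "450 4.4.3 Sender domain lookup timed out, try again later"
OK_REPLY = "250 OK"
SYNTAX_REPLY = "501 5.1.7 Bad sender address syntax"


@dataclass
class CachingResolver:
    upstream: dict
    neg_ttl: int = NEG_TTL
    pos_ttl: int = POS_TTL
    upstream_queries: Counter = field(default_factory=Counter)   # how often each name went upstream
    cache: dict = field(default_factory=dict)                     # name -> (status, data, expires_at)

    def lookup(self, name, now):
        name = name.lower().rstrip(".")
        hit = self.cache.get(name)
        if hit is not None and hit[2] > now:
            return hit[0], hit[1]                                 # served from cache, no upstream traffic
        self.upstream_queries[name] += 1
        status, data = self.upstream.get(name, ("NXDOMAIN", None))
        if status == "NXDOMAIN":
            self.cache[name] = (status, data, now + self.neg_ttl)  # negative caching: remember the absence
        elif status == "MX":
            self.cache[name] = (status, data, now + self.pos_ttl)
        # TIMEOUT is deliberately not cached: every attempt during the outage goes upstream
        # again, which is the kind of load the article describes.
        return status, data


def sender_domain_policy(resolver, mail_from, now):
    """Decide the SMTP reply to MAIL FROM from the resolver's answer for the sender domain.

    NXDOMAIN is authoritative and permanent, so reject outright (5xx) and let the
    negative cache absorb the rest of the run. A timeout is temporary, so defer (4xx)
    and keep the message in the sender's queue rather than ours.
    """
    if "@" not in mail_from:
        return SYNTAX_REPLY
    domain = mail_from.rsplit("@", 1)[1]
    status, _ = resolver.lookup(domain, now)
    if status == "NXDOMAIN":
        return NXDOMAIN_REPLY
    if status == "TIMEOUT":
        return DEFER_REPLY
    return OK_REPLY


def spam_run(resolver, mail_from, count, start, interval=1):
    """Feed `count` messages from one sender, `interval` seconds apart; return the replies."""
    return [sender_domain_policy(resolver, mail_from, start + i * interval) for i in range(count)]


if __name__ == "__main__":
    r = CachingResolver(UPSTREAM)
    replies = spam_run(r, "offer@notyet.example", 1000, start=0)   # constructed overnight spam burst
    print(replies[0], "x", len(replies), "- upstream queries:", r.upstream_queries["notyet.example"])
    print(sender_domain_policy(r, "alice@slow.example", now=0))
```

With a 300-second negative TTL, a thousand messages from an unregistered domain spread over a thousand seconds cost four upstream queries; the same run against a domain whose name servers are unreachable costs one upstream query per message, because a timeout is not an answer and cannot be cached. That asymmetry is why the comment above's 500-for-NXDOMAIN rule is cheap and the timeout case is the one that hurts.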