Slashdot Mirror


Spammers Upend DNS

Saint Aardvark writes "eWeek reports on the latest trick of spammers: getting around DNS-based lookups. By registering a domain *after* the spam goes out advertising it, they can get around blacklists. However, that causes all sorts of problems for ISPs and anti-spam services. Paul Judge, CTO at Ciphertrust, says "Even in large enterprises, it's becoming very common to see a large spam load cripple the DNS infrastructure.""

17 of 304 comments

  1. That's not the sky falling... by winkydink · Score: 5, Insightful

    The article goes on to say that some anti-spam applications do as many as 30 DNS lookups. This is a design problem with the apps, not with DNS. Do fewer lookups, minimize the problem. I'd venture that after checking with a few of the major blacklists, you've pretty much hit the point of diminishing returns in distinguishing spam/ham.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:That's not the sky falling... by Zocalo · Score: 4, Insightful
      No, it's a problem with spammers making references to multiple domains in their email, each of which might need to be checked against several SURBLs. Personally, I'm not fretting this one at all; while it's an ingenious workaround from the spammers to get around the SURBLs, there's a trivial fix.

      At the moment, each domain referenced in the body of a spam is checked against one or more SURBLs to see if it has been spamvertised - hence the 30 lookups figure. Instead of immediately checking the SURBLs, we can just make a single check to see if the domain exists at all; if it doesn't, then skip the SURBL checks and bias the score towards being spam. If it does exist, then we can proceed to check the SURBLs as normal and still nail any spams using known spamvertised domains. If the domain does exist, then it's a single extra DNS lookup which is possibly going to be cached, so a root server query may be avoided. If it doesn't exist, then we skip the SURBL checks and save our 30 DNS queries.

      Yup, it's the old spam arms race again. Give it a month or so and we'll all be moaning about some completely new spammer tactic brought in to replace this one.

      --
      UNIX? They're not even circumcised! Savages!
  2. Re:Dammit by punkass · Score: 3, Insightful

    yeah! and make drugs illegal too! that'll teach 'um.

    --
    "Nobody owns the fucking words man." - James Dean
  3. Re:Thats a nice stunt by skaladin · Score: 2, Insightful

    Who cares about typos? If it doesn't exist, don't forward it. Plain and simple.

  4. Re:Fast DNS updates! by 2advanced.net · Score: 2, Insightful

    Do you stop advancing technology just because the spammers may benefit from it?

    Rapid updates to the .com and .net zones are VERY helpful for a large number of people - punishing them because it also helps spammers is like tearing down skyscrapers to avoid terrorists in airplanes.

  5. all this just makes me sad... by jxyama · Score: 2, Insightful
    ...and also mad.

    this is not meant as any kind of informative post, but every time i read something like this, or receive another spam in my Inbox, i feel a bit of both sadness and anger...

    here is a wonderful tool that made communication easy, fast and cheap but is absolutely being ruined by the malicious few with absolutely no morals, ethics or concerns for others.

    just like those orphan traders at tsunami disaster areas... i really would like to have a chance to confront these disgusting people and try to make sense of their thought process...

  6. spam protocol hogging by Doc+Ruby · Score: 4, Insightful

    DNS could play a role in beating spam. DNS servers suffering from "spam overload" can see that they're handling a lot of the same lookups that are overloading them. They could flag their responses back to the isolated SMTP servers that are processing the spams, which can tell that they're all the same message. So the distributed network can identify spams, and at least require the senders to share some of the processing load (through another extension to the SMTP and DNS protocols). A more severe response that might affect mere mass-mailers (different from "spam" because content is either noncommercial, or was solicited by the recipient) would be to report such spam-suspects to blacklist servers, which in turn inform users' spam filters.

    Having had several mass-mailed (big Cc: lists) urgent messages filtered out by corporate spam filters in the past couple of months, I know we need a much better system. Spam is taking down DNS, blocking SMTP, and, even worse, censoring legitimate message needles in the spam haystack. We need network protocols to get smarter, taking advantage of the distributed intelligence that can kill spam. Can the IETF overcome its interest in perpetuating the spam that pays for so much of the Internet, in leading us out of the spam trap?

    --
    make install -not war

  7. Re:Wanted: DNS geek by stratjakt · Score: 2, Insightful

    I don't get it. If this is true, it sounds like a MAJOR MAJOR design flaw in DNS.

    Surely it allows for invalid domain requests, or did they just assume everyone on the net will correctly type the domain name every time?

    Or, is it not the email or DNS itself, but the anti-spam filters that are hammering the DNS servers?

    I don't understand the problem. It sounds like a made up non-issue by the anti-spam crowd, frankly.

    --
    I don't need no instructions to know how to rock!!!!
  8. Re:Auto-register domains by Anonymous Coward · Score: 1, Insightful

    Keep in mind that domains are about $10 a pop to register. I am sure many spammers would love to break the bank of anti-spam activists.

  9. Negative Caching by whoever57 · Score: 4, Insightful

    BIND, at least, does negative caching. Surely this means the load on DNS servers due to looking up the non-existent spam domains is minimal.

    Also, once the mail server has decided that a bounce reply is undeliverable (because of no DNS records), surely it is going to dump the email immediately, rather than continuing to attempt to deliver it?

    So is this a case of SOME brain-dead implementations of DNS and mail servers, or a real problem for all?

    --
    The real "Libtards" are the Libertarians!
  10. Re:Fast DNS updates! by Kissing+Crimson · Score: 2, Insightful

    Good comparison, but I'm going to pick on it anyway...

    Are terrorism references to become the new Godwin's Law? If so, I'd like to name it Jonesy's Law.

    --
    What's that smell? Ah, that's my karma burning...
  11. Two words: RICO Prosecution by swb · Score: 2, Insightful

    Spam involves criminal activity (fraud at the least). It involves many people (mail-senders, product suppliers, and some legitimate businesses like credit card processors, banks, and ISPs).

    Smells like a Racketeer-Influenced Corrupt Organization to me. Anyone even remotely involved gets a ticket to the proverbial Federal PMITA prison for 20 years, $100k in fines.

    These penalties and a wide net are all that can influence spam.

  12. Yet Another Silly Article. by ngc5194 · Score: 2, Insightful

    Wow. The article itself is ... stunning. On a per-word basis, I don't know where I've seen a higher concentration of misconceptions about DNS.

    Most modern MTAs have the ability to reject email purportedly coming from domains that aren't registered. Just as one example, sendmail does this by default. Not registering domain names makes it *much* *easier* for me to avoid spam. I encourage spammers to adopt the practice described in this article.

    Moreover, the costs of looking up nonexistent domains are roughly comparable to the costs associated with looking up existing domains.

    Of course, despite the article being worthless, it's still more than enough cause for the /. regulars to get whipped up into a frenzy.
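Two of the posts above describe the same cheap check from different ends: Zocalo's reply to comment 1 proposes asking whether a body-linked domain exists before spending any SURBL lookups on it, and ngc5194 notes that MTAs already reject mail from sender domains that do not resolve. The following Python is an added example that is not code from the article, from Slashdot, or from any of the posters. It runs offline against a constructed name table standing in for DNS; the `multi.surbl.org` zone name, the 127.0.0.x listing convention, the score weights and all domain names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed, offline stand-in for DNS: a present name resolves, an absent
# name behaves like NXDOMAIN. Addresses are from documentation ranges.
FAKE_DNS = {
    "example.com": "192.0.2.10",
    "spamvertised.example": "203.0.113.7",
    # SURBL-style listing record: <domain>.<list zone> resolves to 127.0.0.x
    # when the domain is listed. The zone name is an assumption for this example.
    "spamvertised.example.multi.surbl.org": "127.0.0.8",
}

SURBL_ZONES = ("multi.surbl.org",)


class CountingResolver:
    """Wraps a name->address table and counts every query it is asked."""

    def __init__(self, table):
        self.table = table
        self.queries = Counter()

    def lookup(self, name):
        name = name.lower().rstrip(".")
        self.queries[name] += 1
        return self.table.get(name)


URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def extract_domains(body):
    """Return the distinct hostnames linked from a message body, in order."""
    seen = []
    for host in URL_HOST_RE.findall(body):
        host = host.lower().rstrip(".")
        if host not in seen:
            seen.append(host)
    return seen


def sender_domain_exists(mail_from, resolver):
    """The MTA-level check ngc5194 describes: does the sender's domain resolve?"""
    domain = mail_from.rsplit("@", 1)[-1]
    return resolver.lookup(domain) is not None


def score_body_domains(body, resolver, surbl_zones=SURBL_ZONES):
    """Existence check first; SURBL lookups only for domains that exist.

    Returns (score, details). The weights are arbitrary constructed values.
    """
    score = 0.0
    details = []
    for domain in extract_domains(body):
        if resolver.lookup(domain) is None:
            # Nobody legitimately links to an unregistered domain: bias toward
            # spam and spend no further queries on this name.
            score += 2.0
            details.append((domain, "nxdomain"))
            continue
        for zone in surbl_zones:
            if resolver.lookup(f"{domain}.{zone}") is not None:
                score += 3.0
                details.append((domain, f"listed in {zone}"))
    return score, details


# Constructed sample message for the demonstration.
SAMPLE_BODY = """Hi,
see http://example.com/ for the old product and
http://spamvertised.example/buy for the new one,
or wait for http://not-registered-yet.example/ to go live.
"""


def demo():
    resolver = CountingResolver(FAKE_DNS)
    score, details = score_body_domains(SAMPLE_BODY, resolver)
    return score, details, sum(resolver.queries.values())


if __name__ == "__main__":
    score, details, nqueries = demo()
    print("score:", score, details)
    print("DNS queries issued:", nqueries)
```

With the sample body, the unregistered domain costs exactly one query and is never sent to the SURBL zone, while the listed domain still gets caught by the normal SURBL lookup; a resolver that caches NXDOMAIN answers makes that single query cheaper still.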

  13. Re:Thats a nice stunt by DarkTempes · Score: 2, Insightful

    the problem is that when you have to look up domains that don't exist it tends to take longer, especially for DNS servers, as, to my understanding, they then ask ANOTHER server if it has it, etc., and thus when you multiply that times about a billion... you end up killing/lagging DNS servers and the server receiving the mail in the first place ;p

  14. Re:Thats a nice stunt by bentfork · Score: 2, Insightful
    Good point. I would hate it if this email got stuck in the spam trap:

    To Accounting@bla.com:
    Please authorise my PO so I may purchase the domain name OurNewProduct.com

  15. Re:False positive when dropping invalid link by statusbar · Score: 2, Insightful

    The invalid link may be a link to an internal website. For instance http://wiki.local./ is valid in the office but invalid outside the firewall.

    Jeff

    --
    ipv6 is my vpn
  16. Re:Thats a nice stunt by Gr8Apes · Score: 2, Insightful

    Seems the simple solution is to cache "bad" addresses in your local DNS server for some specified period of time, probably in an LRU-type cache to prevent spammers from taking it down.

    Add features to your SMTP server so that if a certain source has multiple failing emails, that source could be processed on a queue basis, or even automatically bitbucket anything from that address, since spam comes in waves.

    --
    The cesspool just got a check and balance.
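whoever57 (comment 9) points out that BIND already caches negative answers, and Gr8Apes (comment 16) proposes holding "bad" names in a bounded LRU cache so a flood of distinct junk names cannot exhaust it. The Python below is an added example, not code from the article or from either poster, showing both ideas in one small resolver and measuring how many queries actually reach upstream under a flood of lookups for a nonexistent name. A real resolver takes the negative TTL from the zone's SOA record (RFC 2308); here `neg_ttl` is a fixed assumption, the upstream table is constructed, and every domain name is made up for the demonstration.

```python
import time
from collections import OrderedDict

# Constructed upstream answers for offline use: absent names are NXDOMAIN.
UPSTREAM_TABLE = {"example.com": "192.0.2.10"}


class NegativeCachingResolver:
    """Caches both positive answers and NXDOMAIN results in a bounded LRU.

    Real resolvers derive the negative TTL from the zone's SOA (RFC 2308);
    neg_ttl is a fixed assumption here so the example stays self-contained.
    """

    def __init__(self, upstream, max_entries=1000, pos_ttl=3600,
                 neg_ttl=300, clock=time.monotonic):
        self.upstream = upstream          # callable: name -> address or None
        self.max_entries = max_entries
        self.pos_ttl = pos_ttl
        self.neg_ttl = neg_ttl
        self.clock = clock
        self.cache = OrderedDict()        # name -> (expires_at, answer)
        self.upstream_queries = 0

    def resolve(self, name):
        name = name.lower().rstrip(".")
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None and entry[0] > now:
            self.cache.move_to_end(name)  # refresh LRU position on a hit
            return entry[1]
        answer = self.upstream(name)      # miss or expired: ask upstream once
        self.upstream_queries += 1
        ttl = self.pos_ttl if answer is not None else self.neg_ttl
        self.cache[name] = (now + ttl, answer)
        self.cache.move_to_end(name)
        while len(self.cache) > self.max_entries:
            self.cache.popitem(last=False)  # evict the least recently used name
        return answer


class FakeClock:
    """Deterministic clock so TTL expiry can be demonstrated without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo_flood(repeats=10_000, clock=None):
    """Hammer one nonexistent name, expire it, then flood with distinct junk names.

    Returns (upstream queries after the flood, after TTL expiry, the resolver).
    """
    clock = clock or FakeClock()
    r = NegativeCachingResolver(UPSTREAM_TABLE.get, max_entries=4,
                                neg_ttl=300, clock=clock)
    for _ in range(repeats):
        r.resolve("not-registered-yet.example")
    after_flood = r.upstream_queries
    clock.advance(301)                    # negative entry expires
    r.resolve("not-registered-yet.example")
    after_expiry = r.upstream_queries
    # More distinct bad names than the cache holds: only the most recent
    # max_entries survive, so one spam wave cannot grow the cache unboundedly.
    for i in range(10):
        r.resolve(f"junk{i}.example")
    return after_flood, after_expiry, r


if __name__ == "__main__":
    after_flood, after_expiry, r = demo_flood()
    print("upstream queries after 10000 repeats:", after_flood)
    print("upstream queries after TTL expiry:", after_expiry)
    print("cached names:", list(r.cache))
```

Ten thousand lookups of the same nonexistent name cost one upstream query until the negative TTL runs out, which is the behaviour whoever57 expects from BIND; the junk-name flood then shows why Gr8Apes wants the bound, since without `max_entries` every distinct spamvertised name would stay resident for its full TTL.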