Slashdot Mirror


Spammers Upend DNS

Saint Aardvark writes "eWeek reports on the latest trick of spammers: getting around DNS-based lookups. By registering a domain *after* the spam goes out advertising it, they can get around blacklists. However, that causes all sorts of problems for ISPs and anti-spam services. Paul Judge, CTO at Ciphertrust, says "Even in large enterprises, it's becoming very common to see a large spam load cripple the DNS infrastructure.""

41 of 304 comments

  1. Anti-Spam Legislation Is Only Effective Solution by bigtallmofo · · Score: 5, Funny

    Until they pass a law that makes it completely legal to kill spammers, the spam problem will not go away.

    --
    I'm a big tall mofo.
  2. Fast DNS updates! by Cyn · · Score: 4, Funny

    Thank goodness we can now register domains and have them active within 30 minutes!

    Oh look, my foot's bleeding. Someone must have shot it.

    --
    cyn, free software and *nix operating systems enthusiast.
    1. Re:Fast DNS updates! by 2advanced.net · · Score: 2, Insightful

      Do you stop advancing technology just because the spammers may benefit from it?

      Rapid updates to the .com and .net zones are VERY helpful for a large number of people - punishing them because it also helps spammers is like tearing down skyscrapers to avoid terrorists in airplanes.

    2. Re:Fast DNS updates! by Kissing+Crimson · · Score: 2, Insightful

      Good comparison, but I'm going to pick on it anyway...

      Are terrorism references to become the new Godwin's Law? If so, I'd like to name it Jonesy's Law.

      --
      What's that smell? Ah, that's my karma burning...
  3. That's not the sky falling... by winkydink · · Score: 5, Insightful

    The article goes on to say that some anti-spam applications do as many as 30 DNS lookups. This is a design problem with the apps, not with DNS. Do fewer lookups, minimize the problem. I'd venture that after checking with a few of the major blacklists, you've pretty much hit the point of diminishing returns in distinguishing spam/ham.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:That's not the sky falling... by Anonymous Coward · · Score: 3, Interesting

      The problem with DNS is that it is very slow, and does a lot of things that make lookups too slow and unreliable.

      Looking up www.name.com should take no more than three DNS lookups with an empty cache (To root: "com" DNS server has IP 10.1.2.3; to 10.1.2.3: "name.com" has DNS server with IP 10.2.3.4; to 10.2.3.4: "www.name.com" has IP 10.3.4.5). However, because of DNS' poor design, it doesn't work that way; it can take dozens of DNS lookups from an empty cache to get "www.name.com".

    2. Re:That's not the sky falling... by Zocalo · · Score: 4, Insightful
      No, it's a problem with spammers making references to multiple domains in their email, each of which might need to be checked against several SURBLs. Personally, I'm not fretting this one at all; while it's an ingenious workaround from the spammers to get around the SURBLs, there's a trivial fix.

      At the moment, each domain referenced in the body of a spam is checked against one or more SURBLs to see if it has been spamvertised - hence the 30 lookups figure. Instead of immediately checking the SURBLs, we can just make a single check to see if the domain exists at all; if it doesn't, then skip the SURBL checks and bias the score towards being spam. If it does exist, then we can proceed to check the SURBLs as normal and still nail any spams using known spamvertised domains. If the domain does exist, then it's a single extra DNS lookup which is possibly going to be cached, so a root server query may be avoided. If it doesn't exist, then we skip the SURBL checks and save our 30 DNS queries.

      Yup, it's the old spam arms race again. Give it a month or so and we'll all be moaning about some completely new spammer tactic brought in to replace this one.

      --
      UNIX? They're not even circumcised! Savages!
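The gating idea in Zocalo's post above (one existence check per domain, SURBL lookups only for domains that resolve, a score bias rather than a hard reject for the rest), written out as an added example that is not part of this thread. It stands in for live DNS with constructed tables (`DOMAIN_EXISTS`, `SURBL_ZONES`), and the SURBL zone names, the scoring weights and the sample message are all made up for the illustration; the point it shows is the difference in lookup count and score with and without the gate.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for live DNS. A real filter would issue an A/NS query
# to decide existence and one query per SURBL zone per domain.
DOMAIN_EXISTS: Dict[str, bool] = {
    "example.com": True,
    "known-spamvertised.example": True,    # registered and already listed
    "not-registered-yet.example": False,   # will be registered after the run
}
SURBL_ZONES: Dict[str, Set[str]] = {       # zone -> domains it lists (constructed)
    "multi.surbl.example": {"known-spamvertised.example"},
    "second.surbl.example": set(),
    "third.surbl.example": {"known-spamvertised.example"},
}
NXDOMAIN_SCORE = 2.0    # bias toward spam for each unregistered domain (constructed weight)
SURBL_HIT_SCORE = 3.0   # per SURBL listing hit (constructed weight)

DOMAIN_RE = re.compile(r"https?://([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

# Constructed sample body: two domains that do not resolve, one that is listed.
SAMPLE_BODY = (
    "Buy now at http://not-registered-yet.example/buy or "
    "http://also-unregistered.example/x ; see http://known-spamvertised.example/"
)


def extract_domains(body: str) -> List[str]:
    """Unique domains from http(s) URLs in the message body, in order seen."""
    seen: Set[str] = set()
    out: List[str] = []
    for match in DOMAIN_RE.finditer(body):
        domain = match.group(1).lower()
        if domain not in seen:
            seen.add(domain)
            out.append(domain)
    return out


class LookupCounter:
    """Wraps the constructed lookups so the number of DNS round trips is visible."""

    def __init__(self) -> None:
        self.queries = 0

    def exists(self, domain: str) -> bool:
        self.queries += 1                          # one A/NS query
        return DOMAIN_EXISTS.get(domain, False)    # unknown names are NXDOMAIN here

    def listed(self, domain: str, zone: str) -> bool:
        self.queries += 1                          # one query of <domain>.<zone>
        return domain in SURBL_ZONES[zone]


def score_body(body: str, gate_on_existence: bool = True) -> Tuple[float, int]:
    """Return (spam score, DNS queries issued) for the URLs in a message body.

    With the gate on, a domain that does not exist costs one query and adds a
    spam bias; the SURBL zones are only consulted for domains that resolve.
    """
    dns = LookupCounter()
    score = 0.0
    for domain in extract_domains(body):
        if gate_on_existence and not dns.exists(domain):
            score += NXDOMAIN_SCORE        # skip the SURBLs entirely
            continue
        hits = sum(dns.listed(domain, zone) for zone in SURBL_ZONES)
        score += SURBL_HIT_SCORE * hits
    return score, dns.queries


if __name__ == "__main__":
    print("gated:  ", score_body(SAMPLE_BODY))
    print("ungated:", score_body(SAMPLE_BODY, gate_on_existence=False))
```

Biasing the score instead of rejecting outright matters for the false-positive worry raised further down the thread (malformed URLs, or intranet names like `wiki.local.` that only resolve inside the firewall): a single unresolvable link then nudges the score rather than dropping the message. The existence answer is also negatively cached by the local resolver, so a wave of identical spam pays for the lookup once per TTL.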
  4. Re:Dammit by punkass · · Score: 3, Insightful

    yeah! and make drugs illegal too! that'll teach 'um.

    --
    "Nobody owns the fucking words man." - James Dean
  5. So which is going to come first... by Anonymous Coward · · Score: 2, Interesting

    Email authentication, or the wholesale abandonment of email as a viable communication platform?

    1. Re:So which is going to come first... by TFGeditor · · Score: 3, Interesting

      ..."the wholesale abandonment of email as a viable communication platform?"

      And the alternative with the same capabilities is...?

      --
      Ignorance is curable, stupid is forever.
    2. Re:So which is going to come first... by stratjakt · · Score: 2, Funny

      A fax machine.

      --
      I don't need no instructions to know how to rock!!!!
  6. Wanted: DNS geek by RealityMogul · · Score: 3, Interesting

    When a DNS query goes to an ISP's DNS server, and the entry does not exist, does it go to the root servers?

    Secondly, do invalid domain names get cached (I'm thinking not)?

    1. Re:Wanted: DNS geek by stratjakt · · Score: 2, Insightful

      I don't get it. If this is true, it sounds like a MAJOR MAJOR design flaw in DNS.

      Surely it allows for invalid domain requests, or did they just assume everyone on the net will correctly type the domain name every time?

      Or, is it not the email or DNS itself, but the anti-spam filters that are hammering the DNS servers?

      I don't understand the problem. It sounds like a made up non-issue by the anti-spam crowd, frankly.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:Wanted: DNS geek by marsvin · · Score: 3, Informative

      When a DNS query goes to an ISP's DNS server, and the entry does not exist, does it go to the root servers?

      Yeah, how else would you know it doesn't exist?

      Secondly, do invalid domain names get cached (I'm thinking not)?

      Nowadays yes, but not for very long (on the order of 5 minutes, usually).
    3. Re:Wanted: DNS geek by ngc5194 · · Score: 2, Informative

      When a DNS query goes to an ISP's DNS server, and the entry does not exist, does it go to the root servers?

      When we make a DNS query, it goes to our name server. If the name server does not have a result for that query cached, it queries a higher-level server for information on which name server is authoritative for that domain. It is possible for any DNS query where no component of the domain name is cached to require a query of the root name servers. This is true for any existent or nonexistent domain name.

      Secondly, do invalid domain names get cached (I'm thinking not)?

      I don't know about all implementations, but contemporary versions of BIND all perform "negative caching" for some amount of time. The invalidity of DNS records can be cached.

  7. Re:Thats a nice stunt by skaladin · · Score: 2, Insightful

    Who cares about typos? If it doesn't exist don't forward it. Plain and Simple.

  8. Crippling DNS? How much does DNS suck? by stratjakt · · Score: 2, Interesting

    I don't get it.

    So I send out a million spams, all saying "go to www.stratjaktsmadeupdomainname.com for hot viagra and lower mortgage payments."

    The domain doesn't exist, and people click on it, which "cripples" dns because the dns servers have to respond with a "no such domain name" reply?

    How does this cripple them? Was DNS not designed to handle fat-fingered domains gracefully?

    What happens, do all the requests for my domain get propagated up the chain, is that the crux of the problem? If so, doesn't DNS update like, quite often (several times a day) now? There's no need to kick all requests up to the top, right?

    --
    I don't need no instructions to know how to rock!!!!
  9. all this just makes me sad... by jxyama · · Score: 2, Insightful
    ...and also mad.

    this is not meant as any kind of informative post, but every time i read something like this, or receive another spam in my Inbox, i feel a bit of both sadness and anger...

    here is a wonderful tool that made communication easy, fast and cheap but is absolutely being ruined by the malicious few with absolutely no morals, ethics or concerns for others.

    just like those orphan traders at tsunami disaster areas... i really would like to have a chance to confront these disgusting people and try to make sense of their thought process...

  10. Auto-register domains by crow · · Score: 5, Interesting

    Some anti-spam group should set up a spam filter that looks for domain names, and registers any that it sees that aren't valid. They would point to a web site that politely explains to users how stupid they are for clicking on a link in spam.

    I expect spammers would drop that technique quite quickly if that were done.

  11. spam protocol hogging by Doc+Ruby · · Score: 4, Insightful

    DNS could play a role in beating spam. DNS servers suffering from "spam overload" can see that they're handling a lot of the same lookups, that are overloading them. They could flag their responses back to the isolated SMTP servers that are processing the spams, which can tell that they're all the same message. So the distributed network can identify spams, and at least require the senders to share some of the processing load (through another extension to the SMTP and DNS protocols). A more severe response that might affect mere mass-mailers (different from "spam" because content is either noncommercial, or was solicited by the recipient) would be to report such spam-suspects to blacklist servers, which in turn inform users spam filters.

    Having had several mass-mailed (big Cc: lists) urgent messages filtered out by corporate spam filters in the past couple of months, I know we need a much better system. Spam is taking down DNS, blocking SMTP, and, even worse, censoring legitimate message needles in the spam haystack. We need network protocols to get smarter, taking advantage of the distributed intelligence that can kill spam. Can the IETF overcome its interest in perpetuating the spam that pays for so much of the Internet, in leading us out of the spam trap?

    --
    make install -not war

  12. Re:Thats a nice stunt by 2advanced.net · · Score: 3, Informative

    You've misunderstood the problem ...

    The domains sending the email exist, but the ones advertised in the email do not. Because SpamCop (et al.) punish not only the sending IP block, but also the advertised host/IP block, spammers are advertising sites that won't exist for a few hours, tricking SpamCop (et al.) into reporting on domains that don't exist and therefore cannot be penalized.

  13. Negative Caching by whoever57 · · Score: 4, Insightful

    BIND, at least, does negative caching. Surely this means the load on DNS servers due to looking up the non-existent spam domains is minimal.

    Also, once the mail server has decided that a bounce reply is undeliverable (because of no DNS records), surely it is going to dump the email immediately, rather than continuing to attempt to deliver it?

    So is this a case of SOME brain dead implementations of DNS and mail servers, or a real problem for all?

    --
    The real "Libtards" are the Libertarians!
  14. Spam by clinko · · Score: 2, Funny

    I hate this new trend! I have to wait until morning until I can order my v!@gra!!!

    What happened to the good old days, when I could order B0n3r Juic3 as soon as I got my mail!

  15. Re:Thats a nice stunt by Kissing+Crimson · · Score: 4, Interesting

    Yup. If it shouldn't come in, and it can't be returned, drop it on the floor.

    So often times my (l)users ask me why they received an email saying their computer is infected with a virus (bogus bounces due to viruses changing their source addresses).

    My servers drop anything that doesn't seem right: virus infections, RBL tagged connections, obviously forged senders, etc. When a message gets delivered to the bit bucket; no more processing, no more network traffic, no more (l)user complaints.

    And I never get a complaint.

    --
    What's that smell? Ah, that's my karma burning...
  16. Re:Crippling DNS? How much does DNS suck? by 2advanced.net · · Score: 2, Informative

    Failed requests (non existent domains) always go to the root servers.

  17. Bogus article by SSpade · · Score: 2, Interesting

    Either the journalist drastically misunderstood and misinterpreted what they were told, or one of the people interviewed is launching some magic snake-oil product that'll "solve" this non-existent problem. (Yes, I know exactly what spammers do. That's my job. I know exactly what DNS does, that was my previous job. This article is fiction.)

    1. Re:Bogus article by Anonymous Coward · · Score: 2, Funny

      Yes, I know exactly what spammers do. That's my job

      Helpful suggestion: work on the phrasing a little bit, there, when you update your resume.

  18. Re:Thats a nice stunt by networkBoy · · Score: 3, Interesting

    Overall I agree with this, but my concern is that if you parse the message and find invalid URLs then a valid message will be dropped because of a malformed text string. While I suppose that's better than letting more spam through, I would be uneasy about the increase in false positives.
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  19. I noticed I am getting spam again by Billly+Gates · · Score: 2

    With Yahoo mail.

    I typically get 80 messages a day which the bulk mailer always finds. These last 2 or 3 weeks only half the spam is being caught and my mail box is becoming loaded again. I was wondering why the fail rate was going up.

    My guess is Yahoo used dns lookups in its anti-spam software.

  20. Two words: RICO Prosecution by swb · · Score: 2, Insightful

    Spam involves criminal activity (fraud at the least). It involves many people (mail-senders, product suppliers, and some legitimate businesses like credit card processors, banks, and ISPs).

    Smells like a Racketeer-Influenced Corrupt Organization to me. Anyone even remotely involved gets a ticket to the proverbial Federal PMITA prison for 20 years, $100k in fines.

    These penalties and a wide net are all that can influence spam.

  21. Yet Another Silly Article. by ngc5194 · · Score: 2, Insightful

    Wow. The article itself is ... stunning. On a per-word basis, I don't know where I've seen a higher concentration of misconceptions about DNS.

    Most modern MTAs have the ability to reject email purportedly coming from domains that aren't registered. Just as one example, sendmail does this by default. Not registering domain names makes it *much* *easier* for me to avoid spam. I encourage spammers to adopt the practice described in this article.

    Moreover, the costs of looking up nonexistent domains are roughly comparable to the costs associated with looking up existing domains.

    Of course, despite the article being worthless, it's still more than enough cause for the /. regulars to get whipped up into a frenzy.

  22. Re:Thats a nice stunt by DarkTempes · · Score: 2, Insightful

    the problem is that when you have to look up domains that don't exist it tends to take longer, especially for DNS servers, as to my understanding they then ask ANOTHER server if it has it, etc. and thus when you multiply that times about a billion... you end up killing/lagging DNS servers and the server receiving the mail in the first place ;p

  23. Re:Thats a nice stunt by bentfork · · Score: 2, Insightful
    Good point. I would hate it if this email got stuck in the spam trap

    To Accounting@bla.com:
    Please authorise my PO so I may purchase the domain name OurNewProduct.com

  24. Legal countermeasures by earthforce_1 · · Score: 2, Interesting

    Standard IANAL disclaimer, but:

    Couldn't the spammers be sued for causing what amounts to a DOS attack on the recipient mailserver?

    Also, if sexual predators and hackers can be barred from going online, and if corrupt executives can be barred from acting as corporate directors, why can't judges ban unrepentant spammers from going online, or carrying on an internet related business? (And extradited if they subsequently set up shop offshore)

    --
    My rights don't need management.
  25. Re:False positive when dropping invalid link by statusbar · · Score: 2, Insightful

    The invalid link may be a link to an internal website. For instance http://wiki.local./ is valid in the office but invalid outside the firewall.

    Jeff

    --
    ipv6 is my vpn
  26. Re:Thats a nice stunt by Gr8Apes · · Score: 2, Insightful

    Seems the simple solution is to cache "bad" addresses in your local DNS server for some specified period of time, probably in an LRU type cache to prevent Spammers from taking it down.

    Adding features in your SMTP server that if a certain source has multiple failing emails, that source could be processed on a queue basis, or even automatically bitbucket anything from that address since spam comes in waves.

    --
    The cesspool just got a check and balance.
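The resolver behaviour argued over in threads 6 ("Wanted: DNS geek"), 13 ("Negative Caching") and 26 (the LRU suggestion just above), written out as one added example that is not part of this thread: a toy recursive resolver that walks root -> TLD -> authoritative, caches delegations and positive answers, negatively caches NXDOMAIN for a short TTL (RFC 2308 style), and bounds the answer cache with an LRU limit. The zone data, TTLs and host names are all constructed; the counter shows how many queries actually leave the resolver for a repeated bogus name once the `.com` delegation is cached.

```python
from collections import OrderedDict
from typing import Dict, Optional, Tuple

# Constructed delegation tree standing in for the real DNS.
ROOT_DELEGATIONS = {"com."}                                   # TLDs the root knows
TLD_DELEGATIONS = {"com.": {"name.com."}}                     # zones each TLD delegates
AUTH_RECORDS = {"name.com.": {"www.name.com.": "10.3.4.5"}}   # A records per zone
POS_TTL = 3600   # seconds, constructed positive TTL
NEG_TTL = 300    # seconds; negative answers cached for the SOA MINIMUM (RFC 2308)


class CachingResolver:
    """Toy recursive resolver: caches delegations, answers and NXDOMAIN, with an
    LRU bound on the answer cache so a flood of unique bogus names cannot grow it
    without limit."""

    def __init__(self, max_entries: int = 1000) -> None:
        # name -> (address or None for NXDOMAIN, expiry time); insertion order = LRU order
        self.answers: "OrderedDict[str, Tuple[Optional[str], float]]" = OrderedDict()
        self.delegations: Dict[str, float] = {}   # zone -> expiry of cached NS info
        self.max_entries = max_entries
        self.upstream_queries = 0                 # queries that left the resolver

    def _cached_answer(self, name: str, now: float):
        entry = self.answers.get(name)
        if entry is None:
            return None
        if now >= entry[1]:                        # TTL expired, drop it
            del self.answers[name]
            return None
        self.answers.move_to_end(name)             # mark as recently used
        return entry

    def _store(self, name: str, answer: Optional[str], ttl: float, now: float) -> None:
        self.answers[name] = (answer, now + ttl)
        self.answers.move_to_end(name)
        while len(self.answers) > self.max_entries:
            self.answers.popitem(last=False)       # evict least recently used

    def _delegation_known(self, zone: str, now: float) -> bool:
        expiry = self.delegations.get(zone)
        return expiry is not None and now < expiry

    def resolve(self, name: str, now: float = 0.0) -> Optional[str]:
        """Return the A record for name, or None for NXDOMAIN."""
        name = name.lower().rstrip(".") + "."
        hit = self._cached_answer(name, now)
        if hit is not None:
            return hit[0]                          # positive or negative cache hit
        labels = name.split(".")                   # "www.name.com." -> ["www","name","com",""]
        tld = labels[-2] + "."
        if not self._delegation_known(tld, now):
            self.upstream_queries += 1             # ask a root server for the TLD's NS
            if tld not in ROOT_DELEGATIONS:
                self._store(name, None, NEG_TTL, now)
                return None
            self.delegations[tld] = now + POS_TTL
        zone = ".".join(labels[-3:])               # "name.com."
        if not self._delegation_known(zone, now):
            self.upstream_queries += 1             # ask the TLD server for the zone's NS
            if zone not in TLD_DELEGATIONS.get(tld, set()):
                self._store(name, None, NEG_TTL, now)
                return None
            self.delegations[zone] = now + POS_TTL
        self.upstream_queries += 1                 # ask the authoritative server
        addr = AUTH_RECORDS.get(zone, {}).get(name)
        self._store(name, addr, POS_TTL if addr else NEG_TTL, now)
        return addr


if __name__ == "__main__":
    r = CachingResolver()
    print(r.resolve("www.name.com", 0), r.upstream_queries)                 # 10.3.4.5 3
    print(r.resolve("stratjaktsmadeupdomainname.com", 20), r.upstream_queries)  # None 4
    print(r.resolve("stratjaktsmadeupdomainname.com", 30), r.upstream_queries)  # None 4
```

Two things the walk makes visible: a nonexistent name under an already-cached TLD costs one upstream query, not a trip to the root, and the same name asked again inside the negative TTL costs nothing. The LRU bound is a trade-off: a large enough stream of distinct bogus names can push legitimate entries out, after which those need a fresh authoritative query (the cached delegations still spare the root and TLD servers).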
  27. The article is wrong. by mortonda · · Score: 3, Informative

    The article is just wrong, and there's a feedback post on the same page that explains why very well. (Although, what's with the stupid formatting?)

  28. Re:I bet... by AndroidCat · · Score: 2, Informative

    That's the one that by default, sends spam bounces to forged email addresses?

    --
    One line blog. I hear that they're called Twitters now.
  29. Just Greylist! by emil · · Score: 2, Informative

    OpenBSD's spamd will initially reject all mail from previously unknown sources. It will only permit access to sendmail after an attempt at redelivery. This has brought my spam load down to about zero.

    Unless a spammer using the above trick attempted redelivery (which is unlikely), it would not cause a DNS flood.

    spamd is only one of a great many reasons to consider OpenBSD on your critical servers.

    1. Re:Just Greylist! by Greyfox · · Score: 2, Informative
      There's a similar daemon out there called postgrey which does pretty much the same thing. If you run Debian and your own mail server, you can just apt-get install postgrey.

      It doesn't work 100% of the time but between that and SPF checking, my spam load has been reduced to 3 or 4 a month. I could ban hotmail and yahoo and that'd pretty much eliminate spam from my mailbox completely.

      They'll figure this trick out eventually though, then I'll have to come up with something else.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
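The greylisting behaviour emil and Greyfox describe (temporarily reject the first attempt from an unknown sender, accept once it retries after a delay), written out as an added example that is not spamd's or postgrey's code. The delay, expiry and whitelist durations are constructed values, and keying the client on its /24 (or /64 for IPv6) is a design choice made here so a retry from a neighbouring host in the same sending pool still counts.

```python
import ipaddress
from typing import Dict, Tuple

GREY_DELAY = 300              # seconds a new triplet must wait before acceptance (constructed)
GREY_EXPIRE = 4 * 3600        # seconds an unretried triplet is remembered (constructed)
WHITELIST_TTL = 36 * 24 * 3600  # seconds a triplet that retried stays accepted (constructed)

Triplet = Tuple[str, str, str]


def _client_key(ip: str) -> str:
    """Collapse the client address to its /24 (IPv4) or /64 (IPv6) network."""
    prefix = "/64" if ":" in ip else "/24"
    return str(ipaddress.ip_network(ip + prefix, strict=False))


class Greylist:
    """Tracks (client network, sender, recipient) triplets across SMTP attempts."""

    def __init__(self, delay: float = GREY_DELAY, expire: float = GREY_EXPIRE,
                 whitelist_ttl: float = WHITELIST_TTL) -> None:
        self.delay, self.expire, self.whitelist_ttl = delay, expire, whitelist_ttl
        self.pending: Dict[Triplet, float] = {}   # triplet -> time first seen
        self.passed: Dict[Triplet, float] = {}    # triplet -> whitelist expiry

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> Tuple[int, str]:
        """Return the SMTP reply (code, text) for this delivery attempt."""
        key = (_client_key(client_ip), sender.lower(), recipient.lower())
        expiry = self.passed.get(key)
        if expiry is not None and now < expiry:
            self.passed[key] = now + self.whitelist_ttl   # refresh on use
            return 250, "2.0.0 OK"
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.expire:
            self.pending[key] = now                       # first sight (or stale): start the clock
            return 451, "4.7.1 Greylisted, please try again later"
        if now - first_seen < self.delay:
            return 451, "4.7.1 Greylisted, please try again later"
        del self.pending[key]                             # retried after the delay: real MTA behaviour
        self.passed[key] = now + self.whitelist_ttl
        return 250, "2.0.0 OK"


if __name__ == "__main__":
    g = Greylist()
    for t in (0, 60, 400, 500):
        print(t, g.check("10.1.2.3", "bulk@sender.example", "me@example.org", now=t))
```

The reject happens at the envelope stage, before any body is parsed, so a one-shot mailer that never retries never triggers the per-domain SURBL lookups at all; that is the sense in which the trick in the article does not turn into a DNS flood on a greylisting host. The cost is a delay on first contact with each new sender, which is why the whitelist lifetime is long relative to the delay.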

  30. Re:Thats a nice stunt by Anonymous Coward · · Score: 2, Informative
    You've misunderstood the problem

    Not according to the article:

    One troublesome technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. [...] During the interval between mailing and registration, the SMTP servers on the recipients' networks attempt Domain Name System look-ups on the nonexistent domain, causing delays and timeouts on the DNS servers and backups in SMTP message queues.


    The sending domains *don't* exist.

    Honestly, this seems pretty overrated - any mail coming into our domain gets a single lookup - if the domain doesn't exist, it gets a 500. If the domain exists, but the DNS servers time out, it gets a 450.

    Why anyone would accept mail from a domain that doesn't exist is beyond me.
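The envelope-time check the poster above describes (one lookup on the sender's domain; nonexistent domain gets a 5xx, DNS timeout gets a 4xx), and the sendmail default ngc5194 mentions in comment 21, written out as an added example that is not any MTA's code. The resolver is replaced by a constructed table (`FAKE_DNS`); a real implementation would do the MX lookup with a fallback to A/AAAA as RFC 5321 describes. The enhanced status codes are from RFC 3463; the split between permanent and temporary failures is the point of the example.

```python
from enum import Enum
from typing import Callable, Tuple


class DnsOutcome(Enum):
    ANSWER = "answer"        # MX or A/AAAA data exists
    NODATA = "nodata"        # name exists but carries no MX and no address records
    NXDOMAIN = "nxdomain"    # authoritative "no such domain"
    TIMEOUT = "timeout"      # SERVFAIL or no answer from the resolver in time


# Constructed resolver table standing in for MX + A/AAAA lookups of a sender domain.
FAKE_DNS = {
    "example.org": DnsOutcome.ANSWER,
    "not-registered-yet.example": DnsOutcome.NXDOMAIN,
    "slow-dns.example": DnsOutcome.TIMEOUT,
    "no-mail.example": DnsOutcome.NODATA,
}


def lookup_mail_domain(domain: str) -> DnsOutcome:
    """Constructed lookup: anything not in the table is treated as NXDOMAIN."""
    return FAKE_DNS.get(domain.lower(), DnsOutcome.NXDOMAIN)


def check_mail_from(sender: str,
                    lookup: Callable[[str], DnsOutcome] = lookup_mail_domain) -> Tuple[int, str]:
    """SMTP reply for MAIL FROM:<sender> based on whether the domain can receive mail.

    Permanent DNS failures get 5xx (a bounce could not reach that domain either);
    transient ones get 4xx so a legitimate sender with flaky DNS retries instead
    of losing the message.
    """
    if sender == "":                               # null sender: bounces, must be accepted (RFC 5321)
        return 250, "2.1.0 OK"
    if "@" not in sender:
        return 501, "5.1.7 Bad sender address syntax"
    domain = sender.rsplit("@", 1)[1].rstrip(".")
    if domain.startswith("[") and domain.endswith("]"):
        return 250, "2.1.0 OK"                     # address literal, no DNS involved
    outcome = lookup(domain)
    if outcome is DnsOutcome.ANSWER:
        return 250, "2.1.0 OK"
    if outcome is DnsOutcome.TIMEOUT:
        return 450, "4.1.8 Sender address domain lookup failed temporarily, try again later"
    # NXDOMAIN and NODATA are both authoritative: nothing at that domain accepts mail.
    return 550, "5.1.8 Sender address domain does not exist or accepts no mail"


if __name__ == "__main__":
    for s in ("bob@example.org", "bulk@not-registered-yet.example", "bulk@slow-dns.example", ""):
        print(repr(s), check_mail_from(s))
```

One lookup per connection is all this costs, and the resolver's negative cache absorbs repeats of the same unregistered domain. The 450 path is what keeps a DNS outage at a real correspondent from turning into lost mail, at the price of the sender's queue holding the message until the lookup succeeds.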