Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spammers' Upend DNS

Posted by CmdrTaco on from the cat-and-mouse dept.

Saint Aardvark writes "eWeek reports on the latest trick of spammers: getting around DNS-based lookups. By registering a domain *after* the spam goes out advertising it, they can get around blacklists. However, that causes all sorts of problems for ISPs and anti-spam services. Paul Judge, CTO at Ciphertrust, says "Even in large enterprises, it's becoming very common to see a large spam load cripple the DNS infrastructure.""

16 of 304 comments (clear)

  1. Anti-Spam Legislation Is Only Effective Solution by bigtallmofo · · Score: 5, Funny

    Until they pass a law that makes it completely legal to kill spammers, the spam problem will not go away.

    --
    I'm a big tall mofo.
  2. Fast DNS updates! by Cyn · · Score: 4, Funny

    Thank goodness we can now register domains and have them active within 30 minutes!

    Oh look, my foot's bleeding. Someone must have shot it.

    --
    cyn, free software and *nix operating systems enthusiast.
  3. That's not the sky falling... by winkydink · · Score: 5, Insightful

    The article goes on to say that some anti-spam applications do as many as 30 dns lookups. This is a design problem with the apps, not with DNS. Do less lookups, minimize the problem. I'd venture that after checking with a few of the major blacklists, you've pretty much hit the point of diminishing return in distinguishing spam/ham.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:That's not the sky falling... by Anonymous Coward · · Score: 3, Interesting

      The problem with DNS is that it is very slow, and does a lot of things that make lookups too slow and unreliable.

      Looking up www.name.com should take no more than three DNS lookups with an empty cache (To root: "com" DNS server has IP 10.1.2.3; to 10.1.2.3: "name.com" has DNS server with IP 10.2.3.4; to 10.2.3.4: "www.name.com" has IP 10.3.4.5). However, because of DNS' poor design, it doesn't work that way; it can take dozens DNS lookups from an empty cache to get "www.name.com".

    2. Re:That's not the sky falling... by Zocalo · · Score: 4, Insightful
      No, it's a problem with spammers making references to multiple domains in their email, each of which might need to be checked against several SURBLs. Personally, I'm not fretting this one at all; while it's an ingenious work around from the spammers to get around the SURBLs, there's a trivial fix.

      At the moment, each domain referenced in the body of a spam is checked against one or more SURBLs to see if it has been spamvertised - hence the 30 lookups figure. Instead of immediately checking the SUBLS, we can just make a single check to see if the domain exists at all, if it doesn't then skip the SURBL checks and bias the score towards being spam. If it does exist, then we can proceed to check the SURBLs as normal and still nail any spams using known spamvertised domains. If the domain does exist, then it's a single extra DNS lookup which is possibly going to be cached, so a root server query may be avoided. If it doesn't exist, then we skip the SURBL checks and save our 30 DNS queries.

      Yup, it's the old spam arms race again. Give it a month or so and we'll all be moaning about some completely new spammer tactic brought in to replace this one.

      --
      UNIX? They're not even circumcised! Savages!
  4. Re:Dammit by punkass · · Score: 3, Insightful

    yeah! and make drugs illegal too! that'll teach 'um.

    --
    "Nobody owns the fucking words man." - James Dean
  5. Wanted: DNS geek by RealityMogul · · Score: 3, Interesting

    When a DNS query goes to an ISPs DNS server, and the entry does not exist, does it go to the root servers?

    Secondly, do invalid domain names get cached (I'm thinking not)?

    1. Re:Wanted: DNS geek by marsvin · · Score: 3, Informative
      When a DNS query goes to an ISPs DNS server, and the entry does not exist, does it go to the root servers?
      Yeah, how else would you know it doesn't exist?
      Secondly, do invalid domain names get cached (I'm thinking not)?
      Nowadays yes, but not for very long (on the order of 5 minutes, usually).
  6. Auto-register domains by crow · · Score: 5, Interesting

    Some anti-spam group should set up a spam filter that looks for domain names, and registers any that it sees that aren't valid. They would point to a web site that politely explains to users how stupid they are for clicking on a link in spam.

    I expect spammers would drop that technique quite quickly if that were done.

  7. spam protocol hogging by Doc+Ruby · · Score: 4, Insightful

    DNS could play a role in beating spam. DNS servers suffering from "spam overload" can see that they're handling a lot of the same lookups, that are overloading them. They could flag their responses back to the isolated SMTP servers that are processing the spams, which can tell that they're all the same message. So the distributed network can identify spams, and at least require the senders to share some of the processing load (through another extension to the SMTP and DNS protocols). A more severe response that might affect mere mass-mailers (different from "spam" because content is either noncommercial, or was solicited by the recipient) would be to report such spam-suspects to blacklist servers, which in turn inform users spam filters.

    Having had several mass-mailed (big Cc: lists) urgent messages filtered out by corporate spam filters in the past couple of months, I know we need a much better system. Spam is taking down DNS, blocking SMTP, and, even worse, censoring legitimate message needles in the spam haystack. We need network protocols to get smarter, taking advantage of the distributed intelligence that can kill spam. Can the IETF overcome its interest in perpetuating the spam that pays for so much of the Internet, in leading us out of the spam trap?

    --

    --
    make install -not war

  8. Re:Thats a nice stunt by 2advanced.net · · Score: 3, Informative

    You've misunderstood the problem ...

    The domains sending the email exist, but the ones advertised in the email do not. Because SpamCop (et. al) punish not only the sending IP block, but also the advertised host/IP block, spammers are advertising sites that won't exist for a few hours, tricking SpamCop (et al) into reporting on domains that don't exist and therefore cannot be penalized.

    --
    2advanced.net - Business Quality Hosting
  9. Negative Caching by whoever57 · · Score: 4, Insightful

    BIND, at least, does negative caching. Surely this means the load on DNS servers due to looking up the non-existent spam domains is minimal.

    Also, once the mail server has decided that a bounce reply is undeliverable (because of no DNS records), surely it is going to dump the email immediately, rather than continuning to attempt to deliver it?

    So is this a case of SOME brain dead implementaions of DNS and mail servers, or a real problem for all?

    --
    The real "Libtards" are the Libertarians!
  10. Re:Thats a nice stunt by Kissing+Crimson · · Score: 4, Interesting

    Yup. If it shouldn't come in, and it can't be returned, drop it on the floor.

    So often times my (l)users ask me why they received an email saying their computer is infected with a virus (bogus bounces due to a virii changing their source addresses)

    My servers drop anything that doesn't seem right: virus infections, RBL tagged connections, obviously forged senders, etc. When a message gets delivered to the bit bucket; no more processing, no more network traffic, no more (l)user complaints.

    And I never get a complaint.

    --
    What's that smell? Ah, that's my karma burning...
  11. Re:So which is going to come first... by TFGeditor · · Score: 3, Interesting

    ..."the wholesale abandonment of email as a viable communication platform?"

    And the alternative with the same capabilities is...?

    --
    Ignorance is curable, stupid is forever.
  12. Re:Thats a nice stunt by networkBoy · · Score: 3, Interesting

    Overall I agree with this, but my concern is that if you parse the message and find invalid url's then a valid message will be dropped because of a malformed text string. While I suppose that's better than letting more spam through, I would be uneasy about the increase in false positives.
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  13. The article is wrong. by mortonda · · Score: 3, Informative

    The article is just wrong, and there's a feedback post on the same page that explains why very well. (Although, what's with the stupid formatting?)