Slashdot Mirror


Spammers Upend DNS

Saint Aardvark writes "eWeek reports on the latest trick of spammers: getting around DNS-based lookups. By registering a domain *after* the spam goes out advertising it, they can get around blacklists. However, that causes all sorts of problems for ISPs and anti-spam services. Paul Judge, CTO at Ciphertrust, says "Even in large enterprises, it's becoming very common to see a large spam load cripple the DNS infrastructure.""

8 of 304 comments

  1. Anti-Spam Legislation Is Only Effective Solution by bigtallmofo · · Score: 5, Funny

    Until they pass a law that makes it completely legal to kill spammers, the spam problem will not go away.

    --
    I'm a big tall mofo.
  2. Fast DNS updates! by Cyn · · Score: 4, Funny

    Thank goodness we can now register domains and have them active within 30 minutes!

    Oh look, my foot's bleeding. Someone must have shot it.

    --
    cyn, free software and *nix operating systems enthusiast.
  3. That's not the sky falling... by winkydink · · Score: 5, Insightful

    The article goes on to say that some anti-spam applications do as many as 30 DNS lookups. This is a design problem with the apps, not with DNS. Do fewer lookups, minimize the problem. I'd venture that after checking with a few of the major blacklists, you've pretty much hit the point of diminishing returns in distinguishing spam/ham.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:That's not the sky falling... by Zocalo · · Score: 4, Insightful
      No, it's a problem with spammers making references to multiple domains in their email, each of which might need to be checked against several SURBLs. Personally, I'm not fretting this one at all; while it's an ingenious workaround from the spammers to get around the SURBLs, there's a trivial fix.

      At the moment, each domain referenced in the body of a spam is checked against one or more SURBLs to see if it has been spamvertised - hence the 30 lookups figure. Instead of immediately checking the SURBLs, we can just make a single check to see if the domain exists at all; if it doesn't, then skip the SURBL checks and bias the score towards being spam. If it does exist, then we can proceed to check the SURBLs as normal and still nail any spams using known spamvertised domains. If the domain does exist, then it's a single extra DNS lookup which is possibly going to be cached, so a root server query may be avoided. If it doesn't exist, then we skip the SURBL checks and save our 30 DNS queries.

      Yup, it's the old spam arms race again. Give it a month or so and we'll all be moaning about some completely new spammer tactic brought in to replace this one.

      --
      UNIX? They're not even circumcised! Savages!
  4. Auto-register domains by crow · · Score: 5, Interesting

    Some anti-spam group should set up a spam filter that looks for domain names, and registers any that it sees that aren't valid. They would point to a web site that politely explains to users how stupid they are for clicking on a link in spam.

    I expect spammers would drop that technique quite quickly if that were done.

  5. spam protocol hogging by Doc+Ruby · · Score: 4, Insightful

    DNS could play a role in beating spam. DNS servers suffering from "spam overload" can see that they're handling a lot of the same lookups, which are overloading them. They could flag their responses back to the isolated SMTP servers that are processing the spams, which can tell that they're all the same message. So the distributed network can identify spams, and at least require the senders to share some of the processing load (through another extension to the SMTP and DNS protocols). A more severe response that might affect mere mass-mailers (different from "spam" because content is either noncommercial, or was solicited by the recipient) would be to report such spam-suspects to blacklist servers, which in turn inform users' spam filters.

    Having had several mass-mailed (big Cc: lists) urgent messages filtered out by corporate spam filters in the past couple of months, I know we need a much better system. Spam is taking down DNS, blocking SMTP, and, even worse, censoring legitimate message needles in the spam haystack. We need network protocols to get smarter, taking advantage of the distributed intelligence that can kill spam. Can the IETF overcome its interest in perpetuating the spam that pays for so much of the Internet, in leading us out of the spam trap?

    --
    make install -not war

  6. Negative Caching by whoever57 · · Score: 4, Insightful

    BIND, at least, does negative caching. Surely this means the load on DNS servers due to looking up the non-existent spam domains is minimal.

    Also, once the mail server has decided that a bounce reply is undeliverable (because of no DNS records), surely it is going to dump the email immediately, rather than continuing to attempt to deliver it?

    So is this a case of SOME brain-dead implementations of DNS and mail servers, or a real problem for all?

    --
    The real "Libtards" are the Libertarians!
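  The existence-first scoring that Zocalo describes (comment 3.1) and the negative-caching point whoever57 raises (comment 6) are both easy to check with a small model. The following is an added example, not code from the article or from any of the commenters: it extracts the spamvertised domains from a message body, compares the "query every list for every domain" approach against "one existence lookup first, lists only for domains that resolve", and counts how many queries reach a toy resolver that remembers NXDOMAIN answers. The SURBL zone names, the scoring weights and the sample spam are all constructed for illustration; nothing here touches the network.

```python
import re
from typing import Dict, List, Set, Tuple

# Hypothetical SURBL-style zones, an assumption for illustration only; real
# list names differ, and every lookup below goes to the toy resolver.
SURBL_ZONES = ("sbl.example", "ws.example", "ob.example")

LISTED_SCORE = 3.0        # weight for a domain found on one list
UNREGISTERED_SCORE = 1.0  # bias for a domain that does not resolve at all

DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)


def extract_domains(body: str) -> List[str]:
    """Return the distinct hostnames referenced by URLs in a message body."""
    seen: Set[str] = set()
    domains: List[str] = []
    for match in DOMAIN_RE.finditer(body):
        name = match.group(1).lower().rstrip(".")
        if name not in seen:
            seen.add(name)
            domains.append(name)
    return domains


class CountingResolver:
    """Toy stand-in for a caching resolver.

    Answers come from a constructed name->exists map, every query that misses
    the cache is counted, and NXDOMAIN answers are remembered (negative
    caching, as BIND does using the zone's SOA minimum TTL; TTL expiry is
    ignored in this model, and positive answers are deliberately not cached
    so the negative-cache effect is visible on its own).
    """

    def __init__(self, zone: Dict[str, bool]):
        self.zone = zone
        self.queries = 0
        self.negative_cache: Set[str] = set()

    def exists(self, name: str) -> bool:
        if name in self.negative_cache:
            return False
        self.queries += 1
        if self.zone.get(name, False):
            return True
        self.negative_cache.add(name)
        return False


def surbl_hits(domain: str, resolver: CountingResolver) -> int:
    """Query every SURBL zone for one domain; this is the path that costs 30 lookups."""
    return sum(resolver.exists(f"{domain}.{zone}") for zone in SURBL_ZONES)


def score_naive(body: str, resolver: CountingResolver) -> Tuple[float, int]:
    """Check every referenced domain against every list. Returns (score, queries)."""
    start = resolver.queries
    score = 0.0
    for domain in extract_domains(body):
        score += LISTED_SCORE * surbl_hits(domain, resolver)
    return score, resolver.queries - start


def score_existence_first(body: str, resolver: CountingResolver) -> Tuple[float, int]:
    """One existence lookup per domain; only domains that resolve reach the SURBLs."""
    start = resolver.queries
    score = 0.0
    for domain in extract_domains(body):
        if not resolver.exists(domain):
            score += UNREGISTERED_SCORE  # not registered (yet): bias to spam, skip lists
            continue
        score += LISTED_SCORE * surbl_hits(domain, resolver)
    return score, resolver.queries - start


# Constructed sample: ten spamvertised domains, two registered (one of them
# listed), eight not registered when the mail arrives.
SPAM = """Subject: cheap pills
Order now at http://pills-now.example/ or http://deals.example/promo
Mirrors: http://cheap1.example http://cheap2.example http://cheap3.example
http://cheap4.example http://cheap5.example http://cheap6.example
http://cheap7.example http://cheap8.example
"""

ZONE = {
    "pills-now.example": True,
    "deals.example": True,
    "pills-now.example.sbl.example": True,  # listed in one zone
}

if __name__ == "__main__":
    for scorer in (score_naive, score_existence_first):
        resolver = CountingResolver(ZONE)
        first = scorer(SPAM, resolver)
        second = scorer(SPAM, resolver)  # same spam again, negative cache warm
        print(scorer.__name__, "first:", first, "second:", second)
```

  With this sample the naive path costs 30 queries the first time and the existence-first path 16 (ten existence lookups plus three list lookups for each of the two domains that resolve), and it also scores the message higher because the eight unregistered domains each add the spam bias. Once the resolver has the NXDOMAIN answers cached, a second copy of the same spam costs 1 and 3 queries respectively, which is the effect whoever57 is pointing at. Two caveats a practitioner would keep in mind: the existence lookup for a not-yet-registered name is itself answered (negatively) by the TLD servers, so the saving depends on that negative answer being cached for a useful TTL, and since the spammer registers the domain after the run goes out, a domain that fails the check now may resolve when the next wave arrives.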
  7. Re:Thats a nice stunt by Kissing+Crimson · · Score: 4, Interesting

    Yup. If it shouldn't come in, and it can't be returned, drop it on the floor.

    So often my (l)users ask me why they received an email saying their computer is infected with a virus (bogus bounces due to viruses changing their source addresses).

    My servers drop anything that doesn't seem right: virus infections, RBL tagged connections, obviously forged senders, etc. When a message gets delivered to the bit bucket; no more processing, no more network traffic, no more (l)user complaints.

    And I never get a complaint.

    --
    What's that smell? Ah, that's my karma burning...