Spammers' New Tactic Upends DNS
Yahoo! News ^ | 9 January 2005 | Dennis Fisher

Posted on 01/10/2005 10:05:01 AM PST by ShadowAce

Although some ISPs and legislators are crediting the year-old CAN-SPAM Act and better technology for recent gains in the war on spam, many in the industry say the advances are forcing spammers to employ new tactics, which are destabilizing the Internet's crucial DNS.

One troublesome technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. After the mailings go out, the spammer registers the domain early the next morning.

By doing this, spammers hope to avoid stiff CAN-SPAM fines through minimal exposure and visibility with a given domain. The ruse, they hope, makes them more difficult to find and prosecute.

The scheme, however, has unintended consequences of its own. During the interval between mailing and registration, the SMTP servers on the recipients' networks attempt Domain Name System look-ups on the nonexistent domain, causing delays and timeouts on the DNS servers and backups in SMTP message queues.

"Anti-spam systems have become heavily dependent on DNS for looking at all kinds of blacklists, looking at headers, all of that," said Paul Judge, a well-known anti-spam expert and chief technology officer at CipherTrust Inc., a mail security vendor based in Atlanta. "I've seen systems that have to do as many as 30 DNS calls on each message. Even in large enterprises, it's becoming very common to see a large spam load cripple the DNS infrastructure."

The DNS handles address look-ups for all Web sites on the Internet, translating human-readable host names into IP addresses. But its first use was as a look-up service for mail records, and it continues to be used for the billions of e-mail messages traversing the Internet daily.

The CAN-SPAM Act, which went into effect at the beginning of last year, was designed to reduce spam by making it illegal to send messages with spoofed addresses. One spammer already has been sentenced to jail for violating the law, and America Online Inc. said recently that the threat of prosecution, along with better filtering, has helped reduce spam complaints by 75 percent.

In reality, experts say, spammers shut down DNS access to domains that they control after as few as 12 hours to prevent ISPs or law enforcement officials from tracking them down. This tactic also wreaks havoc with the DNS as mail servers trying to return undeliverable messages will continue to perform DNS queries on the defunct domain.

"We've had to reset our architecture to make nine DNS look-ups, which is an insane amount. And we've bought a bunch of workstations and small servers to use as redundant DNS servers because of the load," said Bill Franklin, president of Zero Spam Network Corp., an anti-spam hosting provider based in Coral Gables, Fla. "The DNS system is a good warning indicator."

More troubling than the DNS problems is that there is little ISPs and enterprises can do, other than buying more capacity and setting up redundant DNS servers.

"We have to figure out how to taper DNS services gracefully rather than having catastrophic failures," said Paul Mockapetris, the author of the first DNS implementation and chief scientist at Nominum Inc., based in Redwood City, Calif. "Mail look-up was the first application put on top of DNS after I designed it, and I was so excited to see that. And now, 20 years later, people are trying to figure out how to stop doing mail look-up on DNS. It's bizarre."


TOPICS: Business/Economy; Technical
KEYWORDS: dns; spam; spammersarescum
To: taxcontrol

What are the biggest spam companies? Are there many? For the guy having trouble with earthlink, get Firefox!


41 posted on 01/10/2005 11:13:38 AM PST by FreeManWhoCan ("Credo!")
[ Post Reply | Private Reply | To 36 | View Replies]

To: ShadowAce

Enabling a caching DNS server on the inbound email relays fixes this sort of thing... and spammers have been doing it for years.


42 posted on 01/10/2005 11:23:22 AM PST by dfrussell
[ Post Reply | Private Reply | To 1 | View Replies]

To: KoRn

Reverse lookups are not a good idea because many people use return email addresses not associated with the sending IP. A good example is all the people with yahoo/hotmail IDs and sending email out from their place of employment.


43 posted on 01/10/2005 11:25:33 AM PST by dfrussell
[ Post Reply | Private Reply | To 5 | View Replies]

To: A Ruckus of Dogs
Ha ha, true. What cracks me up about getting those spam ads is that I don't even have the organ in question.

Until I found out they were sent out randomly, I was really angry. I thought an ex-girlfriend was telling everyone my size.

44 posted on 01/10/2005 11:29:18 AM PST by killjoy (My kid is the bomb at Islam Elementary!)
[ Post Reply | Private Reply | To 40 | View Replies]

To: general_re
And what happens in the case of new domains that have been legitimately registered, or old domains that have expired out of your local DNS cache?

Assuming your email relay has a cached DNS service on it, it does a lookup and provides the response until it [again] times out. A single lookup every couple of hours is not a big deal.

45 posted on 01/10/2005 11:31:04 AM PST by dfrussell
[ Post Reply | Private Reply | To 24 | View Replies]

To: general_re
We do incremental updates during the week and full zone transfers over the weekend. Works well for us. As always, others will likely have different needs and mileage.

The only thing most of my customers are missing is the bastion host to filter the mail prior to sending to the mail server.
46 posted on 01/10/2005 11:33:34 AM PST by taxcontrol (People are entitled to their opinion - no matter how wrong it is.)
[ Post Reply | Private Reply | To 38 | View Replies]

To: frog_jerk_2004
These domains should then be distributed to multiple DNS blacklists and only proper petitioning and authorization can lift the ban.

Blacklists are maintained by IP address -- not domain name. Creating a local name blacklist is a waste of time due to the frequency with which they are created/discarded.

Much of the current spam stream can be mitigated via use of RBLs such as spamhaus, spamcop, njabl etc and [free] products such as mimedefang/spamassassin.

47 posted on 01/10/2005 11:36:08 AM PST by dfrussell
[ Post Reply | Private Reply | To 27 | View Replies]

To: dfrussell; taxcontrol
You guys are missing my point. It's one lookup for you, but the problem is not on the local level. It's not your DNS machine that gets gummed up, but the higher-level DNS machine that has a flood of umpteen zillion requests - all for the same nonexistent record, and all in the span of three seconds - from your DNS machine and all the other DNS machines that query it. It's a problem of hierarchy, one that you don't see down there at the bottom of the pile, because it's the mid-level DNS machines that are getting hit with ten million A-record requests per microsecond, not yours.
48 posted on 01/10/2005 11:40:09 AM PST by general_re (How come so many of the VKs have been here six months or less?)
[ Post Reply | Private Reply | To 45 | View Replies]

To: taxcontrol
The company's centralized DNS server, I will refer to it as the local DNS, maintains the current table using updates, etc. Zone transfers only occur between the mail bastion host and the local DNS server, and yes the entire table.

"Local DNS" is sort of an oxymoron.

Generally speaking, domains for which a company will be permitted to do a zone transfer are unlikely to be large sources of spam.

You're probably thinking of a caching dns server...

Master DNS servers are really the only place changes are done and when they are rebuilt, the serial number changes and that should trigger a transfer on the secondary servers.

Companies/ISPs maintain the primary and secondary servers. Anyone can create a caching DNS server to hold information it requests from domains for which it is not SOA (start of authority).

This is something which is not uncommon on inbound email relays for locations with substantial volume of email.

49 posted on 01/10/2005 11:46:50 AM PST by dfrussell
[ Post Reply | Private Reply | To 36 | View Replies]

To: dfrussell
That's exactly right. Someone using an email client from work pulling messages from a different server appears to be a spammer. That has been the source of many a headache for me. If I had my way people at the company would only use their email clients for company email, and would only use their company email for company purposes. Too bad that decision isn't up to me :-(

Most providers have web based email that can be used by their customers.
50 posted on 01/10/2005 11:49:32 AM PST by KoRn
[ Post Reply | Private Reply | To 43 | View Replies]

To: KoRn
Most providers have web based email that can be used by their customers.

Yes, but this is trivial to circumvent.

51 posted on 01/10/2005 11:56:21 AM PST by dfrussell
[ Post Reply | Private Reply | To 50 | View Replies]

To: KoRn
Someone using an email client from work pulling messages from a different server appears to be a spammer. That has been the source of many a headache for me. If I had my way people at the company would only use their email clients for company email, and would only use their company email for company purposes. Too bad that decision isn't up to me :-(

You know, if you just kick everyone off the network completely, it's much easier to manage it.
52 posted on 01/10/2005 11:56:27 AM PST by beezdotcom (I'm usually either right or wrong...)
[ Post Reply | Private Reply | To 50 | View Replies]

To: general_re
And you missed my point. I never intended to solve the DNS issue, I was looking to solve the mail server and mail delay issues.

Moving the DNS table into memory on the bastion host makes sense from that perspective. It allows the bastion mail relay to determine if the mail is spam or not prior to the mail being forwarded on to the mail server.

You also are making the mistake of applying DNS flow to the bastion server. The server would look up the domain against 1st, the "blacklist", 2nd the outbound cache (a local cache of domains gleaned from outbound mail messages) and then if it could not find it there, would check its own local copy of DNS. If it was not in DNS, then take some action.

Most likely, I would configure it to drop the email. Note that no DNS query is generated. However, if you wanted to, I'm sure you could configure it to do a DNS query but that would not be my recommended solution. Perhaps it could be allowed through but marked as possible spam?

If this flow is followed, it will have the side effect of reducing DNS requests, but I doubt it will be a significant reduction. It would have a significant reduction on the burden placed on the mail host and since fewer emails are being processed, it would be able to process emails with better performance -- or so the theory goes.

Yes it has a trade off - all computer / networking issues do. The trade off is that a new domain, not yet available via incremental updates, or not yet in a full zone transfer, would not be reachable -- UNTIL -- either the DNS was fixed or until one of my employees sent an email to their server (it would show up in the local outbound domain cache).
53 posted on 01/10/2005 11:57:47 AM PST by taxcontrol (People are entitled to their opinion - no matter how wrong it is.)
[ Post Reply | Private Reply | To 48 | View Replies]
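The triage order taxcontrol lays out in the post above (domain blacklist, then the outbound-domain cache, then the local DNS copy, otherwise reject or tag, with no DNS query issued), as an added Python example that is not code from the thread. The three tables, the domain names, the parent-zone matching and the choice to answer 5xx at SMTP time instead of silently dropping are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed data standing in for the three tables the post describes.
BLACKLIST = {"cheap-pills.example"}           # local domain blacklist
OUTBOUND_CACHE = {"partner.example": 1}       # domains seen in employees' outbound mail
LOCAL_ZONES = {"example.com", "example.org"}  # zones held in the local DNS copy

def sender_domain(address):
    """Normalised domain of an envelope sender such as 'Bob <bob@Mail.Example.COM.>';
    None when there is no usable domain."""
    addr = parseaddr(address)[1]
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    return domain or None

def in_local_zones(domain):
    """True if the domain, or any parent of it, is a zone in the local copy."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in LOCAL_ZONES for i in range(len(labels)))

def triage(mail_from, tag_unknown=False):
    """Decision for one inbound message, in the order the post gives:
    blacklist, then outbound cache, then local DNS copy, else reject or tag.
    No DNS query is ever issued. 'reject' here means a 5xx at SMTP time rather
    than a silent drop, so the sending relay learns the message went nowhere."""
    domain = sender_domain(mail_from)
    if domain is None or domain in BLACKLIST:
        return "reject"
    if domain in OUTBOUND_CACHE or in_local_zones(domain):
        return "accept"
    return "tag" if tag_unknown else "reject"

def record_outbound(rcpt_to):
    """Learn a domain from an outbound recipient. In this scheme that is the only
    way a newly registered legitimate domain becomes reachable, which is the
    trade-off discussed in the thread."""
    domain = sender_domain(rcpt_to)
    if domain is not None:
        OUTBOUND_CACHE[domain] = OUTBOUND_CACHE.get(domain, 0) + 1
    return domain

if __name__ == "__main__":
    print(triage("x@new-startup.example"))   # reject: nobody here has mailed it yet
    record_outbound("alice@new-startup.example")
    print(triage("x@new-startup.example"))   # accept: now in the outbound cache
```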

To: dfrussell
I was using "local DNS" meaning a local (intra autonomous system caching DNS server), as opposed to an "ISP DNS" meaning a DNS server that is beyond my control (extra autonomous system caching DNS server), or the "master DNS" you described.

LOL, all of this has made me realize how wholly inadequate our language is when dealing with technology. A "server" used to mean a person who brought food to your table, a "computer" used to mean a mathematician who performed complex calculations for his employer.
54 posted on 01/10/2005 12:05:40 PM PST by taxcontrol (People are entitled to their opinion - no matter how wrong it is.)
[ Post Reply | Private Reply | To 49 | View Replies]

To: taxcontrol
That's fine, but it's those DNS lookups that are causing the problem described here, and that's the problem, on a global level, that needs solving.

The trade off is that a new domain, not yet available via incremental updates, or not yet in a full zone transfer, would not be reachable -- UNTIL -- either the DNS was fixed or until one of my employees sent an email to their server (it would show up in the local outbound domain cache).

How do you know if the DNS information has been updated unless you ask? Wait a week for the next zone transfer to propagate? If the answer is "no", we're back to square one ;)

55 posted on 01/10/2005 12:21:55 PM PST by general_re (How come so many of the VKs have been here six months or less?)
[ Post Reply | Private Reply | To 53 | View Replies]

To: general_re
PART of the problem described is spammers using domains not in the existing system and then registering the names. By having the mail bastion host that I described, you would reduce the effectiveness of this tactic and save the DNS system from the subsequently generated queries.

Not a full fix but it would help control spam and reduce the associated DNS queries. What you "lose" in unreachable domains as a result of the trade off, I would consider a minor trade off.

56 posted on 01/10/2005 12:33:12 PM PST by taxcontrol (People are entitled to their opinion - no matter how wrong it is.)
[ Post Reply | Private Reply | To 55 | View Replies]

To: taxcontrol
It's a possibility, as long as we understand that sooner or later you're going to drop something (or mark something) as spam that isn't really spam, especially if you try as hard as you can to avoid external DNS lookups. Probably that won't happen too often, but when it does, hopefully it won't be something too important ;)

The other thing that I think would help somewhat is that there are still too many DNS boxes out there that don't cache negative results, so they keep pounding away for no reason. If you're responsible for your DNS server, please make sure you cache negative results for at least some minimal amount of time, perhaps an hour or so. It's also not a complete fix, but it might result in some improvement.

57 posted on 01/10/2005 12:43:16 PM PST by general_re (How come so many of the VKs have been here six months or less?)
[ Post Reply | Private Reply | To 56 | View Replies]
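The mechanism the article describes (every inbound spam triggers a look-up of a not-yet-registered domain, and the upstream server eats each miss) and the negative-caching fix general_re asks for in the post above, as an added Python simulation that is not code from the article or the thread. The upstream server is a counting stub; the zone contents, the 3600 s negative TTL and the traffic pattern are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed "authoritative" data: only this name exists upstream.
UPSTREAM_ZONE = {"example.com.": "192.0.2.10"}
NEGATIVE_TTL = 3600   # constructed SOA minimum; the RFC 2308 negative-cache TTL
POSITIVE_TTL = 86400

@dataclass
class Upstream:
    """Stand-in for the higher-level DNS server that absorbs every cache miss."""
    queries: int = 0

    def resolve(self, name):
        self.queries += 1
        if name in UPSTREAM_ZONE:
            return UPSTREAM_ZONE[name], POSITIVE_TTL
        return None, NEGATIVE_TTL  # NXDOMAIN, signalled here by answer=None

@dataclass
class CachingResolver:
    upstream: Upstream
    negative_caching: bool
    cache: dict = field(default_factory=dict)  # name -> (answer, expires_at)

    def lookup(self, name, now):
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]
        answer, ttl = self.upstream.resolve(name)
        # Positive answers are always cached; an NXDOMAIN is cached only when
        # negative caching is on, which is the knob general_re points at.
        if answer is not None or self.negative_caching:
            self.cache[name] = (answer, now + ttl)
        return answer

def upstream_load(negative_caching, messages=1000, seconds=1.0,
                  name="not-yet-registered.example."):
    """Queries for one unregistered sender domain that reach the upstream
    server when `messages` spam messages arrive spread evenly over `seconds`."""
    up = Upstream()
    resolver = CachingResolver(up, negative_caching)
    for i in range(messages):
        resolver.lookup(name, now=i * seconds / messages)
    return up.queries

if __name__ == "__main__":
    print("1000 in one second, no negative cache:", upstream_load(False))     # 1000
    print("1000 in one second, negative cache   :", upstream_load(True))      # 1
    print("1000 over two hours, negative cache  :", upstream_load(True, seconds=7200))  # 2
```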

To: taxcontrol
Most likely, I would configure it to drop the email. Note that no DNS query is generated. However, if you wanted to, I'm sure you could configure it to do a DNS query but that would not be my recommended solution. Perhaps it could be allowed through but marked as possible spam?

In general, dropping anything except a virus is a bad idea and will eventually cause grief for the admin.

If inbound email relays are configured to simply refuse email from invalid domains, afterwards, it becomes a problem for the intermediate relay... which should not have accepted it anyway, so no big deal.

That said, maintaining a local domain name blacklist to circumvent a lookup is not a workable solution due to the frequency at which bogus domains are sent/changed... even the domain names included in spam are now changing rather frequently and they have to resolve.

For spam control, you want to nibble away at the content via multiple filters rather than trying to get it all at one time.

58 posted on 01/10/2005 1:37:20 PM PST by dfrussell
[ Post Reply | Private Reply | To 53 | View Replies]

To: ShadowAce

How many spammers have they caught in THIS country? One, two perhaps, maybe three? Yeah, real effective.


59 posted on 01/10/2005 1:53:56 PM PST by BigSkyFreeper (PEST/Suicide Hotline 1-800-BUSH-WON)
[ Post Reply | Private Reply | To 1 | View Replies]

To: dfrussell
In general, dropping anything except a virus is a bad idea and will eventually cause grief for the admin.

I've never had a problem with it. Usually all I need to do is provide the text out of the security policy that tells me to drop spam.

60 posted on 01/10/2005 2:24:02 PM PST by taxcontrol (People are entitled to their opinion - no matter how wrong it is.)
[ Post Reply | Private Reply | To 58 | View Replies]

