[IP] VeriSign prepares to relaunch "Site Finder" -- calls technologists "biased"

> Site Finder on its own added to spam; spam volumes increased as the number
> of "sender domain does not resolve" bounces dropped away.

That is a myth: http://www.xtdnet.nl/paul/spam/graphs/versign.png

If you want to blame spam on a single corporation, the graphs clearly show
to blame Microsoft. Besides, they have more money than Verisign anyway :)

Paul

Were you or any of your upstream resolvers implementing the patch
during that window? If so that may skew the results.

Joshua Coombs

Paul Wouters wrote:

> > Site Finder on its own added to spam; spam volumes increased as the number
> > of "sender domain does not resolve" bounces dropped away.
>
> That is a myth: http://www.xtdnet.nl/paul/spam/graphs/versign.png
>
> If you want to blame spam on a single corporation, the graphs clearly show
> to blame Microsoft. Besides, they have more money than Verisign anyway :)

Perhaps you didn't (or don't) use a filter that header checks the
domain in the envelope. We did, and we had a tremendous increase in
spam allowed through the servers. It receded as soon as we installed
the BIND fix (as I've posted to the list at that time).
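The envelope-sender check described above only works while unregistered domains really fail to resolve; a TLD wildcard turns every such lookup into a success. The following is an added example (not code from any of the posts) of one way to keep that check meaningful: it probes a random, almost certainly unregistered label under the sender's TLD and rejects the sender if its domain resolves to the same address the wildcard hands back. The resolver is a constructed in-memory stand-in, and the wildcard target 192.0.2.1 is an assumed value for the example, not a real SiteFinder address.

```python
import secrets
import string

# Constructed stand-in for a recursive resolver: maps a name to the A record
# it would return, or None for a genuine NXDOMAIN. The ".com" wildcard and
# its target 192.0.2.1 are assumptions made for this example.
WILDCARD_TLDS = {"com"}
WILDCARD_TARGET = "192.0.2.1"
REAL_RECORDS = {
    "example.com": "192.0.2.10",
    "example.net": "192.0.2.20",
}


def resolve_a(name):
    """Return the A record the resolver would hand back, or None (NXDOMAIN)."""
    name = name.lower().rstrip(".")
    if name in REAL_RECORDS:
        return REAL_RECORDS[name]
    tld = name.rsplit(".", 1)[-1]
    if tld in WILDCARD_TLDS:
        return WILDCARD_TARGET  # wildcard synthesis: NOERROR instead of NXDOMAIN
    return None


def random_label(length=24):
    """A random label that no registrant will plausibly own."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def wildcard_target(tld, resolver=resolve_a):
    """Probe a random label under the TLD. If it resolves, the TLD is
    synthesizing answers; return the synthesized address, else None."""
    return resolver(f"{random_label()}.{tld}")


def sender_domain(envelope_from):
    if "@" not in envelope_from:
        return None
    return envelope_from.rsplit("@", 1)[1].lower().rstrip(".")


def naive_sender_domain_ok(envelope_from, resolver=resolve_a):
    """The pre-wildcard check: accept if the sender domain resolves at all.
    Under a TLD wildcard this accepts every made-up .com sender."""
    domain = sender_domain(envelope_from)
    return domain is not None and resolver(domain) is not None


def sender_domain_ok(envelope_from, resolver=resolve_a):
    """Hardened check: a domain that resolves only to what the TLD wildcard
    returns for any nonexistent name is treated as unresolvable."""
    domain = sender_domain(envelope_from)
    if domain is None:
        return False
    addr = resolver(domain)
    if addr is None:
        return False  # genuine NXDOMAIN: reject as before
    synthesized = wildcard_target(domain.rsplit(".", 1)[-1], resolver)
    if synthesized is not None and addr == synthesized:
        return False  # wildcard-synthesized answer: not a real domain
    return True


if __name__ == "__main__":
    for sender in ("user@example.com", "user@made-up-name.com", "user@made-up-name.net"):
        print(sender, naive_sender_domain_ok(sender), sender_domain_ok(sender))
```

In production the probe result would be cached per TLD rather than repeated per message, and a legitimate domain that deliberately points at the wildcard address would be rejected by this comparison; the approach Paul Vixie's BIND delegation-only patch took (refusing non-delegation data from the TLD servers) avoids that corner case at the resolver instead of in the mail filter.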

nanog@vo.cnchost.com (JC Dill) writes:

> Just as Canter and Siegel's green card spam was a novel way to (ab)use
> SMTP for Canter and Siegel's profit, ten years later Verisign develops
> Sitefinder [1] - a novel way to (ab)use DNS requests for Verisign's
> profit. ...

while i won't fault your analogy on structural grounds, i challenge it
on factual grounds. the c&s green card imbroglio came from nntp, not smtp.

> I believe that there is no good "operational" way to solve either problem.

and yet, the place to discuss non-operational solutions is not nanog@. i
suspect that you will find plenty of places to make your proposals, wherein
many other people will also make their own proposals, with nobody reading
anybody else's proposals. sort of like here, except politics not operations.

> nanog@vo.cnchost.com (JC Dill) writes:
>
> > Just as Canter and Siegel's green card spam was a novel way to (ab)use
> > SMTP for Canter and Siegel's profit, ten years later Verisign develops
> > Sitefinder [1] - a novel way to (ab)use DNS requests for Verisign's
> > profit. ...
>
> while i won't fault your analogy on structural grounds, i challenge it
> on factual grounds. the c&s green card imbroglio came from nntp, not smtp.

Yes, the Green Card spam of 4/94 was on usenet, my bad.

But in early 1994 *email* spam also became a problem. I've found various references that say email spam started becoming a problem in January 1994 (starting with the "Global Alert for All: Jesus is Coming" spam to usenet, followed by email spam), and in April 1994 (starting with C&S's Green Card spam to usenet, followed by email spam). I can't pin down an exact date or email for the first unsolicited bulk/commercial email spam spew of 1994 - I keep on finding cites to the "first spam" referring back to the DEC spam on ARPANET in 1978.

         <http://www.templetons.com/brad/spamterm.html>
         <http://www.templetons.com/brad/spamreact.html>

In any event, UCE/UBE email spam was clearly a big problem by July 1994 when it was the topic of a Time Magazine article:

         "Battle for the Soul of the Internet", by Philip Elmer-Dewitt
         TIME Domestic, July 25, 1994 Volume 144, No. 4

It is 2004 now, and we have not accomplished a single thing to actually stop the exponentially increasing spew of spam.

> > I believe that there is no good "operational" way to solve either problem.
>
> and yet, the place to discuss non-operational solutions is not nanog@. i
> suspect that you will find plenty of places to make your proposals, wherein
> many other people will also make their own proposals, with nobody reading
> anybody else's proposals. sort of like here, except politics not operations.

Are you REALLY saying that:

A) When someone proposes something that will break the operation of the Internet as we know it; and
B) There is no immediately apparent or obvious "operational" solution besides playing Whack-A-Mole with the abuser(s);
C) We shouldn't discuss it here - to attempt to keep it from being implemented or to see if someone discovers a true "operational" solution?

How can we consider the pros and cons of various (operational/social/legal) solutions to network operations problems if we can't discuss and consider *all* possible solutions?

jc

I am curious what the operational impact would be to network operators if, instead of Verisign using SiteFinder over all com and net, Verisign or their technology partner for SiteFinder began coercing a large number of independent ISPs and network operators to install their form of DNS redirection at the ISP-level, until all or most of the end-users out there were getting redirected.

We have been approached by a guy named Mark Lewyn, president of Paxfire, Inc., the company he claims created the SiteFinder technology and offered it to Verisign. Based here in the Washington DC area, he now also wants individual ISPs to implement his technology of redirection to a web page for unknown domains as a means of earning click-through revenue, and will split the take 50/50 "when Paxfire gets paid".

As a network operator of a fair-sized regional ISP, as well as operator of arguably the least-expensive nationwide wholesale dial platform for other ISPs to gain nationwide access, we have been approached by Mr. Lewyn on behalf of his company Paxfire Inc. He wants our company to come have meetings at his law firm's offices, consider accepting and implementing his technology at our local DNS server level, and then supposedly share in the rich profits when customers get redirected, possibly to web pages featuring click-through banner ads. He says that this is the exact same technology (more accurately, he said that it was evolved one step further, I think) that he sold or licensed to Verisign and that Verisign refers to as SiteFinder.

Until now, the identity of the technology and marketing partner who created SiteFinder has been kept very confidential, so I was surprised to learn that Mr. Lewyn's company Paxfire Inc. was indeed that partner!

Further, he claims that Vint Cerf himself thinks it is a great idea at the ISP level to do this, and is one of his advisory board supporters.

Naturally, with the fracas of last Sept 2003, we are hesitant to give up any negative caching, essential anti-spam techniques, and suffer other disruptions that such a redirection service may generate within our networks whenever a non-existent domain request results in a redirection.

Is there concern to be raised by network operators over such schemes if deployed at the individual ISP level, particularly if such technology becomes widespread?

Before considering meeting with these guys, we would like to solicit the opinions of this list to be better equipped to say "no" if indeed "no" is the right operational and technological decision for the integrity of our nationwide networks and our interconnection outwards to the rest of the world's networks.

Thanks most sincerely,

Randall Pigott

At the ISP level, there's nothing inherently wrong with this, IMO; AOL and MSN do it
already, as does Microsoft. If your customers don't like it, they are capable
of voting with their checkbooks, particularly with dial service; with cable and
DSL, the waters are a bit muddier because a cable ISP or LEC could have a captive
audience.

Verisign's crime against the internet was forcing SiteFinder upon the ENTIRE
internet, like it or not, and in the process abusing a resource that had been placed
in their care with the trust that it would not be abused for profit.

-C

They're your customers. This week, anyhow.

That's the big difference between the ISP doing it and Verisign doing it -
the ISP has a built-in feedback on the idea, since they're doing it to people
they have a business relationship with. Verisign did it to people they *didnt*
have a direct relationship with....

That's not the point. A failed DNS lookup actually needs to fail, not get
redirected.

Curtis

Curtis Maurand wrote:

> That's not the point. A failed DNS lookup actually needs to fail, not get
> redirected.

Perhaps you need to change your definition of failed?

The lookup has not failed if the rcode in the reply is set to a
non-failing value.

-davidu
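The distinction davidu draws is visible in the response header: a genuine failure carries rcode NXDOMAIN (3) and no answer section, while a wildcard-synthesized reply is a perfectly well-formed NOERROR (0) answer with an A record, indistinguishable at the rcode level from a real one. The following added example (not code from the thread) constructs both kinds of reply for a name that does not exist and parses them back, so a filter author can see exactly which fields differ. The transaction ID, name and addresses are constructed sample values.

```python
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rcode, a_record=None, txn_id=0x1234):
    """Construct a minimal DNS response: one question and, optionally, one A
    answer. Constructed for this example; a resolver's real reply would also
    carry authority/additional records."""
    ancount = 1 if a_record else 0
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1, low nibble = rcode
    msg = struct.pack("!HHHHHH", txn_id, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if a_record:
        msg += b"\xc0\x0c"  # compression pointer to the question name at offset 12
        msg += struct.pack("!HHIH", 1, 1, 300, 4)  # type A, class IN, TTL, rdlength
        msg += bytes(int(octet) for octet in a_record.split("."))
    return msg


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2  # pointer: two bytes, name ends here
        off += 1 + n


def classify_response(msg):
    """Return the rcode name and the list of A addresses in the answer section."""
    _txn, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": addrs}


def lookup_failed(msg):
    """What a naive client sees: the lookup failed only if rcode is non-zero.
    A synthesized answer therefore never counts as a failure here."""
    return classify_response(msg)["rcode"] != "NOERROR"


if __name__ == "__main__":
    honest = build_response("nosuch.example", 3)
    synthesized = build_response("nosuch.example", 0, "192.0.2.1")
    print(classify_response(honest), lookup_failed(honest))
    print(classify_response(synthesized), lookup_failed(synthesized))
```

Because the header alone cannot tell the two cases apart, anything that relies on "the domain does not exist" (sender-domain checks, negative caching, typo detection in clients) has to look at the answer data or be fixed at the resolver, which is what the BIND delegation-only change did.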

> Is there concern to be raised by network operators over such schemes if
> deployed at the individual ISP level, particularly if such technology
> becomes widespread?

Yes: the DNS structure is a scalable way to locate IP addresses for names,
but it needs trust as people can bypass it and go directly to root servers,
gtld servers, cctld servers. The more non-standard hacks the structure get,
the more distrust it will have; if it becomes widespread, off-the-shelf
operating systems with internal recursive DNS will also become widespread.
Revenue from DNS redirection will go towards zero, and load at the central
servers will go to the sky and never come down ever again.

Rubens

rubens@email.com ("Rubens Kuhl Jr.") writes:

> ... the DNS structure is a scalable way to locate IP addresses for names,
> but it needs trust as people can bypass it and go directly to root servers,
> gtld servers, cctld servers. The more non-standard hacks the structure get,
> the more distrust it will have; if it becomes widespread, off-the-shelf
> operating systems with internal recursive DNS will also become widespread.
> Revenue from DNS redirection will go towards zero, and load at the central
> servers will go to the sky and never come down ever again.

Um. That happened years ago, mostly by mistake.

However I agree with the premise -- as middlemen continue to try to monetize
other people's transactions, the endpoints will continue to try to work around
the middlemen. So it is with carpet sales, home electronics, online auctions,
and now DNS.

DNSSEC, now in its eleventh year of preproduction, is supposed to make this
kind of middletweaking more detectable, but not more preventable. I suspect
that Rodney's idea for doing DNS over IP tunnels is even more desirable than
he thinks, for reasons he may not have yet considered.

nanog@riva.net (Randall Pigott) writes:

> I am curious what the operational impact would be to network operators
> if, instead of Verisign using SiteFinder over all com and net, Verisign
> or their technology partner for SiteFinder began coercing a large number
> of independent ISPs and network operators to install their form of DNS
> redirection at the ISP-level, until all or most of the end-users out
> there were getting redirected.

It would be no worse than NEW.NET or any other form of DNS pollution/piracy
(like the alternate root whackos), as long as it was clearly labelled. As
an occasional operator of infrastructure, I wouldn't like the complaint load
I'd see if the customers of such ISP's thought that *I* was inserting the
garbage they were seeing. So I guess my hope is, it'll be "opt-in" with an
explicitly held permission for every affected IP address (perhaps using some
kind of service discount or enhancement as the carrot.)

Paul Vixie wrote:

> DNSSEC, now in its eleventh year of preproduction, is supposed to make this
> kind of middletweaking more detectable, but not more preventable. I suspect
> that Rodney's idea for doing DNS over IP tunnels is even more desirable than
> he thinks, for reasons he may not have yet considered.

Windows users get more Yes / No / Cancel dialogs to better educate them on clicking Yes without spending too much time thinking about it?

Pete

Paul, you have no problem supporting the corrupt ICANN monopoly.
The colonists and minutemen were called their day's name for
"whackos" as well. You have the right to speak without
being shot for your opinion because those "whackos" fought
and died to make it so. Just remember that the next time
you fling that word around.

ICANN is a threat to freedom on the internet. There is no
technical reason why there cannot be 1,000's of TLDs
out there, except that it foils someone's monopoly
stranglehold on one of the few chokepoints of the internet.
The biggest threat is from WIPO which is trying to
control the namespace and use it as a fulcrum to
enforce their narrow intellectual property interests.
WIPO has no place in the namespace and its UDRP
is just a method for rich and powerful interests to
steal domains from poor people, especially those in
less-than-well-to-do countries. I will never stop
fighting against that kind of thing, nor will others
in this struggle.

There are many people who have been working against
this unacceptable state of affairs for many years, myself
included and I will not let you mis-characterize our
struggle.

John Palmer

> ICANN is a threat to freedom on the internet. There is no

Very true.

> technical reason why there cannot be 1,000's of TLDs
> out there, except that it foils someone's monopoly
> stranglehold on one of the few chokepoints of the internet.

Also true.

Unfortunately, Paul is still correct in calling anybody who doesn't
understand why RFC2826 matters a "whacko". Read it *carefully*,
and note that nowhere does it say ICANN has to run the root, only
that if there is other than exactly one consistent view of the root,
things go pear-shaped quickly.

I'm probably on my own here but I don't think it's that bad an idea.. seems like a
decent way to earn some money, of course you may create some bad press and upset
some customers but doesn't everything.

At least we the operators are left in control, and even end sites always have
the option of running their own dns servers in order to bypass their provider,
this isn't possible with wildcards in the verisign root.

I also did a comparison in my head but this is also not comparable to
fragmentation of the root so nothing broken there either.

Steve

> > I am curious what the operational impact would be to network operators
> > if, instead of Verisign using SiteFinder over all com and net, Verisign
> > or their technology partner for SiteFinder began coercing a large number
> > of independent ISPs and network operators to install their form of DNS
> > redirection at the ISP-level, until all or most of the end-users out
> > there were getting redirected.
>
> It would be no worse than NEW.NET or any other form of DNS pollution/piracy
> (like the alternate root whackos), as long as it was clearly labelled. As

Sorry my threading is screwed, something to do with the headers so I missed half
the replies.

Anyway I just sent an email, I don't think this is the same as the new.net thing,
in that case you have an unstable situation of competing roots arising which as
it grows or collides the operator community is left to pick up the pieces and
complaints.

With a local redirection you get to choose that you want it, you don't impose it
on other parts of the Internet and given enough clue level your customers can
run their own DNS if they object.

So with that in mind this is no worse than http caching/smtp redirection or
other local forms of subversion..

Steve

Whackos.. ! Where..?!

Can't see no pesky whackos, nope sir, all normal people here.

steve@telecomplete.co.uk ("Stephen J. Wilcox") writes:

> ... It would be no worse than NEW.NET or any other form of DNS
> pollution/piracy (like the alternate root whackos), as long as it was
> clearly labelled. ...

> With a local redirection you get to choose that you want it, you don't
> impose it on other parts of the Internet and given enough clue level your
> customers can run their own DNS if they object.
>
> So with that in mind this is no worse than http caching/smtp redirection or
> other local forms of subversion..

I guess I should have put some :-)'s into my earlier post on this thread.
Anyone using MSIE already has sitefinder-like functionality. And there are
adware companies who offer plugins for MSIE, Safari/Konqueror,
Netscape/Mozilla, and probably other browsers as well, to map "no such url"
to an adware/search site.

Therefore anyone who wants to opt into this can already do so.

Therefore the likelihood of an ISP offering this on an "opt in" basis is low.

I apologize for having to explain that I was joking. I'll try to do better.