It's Just this Little Chromium Switch Here

Weblogging and commentary by Chip Rosenthal

Earthlink to Verisign: Piss Off

It's been 48 hours since Verisign broke the Internet, and only a day since ISC released a workaround. The next step is to see whether the major providers deploy a workaround for the Verisign corruption. In particular, I'm curious what AOL, MSN, and Earthlink choose to do.

It turns out Earthlink may have acted already. I have their cable Internet service at home. If I try to look up a bogus domain, I get an error rather than the address of the Site Finder service.

    $ host www.die-verisign-scum.com
    Host www.die-verisign-scum.com. not found: 2(SERVFAIL)

If the Verisign corruption was being passed through, I'd expect to see an answer that said:

    www.die-verisign-scum.com. has address 64.94.110.11

There are two perplexing parts to this, however. First, the error returned is unexpected: SERVFAIL rather than NXDOMAIN. Second, Earthlink is running BIND 8.2.3-REL, and I'm not aware of patches being available for this version.

I'm a little confounded by the results. Maybe some DNS guru can explain what I'm seeing.

Verisign Greed Breaks the Internet

Link: Verisign redirects error pages.

Verisign, the operator of the largest databases for Internet domains, has taken greed to a new level. This week, they implemented a new service to squat on domain typos, and cavalierly broke major Internet functions in the process. Their service, called Site Finder, redirects web queries for non-existent domains to a web site they manage. They will be able to make money by showing you advertising when you make an error typing in a URL. The change, however, creates significant havoc.

I've estimated my spam load will go up about 6.25% because of Verisign greed. Spammers can get into trouble if they forge a return address using a valid domain. So spammers often use an invalid domain in their return address. That's good news, because bogus domains are easily recognized and mail from them can be bounced as spam.

Verisign broke that. Now, when the mail server checks on a bogus domain, it no longer gets a "no such domain" response. Instead, the mail server gets a response saying the domain is valid, and it points to a Verisign mail server. This means the checks for forged domains no longer work, and all that spam that used to be bounced out of hand will now be accepted.

The Verisign change is going to create confusion for my users. Before, if they made a typo in the domain part of an email address, my mail server would intercept it and return an error. Now, the message is going to be passed along to a Verisign mail server, which is going to cause a misleading error. The user is going to be told the user does not exist, rather than that the domain is invalid.

Verisign has shown continued arrogance and hubris in their management of the Domain Name System. Unfortunately, the organizations that oversee them have been ineffectual in their management. This time, however, they may have pushed too far. The Internet Software Consortium, which writes the software that runs most of the DNS, is preparing a new version that will filter out the bogus Verisign responses. I expect this will be deployed quickly, so that network operators can route around the damage created by Verisign.
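The sender-domain check described above, extended to filter synthesized wildcard answers, as an added example that is not from the original post or from ISC's BIND changes. It generalizes beyond the single Site Finder address by probing a TLD with random labels to learn what it returns for nonexistent names, then treating a sender domain that resolves only to those addresses as bogus. The resolver functions and the `example.com` data are constructed stand-ins so the code runs offline, and returning `tempfail` on SERVFAIL is this example's choice.

```python
import secrets

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"
SITE_FINDER = "64.94.110.11"                    # address quoted in the post
REGISTERED = {"example.com": ["192.0.2.10"]}    # constructed sample zone data


def wildcarded_resolver(name):
    """Constructed stand-in: a resolver passing the .com/.net wildcard through."""
    if name in REGISTERED:
        return NOERROR, REGISTERED[name]
    if name.endswith((".com", ".net")):
        return NOERROR, [SITE_FINDER]           # synthesized answer, not a real host
    return NXDOMAIN, []


def failing_resolver(name):
    """Constructed stand-in: a resolver that answers SERVFAIL for everything."""
    return SERVFAIL, []


def wildcard_addresses(tld, resolve, probes=3):
    """Addresses a TLD hands out for names that cannot exist (empty set if none)."""
    seen = set()
    for _ in range(probes):
        label = secrets.token_hex(16)           # random label, effectively unregistered
        rcode, addrs = resolve(f"{label}.{tld}")
        if rcode != NOERROR or not addrs:
            return set()                        # a probe got a real error: no wildcard
        seen.update(addrs)
    return seen


def sender_domain_verdict(domain, resolve, wildcards):
    """Return 'accept', 'reject' or 'tempfail' for an envelope-sender domain."""
    rcode, addrs = resolve(domain)
    if rcode == SERVFAIL:
        return "tempfail"                       # lookup failed: defer, decide later
    if rcode == NXDOMAIN:
        return "reject"                         # the classic bogus-domain case
    if addrs and set(addrs) <= wildcards:
        return "reject"                         # only the synthesized address: bogus
    return "accept"


if __name__ == "__main__":
    wc = wildcard_addresses("com", wildcarded_resolver)
    for d in ("example.com", "www.die-verisign-scum.com"):
        print(d, sender_domain_verdict(d, wildcarded_resolver, wc))
```

Passing an empty `wildcards` set reproduces the broken behaviour the post describes: the bogus domain resolves and is accepted.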

Goodbye, Friend

Yesterday afternoon, I lost my best friend. I've written how over the past month he's gone from sad to worse. Unfortunately, we never could get a diagnosis, and he kept slipping further every day.

For the past week, I've been force feeding to keep him alive. Yesterday morning, I think both of us finally had enough of that. It was time for him to go. He was fourteen years old.

The photographs were taken earlier this week.

Gentoo and FreeBSD: Not for Me

For the last many years, I used an old 486DX-33 computer as a router between my local network and the Internet. I powered it down yesterday, but when I tried to bring it back the disk wouldn't spin up. Can't really blame it. That computer should have received an honorable burial sometime last decade.

The failure of my old router presented an opportunity to try out a new operating system, because: a) I like to turn a bad situation into a positive experience, b) I like to take bad situations and make them even more complicated, or c) pain is my friend. (correct answer: b)

Product is Shipping

Link: CATool Product Information

One of the reasons I like product design so much is because I get giddily excited when people are willing to pay good cash money for something I built. There hasn't been a lot of product shipping during this economic downturn, but last week I received a little piece of joyous news.

On-and-off over the past year, in conjunction with Amaranth Networks, I've been designing a product that implements a private certificate authority and manages X.509 certificates for an organization. These certificates are used to secure and identify everything from web servers to AOL Instant Messenger sessions.

The product is called CATool. There is a white paper (150KB PDF) with a pretty good overview of the features. Open System Consultants just signed on as the world-wide distributor. So, if you ever wanted to run your very own certificate authority out of your sewing room, your chance has come.

My Sick Pussy

Things with the kitty have gone from unhappy to worse. I'm trying to avoid negative predictions about the outcomes, but I am steeling myself for the worst.

My Unhappy Pussy

This is not one of my typical hard-hitting, entertaining (not to mention fair and balanced) blog postings. Instead, it's an article about my sad kitty cat.

Texas AG Weighs in on Spam

Link: Can Texas Lasso Spam?

The linked article, from the Foat Wurth Startlegram, discusses the pending Texas spam law and quotes me being skeptical.

It says the Texas Attorney General office is ready to go after some spammer hide. Unfortunately, I'm not getting a lot of comfort that they know how to go about doing it--let alone have a plan in place.

For instance, the mechanism they have set up for collecting spam complaints (report via phone or web form) is exactly wrong. People who collect spam complaints know most spam victims don't submit actionable spam reports. Heck, most spam victims will admit it themselves. I'll be surprised if more than 10% of the reports they receive by these mechanisms include the trace information necessary for a spam investigation.

I think the FTC model is superior, where they set up a general mailbox uce [at] ftc [dot] gov to feed a collection that can be used for data mining.

I'm pleased the reporter presented my position accurately, unlike the recent TV news story on the law. There were two key points I wanted to make, and I'm glad to see they were reported. First, this is a weak law, one of the weakest in the nation. Second, this is not a law that prohibits spam, but rather enables it.

Top Sobig Morons: Pace Enterprises

I previously ranted about moronware virus scanners. Now I shall rant about the morons who run them.

I thought I'd look at some of the Sobig.F bounce messages I'm getting and pick out the stupidest of the bunch. The current leader is Pace Enterprises, with this entry.

Why was Pace Enterprises selected for top moronicity? Let me count the ways.

  • First, spamming people with these useless reports qualifies one for instant moronhood. Pace Enterprises to the clue phone: I did not email you this worm.
  • Next, whoever set up the Pace Enterprises mail system misconfigured it, so it is identifying itself with an illegal Internet hostname (phoenix.paceent instead of, what I suspect should be, phoenix.paceent.com).
  • Moreover, the moronware that Pace Enterprises uses generates illegal mail headers. If you look at the From: and Sender: fields of their report, you'll note my mail server added its own name. It needed to do that to correct protocol violations in what they sent.
  • Finally, and here is the clincher, they add a message to their moronware notice that says (with clueless AOL luser all-caps formatting preserved):
    YOUR COMPUTER IS INFECTED WITH A VIRUS AND HAS TRIED TO SENT A VIRUS TO Thomas Umstead. PLEASE REMOVE THE VIRUSES FROM YOUR COMPUTER, OR WE WILL BE FORCED TO BLOCK YOUR ADDRESS FROM SENDING MAIL TO OUR USERS.

The "we will be forced to block" an innocent bystander threat is precious. In fact, I wish they would--provided they also block me from receiving mail from their misconfigured, moronware virus scanner.

Continuing Adventures in the Land of Software Morons

I'm not seeing so much of the Sobig.F worm. What I am seeing, however, is dozens and dozens of reports generated by virus scanners written by morons.

Most every email worm transmits itself using forged sender information. If a virus scanner catches the message and tries to mail back a report, it almost certainly is going to hit the mailbox of an innocent victim, not the true sender. When you combine a particularly virulent worm (like Sobig.F) and a particularly well-distributed email address (like mine) you end up with a mailbox full of useless moronware reports.

For the record, the ideal way to handle this is to scan the email during SMTP delivery, and don't accept the message until the scan completes. That way you don't ever have to generate a bounce message.

For poorly designed software that does not run at delivery time, the next best thing is to discard the contaminated message and generate a report to the recipient, letting them know of the action.

Could everybody out there please check the configuration of your virus scanner and disable sending bounce notices? I thank you, and my "D" key thanks you.