Links for 2008-08-09

Bad law in North Dakota

This is very bad news for North Dakota-based anti-spammers — a guy called David Ritz is being sued there by alleged porn spammer Jerry Reynolds, for performing DNS lookups, a DNS zone transfer and a Whois lookup. It appears the judge has found Ritz guilty.

This is astonishingly bad lawmaking by the judge. These are entirely innocuous tools, part of every network administrator’s toolkit for debugging and examining internet traffic legitimately. There’s nothing remotely criminal or malicious in their use, and the judge has allowed himself to be misled.

North Dakota Judge Gets it Wrong:

‘Ritz’s behavior in conducting a zone transfer was unauthorized within the meaning of the North Dakota Computer Crime Law. A zone transfer is simply asking a DNS server for all the particular public info it provides about a given domain. This is a common task performed by system administrators for many purposes. The judge is saying that DNS zone transfers are now illegal in North Dakota.’

More details from Ed Falk

David’s legal defense fund

Stupid ‘Ph’ Neologisms Considered Harmful

Words: ‘Pharming’. I recently came across this line in a discussion document:

‘Wait, isn’t this exactly the kind of attack pharmers mount?’

I was under the impression that ‘pharming’ was a transgenics term: ‘In pharming, … genetically modified (transgenic) animals are mostly used to make human proteins that have medicinal value. The protein encoded by the transgene is secreted into the animal’s milk, eggs or blood, and then collected and purified. Livestock such as cattle, sheep, goats, chickens, rabbits and pigs have already been modified in this way to produce several useful proteins and drugs.’

Obviously this wasn’t what was being referred to. So I got googling. It appears the sales and marketing community of various security/filtering/etc. companies, have been getting all het up about various phishing-related dangers.

The earliest article I could find was this — GCN: Is a new ID theft scam in the wings? (2005-01-14):

‘Pharming is a next-generation phishing attack,’ said Scott Chasin, CTO of MX Logic. ‘Pharming is a malicious Web redirect,’ in which a person trying to reach a legitimate commercial site is sent to the phony site without his knowledge. ‘We don’t have any hard evidence that pharming is happening yet,’ Chasin said. ‘What we do know is that all the ingredients to make it happen are in place.’

Oooh scary! The article is short on technical detail (but long on scary), but I think he’s talking about DNS cache poisoning, whereby an attacker implants incorrect data in the victim’s DNS cache, to cause them to visit the wrong IP address when they resolve a name. This Wired article (2005-03-14) seems to confirm this.

But wait! Another meaning is offered by Green Armor Solutions, who use the term to talk about the Panix and Hushmail domain hijacks, where an attacker social-engineered domain transfers from their registrars. There’s no date on the page, but it appears to be post-March 2005.

Finally, yet another meaning is offered in this article at CSO Online: How Can We Stop Phishing and Pharming Scams? (May 2005): ‘The Computing Technology Industry Association has reported that pharming occurrences are up for the third straight year.’ What?! Call Scott Chasin!

Steady on — it appears that the ‘pharming’ CSO Online is talking about, has devolved to the stage where it’s simply a pop-up window that attempts to emulate a legit site’s input — no DNS trickery involved. (This trick has, indeed, been used in phish for years.)

So right there we have three different meanings for ‘pharming’, or four if you count the biotech one.

It may be impossible to get the marketeers to stop referring to ‘pharming’. But please, if you’re a techie, don’t use that term: its lack of clarity renders it useless. Anyway, the biotech people were there first, by several years…

More ways malware damages internet infrastructure: DNS servers

Malware: spotted on NANOG — Six PCs caused BigPond problems:

Disconnecting six compromised personal computers on Tuesday evening eased the difficulties caused by bogus requests which clogged BigPond’s domain name servers (DNS), slowing customer e-mail and Web site access, Telstra said.

A Telstra spokesperson said the carrier had narrowed the list of malware that could have infected the computers to three, adding the problem could have been caused by a combination of those viruses or Trojans. He declined to name the suspects.

He said the PCs generated 95 percent of the bogus requests which caused the problems that evening.

The ‘problems’ in question are described here:

One forum participant (on Aussie forum Whirlpool), who claimed to be a BigPond customer, said on Monday: ‘I’m in Canberra and it’s been almost unusable all afternoon. I’m snowed under at the moment and it is really driving me crazy. Three out of four links fail to load first time and sometimes take eight or nine tries before it does.’

Another said: ‘I am having problems loading Web pages, I get the 404 error. I have to retry five to 10 times to get some places.’

Petri Helenius, in a post to NANOG, notes:

Consumer ISPs who don’t proactively take care of security/abuse usually end up with harvesting-bots which consume a significant amount of DNS resources, typically doing anything from a few dozen to a thousand queries a second. A few hundred of these will seriously hamper a usually provisioned recursive server.

Interesting. It’s been a long time since I’ve relied on an ISP’s recursive DNS servers; in my recent experience (Comcast, Cox.net) they’ve always been overloaded, and take aaaages to give me answers. Maybe this is why.

It makes sense; most Windows machines will indeed use the ISP’s NSes, because that’s what DHCP tells you to do; and setting up a BIND or djbdns instance locally to query the roots directly is still a UNIX-only trick, as far as I know.

The upshot?

  1. Yet another good reason why ISPs should proactively disconnect infected customers, as they deny service to other users of the ISP.
  2. A good demonstration of yet another way the techie community’s experience of web surfing and internet use differs from that of the unwashed masses in the hinternet — that ‘shanty-town of pop-ups and porn adware’, as Danny O’Brien puts it.
  3. Sometime soon, if it hasn’t happened already, someone’s going to bundle up an ‘Internet Accelerator’ lump of shareware that sets up a local recursive NS on Windows which queries the roots, and it’ll become the latest popular Windows download. Then the load on the root servers will really start rising.

(PS: top tip — ever wanted a publicly-queriable recursive nameserver, or a good IP address for pinging, that’s easy to remember? 4.2.2.1 is what you’re after.)
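Petri’s point about bots doing anywhere from a few dozen to a thousand queries a second is the sort of thing a recursive-server operator can pick straight out of a query log. As an added example (not from the post, NANOG or Telstra), here is a small Python script that parses BIND-style query-log lines and flags clients whose peak per-second query rate crosses a threshold. The log lines are constructed inline; the line layout follows the classic BIND 9 ‘client … query:’ format, and the threshold of 100 queries/second is an assumed value to tune per server.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Classic BIND 9 query-log layout:
#   10-Aug-2008 21:05:03.004 client 10.0.0.77#40000: query: host1.example.net IN MX +
# (real deployments vary by version; adjust the regex to your own log format)
LOG_RE = re.compile(
    r'^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) '
    r'client (?P<client>[0-9a-fA-F.:]+)#\d+: '
    r'query: (?P<qname>\S+) IN (?P<qtype>\S+)'
)


def parse_query_log(lines):
    """Yield (timestamp, client_ip, qname, qtype) for each line that parses;
    lines that do not match the layout are skipped, not fatal."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%d-%b-%Y %H:%M:%S.%f')
        yield ts, m['client'], m['qname'], m['qtype']


def peak_qps_per_client(lines):
    """Map client IP -> the highest number of queries it sent in any one second."""
    per_second = defaultdict(Counter)   # client -> Counter(second -> queries)
    for ts, client, _qname, _qtype in parse_query_log(lines):
        per_second[client][ts.replace(microsecond=0)] += 1
    return {client: max(counts.values()) for client, counts in per_second.items()}


def flag_noisy_clients(lines, qps_threshold=100):
    """Clients whose peak rate reaches the threshold: candidates for the
    'infected customer' check the post argues ISPs should be doing."""
    return {client: qps for client, qps in peak_qps_per_client(lines).items()
            if qps >= qps_threshold}


def make_sample_log():
    """Constructed sample: one quiet client, one bot-like client hammering
    the resolver with 250 distinct MX lookups inside a single second."""
    lines = []
    for i in range(5):
        lines.append(f'10-Aug-2008 21:05:0{i}.100 client 10.0.0.5#51234: '
                     f'query: www.example.com IN A +')
    for i in range(250):
        lines.append(f'10-Aug-2008 21:05:03.{i * 4:03d} client 10.0.0.77#40000: '
                     f'query: host{i}.example.net IN MX +')
    lines.append('this line is not a query-log entry and is ignored')
    return lines


if __name__ == '__main__':
    for client, qps in sorted(flag_noisy_clients(make_sample_log()).items()):
        print(f'{client}: peak {qps} queries/second')
```

Peak-per-second is deliberately crude: it catches the ‘few hundred queries a second’ harvester Petri describes, but a bot that spreads its load evenly will need a longer window or a distinct-qname count on top.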

eWeek’s ‘Spammers Upending DNS’ article

Spam: eWeek recently published an article entitled ‘Spammers’ New Tactic Upends DNS’ , which notes that:

One .. technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. After the mailings go out, the spammer registers the domain early the next morning.

By doing this, spammers hope to avoid stiff CAN-SPAM fines through minimal exposure and visibility with a given domain. The ruse, they hope, makes them more difficult to find and prosecute.

The scheme, however, has unintended consequences of its own. During the interval between mailing and registration, the SMTP servers on the recipients’ networks attempt Domain Name System look-ups on the nonexistent domain, causing delays and timeouts on the DNS servers and backups in SMTP message queues.

This had me stumped when I read it: an email from a nonexistent domain is a pretty reliable spamsign (it’s used in the NO_DNS_FOR_FROM rule in SpamAssassin, for example, which hits about 2% of spam), that rule has been in the default ruleset for several years, and there’s no sign of that behaviour in our spam traps.

After some discussion, Suresh Ramasubramanian came up with this explanation of what’s really happening:

Verisign now allows immediate (well, within about 10 minutes) updates of .com/.net zones (also same for .biz) while whois data is still updated once or twice a day. That means if spammer registers (a) new domain he’ll be able to use it immediatly (sic) and it’ll not yet show up in whois (and so not be immediatly identifiable to spam reporting tools) - and spammers are in fact using this “feature” more and more!

That does sound a much more likely explanation, and matches what’s been seen in the traps.

So: WHOIS, not DNS.

Prior Art: Representing Queries in a DNSBL Lookup

Spam: DNS blocklists are a well-established, low-latency way to query a database of IP addresses for info. If you need to query a database over the internet quickly and in a connectionless manner, they’re ideal.

Declude have a page called how ip4r (DNSBL-style) DNS lookups work, which describes the general method:

  • input: the DNS zone for the DNSBL (e.g. ‘sbl.spamhaus.org’)
  • input: IP address to query about (e.g. ‘1.2.3.4’)
  • perform an A or TXT query to retrieve data: ‘dig 4.3.2.1.sbl.spamhaus.org. TXT’
  • output: data (waves hands… not important right now)

All well and good, if all you have is a single IP address as input. But what if you want to attach more query parameters — such as your user ID, or some numeric value to set a ’sensitivity’ level, like the SpamAssassin threshold system?

Easy-peasy: encode it in the looked-up hostname. Assuming you want to pass a user ID number of ‘9583495’ and a threshold value of ‘7’ along with the query above, here’s one way to do it:

  • ‘dig threshold.7.uid.9583495.4.3.2.1.sbl.spamhaus.org. TXT’

Note that to avoid charset issues, marshalling into a ‘-a-z0-9.’ namespace is probably safest. Of course, a dynamic DNS server is required to process these. But the protocol itself, at least, will support it.

(Just brain-dumping here so I have an URL to point to in future, and to get it into archive.org etc…)
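As an added example (not part of the original post, and not any DNSBL’s own code), here is both halves of the scheme above in Python: the client side builds the query name with the reversed address and the extra ‘key.value’ label pairs in front of it, enforcing the ‘-a-z0-9’ label charset, and the server side parses that name back into an address and a parameter dict. It goes one step beyond the post in also handling IPv6, using the reversed-nibble form (RFC 5782) that real DNSBLs use; the zone names and parameter values are taken from the post, and the ‘example.zone’ IPv6 case is constructed. No network lookup is performed; the resulting name is what you would hand to dig or a resolver library.

```python
import ipaddress
import re

# Labels are restricted to the '-a-z0-9' namespace the post recommends.
SAFE_LABEL = re.compile(r'^[a-z0-9-]+$')
HEX = '0123456789abcdef'


def reversed_address_labels(ip):
    """IPv4: reversed dotted octets ('1.2.3.4' -> '4.3.2.1').
    IPv6: reversed nibbles, one per label (RFC 5782 DNSBL form)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return '.'.join(reversed(str(addr).split('.')))
    nibbles = addr.exploded.replace(':', '')   # 32 hex digits
    return '.'.join(reversed(nibbles))


def dnsbl_query_name(ip, zone, **params):
    """Client side: '[key.value ...].<reversed ip>.<zone>.'
    Extra parameters such as threshold=7, uid=9583495 become label pairs in
    front of the address, exactly as the dig example in the post shows."""
    labels = []
    for key, value in params.items():
        for label in (key, str(value)):
            if not SAFE_LABEL.match(label):
                raise ValueError(f'label {label!r} is outside the -a-z0-9 namespace')
            labels.append(label)
    labels.append(reversed_address_labels(ip))
    labels.append(zone.rstrip('.'))
    return '.'.join(labels) + '.'


def parse_dnsbl_query(qname, zone):
    """Server side (what the 'dynamic DNS server' would do): recover
    (ip, params) from a query name inside `zone`. The address labels are
    taken from the end of the name; whatever precedes them must be key.value
    pairs. Raises ValueError on anything malformed."""
    labels = qname.rstrip('.').lower().split('.')
    zone_labels = zone.rstrip('.').lower().split('.')
    if labels[-len(zone_labels):] != zone_labels:
        raise ValueError('query is not inside the DNSBL zone')
    rest = labels[:-len(zone_labels)]
    # 32 trailing single-hex-digit labels means an IPv6 nibble name.
    if len(rest) >= 32 and all(len(l) == 1 and l in HEX for l in rest[-32:]):
        hexstr = ''.join(reversed(rest[-32:]))
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        ip = str(ipaddress.IPv6Address(':'.join(groups)))
        rest = rest[:-32]
    elif len(rest) >= 4:
        # IPv4Address() rejects anything that is not four valid octets.
        ip = str(ipaddress.IPv4Address('.'.join(reversed(rest[-4:]))))
        rest = rest[:-4]
    else:
        raise ValueError('no address labels in query')
    if len(rest) % 2:
        raise ValueError('parameter labels must come in key.value pairs')
    params = {rest[i]: rest[i + 1] for i in range(0, len(rest), 2)}
    return ip, params


if __name__ == '__main__':
    name = dnsbl_query_name('1.2.3.4', 'sbl.spamhaus.org', threshold=7, uid=9583495)
    print(name)                                     # the post's dig argument
    print(parse_dnsbl_query(name, 'sbl.spamhaus.org'))
```

Parameter order is whatever the caller passes (keyword order is preserved), so a server that cares about ordering should key on the label names rather than positions; and because the whole name travels in cleartext DNS, anything encoded this way (user IDs included) is visible to every resolver on the path.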

Real-time DNS blocklist accuracy figures

Spam: DNS blocklists are the oldest means of spam-blocking, and are still exceedingly useful; nowadays, many of these are fully automated systems, using proxy-detection algorithms and sensing patterns in mailer behaviour indicative of spam.

A few months back on the ASRG list, there was a discussion of DNSBL accuracy; I posted some SpamAssassin figures, based on our ‘mass-check’ tests, but noted that they were computed using current DNSBL contents against a corpus of saved mail, so due to the time delta, were not 100% representative.

These figures are a lot better. Since August, I’ve been collecting real-time DNSBL hit data on my mail, as it is delivered at my SpamAssassin installation. In other words, it’s live accuracy data — it’s using just what the DNSBLs had listed at scan time.

(DNS blocklist accuracy figures continued…)

Note, however, that it’s still incomplete:

  • some DNSBLs were not measured; these are just the default DNSBL list in SpamAssassin 2.60, excluding RCVD_IN_NJABL_DIALUP (which I had to remove because I can’t parse out accurate data).
  • it’s only 1 person’s hand-classified mail.
  • SpamAssassin tests more than just the ‘delivering’ SMTP relay; it’ll also look backwards through the headers, at earlier relays, to catch spam sent via mailing lists. This is different from what’s used with most traditional DNSBL-supporting systems.

But the results should still be quite useful.

The time period covered:

  • Thu, 21 Aug 2003 17:11:30 -0700 (PDT)
  • Sat, 25 Oct 2003 23:11:52 -0700 (PDT)

Recap of the fields:

  • SPAM% = percentage of messages hit that were spam
  • HAM% = percentage of messages hit that were ham
  • S/O = Spam/Overall = Bayesian probability of spam
  • RANK = artificial ranking figure, ignore this!
  • SCORE = default SpamAssassin 2.60 score
  • NAME = name of test. Figuring out the exact DNSBL should be pretty obvious ;)

OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
21839     1993    19846    0.091   0.00    0.00  (all messages)
100.000   9.1259  90.8741    0.091   0.00    0.00  (all messages as %)
5.989  59.0567   0.6601    0.989   1.00    2.25  RCVD_IN_BL_SPAMCOP_NET
3.869  37.7822   0.4636    0.988   0.96    1.10  RCVD_IN_DSBL
0.751   8.2288   0.0000    1.000   0.95    4.30  RCVD_IN_OPM_HTTP
1.964  20.2709   0.1260    0.994   0.95    1.10  RCVD_IN_NJABL_PROXY
0.659   7.1751   0.0050    0.999   0.95    0.64  RCVD_IN_NJABL_SPAM
0.614   0.0000   0.6752    0.000   0.94   -0.10  RCVD_IN_BSP_OTHER
0.050   0.5519   0.0000    1.000   0.94    4.30  RCVD_IN_OPM_SOCKS
0.027   0.3011   0.0000    1.000   0.94    4.30  RCVD_IN_OPM_WINGATE
0.119   0.0000   0.1310    0.000   0.94   -4.30  RCVD_IN_BSP_TRUSTED
0.939   9.7341   0.0554    0.994   0.94    4.30  RCVD_IN_OPM
1.081  10.9383   0.0907    0.992   0.93    1.52  RCVD_IN_SORBS_SOCKS
1.062  10.7376   0.0907    0.992   0.93    1.27  RCVD_IN_SBL
0.229   2.4084   0.0101    0.996   0.93    1.10  RCVD_IN_SORBS_MISC
0.618   6.3221   0.0453    0.993   0.93    1.10  RCVD_IN_SORBS_HTTP
0.595   5.9709   0.0554    0.991   0.92    4.30  RCVD_IN_OPM_HTTP_POST
0.078   0.7526   0.0101    0.987   0.90    2.60  RCVD_IN_SORBS_ZOMBIE
0.815   7.5263   0.1411    0.982   0.89    1.39  DNS_FROM_RFCI_DSN
3.594  24.8369   1.4613    0.944   0.81    2.55  RCVD_IN_DYNABLOCK
1.685  11.4400   0.7054    0.942   0.78    0.10  RCVD_IN_RFCI
0.380   2.4586   0.1713    0.935   0.75    1.31  RCVD_IN_NJABL_RELAY
6.182  33.9689   3.3911    0.909   0.73    0.10  RCVD_IN_NJABL
10.422  44.4054   7.0090    0.864   0.63    0.10  RCVD_IN_SORBS
0.037   0.1505   0.0252    0.857   0.54    2.80  RCVD_IN_SORBS_WEB
2.344   4.1144   2.1667    0.655   0.17    0.00  RCVD_IN_SORBS_SPAM
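The fields above are all derived from four counts per test (spam hits, ham hits, total spam, total ham), and the S/O column is the share of a test’s hit rate that comes from spam: SPAM% / (SPAM% + HAM%). As an added example (not from the post or from SpamAssassin’s own mass-check tooling), here is Python that rebuilds those fields from raw counts and re-derives S/O for every row of the table above, so a reader can check the table’s internal consistency or apply the same figures to their own DNSBL hit data. The table rows are copied from the post; the raw counts used in the usage check are back-computed from its first row and the message totals.

```python
from dataclasses import dataclass


@dataclass
class TestStats:
    name: str
    overall_pct: float   # % of all messages the test hit
    spam_pct: float      # % of spam messages the test hit
    ham_pct: float       # % of ham messages the test hit
    s_o: float           # spam_pct / (spam_pct + ham_pct)


def spam_over_overall(spam_pct, ham_pct):
    """S/O: 1.0 means the test only ever hit spam, 0.0 only ever hit ham.
    A test that hit nothing at all is reported as 0.0 rather than dividing by zero."""
    denom = spam_pct + ham_pct
    return spam_pct / denom if denom else 0.0


def rate_test(name, spam_hits, ham_hits, total_spam, total_ham):
    """Build the table fields from the raw hit counts of one test."""
    spam_pct = 100.0 * spam_hits / total_spam
    ham_pct = 100.0 * ham_hits / total_ham
    overall_pct = 100.0 * (spam_hits + ham_hits) / (total_spam + total_ham)
    return TestStats(name, overall_pct, spam_pct, ham_pct,
                     spam_over_overall(spam_pct, ham_pct))


# OVERALL% SPAM% HAM% S/O RANK SCORE NAME, as printed in the post.
TABLE = """\
5.989  59.0567   0.6601    0.989   1.00    2.25  RCVD_IN_BL_SPAMCOP_NET
3.869  37.7822   0.4636    0.988   0.96    1.10  RCVD_IN_DSBL
0.751   8.2288   0.0000    1.000   0.95    4.30  RCVD_IN_OPM_HTTP
1.964  20.2709   0.1260    0.994   0.95    1.10  RCVD_IN_NJABL_PROXY
0.659   7.1751   0.0050    0.999   0.95    0.64  RCVD_IN_NJABL_SPAM
0.614   0.0000   0.6752    0.000   0.94   -0.10  RCVD_IN_BSP_OTHER
0.050   0.5519   0.0000    1.000   0.94    4.30  RCVD_IN_OPM_SOCKS
0.027   0.3011   0.0000    1.000   0.94    4.30  RCVD_IN_OPM_WINGATE
0.119   0.0000   0.1310    0.000   0.94   -4.30  RCVD_IN_BSP_TRUSTED
0.939   9.7341   0.0554    0.994   0.94    4.30  RCVD_IN_OPM
1.081  10.9383   0.0907    0.992   0.93    1.52  RCVD_IN_SORBS_SOCKS
1.062  10.7376   0.0907    0.992   0.93    1.27  RCVD_IN_SBL
0.229   2.4084   0.0101    0.996   0.93    1.10  RCVD_IN_SORBS_MISC
0.618   6.3221   0.0453    0.993   0.93    1.10  RCVD_IN_SORBS_HTTP
0.595   5.9709   0.0554    0.991   0.92    4.30  RCVD_IN_OPM_HTTP_POST
0.078   0.7526   0.0101    0.987   0.90    2.60  RCVD_IN_SORBS_ZOMBIE
0.815   7.5263   0.1411    0.982   0.89    1.39  DNS_FROM_RFCI_DSN
3.594  24.8369   1.4613    0.944   0.81    2.55  RCVD_IN_DYNABLOCK
1.685  11.4400   0.7054    0.942   0.78    0.10  RCVD_IN_RFCI
0.380   2.4586   0.1713    0.935   0.75    1.31  RCVD_IN_NJABL_RELAY
6.182  33.9689   3.3911    0.909   0.73    0.10  RCVD_IN_NJABL
10.422  44.4054   7.0090    0.864   0.63    0.10  RCVD_IN_SORBS
0.037   0.1505   0.0252    0.857   0.54    2.80  RCVD_IN_SORBS_WEB
2.344   4.1144   2.1667    0.655   0.17    0.00  RCVD_IN_SORBS_SPAM
"""


def parse_table(text):
    """Parse the seven-column layout; '(all messages)' summary rows are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[6].startswith('('):
            continue
        overall, spam, ham, s_o, _rank, _score, name = fields
        rows.append(TestStats(name, float(overall), float(spam), float(ham), float(s_o)))
    return rows


def inconsistent_rows(rows, tolerance=0.0006):
    """Names of rows whose printed S/O disagrees with SPAM% and HAM%
    (tolerance allows for the three-decimal rounding in the table)."""
    return [r.name for r in rows
            if abs(spam_over_overall(r.spam_pct, r.ham_pct) - r.s_o) > tolerance]


if __name__ == '__main__':
    # Raw counts back-computed from the first row: 1177 of 1993 spam, 131 of 19846 ham.
    print(rate_test('RCVD_IN_BL_SPAMCOP_NET', 1177, 131, 1993, 19846))
    print('inconsistent rows:', inconsistent_rows(parse_table(TABLE)))
```

Note what S/O does not tell you: a test with S/O 1.000 and SPAM% 0.30 (RCVD_IN_OPM_WINGATE above) is very safe but rarely fires, whereas RCVD_IN_SORBS_SPAM hits 2.17% of ham, which is why its default score is 0.00 despite hitting 4% of spam.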

Trustic is down

Trustic: ‘We regret to inform you that we are no longer taking registrations and will soon be closing the service. We have determined that the system as it currently is designed will not achieve the level of accuracy that we require, and an inaccurate system is worse than no system.’

‘The DNS blocklist will remain for a couple of weeks, but it has been configured to never return a match. Please reconfigure your mail servers to not query the blocklist.’

That’s a shame…

valid reverse DNS now required to mail an AOL user

Given that something like 8.13% of the hosts that have sent non-spam mail to me do not have reverse DNS information recorded, the fact that AOL have just switched this on as a requirement will be interesting:

: jm ftp 1019...; dig aol.com mx
aol.com.                3559    IN      MX      15 mailin-01.mx.aol.com.
mailin-01.mx.aol.com.   92      IN      A       152.163.224.26
...
: jm ftp 1020...; telnet 152.163.224.26 25
Trying 152.163.224.26...
Connected to 152.163.224.26.
Escape character is '^]'.
220-rly-za01.mx.aol.com ESMTP mail_relay_in-za1.6; Thu, 22 May 2003 15:09:54 -0400
220-America Online (AOL) and its affiliated companies do not
220-     authorize the use of its proprietary computers and computer
220-     networks to accept, transmit, or distribute unsolicited bulk
220-     e-mail sent from the internet.  Effective immediately:  AOL 
220-     may no longer accept connections from IP addresses which 
220      have no reverse-DNS (PTR record) assigned.
^]
telnet> q
Connection closed.

(Untitled)

Some folks reckon that mailservers should have reverse DNS — in other words, that the SMTP server should have a fully-valid forward-to-reverse mapping for its address, to cut down on spam and forgeries. All well and good.

Some other folks reckon that filtering on it is therefore a good way to cut down on spam.

It’s a nice idea, apart from 2 things:

  • filtering based on this suffers the same problem some DNSBLs have: a false positive hurts the user, rather than the person who is at fault; also the user is virtually powerless to fix it.

  • the correlation between spam and missing reverse DNS is no longer as strong as it used to be, as far as I can tell; spammers know they should pick a relay or proxy with a reverse DNS entry to get through filters, and as it becomes a requirement for relaying in general, more hosts have this anyway (regardless of exploitability or not).
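The two posts above describe two different strengths of the same check: the AOL banner only requires that a PTR record exist, while ‘a fully-valid forward-to-reverse mapping’ also requires that the PTR’s name resolve back to the connecting address (forward-confirmed reverse DNS). As an added example (not AOL’s code, nor from the posts), here is Python that classifies a connecting address into ‘no-ptr’, ‘forward-mismatch’ or ‘ok’ and applies either policy. The DNS answers are injected as lookup functions: the fake tables below use constructed documentation-range addresses and hostnames so the code runs offline, and the ‘live_’ variants use the standard-library resolver for real use.

```python
import socket

# Constructed lookup tables standing in for the DNS (RFC 5737 documentation
# addresses and example.* names, not real hosts).
FAKE_PTR = {
    '192.0.2.10': ['mail.example.com'],   # PTR and A agree: forward-confirmed
    '192.0.2.20': ['mail.example.net'],   # PTR exists, but its A record points elsewhere
    # '198.51.100.5' is deliberately absent: no reverse DNS at all
}
FAKE_A = {
    'mail.example.com': ['192.0.2.10'],
    'mail.example.net': ['203.0.113.9'],
}


def fake_ptr_lookup(ip):
    return FAKE_PTR.get(ip, [])


def fake_a_lookup(name):
    return FAKE_A.get(name, [])


def live_ptr_lookup(ip):
    """PTR lookup through the system resolver (needs network access)."""
    try:
        primary, aliases, _addrs = socket.gethostbyaddr(ip)
        return [primary] + aliases
    except (socket.herror, socket.gaierror):
        return []


def live_a_lookup(name):
    """Forward (A/AAAA) lookup through the system resolver (needs network access)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def reverse_dns_status(ip, ptr_lookup, a_lookup):
    """Classify the connecting address:
       'no-ptr'           - no reverse record at all (what the AOL banner refuses)
       'forward-mismatch' - a PTR exists, but no forward record maps back to ip
       'ok'               - forward-confirmed reverse DNS (the full mapping)"""
    names = ptr_lookup(ip)
    if not names:
        return 'no-ptr'
    for name in names:
        if ip in a_lookup(name):
            return 'ok'
    return 'forward-mismatch'


def accept_connection(status, require_forward_confirmed=False):
    """AOL-style policy: a PTR must exist. Strict policy: it must also be
    forward-confirmed. Either way, 'no-ptr' is refused."""
    if status == 'no-ptr':
        return False
    if status == 'forward-mismatch':
        return not require_forward_confirmed
    return True


if __name__ == '__main__':
    for ip in ('192.0.2.10', '192.0.2.20', '198.51.100.5'):
        status = reverse_dns_status(ip, fake_ptr_lookup, fake_a_lookup)
        print(ip, status,
              'aol-style:', accept_connection(status),
              'strict:', accept_connection(status, require_forward_confirmed=True))
```

The injected lookups are also what makes the false-positive problem in the list above testable: a relay whose hosting provider never set up a PTR lands in ‘no-ptr’ and is refused under both policies, and nothing the sending user does on their own machine changes that answer.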

IEDR spams all .ie Postmaster addresses

Nice one! The IE Domain Registry (IEDR) has just sent out a ‘free newsletter‘ to all postmaster addresses in the entire .ie top-level domain. Yes, every one.

And did they follow the best practices for legit mailing list operators, like

  • (a) never mailing without a previous sign-up, or even

  • (b) setting up the list to use verified opt-in (“reply to confirm that you want to receive further mail”), instead of opt-out (“reply if you do not want to receive further mail”)?

Of course not:

YOU WILL BE RECEIVING this free bi-monthly ezine because you are one of our 31,000+ .ie domain name holders, an Irish journalist, with an Irish government body or have a legitimate interest in matters relating to the Domain Name System (DNS) in all Ireland, concerning .ie domain names. This publication is delivered by email and will serve as an official channel of the IEDR to deliver notices and announcements.

If you do not wish to receive Inside.ie, you can unsubscribe by clicking on the link below.

Not my emphasis, BTW. But don’t worry — their mail host was already listed in the DNS blacklists as a Confirmed Spam Source by the time I received it, so I don’t think we’ll be actually receiving many more of them ;)

For more information on the hi-larious antics of our national registrar, take a look at IEWatch.

Date: Thu, 24 Oct 2002 06:08:10 -0400
From: “Sophie Pozzey” (spam-protected)
To: (spam-protected)
Subject: The IEDR’s Inside.ie e-mail newsletter - Welcome

Dear Sir/Madam,

The IE Domain Registry Ltd. (IEDR - www.iedr.ie) is an independent not-for-profit organisation that manages the .ie country code Top Level Domain (ccTLD) namespace in the public interest of the Irish and global Internet communities. In line with the Best Practice Principles of IANA, ICANN, and CENTR, the IEDR is committed to the concept of administering .ie throughout all Ireland in an open and transparent manner.

INSIDE.IE, THE IEDR’S FREE BI-MONTHLY E-MAIL NEWSLETTER, assists us in attaining and maintaining this standard and in ensuring that recipients will be kept abreast of .ie and DNS related issues, nationally and internationally.

YOU WILL BE RECEIVING this free bi-monthly ezine because you are one of our 31,000+ .ie domain name holders, an Irish journalist, with an Irish government body or have a legitimate interest in matters relating to the Domain Name System (DNS) in all Ireland, concerning .ie domain names. This publication is delivered by email and will serve as an official channel of the IEDR to deliver notices and announcements.

If you do not wish to receive Inside.ie, you can unsubscribe by clicking on the link below.

Yours sincerely Sophie Pozzey

Co-ordinator, Inside.ie Head of Public Affairs & Communications IE Domain Registry Ltd Tel: 01 2300 797
Email: (spam-protected)
Web: http://www.iedr.ie

-|To be removed from this list, use this link: (spam-protected) To receive future messages in HTML format, use this link: (spam-protected)
