Verisign's land grab

  • Thread starter: Jonathan de Boyne Pollard
William Stacey said:
I tend to think you should let the server do what it normally does in
regards to mail. One of their claims is that they think this did not
affect anything, this can "help" show them that it does affect things.

I don't think Verisign cares after reading this article (provided to me by
NTCanuck) that asks Verisign to suspend this pending investigation:
http://www.icann.org/announcements/advisory-19sep03.htm

then Verisign's reply of a blatant "NO" with their own excuse of "let's see
what happens" attitude, which disregards the current public outcry of their
implementation:
http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
William Stacey said:
Yeh. By my read they have violated their contract in at least two spots.
ICANN needs to grow a spine...

Yep, I agree.

Can't wait to see what happens next, kind of like a thriller...

:-)

Ace
 
BSB> When some (e-mail address removed) sends spam to us and
BSB> it reverses to 64.94.110.11 why shouldn't we bounce it to them?

Who is "them" ? It isn't <[email protected]>. That
mailbox, after all, doesn't exist. It isn't Verisign, either.
Verisign is not the SMTP Relay client that is sending the mail to
you.

There's nowhere that bounce messages for
<[email protected]> can be sent to, and Verisign, by
its assertion that all subdomains of "com." now exist, has broken
your MTS's previous ability to detect this. Complain to Verisign,
loudly and long. Tell it to pay for the increased bandwidth and
disc space costs that it has caused you to incur by its action.

<URL:http://homepages.tesco.net./~J.deBo...-internet-coup.html#ConsequencesBypassAntiUBM>

BSB> Perhaps if they got a few million bounced spams they'd
BSB> understand what they've done to many UBE filters,
BSB> as your own page points out.

The web page also points out, in the item immediately preceding
that one, that Verisign's SMTP Relay server at 64.94.110.11 won't
accept any messages, bounce or other.
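
An added example (not part of the original posts) of the sender-domain check described above: it passes unregistered domains once every "com." name resolves, and works again when the address quoted in this thread is treated as "does not exist". The zone data, resolver functions and domain names are constructed for illustration, and the resolver is simplified to return the addresses a real MTA would obtain from MX/A lookups.

```python
# Address quoted in this thread as the wildcard answer; maintained by hand.
SITEFINDER_ADDRS = frozenset({"64.94.110.11"})

# Constructed zone data: only registered.com really exists.
REAL_ZONE = {"registered.com": ["192.0.2.25"]}

def resolve_plain(name):
    """Resolver before the wildcard: unregistered names yield no addresses."""
    return REAL_ZONE.get(name.lower().rstrip("."), [])

def resolve_wildcard(name):
    """Resolver after the wildcard: every unregistered .com name gets an answer."""
    name = name.lower().rstrip(".")
    if name in REAL_ZONE:
        return REAL_ZONE[name]
    return ["64.94.110.11"] if name.endswith(".com") else []

def sender_domain(mail_from):
    """Domain of an envelope sender; None for the null sender <>, '' if malformed."""
    addr = mail_from.strip().strip("<>")
    if not addr:
        return None
    local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep and local and domain else ""

def accept_sender(mail_from, resolve, synthesized=frozenset()):
    """True if the sender domain resolves to at least one non-synthesized address."""
    domain = sender_domain(mail_from)
    if domain is None:   # null sender: bounce messages must still be accepted
        return True
    if not domain:       # no usable domain part
        return False
    return bool(set(resolve(domain)) - set(synthesized))

if __name__ == "__main__":
    forged = "<spammer@unregistered-example.com>"  # constructed sender
    print(accept_sender(forged, resolve_plain))                       # rejected
    print(accept_sender(forged, resolve_wildcard))                    # check defeated
    print(accept_sender(forged, resolve_wildcard, SITEFINDER_ADDRS))  # rejected again
```

The pinned set only changes when an operator edits it, so a change of address by the registry has to be noticed and applied by hand.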
 
Sounds like MCI...

Ace


NT Canuck said:
verisign apparently own networksolutions...interesting what they did..
http://computerworld.com/developmenttopics/websitemgmt/story/0,10801,85305,00.html

another really odd way to market domain names from europe side
http://www.vnunet.com/News/1143835

so my point is...it's their aggressive marketing and expansion policy?

--
'Seek and ye shall find'
NT Canuck
http://ntcanuck.com BIND-PE & DNS
http://ntcanuck.com/tq/ Tips & Tweaks
http://ntcanuck.com/net/board/index.php
news://news.grc.com/grc.techtalk.dns.bind_pe_beta
 
William Stacey said:
I tend to think you should let the server do what it normally does in
regards to mail. One of their claims is that they think this did not affect
anything, this can "help" show them that it does affect things.

It would normally not accept the mail. Now that it does it's killing
our users. If they don't stop their junk by this time next week they
get all of our spam that reverses to their IP.

Sincerely,
Brian S. Bergin
Terabyte Computers, Inc.
 
Jonathan de Boyne Pollard said:
BSB> When some (e-mail address removed) sends spam to us and
BSB> it reverses to 64.94.110.11 why shouldn't we bounce it to them?

Who is "them" ? It isn't <[email protected]>. That
mailbox, after all, doesn't exist. It isn't Verisign, either.
Verisign is not the SMTP Relay client that is sending the mail to
you.

There's nowhere that bounce messages for
<[email protected]> can be sent to, and Verisign, by
its assertion that all subdomains of "com." now exist, has broken
your MTS's previous ability to detect this. Complain to Verisign,
loudly and long. Tell it to pay for the increased bandwidth and
disc space costs that it has caused you to incur by its action.

<URL:http://homepages.tesco.net./~J.deBo...-internet-coup.html#ConsequencesBypassAntiUBM>

BSB> Perhaps if they got a few million bounced spams they'd
BSB> understand what they've done to many UBE filters,
BSB> as your own page points out.

The web page also points out, in the item immediately preceding
that one, that Verisign's SMTP Relay server at 64.94.110.11 won't
accept any messages, bounce or other.

I never said I was going to send to 64.94.110.11. I said I was going to
forward to (e-mail address removed) ANY spam that the from domain reverses
to sitefinder's IP. I can only offer them a few thousand/day but if
others will join in we can provide them millions/day. abuse@ is
required by RFC so if they turn it off they will be doing exactly what
they claim they're not, violating RFC.

I told Mike Denning with the VeriSign Registry he had until next
Friday to fix the spam issue or I'd put our script in place. I made
sure he fully understood what I meant and he made no attempts to tell
me I could not do that. We'll see...

Sincerely,
Brian S. Bergin
Terabyte Computers, Inc.
 
Jonathan de Boyne Pollard said:
WS> To counter if Verisign changes the IP addresses daily or weekly,
WS> you could check the returned IP with the return of a query for
WS> actual wildcard (i.e. *.dns a) and see if they match.

... thereby allowing Verisign to _fully automate_ any
denial-of-service attack that it may make using the mechanism for
doing so that you are handing to it, instead of waiting for human
beings to catch up and modify their configuration files.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/verisign-internet-coup.html>

If one is taking the view that Verisign has gone rogue, handing it
further powers to do more damage (as these mechanisms all do) is not
the way to proceed.

Given that Verisign is rogue, there is one specific thing that people
can do, and I did yesterday. On my Win2k box yesterday I revoked my
trust on all Verisign and Thawte SSL certificates. Who wants to trust
certifications from a rogue agency?
(tools/options/content/certificates on MSIE)

That created a problem when it comes to updating my win2k system. I
went to install SP4 from the updates page. It turns out that although
MSFT is itself a root certificate authority, and issues its own
certificate, at least according to the certificates table on my box,
it required me to trust one or more Verisign certificates to complete
the SP4 update. It doesn't give you the option of one time accepting
an untrusted certificate - remove Verisign and Thawte certs and the
update will not complete. I had to go to the MSFT update site and
restore them to my 'trusted root certification authorities' table to
complete the SP4 update.

If Microsoft shares the view of everyone else that Verisign is no
longer reliable, it should sever that tie with Verisign and let us
update our Microsoft systems on the basis of our trust of the
Microsoft Root Authority certificate, not Verisign's. Requiring us to
trust Verisign's certs instead as being somehow safer or more reliable
than MSFT's own certs is a lot like running MSFT's web site on an
Apache server.

If they aren't willing to do that, I'd at least like to know which of
the multitude of Verisign/Thawte certs I can safely revoke without
losing my ability to run Win2k updates.
 