Spam

Spam / Featured Blogs

SECSAC Special Meeting on Site Finder: A Technical Analysis

After attending the afternoon ICANN Security & Stability Committee meeting, I realized that the issues involved fall into several related but independent dimensions. Shy person that I am *Cough*, I have opinions in all, but I think it's worthwhile simply to be able to explain the Big Picture to media and other folks that aren't immersed in our field. In these notes, I'm trying to maintain neutrality about the issues. I do have strong opinions about most, but I'll post those separately, often dealing with one issue at a time.

3rd Lawsuit Against VeriSign; Seeks Class Action Status

A third lawsuit has been filed late Friday in a federal district court in California against VeriSign, Inc. over its controversial DNS wildcard redirection service known as SiteFinder. It was filed by the longtime Internet litigator Ira Rothken. In addition, while two other lawsuits have been filed by Go Daddy Software, Inc. and Popular Enterprises, LLC. in Arizona and Florida, this is the first lawsuit to seek class-action status. Here is an excerpt from the "Introduction" section of this class-action lawsuit...

The Value of Trust in 2007

Applications and devices like cell phones, email, search engines, and automated programs handle the error messages differently; it would be naive for VeriSign to think only humans with browsers rely on DNS. When a user enters a non-exist domain name on their cell phone the DNS error message would prevent downloading. Now cell phones download VeriSign's SiteFinder webpage and Service Providers bill the cell phone user for that extra usage. SPAM prevention programs also rely on this error message to check to see if the domain is real.

Blacklists Down from Fear of DDoS

Yet another DNS blacklist has been taken down out of fear of the DDoS attacks that took down Osirusoft, Monkeys.com, and the OpenRBL. Blackholes.compu.net suffered a Joe-Job (A Joe-Job is essentially spam designed to look like it's coming from someone else.) earlier this week. Apparently the Joe-Jobing was enough to convince some extremely ignorant mail administrators that Compu.net is spamming and blocked mail from compu.net. Compu.net has also seen the effects of DDoS attacks on other DNS blacklist maintainers. They've decided that the risk to their actual business is too great and they are pulling the plug on their DNS blacklist before they come under the gun by spammers.

It’s “Verisign vs. Users”

But even if the collateral damage is left out of the picture, the very idea behind SiteFinder is user-unfriendly, and that's the second half of the ALAC's note: SiteFinder is, ultimately, about short-cutting other error handling methods, and redirecting any users that enter non-existing domain names into a web browser to Verisign's own service, for commercial purposes. SiteFinder is designed so it becomes difficult to deploy superior error handling services that would compete with it -- because errors aren't flagged.

Site Finder: The Technical, Legal & Privacy Concerns

It is openly admitted , in the same Implementation PDF file, that all accesses to the Site Finder service are monitored and archived. A further worry for users is the privacy policy and terms of service posted on the Site Finder service. Not only does the simple act of mistyping a URL implicitly cause you, the end user, to accept VeriSign's Terms of Service and Privacy Policy without the chance to review and accept or decline either, but critical information as described above is not disclosed in either policy (as of this writing). The Privacy Policy clearly states...

Paul Vixie in Response to Site Finder Controversy

As a domain holder myself (of vix.com), I would not have chosen ".com" for my parent domain name back in 1988 had there been a wildcard domain name [that activates Site Finder service] under ".com". The risk of someone attempting to reach me but ending up talking to someone else instead would have been seen as "too great". I am now searching for a new parent domain whose publisher will guarantee me, in perpetuity, that there will be no wildcard name as there now is in "com".

Brad Templeton in Response to Site Finder Controversy

A harmful, highly unilateral and capricious action. Tons of software out there depended on the ability to tell the difference between a domain name which exists and does not. They use that to give a meaningful, locally defined error to the user, or to identify if an E-mail address will work or not before sending the mail. Many used it as a way to tag spam (which came from domains that did not exist). It is the local software that best knows how to deal with the error.

Report on Reaction to Zuccarini’s Arrest

On September 3, 2003, United States federal law enforcement officers arrested the notorious John Zuccarini accused of allegedly creating misleading domain names to deceive children and direct them to pornographic websites. Zuccarini's arrest is the first to be made under the Truth in Domain Names Act, which took effect earlier this year prohibiting people from creating misleading domain names as a means to deceive children into viewing content that's harmful to minors, or tricking adults into clicking on obscene websites. What follows is a collection of commentaries made by experts in response to this event...

Rediscovering the Internet

I wrote a guest column for ZDNet last month on the importance of IPV6. I fear that the Internet has been devolving into a recreation of the old smart networks with a lot of perverse complexity in the infrastructure. The latest calls for protection from all that bad stuff only adds to my concern since the problems attributed to the "Internet" will encourage people to seek more meddling. Unfettered connectivity has been a necessary precondition for allowing innovation to thrive on the Internet. It worked because the same openness allowed those at the edges to protect themselves against the errors whether malicious or just problematic. In fact, the so-called Internet revolution was triggered by the key concept of the browser -- treating other systems with suspicion but leaving it to the end points to decide how much to trust each other.