lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: craig at strong-box.net (Craig Pratt)
Subject: Verisign abusing .COM/.NET monopoly, BIND releases new

Wow. This is amazing - and quite sad.

If you don't appreciate what this means, open your web browser, and 
enter an URL by running your hand across the keyboard, and add ".com" 
or ".net" at the end.

e.g. http://fbbgqqweffewq.com

Expecting a "server not found" message? Guess again:

   We didn't find: "fbbgqqweffewq.com"
   There is no Web site at this address.

   Search the Web: ____________________

   Search Popular Categories:

      Travel  Entertainment  Gambling  Shopping  Gifts  ...

   Copyright? 2003 VeriSign, Inc. All Rights Reserved

There are lots of DNS implications for this, not to mention wasted 
network bandwidth and caching proxy server. Perhaps people can start 
billing VeriSign for these wasted resources?

Next thing you know, they'll be selling banner ads up there for casinos 
and X10 equipment.

Craig

On Tuesday, Sep 16, 2003, at 21:50 US/Pacific, Joshua Levitsky wrote:
>
> On Sep 17, 2003, at 12:42 AM, Joshua Levitsky wrote:
>
>> On Sep 16, 2003, at 11:16 PM, Thor Larholm wrote:
>>
>>> Mail administrators
>>> who use any non-existant DNSBL to mark email as spam suddenly has all
>>> their mails deleted,
>>
>> Actually I figured out how to use it to my advantage. I query "." 
>> which is my own DNS server of course as a ip4r blacklist and if the 
>> IP for verisign's site is returned then I give the spam a very high 
>> score. Any domain that doesn't exist would fail this, but any other 
>> domain would not return that IP, but rather the proper IP.  I'm still 
>> pissed at Verisign, but I always try to turn a problem in to an 
>> opportunity so now I'm using their greed to block spam.
>>
>
> Just to clarify my own post. I meant a right hand side test so it is 
> checking the address that the sender is claiming is theirs rather than 
> how you typically check the host that is handing the mail to you. 
> (It's late and I clicked send too quick.)
>
> -Josh
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
This message checked for dangerous content by MailScanner on StrongBox.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ