[Talk] URGENT: VeriSign upsets MTAs the world over, maybe including yours
Leon Brooks
leon at cyberknights.com.au
Thu Sep 18 11:26:45 EST 2003
If your email queues are filling up and spam-processing mail servers
showing absurd load levels, it might be VeriSign's fault.

They're answering A and DNS requests for non-existent domains with
wildcard records. The effect of this is that where an email server
would previously have simply discarded the email, it now has somewhere
to send it, and so it tries.

To complicate matters, VeriSign are having trouble keeping their servers
up (hmm, hard to figure out why).

The dummy email server they have in place accepts three lines of
anything (except QUIT) and then returns a 550 domain-does-not-exist.

What can you do about it? Block 64.94.110.11 completely, or better still
apply a BIND patch which understands and defeats VeriSign's tactic:

http://www.isc.org/products/BIND/delegation-only.html

If you're using a closed-source DNS package, now would be a good time to
suggest upgrading to an open one, since your supplier's not going to
return a fix for this within 24 hours like ISC did.

The patch also helps out proxy managers whose proxies previously
directed their users towards helpful internal error pages, but at the
moment are showing them near-useless VeriSign ads instead.

Cheers; Leon
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Committee Member, Perth Linux User Group
http://slpwa.asn.au/ Committee Member, Linux Professionals WA
http://linux.org.au/ Committee Member, Linux Australia
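
Added example, not part of the post above and not ISC's code: a simplified Python model of the delegation-only rule the linked patch implements, next to the cruder "block the address" check. The Response structure, the zone list, the domain names and the sample responses are constructed for illustration; counting only explicit NS records for a child name as a delegation is a simplifying assumption.

```python
from dataclasses import dataclass, field

# Assumption: zones that should only ever hand out referrals, never answers.
DELEGATION_ONLY = {"com.", "net."}
# The address named in the post; the simple mitigation keys on it.
WILDCARD_ADDRS = {"64.94.110.11"}

@dataclass
class Response:
    qname: str                                     # fully qualified, trailing dot
    from_zone: str                                 # zone whose servers answered
    answer: list = field(default_factory=list)     # (owner, type, rdata) tuples
    authority: list = field(default_factory=list)  # (owner, type, rdata) tuples

def is_child(name, zone):
    """True if name lies strictly below zone."""
    name, zone = name.lower(), zone.lower()
    return name != zone and name.endswith("." + zone)

def has_delegation(resp):
    """True if the authority section holds NS records for a child of the zone."""
    return any(rtype == "NS" and is_child(owner, resp.from_zone)
               for owner, rtype, _ in resp.authority)

def delegation_only_verdict(resp):
    """Return 'NXDOMAIN' or 'PASS', as a resolver applying the rule would."""
    zone = resp.from_zone.lower()
    if zone not in DELEGATION_ONLY:
        return "PASS"          # rule applies only to the listed zones
    if resp.qname.lower() == zone:
        return "PASS"          # the zone apex is exempt
    if has_delegation(resp):
        return "PASS"          # a genuine referral to a registered domain
    return "NXDOMAIN"          # the zone answered for a name it never delegated

def address_block_hit(resp):
    """The simpler check: does any A record point at the known address?"""
    return any(rtype == "A" and rdata in WILDCARD_ADDRS
               for _, rtype, rdata in resp.answer)

# Constructed sample responses.
COM_NS = [("com.", "NS", "a.gtld-servers.net.")]
wildcard = Response("no-such-name-xyz.com.", "com.",
                    [("no-such-name-xyz.com.", "A", "64.94.110.11")], COM_NS)
moved = Response("no-such-name-xyz.com.", "com.",
                 [("no-such-name-xyz.com.", "A", "192.0.2.1")], COM_NS)
referral = Response("www.example.com.", "com.", [],
                    [("example.com.", "NS", "ns1.example.com.")])
```

The `moved` response shows why the post calls the patch the better option: the address check stops matching as soon as the wildcard target changes, while the delegation rule does not depend on the address at all.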