[Talk] URGENT: VeriSign upsets MTAs the world over, maybe including yours

Leon Brooks leon at cyberknights.com.au
Thu Sep 18 11:26:45 EST 2003


If your email queues are filling up and spam-processing mail servers 
showing absurd load levels, it might be VeriSign's fault.

They're answering A and DNS requests for non-existent domains with 
wildcard records. The effect of this is that where an email server 
would previously have simply discarded the email, it now has somewhere 
to send it, and so it tries.

To complicate matters, VeriSign are having trouble keeping their servers 
up (hmm, hard to figure out why).

The dummy email server they have in place accepts three lines of 
anything (except QUIT) and then returns a 550 domain-does-not-exist.

What can you do about it? Block 64.94.110.11 completely, or better still 
apply a BIND patch which understands and defeats VeriSign's tactic:

    http://www.isc.org/products/BIND/delegation-only.html

If you're using a closed-source DNS package, now would be a good time to 
suggest upgrading to an open one, since your supplier's not going to 
return a fix for this within 24 hours like ISC did.

The patch also helps out proxy managers whose proxies previously 
directed their users towards helpful internal error pages, but at the 
moment are showing them near-useless VeriSign ads instead.

Cheers; Leon

-- 
http://cyberknights.com.au/     Modern tools; traditional dedication
http://plug.linux.org.au/       Committee Member, Perth Linux User Group
http://slpwa.asn.au/            Committee Member, Linux Professionals WA
http://linux.org.au/            Committee Member, Linux Australia
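
An added example, not part of the original post: one way to check from a mail or proxy host whether a TLD is answering non-existent names with a wildcard, by resolving several random names and seeing whether they all come back with the same address. `detect_wildcard`, `fake_resolver` and the sample tables are hypothetical names constructed for this illustration; only 64.94.110.11 comes from the post.

```python
import secrets
import socket

def system_resolver(name):
    """Return the IPv4 addresses the local resolver gives for name (empty set if none)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # gaierror/herror: no such name, server failure, timeout
        return set()

def detect_wildcard(tld, resolve=system_resolver, probes=4):
    """Resolve several random, almost certainly unregistered names under tld.

    Returns the addresses present in every answer. An empty set means at
    least one probe got a proper "no such name", so nothing is synthesised.
    """
    common = None
    for _ in range(probes):
        # 32 random hex characters; the trailing dot stops search-domain expansion.
        name = f"{secrets.token_hex(16)}.{tld}."
        addrs = set(resolve(name))
        if not addrs:
            return set()
        common = addrs if common is None else common & addrs
    return common or set()

# Constructed stand-in for a resolver so the example runs offline:
# "com" is wildcarded to the address named in the post, "org" is not,
# and example.com is a sample registered name.
REGISTERED = {"example.com": {"192.0.2.10"}}
WILDCARDED = {"com": {"64.94.110.11"}}

def fake_resolver(name):
    name = name.rstrip(".").lower()
    if name in REGISTERED:
        return REGISTERED[name]
    return WILDCARDED.get(name.rsplit(".", 1)[-1], set())

if __name__ == "__main__":
    for tld in ("com", "org"):
        hit = detect_wildcard(tld, resolve=fake_resolver)
        print(tld, "wildcard ->", sorted(hit) if hit else "none")
```

Called without `resolve`, the function uses the host's own resolver; once the resolver in use refuses the synthesised answers, the result for an affected TLD should come back empty.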



