In case you didn't see the news on Slashdot (I didn't--someone had to tell me), it seems that Verisign has decided to demonstrate their evil in a way that I thought only Microsoft would:

As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now result in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising.

Okay, everyone. Let's all say it together: Fuck Verisign!

In case you haven't already done so, now would be an excellent time to move your domains to a more sensible registrar. I moved all mine to OpenSRS a while ago and have never looked back.

Consider making an appropriate entry for 64.94.110.11 in your routing table and/or firewall.

Some are reporting that not all the root servers have the wildcard yet. I found that it worked sometimes but not others.

See Also: I feel so dirty...

Posted by jzawodn at September 15, 2003 11:27 PM

Reader Comments
# Mike Hillyer said:

I missed that on slashdot, but caught it from the O'Reilly RSS feed. This is horrid, especially if they wind up being not too choosy with the advertisers and let some poor kid see porn when he mistypes www.disney.com. I already thought it was bad enough when some evil types register common misspellings like www.googlee.com!

on September 16, 2003 08:04 AM
# BillSaysThis said:

Consider making an appropriate entry for 64.94.110.11 in your routing table and/or firewall.

Could you be more explicit about what to do here for us less knowledgeable types?

on September 16, 2003 09:29 AM
# gabe said:

I've sent email to friends and family explaining the situation and asking them to email comments@icann.org to ask them to stop VeriSign. Now I just need to figure out how to get my DSL router to block 64.94.110.11 (that number will now live in infamy).

The thing that pisses me off the most about this is that they've got that mail server running on the host... All it does is listen to the HELO, MAIL FROM and RCPT TO commands (enough to snatch your email address(es)) and then drops the connection. The only possible reason for that existing is to harvest email for spamming.


Fuck VeriSign!

on September 16, 2003 09:49 AM
# Gavin said:

If you're using Win NT/XP you can edit the hosts file. Find c:\windows\system32\drivers\etc\hosts and add a line at the bottom:

0.0.0.0 sitefinder.verisign.com

If you feel like it you could change the ip to a local webserver or something.

on September 16, 2003 10:27 AM
# Jeremy Zawodny said:

On Linux:

route add -host 64.94.110.11 gw 127.0.0.1

should do the trick.

The syntax is similar on other Unixes.

on September 16, 2003 10:46 AM
# Jeff Bearer said:

Off topic, but did you know you can read Jeremy's blog in shizzle? Thanks Snoop! ;)

on September 16, 2003 11:13 AM
# Bryant said:

The thing that pisses me off the most about this is that they've got that mail server running on the host... All it does is listen to the HELO, MAIL FROM and RCPT TO commands (enough to snatch your email address(es)) and then drops the connection. The only possible reason for that existing is to harvest email for spamming.

Incorrect.

If they didn't have a mail bouncer running, and you typoed a domain in your email, it would take days before you found out about it. Remember the standard behavior for mail transport agents when a mail server appears to be down: they wait a while, then try again.

So, if I emailed to bob@mispelled.com, my mailer would try and deliver to the VeriSign site and fail. A few hours later, it would try again. A few hours after that, it would try again, and so on. A few days later I'd get the bounce message.

So, annoyingly, VeriSign has to run the bounce agent on that server. The fact that their actions force them to run something which could be used to collect spam targets is another good reason why they shouldn't be doing this at all.

on September 16, 2003 11:53 AM
# Peter said:

From a business perspective, this move by Verisign seems to be a desperate action.

My thought is that we probably won't have to worry about Verisign a few years from now; just like we won't have to worry about Microsoft. :)

on September 16, 2003 12:28 PM
# said:

The problem with Verisign running a bouncing mail server is that mail that is temporarily undeliverable because of DNS issues (someone typo'd a MX record, or a domain's servers are down) that would have retried and ultimately succeeded now bounces immediately fatally.

Yeah, it means that if you make a whoops you don't get immediately notified, but... sheesh--this is mail. Store-and-forward with best effort delivery's the whole point. This new move by verisign gets in the way of that.

on September 16, 2003 01:57 PM
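The two comments above argue about what the bouncer on 64.94.110.11 does to mail: Bryant's point is that a permanent 5xx reply bounces a typoed address at once instead of after days of retries, the anonymous reply's point is that a destination which would have recovered now bounces "immediately fatally". The following is an added example, not code from the post or from any MTA: a toy model of an MTA queue driven against constructed "remote servers". The 4-hour retry interval and 5-day queue lifetime are assumed values standing in for typical MTA defaults.

```python
# Added example, not code from the post: a toy model of an MTA's queue so the
# two behaviours discussed in the comments can be compared side by side.
# RETRY_INTERVAL_HOURS and MAX_QUEUE_HOURS are assumed values, not from the post.

RETRY_INTERVAL_HOURS = 4
MAX_QUEUE_HOURS = 5 * 24


def classify_reply(code):
    """Map an SMTP reply code (or None for 'could not connect') to the MTA's decision."""
    if code is None:
        return "defer"                  # host unreachable: keep in queue, retry later
    if 200 <= code < 300:
        return "delivered"
    if 400 <= code < 500:
        return "defer"                  # temporary failure: retry later
    if 500 <= code < 600:
        return "bounce"                 # permanent failure: return to sender now
    raise ValueError(f"not an SMTP reply code: {code!r}")


def simulate(server, interval=RETRY_INTERVAL_HOURS, max_hours=MAX_QUEUE_HOURS):
    """Drive the queue against `server(hour) -> reply code or None`.

    Returns (final_status, hour_of_last_attempt, attempt_count).
    """
    hour, attempts = 0, 0
    while True:
        attempts += 1
        verdict = classify_reply(server(hour))
        if verdict == "delivered":
            return ("delivered", hour, attempts)
        if verdict == "bounce":
            return ("bounced", hour, attempts)
        if hour + interval > max_hours:
            return ("bounced", hour, attempts)   # gave up after the maximum queue life
        hour += interval


# Constructed "remote servers" (hypothetical, for illustration only):

def dead_host(hour):
    """Nothing answers: the pre-wildcard fate of mail to a typoed domain."""
    return None


def sitefinder_bouncer(hour):
    """A host that answers every delivery with a permanent 5xx."""
    return 550


def fixed_after(hours_until_fixed):
    """A destination that is unreachable until an admin repairs it."""
    def server(hour):
        return 250 if hour >= hours_until_fixed else None
    return server


def wildcard_until_fixed(hours_until_fixed):
    """Same broken destination, but the broken name now lands on a 5xx bouncer."""
    def server(hour):
        return 250 if hour >= hours_until_fixed else 550
    return server


def compare():
    """Run all four scenarios; returns {label: (status, hour, attempts)}."""
    return {
        "typo, nothing answers": simulate(dead_host),
        "typo, 5xx bouncer": simulate(sitefinder_bouncer),
        "broken, fixed at 12h, nothing answers": simulate(fixed_after(12)),
        "broken, fixed at 12h, 5xx bouncer": simulate(wildcard_until_fixed(12)),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:40} -> {result}")
```

Running it shows both sides of the argument: with nothing answering, the typoed address sits in the queue for the full five days before the sender hears anything, while the bouncer returns it on the first attempt. But the destination that would have been repaired after twelve hours is delivered on the fourth attempt in the first case and bounced on the first attempt in the second.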
# Alden Bates said:

Yup, seems to be working here, though the server at 64.94.110.11 seems to be rather slow. Probably because it's being flooded with millions of requests per minute...

Bwa ha ha

on September 16, 2003 02:13 PM
# Derek said:

You can vote on whether Verisign's CEO is doing a good job here

on September 16, 2003 02:52 PM
# Matthew said:

There is a collection of patches for various dns servers and resolver libraries at Imperial Violet. I've been running the djbdns one for 12 hours or so and it's working fine, I can't speak for the others.

on September 16, 2003 03:22 PM
# goverisign said:

You go verisign! Show these four eyed little twits what big business is all about. The whole time they're crying and boo hooing the top dogs will be raking in the cash..... And that, you little idealistic brain-dead blogging twerps, is what it's all about!

hahahahahahahahahahahah.......

on September 16, 2003 03:55 PM
# Bryant said:

The problem with Verisign running a bouncing mail server is that mail that is temporarily undeliverable because of DNS issues (someone typo'd a MX record, or a domain's servers are down) that would have retried and ultimately succeeded now bounces immediately fatally.

Agreed. It causes other problems, but I think running a bouncing mail server is the least bad alternative given the original decision. Much as I hate to say it.

A domain's servers being down won't cause problems, btw, because the .com/.net nameservers will still return an NS record for that domain, and as long as there's a valid NS record the wildcard won't kick in. I'm sorry to be pedantic about this but I think it's important not to give VeriSign any wiggle room; we need to be very accurate about what they've done wrong.

on September 16, 2003 05:41 PM
# George Kirikos said:

I've created an online petition to help stop this abuse of the DNS by Verisign. If you could help spread the word, that would be great.

on September 16, 2003 06:05 PM
# shawn said:

ok I am not the smartest of this group and Tom of Vpop actually told me about this link but all I gotta say is MONOPOLY!!! i have seen it before but that was on URLs that were already previously hosted on that server OR paid for and lawfully theirs! therefore let's all say FUCK VERISIGN! (i have been pleasantly happy with vpop.net though :-D)

on September 16, 2003 09:51 PM
# Adam Gaffin said:

Is this just me or ... ?

I have IE with the Google toolbar. When I tried some nonsense URLs just now, instead of getting a Verisign page, I got a Google page!

"Sorry, no information is available for the URL www.netcsape.com" (as one example, wrapped in the Google interface).

on September 17, 2003 05:58 AM
# Fight back said:

Give em a call at their toll-free numbers:

888-642-9675
888-655-4636
800-361-8319
866-720-2304

on September 17, 2003 09:28 AM
# Sezer Yalcin said:

I
just
want
to
FUCK verisign.
I cannot believe this happened. With special thanks to US gov't and IANA. God may bless you!

I made and was using an advanced script for domain monitoring and availability. As a responsible and intelligent programmer the script was not querying verisign database for those domains who already have a ns record. Since it was stupid and saving internet resources. But now my script gives wrong information, not because it is a fucking script but because it is a smart and thoughtful script.
My script also wishes to fuck verisign. Maybe we enjoy group sex where as a ceo, I fuck ceo of verisign and my script fucks the company itself.

Sorry for being so fucking...

on September 17, 2003 10:56 AM
# Dan Isaacs said:

"Give em a call at their toll-free numbers:"

And make sure you use your Fax machine to make those calls.

on September 17, 2003 11:13 AM
# Derek said:

Bind9 already has the code in place to solve the problem as of this morning I believe, you can do

zone "com" { delegation-only; };

and only SOA and NS records from within that zone will be accepted. Thus, if you query the root for "foo.com" and get an A record, it's as though you never got a return result at all, and we're back to status quo.

The net interprets stupidity as an outage and routes around it.

on September 17, 2003 12:50 PM
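Derek's delegation-only description above, together with Bryant's earlier point that the wildcard cannot fire for any name that has a valid NS delegation, can be made concrete with a small model. The following is an added example, not code from the post, from BIND, or from VeriSign: a simplified delegation-only filter applied to constructed responses that mimic what the .com servers returned for a real domain, for a typo, and for the zone apex. Record dicts, the sample names and the `delegation_only_filter` function are all assumptions made for this illustration; real BIND also handles DS records and glue, which this model omits.

```python
# Added example, not code from the post or from BIND: a simplified model of the
# `delegation-only` rule, applied to constructed responses from a TLD server.

SITEFINDER_IP = "64.94.110.11"  # wildcard A record target named in the post


def _is_below(name, parent):
    """True if `name` is a proper subdomain of `parent` (absolute, dot-terminated names)."""
    name, parent = name.lower(), parent.lower()
    return name != parent and name.endswith("." + parent)


def _covers(owner, qname):
    """True if `owner` equals `qname` or is one of its ancestors."""
    owner, qname = owner.lower(), qname.lower()
    return owner == qname or qname.endswith("." + owner)


def delegation_only_filter(zone, qname, response):
    """Apply the delegation-only rule to one response from the `zone` servers.

    A delegation-only TLD may only hand back its own apex data (records for
    `zone` itself) or a referral: NS records for a child zone that covers
    `qname`. Anything else, such as an A record synthesised by a wildcard,
    is treated as if the name did not exist.
    Returns ("OK", records) or ("NXDOMAIN", []).
    """
    records = list(response.get("answer", [])) + list(response.get("authority", []))
    if qname.lower() == zone.lower():
        return ("OK", records)                      # apex query: the zone's own data
    referral = any(
        rr["type"] == "NS" and _is_below(rr["name"], zone) and _covers(rr["name"], qname)
        for rr in records
    )
    if referral:
        return ("OK", records)                      # a real delegation exists
    return ("NXDOMAIN", [])                         # wildcard data is dropped


# Constructed responses mimicking the .com servers during the wildcard episode.
SAMPLE_RESPONSES = {
    # Real domain: the TLD answers with a referral to the domain's own nameservers,
    # whether or not those nameservers happen to be up.
    "www.somecompany.com.": {
        "answer": [],
        "authority": [{"name": "somecompany.com.", "type": "NS", "data": "ns1.somecompany.com."}],
    },
    # Typo: no delegation exists, so the wildcard synthesises an A record.
    "soemcompany.com.": {
        "answer": [{"name": "soemcompany.com.", "type": "A", "data": SITEFINDER_IP}],
        "authority": [],
    },
    # Same typo, deeper name.
    "mail.soemcompany.com.": {
        "answer": [{"name": "mail.soemcompany.com.", "type": "A", "data": SITEFINDER_IP}],
        "authority": [],
    },
    # Apex query for the TLD's own NS set (constructed server name).
    "com.": {
        "answer": [{"name": "com.", "type": "NS", "data": "a.gtld-servers.net."}],
        "authority": [],
    },
}


def check_all(zone="com."):
    """Run the filter over every sample response; returns {qname: status}."""
    return {q: delegation_only_filter(zone, q, r)[0] for q, r in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for qname, status in check_all().items():
        print(f"{qname:25} -> {status}")
```

The referral case is the one Bryant describes: the .com servers still return the NS record for somecompany.com even when that domain's own servers are down, so the filter passes it and the wildcard never enters the picture. The two typo cases carry only a synthesised A record with no delegation covering the name, so a delegation-only resolver reports NXDOMAIN exactly as it would have before the wildcard was added.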
# FROM: said:

Whoever said "The fact that their actions force them to run something which could be used to collect spam targets is another good reason why they shouldn't be doing this at all" hasn't tested the bouncer. It gives "250 OK" no matter what you enter unless it's "FROM:some@addy.tld". It should return 550 immediately but that wouldn't be what Verisign's partners want...

http://www.circleid.com/article/260_0_1_0_C/

on September 17, 2003 04:21 PM
# TomW said:

64.94.110.11 - The new number for the BEAST... The End is Near! Repent your Internet transgressions!! VeriSign "SiteBlinder" is the anti-christ!!!

on September 17, 2003 09:29 PM
# Brad said:

Well my co-located server at rackspace cannot even ping the address, so i guess they've null routed the IP for everyone :)

Or something's wrong with my server, hmmmmm

on September 18, 2003 12:04 AM
# reinhard said:

This is abuse and spam and they have to be stopped!!

on September 19, 2003 12:14 AM
# jason said:

Hmm. Their server seems to have foiled my attempts to send it a comment on their sitefinder service....

[jason@tetsuo jason]$ telnet 64.94.110.11 80
Trying 64.94.110.11...
Connected to 64.94.110.11.
Escape character is '^]'.
FUCK OFF
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>405 Method Not Allowed</TITLE>
</HEAD><BODY>
<H1>Method Not Allowed</H1>
The requested method FUCK is not allowed for the URL OFF.<P>
</BODY></HTML>
Connection closed by foreign host.

on September 19, 2003 06:21 AM
# Mr. Al-Sahhaf said:
on September 19, 2003 05:29 PM
# ryan said:

Why doesn't someone write an app that runs on your pc that requests domains that don't exist. Poison their data collection. Fill up their drives with useless crap.

Eg. www.verisignsucksass.com
www.verisignisshit.com
etc

on September 19, 2003 06:55 PM
# Mark Greenspun said:

My computer has some kind of malware on it. It is called "Mysoft sitefinder.verisign.com" Spybot Search and Destroy finds it but it can't delete it. Do you know what this is and how it affects my computer and how can I can get rid of it. Thank you for any help you can give. Please Email me at intercoman@hotmail.com with your reply.

on April 18, 2005 11:10 PM