Mailing List Archive



[tlug] Verislime



Hi,

Have any mail admins out there noticed a direct knock-on effect of
Verislime's latest prank (adding wildcards to the .com and .net gTLD
nameservers)?

Obviously, one can no longer reject mail based on a non-existent FROM
address in the SMTP envelope, because all domains now exist from a DNS point
of view.

Reminder: any non-existent domain name under .com and .net now resolves to
64.94.110.11, where there's a webserver redirecting browsers to
sitefinder.verisign.com [12.158.80.10], giving the viewer a nice ad for
Verisign.

There's also a non-functional SMTP server on 64.94.110.11 in that it simply
550's all mail after the RCPT TO:. Knowing Verislime's past (such as
trawling through competing registrars' whois databases looking for contacts
who were promptly sent urgent domain registration renewal "reminders"), I
wouldn't AT ALL put it past them to harvest addresses from that mail
rejector.

Action taken here:

My nameserver is now "authoritative" for sitefinder.verisign.com, so my
users will still get the "site can't be found" if redirected there.

64.94.110.0/24 and 12.158.80.0/24 are blocked both in and out:

# Assumes EXT_IF (external interface) and MY_SUBNET (local network) are set.
IPT="/usr/sbin/iptables -t filter -A"
# Drop anything arriving from the Site Finder and sitefinder.verisign.com nets.
$IPT INPUT -i "$EXT_IF" -s 64.94.110.0/24 -j DROP
$IPT INPUT -i "$EXT_IF" -s 12.158.80.0/24 -j DROP
# Reject (with an ICMP error so clients fail fast) local traffic headed there.
$IPT FORWARD -s "$MY_SUBNET" -d 12.158.80.0/24 -j REJECT --reject-with icmp-net-prohibited
$IPT FORWARD -s "$MY_SUBNET" -d 64.94.110.0/24 -j REJECT --reject-with icmp-net-prohibited

-- 
G. Stewart   --   gstewart@example.com -- gstewart@example.com
Registered Linux user #284683 (Slackware 9.0)
---------------------------------------------------------------
I don't approve of political jokes... I've seen too many of them get
elected.

Attachment: pgp00069.pgp
Description: PGP signature
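The post's complaint is that a wildcard in the .com/.net zones makes every unregistered sender domain look real to an MTA, which then falls back to the wildcard A record when no MX exists. One way a mail admin could restore the "sender domain does not exist" check is to treat an answer pointing at the known wildcard address as NXDOMAIN. The example below is added here and is not code from the original post or from Verisign; it uses a constructed in-memory resolver (an assumption standing in for real DNS, with the wildcard modelled as an A-only record as the post describes) so that it runs offline.

```python
"""Added example: reject a sender domain whose only mail target is the
registry wildcard address, instead of trusting that 'every domain exists'."""

# Address the post says unregistered .com/.net names now resolve to.
SITEFINDER_WILDCARD = {"64.94.110.11"}

# Constructed zone data (assumption, not a real lookup): keys are
# (name, rrtype); values are lists of rdata strings.
FAKE_ZONES = {
    ("example.com", "MX"): ["10 mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("example.net", "A"): ["192.0.2.80"],
}


def fake_resolve(name, rrtype):
    """Stand-in for a DNS query (assumption). Names in FAKE_ZONES answer
    normally; any other name under .com/.net gets the wildcard A record;
    everything else returns no data, as a real NXDOMAIN would."""
    name = name.rstrip(".").lower()
    if (name, rrtype) in FAKE_ZONES:
        return list(FAKE_ZONES[(name, rrtype)])
    if rrtype == "A" and name.endswith((".com", ".net")):
        return sorted(SITEFINDER_WILDCARD)   # synthesized wildcard answer
    return []


def mail_targets(domain, resolve=fake_resolve):
    """Addresses an MTA would try for this domain: the MX targets if any
    exist, otherwise the domain's own A record (the usual fallback)."""
    mx = resolve(domain, "MX")
    hosts = [rr.split()[1] for rr in mx] if mx else [domain]
    addrs = []
    for host in hosts:
        addrs.extend(resolve(host, "A"))
    return addrs


def classify_sender_domain(domain, resolve=fake_resolve,
                           wildcard=SITEFINDER_WILDCARD):
    """Return 'ok' for a domain with a genuine mail target, 'wildcard' when
    the only target is the registry's catch-all address, and 'nxdomain'
    when nothing resolves at all."""
    addrs = mail_targets(domain, resolve)
    if not addrs:
        return "nxdomain"
    if all(a in wildcard for a in addrs):
        return "wildcard"
    return "ok"


def sender_domain_exists(domain, resolve=fake_resolve):
    """The envelope-FROM check the post says was broken: True only when the
    domain has a mail target that is not the wildcard address."""
    return classify_sender_domain(domain, resolve) == "ok"


if __name__ == "__main__":
    for d in ("example.com", "example.net",
              "no-such-domain-xyz.com", "nothing.org"):
        print(d, classify_sender_domain(d), sender_domain_exists(d))
```

In a real deployment the `resolve` argument would wrap an actual DNS client, and the wildcard set would be whatever addresses the registry is currently answering with; the point of the structure is that the rejection decision keys off the known wildcard address rather than off whether the name resolves at all.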

