Spammers abusing recursive caching name servers

Scott Lambert lambert at lambertfam.org
Tue Dec 16 05:04:58 UTC 2003


On Mon, Dec 15, 2003 at 11:35:52PM +0000, Simon Waters wrote:
> Scott Lambert wrote:
> > 
> > Query comes in from outside mycidr/mask;
> >   Am I configured to be authoritative for this request?
> >     Yes: answer the query
> >     No:
> >       Do the roots say I am authoritative for this request?
> >         Yes:
> >           Case request type in:
> >             A or AAAA) return the Silly Spammers IP.
> >             *)         return NXDOMAIN
> >           esac;
> >         No:
> >           Is requester in abusive ACL?
> >             Yes: drop the query or return NXDOMAIN
> >             No: go ahead and do the recursive query.
> >               # so that the spammers are encouraged to try these tricks
> >               # and we get more chances to call users "stupid" or otherwise
> >               # provide education, depending on the BOFHness of the admin. :-)
>
> The problem is you don't want to abuse such clients too roundly, as
> some may be confused paying clients.

Obviously, I am merely venting when I threaten to tell people who go
to spamvertized web pages that they are idiots.  Note the "provide
education" clause above.  That is what would hit the production server.
A clue-by-four can be shaped like a lollipop.

After all, I'm bound to have dial-up customers who still have the DNS
servers hard-coded while roaming.  I'll have to explain to them why
they ended up on that page, if for some reason they get redirected
to that page due to some error in configuration of the name server.
For instance, BIND refuses to load a zone file because of corruptions
somewhere between the working directory and the CVS server and the
checkout on the actual name server; or, I do something stupid while
editing the zone file.
 
> If you discover domains spuriously delegated to your DNS servers, well I
> think they are fair game, at least as far as reducing load on your own
> name servers goes. Just load up a generic "duff" zone file for each such
> zone with a few hours cache time.

I am not worried about the stray spuriously delegated zone.  The load
imposed by BIND is not really significant to any of my name servers.
Not even while we were being abused by the spammers.  

Although this config might help administrators who lack clue notice what
is wrong with their domain name service in the unlikely event that they
typo a name server IP and it ends up being a name server configured the
way I want; or, if someone transfers a domain and misses changing one
or more of the name server IP addresses.  I guess that will have to
be another "Possible reasons you arrived at this page" clause on the
educational page.

I am after the maliciously delegated zones of spammers or anyone else
being abusive who wants to use my name server's cache to reduce load on
their servers.

I know I can manually configure bad zones.  I am simply hoping, not
demanding, that a feature to do this automagically might appeal to
others with the skills to implement it.

I've not heard of anyone else having their caching server abused
in this manner, yet.  One of my users may have brought this on by
aggressively chasing spammers in the abuse newsgroups.  He tends to get
someone mad enough to DDoS him occasionally.  

I've had to deal with many spam complaints because my name servers'
IP appears in the registration data for these scam-artist spammers'
domains.  None of the complainants had actually tried to see if my server
would respond for the domains in question.  I would like to be
able to encourage them to look at what comes up in their browser when my
name servers resolve the problem domain.  I think it should be good for
giggles.
 
> Punishing people for stupidity may seem superficially attractive, until
> you are having an off day, and find your own stupidity punished.

It is great fun to talk about.  Just like those daydreams of making
the classic "good start" of the lawyer joke apply to the spammers, the
PEBKAC and ID-10-T errors.  Then you pick up the phone and help the
customer figure out how to repair their trojaned Windows box.
 
> More generally split authoritative and recursive servers and the problem
> should go away.

As I mentioned originally, we have made the problem go away.

	allow-recursion { 216.223.192/19; };

In the long term we do plan to split them.  Right now, that's not the
top priority.

I just think that giving the spam victims a web page explaining what
happened to them, why they shouldn't open random links sent by
strangers, and encouraging them to seek anti-spam software / mail
hosting would be more hurtful to the spammer's business model than just
acting like a lame server.  Maybe I'm wrong.  It feels right while I
respond to abuse e-mail.

It seems like a neat, proactive, anti-spam weapon to me.  But it's my
idea; I *have* to like it.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org      
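A worked configuration along the lines of this thread, added here as an example and not taken from Scott's or Simon's servers: the `allow-recursion` ACL quoted in the message, plus one of the generic "duff" zones Simon suggests for a domain that has been delegated to the server without permission, answering A queries with the address of the educational web page. The 216.223.192/19 prefix is the one in the message; the zone name `spamvertized.example`, the host names under `example.net` and the address 192.0.2.10 are placeholders.

```conf
// ---- named.conf fragment (BIND 9) ----
// Added example; every name and address is a placeholder except the /19,
// which is the prefix quoted in the message.

acl "mynet" { 216.223.192/19; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    // Recursion only for our own address space.  Everyone else can still
    // query the zones this server is authoritative for, which is what lets
    // the duff zone below answer the spam victims' resolvers.
    allow-recursion { mynet; };
};

// One of these per maliciously delegated domain.  All of them can share
// the same generic zone file, since the contents do not depend on the name.
zone "spamvertized.example" {
    type master;
    file "duff.zone";
    allow-update { none; };
};

// ---- duff.zone (generic zone file, BIND master-file syntax) ----
// $TTL of a few hours, as Simon suggests, so that a mistake (or a domain
// added by accident) does not linger in other people's caches for long.
//
// $TTL 3h
// @       IN SOA  ns1.example.net. hostmaster.example.net. (
//                 2003121601 ; serial
//                 1h         ; refresh
//                 15m        ; retry
//                 1w         ; expire
//                 3h )       ; negative-caching TTL
//         IN NS   ns1.example.net.
//         IN A    192.0.2.10   ; the web server carrying the educational page
// *       IN A    192.0.2.10   ; wildcard: www, mail, anything under the zone
```

Two caveats a practitioner would want. First, the wildcard A record does not reproduce the "return NXDOMAIN for every other type" branch of the pseudocode: a query for, say, MX at a name matched by the wildcard gets a NODATA answer (NOERROR with an empty answer section), not NXDOMAIN, because the wildcard owner name exists. Second, the duff zone only takes effect for domains whose delegation really points at this server; it does nothing for queries about unrelated names, which are governed by `allow-recursion` alone.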
