Hello,
Bluewin also considers "closing" its name servers for "non-bluewin" users.
Apparently some people use our nameservers for their servers on leased-lines
(and many with dial-up or adsl)
Some of these servers send a huge amount of queries to our name servers.
They should either operate their own name servers (at least caching servers)
or use their ISP's name server.
I will rather keep the servers open but implement a black-list for the worst abusers.

Daniel Lorch wrote:
> Hi
>
> > They're rather trying to prevent Spammers (and other scum) from
> > abusing their DNS servers, by disabling recursion for non-trusted
> > hosts.
> > Have a look at: http://www.securityfocus.com/archive/1/336958/2003-09-06/2003-09-12/0
>
> Interesting read. To summarize the rather lengthy text:
>
> 1. Spammer registers throwaway-domain, so he can spam with a valid "From" address.
> 2. Spammer populates some victim's DNS cache with information about his domain. TTL is set very high so this data will not expire in cache.
> 3. Spammer changes the authoritative DNS servers of his domain to that cache, which will then respond to requests for this domain.
>
> Now's the part I don't quite understand:
>
> 4. Because [someone] wants to stop this domain from working, the DNS servers for this Domain will be attacked (DDoS, whatever).
>
> I know that RBL servers are quite a popular target among black hats, but c'mon, since when do good guys (=the victims of spam) fight back like this?

Maybe it's an implicit DDOS caused by the spammer:
- Spammer sends X millions of e-mails
- Many MTAs will do forward and reverse lookups for the names and IP addresses used
These go to the abused name servers which might not be able to handle the load.

Guido Roeskens Hostmaster Bluewin AG
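
Added example (not part of the original message, and not Bluewin's tooling): one way to pick black-list candidates on an open recursive resolver is to count queries per client outside the operator's own ranges and flag those above a threshold. The log format, the trusted prefix and the threshold are assumptions, and the sample lines are constructed using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Assumption: the operator's own customer ranges (a documentation prefix here).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample in a hypothetical "<time> <client-ip> <qname> <qtype>" format.
SAMPLE_LOG = "\n".join(
    ["12:00:01 192.0.2.10 www.example.org A"] * 6              # heavy but trusted
    + ["12:00:02 198.51.100.7 mail.throwaway.example MX"] * 5  # heavy, external
    + ["12:00:03 203.0.113.9 www.example.net A",               # light, external
       "12:00:04 not-an-ip www.example.net A",                 # unparsable client
       "truncated line"]                                       # wrong field count
)


def is_trusted(ip):
    """True if the client address lies inside one of the operator's networks."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    return any(addr in net for net in TRUSTED_NETS)


def external_query_counts(log_text):
    """Count queries per client address that is outside the trusted networks."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of failing the whole run
        client = fields[1]
        try:
            if not is_trusted(client):
                counts[client] += 1
        except ValueError:
            continue  # client field was not an IP address
    return counts


def blacklist_candidates(log_text, threshold):
    """External clients with at least `threshold` queries, busiest first."""
    counts = external_query_counts(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in blacklist_candidates(SAMPLE_LOG, threshold=3):
        print(f"{ip}\t{n} queries from outside trusted networks")
```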
