Verisign bogosity
Rose, Bobby
brose at MED.WAYNE.EDU
Tue Sep 16 15:22:26 IST 2003
How would a firewall stop this? A firewall won't keep the MTA from
resolving the bogus domain to that IP, correct? It also wouldn't keep SA
from resolving it as part of the DNS checks.
-----Original Message-----
From: Remco Barendse [mailto:mailscanner at BARENDSE.TO]
Sent: Tuesday, September 16, 2003 9:59 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Verisign bogosity

I have created a firewall rule that silently drops all packets sent to
this IP.
Mail seems to be flowing normally and all fake .com crap is still
rejected.

On Tue, 16 Sep 2003, Jeff A. Earickson wrote:
> Gang,
> Hold that thought... I added 64.94.110.11 to my blackhole list,
> and things slowly ground to a halt over the next hour. Hmmm.. I had
> to back this out of my DNS. Wonder why it didn't work? I have
> notified Verisign that I won't be renewing my certs with them in
> October.
>
> --- Jeff Earickson
>
> On Tue, 16 Sep 2003, Jeff A. Earickson wrote:
>
> > Date: Tue, 16 Sep 2003 08:40:09 -0400
> > From: Jeff A. Earickson <jaearick at colby.edu>
> > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Verisign bogosity
> >
> > Gang,
> >
> > If you run a modern version of bind, simply blackhole the Verisign
> > number. This is what I have in my bind boot files:
> >
> > #---blackhole queries from RFC1918 private addresses
> > #---routes to them are never advertised, so don't waste time
> > #---see p. 284, DNS&Bind version 4
> > #---64.94.110.11 is Verisign's bogus server.
> > blackhole {
> > 10/8;
> > 172.16/12;
> > 192.168/16;
> > 64.94.110.11;
> > };
> >
> > I've changed my bind configs to do this, I suggest this ASAP.
> >
> > -----------------------------------
> > Jeff A. Earickson, Ph.D
> > Senior UNIX Sysadmin and Email Guru
> > Information Technology Services
> > Colby College, 4214 Mayflower Hill,
> > Waterville ME, 04901-8842
> > phone: 207-872-3659 (fax = 3076)
> > -----------------------------------
> >
>
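
Added example, not part of the original thread: a packet filter only acts after the name has already been resolved, so a sender-domain check has to recognise the wildcard answer itself and treat it as "no such domain". The check in Python, run over constructed lookup results; the result structure, function names and sample domains are assumptions for illustration, and only 64.94.110.11 comes from the thread.

```python
import ipaddress

# The address the thread identifies as Verisign's answer for unregistered names.
WILDCARD_SINKS = frozenset({ipaddress.ip_address("64.94.110.11")})


def sender_domain_resolves(answer, sinks=WILDCARD_SINKS):
    """Return True if a sender domain has usable mail routing.

    `answer` is a hypothetical, already-fetched lookup result:
    {"rcode": str, "mx": [hostnames], "a": [address strings]}.
    """
    if answer["rcode"] != "NOERROR":
        return False          # genuine NXDOMAIN / SERVFAIL: nothing to deliver to
    if answer["mx"]:
        return True           # explicit MX records exist
    # No MX: mail falls back to the address records. Discard any address
    # that is a known wildcard sink before deciding the domain exists.
    addrs = {ipaddress.ip_address(a) for a in answer["a"]}
    return bool(addrs - sinks)


def classify(lookups):
    """Map each sender domain to 'accept' or 'reject'."""
    return {
        domain: "accept" if sender_domain_resolves(answer) else "reject"
        for domain, answer in lookups.items()
    }


# Constructed sample data (documentation-range addresses, .example names).
SAMPLE = {
    "mx-present.example": {"rcode": "NOERROR", "mx": ["mail.mx-present.example"], "a": []},
    "a-only.example": {"rcode": "NOERROR", "mx": [], "a": ["192.0.2.25"]},
    "unregistered-typo.example": {"rcode": "NOERROR", "mx": [], "a": ["64.94.110.11"]},
    "nxdomain.example": {"rcode": "NXDOMAIN", "mx": [], "a": []},
}

if __name__ == "__main__":
    for domain, verdict in classify(SAMPLE).items():
        print(f"{verdict:6}  {domain}")
```
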