Verisign bogosity

Jeff A. Earickson jaearick at COLBY.EDU
Tue Sep 16 15:42:00 IST 2003


Hi,
   I discovered that when I blackholed 64.94.110.11 in DNS, I was
having a lot of DNS lookups time out.  On my mail server, this meant
that mail started stacking up because it couldn't resolve addresses.
I also started seeing a lot of timeouts for spamassassin and spamcop.
Not good.  When I removed 64.94.110.11 from blackhole, things started
moving again.

   As an aside, I called my stock broker and dumped my shares of Verisign
this morning.  They were going up in morning trading, but I figure the
shares will take a dive once the market hears of their huge business blunder.
I also sent email to "support at verisign.com" informing them that I would not
be renewing my certificates with them in October.  If you own certs from them,
I would advise doing likewise.

--- Jeff Earickson

On Tue, 16 Sep 2003, Remco Barendse wrote:

> Date: Tue, 16 Sep 2003 16:30:19 +0200
> From: Remco Barendse <mailscanner at BARENDSE.TO>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Verisign bogosity
>
> The firewall rule would block access to the Verisign server, therefore the
> domain will never resolve (this is the way it ought to be) because your
> dns server cannot reach it (supposing you are running your own name
> servers!).
>
> Remco
>
>
> On Tue, 16 Sep 2003, Rose, Bobby wrote:
>
> > How would a firewall stop this?  A firewall won't keep the MTA from
> > resolving the bogus domain to that IP, correct?  It also wouldn't keep SA
> > from resolving it as part of the dns checks.
> >
> > -----Original Message-----
> > From: Remco Barendse [mailto:mailscanner at BARENDSE.TO]
> > Sent: Tuesday, September 16, 2003 9:59 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Verisign bogosity
> >
> >
> > I have created a firewall rule that silently drops all packets sent to
> > this ip.
> >
> > Mail seems to be flowing normally and all fake .com crap is still
> > rejected.
> >
> > On Tue, 16 Sep 2003, Jeff A. Earickson wrote:
> >
> > > Gang,
> > >    Hold that thought...  I added 64.94.110.11 to my blackhole list,
> > > and things slowly ground to a halt over the next hour.  Hmmm.. I had
> > > to back this out of my DNS.  Wonder why it didn't work? I have
> > > notified Verisign that I won't be renewing my certs with them in
> > > October.
> > >
> > > --- Jeff Earickson
> > >
> > > On Tue, 16 Sep 2003, Jeff A. Earickson wrote:
> > >
> > > > Date: Tue, 16 Sep 2003 08:40:09 -0400
> > > > From: Jeff A. Earickson <jaearick at colby.edu>
> > > > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > Subject: Verisign bogosity
> > > >
> > > > Gang,
> > > >
> > > > If you run a modern version of bind, simply blackhole the Verisign
> > > > number.  This is what I have in my bind boot files:
> > > >
> > > >     #---blackhole queries from RFC1918 private addresses
> > > >     #---routes to them are never advertised, so don't waste time
> > > >     #---see p. 284, DNS&Bind version 4
> > > >     #---64.94.110.11 is Verisign's bogus server.
> > > >     blackhole {
> > > >         10/8;
> > > >         172.16/12;
> > > >         192.168/16;
> > > >         64.94.110.11;
> > > >     };
> > > >
> > > > I've changed my bind configs to do this; I suggest this ASAP.
> > > >
> > > > -----------------------------------
> > > > Jeff A. Earickson, Ph.D
> > > > Senior UNIX Sysadmin and Email Guru
> > > > Information Technology Services
> > > > Colby College, 4214 Mayflower Hill,
> > > > Waterville ME, 04901-8842
> > > > phone: 207-872-3659 (fax = 3076)
> > > > -----------------------------------
> > > >
> > >
> >
>
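The thread's problem is that blackholing the wildcard address in the resolver itself breaks resolution, whereas what the MTA and SpamAssassin actually need is to treat an answer of 64.94.110.11 as "domain does not exist". The following is an added example, not code from anyone in this thread: it probes a TLD with random labels to learn the wildcard sentinel address(es) and then filters them out of A answers at the application layer. The resolver here is a constructed in-memory stand-in (`fake_resolve`) so the script runs offline; a real deployment would pass in a function that performs actual DNS queries.

```python
import random
import string
from typing import Callable, Dict, List, Set

# Sentinel address named in the thread; the probe below learns any others.
SITEFINDER_IP = "64.94.110.11"

# Constructed stand-in for a resolver: name -> A records.  Any unlisted name
# under .com resolves to the wildcard address, mimicking the synthesized
# answers the thread describes; other TLDs return a genuine empty answer.
FAKE_ZONE: Dict[str, List[str]] = {
    "colby.edu": ["192.0.2.10"],
    "example.com": ["192.0.2.20"],
}

def fake_resolve(name: str) -> List[str]:
    """Constructed resolver: empty list means NXDOMAIN."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return [SITEFINDER_IP] if name.endswith(".com") else []

def random_label(length: int = 16) -> str:
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))

def probe_wildcard(resolve: Callable[[str], List[str]], tld: str) -> Set[str]:
    """Resolve two random, certainly-unregistered labels under `tld`.
    Any address both answers share is a wildcard sentinel, not a real host."""
    first = set(resolve(f"{random_label()}.{tld}"))
    second = set(resolve(f"{random_label()}.{tld}"))
    return first & second

def resolve_a(name: str, resolve: Callable[[str], List[str]],
              sentinels: Set[str]) -> List[str]:
    """A lookup that drops sentinel addresses, so a synthesized wildcard
    answer collapses to an empty list, i.e. NXDOMAIN as seen by the caller."""
    return [ip for ip in resolve(name) if ip not in sentinels]

def domain_exists(name: str, resolve: Callable[[str], List[str]],
                  sentinels: Set[str]) -> bool:
    """What an MTA sender-domain check or SA DNS test should consult."""
    return bool(resolve_a(name, resolve, sentinels))

if __name__ == "__main__":
    learned = probe_wildcard(fake_resolve, "com") | {SITEFINDER_IP}
    for host in ("example.com", "bogus-sender-domain.com", "colby.edu"):
        print(host, domain_exists(host, fake_resolve, learned))
```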