Spammers’ New Tactic Upends DNS

Although some ISPs and legislators are crediting the year-old CAN-SPAM Act and better technology for recent gains in the war on spam, many in the industry say the advances are forcing spammers to employ new tactics, which are destabilizing the Internet’s crucial DNS.

One troublesome technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. After the mailings go out, the spammer registers the domain early the next morning.

By doing this, spammers hope to avoid stiff CAN-SPAM fines through minimal exposure and visibility with a given domain. The ruse, they hope, makes them more difficult to find and prosecute.

The scheme, however, has unintended consequences of its own. During the interval between mailing and registration, the SMTP servers on the recipients’ networks attempt Domain Name System look-ups on the nonexistent domain, causing delays and timeouts on the DNS servers and backups in SMTP message queues.

“Anti-spam systems have become heavily dependent on DNS for looking at all kinds of blacklists, looking at headers, all of that,” said Paul Judge, a well-known anti-spam expert and chief technology officer at CipherTrust Inc., a mail security vendor based in Atlanta. “I’ve seen systems that have to do as many as 30 DNS calls on each message. Even in large enterprises, it’s becoming very common to see a large spam load cripple the DNS infrastructure.”

Click here to read Larry Seltzer’s Jan. 5 column on the spam war.

The DNS handles address look-ups for all Web sites on the Internet, translating natural language names into IP addresses. But its first use was as a look-up service for mail records, and it continues to be used for the billions of e-mail messages traversing the Internet daily.

The CAN-SPAM Act, which went into effect at the beginning of last year, was designed to reduce spam by making it illegal to send messages with spoofed addresses. One spammer already has been sentenced to jail for violating the law, and America Online Inc. said recently that the threat of prosecution, along with better filtering, has helped reduce spam complaints by 75 percent.

In reality, experts say, spammers shut down DNS access to domains that they control after as few as 12 hours to prevent ISPs or law enforcement officials from tracking them down. This tactic also wreaks havoc with the DNS as mail servers trying to return undeliverable messages will continue to perform DNS queries on the defunct domain.

“We’ve had to reset our architecture to make nine DNS look-ups, which is an insane amount. And we’ve bought a bunch of workstations and small servers to use as redundant DNS servers because of the load,” said Bill Franklin, president of Zero Spam Network Corp., an anti-spam hosting provider based in Coral Gables, Fla. “The DNS system is a good warning indicator.”

Click here to read about the effectiveness of various anti-spam technologies.

More troubling than the DNS problems is that there is little ISPs and enterprises can do, other than buying more capacity and setting up redundant DNS servers.

“We have to figure out how to taper DNS services gracefully rather than having catastrophic failures,” said Paul Mockapetris, the author of the first DNS implementation and chief scientist at Nominum Inc., based in Redwood City, Calif. “Mail look-up was the first application put on top of DNS after I designed it, and I was so excited to see that. And now, 20 years later, people are trying to figure out how to stop doing mail look-up on DNS. It’s bizarre.”

Check out eWEEK.com’s for more on IM and other collaboration technologies.