VeriSign slammed for .com spam aid

Network operators, anti-spam campaigners, security experts and engineers have hit out at VeriSign over the changes it made to the top level domain system.

On Monday, VeriSign began to redirect domain lookups for misspelled or nonexistent names to its own site, a process that has confused internet email utilities and drawn angry denunciations of the company's business practices from frustrated network administrators. The company enjoys a government-granted monopoly as the master database administrator for .com and .net.

The operator of the Spam and Open Relay Blocking System (SORBS), Matthew Sullivan, told silicon.com's sister site ZDNet Australia the company's actions have thrown a huge spanner in the works. "All of the header checks that you normally do ... suddenly don't work," he said. "So of course all of these forged email addresses that spammers are using are getting through."

Spam software can no longer check the validity of a domain name to make sure it's not forged, Sullivan says. "I don't think they should have done it at all ... there is absolutely no reason at all that they should have done it," he said. "The Internet Architecture Board (IAB) has already said that it should be withdrawn."

Echoing those calls is Chris Wysopal, the research director with security company @stake. "When things that have been working one way for a long time change ... now they have to re-invent all of those things," he said.

However Wysopal says the problems experienced by anti-spam software could just be the tip of the iceberg. "The anti-spam is one thing ... I'm sure there are other things out there that people don't even realise are going to break," he said.

"I think they should reverse it. Maybe there is some merit to this service but it shouldn't be a unilateral thing," he added.

Doubting the government will intervene, Wysopal says the only way a reversal of the change will occur is "if a lot of their big customers say 'we're unhappy with this and we're going to stop doing business with vsig'".

VeriSign's new policy is intended to generate more advertising revenue from additional visitors to its network of websites. On Monday, VeriSign released an eight-page paper describing the implementation of its "Site Finder" program, saying it "improves the user web-browsing experience when the user has submitted a query for a nonexistent second-level domain in the .com and .net second-level domains.... [Previously] his or her web browser returned an error message that contained no useful information."

In an unusual kind of grassroots movement, some network administrators have begun to invent and launch technical countermeasures against VeriSign. A discussion thread on the North American Network Operators' Group mailing list was titled "What *are* they smoking?" and offered technical tips on how to configure routers and servers to block access to VeriSign's site, so web users would receive the traditional 'nonexistent domain' error message.

"There are already modifications to BIND software to take responses that contain that VeriSign address and turn it into a nonexistent domain error," Karl Auerbach, a veteran internet engineer and former board member of the Internet Corporation for Assigned Names and Numbers (Icann), said about the standard utility used for domain name lookups. "There are also several internet service provider-type people dealing with routing information who are already talking about blocking (the VeriSign site). I believe some have."

VeriSign is not the first domain-name company to try to profit from typos and errors, but because .com and .net represent such a huge percentage of Internet names, its decisions have the most profound impact. Some of the other top-level domains that have adopted a similar policy include .cc, .museum, .nu, .ph, .tm and .ws. Microsoft's Internet Explorer also returns a similar error message and search box, but because the redirection is performed by the end user's computer, the effect is limited.

VeriSign's decision, which was done without consulting the internet standards groups, came just a few days after the US Federal Trade Commission accused the company of deceptive business practices for sending "domain name expiration notices" to competitors' customers in early 2002.

Earlier this year, VeriSign was dealt a harsh rebuke in a similar matter by the highly regarded IAB. Referring to the Domain Name System (DNS), the board's unanimous statement said: "The system VeriSign had deployed for .com and .net contains significant DNS protocol errors, risks the further development of secure DNS, and confuses the resolution mechanisms of the DNS with application-based search systems."

Declan McCullagh writes for CNET News.com. Patrick Gray writes for ZDNet Australia