Spammers abusing recursive caching name servers

Scott Lambert lambert at lambertfam.org
Mon Dec 15 00:15:45 UTC 2003


"We" is the ISP I work for.

Spammers have set up our caching recursive name server as one of the
NS records for several spam domains.  We, of course, have disabled the
recursion for IPs not owned by us.

I would like to make their mistake of using our name servers more costly
than simply failing every other lookup.  I could configure the zones
on our name servers as we find out about them and return an IP running
a "Silly Spammers" web page that explains why the user ended up there,
"You were stupid enough to click a link in a spam message."

However, that appears to be a labor-intensive method of dealing with
the problem and won't help anyone else whose servers these jerks try to
abuse.

My thought is to do something in the name server like the Verisign
workaround.

Query comes in from outside mycidr/mask;
  Am I configured to be authoritative for this request?
    Yes: answer the query
    No:
      Do the roots say I am authoritative for this request?
        Yes:
          Case request type in:
            A or AAAA) return the Silly Spammers IP.
            *)         return NXDOMAIN
          esac;
        No:
          Is requester in abusive ACL?
            Yes: drop the query or return NXDOMAIN
            No: go ahead and do the recursive query.
                # so that the spammers are encouraged to try these tricks
                # and we get more chances to call users "stupid" or otherwise
                # provide education, depending on the BOFHness of the admin. :-)

Is this possible currently?  We are still running Bind 8 from the
FreeBSD base install, and keep it patched.  The above abilities would be
worth enough for me to do whatever is necessary to my zone files to switch
to some other version/software.

If we get an installed base of servers that do this, we may make it not
worth doing for the spammers.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org      
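
The decision tree from the message above, written out as an added example; it is not part of the original post and is not BIND code. All networks, zone names and addresses are constructed, the "do the roots say" step is modelled by a static delegation table, and two choices are assumptions: clients inside our own networks get normal recursion, and the abusive-ACL branch drops rather than answering NXDOMAIN.

```python
import ipaddress

# Constructed sample data (documentation address ranges and example names).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # "mycidr/mask"
ABUSIVE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # abusive ACL
CONFIGURED_ZONES = {"isp.example."}                      # zones we really serve
OUR_NS_NAMES = {"ns1.isp.example."}
# NS sets as published by the parent zones. A real server would have to look
# these up; here they are a static table so the example runs offline.
DELEGATIONS = {
    "isp.example.": {"ns1.isp.example."},
    "spam-pills.example.": {"ns1.isp.example.", "ns.elsewhere.example."},
    "legit.example.": {"ns.legit.example."},
}
SINKHOLE = {"A": "198.51.100.80", "AAAA": "2001:db8::80"}  # "Silly Spammers" page


def enclosing_zone(qname, zones):
    """Return the longest zone name in `zones` that qname falls under."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def decide(src, qname, qtype):
    """Map one incoming query to (action, answer) following the posted tree."""
    if in_any(src, LOCAL_NETS):
        return ("RECURSE", None)   # assumption: our own clients are served normally
    if enclosing_zone(qname, CONFIGURED_ZONES):
        return ("ANSWER", None)    # configured authoritative: answer the query
    zone = enclosing_zone(qname, DELEGATIONS)
    if zone and DELEGATIONS[zone] & OUR_NS_NAMES:
        # Delegated to us without our consent: sinkhole address lookups only.
        if qtype.upper() in SINKHOLE:
            return ("SINKHOLE", SINKHOLE[qtype.upper()])
        return ("NXDOMAIN", None)
    if in_any(src, ABUSIVE_NETS):
        return ("DROP", None)      # the post allows drop or NXDOMAIN here
    return ("RECURSE", None)
```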