September 16th, 2003, 09:45
As of last night, Verisign has changed their DNS servers to return an IP rather than "not found" when you look up an address that doesn't exist. If you do an nslookup on "" you get This address returns a "search page" (thinly disguised advertising) to a web browser.


But worse, it hurts anti-spam measures. Modern MTAs will check that the sender's domain exists before accepting it. If it isn't real, you can't reply to it, so it's 99.99% certain to be spam. Now, all addresses in .com and .net appear to be real.

The best defense against this appears to be to hack the DNS resolvers and/or their libraries to return a not-found result if the returned address happens to match the IP(s) for "sitefinder*".

Russell Nelson has hacked djbdns already ...

From: Russell Nelson <>
Date: Mon, 15 Sep 2003 23:38:19 -0400
To: qmail list <>,
Subject: Re: Verisign adds wildcards

Russell Nelson writes:
> Working on a patch to djbdns that rejects A records that resolve to
> Returns NXDOMAIN.

Got it.

Work is underway on BIND 8.
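The resolver-side workaround described in the post above, sketched as an added example (not code from the thread or from the djbdns patch): answers in .com and .net that consist only of the wildcard address are turned back into a not-found result, so an MTA's sender-domain check works again. The address 192.0.2.11 is a constructed placeholder, the stub resolver and all function names are hypothetical, and the check is simplified to A records.

```python
import ipaddress

# Constructed placeholder from the RFC 5737 documentation range; the real
# wildcard address is not given on this page and must be filled in locally.
WILDCARD_IPS = {ipaddress.ip_address("192.0.2.11")}
WILDCARD_ZONES = ("com", "net")  # the TLDs the post says are affected


class NXDomain(Exception):
    """The name does not exist, or only the wildcard answered for it."""


def filter_answer(name, addresses, wildcard_ips=WILDCARD_IPS):
    """Drop wildcard A records; raise NXDomain if nothing real remains."""
    tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if tld in WILDCARD_ZONES:
        addrs = [a for a in addrs if a not in wildcard_ips]
    if not addrs:
        raise NXDomain(name)
    return [str(a) for a in addrs]


def make_stub_resolver(records):
    """Constructed offline resolver that mimics a wildcarding .com/.net zone."""
    def resolve(name):
        name = name.rstrip(".").lower()
        if name in records:
            return records[name]
        if name.rsplit(".", 1)[-1] in WILDCARD_ZONES:
            return ["192.0.2.11"]  # wildcard answer instead of "not found"
        raise NXDomain(name)
    return resolve


def sender_domain_exists(domain, resolve):
    """MTA-style check: accept a sender domain only if it really resolves."""
    try:
        filter_answer(domain, resolve(domain))
        return True
    except NXDomain:
        return False


if __name__ == "__main__":
    resolve = make_stub_resolver({"example.com": ["198.51.100.7"]})
    for d in ("example.com", "no-such-domain-xyz.com", "nothing.org"):
        print(d, "exists" if sender_domain_exists(d, resolve) else "NXDOMAIN")
```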

September 17th, 2003, 10:15

hugh nicks
September 17th, 2003, 11:27
User Friendly is great! I still use the expression PEBKAC to this day! People look at me like I'm trying to pass them the pipe! For those who don't know, the 'problem exists between the keyboard and chair'.


September 18th, 2003, 08:47
VeriSlime is showing signs of backing down ...

September 18th, 2003, 09:33
Here's an online petition, if you're so inclined ...