VeriSign move ignites uproar

Sep 22, 2003 | 5 mins
DNS, Enterprise Applications, Malware

Help for Web users a headache for others.

VeriSign’s launch last week of a controversial URL-redirection service has created such a backlash and so many headaches for network managers that workarounds already are surfacing, and mounting pressure might force the company to rethink its strategy.

VeriSign’s SiteFinder redirects unknown or mistyped URLs ending in .com or .net to the company’s own site-searching engine. The company says the feature is a convenience for Web surfers, but others characterize it as blatantly commercial and an ill-advised disruption of DNS.

“Technically, this change has caused a lot of problems,” says DNS inventor Paul Mockapetris, chairman and chief scientist of Nominum, a provider of DNS services to corporations and government agencies. “Obviously, VeriSign is doing this for a commercial interest. But VeriSign is also claiming this will be a useful navigation service for users.”

AOL and Microsoft already provide similar redirection services at the browser level, as do smaller domain-name registrars.

“The problem with VeriSign making this change in .com and .net is where VeriSign sits in the DNS hierarchy,” Mockapetris says. “It introduces this change into any protocol looking up Internet addresses: FTP, e-mail, any protocol sooner or later looks up an Internet address. . . . Some [corporate] mail servers have been there for 10 years and have never had to deal with this case before.”

VeriSign acknowledges SiteFinder has caused unwelcome side effects, but turning off the service “is not under discussion right now,” according to Brian O’Shaughnessy, a company spokesman.

“We are looking for ways the service can be modified to accommodate the concerns of anti-spam and e-mail vendors,” O’Shaughnessy says. “We’re trying to work out the incompatibilities.”

VeriSign attempts to help Web surfers find a mistyped site by redirecting unrecognizable URLs to its SiteFinder page that suggests close matches, and the company also sells links from that page to sponsors. But by redirecting all unrecognizable URLs ending in .com and .net to SiteFinder, VeriSign also is wreaking havoc with anti-spam filters that determine if a message is junk mail by attempting to verify the sender’s domain name. Spammers often use bogus domain names, leading the anti-spam filters to reject those messages or mark them as spam.

Now with this VeriSign service, any message originating from a bogus domain name ending in .com or .net that’s queried by such a filter will appear to have come from SiteFinder – a legitimate Web address – and will not be flagged as spam. Some fear that the result will be an avalanche of junk mail and spikes in Internet traffic that will overwhelm servers.
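
The filter failure described above, and one way a filter can compensate, shown as an added example that is not code from SendMail, the Internet Software Consortium or VeriSign. It assumes the check is a simple address lookup on the sender's domain; the resolver is a toy stand-in and every name and address in it is constructed.

```python
import secrets

# Constructed zone data using documentation addresses (RFC 5737).
WILDCARD_ADDR = "192.0.2.10"   # stands in for the registry's catch-all host
REGISTERED = {"example.com": "198.51.100.25"}

def resolve_a(name, wildcard_tlds=("com", "net")):
    """Toy resolver: a set of addresses, or None for a 'no such domain' error."""
    name = name.lower().rstrip(".")
    if name in REGISTERED:
        return {REGISTERED[name]}
    if name.rsplit(".", 1)[-1] in wildcard_tlds:
        return {WILDCARD_ADDR}   # registry synthesizes an answer
    return None                  # ordinary DNS error diagnostic

def naive_sender_ok(domain, resolve=resolve_a):
    """Original filter logic: any answer means the sender domain exists."""
    return resolve(domain) is not None

def wildcard_addrs(tld, resolve=resolve_a, probes=3):
    """Addresses returned for random labels that cannot be registered."""
    seen = None
    for _ in range(probes):
        answer = resolve(f"{secrets.token_hex(16)}.{tld}")
        if answer is None:
            return set()         # this TLD still reports errors normally
        seen = answer if seen is None else seen & answer
    return seen

def hardened_sender_ok(domain, resolve=resolve_a):
    """Treat an answer made up only of wildcard addresses as 'no such domain'."""
    answer = resolve(domain)
    if answer is None:
        return False
    tld = domain.lower().rstrip(".").rsplit(".", 1)[-1]
    return not answer <= wildcard_addrs(tld, resolve)

if __name__ == "__main__":
    for sender in ("example.com", "no-such-sender-zzz.com", "bogus.org"):
        print(sender, naive_sender_ok(sender), hardened_sender_ok(sender))
```
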

“We’ve seen problems not only with spam but with the entire infrastructure of the Internet,” says Rand Wacker, director of product strategy and development with SendMail. “[SiteFinder is] causing rippling effects and problems biting users, administrators, everyone who uses the Internet.” In reaction to customers’ concerns, SendMail soon will release a configuration change to its software that will let users override VeriSign’s service.

The Internet Software Consortium has released a patch to its BIND software that will let servers circumvent SiteFinder. ISP EarthLink is testing the patch and plans to implement it, says company spokesman Dave Blumenthal. The company wants to override SiteFinder to avoid the problems it’s reportedly causing, he says, although he wasn’t aware of EarthLink customers complaining about an increase in spam.

Other anti-spam vendors say the SiteFinder problem is not severe. Most anti-spam software and services implement different procedures to detect whether an e-mail is spam, so having one method derailed by SiteFinder shouldn’t render anti-spam efforts useless, says Ken Schneider, CTO of Brightmail.

“For our products it hasn’t been a big deal. We use a whole bunch of different techniques” to flag spam, he says. “Our biggest problem has been that it’s caused a lot of questions.”

While junk mail caught by filters that verify the originating domain name accounts for only about 10% or 20% of all spam caught, SendMail’s Wacker says, the volume of spam is bound to increase as soon as spammers realize the opportunity SiteFinder created. SiteFinder also causes similar problems for other anti-spam methods, such as Realtime Blackhole Lists of known spammers that attempt to verify the origin of messages, he adds.

Some members of the industry appear more frustrated with VeriSign for mucking with DNS than for the problems SiteFinder causes. The Internet Corporation for Assigned Names and Numbers’ At Large Advisory Committee last week sent a letter to the group urging it to use its influence to stop SiteFinder.

“This practice raises grave technical concerns, as it de facto removes error diagnostics from the DNS protocol, and replaces them by an error-handling method that is tailored for HTTP, which is just one of the many Internet protocols that make use of the DNS,” the letter says. “We will leave it for others to explain the details of these concerns, but note that returning resource records in a way which is contrary to the very design of the DNS certainly does not promote the stability of the Internet.”