[conspire] Re: penlug DNS seems to be down...
Rick Moen
rick at linuxmafia.com
Tue Dec 13 06:34:19 PST 2005
Quoting Bill Ward (bill at wards.net):

[Apologies if I slightly injure threading by using the wrong In-Reply-To
header, but I've already deleted your post, and so am quoting it from
the Web archive.]

> Well, I assume you've heard about the whole Ebay Christmas issue? It
> seems someone phished ebay and did some domain registration hijinks on
> Ebay's behalf using joker.com, and joker.com was unresponsive when
> Ebay tried to breathe down their necks about it. They ended up
> getting Network Solutions to pull the plug on that domain, and my
> guess is somehow that ended up affecting joker itself.

Covered by the fellow who attempted to end the phishing scam in
question, on his blog at
http://richi.co.uk/blog/2005/12/ebay-phishing-saga-in-summary.html :

Thursday, December 08, 2005
eBay phishing saga; in summary...
(VRSN)(EBAY)

Last week I noted a problem reporting a phishing email to eBay. I'm
pleased to report that the phishing website -- ebaychristmas.net -- is
now down. However, I'm not pleased to report how long it took. The
detail behind the delay is instructive...

From first report to takedown took 13 days (November 25 to December 7),
which is simply unacceptable. However, despite the hilarious response
(http://richi.co.uk/blog/2005/12/ebays-anti-phishing-desk-sucks.html)
from their "Trust and Safety Department," you should note that eBay
wasn't the main factor in this delay. Indeed, the company claims that it
first started takedown proceedings on November 8.

The main issue was that the phishing webserver was hosted on a botnet of
virus-compromised PCs. The DNS entry for the web site served up a
sequence of IP addresses, so that requests for the webpage could go to
one of many machines. In other words, taking down "the website" wasn't
an option.

Removing the DNS entry was the only practical takedown option. However,
the DNS registrar for the domain -- Joker.com, a small company based in
Switzerland -- was completely unresponsive to all requests to
investigate. Finally, it seems Verisign -- the controller of the .net
top-level domain -- stepped in and removed authority for ebaychristmas.net
away from Joker.com. Now requests for the web site come back "no such
host."

This sorry saga illustrates the fact that it's important for domain
registrars to act quickly and responsibly when abuses such as phishing
are brought to their attention. Authorities upstream of the registrar
need to be able to exercise some sort of leverage if they don't act.

Things have calmed down a little on the site now, but please feel free
to click an interesting advertisement to help me pay for bandwidth!

Coverage at:
http://news.yahoo.com/s/pcworld/20051206/tc_pcworld/123842
http://www.pcmag.com/article2/0,1895,1897035,00.asp

(None of this casts any light on why _all_ of joker.com's nameservers
simultaneously dropped off the Net over the weekend, but it's
interesting, anyway.)