[conspire] Re: penlug DNS seems to be down...

Rick Moen rick at linuxmafia.com
Tue Dec 13 06:34:19 PST 2005 

Quoting Bill Ward (bill at wards.net):

[Apologies if I slightly injure threading by using the wrong In-Reply-To
header, but I've already deleted your post, and so am quoting it from
the Web archive.]

> Well, I assume you've heard about the whole Ebay Christmas issue?  It
> seems someone phished ebay and did some domain registration hijinks on
> Ebay's behalf using joker.com, and joker.com was unresponsive when
> Ebay tried to breathe down their necks about it.  They ended up
> getting Network Solutions to pull the plug on that domain, and my
> guess is somehow that ended up affecting joker itself. 

Covered by the fellow who attempted to end the phishing scam in
question, on his blog at
http://richi.co.uk/blog/2005/12/ebay-phishing-saga-in-summary.html :

  Thursday, December 08, 2005
  eBay phishing saga; in summary...

  (VRSN)(EBAY)
  Last week I noted a problem reporting a phishing email to eBay. I'm
  pleased to report that the phishing website -- ebaychristmas.net -- is
  now down. However, I'm not pleased to report how long it took. The
  detail behind the delay is instructive...

  From first report to takedown took 13 days (November 25 to December 7),
  which is simply unacceptable. However, despite the hilarious response
  (http://richi.co.uk/blog/2005/12/ebays-anti-phishing-desk-sucks.html)
  from their "Trust and Safety Department," you should note that eBay
  wasn't the main factor in this delay. Indeed, the company claims that it
  first started takedown proceedings on November 8.

  The main issue was that the phishing webserver was hosted on a botnet of
  virus-compromised PCs. The DNS entry for the web site served up a
  sequence of IP addresses, so that requests for the webpage could go to
  one of many machines. In other words, taking down "the website" wasn't
  an option.

  Removing the DNS entry was the only practical takedown option. However,
  the DNS registrar for the domain -- Joker.com, a small company based in
  Switzerland -- was completely unresponsive to all requests to
  investigate. Finally, it seems Verisign -- the controller of the .net
  top-level domain stepped in and removed authority for ebaychristmas.net
  away from Joker.com. Now requests for the web site come back "no such
  host."

  This sorry saga illustrates the fact that it's important for domain
  registrars to act quickly and responsibly when abuses such as phishing
  are brought to their attention. Authorities upstream of the registrar
  need to be able to exercise some sort of leverage if they don't act.

  Things have calmed down a little on the site now, but please feel free
  to click an interesting advertisement to help me pay for bandwidth!


Coverage at:  
http://news.yahoo.com/s/pcworld/20051206/tc_pcworld/123842
http://www.pcmag.com/article2/0,1895,1897035,00.asp

(None of this casts any light on why _all_ of joker.com's namservers
simultaneously dropped off the Net over the weekend, but it's
interesting, anyway.)

More information about the conspire mailing list