
Mailing List Archive: NANOG: users

godaddy spam / abuse suspensions?

 

 



mike-nanog at tiedyenetworks

Nov 16, 2008, 10:10 AM

Post #1 of 10 (2828 views)
godaddy spam / abuse suspensions?

Hi gang,

I am looking into a dns problem. My resolvers are attempting to
resolve various hosts under "axonplatform.net", but its nameservers
aren't responding, resulting in many many many repeated queries that end
up going nowhere. I dug around a bit and the nameservers for the domain
are "ns1.suspended-for.spam-and-abuse.com." and so forth. The domain
registrar is godaddy and it doesn't make a whole lot of sense for them
to point the nameservers for any domain at non-functioning hosts, and
these have been dead for at least a few days now that I know about.

Can anyone enlighten me as to what the deal might be here?

Thank you.


rslv1:~# dig -t ns axonplatform.net.

; <<>> DiG 9.2.4 <<>> -t ns axonplatform.net.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42266
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;axonplatform.net. IN NS

;; ANSWER SECTION:
axonplatform.net. 114343 IN NS ns1.suspended-for.spam-and-abuse.com.
axonplatform.net. 114343 IN NS ns2.suspended-for.spam-and-abuse.com.

;; Query time: 0 msec
;; SERVER: 65.127.32.36#53(65.127.32.36)
;; WHEN: Sun Nov 16 18:12:00 2008
;; MSG SIZE rcvd: 102


rohan at rs3net

Nov 16, 2008, 10:19 AM

Post #2 of 10 (2764 views)
Re: godaddy spam / abuse suspensions? [In reply to]

Name has been suspended for "supposed" abuse by the godaddy abuse team.

I believe the only recourse is to email abuse [at] godaddy (cc
president [at] godaddy) asking what they want to release the domain to
you. I believe the usual charge is like $75 or so.

--Rohan

On Sun, 16 Nov 2008 10:10:20 -0800
mike <mike-nanog [at] tiedyenetworks> wrote:

> Hi gang,
>
> I am looking into a dns problem. My resolvers are attempting to
> resolve various hosts under "axonplatform.net", but its nameservers
> aren't responding, resulting in many many many repeated queries that
> end up going nowhere. I dug around a bit and the nameservers for the
> domain are "ns1.suspended-for.spam-and-abuse.com." and so forth. The
> domain registrar is godaddy and it doesn't make a whole lot of sense
> for them to point the nameservers for any domain at non-functioning
> hosts, and these have been dead for at least a few days now that I
> know about.
>
> Can anyone enlighten me as to what the deal might be here?
>
> Thank you.
>
>
> rslv1:~# dig -t ns axonplatform.net.
>
> ; <<>> DiG 9.2.4 <<>> -t ns axonplatform.net.
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42266
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;axonplatform.net. IN NS
>
> ;; ANSWER SECTION:
> axonplatform.net. 114343 IN NS ns1.suspended-for.spam-and-abuse.com.
> axonplatform.net. 114343 IN NS ns2.suspended-for.spam-and-abuse.com.
>
> ;; Query time: 0 msec
> ;; SERVER: 65.127.32.36#53(65.127.32.36)
> ;; WHEN: Sun Nov 16 18:12:00 2008
> ;; MSG SIZE rcvd: 102
>
>


mysidia at gmail

Nov 16, 2008, 1:29 PM

Post #3 of 10 (2751 views)
Re: godaddy spam / abuse suspensions? [In reply to]

I don't think he wants the domain. The problem is Godaddy listing NS
records for some domains (for any reason) to only DNS servers that
were all down or didn't exist. The entry of only lame DNS servers is
an inconclusive situation and doesn't let a message be permanently
rejected as spam; it's indistinguishable from a temporary failure of
all that domain's DNS servers.

It also causes (hopefully non-fatal) problems for hosts looking up the
contacting host's IP, like wasteful repeated queries.

This is not good behavior on the registrar's part; Godaddy would
almost be better serving the internet community by ignoring spam and
doing nothing, or forwarding reports to ISPs rather than introducing
lame DNS zones.


Registrars aren't really in a place to be able to stop spam; the
spammer can simply use any domain or have their reverse zone changed
accordingly, if they have custom reverse.

But for a registrar to do their best.. by pulling domains where they
have proof the owner has performed or authorized spam, they should
pull the domain from the TLD zone entirely and let the response be
NXDOMAIN.

A NXDOMAIN response allows the mail server to definitively reject the message
and move on.


--
-J

On Sun, Nov 16, 2008 at 12:19 PM, Rohan Sheth <rohan [at] rs3net> wrote:
> Name has been suspended for "supposed" abuse by the godaddy abuse team.
>
> I believe the only recourse is to email abuse [at] godaddy (cc
> president [at] godaddy) asking what they want to release the domain to
> you. I believe the usual charge is like $75 or so.
>
> --Rohan
>
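
The distinction drawn in post #3, as an added example that is not part of the original thread: a parser for dig's header line and a mapping from the lookup outcome to an SMTP reply code. The function names and the 250/451/550 policy are assumptions for illustration; the first sample is the header quoted in post #1, the other three are constructed.

```python
import re

# Header lines of the dig reply quoted in post #1 (NS lookup of the suspended domain).
NS_REPLY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42266
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0"""
# Constructed samples (not from the thread): a host under a lame delegation as
# answered by a recursive resolver, no reply at all, and a name pulled from the zone.
LAME_REPLY = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
NO_REPLY = ";; connection timed out; no servers could be reached"
NXDOMAIN_REPLY = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0"""

HEADER = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")

def parse_dig(text):
    """Return (status, answer_count); dig prints no header when nothing replied."""
    m = HEADER.search(text)
    if m is None:
        return "TIMEOUT", 0
    n = re.search(r"ANSWER: (\d+)", text)
    return m.group(1), int(n.group(1)) if n else 0

def smtp_decision(dig_output):
    """Assumed policy: map a sender-domain lookup to an SMTP reply code."""
    status, answers = parse_dig(dig_output)
    if status == "NXDOMAIN":
        return 550, "name does not exist: permanent reject"
    if status == "NOERROR":
        return 250, f"name exists ({answers} records): continue other checks"
    # SERVFAIL, REFUSED or TIMEOUT look the same as an outage of the
    # domain's own servers, so the only safe answer is "try again later".
    return 451, f"{status}: inconclusive, defer"

if __name__ == "__main__":
    for label, out in [("NS lookup", NS_REPLY), ("lame host", LAME_REPLY),
                       ("no reply", NO_REPLY), ("nxdomain", NXDOMAIN_REPLY)]:
        print(label, smtp_decision(out))
```

The NS lookup from post #1 comes back NOERROR because the delegation itself still exists; only lookups of hosts under it end in SERVFAIL or a timeout.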


andrew.fried at gmail

Nov 16, 2008, 2:38 PM

Post #4 of 10 (2754 views)
Re: godaddy spam / abuse suspensions? [In reply to]

Chances are if the domain has been sandboxed, it was because it was
involved in some kind of phishing scheme, not spam. This is the
typical way of mitigating fast flux botnets. So I don't agree with the
assessment that this is bad behavior on the part of GoDaddy - to the
contrary, they are acting quite responsibly.

AF


James Hess wrote:
> I don't think he wants the domain. The problem is Godaddy listing NS
> records for some domains (for any reason) to only DNS servers that
> were all down or didn't exist. The entry of only lame DNS servers is
> an inconclusive situation and doesn't let a message be permanently
> rejected as spam; it's indistinguishable from a temporary failure of
> all that domain's DNS servers.
>
> It also causes (hopefully non-fatal) problems for hosts looking up the
> contacting host's ip,
> like wasteful repeated queries.
>
> This is not good behavior on the registrar's part; Godaddy would
> almost be better serving
> the internet community by ignoring spam and doing nothing, or
> forwarding reports to ISPs rather than introducing lame DNS zones.
>
>
> Registrars aren't really in a place to be able to stop spam; the
> spammer can simply use any domain or have their reverse zone changed
> accordingly, if they have custom reverse.
>
> But for a registrar to do their best.. by pulling domains where they
> have proof the owner has performed or authorized spam, they should
> pull the domain from the TLD zone entirely and let the response be
> NXDOMAIN.
>
> A NXDOMAIN response allows the mail server to definitively reject the message
> and move on.
>
>
> --
> -J
>
> On Sun, Nov 16, 2008 at 12:19 PM, Rohan Sheth <rohan [at] rs3net> wrote:
>
>> Name has been suspended for "supposed" abuse by the godaddy abuse team.
>>
>> I believe the only recourse is to email abuse [at] godaddy (cc
>> president [at] godaddy) asking what they want to release the domain to
>> you. I believe the usual charge is like $75 or so.
>>
>> --Rohan
>>
>>
>
>
>

--
Andrew Fried
andrew.fried [at] gmail


mysidia at gmail

Nov 16, 2008, 2:50 PM

Post #5 of 10 (2754 views)
Re: godaddy spam / abuse suspensions? [In reply to]

It's also not effective in various situations.
The bad behavior is not disabling abused domains, it's the method used to do it
(by giving no answer instead of actively giving a negative answer).

When a http client asks recursive resolver A for an A RR, and no
response is received, the client will then go to recursive resolver B
and make the very same query again, and possibly on to recursive
resolver C.

One of the secondary/tertiary recursive resolvers may hand the client
a cached response that had been obtained before the registrar took any
action.
If instead recursive resolver A returned a NXDOMAIN, that would be the
end of it, no new queries, the answer has returned name does not exist.

The impact of the additional queries can be significant as well.

--
-J

On Sun, Nov 16, 2008 at 4:38 PM, Andrew Fried <andrew.fried [at] gmail> wrote:
> Chances are if the domain has been sandboxed, it was because it was
> involved in some kind of phishing scheme, not spam. This is the
> typical way of mitigating fast flux botnets. So I don't agree with the
> assessment that this is bad behavior on the part of GoDaddy - to the
> contrary, they are acting quite responsibly.
>
> AF
>
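
The fallback behaviour described in post #5, as an added toy model that is not part of the original thread: three recursive resolvers, of which only B cached the host before the suspension. The class and function names, the host name and the address are constructed; 114343 s is the remaining TTL shown in the dig output in post #1, borrowed here as the cache lifetime.

```python
TIMEOUT, NXDOMAIN = "timeout", "NXDOMAIN"

class Resolver:
    """Toy recursive resolver: serves its cache, otherwise asks upstream."""
    def __init__(self, name, cache=None):
        self.name = name
        self.cache = cache or {}          # qname -> (address, expires_at)

    def query(self, qname, now, upstream):
        hit = self.cache.get(qname)
        if hit and now < hit[1]:
            return hit[0]                 # record cached before the suspension
        return upstream                   # TIMEOUT (lame NS) or NXDOMAIN

def client_lookup(resolvers, qname, now, upstream):
    """Stub-resolver behaviour from the post: move to the next resolver only
    when the previous one gave no response. Returns (result, queries sent)."""
    queries = 0
    for r in resolvers:
        queries += 1
        result = r.query(qname, now, upstream)
        if result != TIMEOUT:
            return result, queries        # any answer, even NXDOMAIN, ends it
    return TIMEOUT, queries

def scenario(upstream, now):
    """upstream is what the suspended domain's delegation yields at time now
    (seconds after the suspension)."""
    qname = "host.example.net."           # constructed name
    resolvers = [
        Resolver("A"),
        Resolver("B", {qname: ("192.0.2.10", 114343)}),  # documentation address
        Resolver("C"),
    ]
    return client_lookup(resolvers, qname, now, upstream)

if __name__ == "__main__":
    print("lame NS, fresh :", scenario(TIMEOUT, 0))
    print("NXDOMAIN, fresh:", scenario(NXDOMAIN, 0))
    print("lame NS, later :", scenario(TIMEOUT, 114343))
```

With lame nameservers the client reaches the stale address on its second query and, once B's cache expires, burns three queries for no answer; with NXDOMAIN it stops after one.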


ops.lists at gmail

Nov 16, 2008, 3:45 PM

Post #6 of 10 (2745 views)
Re: godaddy spam / abuse suspensions? [In reply to]

On Mon, Nov 17, 2008 at 4:20 AM, James Hess <mysidia [at] gmail> wrote:
> One of the secondary/tertiary recursive resolvers may hand the client
> a cached response that had been obtained before the registrar took any
> action.

Yes, and that'd make a good case for the good old ops practice of
dialing down the TTL for a while before any NS change is made.

--srs


jerj at coplanar

Nov 16, 2008, 4:02 PM

Post #7 of 10 (2749 views)
Re: godaddy spam / abuse suspensions? [In reply to]

or how about using an NS that returns ICMP errors instead of NXDOMAIN,
perhaps using anycast for reducing network load?

Would that stop the timeout errors? server is still lame, you just know
faster?

On Mon, 2008-11-17 at 05:15 +0530, Suresh Ramasubramanian wrote:
> On Mon, Nov 17, 2008 at 4:20 AM, James Hess <mysidia [at] gmail> wrote:
> > One of the secondary/tertiary recursive resolvers may hand the client
> > a cached response that had been obtained before the registrar took any
> > action.
>
> Yes, and that'd make a good case for the good old ops practice of
> dialing down the TTL for a while before any NS change is made.
>
> --srs
>
--
Jeremy Jackson
Coplanar Networks
(519)489-4903
http://www.coplanar.net
jerj [at] coplanar


Mark_Andrews at isc

Nov 16, 2008, 7:12 PM

Post #8 of 10 (2751 views)
Re: godaddy spam / abuse suspensions? [In reply to]

In message <1226880169.6912.321.camel [at] ragnaro>, Jeremy Jackson writes:
> or how about using an NS that returns ICMP errors instead of NXDOMAIN,
> perhaps using anycast for reducing network load?

ICMP is not particularly useful unless the nameserver uses
connected sockets. Now that randomised ports are used this
well may be true but there are still lots of nameservers that
don't see the ICMP message even if it makes it past the firewalls.

> Would that stop the timeout errors? server is still lame, you just know
> faster?
>
> On Mon, 2008-11-17 at 05:15 +0530, Suresh Ramasubramanian wrote:
> > On Mon, Nov 17, 2008 at 4:20 AM, James Hess <mysidia [at] gmail> wrote:
> > > One of the secondary/tertiary recursive resolvers may hand the client
> > > a cached response that had been obtained before the registrar took any
> > > action.
> >
> > Yes, and that'd make a good case for the good old ops practice of
> > dialing down the TTL for a while before any NS change is made.
> >
> > --srs
> >
> --
> Jeremy Jackson
> Coplanar Networks
> (519)489-4903
> http://www.coplanar.net
> jerj [at] coplanar
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews [at] isc


Skywing at valhallalegends

Nov 16, 2008, 8:22 PM

Post #9 of 10 (2760 views)
RE: godaddy spam / abuse suspensions? [In reply to]

Why not just return NXDOMAIN if you are going to all of that trouble and be guaranteed that it'll work for standards-compliant caching resolvers? I don't see what would be available to gain by adding this extra complexity, and there's certainly a (much) lesser guarantee, or so I would tend to believe, that things will stop asking if they get an ICMP unreach as opposed to an NXDOMAIN.

- S

-----Original Message-----
From: Jeremy Jackson [mailto:jerj [at] coplanar]
Sent: Sunday, November 16, 2008 7:03 PM
To: Suresh Ramasubramanian
Cc: nanog [at] nanog
Subject: Re: godaddy spam / abuse suspensions?

or how about using an NS that returns ICMP errors instead of NXDOMAIN,
perhaps using anycast for reducing network load?

Would that stop the timeout errors? server is still lame, you just know
faster?

On Mon, 2008-11-17 at 05:15 +0530, Suresh Ramasubramanian wrote:
> On Mon, Nov 17, 2008 at 4:20 AM, James Hess <mysidia [at] gmail> wrote:
> > One of the secondary/tertiary recursive resolvers may hand the client
> > a cached response that had been obtained before the registrar took any
> > action.
>
> Yes, and that'd make a good case for the good old ops practice of
> dialing down the TTL for a while before any NS change is made.
>
> --srs
>
--
Jeremy Jackson
Coplanar Networks
(519)489-4903
http://www.coplanar.net
jerj [at] coplanar


jerj at coplanar

Nov 17, 2008, 8:00 AM

Post #10 of 10 (2740 views)
Re: godaddy spam / abuse suspensions? [In reply to]

On Mon, 2008-11-17 at 05:15 +0530, Suresh Ramasubramanian wrote:
> On Mon, Nov 17, 2008 at 4:20 AM, James Hess <mysidia [at] gmail> wrote:
> > One of the secondary/tertiary recursive resolvers may hand the client
> > a cached response that had been obtained before the registrar took any
> > action.
>
> Yes, and that'd make a good case for the good old ops practice of
> dialing down the TTL for a while before any NS change is made.

That would work only if Godaddy was considering suspending it for
greater than TTL time before actually suspending them...it takes the
same time to dial-down TTL (old TTL time) then change it, as it does to
just change it outright.

--
Jeremy Jackson
Coplanar Networks
(519)489-4903
http://www.coplanar.net
jerj [at] coplanar
