Move over Zuccarini

For those who don’t know, John Zuccarini is the most notorious of the so-called “typo-squatters,” people who register domain names that are common typos of popular websites and then flood the poor fat-fingering visitor with advertisements. Zuccarini had at least 5,500 copycat Web addresses, and the FTC estimated he was earning between $800,000 and $1 million annually from the mostly porn-based banner ads he displayed, in spite of numerous lawsuits against him for trademark violations. Zuccarini was arrested last week under the new Truth in Domain Names provision in the PROTECT Act of 2003, which makes it illegal to use misleading domain names to lure children to sexually explicit material.

But to add insult to injury, no sooner has Zuccarini been arrested than he has been toppled as the typo-squatting king by a new upstart: the domain-name register VeriSign. Trumping Zuccarini’s 5,500 copycat domain names, VeriSign has used their position as keeper of the keys to redirect ALL unregistered typos to their site. Try going to http://whattheheckisverisignsmoking.com/ and see for yourself. VeriSign has posted a white paper on their new move, which creates a top-level “wildcard” registry for every domain-name request in the .com or .net domains. The change redirects any entry without DNS service to VeriSign’s own SiteFinder search engine, including reserved domain names such as a.com and domain names that are registered to other people but don’t have an active name server.

The main problem is that VeriSign is abusing their position as gatekeeper of the com and net domains, which are a public trust and not VeriSign’s commercial property. Network types have also been quick to point out other ways this move breaks things on the Net. Most important to everyday users, Web browsers are no longer able to gracefully handle bad links or mistyped URLs. Most browsers pop up a small dialog box for a bad URL, leaving the user on the old page. With the new changes, browsers cannot give this functionality. (Of course, for people who use versions of IE that redirect to Microsoft’s search-page, the only difference will be a change of masters.) Furthermore, debugging scripts often use domain-not-found errors to check for routing problems; these are no longer returned. And finally, anti-spam software also often uses domain-not-found errors to detect mail from invalid email addresses. (There was also concern that email sent to a typoed domain name would not bounce properly, but it seems this was either not the case or has been fixed.)

As one might expect, the flameage has been fast and furious on this one. Of particular note is the discussion on the North American Network Operators Group mailing list, where members have already contributed several patches to routing software that would essentially ignore VeriSign’s wildcard lookup, restoring the Internet (or at least the portions that apply the patch) to the old way things operated. Many are also simply dropping the IP address for sitefinder.verison.com (64.94.110.11) on the floor. If widely adopted such actions would essentially neutralize VeriSign’s change, but I expect the adoption levels will only be enough to be a statement of protest, not an actual revolution. However, Computer Business Review notes that the Internet Corporation for Assigned Names and Numbers (ICANN), which manages aspects of the DNS for the US government, has yet to weigh in on whether VeriSign’s changes are actually valid according to agreed-upon specs.

UPDATE: It seems VeriSign is only half-handling email correctly. What they’ve done is hooked up their own special mail-handler (which they call the Snubby Mail Rejector Daemon v1.3) that returns a fixed set of responses to SMTP transactions. Currently, VeriSign reads the From and To headers and then returns an error code. This means all misaddressed email relies on VeriSign’s server to bounce mail, and should the server not be available bounces might be delayed by several days. It also means that all addresses of typoed email are actually sent to VeriSign before being bounced, rather than stopped locally. Of course, I’m sure no VeriSign employee would be so criminal as to actually use this information for industrial espionage, nor would he change the Snubby Mail Daemon to actually collect the contents of said messages.

Friends of mine have also pointed out that ISPs and businesses “cache” DNS addresses on their local DNS servers. By claiming that all DNS requests are legitimate, VeriSign is clogging these caches with bad requests.

References