Spammer Technique Straining Domain Name System Servers

In their search for ways around anti-spam legislation, some spammers are using unregistered domains to distribute unwanted messages, a tactic experts say is putting additional strain on servers at Internet service providers and on corporate networks.

Illegal commercial spammers, wary of being tracked and prosecuted under the CAN-SPAM Act that took effect a year ago, are said to be sending e-mail from domain names that have not yet been registered, then submitting the domains for registration later.

The result is strain on the SMTP servers of the recipient’s network, which might spend hours searching in vain for the domain in central Domain Name System (DNS) lookup files, eating up enormous resources in the process.

Message Delays

If enough of the messages arrive at a network at once, they can delay the delivery of waiting messages, including legitimate e-mail, a potentially disastrous consequence in enterprise environments given the pace at which business decisions must be made. To avoid the slowdowns, corporations and others might be forced to upgrade their servers to accommodate the extra load.

The tactic is in some ways a modification of another trick spammers have tried to use: shutting down domains they use to distribute messages within hours after unleashing a batch of e-mails. That approach also can cause havoc with receiving mail servers that try to match the messages with the sending domains after they have been shut down.

Ironically, DNS servers are used by many anti-spam programs to identify when messages are being sent from addresses that are known to distribute spam. As a result, those servers continually attempt to verify where a message originated. It also means that disabling some DNS functions, which could lessen the burden on the servers, would likely let more spam through in the long run.

To some, the latest wrinkle is just another example of how the CAN-SPAM Act has failed to fulfill its promises and, at least in this case, has apparently led to dire unintended consequences.

Spammers More Creative

The act has led to at least one jail term for a spammer as well as a slew of lawsuits and other legal action. Also, leading Internet service company AOL said it noticed a sharp drop in spam being sent to its members during 2004. Yet most observers say spam is at least as bad as, and by some measures worse than, it was the day before the act took effect.

In fact, MessageLabs said that 73 percent of all messages sent last year could be categorized as spam, the highest level ever and nearly double the 2003 percentage.

“One of the likely scenarios heading into 2004 was that spammers would get more creative and aggressive in their tactics,” Sophos antivirus consultant Graham Cluley said.

The DNS-bogging tactic is one example of that adaptation. Another is the use of so-called zombie computers that are infected with a virus or worm and then are used to send spam without the machine’s owner being aware of it. Such tactics now account for more than half of the spam being distributed.

New Motivation

Taken together, the tactics represent an enormous drain on Internet and network resources. “It’s a reminder of why spam is more than just a nuisance,” Cluley said.

Forrester Research analyst Jim Nail said each time spammers’ techniques impact another group adversely, it builds the type of support needed for more drastic approaches to address the problem.

Corporations being forced to upgrade networks simply to accommodate illegal spam is one example. “The spammers are helping to build a coalition that will eventually be strong and broad enough to stop them,” Nail said.
