zone transfers, a spammer's dream?

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: zone transfers, a spammer's dream?
From: Lode Vermeiren <lode@xxxxxxx>
Date: Tue, 07 Dec 2004 23:38:58 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: lode@xxxxxxx

Hello all,

while doing some experiments with dig using a .fm domain I made a small
typo. Much to my surprise the whole fm zone was transferable by anyone.
It's obvious this is a fabulous source for dictionary spammers who just
mail to generic addresses at as much domains as they can possibly find.
(info@xxxxxxxxxxx, sales@xxxxxxxxxxx, ...)

Intrigued by the .fm zone, I did a quick scan to see which other top
level domains allowed zone transfers. It was no surprise to me that some
small zones of developing countries were open, but one top level domain
immediately caught my eye: getting the complete .ca zone (Canada), 48 Mb
in total, serving 471.686 domains is as easy as doing 'dig axfr ca
@ca01.cira.ca.'

Some zones weren't transferable at the master nameservers, but were
transferable at slave servers.

Other publicly transferable zones: (quick and dirty count, divide by +/-
3 to get the number of domains, as this lists multiple name servers per
domain)

wc -l *.zone
     432 ao.zone
    5050 ba.zone
      15 biz.et.zone
    4645 bo.zone
      45 bt.zone
     923 bw.zone
 1031788 ca.zone
      20 cf.zone
   11167 com.eg.zone
     208 com.er.zone
     377 com.ye.zone
     313 cv.zone
    5216 dj.zone
    3724 ec.zone
   51054 ee.zone
      36 eg.zone
      42 er.zone
      54 et.zone
   10063 fm.zone
     498 ga.zone
     482 gd.zone
    6829 ge.zone
     885 gp.zone
      27 gq.zone
   13622 gs.zone
      45 gu.zone
      31 gw.zone
     541 gy.zone
   16522 jm.zone
    2732 kg.zone
      76 kh.zone
      17 km.zone
    1467 kn.zone
     210 lc.zone
      36 mh.zone
      75 mp.zone
   22047 ms.zone
      69 mt.zone
    3697 museum.zone
    2013 mw.zone
     156 mz.zone
     264 na.zone
     732 org.eg.zone
     415 org.mt.zone
   26665 pk.zone
    4280 sm.zone
    3172 sn.zone
   17495 tc.zone
      38 td.zone
    1999 tp.zone
     171 uk.zone
      16 um.zone
      70 uy.zone
    2407 vc.zone
   15645 vg.zone
    3308 vu.zone
      61 ye.zone
     220 yu.zone

This does not include some second level domains like net.** and org.**,
as my quick and dirty script didn't check these.

After a much too long introduction here comes my questions: is this
deliberate? I can understand that Chad has bigger things to worry about
than 24 domains getting on yet another spam list, but why Canada makes
nearly half a million domains as easy to grab as this really is a
mystery to me.

What do you think?


Best regards,
Lode Vermeiren

__
lode@xxxxxxx

Attachment: signature.asc
Description: Dit berichtdeel is digitaal ondertekend

Follow-Ups:
- RE: zone transfers, a spammer's dream?
  - From: Marcin Pacyna

Prev by Date: 7a69Adv#16 - Konqueror FTP command injection
Next by Date: MDKSA-2004:143 - Updated ImageMagick packages fix vulnerability
Previous by thread: Re: 7a69Adv#16 - Konqueror FTP command injection
Next by thread: RE: zone transfers, a spammer's dream?
Index(es):
- Date
- Thread