DNS on Defense, DNS on Offense

Spam is a never-ending problem for service providers. Unfortunately, criminals can still make money at someone else's expense, so they persist in their mindless campaigns. The DNS is an integral part of well-established techniques for handling incoming spam, so that unwanted mail doesn't get delivered to inboxes.

The other side of the problem is stopping outbound spam at its source, so it never leaves the network where it originates. Providers are interested in this for a bunch of reasons: if their network hits a blocklist, it can prevent all of its email from being received by organizations that use the blocklist. This diminishes the provider's reputation in the eyes of their peers, both literally and figuratively! There is also very real damage to the brand, and typically real costs associated with support calls from unhappy users, lost customers, and wasted network resources.

Techniques for controlling outbound spam have mostly focused on managing port 25 traffic, but it's also possible to control outbound spam with the DNS. Since most spam today is sent by bot-infected hosts, it's straightforward to use the DNS to identify which hosts on a network are communicating with known botnet command-and-control systems. It's equally easy to block these communication channels so that infected systems can't get any instructions and therefore can't send any spam. MX queries from infected hosts can also be blocked to prevent spam from being sent, or redirected to a mail gateway where the messages can be handled according to operator policies.
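The two techniques described above, sketched as an added example that is not Nominum's code or part of the original post: resolver query logs are matched against a feed of command-and-control domains to mark infected hosts, and later MX queries from those hosts get the operator's chosen action. The log format, feed contents, addresses and function names are all constructed for illustration.

```python
"""Added example: DNS-based outbound spam control over resolver query logs."""

# Constructed C&C feed and query log: "<client IP> <query name> <query type>".
C2_DOMAINS = {"c2.botnet.example", "update-srv.invalid"}
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.7 node3.c2.botnet.example A
10.0.0.7 mx-lookup.example MX
10.0.0.5 example.org MX
10.0.0.9 UPDATE-SRV.invalid. A
10.0.0.9 recipient.example MX
10.0.0.7 www.example.net A
"""

def is_c2(qname, feed=C2_DOMAINS):
    """True if qname equals, or is a subdomain of, a listed C&C domain."""
    # Compare on whole labels so "xc2.botnet.example" does not match.
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in feed for i in range(len(labels)))

def apply_policy(log_text, mx_action="REDIRECT"):
    """Return (infected_hosts, decisions), one decision per logged query.

    mx_action is the operator's choice for MX queries from infected hosts:
    "BLOCK", or "REDIRECT" to answer with the operator's mail gateway.
    Queries are processed in order, so a host is only treated as infected
    from its first C&C lookup onward.
    """
    infected, decisions = set(), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed log lines
        client, qname, qtype = parts
        if is_c2(qname):
            infected.add(client)   # technique 1: identify and cut off C&C
            action = "BLOCK"
        elif qtype.upper() == "MX" and client in infected:
            action = mx_action     # technique 2: MX from an infected host
        else:
            action = "ALLOW"
        decisions.append((client, qname, qtype, action))
    return infected, decisions

if __name__ == "__main__":
    hosts, results = apply_policy(SAMPLE_LOG)
    print("infected:", sorted(hosts))
    for row in results:
        print(*row)
```
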

These two simple techniques can eliminate a huge proportion, up to 90%, of outbound spam with minimal false positives. The impact on the DNS is minimal, and there is no need for additional equipment in the network, such as appliances. Nominum is hosting a webinar on this topic on April 24, 2012. It will provide details on the two techniques summarized above and describe how the solution can be deployed. Real-world data from two ISPs who have implemented this approach will be discussed, as well as the advantages and disadvantages of this approach versus other techniques such as port 25 blocking or DPI.

By Nominum, Leader in DNS Software & Internet Activity Applications – Nominum is the innovation leader in DNS software and Internet Activity Applications. The company's Vantio™ CacheServe software powers the Internet for the world's largest CSPs in 40 countries. Vantio™ ThreatAvert software arms CSPs with the power to stop the spread of inside threats such as botnets and DNS-based DDoS amplification attacks that could impact network availability and reputation. Nominum's N2 applications enable CSPs' marketing and customer care teams to leverage subscribers' Internet Activity to better engage, build brand loyalty, improve marketing ROI, and open up new business models. Nominum is a global organization headquartered in Redwood City, CA.
