Today's brought to you by @jtk, who asks about early or interesting abuse-related issues.

There's lots here so this one will be a thread...

The first one that jumps to mind is credit card fraud. This isn't really surprising/interesting in the later days, but what surprised me was that people used stolen credit cards even when we were just taking donations.

Like, really? You're going to abuse some kids who are just trying to run a free service? Not cool.

1/?

Tim W RESISTS

The next one, which also started surprisingly early, was using hostnames for botnet command and control. That's what actually got me involved in the community (and where I met @jtk!)

DynDNS was good for C&C because they could move it around quickly, and have the bots follow. If the C&C got taken down, boom, switch to a new one. We were unintentionally helping them keep their control going.

2/?

We eventually got plugged into the InfoSec community, though, and were able to build systems to detect this and both take action (blocking accounts, etc) and also collect information to help security researchers.

I take my users' security and privacy seriously, but if you're doing malfeasance, it all goes out the window - you're not a user anymore, you're an abuser. And don't worry, we put that in our ToS too.

3/?

Once we started doing paid services, the credit card fraud really picked up - in some cases it just seemed like they were using us to check stolen cards before using them for something bigger, other times they were really trying to get services.

I never quite understood the logic of the second one - you have to know it's not gonna last for long when you're using someone else's card. But maybe people don't notice and report the fraud?

4/?

This one led to some of the most interesting things about abuse - getting surprising new domain names! When someone bought a domain with a stolen credit card, there was usually no way for us to cancel the registration (eventually we could if we caught it fast enough, but by the time there was a chargeback it'd for sure be too late).

So, we figured - we paid for these, I guess they're ours now! I don't remember any specifics, but there were definitely some weird ones in there.

5/?

I don't remember if we ever turned any of them into actual customer domains for our free services - I don't THINK any of them happened to be good for that purpose.

Credit card fraud was a huge pain back then (not that it isn't now) - there wasn't nearly the range of intelligent analysis and risk assessment that's out there today. And as I recall we got chargebacks via fax (or had to respond via fax, maybe both). The bad old days...

6/?

Next time on I'll talk about credit card processing - it was so much more complicated than just getting a Stripe account those days.

The hoops and shenanigans we had to go through as a small start-up doing online card processing in those early days were wild.

7/7

@tim Oh, I'd love to hear more about credit card processing. I'm working with a start up Member owned Co-Op and we're trying to find an economical way of accepting SNAP benefits. It's literally the only reason we have our Heartland account, and we lose money every month in fees.

@lisagetspolitik I know less about anything specialty today, but I know (or at least used to know) a lot about the landscape of 20 years ago! 😀

@tim were they using you as a registrar / reseller?

I never knew that DynDNS was in that line of business.

@drscriptt yeah we started off as an OpenSRS reseller and then moved on to being an accredited registrar. Domain registration was generally a combination with our DNS for your own domain services.