Anomalous Internet Traffic

If you've observed anomalous Internet traffic associated with our address space, we list below more information on research we're conducting, what you might expect to see, and how to opt out.

SMTP connections attempting to deliver mail to postmaster@<your_domain> with an envelope sender having a suffix in the spf-test.dns-lab.org zone

We are conducting experiments related to validation of SPF and DMARC, as part of our research on SMTP anti-abuse. The suffix for any sender email corresponds to a domain with a specific configuration testing a given characteristic of SPF and/or DMARC. We observe the traffic at our authoritative DNS servers to learn more about the state of SPF and DMARC deployment.

We know that people hate spam, so we have tried several ways to reduce, if not eliminate, the amount of unsolicited email reaching someone's inbox as part of our experiment. First, with one methodology we employ, we simply disconnect from the SMTP server after DATA is issued (but before any content is sent). We have used and are still using that methodology. However, we have learned that while many servers begin SPF validation by the point at which we disconnect, some servers (e.g., Gmail) won't validate unless they receive some content. Of those, many (e.g., Gmail) immediately discard a blank email message, even though they still validate. So we additionally use this second methodology. We recognize that some servers don't error out on a blank message, but we make note of those so as not to hit them twice, to minimize annoyance and perceived abuse. We also use an invalid SPF record and a strict DMARC reject policy, so servers adhering to SPF and DMARC should reject our message, but we understand that not all servers validate.

DNS queries to DNS servers for DNS records within the resolver-measurement.dns-lab.org zone

We are conducting experiments to characterize DNS server behavior, particularly with respect to open resolver behavior. The custom queries we issue to a resolver supporting recursive DNS queries from our address space force it to in turn issue queries to the servers authoritative for dns-lab.org, which are under our control.

We are also conducting experiments related to DNS-over-TLS, so you might see connection attempts to port 853, which is associated with DNS-over-TLS.

DNS queries to authoritative servers for DNS records that don't exist

We are conducting experiments to understand the handling of negative DNS responses by DNS authoritative servers, which requires us to issue queries to servers for names or types that don't exist within the DNS zone for which the servers are authoritative.

DNS queries to resolvers for DNS records within the resolver-select.dns-lab.org zone

We are conducting experiments to characterize resolver behavior with respect to DNS authoritative server selection. The custom queries we issue to the resolver force it to in turn issue queries to the servers authoritative for resolver-select.dns-lab.org, which are specially configured and under our control.

DNS queries to resolvers for DNS records for non-existent domain names within select domains

We are conducting experiments to characterize resolver behavior with respect to DNS authoritative server selection and proximity to resolvers. Issuing queries for DNS records that don't exist helps us to better understand that behavior.
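Operators who want to confirm that traffic in their logs matches the experiments listed above can match on the identifying characteristics given here: envelope senders under spf-test.dns-lab.org, queries under the resolver-measurement.dns-lab.org and resolver-select.dns-lab.org zones, and connections to port 853. The following classifier is an added example written for this page, not code from the research project; it assumes Postfix-style `from=<...>`, BIND-style `query: NAME IN TYPE` and a firewall field `dpt=PORT`, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Identifying characteristics taken from the notice above.
SMTP_SENDER_ZONE = "spf-test.dns-lab.org"
DNS_ZONES = {
    "resolver-measurement.dns-lab.org": "dns-resolver-measurement",
    "resolver-select.dns-lab.org": "dns-resolver-selection",
}
DOT_PORT = 853  # DNS-over-TLS

# Assumed log formats (not from the notice): Postfix 'from=<...>',
# BIND 'query: NAME IN TYPE', and a firewall line carrying 'dpt=PORT'.
SMTP_FROM = re.compile(r"from=<[^<>@]+@([^<>]+)>")
DNS_QUERY = re.compile(r"query: (\S+) IN \S+")
FW_PORT = re.compile(r"\bdpt=(\d+)\b")

def in_zone(name: str, zone: str) -> bool:
    """Match on a label boundary so 'notspf-test.dns-lab.org' is not a false positive."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def classify(line: str):
    """Return the experiment a log line belongs to, or None if unrelated."""
    m = SMTP_FROM.search(line)
    if m and in_zone(m.group(1), SMTP_SENDER_ZONE):
        return "smtp-spf-dmarc"
    m = DNS_QUERY.search(line)
    if m:
        for zone, label in DNS_ZONES.items():
            if in_zone(m.group(1), zone):
                return label
    m = FW_PORT.search(line)
    if m and int(m.group(1)) == DOT_PORT:
        return "dns-over-tls-probe"
    return None

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "postfix/smtpd: NOQUEUE: from=<probe@a1.spf-test.dns-lab.org> to=<postmaster@example.net>",
    "postfix/smtpd: NOQUEUE: from=<alice@notspf-test.dns-lab.org> to=<bob@example.net>",
    "named: client 203.0.113.7#5353: query: x7.resolver-measurement.dns-lab.org IN A +",
    "named: client 203.0.113.7#5353: query: www.example.org IN AAAA +",
    "kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP dpt=853 SYN",
    "named: client 203.0.113.7#5353: query: ns2.resolver-select.dns-lab.org IN A +",
]

def summarize(lines):
    """Count matching lines per experiment; unrelated lines are dropped."""
    return Counter(c for c in map(classify, lines) if c)

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{label}: {count}")
```

The per-experiment counts, together with the source addresses in the matching lines, are what to include when requesting an opt-out for an address range.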

Questions

For questions, comments, and additional information, please send email to imaal@byu.edu.

Opting Out

To opt out of any or all of the listed above, please send email to imaal-abuse@byu.edu, and include the IP address space that you would like to be exempted.