I got caught a while ago sending spam. A veritable flood of Cialis solicitations and Nigerian phone scams burst from my domain. Thankfully, the registrar I used (GoDaddy) sprang into action and shut down my account. To ensure I would not return to my dastardly ways, they asked me to pay the $80 fee before they would reinstate my account. I declined. Another evil spammer shut out from the web by the Knights of Self-Governance.
Thing is, I wasn’t sending spam. Someone else was. From one of my domains.
As it turns out, the DNS service I was using (FreeDNS) has a very interesting business model. It’s a subscription platform, like many other things on the Internet. But how do you hook people to pay money? Well, you do that by giving away their domains.
The default behavior for FreeDNS is to allow anyone else who uses their system (free or otherwise) to register subdomains of your domain names. That means if you use them to manage DNS for, say, ying.li, I can create a subdomain called 0wned.ying.li. It’s so easy!
To their credit, FreeDNS lets you put your domains into “private” mode, which ostensibly means you have the ability to shut off any subdomains that other people register. To their discredit, Glyph never received an email that I’d registered a subdomain of his. Also, once he did put his own domain into public mode, we could not figure out where the hell to delete my spammer subdomain.
This is what happened to me a long time ago. Because the default behavior of FreeDNS is an open-door policy, like a bakery that uses the honor system, anybody can come take what they want. Glyph had 44 unauthorized subdomains (just off the one domain). When mine got shut down, there were hundreds.
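One way a domain owner can catch this, as an added example that is not part of the original post or any FreeDNS tooling: compare the records observed for the zone against your own inventory and flag anything you did not create. The observed records, the inventory, and the IP ranges below are constructed sample values.

```python
import ipaddress

# Constructed sample: records observed for the zone (e.g. from resolver logs
# or passive DNS). Addresses come from the reserved documentation ranges.
OBSERVED = """\
ying.li. A 192.0.2.10
www.ying.li. A 192.0.2.10
mail.ying.li. CNAME mx.ying.li.
0wned.ying.li. A 203.0.113.66
promo.ying.li. CNAME landing.example.net.
WWW.ying.li. A 198.51.100.7
"""

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def audit(records, zone, allowed_names, owned_nets):
    """Return (name, type, value, reason) for records the owner did not authorize."""
    zone = zone.lower().rstrip(".")
    allowed = {n.lower().rstrip(".") for n in allowed_names}
    nets = [ipaddress.ip_network(n) for n in owned_nets]
    findings = []
    for line in records.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, rtype, value = parts[0].lower().rstrip("."), parts[1].upper(), parts[2]
        if not in_zone(name, zone):
            continue  # record belongs to some other domain
        if name not in allowed:
            findings.append((name, rtype, value, "name not in inventory"))
        elif rtype in ("A", "AAAA"):
            # A known name answering with a foreign address is also suspect
            if not any(ipaddress.ip_address(value) in n for n in nets):
                findings.append((name, rtype, value, "address outside owned ranges"))
        elif rtype == "CNAME" and not in_zone(value.lower().rstrip("."), zone):
            findings.append((name, rtype, value, "CNAME leaves the zone"))
    return findings

if __name__ == "__main__":
    inventory = {"ying.li", "www.ying.li", "mail.ying.li"}  # assumed owner inventory
    for finding in audit(OBSERVED, "ying.li", inventory, ["192.0.2.0/24"]):
        print(*finding)
```

Run on a schedule, a check like this surfaces third-party subdomains even when the DNS provider sends no notification.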
As I post this, 0wned.ying.li is still cached in DNS (somewhere) to point to my server.
Are we having fun yet?
![[ Hacker ]](/static/images/hacker.png)