Most Spam Sites Tied to a Handful of Registrars
New research suggests that more than three quarters of all Web sites advertised through spam are clustered at just 10 domain name registrars.
The data comes from millions of junk messages collected over the past year by Knujon ("no junk" spelled backwards and pronounced "new john"), an anti-spam outfit that works by convincing registrars to dismantle spam sites.
Knujon's co-founder Garth Bruen said the links in spam messages touting fake pharmacies, knock-off designer products, pirated software and phony lending institutions redirect users to a relatively minuscule subset of sites that are generally under the control of a small number of companies.
Bruen focuses most of his energy on calling attention to spam sites that list blatantly false information in their WHOIS records, the global online directory designed to list the contact data for individuals who register Web sites.
The Internet Corporation for Assigned Names and Numbers (ICANN), the Marina Del Rey, Calif.-based group charged with overseeing the domain name system, requires all Web domain registrars to collect and maintain accurate WHOIS data for all domain holders. Under the terms of their contracts with ICANN, registrars are supposed to cancel any Web site registrations with inaccurate WHOIS data if the domain holder does not update their records within 15 days of receiving notice from the registrar.
It should surprise no one that spammers rarely provide their real credentials when registering new sites. But the trouble is that relatively few registrars police their own WHOIS records, or bother to do any kind of rudimentary checks to verify that the information is accurate when the domain holder first registers the site. And, until very recently, Bruen said, ICANN hasn't done much about it.
"ICANN doesn't have any authority or mandate to deal with spam or Internet abuse, but it does have a mandate to make sure the WHOIS records are accurate," Bruen said. "A lot of our work has focused on what's clearly within ICANN's management and what's in the registrar's contractual agreement with ICANN. And ICANN doesn't like the fact that they're being forced to comply with their own standards by third parties."
Over the past several months, Knujon has submitted so many automated complaints about inaccurate WHOIS records at registrars that it crashed ICANN's database on several occasions.
Bruen said he tried to warn ICANN that this would happen.
"The absurd thing about this is I flew out there in June and said 'Here's the direction we're heading in with Knujon, and from what I can tell, your database can't handle what we have to submit'," Bruen recalls telling the ICANN folks.
Bruen said ICANN tacitly acknowledged in a recent newsletter that the complaint database crashes and that Knujon was responsible for filing 40 percent (19,873 out of 50,189) of all WHOIS inaccuracy reports submitted to ICANN in the latest reporting period.
In April 2007, ICANN launched a new program to address WHOIS compliance issues, including an annual WHOIS data accuracy audit. It also combed through all of the inaccurate WHOIS reports and sent certain registrars a "Notice of Concern," though it declined to publicly name those companies.
So who are the top 10 registrars most favored by spammers? You can see the list along with Knujon's methodology here. A few of the names on it are unsurprising simply by virtue of their market share. Number five -- Bellevue, Wash., based eNom -- is the second largest registrar, according to DomainTools's registrarstats.com. Number six -- Pompano Beach, Fla., based Moniker -- has the eighth largest market share among registrars.
But size doesn't explain most of the names on the list. The registrars that scored the worst overall -- Xinnet Bei Gon Da Software, BEIJINGNN, and Todaynic -- are all located in China, and are 18th, 47th and 99th in terms of market share, respectively.
Perhaps the most interesting name on the list is number 7 -- a registrar out of Broomfield, Colo., called Dynamic Dolphin. According to Knujon, more than 10 percent of the company's 45,000-plus domains have false WHOIS data, and more than 17 percent of the domains registered through the company have been observed being advertised through spam.
A bit of digging into Dynamic Dolphin revealed that it is owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. Those of you who read this post a few weeks back will recognize this company: Its CEO is Scott Richter, a notorious, self-avowed spammer who claims to have quit the business. As I noted in that post, anti-spam groups claim that Media Breakaway recently hijacked more than 65,000 IP addresses for use in sending e-mail and hosting commercial Web sites.
Dynamic Dolphin is a reseller of registrar services offered by number 9 on the list, an Indian company named Direct Information PVT Ltd. (Directi) and doing business as PublicDomainRegistry.com.
To its credit, Directi has been fairly active of late in removing spammy and outright nasty customers from its domain portfolio. Last year, the company canceled more than 18,000 registrations tied to the Russian Business Network (RBN), an ISP that experts say served as a front for organized Russian cyber criminals and child pornographers.
RBN was scattered to the four winds in November 2007, after stories from The Washington Post and other media outlets exposed the company's business activities and supporting networks. Experts say RBN may be dispersed, but it is hardly gone. Anti-spam groups have spotted cyber-crime activity that fits RBN's modus operandi at a number of Chinese ISPs and registrars since its original online base of operations was boarded up.
Update, May 27, 9:46 a.m.: ICANN responded to the Knujon report, saying that "more than half of those registrars named had already been contacted by ICANN prior to publication of KnujOn's report, and the remainder have since been notified following an analysis of other sources of data, including ICANN's internal database."
With tens of millions of domain names in existence, and tens of thousands changing hands each day, ICANN relies upon the wider Internet community to report and review what it believes to be inaccurate registration data for individual domains. To this end, a dedicated online system called the Whois Data Problem Report System ("WDPRS") was developed in 2002 to receive and track such complaints.
Although the majority of registrars offer excellent services and contribute to the highly competitive market for domains, ICANN's compliance department has developed an escalation process to protect registrants and give registrars an opportunity to cure cited violations before ICANN commences the breach process.
However, while registrars are responsible for investigating claims of Whois inaccuracy, it is not fair to assume a registrar that sponsors spam-generating domain names is affiliated with the spam activity. A distinction must be made between registrars and an end user who chooses to use a particular domain name for illegitimate purposes.
"But if those registrars, including those publicly cited, do not investigate and correct alleged inaccuracies reported to ICANN, our escalation procedure can ultimately result in ICANN terminating their accreditation and preventing them from registering domain names," said Stacy Burnette, director of compliance at ICANN.
The full ICANN response is available here.
May 19, 2008; 11:54 AM ET
Categories: Fraud , From the Bunker , U.S. Government