Most Spam Sites Tied to a Handful of Registrars

New research suggests that more than three quarters of all Web sites advertised through spam are clustered at just 10 domain name registrars.

The data comes from millions of junk messages collected over the past year by Knujon ("no junk" spelled backwards and pronounced "new john"), an anti-spam outfit that works by convincing registrars to dismantle spam sites.

Knujon's co-founder Garth Bruen said the links in spam messages touting fake pharmacies, knock-off designer products, pirated software and phony lending institutions redirect users to a relatively minuscule subset of sites that are generally under the control of a small number of companies.

Bruen focuses most of his energy on calling attention to spam sites that list blatantly false information in their WHOIS records, the global online directory designed to list the contact data for individuals who register Web sites.

The Internet Corporation for Assigned Names and Numbers (ICANN), the Marina Del Rey, Calif.-based group charged with overseeing the domain name system, requires all Web domain registrars to collect and maintain accurate WHOIS data for all domain holders. Under the terms of their contracts with ICANN, registrars are supposed to cancel any Web site registrations with inaccurate WHOIS data if the domain holder does not update their records within 15 days of receiving notice from the registrar.

It should surprise no one that spammers rarely provide their real credentials when registering new sites. But the trouble is that relatively few registrars police their own WHOIS records, or bother to do any kind of rudimentary checks to verify that the information is accurate when the domain holder first registers the site. And, until very recently, Bruen said, ICANN hasn't done much about it.

"ICANN doesn't have any authority or mandate to deal with spam or Internet abuse, but it does have a mandate to make sure the WHOIS records are accurate," Bruen said. "A lot of our work has focused on what's clearly within ICANN's management and what's in the registrar's contractual agreement with ICANN. And ICANN doesn't like the fact that they're being forced to comply with their own standards by third parties."

Over the past several months, Knujon has submitted so many automated complaints about inaccurate WHOIS records at registrars that it crashed ICANN's database on several occasions.

Bruen said he tried to warn ICANN that this would happen.

"The absurd thing about this is I flew out there in June and said 'Here's the direction we're heading in with Knujon, and from what I can tell, your database can't handle what we have to submit'," Bruen recalls telling the ICANN folks.

Bruen said ICANN tacitly acknowledged in a recent newsletter that the complaint database crashes and that Knujon was responsible for filing 40 percent (19,873 out of 50,189) of all WHOIS inaccuracy reports submitted to ICANN in the latest reporting period.

In April 2007, ICANN launched a new program to address WHOIS compliance issues, including an annual WHOIS data accuracy audit. It also combed through all of the inaccurate WHOIS reports and sent certain registrars a "Notice of Concern," though it declined to publicly name those companies.

So who are the top 10 registrars most favored by spammers? You can see the list along with Knujon's methodology here. A few of the names on it are unsurprising simply by virtue of their market share. Number five -- Bellevue, Wash., based eNom -- is the second largest registrar, according to DomainTools's Number six -- Pompano Beach, Fla., based Moniker -- has the eighth largest market share among registrars.

But size doesn't explain most of the names on the list. The registrars that scored the worst overall -- Xinnet Bei Gon Da Software, BEIJINGNN, and Todaynic -- are all located in China, and are 18th, 47th and 99th in terms of market share, respectively.

Perhaps the most interesting name on the list is number 7 -- a registrar out of Broomfield, Colo., called Dynamic Dolphin. According to Knujon, more than 10 percent of the company's 45,000-plus domains have false WHOIS data, and more than 17 percent of the domains registered through the company have been observed being advertised through spam.

A bit of digging into Dynamic Dolphin revealed that it is owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. Those of you who read this post a few weeks back will recognize this company: Its CEO is Scott Richter, a notorious, self-avowed spammer who claims to have quit the business. As I noted in that post, anti-spam groups claim that Media Breakaway recently hijacked more than 65,000 IP addresses for use in sending e-mail and hosting commercial Web sites.

Dynamic Dolphin is a reseller of registrar services offered by number 9 on the list, an Indian company named Direct Information PVT Ltd. (Directi) and doing business as

To its credit, Directi has been fairly active of late in removing spammy and outright nasty customers from its domain portfolio. Last year, the company canceled more than 18,000 registrations tied to the Russian Business Network (RBN), an ISP that experts say served as a front for organized Russian cyber criminals and child pornographers.

RBN was scattered to the four winds in November 2007, after stories from The Washington Post and other media outlets exposed the company's business activities and supporting networks. Experts say RBN may be dispersed, but it is hardly gone. Anti-spam groups have spotted cyber-crime activity that fits RBN's modus operandi at a number of Chinese ISPs and registrars since its original online base of operations was boarded up.

Update, May 27, 9:46 a.m: ICANN responded to the Knujon report, saying that "more than half of those registrars named had already been contacted by ICANN prior to publication of KnujOn's report, and the remainder have since been notified following an analysis of other sources of data, including ICANN's internal database."

ICANN continued:

With tens of millions of domain names in existence, and tens of thousands changing hands each day, ICANN relies upon the wider Internet community to report and review what it believes to be inaccurate registration data for individual domains. To this end, a dedicated online system called the Whois Data Problem Report System ("WDPRS") was developed in 2002 to receive and track such complaints.*

Although the majority of registrars offer excellent services and contribute to the highly competitive market for domains, ICANN's compliance department has developed an escalation process to protect registrants and give registrars an opportunity to cure cited violations before ICANN commences the breach process.

However, while registrars are responsible for investigating claims of Whois inaccuracy, it is not fair to assume a registrar that sponsors spam-generating domain names is affiliated with the spam activity. A distinction must be made between registrars and an end user who chooses to use a particular domain name for illegitimate purposes.

"But if those registrars, including those publicly cited, do not investigate and correct alleged inaccuracies reported to ICANN, our escalation procedure can ultimately result in ICANN terminating their accreditation and preventing them from registering domain names," said Stacy Burnette, director of compliance at ICANN.

The full ICANN response is available here.

By Brian Krebs  |  May 19, 2008; 11:54 AM ET
Categories:  Fraud , From the Bunker , U.S. Government  

Comments

has stolen my 2000 top-valued domain names, including,,,by changing my registered email contact info, and stealing my password, and blocking me from accessing my account.
Now I have only 50 domains, after less than one year.
I have been reporting, FBI-LA ...
Nothing seems to be helpful.
Web Post Office
inventor of Next Generation of Email System
Los Angeles, Ca,USA

Posted by: Dr.Noh | May 19, 2008 6:35 PM | Report abuse

A little digging into background of #1 offending registrar, Xinnet Bei Gon Da Software, shows that it is owned by Sino-I Technology of Hong Kong. Legal advisor to Sino-I is the Hong Kong office of Preston, Gates, Ellis; accountant to Sino-I is Grant Thornton. There is no reasonable excuse for the rampant spam support performed by Xinnet spam-site registrations.

Posted by: am | May 19, 2008 7:06 PM | Report abuse

Moniker's "market share" is mostly tasted domains besides prolific spammer hosting.

So it is not as broad a customer base as say Enom.

Posted by: SRS | May 19, 2008 10:35 PM | Report abuse

We need to see the whole list. Not just the 'top 10'. We need to see where all registrars are on this list.

@Web Post Office: see for action on GoDaddy complaints.

Posted by: Mick | May 20, 2008 4:06 AM | Report abuse

@SRS -

URIBL provides more than just the "top 10" at

Posted by: toto | May 20, 2008 6:09 AM | Report abuse

Sorry if what I say sounds strange but hey, I am from Europe
I absolutely do not understand why one should provide accurate contact information for a domain, if the domain is privately held. What is the reason why someone should know where Mr John Doe lives just because he owns
Sure, one can rent a PO box, but I totally miss the point of having this info available to everyone.

But like I said, I am from Europe and we are a bit biased about privacy here :)

Posted by: DomainHolder | May 20, 2008 7:36 AM | Report abuse

Mick & toto - The point of the story is that the bulk of the sites in question are at a minority of registrars. From here let's ask why and what can be done about it. Fix the major offenders and the rest will be easier to deal with.

DomainHolder - People in the U.S. like privacy too. The sites in question are not personal sites, they are selling fake drugs and stolen merchandise. Do you think they should be anonymous?

Posted by: Knujon | May 20, 2008 9:48 AM | Report abuse

Remember how your squad leader used to tell you not to bunch up on the road march so "one grenade couldn't get everyone?" Let's see, now where did I put my grenades?

Posted by: Pete from Arlington | May 20, 2008 1:22 PM | Report abuse

99.9% of my spam comes from Xinnet registered domains.

Posted by: efa | May 20, 2008 1:57 PM | Report abuse

@Pete from Arlington: Spam fighters definitely see this as an important strategy -- each time a registrar goes from spammer tolerant to spammer hostile, Gandi being one of the most extreme examples, the spammers have fewer choices and are more clustered and more vulnerable.

While Xin Net fully deserves to be #1 on that list, there have been recent changes in procedures that look promising: They now at least send autoreplies to reports, and at least one poster at has been able to get a considerable number of domains suspended. That doesn't sound like much to celebrate, but it was inconceivable just a few months ago. Beijing Innovative Linkage Technologies (possibly what BeijingNN refers to??), TodayNIC, and have also been responding to complaints and shutting down spammer domains. Whether this is due to the Chinese government making it known that internet laws on the books are going to start being enforced, to particular reporters getting on whitelists so their reports aren't lost in a sea of Roman character spam, or in Xin Net's case, to new owner Sino-i cleaning up the mess, who can tell. But spammers are now starting to flee from Chinese to Russian registrars.

As far as the rest of the list, I don't find it as useful as URIBL's list of spam domains as a percentage of total domains for each registrar.

I've never heard of Dolphin, so if they are among the top ten spam friendly registrars, then my Spamcop reports must have gotten me removed from their clients' email lists.

Posted by: AlphaCentauri | May 20, 2008 6:00 PM | Report abuse

@AlphaCentauri, point of clarification--Sino I Technology has owned Xinnet since 2003/2004--a period of 4+ years. It has been under SinoI ownership that Xinnet became the registrar of choice for spam operations--as Gandi and Joker in 2007 stopped supporting mass spam-site registration, Xinnet/Paycenter picked up the slack. The good folks at Castlecops are indeed now getting some response from Xinnet customer support, but customer support is often not indicative of overall company policy. The scope of Xinnet support for spam-site registration is such that ICANN needs to step-up and send Notice of Breach to Xinnet and begin backup operations for eventual removal of Xinnet accreditation.

Posted by: Anonymous | May 20, 2008 7:15 PM | Report abuse

The URIBL list is different information for different intent - blacklisting. By looking at the bulk offenders, scoring the site content and trademark abuse we're hoping to steer the conversation into an examination of what within the hierarchy allows these conditions to exist? While shutting down individual sites is important it is more important to review the policy failures that lead their original population. I would think there would be more discussion here about whether certain providers are playing fair with the industry and consumers.

Posted by: Knujon | May 21, 2008 12:30 PM | Report abuse

Consider The Spam Balloon: Knowing that a minority of companies control most of the sites advertised in spam helps put the junk email problem into better perspective. To illustrate this consider a typical spam campaign. The emails are generated by tens of thousands of malware compromised machines and networks on the Internet. They send millions of spam messages to millions of victims. Sounds like a big problem, right? Not exactly. Because the number of actual websites advertised in those millions of messages is rather small in comparison the derivative of a spam campaign is seriously reduced. Reducing the true size even further is the fact that these real websites are held by one or maybe two registrar companies per campaign. Imagine that a spam campaign is a balloon. A balloon is actually made of a very small amount of real material, it only appears bigger because it's full of hot air. The huge volume of sent spam messages is the hot air that pushes the boundaries of the Internet's resources, making the problem look bigger than it is. However, the air only stays in the balloon because it is knotted at the bottom. The registrars are this knot. Graphic here:

Posted by: Knujon | May 23, 2008 9:41 AM | Report abuse

ICANN has put out a response to KnujOn's report earlier today:

"Worst Spam Offenders" Notified by ICANN

It says in it: "More than half of those registrars named had already been contacted by ICANN prior to publication of KnujOn's report, and the remainder have since been notified following an analysis of other sources of data, including ICANN's internal database."

Further details of the processes that ICANN follows to deal with this issue are included, complete with links.

Jason Keenan
ICANN Media Advisor

Posted by: Jason Keenan | May 23, 2008 9:51 PM | Report abuse

I really appreciate the effort Knujon is doing in the last 20 months. My spam mails have been reduced significantly. The methods are cool and innovative.
Now I also can see that anti-spam activities are working with each other which is just perfect ...
Keep going and many thanks!
Oliver (Germany)

Posted by: Knujon Member | May 29, 2008 2:49 AM | Report abuse

Danke schoen, Oliver. We're always glad to know that we have helped someone. We understand that folks are frustrated by this problem and solutions do not come quickly or easily. This is not over, not by a long shot, it's the beginning of a beginning. This report and response has only opened the door to more questions. Does it seem right that Scott Richter has a stake in 3 registrars? The system has completely failed to protect the consumer here. But this is what Knujon is about, a detailed examination of the policy structure to find opportunities to fix it for everyone's benefit.

Posted by: Knujon | May 29, 2008 11:05 AM | Report abuse

China we own you, Ha ha

Posted by: Sino | May 29, 2008 11:54 PM | Report abuse

The comments to this entry are closed.

© 2010 The Washington Post Company