Anonymous Domain Sales: A Spammer's Delight

Spammers routinely register their sites under false names, or hijack someone else's identity to do so. But new research shows they're also paying for premium services when registering domain names to ensure a deeper level of anonymity.

Data collected by Knujon, an anti-spam outfit that tries to convince registrars to deep-six spam sites, shows that spammers are increasingly registering sites through a handful of domain privacy services that refuse to provide a direct method to contact domain holders.

These services are offered by many Web site name registrars, which allow customers to hide their name and address from the global, publicly-searchable "WHOIS" directory of domain name holders. Most domain privacy protection services provide at least a custom e-mail address linked to each domain, so that correspondence with the domain holder can be passed along through the registrar. But spammers are increasingly flocking to a handful of domain privacy services that refuse to provide any direct methods to contact domain holders.

Knujon looked back at all of the spam domains advertised in junk messages it received over the past year, with an eye toward those spam sites where all of the registrant's contact data was withheld by one of these anonymization services. Garth Bruen, Knujon's co-founder, said the vast majority of those he found - more than 15,000 domains - were registered through a single anonymization service: While a handful of those 15,000 spam-advertised sites peddle knockoff designer goods or adult Web sites, most redirect users to unlicensed pharmacy Web sites that purport to sell everything from Viagra to Valium without requiring a prescription.

I wanted to know whether these 15,000 sites were perhaps grouped at a handful of registrars or Web hosting providers, so I enlisted the help of Roger So, a technical support manager at, an anti-spam company based in Hong Kong. Mr. So helped me run thousands of automated Web site registration lookups and break the list down by registrar.

What we found closely mirrored the results of a related investigation I detailed last month, which concluded that more than three quarters of all Web sites advertised through spam are clustered at just 10 domain name registrars.

Out of the 15,000 spam-advertised domains we examined, nearly half -- 7,142 names -- were registered through a Broomfield, Colo. company called Dynamic Dolphin. As I noted in my previous story, Dynamic Dolphin is the seventh most-popular registrar among spammers who provide patently false information in their public WHOIS records.

Dynamic Dolphin is owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. The CEO of Media Breakaway is none other than Scott Richter, the once self-avowed "Spam King" who claims to have quit the business. Anti-spam groups also have recently implicated Media Breakaway in the alleged hijacking of more than 65,000 Internet addresses for use in sending e-mail and hosting commercial Web sites.

Dynamic Dolphin is a reseller of registrar services offered by an Indian company called Direct Information PVT Ltd. - also known as Directi and Directi was the second most popular registrar among spammers who used; it handled the registration for nearly 4,000 of those 15,000+ domains that Knujon flagged.

Prior to researching Bruen's data, I'd run across on numerous occasions, but it wasn't until I began this project that I found - perhaps not surprisingly - that it was next to impossible to tell who owned the service.

But, thanks to a few industry sources, I finally worked it out. So who owns Why, Directi, of course.

Bruen said certainly not all spammers use privacy protection or anonymization services; most, he said, just make up phony contact data.

"Which begs the question: why bother [with anonymization]? No one -- except Knujon and a few others -- is policing the records," Bruen said. "The difference here is that the registrar is playing a role in masking the identity and location of the owners. My guess would be the registrars are the real owners of these sites."

I contacted the owners of both Directi and Dynamic Dolphin for comment, and will update this blog in the event that they respond.

No doubt many consumers (this author included) appreciate the privacy these proxy services afford for personal Web sites. But it's never been quite clear to me how these domain anonymization services jibe with the contracts registrars must sign with the Internet Corporation for Assigned Names and Numbers (ICANN), the Marina del Rey, Calif. entity which oversees the domain name system. ICANN's contracts clearly state that registrars shall make their database of registrant information publicly searchable online.

Turns out I'm not the only one baffled by this apparent conflict in policy.

"Nobody's ever been able to explain to me how anonymized domains meet the ICANN rules," said John Levine, author of Internet for Dummies and a former member of the ICANN At-Large Advisory Committee. "On the one hand, the WHOIS info is for the anonymizers which uniformly disclaim responsibility for the actions of their customers, while the actual info is unavailable, to be disclosed at the whim of the anonymizers whose criteria for disclosure vary from a polite e-mail to a subpoena."

I sought clarification from ICANN, but am still awaiting their response to this question, and to hear more on what -- if anything -- they plan to do about the abuse of anonymization services by spammers.

I'm not suggesting that if some regulatory or law enforcement agency were to subpoena the registration records from a company like Dynamic Dolphin that they'd learn the true identities of the people who registered the sites in question. But I am suggesting - for the second time in as many months - that if ICANN is as serious about cracking down on problematic domain name registrars as it claims, it could do a lot worse than to start with Dynamic Dolphin and Directi.

Update, 10:47 p.m. ET: A previous version of this blog post incorrectly stated that Outblaze is headquartered in India.

Update, June 18, 10:15 a.m. ET: Abhijit Relekar, team lead of Web solutions for Directi, responded in e-mail today to say that the company is aware that its services are being misused, and that it is investigating the domain names and service providers in question.

Relekar dismissed the suggestion that Directi was the owner of the anonymized domains linked with spam. "While I can not speak for Dynamic Dolphin or any other registrar, I can confirm that Directi does not own or have any association with the domain names registered through it that use the privacy protection service."

"Rest assured the issue is being treated with all the seriousness it deserves, and decisive measures will be taken within the next few days to ensure that the violators do not continue to use this service," Relekar said. "Any domain name proven to be indulging in malicious and/or illegal activities such as spamming would have its privacy protection immediately revoked and, if registered through Directi, would also be suspended."

By Brian Krebs  |  June 17, 2008; 10:23 AM ET


The registration cloaking services are also used by Credit Card scammers as repeatedly found in a long running investigation. As MGD wryly terms it: "hide a criminal" service.

Posted by: Moike | June 16, 2008 6:19 PM | Report abuse

Network administrators should blacklist in DNS any anonymized domain; these anonymization services are "hide a criminal" services.

Posted by: High Plains Drifter | June 16, 2008 7:26 PM | Report abuse

This is interesting, but I hope that in the next few weeks, you will name ALL the domain registrars that are setting up these spammer domains. Maybe that will cause some of these companies to crack down on these untoward activities!

Posted by: Jon van Helsing | June 16, 2008 7:45 PM | Report abuse

If you owned a domain or more than one, you would know that email addresses in the whois are used by spammers. This is the reason that many people choose to use whois privacy.

Posted by: Adam Strong | June 16, 2008 10:14 PM | Report abuse

is based in Hong Kong by the way - though we do have offices in India (and in the states and elsewhere).


Posted by: Suresh Ramasubramanian | June 16, 2008 10:40 PM | Report abuse

ICANN should be held accountable. Don't let this one fade away!

Posted by: Kilgore | June 16, 2008 10:42 PM | Report abuse

Speaking of Media Breakaway ... this from today, Brian Bergstein | AP

"An arbitrator has ruled that Scott Richter and his Web marketing company, Media Breakaway LLC of Westminster, Colo., must pay MySpace $4.8 million in damages and $1.2 million in attorney's fees for barraging MySpace members with unsolicited advertisements."

Posted by: Kilgore | June 16, 2008 10:57 PM | Report abuse

Well, it's about 5% of what MySpace originally demanded and got in the judgement.

Mediabreakaway / Richter is basically saying "they got 95% less than they asked for".

Oh well, c'est la vie.

Posted by: Suresh Ramasubramanian | June 17, 2008 12:12 AM | Report abuse

Blame the governing body of the ICANN for this... they're incompetent and this needs to be regulated by the government.

Posted by: Toomy | June 17, 2008 1:48 AM | Report abuse

Adam Strong:

Putting a fake email address in your whois registration because you don't want spam is not a valid excuse. If you are going to own a registered site, then you ***MUST*** provide a means of contact. Otherwise, you might as well be lumped with and blacklisted with all the scammers who fail to provide valid registration info. Really, if you own a web site, do you want to look legit or look like a cheap rip off site?

Posted by: trixie | June 17, 2008 3:46 AM | Report abuse

If a SWAT Team is as serious about cracking down on problematic domain name registrars as it claims, it could do a lot worse than to start with the Dolphins and the RNC.

Posted by: Ralph Reed | June 17, 2008 8:08 AM | Report abuse

@trixie: not sure how this is in the US, but in Europe people are quite happy not to advertise all over the place their address. If I have a home based server and a domain name I will not (sorry) put my home address together with my name in a publicly available place.
An email address is fine, though.

I completely fail to understand why ICANN needs my full PRIVATE details when registering a virtual entity (a domain name). What is the home address of the head of this organization?

Posted by: Eur | June 17, 2008 9:16 AM | Report abuse

Eur> I completely fail to understand why ICANN needs my full PRIVATE details when registering a virtual entity (a domain name).

What they need is reliable contact information, especially email. If you're going to maintain a space on the 'Net, people need to be able to contact you if something in your domain should behave pathologically. And the mailing address doesn't have to be your home address.

If you control your own domain, you can avoid spam by simply creating a unique email address for your contact record and rotating it out every few months as the spammers catch on.

Posted by: antibozo | June 17, 2008 10:08 AM | Report abuse

Euros, as we have stated before. We like Privacy in the U.S. as well. The question here is whether COMMERCIAL entities selling controlled substances, knockoff products, pirated software and the like should be able to hide behind multiple layers of anonymity. The services described above do not actually have -any- responsive contact information associated with their sites.

Posted by: Knujon | June 17, 2008 10:29 AM | Report abuse

While is a privacy provider, they are totally unaccountable.

Try and phone them. You cannot. All you get is a pre-recorded voice message to visit their website. Try and email them. You cannot since it bounces immediately. You cannot snail mail them, they clearly state "Note - All Postal Mails Rejected, visit"

So how do you contact them?

Use their web form as said on the prerecorded phone message or email? Does not work.

Wow, isn't the internet a great place for everybody?

Posted by: Questioner | June 17, 2008 11:31 AM | Report abuse

ICANN? I don't think so. Sounds like ICANNOT (or won't). Too bad, because eventually the government will step in to do what they won't.

Posted by: Pete from Arlington | June 17, 2008 1:31 PM | Report abuse

Protecting Domain Contact Information by Privacy Protection services is fine. But the Registrar should have to take the initiative to validate the domain owner by a few steps:

1) A few registrars process the domain if the domain registrant puts the wrong (nonexistent) domain in the contact details. The domain must be approved automatically only after sending some code to the email id, and this code the domain registrant can use for registering their domain.
2) The other step of validating the user is that if they have a mobile number then the domain registrar's automated system can send some code (not the same as in the email) to the registrant's mobile number. The registrant can put this code into the registrar's system for validation purposes.

There are so many other steps a domain registrar can think of to make the WWW clean.

Posted by: Mentor | June 17, 2008 2:33 PM | Report abuse

The Registrar Accreditation Agreement (RAA) is an agreement between ICANN and all ICANN-accredited registrars. The RAA requires registrars to include certain provisions in their registration agreements with registrants. Section is a provision that must be included in all registration agreements.

Section states, "Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm."

Pursuant to Section of the RAA, privacy protect services used by alleged spammers must provide full Whois contact information and must accept liability for harm caused by wrongful use of a domain name, unless the privacy protect service promptly discloses the identity of the licensee (the alleged spammer) to a party providing the privacy protect service reasonable evidence of actionable harm. This is consistent with ICANN's goal of ensuring that Whois data is available to the public and ensuring that some party is responsible when harm is caused by the wrongful use of a domain name.

When registrars include the language in Section of the RAA in their registration agreements with registrants, they are compliant with regard to their obligation to do so under the RAA.

ICANN does not have contractual authority to address spam matters. However, ICANN takes Whois accuracy very seriously. In addition to other projects intended to improve Whois accuracy, commencing in July 2008, ICANN will follow up on every Whois inaccuracy claim filed through the Whois Data Problem Report System to ascertain if registrars are complying with their obligation to investigate Whois inaccuracy claims.

I hope this assists the public in understanding the circumstances under which privacy protect services must accept liability and ICANN's contractual authority.

Posted by: Stacy Burnette, ICANN | June 17, 2008 2:36 PM | Report abuse

Please ignore the earlier post; there is a little mistake:

Protecting Domain Contact Information by Privacy Protection services is fine. But the Registrar should have to take the initiative to validate the domain owner by a few steps:

1) A few registrars process the domain if the domain registrant puts the wrong (nonexistent) E-mail in the contact details. The domain must be approved automatically only after sending some code to the registrant's email id, and this code the domain registrant must enter for registering their domain.
2) The other step of validating the user is that if they have a mobile number then the domain registrar's automated system can send some code (not the same as in the email) to the registrant's mobile number. The registrant must enter this code into the domain registrar's system for validation purposes.

There are so many other steps a domain registrar can think of to make the WWW clean.

Posted by: Mentor | June 17, 2008 2:38 PM | Report abuse

I don't get any spam. Every one of my addresses has a spam filter that works great (Gmail). Rather than arguing for dubious anti-anonymity measures, just get with the program.

I run a dozen non-commercial web sites. I see no need to advertise my full name and postal address on these web sites.

Let's not use Spam as an excuse to allow more heavy-handed regulation of the Internet. I can tell you one thing: there is NO WAY that the Feds will do ANYTHING effective against Spam. And if they try anything, I guarantee it will impose a great cost on innocent users for no benefit whatsoever.

Posted by: Anonymous (of course) | June 17, 2008 3:11 PM | Report abuse

"Pest control" methods should be employed to deal with Scott once and for all. It would be a great service to mankind.

Posted by: Chas | June 17, 2008 4:00 PM | Report abuse

Media Breakaway LLC also appears in a VERY interesting story about stolen IP blocks

related to the earlier post "A Case of Network Identity Theft?"

Posted by: Moike | June 17, 2008 4:26 PM | Report abuse

A company called 'perfspot' is the home of multiple spams, the spammers will not 'unsubscribe me', and perfspot will not stop them from spamming me. Graphic and sexual messages to them don't work, saying I'll sue don't work. WHY CAN'T MY SOFTWARE THAT SEPARATES OUT THE SPAM, just send it back to the spammers and clog up their sites?

Posted by: leroy slater | June 17, 2008 5:52 PM | Report abuse

Misleading story title. The Domain SALE, ISN'T anonymous.

The number of spammers using these services is dwarfed by the number of people with a legitimate need for them.

Stop inventing news.

Posted by: blah | June 17, 2008 6:07 PM | Report abuse


I believe, if you read it in context, you might be able to see that he is referring to the sale of "anonymous domains". Much like a second-hand car sale, the sale isn't really second-hand.

Posted by: Charles Decker | June 17, 2008 7:42 PM | Report abuse

So government sets up a couple of companies to deliver top notch NSA designed privacy services, sets out brand story and history for the assigned "founders" and faces of the companies for the general public and gathers most of the traffic wanted to be hidden.

You bet these stories have to be dependable, and appear trustworthy to the intelligent minds, to the point of not trusting the privacy provider would be paranoid behaviour.

A diversity of these companies, but still running a joint database (with some generally popular sites too), would easily pinpoint out just about anyone using privacy services. Kind of triangular tracking plus getting into hidden data.

That works of course with regular sites too, but the amount of data to go thru would be like volume of the low end of the pyramid, in terms of amount of data, compared to the top.

Of course such powerful and privacy intrusive tools must be handled with deep understanding of world history, and the mathematics of large numbers in relation to population, and presence of the butterfly effect in one way or another, and what we know of thinking, statistics, what we consume as culture, and the known workings of human mind.

Such a tool would need to have a guidance group to use it, Chairman and the Board of Use Controllers guarding the release of information in relation to statistics of the whole population. Like in China or Russia, we can see that people need to have privacy from their governments, or the result can be close to slavery or living in a lie of the outside world and what people themselves are, capable of, being something else than just workforce with little little lives and thinking how clever they are in their boxed thinking. To others their cleverness could be compared to cleverness of optimizing standard life to secure experienceless life, never seeing any of the humanly possible opportunities. Still there would be the rest of the world to see. Ok, sure many are forced to be practical and then sink into that life.

I would bet that that spam exists, because no-one is thoroughly right, there are different worldviews, differences and business models. Maybe there is more behind it all than just front figures? Data mining and building interesting personal profiles based on data trails on the net, with observation points carefully chosen to give most interesting results with least data to mine, that is a great power and a tool.

Posted by: pwm | June 17, 2008 7:55 PM | Report abuse

Fundamentally, I don't think there is any practical way to prevent "privacy registrations". A parent can register a domain for a child; a lawyer can register a domain for a client; a web designer can be the registrant of many domains on behalf of various clients. Legally, a privacy service is registering domains for others to use. I suspect that any regulation that could deal with all these nuances would be either too complicated, or too draconian to stand.

Posted by: Kent Crispin | June 17, 2008 8:40 PM | Report abuse

ICANN has a long record of burying themselves in administrivia whilst IGNORING the concept of ethics.
Their (ICANN) conduct can only be described as shameful.
Pretty obvious who ICANN works for !

Posted by: Howard Hoyt | June 17, 2008 10:30 PM | Report abuse

All I know is that spam got worse once the FEDS made it illegal.

Posted by: gp | June 17, 2008 11:39 PM | Report abuse

There are hundreds of reasons why you want to keep a domain name anonymous.

* Gain Jurisdictional Benefits
* Prevent Oppressive Government Harassment
* Prevent harassers, stalkers & data miners!
* Maintain your privacy
* Let you run a home business without unwanted intervention

Posted by: Takeshi Hikumura | June 18, 2008 12:16 AM | Report abuse

We are constantly bombarded with would-be hackers and spammers.

You can use any of the WhoIs services to see who is responsible for abuse, but many of them are so convoluted that it is next to impossible to find who is the IP Address range ISP Administrator, and even when you DO manage to find one, mails to them are almost always returned with "Address Unknown".

We are getting up to 15,000 spam mails per day the majority of which are blocked by our servers. Expand this across all companies world-wide and see where the bandwidth is going!

Over and above all that we can be subjected to anything up to 5,000 attempts to hack each of our servers EVERY DAY. Most of this is from the Far East and the Balkans.

The more spam filters put in place, the more genuine emails go "missing" and the longer it takes for mail to be delivered.

Unless something drastic is done (I would like to see the Death Penalty for spammers), it will soon be so bad that it will be cheaper and more efficient to go back to 'snail mail'

Posted by: Solomon | June 18, 2008 5:06 AM | Report abuse

These spammers are detrimental to the effective functioning of the internet as a whole. What can we do to shut them down?

Posted by: Jacques Snyman | June 18, 2008 7:33 AM | Report abuse

All commercial business beyond the net is subject to laws and regulation (and for legitimate reasons). Why should the Internet be any different? Why should it get a free pass, if it really wants to compete for the world market?

Posted by: EPGEEK | June 18, 2008 10:17 AM | Report abuse

@Abhijit Relekar--contrary to your assertion to SecurityFix, it appears that almost 90% of recently registered websites using Directi and have been reported as spamsites. In fact on Wednesday, the same day you contacted SecurityFix, the counterfeit, pharma, and herbal spammers that have been supported by Xin Net, began migrating their spamsite registrations to Directi and using nameservers conveniently left in place by Xin Net. Until Directi stops this spamsite migration in its tracks, I believe ICANN should consider Directi fully responsible for the illegal activities of these spamsites.

Posted by: Anonymous | June 20, 2008 5:03 AM | Report abuse

Anonymous domains, are you kidding? I'm supposed to be upset?

What about endless paper junk mail in our physical mail boxes. No one is more secretive than Choicepoint and the other mail list hawkers. Gonna track them down?

Of course not, since they do population surveillance. Which is illegal for feds, but not Choicepoint. A nice arrangement for all.

Do you know how many anonymous fronts the unFederal nonReserve uses in the Caymans to buy its own paper and rig gold markets? Gonna track them down for us? There's some anonymity to expose.

Ridiculous nonissues like 'whois' are excuses for the real agenda, which is information control. The spam angle is just a wedge to install China style controls on the net.

After the Post divulges how many CIA agents of influence anonymously populate its news desks, I'll consider this trivia. Right after I watch Anderson Cooper and read Daily Kos.

Posted by: Jacques | June 20, 2008 5:31 AM | Report abuse

I don't think it's trivial. I'm dealing with thousands of nondelivery messages right now because someone is sending spam and using my domain in the "from" field. Yup, when all those mailhosts reply that the destination is not valid, that report goes back to me. ALL of these messages contain a link to either or I can't even identify these folks because their domain points only to Read some of the other comments to see how it goes trying to research that. Any legitimate business could be held accountable, or at least contacted (or at least it would be possible to contact the registrar and complain). My $.02.

Posted by: Jeff | June 22, 2008 7:27 PM | Report abuse

The mess created by socially deviant spammers is trivial only to the spammer, not to the legitimate businesses whose reputations and resources have been damaged. The growth of financial crimes that support the spammer ecosystem is trivial only to those who profit from it.

I am a life-long believer in a god-given right to privacy--but have chosen to accept increasing filtering of internet traffic. A sad state of affairs when spammers can intrude into an individual's home or business and damage their privacy, livelihood and finances and then can further waste society's resources by crying and lying in US courts about the abuse of their (spammer) rights.

Posted by: Anonymous | June 24, 2008 6:43 AM | Report abuse

Abhijit Relekar's comments in the article look quite strange when contrasted with the comments from ICANN -


Pursuant to Section of the RAA, privacy protect services used by alleged spammers must provide full Whois contact information and must accept liability for harm caused by wrongful use of a domain name, unless the privacy protect service promptly discloses the identity of the licensee (the alleged spammer) to a party providing the privacy protect service reasonable evidence of actionable harm.


Now, has an arguably fake postal address and telephone number though they don't accept postal mail per their statement in the whois. +45 is not the IDD code for the Netherlands, it's the IDD code for Denmark. It isn't the IDD code for New Zealand either.

Domain Admin (
P.O. Box 97
All Postal Mails Rejected, visit
null,5066 ZH
Tel. +45.36946676

Domain Admin (
PO Box 83-000
All Postal Mails Rejected, visit
Tel. +45.36946676

Contrast that with, say, Enom's whois protection - they include a valid address, one that does belong to Enom.

Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard
Registrant Address1: 8939 S. Sepulveda Blvd
Registrant Address2: 8939 S. Sepulveda Blvd
Registrant City: Westchester
Registrant State/Province: CA
Registrant Postal Code: 90045
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.6613102107

Given all this fakery, and the prevalence of fraudulent domains on privacyprotect (perhaps thanks to some of Directi's resellers), there is no reason to believe that contacting privacyprotect will actually produce any results at all. Where results ARE produced .. for example in this case before WIPO, the process is boringly predictable.

You can see the comments the WIPO panelist makes about privacyprotect. Comments that I tend to agree with. This service is not operating in the manner that other whois protection services operate. Or in a manner that facilitates convenient takedown of any malicious sites (spam, botnet, phish etc sites, say)


Posted by: Suresh Ramasubramanian | June 24, 2008 8:59 AM | Report abuse

To follow up on my previous comment, I filed a report on's inaccurate whois at

Submitting it got me this ..

"Thank you for helping make Whois data more accurate. A Whois Data Problem Report related to was recently submitted, so no further action is required. "

I wonder how many such reports have been submitted. And what was the result?'s whois moving from New Zealand to the Netherlands?


Posted by: Suresh Ramasubramanian | June 24, 2008 9:09 AM | Report abuse

Ironically, the original impetus for anonymizing domain registrations was because spammers harvested the details.

I personally wouldn't ever register a site under my own name if I could help it and I have hunted spammers down on occasion.

Posted by: Joe | August 25, 2008 8:57 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company