
Report: Most Spam Sites Tied to Just 10 Registrars

Nearly 83 percent of all Web sites advertised through spam can be traced back to just 10 domain name registrars, according to a study to be released this week.

The data come from millions of junk messages collected over the past year by Knujon ("no junk" spelled backwards and pronounced "new john"), an anti-spam outfit that tries to convince registrars to dismantle spam sites.

While there are roughly 900 accredited domain name registrars, spammers appear to register the Web sites they advertise in junk e-mail through just one percent of those registrars. Knujon's rankings include:

1. XinNet Cyber Information Company Limited
2. eNom
3. Network Solutions
4. Register.com
5. Planet Online
6. Regtime Ltd.
7. OnlineNIC Inc.
8. Spot Domain LLC
9. Wild West Domains
10. Hichina Web Solutions

Knujon co-founder Garth Bruen said registrars made his list based on several factors, including: the number of reported illicit domains held by the registrar; the number of unsolicited messages used to advertise those domains; the percentage of illicit domains relative to the registrar's total portfolio; and the rate of unsolicited e-mails per illicit domain. If two registrars earned the same ranking after all of these factors were considered, the tiebreaker was the registrar's volume of unlicensed online pharmacies.

[Chart: Knujon's ranking of registrars (knuchart.jpg)]

The registrar with the largest number of domains advertised in spam over the past six months was Beijing-based XinNet, a subsidiary of a Chinese conglomerate called Sino-i Technology Limited. XinNet also appeared at the top of Knujon's list in a similar study published in May.

XinNet responded that the company tries its best to "suspend all the sites which [are] abused by spammers" and "as one of... China['s] largest domain registrar, we are ready to cooperate with the security organizations such as the Knujon or RSA.... to suspend all the illegal site to make the Internet become more [secure]."

XinNet also appears to be the sole registrar used by the authors of the Waledec worm, which uses e-mail to lure people into visiting Web sites that try to install and spread the worm. As of publication time, dozens of the domains used by Waledec were still functioning, although it is possible some of them have been preserved at the request of security researchers. The company did not respond to requests for information about how it is dealing with Waledec domains.

It's interesting to point out that Sino-i lists the law firm of Kirkpatrick & Lockhart, Preston, Gates, Ellis LLC as its legal counsel. Among K&L Gates's largest clients is Microsoft Corp., a company that no doubt spends tens of millions of dollars annually trying to make life more difficult for spammers. That's because the majority of spam is sent via Microsoft Windows PCs that have been compromised by malicious software designed to turn them into spam relays.

K&L Gates spokesman Peter Kalis, however, said representing both entities did not present a conflict of interest.

"As Sino-I states, we serve as its securities and regulatory counsel in Hong Kong, where it is a publicly listed company," the company said in a statement e-mailed to Security Fix. "We have never been requested to represent, have not represented and do not currently represent XinNet in any capacity or any unit of the company in connection with online activities."

Four of the registrars on Knujon's list are among the top registrars in the industry. According to rankings from registrarstats.com, eNom -- which landed at number two on Knujon's list -- has the second-largest portfolio of domains. Network Solutions, which placed third on Knujon's tally of registrars most favored by spammers, is the world's fourth-largest registrar. Fourth in Knujon's list is Register.com, which is the eighth largest registrar. Wild West Domains, which appeared ninth on the list, is seventh in terms of overall market share.

But Bruen maintains that there is little correlation between the size of a registrar's portfolio and the amount of abuse taking place. For example, he notes that while Godaddy is by far the largest domain registrar -- registrarstats.com says Godaddy.com has about 30 percent of the market -- they are not in Knujon's top 10 (this statement is not entirely true, as Wild West Domains is owned by Godaddy and is a reseller of its domain registration services).

Bruen notes that Planet Domains and Regtime are tiny compared to the others on the list but have a high volume of spammed domains. Network Solutions, on the other hand, is six times the size of XinNet, but according to Knujon, XinNet has six times as many recorded spam messages as Network Solutions.
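To make the ranking method concrete, here is an added example (not Knujon's code, and not a formula the article publishes) that scores registrars on the four factors Bruen names and applies his pharmacy-count tiebreaker. Knujon has not disclosed how the factors are combined, so the aggregation used here, summing each registrar's rank on every factor and sorting by the total, is an assumption. The registrar names and figures are constructed for illustration and describe no real company; they are chosen to show the point made above, that a tiny registrar with a high proportion of abusive domains can outrank a far larger one.

```python
"""Multi-factor registrar abuse ranking with a tiebreaker.

Added illustration. Knujon's actual weighting is unpublished; the
Borda-style "sum of per-factor ranks" aggregation below is an assumption.
All registrars and numbers are constructed sample data, not Knujon's.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence


@dataclass(frozen=True)
class Registrar:
    name: str
    portfolio: int        # total domains under management
    illicit_domains: int  # domains reported as advertised in spam
    spam_messages: int    # junk messages advertising those domains
    pharmacies: int       # unlicensed online pharmacies (tiebreaker)

    @property
    def illicit_share(self) -> float:
        """Factor 3: illicit domains as a fraction of the whole portfolio."""
        return self.illicit_domains / self.portfolio if self.portfolio else 0.0

    @property
    def spam_per_illicit_domain(self) -> float:
        """Factor 4: how hard each illicit domain is being spammed."""
        return self.spam_messages / self.illicit_domains if self.illicit_domains else 0.0


# The four factors from the article; higher value = worse for every one of them.
FACTORS: Dict[str, Callable[[Registrar], float]] = {
    "illicit_domains": lambda r: r.illicit_domains,
    "spam_messages": lambda r: r.spam_messages,
    "illicit_share": lambda r: r.illicit_share,
    "spam_per_domain": lambda r: r.spam_per_illicit_domain,
}


def factor_ranks(registrars: Sequence[Registrar],
                 key: Callable[[Registrar], float]) -> Dict[str, int]:
    """Rank registrars on one factor: 1 = worst offender.

    Competition ranking: registrars with equal values share a rank.
    """
    values = {r.name: key(r) for r in registrars}
    return {name: 1 + sum(1 for v in values.values() if v > val)
            for name, val in values.items()}


def composite_scores(registrars: Sequence[Registrar]) -> Dict[str, int]:
    """Sum each registrar's rank across all factors (lower = worse)."""
    per_factor = [factor_ranks(registrars, f) for f in FACTORS.values()]
    return {r.name: sum(fr[r.name] for fr in per_factor) for r in registrars}


def rank_registrars(registrars: Sequence[Registrar]) -> List[Registrar]:
    """Worst-first ordering; ties broken by pharmacy count, then name."""
    score = composite_scores(registrars)
    return sorted(registrars, key=lambda r: (score[r.name], -r.pharmacies, r.name))


# Constructed sample data (hypothetical registrars).
SAMPLE = [
    Registrar("BigCo",   portfolio=10_000_000, illicit_domains=6_000, spam_messages=3_000_000, pharmacies=40),
    Registrar("TinyCo",  portfolio=50_000,     illicit_domains=5_000, spam_messages=3_500_000, pharmacies=300),
    Registrar("MidCo",   portfolio=2_000_000,  illicit_domains=4_000, spam_messages=4_000_000, pharmacies=120),
    Registrar("QuietCo", portfolio=5_000_000,  illicit_domains=200,   spam_messages=20_000,    pharmacies=0),
]

if __name__ == "__main__":
    scores = composite_scores(SAMPLE)
    for pos, r in enumerate(rank_registrars(SAMPLE), start=1):
        print(f"{pos}. {r.name:8s} score={scores[r.name]:2d} "
              f"share={r.illicit_share:.5f} pharmacies={r.pharmacies}")
```

On this data BigCo holds the most illicit domains outright yet finishes third, because its share of abusive domains and its spam-per-domain rate are low relative to its size; TinyCo and MidCo tie on the composite score and the pharmacy count decides the order. Note that the result is sensitive to which factors are included and how they are combined, which is exactly the objection the registrars raise later in the article.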

"By looking at varying data and taking into consideration registrars who have cooperated, I think this is a pretty fair assessment," Bruen said. "Regardless of which data point I look at the same Registrars show up again and again in each category. I don't think that is coincidence."

Bill Mushkin, chief executive at Spot Domain LLC (a.k.a. domainsite.com), called Bruen's study "amazingly unscientific," and said it fails to measure how well registrars respond to reports about spammy domains. In any event, he said, while registrars have a duty under their contract with ICANN to suspend domains with blatantly false or missing data in their WHOIS contact records, there is nothing in their contract that requires them to shutter domains advertised in spam.

"I do not believe it is our duty. It would be great for us if there were some sort of governing body that says you need to shut them down, because the downside of shutting anybody off is that if you're wrong, you're really screwing up someone's life or businesses," Mushkin said. "If it were black and white and simple and we knew for sure in each case, it would be really easy. But it's not like that."

eNom also questioned the reliability of Knujon's data, saying the customers suspected of using its products and services for sending spam are investigated, and if eNom determines there is a problem with spam, the company "takes appropriate action to resolve the situation."

"We hope to have an opportunity to review KnuJon's research and understand their formulas for pulling together this data, as we question their algorithm and its ability to accurately measure which registrars are fighting spam the most, or which are the most spam-friendly," the company said in a statement e-mailed to Security Fix.

Bruen said most of the spam sites are registered by the same abusive customers over and over again.

"The registrars know who they are and don't block them from buying new domain names," Bruen said. "In my experience, the registrars have to be pushed so hard to dump these sites and will refuse to do so unless there is enormous pressure."

Indeed, the response I received from Ben Butler, director of network abuse at Wild West Domains in Scottsdale, Ariz., seemed to support Bruen's claim. Butler said the majority of abuse appears to be coming from customers who abuse the company's reseller model.

"In one case you may have a reseller who sells domains using our service as company 'abc,' which can then set up reseller accounts for anyone who buys a reseller account through them," Butler said. "Company 'def' is underneath that reseller, 'ghi' is under them, and so on, so that if you're using different names under each of those, due to the nature of the reseller agreement, we may have no idea initially if we're dealing with the same reseller. There's no immediate feedback that tells us all of these resellers are the same individuals."

eNom, Butler said, is "almost certainly dealing with the same problem for much the same reason. Their whole model is designed for resellers."

Several of the registrars Security Fix documented in its coverage of Knujon's last report -- particularly India-based Directi -- indicated they were struggling with problematic resellers. In November, ICANN canceled its registrar contract with EstDomains, a Directi reseller whose own resellers had become virtually synonymous with domains that pushed spam products and malicious software.

In October 2008, ICANN issued breach of contract notices to number two and number four on last year's Knujon list -- Beijing Innovative Linkage Technology Ltd. (d.b.a. DNS.COM.CN) and Joker.com. Neither company is present on Knujon's list this time around.

Registrars that did not respond to requests for comment include Woodland Hills, Calif.-based Planet Online Inc.; Russia-based Regtime Ltd.; OnlineNIC Inc. in Oakland, Calif.; and Beijing-based Hichina Web Solutions.

Network Solutions responded to the Knujon report:

"We take spamming very seriously and are continually evaluating and improving our systems from fraud detection to product provisioning. In addition, we are active participants in a number of anti-spam policy working groups that try to create standards for fighting such practices.

In making improvements to our DNS propagation for our customers, which propagates their domains within a minute or less versus within 24 hours, it has made us attractive to both legitimate customers and, unfortunately, spammers.

We are continually reviewing and improving our systems; however, no matter how good our systems are, we are still reliant on the speed at which stolen information is reported. Unfortunately, there will continue to be a window of time at which spammers will operate. Our goal is to significantly shorten that period of time."

Register.com sent the following statement via e-mail:

"At Register.com, we take the issue of domains used in spamming campaigns -- or any other inappropriate activities -- very seriously. We have a process that lets the public alert us to any inappropriate or illegal uses of the domains under our management by emailing abuse@register.com. Once notice of a potential abuse is received, either through our abuse process or any governing agency, we take prompt action to investigate the report. If any inappropriate use of the domain is found we take the domain offline immediately.

While Register.com is committed to taking action and doing whatever we can to minimize these types of abuses, there is a trade-off between our responsibilities to minimize abuse and protect the privacy of our customers. With this in mind, Register.com does not judge domain usage or proactively monitor/govern how our customers use their domains. We are as diligent about safeguarding our customers' freedom to use domains for any legitimate purpose, as we are about squashing any abuses that are reported to us."

By Brian Krebs  |  February 4, 2009; 11:15 AM ET
Categories:  From the Bunker , Latest Warnings , Web Fraud 2.0  

Comments

This is truly interesting information. It seems that if there are just this many primary violators out there (violators of my time!) then something could be done to regulate them.

Beyond that, something could be designed beyond what is typically applied to secure oneself from them, the spam, the malware, the spyware, etc.

I'd be interested in reading an article about that if you don't mind.

http://www.justaskgemalto.com

Posted by: ThomasWhitney | February 4, 2009 1:36 PM

I guess it depends on how one reads the Registrar Accreditation Agreement, but the following section seems to indicate that the registrars do have to verify the registrant data when they sign up:

"3.7.8 Registrar shall abide by any specifications or policies established according to Section 4 requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information."

The registrars seem to think that sending an email once a year asking the domain name holders to see if their information is correct, and doing nothing if it is, qualifies as a substitute for actual verification.

Or maybe it is too much work for them, even if KnujOn has offered to do it for free.

Posted by: diogenes7 | February 4, 2009 1:54 PM

Many thanks for the links to ICANN publications! Always entertaining to read or hear the PR flacks papering over sleaze.

Posted by: featheredge9 | February 5, 2009 12:37 AM

It is following 80-20 Pareto Law!

Posted by: subhash1 | February 5, 2009 1:57 AM

While registrars aren't required to police site content or spamming activity, they are required to make sure the registration information is accurate. As the most heavily spammed sites are also blatantly illegal, they're also being registered with fake data.

I don't want to hear registrars complaining that they aren't getting reports about spamming domains. URIBL makes their spamtrap data public within a short period after they receive it, and for a fee registrars can get even earlier notifications and more sophisticated analysis of likely problem domains. And the Castlecops bulk domain reporting has been continued by battlespam.info and inboxrevenge.com.

From there, it's a question of confirming the registration information. Since some email information has to be exchanged to get a registration completed, the registrar should NOT use email contact as confirmation of the registrant's identity. Pick up a phone, check Google maps, contact the credit card company to see if the person whose card was used really authorized that purchase. It sounds like a lot of trouble. But a registrar only has to do this for a couple months before the majority of spam registrations go elsewhere. A registrar doesn't have to continue that level of effort once they've made it clear they'll do it when they need to.

The other problem is that it is impossible to get spam reports to most registrars. They use commercial spam filters that block emails containing spammy domain names, even that registrar's own registered domains. Domainsite at least provides notice that they are blocking your emails; most other registrars just fail to respond at all.

Posted by: AlphaCentauri | February 5, 2009 10:30 AM

© 2010 The Washington Post Company