Latest news of the domain name industry

Recent Posts

ICANN apologizes to “arms dealer” claim security firm after email goes missing

Kevin Murphy, August 31, 2020, Domain Registrars

ICANN has apologized to the security company that claimed an accredited registrar was in league with malware distributors, after an email went AWOL.

You may recall that registrar GalComm was accused by Awake Security last month of turning a blind eye to abuse in a report entitled “The Internet’s New Arms Dealers: Malicious Domain Registrars” and that ICANN’s preliminary investigation later essentially dismissed the allegations.

ICANN had told GalComm (pdf) August 18 that Awake had not “to date” contacted ICANN about its allegations, but that appears to have been untrue.

GalComm’s lawyers had in fact emailed a letter to ICANN, using its “globalsupport” at icann.org email address, on August 6, as said lawyers testily informed (pdf) Global Domains Division VP Russ Weinstein August 20.

Weinstein has now confirmed (pdf) that a letter from Awake was received to said email address but “was not escalated internally”. He said he was “previously unaware” of the letter. He wrote:

I apologize for this inadvertent oversight and we will use this as a training opportunity to prevent such errors in the future.

GalComm has been threatening to sue Awake for defamation since the “arms dealer” report was published, so it looks like ICANN’s decision to eat humble pie is probably a prudent way to keep its name off the docket.

The letter from Awake’s lawyers (pdf) also includes a lengthy explanation of why the original report is not, in its view, defamatory.

The lesson for the rest of us appears to be that the ICANN email address in question is probably not the best way to reach ICANN’s senior management.

Weinstein said that abuse complaints about registrars should be sent to its “compliance” at icann.org address.

“Arms dealer” registrar probed by ICANN

Kevin Murphy, August 20, 2020, Domain Registrars

ICANN’s top security thinkers are looking into hotly denied claims that an Israeli registrar collaborated with malware distributors.

Luckily for the registrar, GalComm, so far they’ve come up empty-handed and ICANN has told the company it does not consider it “malicious”.

ICANN told GalComm this week that its Security, Stability and Resiliency team is looking into a report published by security consultancy Awake Security in June entitled “The Internet’s New Arms Dealers: Malicious Domain Registrars”.

The report connected GalComm to over 100 malicious browser extensions, used to steal data, that have been installed 33 million times. GalComm was apparently the attackers’ registrar of choice.

While Awake did not report the registrar to ICANN, GalComm took it upon itself to write to ICANN to deny the allegations, saying that it merely acted as a neutral registrar and had no involvement in hosting or distributing the malware.

It also demanded that Awake retract its report and apologize or face legal consequences. The report is still available.

Now, ICANN has written back (pdf) to assure the registrar that its investigations to date has been “unable to corroborate the findings Awake Security presented and it does appear that Awake Security had an inaccurate picture of the total domains under management by GalComm”.

It added that the investigation is ongoing, however:

Based on the information we have been able to obtain to date, we have no reason to believe it appropriate for GalComm to be considered a “malicious domain registrar” as asserted by Awake Security. However, as noted in Awake Security’s report, the malicious actors behind the domains in question may be utilizing detection evasion techniques. As such, our investigations continue, and we appreciate GalComm’s cooperation and support of those investigations.

ICANN has previously told news outlets that it receives very few complaints about GalComm, none related to malware.

Israeli registrar denies “arms dealer” claims

Israeli registrar GalComm has denied being involved in a widespread malware distribution scheme after being fingered by a security outfit.

Last month Awake Security accused the registrar, officially Communigal Communication Ltd, of being “at best complicit in malicious activity”.

The firm published a report entitled “The Internet’s New Arms Dealers: Malicious Domain Registrars” which linked GalComm to a network of malicious Chrome browser extensions the firm said can steal sensitive data from users who have them installed.

It identified 111 such plug-ins, which it said have been downloaded 33 million times, using over 15,000 domains registered via GalComm.

GalComm has around 48,000 domains registered in gTLDs at the last count, so that’s a sizable percentage of the registrar’s business.

Awake came to the conclusion that GalComm was well-aware of what its customers were up to.

Now, the registrar has sent a cease-and-desist notice to Awake, CC’d to ICANN (pdf), in which it denies all knowledge and responsibility for the malware.

GalComm’s line, to summarize, is that it’s just a registrar, and that it has no obligation to monitor how its customers use their domains.

It adds that the domains in question amount to 10% of its DUM. Still a pretty big chunk.

The company wants Awake to retract its report by today, which it has not yet done, or it will call in the lawyers.

Go here to help fight against coronavirus abuse

Kevin Murphy, March 26, 2020, Domain Tech

A coalition of over 1,000 security experts, domain name providers and others have got together to help coordinate efforts to combat abusive coronavirus-related domains.

A workspace on the collaboration platform Slack has been growing steadily since it was created a week ago, enabling technology professionals to exchange information about the alarming number of sites currently trying to take advantage of the pandemic.

You can join the channel via this link. Thanks to Theo Geurts of RealtimeRegister.com for passing it along.

The collection of chat rooms appears to have been created by Joshua Saxe, chief scientist at security software firm Sophos, March 19. There are currently 1,104 members.

There’s a channel devoted to malicious domains, which is being used to share statistical data and lists of bad and good coronavirus-related domains, among other things.

Across the workspace, a broad cross-section of interested parties is represented. Current members appear to come from security companies, governments, law enforcement, registries, registrars, ICANN, healthcare providers, and others.

It seems like a pretty good way for the technical members of the domain name industry to keep track of what’s going on during the current crisis, potentially helping them to put a stop to threats using domains they manage as they emerge.

As it releases free download, DomainTools says 68,000 dangerous coronavirus domains have been registered

Kevin Murphy, March 26, 2020, Domain Services

More than 68,000 coronavirus-related domain names have been registered so far in 2020, according to data released by DomainTools today.

The domain intelligence services company has started publishing a list of these domains, updated daily, for free on its web site. You have to submit your email address to get it.

The download comprises a CSV file with three columns: domain, reg date, and Domain Risk Score.

This final field is based on DomainTools’ in-house algorithms that estimate how likely domains are likely to be used in nefarious activities, based on criteria including the domain’s connection to other, known-bad domains.

Only domains with a score of 70 or above out of 100 — indicating they will likely be used for activities such as phishing, malware or spam — will be included on the list, the company said.

The list will be updated daily at 0000 UTC.

You can find out more and obtain today’s list here.

Spam is not our problem, major domain firms say ahead of ICANN 66

Kevin Murphy, October 21, 2019, Domain Policy

Eleven of the largest domain name registries and registrars have denied that spam is something they should have to deal with, unless it’s used to proliferate other types of abuse such as phishing or malware.

In a newly published “Framework to Address Abuse” (pdf), the companies attempt to define the term “DNS abuse” narrowly to capture only five (arguably only four and a half) specific types of online threat.

That abuse comprises malware, phishing, botnets, pharming and spam.

The companies agree that these are activities which registrars and registries “must” act upon.

But the document notes that not all spam is its responsibility, stating:

While Spam alone is not DNS Abuse, we include it in the five key forms of DNS Abuse when it is used as a delivery mechanism for the other four forms of DNS Abuse. In other words, generic unsolicited e-mail alone does not constitute DNS Abuse, but it would constitute DNS Abuse if that e-mail is part of a phishing scheme.

In other words, registrars and registries should not feel responsible for the billions of spams sent every day using their domains, unless the spam runs further malware, phishing, pharming or botnet abuse.

The signatories of the framework are Public Interest Registry, GoDaddy, Donuts, Tucows, Amazon Registry Services, Blacknight, Afilias, Name.com, Amazon Registrar, Neustar, and Nominet UK.

It may seem like they’ve presented a surprisingly narrow definition, but it’s in line with what current ICANN contracts dictate.

Neither the standard Registry Agreement nor Registrar Accreditation Agreement mention spam at all. Six years ago, ICANN specifically said that spam is “outside of ICANN’s scope and authority”.

Under the RA, registries have to oblige their registrars to ban registrants from “distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law”.

They also have to maintain statistical reports on the amount of “pharming, phishing, malware, and botnets” in their zones, and provide those reports to ICANN upon demand. A recent audit found that 5% of registries, mainly dot-brands, were not doing this.

However, ICANN’s Domain Abuse Activity Reporting system, an effort to provide some transparency into how gTLDs are being abused, does in fact track spam. It does not track pharming, which is a fairly obscure and little-used form of DNS attack.

The DAAR report for September shows that spam constituted 73% of all tracked abuse.

The ICANN board of directors today identified DAAR as one of a few dozen priorities for the coming year.

Similarly, the cross-community working group known as the CCT Review Team, which was tasked with looking into how the new gTLD program has impacted competition and consumer trust, had harsh words for spam-friendly registries, and provided a definition of “DNS Security Abuse” that specifically included “high volume spam”.

The review recommended that ICANN introduce more measures to force contracted parties to deal with this type of abuse. This could include incentives for registries to clean up their zones and abuse volume thresholds that would automatically trigger compliance actions.

The new framework document comes in the context of an ongoing debate within the ICANN community about what “DNS abuse” is.

Two partners at Interisle, a security consultancy that often works for ICANN, recently guest-posted on DI to say that this term has become meaningless and should be abandoned in favor of “security threat”.

They argued that the definition should include not only spam, but also stuff like IP infringement, election interference, and terrorism.

But the main threat to contracted parties probably comes from the Governmental Advisory Committee, backed by law enforcement, which is pushing for stronger rules covering abusive content.

During a webinar last week, the US Federal Trade Commission, the FBI, and Europol argued that registries and registrars should be obliged to do more to combat abuse, specifically including spam.

“Whether or not you call it phishing or spam or whether it has a malware payload or not, ultimately it’s all email, and email remains the most common tool of cybercriminals to ensnare their victims, and that’s why we in law enforcement care about the domains used to send emails,” said Gabriel Andrews of the FBI’s Cyber Initiative Resource Fusion Unit, on the call.

Registries and registrars countered, using the same language found in the new framework, that generic spam is a content issue, and outside of their remit.

The two sides are set to clash again at ICANN’s annual general meeting in Montreal next month, in a November 6 face-to-face session.

While 11 entities signed the new framework, it’s arguably only nine companies. Name.com is owned by Donuts and both Amazon firms obviously have the same parent.

But it does include the two largest registrars, and registries responsible for running several hundred commercial gTLDs, dot-brands and ccTLDs.

While none of the signatories of the framework have a particular reputation for being spam-friendly, other companies in the industry — particularly some of the newest and cheapest new gTLDs — tend to attract spammers like flies to a turd.

Some of the signatories are perhaps surprising, given their past or ongoing behavior to tackle content-based abuse in their own zones.

Nominet, notably, takes down tens of thousands of domains ever year based on little more than police assurances that the domains are being used to sell counterfeit merchandise or infringe copyright.

The .uk registry also preemptively suspends domains based on algorithms that guess whether they’re likely to be seen as encouraging sexual violence or could be used in phishing attacks.

Donuts also has a trusted notifier relationship with the movie and music industries that has seen it take down dozens of names being used for mass copyright infringement.

PIR has previous endorsed, then unendorsed, the principal of a “UDRP for copyright”, a method of giving Big Content a way of going through due process to have domains taken or suspended.

Outside the spam issue, while the new registry-registrar framework says that registries and registrars should not get involved in matters related to web site content, it also says they nevertheless “should” (as opposed, one assumes based on the jargon usually found in internet standards, to “must”) suspend domains when they’re being used to distribute:

(1) child sexual abuse materials (“CSAM”); (2) illegal distribution of opioids online; (3) human trafficking; and (4) specific and credible incitements to violence.

These are exceptions because they constitute “the physical and often irreversible threat to human life”, the framework says.

Ultimately, this all boils down to a religious debate about where the line is drawn between “DNS” and “content”, it seems to me.

The contracted parties draw the line at threats to human life, whereas others want action on other forms of abuse largely because registries and registrars are in the best position to help.

Could crypto solve the Whois crisis?

Kevin Murphy, July 10, 2018, Domain Tech

Could there be a cryptographic solution to some of the problems caused by GDPR’s impact on public Whois databases? Security experts think so.

The Anti-Phishing Working Group has proposed that hashing personal information and publishing it could help security researchers carry on using Whois to finger abusive domain names.

In a letter to ICANN, APWG recently said that such a system would allow registries and registrars to keep their customers’ data private, but would still enable researchers to identify names registered in bulk by spammers and the like.

“Redacting all registration records which were formerly publicly available has unintended and undesirable consequences to the very citizens and residents that electronic privacy legislation intends to protect,” the letter (pdf) says.

Under the proposed system, each registry or registrar would generate a private key for itself. For each Whois field containing private data, the data would be added to the key and hashed using a standard algorithm such as SHA-512.

For items such as physical addresses, all the address-related fields would be concatenated, with the key, before hashing the combined value.

The resulting hash — a long string of gibberish characters — would then be published in the public Whois instead of the [REDACTED] notice mandated by current ICANN policy.

Security researchers would then be able to identify domains belonging to the same purported registrant by searching for domains containing the same hash values.

It’s not a perfect solution. Because each registry or registrar would have their own key, the same registrant would have different hash values in different TLDs, so it would not be possible to search across TLDs.

But that may not be a huge problem, given that bad guys tend to bulk-register names in TLDs that have special offers on.

The hashing system may also be beneficial to interest groups such as trademark owners and law enforcement, which also look for registration patterns when tracking down abuse registrants.

The proposal would create implementation headaches for registries and registrars — which would actually have to build the crypto into their systems — and compliance challenges for ICANN.

The paper notes that ICANN would have to monitor its contracted parties — not all of which may necessarily be unfriendly to spammers — to make sure they’re hashing the data correctly.

Over 750 domains hijacked in attack on Gandi

Gandi saw 751 domains belonging to its customers hijacked and redirected to malware delivery sites, the French registrar reported earlier this month.

The attack saw the perpetrators obtain Gandi’s password for a gateway provider, which it did not name, that acts as an intermediary to 34 ccTLD registries including .ch, .se and .es.

The registrar suspects that the password was obtained by the attacker exploiting the fact that the gateway provider does not enforce HTTPS on its login pages.

During the incident, the name servers for up up to 751 domains were altered such that they directed visitors to sites designed to compromise unpatched computers.

The redirects started at 0804 UTC July 7, and while Gandi’s geeks had reversed the changes by 1615 it was several more hours before the changes propagated throughout the DNS for all affected domains.

About the theft of its password, Gandi wrote:

These credentials were likewise not obtained by a breach of our systems and we strongly suspect they were obtained from an insecure connection to our technical partner’s web portal (the web platform in question allows access via http).

It’s not clear why a phishing attack, which would seem the more obvious way to obtain a password, was ruled out.

Gandi posted a detailed timeline here, while Swiss registry Switch also posted an incident report from its perspective here. An effected customer, which just happened to be a security researcher, posted his account here.

Gandi says it manages over 2.1 million domains across 730 TLDs.

Schilling, Famous Four rubbish Spamhaus “worst TLD” league

Kevin Murphy, March 17, 2016, Domain Registries

Uniregistry and Famous Four Media have trashed claims by Spamhaus that their gTLDs are are much as 75% spam.

FFM says it is “appalled” by the “wholly inaccurate” claims, while Uniregistry boss Frank Schilling said Spamhaus has “totally jumped the shark here.”

In a statement to DI today, FFM chief legal officer Oliver Smith said the spam-fighting organization’s recently launched World’s Worst TLDs list is “reckless”, adding that the numbers are:

not only wholly inaccurate, but are misleading and, potentially, injurious to the reputation of Famous Four Media and those TLDs it manages. It is particularly worrisome that Spamhaus’s “findings” seem to have been taken as gospel within certain corners of the industry, despite not being proffered with any analytical methodology in support of the same.

The Spamhaus report, which is updated daily, presents the 10 TLDs that are more spam than not.

The rank is based on a percentage of domains seen by Spamhaus that Spamhaus considers to be “bad” — that is, are advertised in spam or carry malware.

Today, Uniregistry’s .diet tops the chart with “74.4% bad domains”, but the scores and ranks can and do shift significantly day by day.

Spamhaus describes its methodology like this:

This list shows the ratio of domains seen by the systems at Spamhaus versus the domains our systems profile as spamming or being used for botnet or malware abuse. This is also not a list that retains a long history, it is a one-month “snapshot” of our current view.

The words “seen by the systems at Spamhaus” are important. If a domain name never crosses Spamhaus’s systems, it isn’t counted as good or bad. The organization is not running the whole zone file against its block-list to check what the empirical numbers are.

In important ways, the Spamhaus report is similar to the discredited Blue Coat report into “shady” TLDs last September, which was challenged by myself and others.

However, in a blog post, Spamhaus said it believes its numbers are reflective of the TLDs as a whole:

In the last 18-years, Spamhaus has built its data gathering systems to have a view of most of the world’s domain traffic. We feel the numbers shown on this list are representative of the actual full totals.

I disagree.

In the case of .diet, for example, if 74% of the full 19,000-domain zone was being used in spam, that would equate to 14,000 “bad” domains.

But the .diet zone is dominated by domains owned by North Sound Names, the Frank Schilling vehicle through which Uniregistry markets its premium names.

NSN snapped up well over 13,000 .diet names at launch, and Schilling said today that NSN owns north of 70% of the .diet zone.

That would mean either Uniregistry is a spammer, or Spamhaus has no visibility into the NSN portfolio and its numbers are way the hell off.

“Spamhaus’ assertion that 74% of the registrations in the .diet space are spam is a numerical impossibility,” Schilling said. “They totally jumped the shark here.”

NSN’s domains don’t send mail, he said.

He added that diet-related products are quite likely to appear in spam, which may help account for Spamhaus’s systems identifying .diet emails as spam. He said:

Spamhaus is a high-minded organization and we applaud their efforts but this report is so factually inaccurate it casts into doubt the validity of everything they release. Spamhaus should be smarter than this and at a minimum consult with registries (our door is open) to gain a better understanding of the subject matter they wrongly profess to be expert in.

Similarly, FFM’s .review gTLD was briefly ranked last week as the “worst” gTLD at 75.1% badness. With 66,000 domains, that would mean almost 50,000 names are spammy.

Yet it appears that roughly 25,000 .review domains are long-tail geo names related to the hotels industry, registered by a Gibraltar company called A Domains Limited, which appears to be run by AlpNames, the registry with close ties to FFM itself.

Again, if Spamhaus’s numbers are accurate, that implies the registrar and/or registry are spamming links to content-free placeholder web sites.

FFM’s Smith says the registry has been using Spamhaus data as part of its internal Registry Abuse Monitoring tool, and that its own findings show significantly less spam. Referring to .review’s 75% score, he said:

This simply does not accord with FFM’s own research, which relies heavily on data made available by Spamhaus. The reality is that, in reviewing registration data for the period 8 February to 8 March 2016, only 4.8% of registered domains have been blacklisted by Spamhaus – further, it is questionable as whether every single such listing is wholly merited. When reviewing equivalent data for the period of 1 January to 8 March 2016 across ALL FFM managed TLDs this rate averages out to a mere 3.2%.

I actually conducted my own research into the claims.

Between March 8 and March 15, I ran the whole .review zone file through the Spamhaus DBL and found 6.9% of the names were flagged as spam.

My methodology did not take account of the fact that Spamhaus retires domains from its DBL after they stop appearing in spam, so it doesn’t present a perfect apples-to-apples comparison with Spamhaus, which bases its scoring on 30 days of data.

All told, it seems Spamhaus is painting a much bleaker picture of the amount of abuse in new gTLDs than is perhaps warranted.

During ICANN meetings last week and in recent blog comments, current and former executives of rival registries seemed happy to characterize new gTLD spam as a Famous Four problem rather than an industry problem.

That, despite the fact that Uniregistry, Minds + Machines and GMO also feature prominently on Spamhaus’s list.

I would say it’s more of a low prices problem.

It’s certainly true that FFM and AlpNames are attracting spammers by selling domains for $0.25 wholesale or free at retail, and that their reputations will suffer as a result.

We saw it with Afilias and .info in the early part of the last decade, we’ve see it with .tk this decade, and we’re seeing it again now.

Registrars warn of huge domain suspension scam

Kevin Murphy, October 28, 2015, Domain Registrars

Customers of at least half a dozen large registrars been targeted by an email malware attack that exploits confusion about takedown policies.

The fake suspension notices have been spammed to email addresses culled from Whois and are tailored to the registrar of record and the targeted domain name.

Customers of registrars including eNom, Web.com, Moniker, easyDNS, NameBright, Dynadot and Melbourne IT are among those definitely affected. I suspect it’s much more widespread.

The emails reportedly look like this:

Dear Sir/Madam,

The following domain names have been suspended for violation of the easyDNS Technologies, Inc. Abuse Policy:

Domain Name: DOMAIN.COM
Registrar: easyDNS Technologies, Inc.
Registrant Name: Domain Owner

Multiple warnings were sent by easyDNS Technologies, Inc. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us by email at mailto:abuse@easydns.com for additional information regarding this notification.

Sincerely,

easyDNS Technologies, Inc.
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101

The “click here” invitation leads to a downloadable file, presumably containing malware.

Of course, the best way to check whether your domain name has been genuinely suspended or not is to use it — visit its web site, use its email, etc.

As domain suspensions become more regularly occurrences, due to ICANN policies on Whois accuracy for one reason, we can only expect more scams like these.

  • Page 1 of 2
  • 1
  • 2
  • >