Customers of at least half a dozen large registrars been targeted by an email malware attack that exploits confusion about takedown policies.
The fake suspension notices have been spammed to email addresses culled from Whois and are tailored to the registrar of record and the targeted domain name.
Customers of registrars including eNom, Web.com, Moniker, easyDNS, NameBright, Dynadot and Melbourne IT are among those definitely affected. I suspect it’s much more widespread.
The emails reportedly look like this:
The following domain names have been suspended for violation of the easyDNS Technologies, Inc. Abuse Policy:
Domain Name: DOMAIN.COM
Registrar: easyDNS Technologies, Inc.
Registrant Name: Domain Owner
Multiple warnings were sent by easyDNS Technologies, Inc. Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us by email at mailto:firstname.lastname@example.org for additional information regarding this notification.
easyDNS Technologies, Inc.
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101
The “click here” invitation leads to a downloadable file, presumably containing malware.
Of course, the best way to check whether your domain name has been genuinely suspended or not is to use it — visit its web site, use its email, etc.
As domain suspensions become more regularly occurrences, due to ICANN policies on Whois accuracy for one reason, we can only expect more scams like these.
XYZ.com plans to slap a global ban on domain names censored by the Chinese government.
Chinese words meaning things such as “human rights” and “democracy” are believed to be on the block list, which an industry source says could contain as many as 40,000 words, names and phrases.
(UPDATE: Gavin Brown, CTO of XYZ back-end CentralNic, tweeted that the list is nowhere near 40,000 names long.)
The registry seems to be planning to allow the Chinese government to censor its new gTLDs, which include .xyz, .college, .rent, .protection and .security, in every country of the world.
And it might not be the last non-Chinese registry to implement such a ban.
The surprising revelation came in a fresh Registry Services Evaluation Process request (pdf), filed with ICANN on Friday.
The RSEP asks ICANN to approve the use of a gateway service on the Chinese mainland, which the company says it needs in order to comply with Chinese law.
As previously reported, Chinese citizens are allowed to register domains in non-Chinese registries, but they may not activate them unless the registry complies with the law.
That law requires the registry to be located on the Chinese mainland. XYZ plans to comply by hiring local player ZDNS to proxy its EPP systems and mirror its Whois.
But the Chinese government also bans certain strings — which I gather are mostly but not exclusively in Chinese script — from being registered in domain names.
Rather than block them at the ZDNS proxy, where only Chinese users would be affected, XYZ has decided to ban them internationally.
Registrants in North America or Europe, for example, will not be able to register domains that are banned in China. XYZ said in its RSEP:
XYZ will reserve names prohibited for registration by the Chinese government at the registry level internationally, so the Gateway itself will not need to be used to block the registration of of any names. Therefore, a registrant in China will be able to register the same domain names as anyone else in the world.
It seems that XYZ plans to keep its banned domain list updated as China adds more strings to its own list, which I gather it does regularly.
Customers outside of China who have already registered banned domains will not be affected, XYZ says.
If China subsequently bans more strings, international customers who already own matching domains will also not be affected, it says.
CEO Daniel Negari told DI: “To be clear, we will not be taking action against names registered outside of China based on Chinese government requests.”
But Chinese registrants do face the prospect losing their domains, if China subsequently bans the words and XYZ receives a complaint from Chinese authorities.
“We treat requests from the Chinese government just like we treat requests from the US government or any other government,” Negari said.
“When we receive a valid government or court order to take action against a name and the government has jurisdiction over the registration, we will take action the registration,” he said.
Up to a third of the .xyz zone — about three hundred thousand names — is believed to be owned by Chinese registrants who are currently unable to actually use their names.
The company clearly has compelling business reasons to comply with Chinese law.
But is giving the Chinese government the ongoing right to ban tens of thousands of domain names internationally a step too far?
ICANN allows anyone to file public comments on RSEP requests. I expect we’ll see a few this time.
In one of the ongoing battles between registrars and the intellectual property lobby, ICANN’s compliance department seems to have sided with the registrars, for now.
Registrars will not be forced to suspend domain names when people complain about abusive or illegal behavior on the associated web sites, according to chief contract compliance office Allen Grogan.
The decision will please registrars but will come as a blow to the likes of music and movie studios and those who fight to shut down dodgy internet pharmacies.
Grogan yesterday published his interpretation of the 2013 Registrar Accreditation Agreement, specifically the section (3.18) that obliges registrars to “investigate and respond appropriately” abuse reports.
The IP crowd take this to mean that if they submit an abuse report claiming, for example, that a web site sells medicines across borders without an appropriate license, the registrar should check out the site then turn off the domain.
Registrars, on the other hand, claim they’re in no position to make a judgment call about the legality of a site unless presented with a proper court order.
Grogan appears to have taken this view also, though he indicated that his work is not yet done. He wrote:
Sometimes a complaining party takes the position that that there is only one appropriate response to a report of abuse or illegal activity, namely to suspend or terminate the domain name registration. In the same circumstances, a registrar may take the position that it is not qualified to make a determination regarding whether the activity in question is illegal and that the registrar is unwilling to suspend or terminate the domain name registration absent an order from a court of competent jurisdiction. I am continuing to work toward finding ways to bridge these gaps.
It’s a testament to how little agreement there is on this issue that, when we asked Grogan back in June how long it would take to provide clarity, he estimated it would take “a few weeks”. Yet it’s still not fully resolved.
His blog post last night contains a seven-point checklist that abuse reporters must conform to in order to give registrars enough detail to with with.
They must, for example, be specific about who they are, where the allegedly abusive content can be found, whose rights are being infringed, and which laws are being broken in which jurisdiction.
It also contains a six-point checklist for how registrars must respond.
Registrars are only obliged to investigate the URL in question (unless they fear exposure to malware or child abuse material), inform the registrant about the complaint, and inform the reporter what, if anything, they’ve done to remediate the situation.
There’s no obligation to suspend domains, and registrars seem to have great leeway in how they treat the report.
In short, Grogan has interpreted RAA 3.18 in a way that does not seem to place any substantial additional burden on registrars.
He’s convening a roundtable discussion for the forthcoming ICANN meeting in Dublin with a view to getting registrars to agree to some non-binding “voluntary self-regulatory” best practices.
Disputing the recent Blue Coat report into “shady” new gTLDs, domain security firm Architelos says that the shadiest namespace is just under 10% shady.
That’s a far cry from Blue Coat’s claim earlier this week that nine new gTLDs are 95% to 100% abusive.
Architelos shared with DI a few data points from its NameSentry service today.
NameSentry uses a metric the company calls NQI, for Namespace Quality Index, to rank TLDs by their abuse levels. NQI is basically a normalized count of abusive domains per million registered names.
According to Architelos CEO Alexa Raad, the new gTLD with the highest NQI at the end of June was .work.
Today’s NameSentry data shows that .work has a tad under 6,900 abusive domains — almost all domains found in spam, garnished with just one suspected malware site — which works out to just under 10% of the total number of domains in its zone file.
That number is pretty high — one in 10 is not a figure you want haunting your registry — but it’s a far cry from the 98.2% that Blue Coat published earlier this week.
Looking at the numbers for .science, which has over 324,000 names in its zone and 15,671 dodgy domains in NameSentry, you get a shadiness factor of 4.8%. Again, that’s a light year away from the 99.35% number published by Blue Coat.
Raad also shared data showing that hundreds of .work and .science domains are delisted from abuse feeds every day, suggesting that the registries are engaged in long games of whack-a-mole with spammers.
Blue Coat based its numbers on a sampling of 75 million attempted domain visits by its customers — whether or not they were valid domains.
Architelos, on the other hand, takes raw data feeds from numerous sources (such as SpamHaus and SURBL) and validates that the domains do actually appear in the TLD’s zone. There’s no requirement for the domain to have been visited by a customer.
In my view, that makes the NameSentry numbers a more realistic measurement of how dirty some of these new gTLDs are.
Security vendor Blue Coat apparently doesn’t check whether domains are actually domains before it advises customers to block them.
Unrepentant, Blue Coat continued to insist that businesses should consider blocking .zip domains, while acknowledging there aren’t any.
It said that its censorware treats anything entered into a browser’s address bar as a URL, so it has been treating file names that end in .zip — the common format for compressed archive files — as if they are .zip domain names. The blog states:
when one of those URLs shows up out on the public Internet, as a real Web request, we in turn treat it as a URL. Funny-looking URLs that don’t resolve tend to get treated as Suspicious — after all, we don’t see any counter-balancing legitimate traffic there.
Further, if a legal domain name gets enough shady-looking traffic — with no counter-evidence of legitimate Web traffic — it’s possible for one of our AI systems to conclude that the behavior isn’t changing, and that it deserves a Suspicious rating in the database. So it gets one.
In other words, Blue Coat has been categorizing Zip file names that somehow find their way into a browser address bar as .zip domain names.
That may sound like a software bug that Blue Coat needs to fix, but it’s still telling people to block Google’s gTLD anyway, writing:
In conclusion, none of the .zip “domains” we see in our traffic logs are requests to registered sites. Nevertheless, we recommend that people block these requests, until valid .zip domains start showing up.
That’s a slight change of position from its original “Businesses should consider blocking traffic that leads to the riskiest TLDs”, but it still strikes me as irresponsible.
The company has still not disclosed the real numbers behind any of the percentages in its report, so we still have no idea whether it was fair to label, for example, Famous Four’s .review as “100% shady”.