Latest news of the domain name industry

Registrars warn of huge domain suspension scam

Kevin Murphy, October 28, 2015, Domain Registrars

Customers of at least half a dozen large registrars have been targeted by an email malware attack that exploits confusion about takedown policies.

The fake suspension notices have been spammed to email addresses culled from Whois and are tailored to the registrar of record and the targeted domain name.

Customers of registrars including eNom, Web.com, Moniker, easyDNS, NameBright, Dynadot and Melbourne IT are among those definitely affected. I suspect it’s much more widespread.

The emails reportedly look like this:

Dear Sir/Madam,

The following domain names have been suspended for violation of the easyDNS Technologies, Inc. Abuse Policy:

Domain Name: DOMAIN.COM
Registrar: easyDNS Technologies, Inc.
Registrant Name: Domain Owner

Multiple warnings were sent by easyDNS Technologies, Inc. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us by email at abuse@easydns.com for additional information regarding this notification.

Sincerely,

easyDNS Technologies, Inc.
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101

The “click here” invitation leads to a downloadable file, presumably containing malware.

Of course, the best way to check whether your domain name has been genuinely suspended or not is to use it — visit its web site, use its email, etc.

As domain suspensions become more regular occurrences, due in part to ICANN policies on Whois accuracy, we can only expect more scams like these.

ICANN boss warns against “content policing” calls

Kevin Murphy, October 20, 2015, Domain Policy

ICANN should resist attempts to turn the organization into a content regulator responsible for fighting piracy, counterfeiting and terrorism.

That’s according to CEO Fadi Chehade, speaking in Dublin yesterday at the opening ceremony of ICANN’s 54th public meeting.

His remarks have already elicited grumbles from members of the intellectual property community, who are eager for ICANN to take a more assertive role against registries and registrars.

Speaking to a packed auditorium, Chehade devoted a surprisingly large chunk of his opening address to the matter of content policing, which he said was firmly outside of ICANN’s remit.

He presented this diagram, breaking up the internet into three layers. ICANN plays in the central “logical” section but has no place in the top “societal” segment, he said.

[Diagram: ICANN's remit]

“Where does ICANN’s role start and where does ICANN’s role stop?” Chehade posed. “It’s very clear. Our remit starts and stops in this logical yellow layer. We do not have any responsibility in the upper layer.”

“The community has spoken, and it is important to underline that in every possible way, ICANN’s remit is not in the blue layer, it is not in the economic/societal layer,” he said. “This is a technical organization.”

That basically means that ICANN has no responsibility to determine which web sites are good and which are bad. That’s best left to others such as the courts and governments.

Chehade recounted an anecdote about a meeting with a national president who demanded that ICANN shut down a list of terrorism-supporting web sites.

“We have no responsibility to render judgement about which sites are terrorists,” he said, “which sites are the good pharmacies, which sites are the bad pharmacies, which sites are committing crimes, which sites are infringing copyrights…”

“When people ask us to render judgement on matters in the upper layer, we can’t.”

With that all said, Chehade added that ICANN should not shirk its duties as part of the ecosystem, whether through voluntary measures at registries and registrars or via contractual enforcement.

“Once determinations are made, how do we respond to these?” he said. “I hope, voluntarily.”

He gave the example of credit card companies that voluntarily stop doing business with web sites that have been reported to be involved in crime or spam.

The notion of registrars adhering to a set of voluntary principles was first floated by ICANN’s chief compliance officer, Allen Grogan, in a blog post earlier this month.

It was the one bone he threw to IP interests in a determination that otherwise came down firmly on the side of registrars.

Grogan had laid out a minimum set of actions registrars must carry out when they receive abuse reports, none of which contained a requirement to suspend or delete domain names.

The Intellectual Property Constituency appeared to greet Chehade’s speech with cautious optimism, but members are still pushing for ICANN to take a stricter approach to contract compliance.

In a session between the IPC and the ICANN board in Dublin this morning, ICANN was asked to make these hypothetical voluntary measures enforceable.

Marc Trachtenberg disagreed with Chehade’s credit card company example.

“They have an incentive to take action, which is the avoidance of future potential costs,” he said. “That similar incentive does not exist with respect to registries and registrars.”

“In order for any sort of voluntary standards to be successful or useful, there have to be incentives for the parties to actually comply with those voluntary standards,” he said.

“One possibility among many is a situation where those registries and registrars that don’t comply with the voluntary standards are potentially subject to an ICANN compliance action,” he said.

It’s pretty clear that this issue is an ongoing one.

Chehade warned in his address yesterday that calls for ICANN to increase its policing powers will only increase when and if its IANA contract is finally divorced from US government oversight.

Grogan will host a roundtable tomorrow at 10am Dublin time to discuss possible voluntary mechanisms that could be created to govern abuse.

Pirate Bay a victim as Go Daddy suspends hundreds of new gTLD domains

Kevin Murphy, February 25, 2014, Domain Registrars

New gTLDs may have only been in general availability for a few weeks, but there’s already evidence of substantial abuse.

Go Daddy has suspended at least 305 new gTLD domain names, putting them on its spam-and-abuse.com name servers, standard Go Daddy practice for domains suspected of abuse.

Over 250 of these were put on the naughty step in the last 24 hours.

The suspended names include, notably, thepiratebay.guru, which matches the name of the controversial torrent site frequented by people who like downloading copyrighted material for free.

The Pirate Bay has been switching TLDs like crazy recently, as one ccTLD after another shuts down its latest attempt to find a reliable home.

The .guru domain is registered under Go Daddy’s Domains By Proxy privacy service, so it’s not clear if it actually belongs to The Pirate Bay or to an opportunistic third party.

Other suspended names include premium-looking names such as electric.guru and sexualhealth.guru, as well as obvious cybersquatted names such as verizon.guru (not registered to Verizon).

But the majority of the suspended names seem to belong to a single registrant in Washington state, all in .guru and largely “pigeon shit” names such as bestdrinksites.guru and bestfashionsites.guru.

While 305 seems like a large number (albeit only 0.2% of the current new gTLD names sold), it appears that so far a single individual is responsible for most of the “abuse” in new gTLDs.

ICANN cans “Spam King” registrar

Kevin Murphy, November 26, 2013, Domain Registrars

ICANN has terminated the registrar accreditation of Dynamic Dolphin, which it turned out was owned by self-professed “Spam King” Scott Richter.

The company has until December 20 to take down its ICANN logo and cease acting as a registrar.

ICANN, in its termination notice (pdf) late last week, said that it only became aware earlier this month that Richter was the 100% owner of Dynamic Dolphin.

Richter grew to fame a decade ago for being one of the world’s highest-profile spammers. He was sued for spamming by Microsoft and Myspace and was featured on the popular TV program The Daily Show.

As well as being a thoroughly unpleasant chap, he has a 2003 conviction for grand larceny, which should disqualify him from being the director of an ICANN-accredited registrar.

He removed himself as an officer on October 9 in response to ICANN’s persistent inquiries, according to ICANN’s compliance notice.

But he was much too late. ICANN has terminated the accreditation due to the “material misrepresentation, material inaccuracy, or materially misleading statement in its application”.

The question now has to be asked: why didn’t ICANN get to this sooner? In fact, why was Dynamic Dolphin allowed to get an accreditation in the first place?

Former Washington Post security reporter Brian Krebs has been all over this story for five years.

Back in 2008, with a little help from anti-spam outfit KnujOn, he outed Richter’s links to Dynamic Dolphin when it was just a Directi reseller.

Yesterday, Krebs wrote a piece on his blog going into a lot of the background.

Another question now is: which registrar is going to risk taking over Dynamic Dolphin’s registrations?

As of the last registry reports, Dynamic Dolphin had fewer than 25,000 gTLD domains under management.

According to ICANN’s termination notice, 13,280 of these use the company’s in-house privacy service, and 9,933 of those belong to just three individuals.

According to DomainTools, “Dynamic Dolphin Inc” is listed as the registrant for about 23,000 names.

According to KnujOn’s research and Krebs’s reporting, the registrar was once among the most spam-friendly on the market.

Directi fighting “massive” .pw spam outbreak

Recently relaunched budget TLD .pw is being widely abused by spammers already, but registry manager Directi said it’s enforcing a “zero tolerance” policy.

Anti-spam software makers and users have over the last week reported a “massive” increase in email spam from .pw domain names.

Security giant Symantec reports that .pw jumped to #4 in its rankings of TLDs used in spammed URLs in the week ending April 26.

Anti-spam vendor Fort even recommended its customers block the entire TLD at their mail gateways, blogging:

Since we have yet to see a legitimate piece of mail for the .pw domain but have recently seen massive amounts of spam from this domain, we are recommending that you block mail from this domain as soon as practical.

Anti-spam mailing lists have been full of people complaining about .pw spam, according to spam expert John Levine.

Our own TLD Health Check ranks .pw at #19 in abusive domains (which tracks phishing and malware domains rather than spam) for May, having not ranked it at all before April.

But Sandeep Ramchandani, head of Directi’s .PW Registry unit, told DI that the company has deactivated 4,000 to 5,000 .pw domains for breaching its anti-abuse policy.

He said that a single registrar was responsible for the majority of the abusive names, and that the registrar in question has had its discount revoked, resulting in newly registered domains from it going down to “almost nothing”.

“If you remove that registrar, the percentage of abusive names to non-abusive names is not alarming at all,” Ramchandani said.

He said the company has a “zero tolerance” approach to spam. It’s been communicating with many of its critics to let them know it’s on the case.

He noted that it’s not surprising that people are seeing more bad traffic from .pw than good — spammers tend to start using their domains immediately, whereas legitimate registrants take a bit longer.

Directi, which reported 50,000 names registered in the first three weeks of general availability last week, is now up to 100,000 names.

Many of the names were registered via the same aforementioned registrar, so more are likely to be turned off, Ramchandani said.

.pw is the ccTLD for Palau, but Directi brands it as “Professional Web”. It’s going for the budget end of the market, selling domains for less than .com prices even if you exclude discounts.