Latest news of the domain name industry

Recent Posts

Nominet to intercept dangerous coronavirus domains

Kevin Murphy, March 24, 2020, Domain Registries

Nominet, the .uk registry, will start providing informational landing pages when it suspends domains for criminal behavior including coronavirus-related scams.
The company already suspends tens of thousands of domains every year at the request of law enforcement agencies.
The vast majority are related to intellectual property infringement such as counterfitting and piracy. A substantially smaller number are suspended due to the sale of fake pharmaceuticals.
Rather than Nominet suspending these domains, stopping them resolving, they will now instead resolve to landing pages “providing consumer advice and education”.
It’s similar to how the FBI handles domains it has seized during criminal investigations in the US, but Nominet says it’s the first example in the world of such a program being rolled out by a registry.
The first LEAs taking part in the program are the Medicines and Healthcare Products Regulatory Agency and the City of London’s Police Intellectual Property Crime Unit.
While Nominet pitched the news as coronavirus-related, the timing appears to be coincidental.
The company first announced its landing page plan last October, when it was opened to public consultation.
A MHRA spokesperson said in a Nominet press release that suspended domains will redirect to its “#fakemeds website”, which currently has a great deal to say about penis pills but nothing at all to say about coronavirus.

ICANN terminates penis pill pimp registrar

Kevin Murphy, January 5, 2017, Domain Registrars

ICANN is to terminate the contract of a Chinese registrar linked to dodgy pharmaceuticals web sites and other malfeasance.
Nanjing Imperiosus Technology Co, which does business as DomainersChoice.com, has been told it will lose its registrar accreditation February 3.
ICANN said in the termination notice that the company had failed to keep records related to abuse reports, failed to validate Whois records, and failed to provide ICANN with registration records, all in breach of the Registrar Accreditation Agreement.
The breaches related to complaints filed by illegal pharmacy watchdog LegitScript last September, I believe.
DomainersChoice and its CEO Stefan Hansmann were listed in Whois as the owners of potentially hundreds of domains that were being used to sell medicines for conditions ranging from heart disease to erectile dysfunction.
The domains 5mg-cialis20mg.com, acheterdutadalafil.com, viagra-100mgbestprice.net and 100mgviagralowestprice.net were among those apparently owned by the registrar.
According to LegitScript, thousands of DomainersChoice domains were “rogue internet pharmacies”.
The registrar has also been linked by security researchers to mass typosquatting campaigns.
The company’s web site even has a typo generator. While one could argue such tools are also useful to brand owners, DomainersChoice’s name suggests it’s geared towards domainers, not brands.
DomainersChoice had about 27,000 domains under management at the last count, which ICANN will now migrate to another registrar.
It’s not known how many of those were self-registered domains and how many were being used nefariously, but LegitScript CEO John Horton estimated (pdf) at least 2,300 dodgy pharma sites used the registrar.

Registrar accused of pimping prescription penis pills

Kevin Murphy, October 14, 2016, Domain Registrars

ICANN has implicated a Chinese domain name registrar in the online selling of medications, including Viagra and Cialis, without the required prescription.
The organization’s Compliance department filed a contract breach notice with Nanjing Imperiosus, which does business as DomainersChoice.com, today.
The move follows an allegation from pharmacy watchdog LegitScript in the US Congress that DomainersChoice is “rogue internet pharmacy operator”.
Because ICANN has no authority to police online pharmacies, it’s gone after the registrar based on an obscure part of the Registrar Accreditation Agreement.
Section 3.7.7 of the 2013 RAA says that domains must be registered to a third party, unless they’re used by the registrar in the course of providing its registrar services.
According to ICANN, DomainersChoice has refused to provide evidence that many of its domains are not in fact registered to itself and CEO Stefan Hansmann, in violation of this clause.
It cites 5mg-cialis20mg.com, acheterdutadalafil.com, viagra-100mgbestprice.net and 100mgviagralowestprice.net as examples of domains apparently registered to Hansmann and his company.
Historical Whois records show Hansmann and Nanjing Imperiosus as the registrant of these names until recently.
The domains all refer to erectile dysfunction medicines, which are usually only available in the US with a prescription.
A reverse Whois lookup reveals Hansmann’s name in the records for many more pharmaceuticals-related domains, some of which are for more serious medical conditions.
Several of the domains contain the words “without prescription” or similar, where the drug in question requires a prescription in the US.
Some of the domains do not currently resolve or no longer provide current Whois records and others have been recently transferred, but some resolve to apparently active e-commerce sites.
ICANN’s breach notice (pdf) doesn’t allege any illegal activity.
The same cannot be said for LegitScript CEO John Horton, who lumped DomainersChoice in with a few other registrars he believes are operating “illegal online pharmacies”.
Horton testified (pdf) before Congress last month that the registrar was playing host to 2,300 such sites.
The testimony was filed September 14, the same day ICANN began its compliance investigation.
ICANN’s notice, which alleges a handful of other relatively trivial breaches, asks that Hansmann provide a full list of domains registered in his and his company’s name via DomainersChoice.
It also demands evidence that the domains were either used to provide registrar services or were registered to a third party.
It wants all that by November 2, after which it may start to terminate the company’s RAA.

Grogan hopeful of content policing clarity within “a few weeks”

ICANN may be able to provide registrars, intellectual property interests and others with clarity about when domain names should be suspended as early as next month, according to compliance chief Allen Grogan.
With ICANN 53 kicking off in Buenos Aires this weekend, Grogan said he intends to meet with a diverse set of constituents in order to figure out what the Registrar Accreditation Agreement requires registrars to do when they receive abuse complaints.
“I’m hopeful we can publish something in the next few weeks,” he told DI. “It depends to some extent on what direction the discussions take.”
The discussions center on whether registrars are doing enough to take down domains that are being used, for example, to host pirated content or to sell medicines across borders.
Specifically at issue is section 3.18 of the 2013 RAA.
It requires registrars to take “reasonable and prompt steps to investigate and respond appropriately” when they receive abuse reports.
The people who are noisiest about filing such reports — IP owners and pharmacy watchdogs such as LegitScript — reckon “appropriate action” means the domain in question should be suspended.
The US Congress heard these arguments in hearings last month, but there were no witnesses from the ICANN or registrar side to respond.
Registrars don’t think they should be put in the position of having to turn off what may be a perfectly legitimate web site due to a unilateral complaint that may be flawed or frivolous.
ICANN seems to be erring strongly towards the registrars’ view.
“Whatever the terms of the 2013 RAA mean, it can’t really be interpreted as a broad global commitment for ICANN to enforce all illegal activity or all laws on the internet,” Grogan told DI.
“I don’t think ICANN is capable of that, I don’t think we have the expertise or resources to do that, and I don’t think the ICANN multistakeholder community has ever had that discussion and delegated that authority to ICANN,” he said.
CEO Fadi Chehade recently told the Washington Post that it isn’t ICANN’s job to police web content, and Grogan has expanded on that view in a blog post last week.
Grogan notes that what kind of content violates the law varies wildly from country to country — some states will kill you for blasphemy, in some you can get jail time for denying the Holocaust, in others political dissent is a crime.
“Virtually everybody I’ve spoken with has said that is far outside the scope of ICANN’s remit,” he said.
However, he’s leaving some areas open for discussion,
“There are some constituents, including some participants in the [Congressional] hearing — from the intellectual property community and LegitScript — who think there’s a way to distinguish some kinds of illegal activities from others,” he said. “That’s a discussion I’m willing to have.”
The dividing line could be substantial risk to public health or activities that are broadly, globally deemed to be illegal. Child abuse material is the obvious one, but copyright infringement — where Grogan said treaties show “near unanimity” — could be too.
So is ICANN saying it’s not the content police except when it comes to pharmacies and intellectual property?
“No,” said Grogan. “I’m saying I’m willing to engage in that dialogue and have that conversation with the community to see if there’s consensus that some activities are different to others.”
“In a multistakeholder model I don’t think any one constituency should control,” he said.
In practical terms, this all boils down to 3.18 of the RAA, and what steps registrars must take to comply with it.
It’s a surprisingly tricky one even if, like Grogan, you’re talking about “minimum criteria” for compliance.
Should registrars, for example, be required to always check out the content of domains that are the subject of abuse reports? It seems like a no-brainer.
But Grogan points out that even though there could be broad consensus that child abuse material should be taken down immediately upon discovery, in many places it could be illegal for a registrar employee to even check the reported URL, lest they download unwanted child porn.
Similarly, it might seem obvious that abuse reports should be referred to the domain’s registrant for a response. But what of registrars owned by domain investors, where registrar and registrant are one and the same?
These and other topics will come up for discussion in various sessions next week, and Grogan said he’s hopeful that decisions can be made that do not need to involve formal policy development processes or ICANN board action.

Is the Defending Internet Freedom Act pro-crime?

The Defending Internet Freedom Act of 2015, introduced to the US Congress last month, contains a provision that could be interpreted as pro-pron, pro-piracy or even just pro-crime.
The act is designed to prevent the US giving up its oversight of ICANN/IANA unless certain quite strict conditions are met.
It’s a revised version of a bill that was introduced last year but didn’t make it through the legislative process.
Like the 2014 version, it says that the US cannot sever ties with ICANN until its bylaws have been amended in various ways, including:

ICANN is prohibited from engaging in activities unrelated to ICANN’s core mission or entering into an agreement or modifying an existing agreement to impose on a registrar or registry with which ICANN conducts business any condition (such as a condition relating to the regulation of content) that is unrelated to ICANN’s core mission.

It’s the “regulation of content” bit that caught my eye.
Presumably written as a fluffy, non-controversial protection against censorship, it ignores where the real content regulation conversations are happening within the ICANN community.
It’s a constant mantra of ICANN that is “doesn’t regulate content”, but the veracity of that assertion has been chipped away relentlessly over the last several years by law enforcement, governments and intellectual property interests.
Today, ICANN’s contracts are resplendent with examples of what could be argued is content regulation.
Take .sucks, for a timely example. Its Registry Agreement with ICANN contains provisions banning pornography, cyber-bulling and parked pages.
That’s three specific types of content that must not be allowed in any web site using a .sucks domain.
It’s one of the Public Interest Commitments that were voluntarily put forward by .sucks registry Vox Populi, but they’re still enforceable contract provisions.
Using a dispute resolution process (PICDRP), ICANN would be able to levy fines against Vox Pop, or terminate its contract entirely, if it repeatedly allows porn in .sucks web sites.
This sounds quite a lot like content regulation to me.
It’s not just .sucks, of course. Other registries have PICs that regulate the content of their gTLDs.
And every contracted new gTLD registry operator has to agree to this PIC:

Registry Operator will include a provision in its Registry-Registrar Agreement that requires Registrars to include in their Registration Agreements a provision prohibiting Registered Name Holders from distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law, and providing (consistent with applicable law and any related procedures) consequences for such activities including suspension of the domain name.

It’s convoluted, but it basically indirectly forces (via registrars) new gTLD domain registrants to, for example, agree to not infringe copyright.
The PIC is paired with a provision (3.18) of the 2013 Registrar Accreditation Agreement that requires all registrars to investigate and “take necessary and appropriate actions” in response to abuse reports within 24 hours of receipt.
Section 3.18 is essentially the RAA mechanism through which ICANN can enforce the PIC from the RA.
This is currently one of the most divisive issues in the ICANN community, as we witnessed during the recent Congressional hearings into ICANN oversight.
On the one hand, big copyright owners and online pharmacy watchdogs want ICANN to act much more ruthlessly against registrars that fail to immediately take down sites that they have identified as abusive.
On the other hand, some registrars say that they should not have to engage in regulating what content their customers publish, at least without court orders, in areas that can sometimes be amorphously grey and fuzzy.
Steve Metalitz, from a trade group that represents the movie and music industies at ICANN, told the US Congress that registrars are dismissing piracy reports without investigating them, and that “unless registrars comply in good faith, and ICANN undertakes meaningful and substantive action against those who will not, these provisions will simply languish as empty words”.
John Horton from pharmacy watchdog used the same Congressional hearing to out several registrars he said were refusing to comply with 3.18.
One Canadian registrar named in Horton’s testimony told DI that every complaint it has received from LegitScript has been about a web site that is perfectly legal in Canada.
In at least some cases, it seems that those pushing for ICANN to more stringently regulate content may have “internet freedom” as the least of their concerns.
If the Defending Internet Freedom Act becomes law in the US, perhaps it could prove a boon to registries and registrars upset with constant meddling from rights owners and others.
On the other hand, perhaps it could also prove a boon for those operating outside the law.

Momentous denies link to “illegal” pharmacy gang

Momentous says CEO Rob Hall is NOT the man behind a registrar devoted almost exclusively to running “illegal” online pharmacies, after the US Congress was told he was a few hours ago.
In written testimony to Congress today, LegitScript president John Horton linked Hall to an “illegal online pharmacy network” called 4rx.
Horton said that the people running 4rx, which he said sells prescription drugs without a license, are also running the ICANN-accredited registrar Crazy8Domains
He went on to produce Canadian corporation records naming Hall as the sole director of the registrar.
I had a bit of a Google and found that Crazy8Domains says it’s based in a building in Ottawa that appears to have been once owned by Momentous.
But Rob Villeneuve, CEO of Momentous registrar Rebel, told us today that Crazy8Domains has not been part of Momentous for years. He said:

the Momentous group sold that Registrar over two years ago, and ICANN approved the sale. Mr. Hall and Momentous are no longer involved in Crazy8Domains in any way. We are unsure why the Industry Canada records have not been updated, and we have today notified Industry Canada of their error.

While Momentous may not be involved with Crazy8Domains, Horton presented some compelling evidence that it’s basically just a puppet registrar for an online pharmacy outfit.
It also goes by the name Kudo.com.
The contact name for the registrar listed by ICANN is Sabita Limbu, who is also listed in Whois as the registrant of domains such as indianpharmaonline.com, offshorerx1.com, and cheapestonlinedrugstore.com.
These sites offer hundreds of generic varieties of drug that purport to treat every condition under the sun, from erectile dysfunction to cancer.
Prescriptions do not appear to be required, and there’s a US toll-free number in case there was any doubt whose citizens are being marketed to.
Whether that’s illegal or not, I couldn’t possibly comment, but Horton told Congresspeople today that there are no countries where it is legal to sell prescription drugs without a license.
According to Horton, Crazy8Domains only has 18 domains live at present, and 15 of them are pharmacies:

In short, for all practical purposes, the ICANN-accredited registrar is the illegal online pharmacy, and the illegal online pharmacy is the ICANN-accredited registrar.

This means it would be virtually impossible for an outfit like LegitScript to get them taken down — any complaints made to ICANN would simply be referred to the registrar, which is in this case also the registrant.

A quarter of registrar’s names are “illicit pharmacies”

Kevin Murphy, January 16, 2015, Domain Services

One in four of the domain names registered with the registrar NetLynx are linked to current, past or potential future rogue drug sites, according to online pharmacy monitor LegitScript.
The Mumbai-based registrar was hit with a breach notice by ICANN Compliance last week, over an alleged failure to investigate an abuse complaint about a single customer domain, tnawsol24h.com.
NetLynx did not adequately respond to ICANN’s calls from November 26 to January 5, according to the notice (pdf).
While ICANN did not identify the source or nature of the complaint, according to LegitScript it was filed by the UK Medicines and Healthcare products Regulatory Agency and it claimed that the domain was being used as a “rogue internet pharmacy”.
LegitScript did some research into NetLynx’s domains under management and now claims that it is not an isolated case.
Company president John Horton blogged:

at least a quarter of the registrar’s business is dependent on rogue Internet pharmacy registrations, with roughly 3,000 of the 12,000 domain names under the registrar’s portfolio taggable as current, past or “holding sites” for illicit online pharmacies.

Horton clarified for DI that the 3,000 number is extrapolated from the fact that LegitScript managed to categorize 1,820 out of the 7,000 NetLynx domains it could find as problematic.
Of those, 820 were “online and active” rogue pharmacies, he said. He gave canadian-drug-pharmacy.com, pills-delivery.net and pillsforlife.net as examples.
Another 780 were hosting rogue pharmacies in the past but have since been shut down, he said.
Finally, LegitScript categorized 220 as “meeting known patterns” for “holding sites” where illicit pharmacies may be launched in future. Horton said:

many of the spam pharma organizations use “holding domain names” (not all are online at any one time), so if the website was NOT currently online, we looked to a variety of data — known domain name patterns, screenshots, known rogue name servers, known rogue IP addresses, etc. — to determine the likelihood that a domain name is likely to be a rogue Internet pharmacy, and gave NetLynx the benefit of the doubt if there was any lack of certainty

LegitScript classifies online pharmacies as “rogue” if they offer to ship medicines without a prescription to people in jurisdictions where prescriptions are required.
Horton is now calling for ICANN to look into terminating NetLynx’s accreditation.

EasyDNS changes take-down policy after man dies

Kevin Murphy, August 15, 2014, Domain Registrars

Canadian registrar EasyDNS has amended its take-down policy after a customer of one of its registrants died of an overdose.
In a frank blog post today, CEO Mark Jeftovic said that the man had died using a “controlled substance” ordered online. The web site in question used a domain registered via EasyDNS.
As a result of the death, and conversations with ICANN and the US Food and Drug Administration, EasyDNS has changed its policy.
It will now turn off any domain used for a pharmacy web site unless the registrant can produce a license permitting it to sell pharmaceuticals in the territories it sells to.
Previously, the company would only turn off a pharmacy-related domain with a court order.
It’s a notable U-turn for the company because Jeftovic is an outspoken critic of unilateral take-down notices.
In January, he referred to the National Association of Boards of Pharmacy as a “batch of clowns” for demanding that EasyDNS and other registrars take down unlicensed pharmacies without court orders.
He also has an ongoing beef with the UK police over its repeated requests for file-sharing and counterfeiting-related domains to be taken down without judicial review.
Jeftovic blogged today:

[I]n one case we have people allegedly pirating Honey Boo Boo reruns and on the other we have people dying. We don’t know where exactly, but the line goes somewhere in between there.
We have always done summary takedowns on net abuse issues, spam, botnets, malware etc. It seems reasonable that a threat to public health or safety that has been credibly vetted fits in the same bucket.
As a private company we feel within our rights to set limits and boundaries on what kinds of business risk we are willing to take on and under what circumstances. Would we tell the US State Department to go to hell if they wanted us to take down ZeroHedge? Absolutely. Do we want to risk criminally indicted by the FDA because of unregulated vicodin imports? Not so much.

You can read his full blog post here.

Registrar threatened with shutdown for failing to reveal registrant

Kevin Murphy, November 9, 2011, Domain Registrars

ICANN has told a Turkish domain name registrar that its accreditation will be terminated unless it fixes its apparently shoddy Whois services.
While Alantron has a track record of Whois failures and connections to abusive domains, ICANN’s threat appears to have been made in connection with a single domain name.
ICANN compliance director Stacey Burnette wrote to Alantron (pdf):

On 12 October 2011, ICANN requested that Alantron make registration records available to ICANN concerning a specific domain name, as ICANN received a complaint that there was no Whois output available for the domain name. Although numerous requests were made by ICANN to make the registration records available for inspection and copying, as of the date of this letter, Alantron has not made any arrangements to comply with ICANN’s request.

The letter also details Alantron’s alleged failures to make Whois available through Port 43 and its web interface going back to September 1.
ICANN has also threatened to suspend Alantron’s ability to create new registrations. Alantron received a similar de-accreditation warning for Whois failures in April 2010.
It does not say who made the complaint or which domain is in question, but the company has come under fire from security pros in the past for allowing its services to be abused to push fake pharmaceuticals.
Alantron, which has about 26,000 domains under management according to Webhosting.info, has until November 25 to rectify the problem.

eNom to crack down on fake pharma sites

Kevin Murphy, September 17, 2010, Domain Registrars

Demand Media is to tighten security at its domain registrar arm, eNom, after bad press blighted its recent IPO announcement.
The company has signed a deal with fake pharmacy watchdog LegitScript, following allegations that eNom sometimes turns a blind eye to illegal activity on its customers’ domains.
The news emerged in the company’s amended S-1 registration statement (large HTML file), filed with the US Securities and Exchange Commission yesterday. New text reads:

We recently entered into an agreement with LegitScript, LLC, an Internet pharmacy verification and monitoring service recognized by the National Association of Boards of Pharmacy, to assist us in identifying customers who are violating our terms of service by operating online pharmacies in violation of U.S. state or federal law.

LegitScript will provide eNom with a regularly updated list of domain names selling fake pharma, so the registrar can more efficiently turn them off. The companies have also agreed to work together on research into illegal online pharmacies.
Surrounding text has also been modified to clarify that eNom is not required, under ICANN rules, to turn off domains that are being used to conduct illegal activity.
This is a bit of a PR win for the small security outfits KnuJon and HostExploit, firms which had used the occasion of Demand’s S-1 filing to give eNom a good kicking in the tech and financial press.
HostExploit reported last month that eNom was statistically the “worst” registrar as far as illegal content goes.
ICANN executives are reportedly going to be hauled to Washington DC at the end of the month to explain the problem of fake pharma to the White House.
Registries and registrars have also been invited, and I’d be surprised if eNom is not among them.