Thunderdome

Ian Lamont

Will ICANN take action against "worst" Chinese registrar?

Ian Lamont, 06.20.2008

Last month, the Internet Corporation for Assigned Names and Numbers (ICANN) was the target of a public complaint that it wasn't doing enough to fight spam and bogus websites. The complaint was made by anti-spam service Knujon (see disclosure at the bottom of this post), which suggested that most spam-related websites were funneled through 20 ICANN-approved registrars based in the United States and overseas. The company said that ICANN, despite being repeatedly notified that the registrars' WHOIS records were filled with false address and contact information for millions of spam sites, did not follow its own mandate to force WHOIS compliance among the worst offenders.

Now, Knujon founder Garth Bruen has formally asked ICANN to shut down the Beijing-based registrar at the top of the list, Xinnet Bei Gong Da Software. According to a new document that Bruen sent to ICANN this week, none of the WHOIS records in a sample of 11,000 alleged spam sites registered through Xinnet and reported by Knujon to ICANN's Whois Data Problem Report System were corrected in a six-month period ending in May 2008. In many cases, says the document, Xinnet does not have "any Whois record data for review while the sites are still active."

[Image: spam site registered through Xinnet]

I verified that the samples in the new document that Bruen used to make his point -- fallspot.com, finest-favorite.com, kheenerso.com, mountainfavor.com, rsavefu.com, tioakjiopa.com, exellentquality.com, polaebrue.com, orderheres.com (see inset), keesnerrt.com, killsioe.com, hiaoteyy.com, vijeast.com, and tinescoz.com -- were indeed spam storefronts for replica watches and online pill merchants. Two other sites, sugarfrom.com and blackcame.com, were down when I tried to access them on Friday. All were registered through Xinnet, although in more than half the cases, there was no WHOIS contact information listed. A few others had obvious fake names and contact information, such as Fallspot's "David Fox," whose listed Chinese phone number ended in seven zeroes and had an email address of "test@test.com."

Among the handful of sites that did include real-looking contact information, most email addresses and phone numbers turned out to be bogus. The exception was the identical hotmail email address for tinescoz.com and hiaoteyy.com -- a Chinese-language email sent to the address has yet to generate a bounce-back or response. For the working phone numbers at polaebrue.com (shared with orderheres.com) and tinescoz.com, there was a dial tone but no answer. However, the calls went through on Friday evening in China, and it's conceivable no one was available to answer. I was unable to verify any of the legitimate-looking physical Chinese street addresses listed in the WHOIS records for kheenerso.com, mountainfavor.com, polaebrue.com, orderheres.com, hiaoteyy.com, or tinescoz.com.

Bruen claims that Xinnet is still allowing spam sites to be registered -- "typically about 100 per day," says the Knujon document. His recommendation to ICANN is severe:

"Given the listed issues we are recommending that Xin Net be issued a breach notice and that until these issues are resolved they be prevented from registering new domains. The failure to comply with requirements to have accurate records, the blatant and continued posting of illicit traffic sites, and possible blocking of access to Whois records point to a complete failure at Xin Net to accept its responsibility as a registrar.

We believe that this situation poses an immediate health risk to Internet consumers and since Xin Net will not take proactive steps to prevent repeat offenders from registering fake pharmacy sites, stopping all new registrations is the only way to break this cycle of illicit site registration and faux compliance."

When asked for comment, the ICANN spokesperson issued the following statement:


Comments

Thanks for highlighting Bruen's report. It's important that the community be aware of this problem. ICANN has just posted a draft revised Registrar Accreditation Agreement. The wording of Section 3.7.8 hasn't changed. The public comment period is open until 4 August if you wish to comment. (Disclosure: I represent the Intellectual Property Constituency on the ICANN GNSO Council.)


Thank you for shining a bright light on this long-standing issue with this and other registrars, mostly located in China.

This highlights two significant windows into the spammer economy:

1) What were once considered "bullet proof" domain registrars, such as XIN NET / Paycentre.com, who will accept bogus contact information, stolen credit cards and hacked paypal accounts during the registration of millions of spammable domains, with the registrar usually located in China.

2) The sponsors who register these domains.

The example website properties used in both this report and Mr. Bruen's report all are part of a group known as SanCash, who have since December 2007 gone even further underground. More than two thirds of the spam everybody in the world receives is for a SanCash property, and it's likely you've all heard of them before: Elite Herbal, VPXL, PowerEnlarge, Canadian Healthcare, Diamond Replicas, Prestige Replicas and King Replicas. More recently they also added Prestige Footwear to this cadre of sites.

I wrote about this issue on my Blog:

http://ikillspammers.blogspot.com/2008/06/china-last-resort-for-spammer-...

in light of XIN NET's sudden change of heart. But they're still apparently allowing several thousands of new domains to continue to be registered using the exact same bogus contact information we all complained to them about for months.

Spammers and their sponsors will rapidly run out of "bullet proof" domain providers. Then we'll start seeing fast-flux ip addresses in place of domains, which will ultimately be far less reliable to them.

Great report.

SiL


Kudos to Knujon for shining a light on these cockroaches. It seems ironic that one small private group has actually made some progress fighting these Internet criminals. In the meanwhile the law, large private corporations, well funded industry associations, and governments have proven clueless and powerless in this fight.


As the primary backer of HD DVD, Toshiba spent a lot of money developing technology that they didn't get a lot of use out of. Some features from HD DVD players, like upscaling, fit nicely into standard DVD players. Others, like web-enabled content, aren't quite as applicable. Sure you could put the same capabilities into a DVD player, but with no official standard you'd be hard pressed to get anyone to take advantage of it.



For a while, the slap on the wrist helped.
SPAM from criminals registered thru the rogue serial registrars in CN now seems as high as ever.

Too bad that ICANN does not really care...


PLEASE, PLEASE a one year follow up report on what ICANN has (NOT) done since then.


PREDICTION:

ICANN to drive spam to just less than 100% of email.

Fox guarding henhouse. ZERO regulation of registrars' serial spam registration.
Rogue registrars now running approx 100% registered sites spamming.

How bad are the rogue registrars?
You be the judge:
http://rss.uribl.com/nic/

