
What's Driving Spam and Domain Fraud? Illicit Drug Traffic

Garth Bruen

Spam is not about who sent it, it's about who benefits from it. For a moment forget everything you know about filters, zombie PCs, firewalls, spoofing, viruses, Bayesian algorithms, header forgery, botnets, or blacklists. These are all methods for sending spam or preventing spam delivery. None of these explain why spam is sent, and for far too long all the attention has been paid to the effects and not the driving force. Under the endless onslaught of junk mail it is easy to feel that the goal of the game is to send spam and annoy us all. But this isn't the goal. The goal of spam is a transaction. Motivation, not method.

A transaction in this sense could be many things. It can refer to the traditional meaning of the word: someone voluntarily exchanging some kind of money for a product or service, like buying illicit products from shady sellers. In terms of cybercrime it can also refer to the involuntary exchange of information, like the reveal of a password, credit card, or bank account information. It could mean that a virus was installed on your PC that opens it up to abuse. An email recipient could follow a link that bills an advertiser's account: click-fraud. Or, a transaction could simply be that the recipient of the spam comes to believe that something is true and then acts on it. Examples of this are stock spam and urban legends. A consumer believes that a stock price will increase, so they buy some. An email user believes a chain-hoax to be true, so they forward it to more people. Sending spam is not a transaction, it's just an advertisement. The transaction only occurs when the spam recipient takes action or provides money, information, or access.

There are two broad categories of spam emails: ones that advertise a URL and ones that do not. Examples of the latter are stock spam, degree mills, and advance fee scams (so-called 419 or Nigerian scams). For the purposes of this discussion we're focusing on the URL-based spam.

Transactions for products and services occur at websites. There is certainly a diversity of products advertised in spam, but far and away the number one item is drugs. Not heroin, cocaine or marijuana, but illicit pharmaceuticals. This should not come as a surprise to anyone, as Viagra has become synonymous with spam and vice-versa. But it's not just lifestyle drugs. Painkillers, psychotropics, anti-depressants, diabetes medications, and pretty much any drug that requires a prescription are being sold on domains sponsored by ICANN Accredited Registrars. The only problem here is that these drugs are being sold without a prescription. No, the drugs do not come from Canada. Even though "Canada" is a favorite term for these websites, the pills come from Turkey, Serbia, Moldova, and India. The medicine may be real or it may not be, but anyone consuming it is risking their health as well as giving money to organized crime.

Spam offers everything from septic tanks to prostitution, but illicit prescriptions are most of the problem. Rogue pharmacy is now at least a $100 billion illicit industry, and the Internet is driving its growth with absolute impunity.

Criminals hire spammers to promote websites where drugs are sold illegally. Because spammed websites are quickly discovered and complained about, they are often taken down soon after a spam campaign. To deal with this problem, drug traffickers use multiple layers of linked and redirected domains that are not spammed themselves; those layers stay intact and endure. Spammers may in fact be the Registrars' best customers. Whereas an ordinary business may buy one or two domain names, spammers buy thousands and then dump them. The Registrar can then resell the defunct domain names, so they get paid twice for the same item.
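The layered structure described above (disposable spammed domains feeding a few stable redirector and landing domains) is what an analyst has to map before deciding which domain is actually worth reporting. The following Python is an added example, not code from the original post or from KnujOn: it walks a table of observed redirects (constructed here from made-up `.example` hostnames in place of HTTP `Location` headers) from each spammed URL to its landing domain, groups the spammed domains by the landing site they share, and lists the intermediate domains that never appear in spam. It caps the walk and detects loops so that a deliberately broken chain cannot hang the tool.

```python
"""Map spammed URLs through redirect layers to the durable landing domains.

Added example, not from the original post. REDIRECTS is a constructed stand-in
for what an analyst records from HTTP 30x Location headers; every hostname is a
placeholder under .example, not a real site.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed observations: URL -> URL it redirected to (None = final page, no redirect).
REDIRECTS = {
    "http://spam-a1.example/": "http://hop-one.example/go?id=1",
    "http://spam-a2.example/": "http://hop-one.example/go?id=2",
    "http://spam-b1.example/": "http://hop-two.example/r",
    "http://hop-one.example/go?id=1": "http://shop.pharma-land.example/",
    "http://hop-one.example/go?id=2": "http://shop.pharma-land.example/",
    "http://hop-two.example/r": "http://shop.pharma-land.example/",
    "http://shop.pharma-land.example/": None,
    # A chain that loops on itself; the walker must terminate on it.
    "http://spam-c1.example/": "http://loop.example/a",
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",
}

# The spammed URLs an analyst would extract from a campaign (constructed).
SEEDS = [u for u in REDIRECTS if urlparse(u).hostname.startswith("spam-")]

MAX_HOPS = 10
_MISSING = object()  # sentinel: URL never observed, so the chain dead-ends


def host(url):
    """Hostname part of a URL ('' if unparsable)."""
    return urlparse(url).hostname or ""


def follow_chain(start, redirects, max_hops=MAX_HOPS):
    """Return (hostnames visited in order, landing hostname).

    Landing is None when the chain loops, dead-ends on an unobserved URL,
    or exceeds max_hops, so a broken or hostile chain never hangs the walk.
    """
    hops = [host(start)]
    seen = {start}
    url = start
    for _ in range(max_hops):
        nxt = redirects.get(url, _MISSING)
        if nxt is _MISSING:
            return hops, None          # dead end: nothing recorded for this URL
        if nxt is None:
            return hops, host(url)     # final page: this is the landing domain
        if nxt in seen:
            return hops, None          # redirect loop
        seen.add(nxt)
        hops.append(host(nxt))
        url = nxt
    return hops, None                  # too many hops


def cluster_by_landing(seeds, redirects):
    """Group spammed seed domains by the landing domain their chains end on."""
    clusters = defaultdict(set)
    for seed in seeds:
        _, landing = follow_chain(seed, redirects)
        clusters[landing].add(host(seed))
    return dict(clusters)


def intermediaries(seeds, redirects):
    """Domains that only ever sit mid-chain on chains that reach a landing page.

    These are the unspammed redirect layer: they never show up in the mail
    itself, so filtering spammed domains alone leaves them untouched.
    """
    mids = set()
    for seed in seeds:
        hops, landing = follow_chain(seed, redirects)
        if landing is not None:
            mids.update(hops[1:-1])
    return mids


if __name__ == "__main__":
    for landing, spammed in cluster_by_landing(SEEDS, REDIRECTS).items():
        print(f"{landing or '<no landing>'}: {sorted(spammed)}")
    print("redirect layer:", sorted(intermediaries(SEEDS, REDIRECTS)))
```

Run against the constructed table, three disposable spammed domains collapse onto one landing domain through two redirector domains, which is the shape of infrastructure the post describes; the looping chain is reported under `<no landing>` rather than crashing the run. On real data the table would be filled from recorded redirect responses, and the landing and intermediary domains, not the spammed ones, are what a report to a Registrar should name.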

Some reading this may think that Registrars are the fall guy here, as it is impossible to track the activity of the thousands of domain names they sponsor. The problem is, they have been specifically informed of which domains are conducting illegal activities, multiple times. Some might wonder then who is KnujOn to tell a Registrar about fake pharmacy domains? Actually, our reports have been endorsed by the National Association of Boards of Pharmacy (NABP), The National Center on Addiction and Substance Abuse at Columbia University (CASA), The American Pharmacists Association (APhA), and the Partnership for Safe Medicines.

Regardless of our endorsements, if a Registrar receives information of an illicit pharmacy site sponsored by them from any consumer and does not investigate and terminate, that Registrar is now aiding criminals. If a Registrar continues to accept payment from the domain owner after being notified, they are then receiving money from organized crime.

The bottom line is that the Registrars have the authority and technical ability to terminate a domain, even though many claim they do not. Registrars have the power to stop rogue pharmacy domains. The illicit networks rely on stable domains just like any other business. However, until the Registrars are told to stop sponsoring illicit drug traffic they will continue to do so. It is a ridiculous dance that cannot go on much longer. This farce is going to come to an end. No more pointing fingers at the ISPs only: terminating a domain breaks the spam link and closes the transaction platform.

Written by Garth Bruen, Internet Fraud Analyst and Policy Developer. Visit the blog maintained by Garth Bruen here.

Related topics: Cybercrime, Domain Names, Domain Registries, ICANN, Internet Governance, Law, Policy & Regulation, Spam, Top-Level Domains


Comments

It varies Suresh Ramasubramanian  –  Nov 19, 2009 11:14 PM PST

Pills yesterday, fake rolexes some other day .. malware URLs that broadcast trojans some other day.  It varies.

Yes, we want to make pill traffic Garth Bruen  –  Nov 20, 2009 6:55 AM PST

Yes, we want to make pill traffic yesterday's problem so we can tackle fake rolexes tomorrow. Thanks for making that point.

Registrars have the power to stop rogue Th. Kühne  –  Nov 20, 2009 1:37 PM PST

Registrars have the power to stop rogue pharmacy domains.

That sounds like an invitation for successful lawsuits against the registrars (as well as registries) on two fronts:

* the finding whether some operation is a "rogue pharmacy" is usually reserved to courts of law and similar institutions
* what happens if a registry establishes a no-rogue-pharmacy policy and fails to enforce it against a registered domain (e.g. the registry wasn't aware)

That said, registries and registrars should of course enforce their TOS: valid name/address/means of payment.

@Th. Kühne Garth Bruen  –  Nov 20, 2009 1:45 PM PST

<<the finding if some operation is a rogue pharmacy is usually reserved to courts of law and similar institutions>> Nope, the licensing is done at the local level by board certification

<<what happens if a registry establishes a no-rogue-pharmacy policy and fails to enforce it against a registered domain (e.g. the registry wasn't aware)>>
If they're not aware they can't enforce. The problem begins when they are informed and do nothing.

<<That said, registries and registrars should of course enforce their TOS: valid name/address/means of payment. >>
The typical TOS also includes a "no illegal activities" clause (as does the UDRP), as well as clauses that forbid activities that may harm the public or result in a lawsuit against the provider.

I've done a cursory look at the Th. Kühne  –  Nov 20, 2009 2:26 PM PST

I've done a cursory look at the TOSs of Go Daddy, Enom, Tucows and Networksolutions.

While all of them contain rules against illegal use, the wording seems only to apply to value added services like DNS hosting, email forwarding etc. and not the domain registration itself.

The UDRP does contain (2.c and 2.d) wording against illegal use but also requires a UDRP proceeding (or order of court) to establish the illegal use and decide applicable actions.

Unless I'm missing anything, the registrars would have to request a UDRP decision to cancel domains registered with them.

To file a UDRP a requirement is Russ Smith  –  Nov 21, 2009 10:28 AM PST

To file a UDRP a requirement is that "your domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights" so a registrar cannot file a UDRP.  However, let's assume they could.  The registrar would make $1-$3 profit off the domain reg and then $5K or so in legal fees to cancel it.

The process would be to get a court order.  The problem with the suggestions made by the author is that he wants to skip all the legal requirments to have a domain cancelled.  He wants to simply hit his "send" button and then have someone else do all the legal work.  If there a few mistakes, well just chalk that up to friendly fire in the spam fighting world, too bad for them. 

How is a registar or ICANN expected to make a decision about what is legal or illegal?  That is why we have courts and a legal process.

The law and process already exist Garth Bruen  –  Nov 22, 2009 6:06 PM PST

<<To file a UDRP a requirement is that "your domain name is identical or confusingly similar to a trademark>>

Yes, to file a UDRP, but that is the process portion. The policy portion reads: "you are not registering the domain name for an unlawful purpose"

<<The process would be to get a court order.>>

Court orders are not required to terminate domains. This is a common red herring.

<<The problem with the suggestions made by the author is that he wants to skip all the legal requirments[sic] to have a domain cancelled[sic].>>

Not at all, it's just that these requirements already exist and the Registrars choose to ignore them because there has, until now, been a lack of enforcement. Not to mention all the money involved.

<<He wants to simply hit his "send" button and then have someone else do all the legal work.>>

Hardly, I made it clear in the article it is simply the Registrar's responsibility to investigate when notified. Their failure to investigate increases their liability, any "legal work" would come at their own cost when the domain remains active and a consumer is harmed because of it.

<<If there a few mistakes, well just chalk that up to friendly fire in the spam fighting world, too bad for them.>>

In every case we have documented the lack or outright forgery of a pharmacy license. The criminal networks behind these operations are also involved in counterfeiting and human sexual traffic. No friendly fire.

<<How is a registar[sic] or ICANN expected to make a decision about what is legal or illegal?>>

Neither is expected or required to, it's actually already laid out for them in clear detail, the Registrars have chosen so far to ignore that fact. Unfortunately, many falsely believe they a protected common carrier status or third-party immunity. Those legal protections go out the window in the case of a felony or

<<That is why we have courts and a legal process.>>

Not in this case. If the Registrars want to take it that far by not terminating illegal pharmacies, that is their choice. Court orders are not required to terminate domains, regardless of the claims made by some Registrars. It is already illegal to have an Internet pharmacy without a proper license, disclosure of the real location, and in some cases the name and license of the pharmacist. In many countries it is already illegal to import pharmaceuticals and controlled substances.

The Registrars have been a silent and unknown part of the puzzle until now, and they are in fact the most important piece. Without their continued support, the Internet mass market illicit product industry fails.

Not required. Registrars terminate domains all the Garth Bruen  –  Nov 22, 2009 5:40 PM PST

<<Unless I'm missing anything, the registrars would have to request a UDRP decision to cancel domains registered with them.>>

Not required. Registrars terminate domains all the time without UDRP.

<<While all of them contain rules against illegal use, the wording seems only to apply to value added services like DNS hosting, email forwarding etc. and not the domain registration itself.>>

Without the critical service of tying a domain name to an IP address, their other services are meaningless. Terminating a domain means just that, making it unresolvable. So any language referring to their authority to terminate would inevitably refer to the domain name itself.

<<The UDRP does contain (2.c and 2.d) wording against illegal use but also requires a UDRP proceeding (or order of court) to establish the illegal use and decide applicable actions.>>

This is one common interpretation that positions the UDRP as all procedure and no policy. The policy is: "(c) you are not registering the domain name for an unlawful purpose and (d) you will not knowingly use the domain name in violation of any applicable laws or regulations." The procedure is separate and intended to resolve disputes between parties over trademarked names. The intellectual property clause is only one clause (b) of the four clauses in the policy.

Registrars can use their terms of service Russ Smith  –  Nov 22, 2009 6:08 PM PST

Registrars can use their terms of service or the registration contract to take back domains.  While this may seem like a good thing when fighting spam it also allows them to cancel domains under polical or corporate pressure (GoDaddy has done things like this several times). 

Also, the registrars are seeking permission to charge higher fees.  For instance, they could say that the renewal fee for AOL.com is $5 Million ... pay up or have your domain taken away.  This type of activity may create more problems than it solves.  If you ever dealt with some of these registrars I am sure you would not want these companies being judge and jury over who gets to use which domain names.

What would you say if YOUR domain was taken away because of some reporting error from someone who didn't bother to check their complaint closely enough, made some technical error, or had some unusual notion of what was illegal?

Missing the narrow point of the article Garth Bruen  –  Nov 22, 2009 7:03 PM PST

<< it also allows them to cancel domains under polical[sic] or corporate pressure (GoDaddy has done things like this several times). >>

Big difference. If someone wants to have a site extolling the merits of counterfeit drugs, that's their right. The domains in question are part of a network that conducts transactions and delivers harmful products to consumers. Speech and criminal traffic are two different things.

<<Also, the registrars are seeking permission to charge higher fees.  For instance, they could say that the renewal fee for AOL.com is $5 Million ... pay up or have your domain taken away.  This type of activity may create more problems than it solves.  If you ever dealt with some of these registrars I am sure you would not want these companies being judge and jury over who gets to use which domain names. >>

I don't support any of what you just said. The last thing I want the Registrars being is judge and jury, just want them to terminate domains that they know are already breaking the law.

<<What would you say if YOUR domain was taken away because of some reporting error from someone who didn't bother to check their complaint closely enough, made some technical error, or had some unusual notion of what was illegal? >>

That of course would be problematic, but we're not talking about any old reason or a whim. We're talking about organized crime that takes people's money and returns poison. They have successfully subverted the entire DNS for their gain. We're all paying for their infrastructure while they rake in billions.

"The last thing I want the Registrars Russ Smith  –  Nov 22, 2009 7:19 PM PST

"The last thing I want the Registrars being is judge and jury, just want them to terminate domains that they know are already breaking the law"

So how do they "know" ... because someone on the Internet sends them an e-mail saying so? 

You make a number of statements about "organized crime" "felonies" "subverted the entire DNS" and "raking in billions" that you would have extreme difficulty proving in a court.  This is an example of why court orders should be required rather than a "Salem Witch Trial" system to shut down domains.

I suppose cybercrime is a myth and Garth Bruen  –  Nov 22, 2009 7:37 PM PST

<<You make a number of statements about "organized crime" "felonies" "subverted the entire DNS" and "raking in billions" that you would have extreme difficulty proving in a court. >>

I suppose cybercrime is a myth and the Registrars have no responsibility to anyone, that's one theory.

But if that were true Interpol and 24 governments wouldn't be conducting massive sweeps of fake Internet pharmacies: http://www.interpol.int/Public/ICPO/PressReleases/PR2009/PR2009111.asp

The FDA, Customs, DEA and Postal Inspectors wouldn't be taking down illicit pharma operations and including Registrars and ISPs as part of that: http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm191330.htm

And I suppose MarkMonitor's excellent report on the rapid growth of pharma brandjacking is also an exaggeration: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=220300056

This is a dark, dangerous illicit market that cares little for public safety as they prey on consumer fears and market fake flu medicine online: http://blogs.wsj.com/digits/2009/11/18/cybercrime-capitalizes-on-swine-flu-fears/

The Registrars have a choice. They can help end the illicit use of their products or they will soon find themselves more heavily regulated. The heavy regulations will surely lead to the increases in pricing you fear.

Now you are misrepresenting my statements, I Russ Smith  –  Nov 22, 2009 8:18 PM PST

Now you are misrepresenting my statements, I never said cybercrime is a myth.  You also like to engage in fear mongering.  Misrepresentation and fear mongering are what you are complaining about yet you do the same thing when it fits your agenda.

My point is that registrars do not have the knowledge or ability to determine what is a "crime" and should not have the ability to go around shutting down domains for whatever reason they want.

The guidelines are quite clear. The crime Garth Bruen  –  Nov 22, 2009 8:28 PM PST

<<My point is that registrars do not have the knowledge or ability to determine what is a "crime" and should not have the ability to go around shutting down domains for whatever reason they want. >>

The guidelines are quite clear. The crime is quite clear. We're not talking about "shutting down domains for whatever reason they want", we're talking about a very specific set of circumstances. Registrars are providing an easy portal for international drug traffickers to meet victims in ways they could not dream of 20 years ago. The amount of money flowing through this portal is unprecedented and actually quantifiable. The Internet has erased the protective layers of doctors, pharmacists, regulatory inspections, and industry standards. The role of the Registrar in this dramatic shift has not gone unnoticed and will continue to be the focus of regular scrutiny.

