Home / Blogs

What's Driving Spam and Domain Fraud? Illicit Drug Traffic

Garth Bruen

Spam is not about who sent it, it's about who benefits from it. For a moment forget everything you know about filters, zombie PCs, firewalls, spoofing, viruses, beisyan algorithms, header forgery, botnets, or blacklists. These are all methods for sending spam or preventing spam delivery. None of these explain why spam is sent and for far too long all the attention has been paid to the effects and not the driving force. Under the endless onslaught of junk mail it is easy to feel that the goal of the game is send spam and annoy us all. But this isn't the goal. The goal of spam is a transaction. Motivation not method.

A transaction in this sense could be many things. It can refer to the traditional meaning of the word: someone voluntarily exchanging some kind of money for a product or service, like buying illicit products from shady. In terms of cybercrime it can also refer to the involuntary exchange of information, like the reveal of a password, credit card, or bank account information. It could mean that a virus was installed on your pc that opens it up to abuse. An email recipient could follow a link charges and advertising account, click-fraud. Or, a transaction could simply be that the recipient of the spam comes to believe that something is true and then acts on it. Examples of this being stock spam and urban legends. A consumer believes that a stock price will increase so they buy some. An email user believes a chain-hoax to be true so they forward it to more people. Sending spam is not a transaction, it's just an advertisement. The transaction only occurs when the spam recipient takes action or provides money, information, or access.

There are two broad categories of spam emails: ones that advertise a URL and ones that do not. Stock spam, degree mills, and advance fee scams (so-called 419 or Nigerian scams). For the purposes of this discussion we're focusing on the URL-based spam.

Transactions for products and services occur at websites. There is certainly a diversity of products advertised in spam but far and away the number one item: Drugs. Not heroin, cocaine or marijuana but illicit pharmaceuticals. This should not come as a surprise to anyone as Viagra has become synonymous with spam and vice-versa. But it's not just lifestyle drugs. Painkillers, psychotropics, anti-depressants, diabetics, and pretty much any drug that requires a prescription are being sold on domains sponsored by ICANN Accredited Registrars. The only problem here is that these drugs are being sold without a prescription. No, the drugs do not come from Canada. Even though "Canada" is a favorite term for these websites the pills come from Turkey, Serbia, Moldova, and India. The medicine may be real or it may not be, but anyone consuming them is risking their health as well as giving money to organized crime.

Spam offers everything from septic tanks to prostitution, but illicit prescriptions are most of the problem. Rogue pharmacy is now at least at $100 Billion illicit industry and the Internet is driving its growth with absolute impunity.

Criminals hire spammers to promote websites where drugs are sold illegally. Because spammed websites are quickly discovered and complained about they are often taken down soon after a spam campaign. To deal with this problem drug traffickers use multiple layers of linked and redirected domains that are not spammed, stay intact and endure. Spammers may in fact be the Registrars best customers. Whereas the ordinary business may buy one or two domain names, spammers buy thousands and then dump them. The Registrar can then resell the defunct domain names, so they get paid twice for the same item.

Some reading this may think that Registrars are the fall guy here as it is impossible to track the activity of the thousands of domain names they sponsor. Problem is, they have been specifically informed of which domains are conducting illegal activities multiple times. Some might wonder then who is KnujOn to tell a Registrar about fake pharmacy domains? Actually, our reports have been endorsed by the National Association of Boards of Pharmacy(NABP), The National Center on Addiction and Substance Abuse at Columbia University (CASA), The American Pharmacists Association (APhA), and the Partnership for Safe Medicines.

Regardless of our endorsements, if a Registrar receives information of an illicit pharmacy site sponsored by them from any consumer and does not investigate and terminate, that Registrar is now aiding criminals. If a Registrar continues to accept payment from the domain owner after being notified, they are then receiving money from organized crime.

Bottom line is that the Registrars have the authority and technical ability to terminate a domain, even though many claim they do not. Registrars have the power to stop rogue pharmacy domains. The illicit networks rely on stable domains just like any other business. However, until the Registrars are told to stop sponsoring illicit drug traffic they will continue to do so. It is a ridiculous dance that cannot go on much longer. This farce is going to come to an end. No more pointing fingers at the ISPs only, terminating a domain breaks the spam link and closes the transaction platform.

By Garth Bruen, Internet Fraud Analyst and Policy Developer. More blog posts from Garth Bruen can also be read here.

Related topics: Cybercrime, Domain Names, ICANN, Internet Governance, Law, Policy & Regulation, Registry Services, Spam, Top-Level Domains


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


It varies Suresh Ramasubramanian  –  Nov 20, 2009 12:14 AM PDT

Pills yesterday, fake rolexes some other day .. malware URLs that broadcast trojans some other day.  It varies.

Yes, we want to make pill traffic Garth Bruen  –  Nov 20, 2009 7:55 AM PDT

Yes, we want to make pill traffic yesterday's problem so we can tackle fake rolexes tomorrow. Thanks for making that point.

Registrars have the power to stop rogue Th. Kühne  –  Nov 20, 2009 2:37 PM PDT

Registrars have the power to stop rogue pharmacy domains.

That sounds like an invitation for successful lawsuits against the registrars(as well as registries) on two fronts:

* the finding if some operation is a "rogue pharmacy" is usually reserved to courts of law and similar institutions
* what happens if a registry establishes a no-rouge-pharmacy policy and fails to enforce it against a registered domain(e.g. the registry wasn't aware)

That said, registries and registrars should of course enforce their TOS: valid name/address/means of payment.

@Th. Kühne Garth Bruen  –  Nov 20, 2009 2:45 PM PDT

the finding if some operation is a rogue pharmacy is usually reserved to courts of law and similar institutions

Nope, the licensing is done at the local level by board certification

what happens if a registry establishes a no-rouge-pharmacy policy and fails to enforce it against a registered domain(e.g. the registry wasn't aware)

If they're not aware they can't enforce. The problem begins when they are informed and do nothing.

That said, registries and registrars should of course enforce their TOS: valid name/address/means of payment.

The typical TOS also includes "no illegal activities" clause (as does the UDRP) as well as clauses that forbid activities that may harm the public or result in a lawsuit against the provider.

I've done a cursory look at the Th. Kühne  –  Nov 20, 2009 3:26 PM PDT

I've done a cursory look at the TOSs of Go Daddy, Enom, Tucows and Networksolutions.

While all of them contain rules against illegal use, the wording seems only to apply to value added services like DNS hosting, email forwarding etc. and not the domain registration itself.

The UDPR does contain (2.c and 2.d) wording against illegal use but also requires an UDPR proceeding(or order of court) to establish the illegal use and decide applicable actions.

Unless I'm missing anything, the registrars would have to request an UDPR decision to cancel domains registered with them.

I suppose cybercrime is a myth and Garth Bruen  –  Nov 22, 2009 8:37 PM PDT

You make a number of statements about "organized crime" "felonies" "subverted the entire DNS" and "raking in billions" that you would have extreme difficulty proving in a court.

I suppose cybercrime is a myth and the Registrars have no responsibility to anyone, that's one theory.

But if that were true Interpol and 24 governments wouldn't be conducting massive sweeps of fake Internet pharmacies: http://www.interpol.int/Public/ICPO/PressReleases/PR2009/PR2009111.asp

The FDA, Customs, DEA and Postal Inspectors wouldn't be taking down illicit pharma operations and including Registrars and ISPs as part of that: http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm191330.htm

And I suppose MarkMonitor's excellent report on the rapid growth of pharma brandjacking is also an exaggeration: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=220300056

This is a dark, dangerous illicit market that cares little for public safety as they prey on consumer fears and market fake flu medicine online: http://blogs.wsj.com/digits/2009/11/18/cybercrime-capitalizes-on-swine-flu-fears/

The Registrars have a choice. They can help end the illicit use of their products or they will soon find themselves more heavily regulated. The heavy regulations will surely lead to the increases in pricing you fear.

The guidelines are quite clear. The crime Garth Bruen  –  Nov 22, 2009 9:28 PM PDT

My point is that registrars do not have the knowledge or ability to determine what is a "crime" and should not have the ability to go around shutting down domains for whatever reason they want.

The guidelines are quite clear. The crime is quite clear. We're not talking about "shutting down domains for whatever reason they want", we're talking about a very specific set of circumstances. Registrars are providing an easy portal for international drug traffickers to meet victims in ways they could not dream of 20 years ago. The amount of money flowing through this portal is unprecedented and actually quantifiable. The Internet has erased the protective layers of doctors, pharmacists, regulatory inspections, and industry standards. The role of the Registrar in this dramatic shift has not gone unnoticed and will continue to be the focus of regular scrutiny.

As predicted, it's coming around Garth Bruen  –  Dec 15, 2010 7:57 AM PDT

Google, Microsoft, Others Join Obama to Fight Phony Pharmacies


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

DNS Security

Sponsored by Afilias


Sponsored by Verisign

IP Addressing

Sponsored by Avenue4 LLC

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Domain Registrations Reach 331.9 Million, 6.7 Million Growth Year over Year

.brands Spotlight: Banking and Finance Industries

Google Buys Business.Site Domain for 'Google My Business'

Radix Announces Global Web Design Contest, F3.space

Global Domain Name Registrations Reach 330.6 Million, 1.3 Million Growth in First Quarter of 2017

.TECH Gets Its Big Hollywood Break

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

UDRP: Better Late than Never - ICA Applauds WIPO for Removing Misguided 'Retroactive Bad Faith'

The Rise and Fall of the UDRP Theory of 'Retroactive Bad Faith'

.PRESS Supports Press Freedom Day for 3rd Consecutive Year

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Michele Neylon Appointed Chair Elect of i2Coalition