As the WHOIS debate rages and the Top-Level Domain (TLD) space prepares to scale up the problem of rogue domain registration persists. These are set to be topics of discussion in Costa Rica. While the ICANN contract requires verification, in practice this has been dismissed as impossible. However, in reviewing nearly one million spammed domain registrations from 2011 KnujOn has found upwards of 90% of the purely abusive registrations could have been blocked. To be clear, these were domains intended to be abused, not hijacked or spoofed sites with innocent owners. While it is impossible to truly predict registrant intent it is possible to screen for policy violations and assign risk. In our particular research we only focused on one detail in the WHOIS record, the Administrator email address. By conducting a deep review of the email addresses and the information behind them we have determined a number of factors which invalidate the registration or call out for additional scrutiny. For the Registrar this has always been a conundrum of practicality. On the one hand it is their business to sell as many domain names as possible, on the other hand abused domains create untold headaches for Registrars.
A major concern blocking enhancements to registration verification is domain price. Competition has driven the price down while ingenious registration systems have excelled the process. Many are concerned that adding comprehensive verification to the scheme will add costs and slow the process. However, 23% of the abused domains in our study could have been blocked by very basic form scripting. Some of the most obvious were improperly formatted contact emails, emails with invalid characters inserted, and email addresses missing the TLD extension for the domain (see example 1 and 2). We also found contact emails with non-existent TLDs and in one case this lead to the discovery of an illicit no-prescription pharmacy domain using the mailing address and phone number for the newspaper the Los Angeles Times. The point being that red flags in one area of the registration are good indicators of problems elsewhere. The casual onlooker might wonder how these applications were processed when robust e-form validation has existed for years.
Domain registration is a critical entry point for cybercrime that can be choked easily without interfering with legitimate business. Once an illicit domain is registered it is a "horse out the barn" situation as spammers will abuse a domain at a high volume for a very brief period and then abandon it for greener pastures. By the time a victim reports the problem and a Registrar acts on it the damage is done, the money is gone, and precious time is lost. It is at the moment of creation that havoc can be managed and thwarted. Our study relied on 14 million instances reported by the public, the real number of unreported instances is likely massive in comparison.
Now, the 23% which can be outright blocked is a good start, but there is more hope for the rest. In our tests an additional 67% could be flagged with various risk factors. This type of evaluation gives the Registrar choice. The deep intelligence-based analytics emerged from the data collected from spammed domain registrations, but this is not a blacklist. Clearly it is not in a Registrars interest to manually review each registration but these checks merely present the option of additional review. To be sure we dropped a number of legitimate registrations in the test engine and they passed without being flagged. The screening is specifically targeted at domain registrations created with the intent of being abused. We have also found why some Registrars are being targeted for abusive registrations, often due to conditions which may not be obvious at first.
In general we are encouraged by these findings especially if the threat space on the Internet can be reduced through a process that is invisible to the legitimate domainer. We will be discussing these issues and the details of our findings in Costa Rica. This work is ongoing. A PDF brief is available here: PDF Brief
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines
Neustar DNS Services
Neustar DDoS Protection