Home / Blogs

Most Abusive Domain Registrations are Preventable

Garth Bruen

As the WHOIS debate rages and the Top-Level Domain (TLD) space prepares to scale up the problem of rogue domain registration persists. These are set to be topics of discussion in Costa Rica. While the ICANN contract requires verification, in practice this has been dismissed as impossible. However, in reviewing nearly one million spammed domain registrations from 2011 KnujOn has found upwards of 90% of the purely abusive registrations could have been blocked. To be clear, these were domains intended to be abused, not hijacked or spoofed sites with innocent owners. While it is impossible to truly predict registrant intent it is possible to screen for policy violations and assign risk. In our particular research we only focused on one detail in the WHOIS record, the Administrator email address. By conducting a deep review of the email addresses and the information behind them we have determined a number of factors which invalidate the registration or call out for additional scrutiny. For the Registrar this has always been a conundrum of practicality. On the one hand it is their business to sell as many domain names as possible, on the other hand abused domains create untold headaches for Registrars.

A major concern blocking enhancements to registration verification is domain price. Competition has driven the price down while ingenious registration systems have excelled the process. Many are concerned that adding comprehensive verification to the scheme will add costs and slow the process. However, 23% of the abused domains in our study could have been blocked by very basic form scripting. Some of the most obvious were improperly formatted contact emails, emails with invalid characters inserted, and email addresses missing the TLD extension for the domain (see example 1 and 2). We also found contact emails with non-existent TLDs and in one case this lead to the discovery of an illicit no-prescription pharmacy domain using the mailing address and phone number for the newspaper the Los Angeles Times. The point being that red flags in one area of the registration are good indicators of problems elsewhere. The casual onlooker might wonder how these applications were processed when robust e-form validation has existed for years.

Domain registration is a critical entry point for cybercrime that can be choked easily without interfering with legitimate business. Once an illicit domain is registered it is a "horse out the barn" situation as spammers will abuse a domain at a high volume for a very brief period and then abandon it for greener pastures. By the time a victim reports the problem and a Registrar acts on it the damage is done, the money is gone, and precious time is lost. It is at the moment of creation that havoc can be managed and thwarted. Our study relied on 14 million instances reported by the public, the real number of unreported instances is likely massive in comparison.

Now, the 23% which can be outright blocked is a good start, but there is more hope for the rest. In our tests an additional 67% could be flagged with various risk factors. This type of evaluation gives the Registrar choice. The deep intelligence-based analytics emerged from the data collected from spammed domain registrations, but this is not a blacklist. Clearly it is not in a Registrars interest to manually review each registration but these checks merely present the option of additional review. To be sure we dropped a number of legitimate registrations in the test engine and they passed without being flagged. The screening is specifically targeted at domain registrations created with the intent of being abused. We have also found why some Registrars are being targeted for abusive registrations, often due to conditions which may not be obvious at first.

In general we are encouraged by these findings especially if the threat space on the Internet can be reduced through a process that is invisible to the legitimate domainer. We will be discussing these issues and the details of our findings in Costa Rica. This work is ongoing. A PDF brief is available here: PDF Brief

By Garth Bruen, Internet Fraud Analyst and Policy Developer. More blog posts from Garth Bruen can also be read here.

Related topics: Cyberattack, Cybercrime, DNS, DNS Security, Domain Names, Registry Services, ICANN, Internet Governance, Malware, Policy & Regulation, Security, Spam, Top-Level Domains, Whois

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

How many whois records were examined? Antony Van Couvering  –  Feb 16, 2012 7:18 PM PDT

May I ask how many records you examined?

Antony

Sure... Garth Bruen  –  Feb 16, 2012 7:33 PM PDT

956,702

Am I correct then that you discovered Antony Van Couvering  –  Feb 16, 2012 7:57 PM PDT

Am I correct then that you discovered one illicit use of a domain among 956,702 registrations, among all of the bad whois records?  That does not seem like a high percentage.  It leads me to wonder how big of a problem bad whois records are.

No Garth Bruen  –  Feb 17, 2012 7:04 AM PDT

Not correct, all 956,702 had been abused in 14 million instances. Most were illicit. I just provided one example for the article.

Email verification is pretty much a done Volker Greimann  –  Feb 17, 2012 2:30 AM PDT

Email verification is pretty much a done deal already. The ongoing negotiations between ICANN staff and registrars are pointing in the direction of required email verification on a registrant-level in the upcoming new version of the RAA.

Not just about email verification Garth Bruen  –  Feb 17, 2012 7:11 AM PDT

While I'm glad this is being addressed after 12 years verification is only one part (the lesser part) of the overall study. The meat of this potential abuse can be discerned from subtle information and relationships of the email address.

The public may not be privy to the negotiations you're describing, can you enlighten everyone?

While I cannot divulge any details at Volker Greimann  –  Feb 17, 2012 7:20 AM PDT

While I cannot divulge any details at this time to avoid derailing the current talks by breaking the confidentiality agreed with ICANN, I can disclose that email confirmation is one part of the proposal the registrars made.

I read you brief in the meantime, but note that there is relatively little meat on the bone. You are hinting at easy steps to verify but there is no substance. Can you go into detail a bit more on how you propose to cut abusive registrations by 90%. The examples given in your brief would only stop the dumbest criminals, and none of the cases we usually see.

Also, while I agree that the use of stolen addresses is a problem, I see no solution of how to determine an address is stolen prior to the registration, at least not without inconveniencing and increasing costs for 99% if the registrant who operate legitimately.

Progress or no? Garth Bruen  –  Mar 06, 2012 9:16 PM PDT

Are the discussions having the problems described in Kieren's blog?

Yikes! Garth Bruen  –  Feb 17, 2012 8:13 AM PDT

It sounds like transparency is taking a back seat again (or is it even on the bus?)! ICANN still has a problem with its own mission statement and that critical decisions that impact everyone are being made by a handful of presumably unknown people. But thanks for the for the assurance from the inner circle that everything is going to be fine.

The raw data has a problem in that it reveals too much about specific spam gangs and particular malicious players and I have no interest in tipping them off. As for the process I will be in Costa Rica and will meet with any interested party to discuss it. Over time more details will be published.

But, I'll make a deal with you. Get me into the secret negotiations as an observer for the At-Large user and I'll share more of the data with you.

Invalid conclusion Dan Wright  –  Feb 17, 2012 10:52 AM PDT

It is a fallacy to conclude that just because the abused domain names had invalid data, that they would not have been abused with valid whois data.

If you place stricter requirements on registrants to provide valid whois data, they will.  That does not mean it will be their own.  All you are doing is encouraging identity theft.

Anybody want a valid e-mail address so that you can register a domain name for your spam run?  No problem.  You can get as many as you want from hotmail, yahoo, or gmail right now with no barrier of entry.  A week later, you can throw away the address as quickly as you throw away the domain name.

Contact validation only hurts legitimate registrants.  It won't do a single thing to prevent abuse.

fallacious fallacy Garth Bruen  –  Feb 17, 2012 1:41 PM PDT

Dan,

There are fallacies in the fallacy claim. First, valid data and truthful statements are a requirement of domain registration. Knowingly providing false information is a bad faith registration. This is not a good basis for the global consumer trust the Internet. We all deserve better.

Next, saying I'm encouraging identity theft by requiring enforcement of existing rules is like saying the government is encouraging teenagers to buy fake IDs by enforcing cigarette and alcohol restrictions.

Also, you are mixing populations in your statement. One are legitimate persons trying to protect their privacy, which is understandable. The second population (the one I'm talking about) are domainers with illicit commercial interests. There are no expectations of privacy in commercial enterprise. Purporting to protect one by protecting the other is a fallacy.

Then, the validation issue is only one portion of the study, the other is about assigning risks to domain registrations. The risk assignment handles your throwaway argument.

Finally, are you going to disclose to the forum you work for a Registrar?

I agree that knowingly providing false information Dan Wright  –  Feb 17, 2012 4:50 PM PDT

I agree that knowingly providing false information is a bad faith registration.  I dispute the people you are attempting to block are interested in registering in good faith.  I further dispute that you have proven that adding extra checks would have prevented those people from registering domain names.  All it would have done is cause them to to put a little more effort in choosing more legitimate looking contact information.  Bad people don't stop being bad because somebody adds a new rule.

I don't dispute the merits of enforcing existing rules.  I dispute that the proposed methods of implementation will achieve those goals.  I agree that teenagers do buy fake IDs to circumvent cigarette and alcohol restrictions.  There are similarities between the two situations.  The fact that they are often successful only stands to prove my point.

I'm interested in seeing a system that stands a better chance of preventing malicious registrations than legitimate ones.  The system you propose can be defeated by using a hotmail account and picking a random postal address out of a local telephone directory.  It will also end in legitimate registrants having their domain name registrations deleted when some of them fail to verify their contact information in x days.

I do work for a registrar.  I am not representing my employer, and my views do not necessarily reflect their views.  My employment is not relevant to the fallacies in your argument.

Yes to some of it Garth Bruen  –  Feb 18, 2012 9:40 AM PDT

I agree with some of your points, but you are making incorrect assumptions about our work. A big part of what were talking about tracks the usage of throwaway accounts in terms of calculating risk. We've covered this in previous research as well.

There are multiple layers here. The first is that email addresses must be possible, then they must be plausible, then they must be actual, then must be truthful.

I don't think that the Registrars should bare the burden for this alone. As the administrator of the contract ICANN must supply much more specific guidance than it is currently doing, and the registrant (the illicit one) must bear the greatest burden.

You're being a registrar employee does not change the value of the argument but rather the perspective of the reader.

Strained analogy The Famous Brett Watson  –  Feb 17, 2012 8:52 PM PDT

...saying I'm encouraging identity theft by requiring enforcement of existing rules is like saying the government is encouraging teenagers to buy fake IDs by enforcing cigarette and alcohol restrictions.

It's a strained analogy. The barrier of obtaining fake ID is not comparable to the barrier of obtaining a real email address. Email addresses are readily (and legally) available at near-zero effort.

Furthermore, it's the parts of the identity that won't be verified which will result in identity theft. If you can't (or won't) verify a particular identity-related claim (e.g. name, address, telephone number), then you're inviting identity fraud when you demand that such data be provided. Don't demand data that you're not willing to verify.

If you actively verify all the data you collect, then you've raised the problem to a level comparable to the "fake ID" issue — i.e. a select group of miscreants will be prepared to challenge your verification efforts with fake credentials.

Just say no to deafitism Garth Bruen  –  Feb 18, 2012 9:22 AM PDT

Don't demand data that you're not willing to verify.

Excellent statement. So, let's not allow this ad hoc, wink-wink system to continue.

Your argument is that they will do anything to get their hands on domain names no matter how high the barrier. I said in the original the domains are a critical resource the miscreants can operate without. If it is worth so much to them to use as a weapon against the rest of us, isn't it worth it to us to make it harder for them to do so?

There need to be real consequences to forging WHOIS and then using the domain for an illicit purpose (please don't say I'm talking about prosecuting innocent domainers trying to protect their identity, because I'm not).

The other aspects of the record and their verification are different issue, here I'm just talking about email addresses and mostly in the context of measuring risk from the obvious to the discrete.

I don't know where you went to high school but fake IDs were $10 in mine. My analogy is correct regardless of the value comparison.

WTF? The Famous Brett Watson  –  Feb 18, 2012 9:36 PM PDT

Your argument is that they will do anything to get their hands on domain names no matter how high the barrier.

I said absolutely nothing of the sort. In fact, that is so completely unlike my argument that no meaningful response is possible. If you need clarification, I suggest reading my earlier comment again, more carefully.

Um...I did Garth Bruen  –  Feb 19, 2012 5:55 AM PDT

a select group of miscreants will be prepared to challenge your verification efforts with fake credentials.

I will clarify The Famous Brett Watson  –  Feb 20, 2012 8:39 AM PDT

I see. Very well, allow me to clarify. My remarks were primarily a response to this paragraph of yours.

Next, saying I'm encouraging identity theft by requiring enforcement of existing rules is like saying the government is encouraging teenagers to buy fake IDs by enforcing cigarette and alcohol restrictions.

It's true that, in both cases, enforcement of rules results in efforts to thwart those rules. It's also true that efforts to thwart the rules don't automatically invalidate the rules themselves. The analogy is still not apt for several reasons, however.

First, a working email address proves nothing about identity, because the barrier to obtaining one is essentially zero. Failure to provide or verify an email address is sheer laziness on the part of the registrant or registrar, respectively, and there are good reasons for requiring a valid email address and verifying it, but it proves nothing about the owner of the address.

Second, if you require name, address, and telephone number details to be provided, and you validate that data (in the sense of checking that there is such an address, and the telephone number matches a known good pattern), then you promote a harmful kind of identity fraud. If the details are completely fictitious, then there is no owner of the identity to suffer harm. If, however, the attacker is obliged to offer realistic details because of validation, then his simplest course of action is to copy them straight out of a phone book or similar resource. A real person is thus falsely and publicly associated with whatever misdeeds are going on at the domain. In both cases the details are false, but in the latter case an innocent third party suffers harm.

This kind of public damage to reputation is not associated with fake IDs used to purchase booze on the sly. The main aim of the fake ID is to look authentic and attest to an acceptable age. Other aspects of the ID are assumed to be true if the ID is accepted as genuine, but they aren't relevant to the transaction, and none of the details in the ID are made public in the transaction.

Now, back to what I said.

If you actively verify all the data you collect, then you've raised the problem to a level comparable to the "fake ID" issue — i.e. a select group of miscreants will be prepared to challenge your verification efforts with fake credentials.

This was meant to show what kind of difference would be necessary to the registration process in order to make your analogy more apt — and also mention in passing the consequences of that difference.

In retrospect, my analysis was clearly wrong. People don't actively verify the data on a false ID — they just decide whether it looks like a real ID, and assume the data is correct if it does. Thus, the parallel in computing terms would not be for the registrar to verify customer data, but for the customer to provide some kind of digital certificate when registering a domain. The registrar would merely check the validity of the certificate and the registrant's cryptographic proof of association. Also, for proper similarity, the transaction would not result in a public record showing the association between the purchased item and the purchaser's identity: the transaction would be a private affair between the registrant and registrar.

Now I know you hate with a passion the idea that people might be allowed to register domain names privately — that is, without making that transaction an immediate matter of public record in WHOIS — so please don't be distracted into thinking that I'm actually suggesting that here. I'm not. Nor am I suggesting that registrants ought to obtain digital certificates as a prerequisite to purchasing a domain. I'm observing that if a fraudulent domain purchase were like buying booze on the sly with fake ID, a certificate would be used in the purchase, and the transaction wouldn't be a matter of public record. Details such as that have consequences, and can make the difference between a good analogy, a poor analogy, and a disingenuous piece of propaganda.

Lastly, your interpretation of my argument, and why it is in error.

Your argument is that they will do anything to get their hands on domain names no matter how high the barrier.

On the contrary, the height of the barrier has an inverse relationship to the number of miscreants who will be prepared to challenge it. I thought this was obvious and uncontroversial. Your interpretation reads far too much into my words. As it happens, I can think of numerous (outrageously drastic) barriers which would probably eliminate all fraudulent registrations — and probably all legitimate registrations as an unintended side-effect. Consequences are consequences, however, regardless of intention.

In closing, let me reiterate that I'm not advocating particular positions in my comments here. I have my views on the matter, but I'm restraining myself to analysis for now. In particular, I'm not suggesting that registrants should require digital certificates in order to register domains. Indeed, I'm prepared provide an argument, on request, as to why it's a bad idea. However, it does provide an interesting angle into the question of whether registries should be obliged to verify the data they collect on registrants: to the extent that we require such verification, we are effectively asking them to act as certification authorities, or at least do the hard part of the certification process (the verification). Once you understand that, the economics of the situation are made clearer, and the difference between "verifying registrant data" and "requiring the registrant to have a digital certificate" is seen to be little but a choice of words.

In other words, if you are going to insist that all registrant data be verified, you may as well suggest that digital certificates be required as part of the registration process. At least the registrant gets to keep a digital certificate that way, not to mention the possibilities for integration with DNSSEC. If it seems too high a barrier, then bear in mind that it's no higher than the barrier of verifying registrant data in general.

Uh, no Garth Bruen  –  Mar 11, 2012 8:55 AM PDT

Now I know you hate with a passion the idea that people might be allowed to register domain names privately

Wrong. You couldn't know this, you've never asked me and I never said it. My arguments have been that there is no expectation of privacy in commercial transactions, meaning domains used for commerce need to be completely transparent to the consumer, this would include all the illicit domains in question as they deal in trademarked goods and heavily regulated products (like drugs). The consumer has zero tools at their disposal to address phantom registrants. In the real world this behavior is unacceptable. One cannot have secret ownership of a pharmacy. I have been pushing for, and this is recommended by the working groups, that privacy services be accredited, transparent and accountable. There are NO standards for privacy services at the moment.

People don't actively verify the data on a false ID — they just decide whether it looks like a real ID, and assume the data is correct if it does

Not true. Given it has been a while since either of us had to sneak into a bar, they have a number of procedures now since potentially losing a liquor license because of a violation threatens the business' bottom line. ID's are scanned and verified by machines - blacklight watermarks, magnetic strips. ID's are photographed by special cameras. Bouncers will look at the ID and ask the person trick questions about their age and birthday. Fake IDs are frequently confiscated and placed on display at bars and liquor stores with the fraudulent person permanently banned. Why? You're entering a public space and it is a privilege. The venue has a responsibility to the other patrons. The cost of IDs has increased to cover the physical changes but it is not a prohibitive cost.

Contradictions and counter-examples The Famous Brett Watson  –  Mar 12, 2012 1:36 AM PDT

Wrong. You couldn't know this, you've never asked me and I never said it.

If I'm wrong, then there are reasonable conditions under which you would countenance private domain name registrations. Please tell: I'd be interested to hear about them.

ID's are scanned and verified by machines - blacklight watermarks, magnetic strips. ID's are photographed by special cameras.

Yes, and digital certificates are signed in a way that can be verified with a public key. These are examples of "deciding whether it looks like a real ID", not "verifying the data", so they do not contradict my point.

Bouncers will look at the ID and ask the person trick questions about their age and birthday.

This is closer to a legitimate counter-example, but I reject it because the approach does not actually verify the data: it merely tests the owner's knowledge of the data (regardless of whether it is true or false). In the absence of an actual test for veracity, the bouncer is simply making do with a test that has results somewhat correlated with the desired test. False positives and negatives will occur, along with their associated problems.

Fake IDs are frequently confiscated and placed on display at bars and liquor stores with the fraudulent person permanently banned.

If that's true, then I retract my earlier statement, "this kind of public damage to reputation is not associated with fake IDs used to purchase booze on the sly." The damage would be less widespread, because it is localised to the shop in which the ID is displayed, but it becomes possible to conduct a reputation-smearing attack on a person by impersonating them in the store. If the person is simply sent away without service, then there is no such attack vector.

None of these examples invalidates my final analysis that, "if you are going to insist that all registrant data be verified, you may as well suggest that digital certificates be required as part of the registration process." I'd be interested to know whether you concur, or whether your counter-examples were intended as a rebuttal.

The point remains Volker Greimann  –  Feb 20, 2012 6:09 AM PDT

The point remains however that in all likelyhood and checking of the whois data will not reduce the amount of crime on the internet.

True, additional verification will increase the accuracy of the data of the legitimate registrants, but criminals will always find a way to circumvent the system.

Management not solution Garth Bruen  –  Feb 20, 2012 7:46 AM PDT

The work of addressing criminality in the real world and on the Net is one of proper management of the scale of the problem. Crime never truly goes away it's a human problem that fluctuates. Our job as policy makers is to not make it easy for the malicious actors.

I have to take of my hat and sunglasses when I enter a bank, and then pass my papers through a tiny hole in bullet proof glass. The money behind the counter is broken up into smaller increments per employee which reduces the likelihood of getting large amounts of money. Bank robberies still happen but it's a desperate crime. The amount of the take compared with the level of violence needed keeps most criminals disinterested. Most bank robbers are eventually caught and the conviction rate is high. I used to be much easier to rob a bank and escape but it is now a problem which has been managed to a lower volume. There are other ways to steal larger amounts of money now electronically, but this is a field which is also managed with controls and auditing.

Yes, criminals will adapt, they always do. But when they have to change tactics there is a cost for them and not all of them can adapt. We have to raise the barriers for them and force them to take more risks which increase the chance of getting caught.

Registration abuse will not be eliminated, but the risk can be managed. How effective it is will be seen with implementation through proper testing. It's premature to say it wont work. I do not believe that doing nothing and tightening controls are equal propositions.

Benefits must outweigh the effort required Volker Greimann  –  Feb 20, 2012 8:33 AM PDT

Not all barriers that can be implemented actually make sense, especially if they overly inconvenience "normal" registrants. Not everything that _can_ be done _should_ be done.

Additionally, any change to registration procedures needs to have a substantial effect. Cosmetic changes that make registrations more expensive and cumbersome for legitimate registrants but provide no long-term effect towards crime or crimefighting are not helpful.

What is needed are common methodologies carefully selected with an eye to their likely effects on internet crime and the interests legitimate registrants.

As an example: Any address can be verified, at a price, but does that ensure the address is actually that of the criminal? Probably not, since everyone has access to online phone books.

As the head of a registrars abuse team, I see and take down criminal sites every day. I will be happy to look at your suggestions to see if they bring anything new to the table. The way I see it, any solution must be universal, i.e. apply to all registrars and work for all registrants around the world exactly the same way.

Let's get real Garth Bruen  –  Mar 06, 2012 9:18 PM PDT

As an example: Any address can be verified, at a price, but does that ensure the address is actually that of the criminal? Probably not, since everyone has access to online phone books.

Don't you have customer/cc data to compare it to?

Usually not. CC payments are handled through Volker Greimann  –  Mar 07, 2012 2:10 AM PDT

Usually not. CC payments are handled through a payment service provider, we do not have access to the data and resellers get paid directly by their customers so we do not see the individual payments or customer data either.

I would not bet on the basic premise: "Most abusive domain registrations are preventable". "Most abusive domain registrations can be made a bit more difficult for the registrants" sounds more convincing…

CentralNic & False Designation ccTLDs. Graham Schreiber  –  Oct 18, 2013 8:10 AM PDT

Hi Garth:

If companies such as CentralNic, easily the pinnacle of "rogue domain registration" agents were subjected to the Rule of Law; as written in ICANN's RAA Sections 3.7.7.3 and 3.7.7.9

A vast number of "Abusive" [[[ Contributory Infringing ]]] Domain Names would stop being created.

Cheers, Graham.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Dot Chinese Online and Dot Chinese Website Featured in EURid's World Report on IDNs 2014

New .ORGANIC Top-Level Domain Opens to Serve the Organic Community

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

Independent Endorsement of Dot Chinese Online & Dot Chinese Website by by FiarWinds Partners

New gTLDs and Best Practices for Domain Management Policies (Video)

.Host Announces Top Global Players As Pioneer Partners

Public Interest Registry Releases Bi-Annual Report, .Org Domain Registrations Pass 10.4 Million

Public Interest Registry to Speak About Upcoming Launch of .ngo and .ong Domains for NPOs

Landrush Opens for .Website, .Press and .Host

Afilias Announces General Availability of .BLACK Top-Level Domain

Nominum Announces Future Ready DNS

Last Lap of .WEBSITE, .PRESS and .HOST Sunrise

DotConnectAfrica Trust Responds to ICANN 50 GAC Advice, Updates on .Africa Application IRP Status

New .ORGANIC Domain Sunrise Begins, Creating Verified Space 
for Organic Products and Services

Non-English "IDN Email" Addresses Are Finally Working!

TLD Registry to Speak at Inaugural World Domain Day India

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Independent Endorsement of Dot Chinese Online & Dot Chinese Website

ICANN London Recap Webinar

Four Reasons to Move from .COM to Your .BRAND Domain

Sponsored Topics