90% Spam coming from 20 Registrars

ABC : 90% Spam coming from 20 Registrars

Most Spam Sites Tied to a Handful of Registrars

By Brian Krebs

The Washington Post

May 19, 2008

http://blog.washingtonpost.com/securityfix/2008/05/most_spam_sites_tied_to_a_hand_1.html

New research suggests that more than three quarters of all Web sites advertised through spam are clustered at just 10 domain name registrars.

The data comes from millions of junk messages collected over the past year by Knujon ("no junk" spelled backwards and pronounced "new john"), an anti-spam outfit that works by convincing registrars to dismantle spam sites.

Knujon's co-founder Garth Bruen said the links in spam messages touting fake pharmacies, knock-off designer products, pirated software and phony lending institutions redirect users to a relatively minuscule subset of sites that are generally under the control of a small number of companies.

Bruen focuses most of his energy on calling attention to spam sites that list blatantly false information in their WHOIS records, the global online directory designed to list the contact data for individuals who register Web sites.

The Internet Corporation for Assigned Names and Numbers (ICANN), the Marina Del Rey, Calif.-based group charged with overseeing the domain name system, requires all Web domain registrars to collect and maintain accurate WHOIS data for all domain holders. Under the terms of their contracts with ICANN, registrars are supposed to cancel any Web site registrations with inaccurate WHOIS data if the domain holder does not update their records within 15 days of receiving notice from the registrar.

It should surprise no one that spammers rarely provide their real credentials when registering new sites. But the trouble is that relatively few registrars police their own WHOIS records, or bother to do any kind of rudimentary checks to verify that the information is accurate when the domain holder first registers the site. And, until very recently, Bruen said, ICANN hasn't done much about it.

"ICANN doesn't have any authority or mandate to deal with spam or Internet abuse, but it does have a mandate to make sure the WHOIS records are accurate," Bruen said. "A lot of our work has focused on what's clearly within ICANN's management and what's in the registrar's contractual agreement with ICANN. And ICANN doesn't like the fact that they're being forced to comply with their own standards by third parties."

Over the past several months, Knujon has submitted so many automated complaints about inaccurate WHOIS records at registrars that it crashed ICANN's database on several occasions.

Bruen said he tried to warn ICANN that this would happen.

"The absurd thing about this is I flew out there in June and said 'Here's the direction we're heading in with Knujon, and from what I can tell, your database can't handle what we have to submit'," Bruen recalls telling the ICANN folks.

Bruen said ICANN tacitly acknowledged in a recent newsletter that the complaint database crashes and that Knujon was responsible for filing 40 percent (19,873 out of 50,189) of all WHOIS inaccuracy reports submitted to ICANN in the latest reporting period.

In April 2007, ICANN launched a new program to address WHOIS compliance issues, including an annual WHOIS data accuracy audit. It also combed through all of the inaccurate WHOIS reports and sent certain registrars a "Notice of Concern," though it declined to publicly name those companies.

So who are the top 10 registrars most favored by spammers? You can see the list along with Knujon's methodology ay http://www.knujon.com/registrars/. A few of the names on it are unsurprising simply by virtue of their market share. Number five -- Bellevue, Wash., based eNom -- is the second largest registrar, according to DomainTools's registrarstats.com. Number six -- Pompano Beach, Fla., based Moniker -- has the eighth largest market share among registrars.

But size doesn't explain most of the names on the list. The registrars that scored the worst overall - Xinnet Bei Gon Da Software, BEIJINGNN, and Todaynic -- are all located in China, and are 18th, 47th and 99th in terms of market share, respectively.

Perhaps the most interesting name on the list is number 7 - a registrar out of Broomfield, Colo., called Dynamic Dolphin. According to Knujon, more than 10 percent of the company's 45,000-plus domains have false WHOIS data, and more than 17 percent of the domains registered through the company have been observed being advertised through spam.

A bit of digging into Dynamic Dolphin revealed that it is owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. Those of you who read this post a few weeks back will recognize this company: Its CEO is Scott Richter, a notorious, self-avowed spammer who claims to have quit the business. As I noted in that post, anti-spam groups claim that Media Breakaway recently hijacked more than 65,000 IP address for use in sending e-mail and hosting commercial Web sites.

Dynamic Dolphin is a reseller of registrar services offered by number 9 on the list, an Indian company named Direct Information PVT Ltd. (Directi) and doing business as PublicDomainRegistry.com.

To its credit, Directi has been fairly active of late in removing spammy and outright nasty customers from its domain portfolio. Last year, the company canceled more than 18,000 registrations tied to the Russian Business Network (RBN), an ISP that experts say served as a front for organized Russian cyber criminals and child pornographers.

RBN was scattered to the four winds in November 2007, after stories from The Washington Post and other media outlets exposed the company's business activities and supporting networks. Experts say RBN may be dispersed, but it is hardly gone. Anti-spam groups have spotted cyber-crime activity that fits RBN's modus operandi at a number of Chinese ISPs and registrars since its original online base of operations was boarded up.