2008-10-11

Actions against registry services abuse – Report Oct 2008 - HostExploit and Directi

Jart Armin of HostExploit.com & Bhavin Turakhia, CEO of Directi are pleased to jointly report on the outcome of community actions against abuse of Directi’s domain registry and PrivacyProtect.


The figures above summarize the actions that Directi, in conjunction with HostExploit, has recently taken to track down and stop abusive domain names and registrants from misusing Directi's services.

Registrar Abuse

  • Over 50,000 domain names have been suspended that were either involved in abusive activity or registered by customers/registrants exhibiting persistent patterns of abuse.
  • These domain names (and/or their registrants) were involved in various types of abuse, such as spamming, phishing/spoofing, malware perpetration, suspected pedopornography, financial frauds and falsified ‘Whois’ information.
  • All other services utilized by any of these domain names have also been revoked.
  • Over the past three months, certain resellers have been identified who have been the destination of choice for bad actors; among these are Vivids Media GMBH, Klikdomains, MyNick.name, and Webst.ru. Approximately 125,000 domain names registered through these resellers have been suspended so far.

PrivacyProtect

  • A large incentive for bad actors to use Directi’s services has been PrivacyProtect.org. This service has been disabled for over 27,000 abusive domain names.
  • The service has been permanently disabled for all existing and new registrations through resellers/registrars that have seen high volumes of abusive registrations, notably those mentioned above and Estdomains. In total, approximately 500,000 domain names have had privacy protection cancelled.

Analysis

HostExploit is pleased to report that Directi, while reviewing abuse complaints and suspending the domain names involved over the past few months, even before the ‘Atrivo-Cyber Crime USA’ report, found certain trends:

  • Domain names registered with the same/similar contact information (name, address patterns)
  • Bulk registrations of domain names with a slight variation in the domain name, e.g. 018xyz.com, 018xyza.com, 018xyzb.com, 018xyzc.com …, by abusive registrants/customers
  • The same blacklisted name servers being repeatedly utilized
  • Registrations in the same customer account involved in various forms of abuse

Based on these trends, all domain names were reviewed, first in the customer's account, then in the reseller's account and then across the databases. Based on these similarities, 35,000 domain names were identified and have been labeled as co-network.
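The review described above, as an added example written for this page (not HostExploit's or Directi's own tooling): registration records are linked when they share a customer account, a normalized contact, a blacklisted name server or a domain-name stem, and unsuspended domains that land in a cluster with a confirmed-abusive one are flagged as co-network for review. The records, the blacklist and the 5-character stem heuristic are constructed assumptions.

```python
import re
# Constructed sample registration records (not real data); "abusive" marks
# domains already suspended on a verified complaint.
RECORDS = [
    {"domain": "018xyz.com", "account": "A1", "contact": "J. Doe, 1 Main St.", "ns": "ns1.bad.example", "abusive": True},
    {"domain": "018xyza.com", "account": "A1", "contact": "J Doe 1 Main St", "ns": "ns1.bad.example", "abusive": False},
    {"domain": "018xyzb.com", "account": "A2", "contact": "J. Doe, 1 Main St.", "ns": "ns2.ok.example", "abusive": False},
    {"domain": "shop-news.net", "account": "A3", "contact": "R. Roe, 9 High Rd", "ns": "ns1.bad.example", "abusive": False},
    {"domain": "mybakery.org", "account": "A4", "contact": "B. Baker, 5 Oven Ln", "ns": "ns2.ok.example", "abusive": False},
]
BLACKLISTED_NS = {"ns1.bad.example"}  # assumed name-server blacklist

def normalize_contact(text):
    """Collapse case and punctuation so 'J. Doe, 1 Main St.' matches 'J Doe 1 Main St'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def name_stem(domain, min_len=5):
    """Bulk-variant key: leading min_len chars of a label longer than min_len (heuristic)."""
    label = domain.split(".")[0]
    return label[:min_len] if len(label) > min_len else None

def link_keys(rec):
    """Attributes that tie one registration to others: account, contact, bad NS, name stem."""
    keys = [("account", rec["account"]), ("contact", normalize_contact(rec["contact"]))]
    if rec["ns"] in BLACKLISTED_NS:
        keys.append(("ns", rec["ns"]))
    stem = name_stem(rec["domain"])
    if stem:
        keys.append(("stem", stem))
    return keys

def cluster(records):
    """Union-find over domains and their shared keys; returns {domain: cluster root}."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x
    for rec in records:
        for key in link_keys(rec):
            parent[find(rec["domain"])] = find(key)  # merge domain's set with key's set
    return {rec["domain"]: find(rec["domain"]) for rec in records}

def co_network(records):
    """Unsuspended domains sharing a cluster with a confirmed-abusive one: flag for review."""
    root = cluster(records)
    bad_roots = {root[r["domain"]] for r in records if r["abusive"]}
    return sorted(r["domain"] for r in records if not r["abusive"] and root[r["domain"]] in bad_roots)
```

A flagged domain is a candidate for manual review, not an automatic suspension; that is where the false-positive checks described later on this page apply.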

Discussion

Directi’s strengthened abuse team continues to review complaints and revoke privacy protection for abusive domain names, while also forwarding each complaint to the registrar for which Directi provides software and other services so that it can take action. Where reports of abuse emerge from security community blogs or forums, Directi is now proactively searching for such comments and investigating any issue that may involve Directi or a reseller.

One advantage of this exercise has been the development of active communication channels between us and the community. We've been able to refresh contacts with organizations such as StopBadware, Knujon, CastleCops, Spamhaus and Artists Against 419, among others, sharing intelligence on abuse activity.

In scouring for more such cases, however, every emphasis is placed on avoiding false positives. With this in mind, and with a view to net neutrality, all actions are based on the ACM (Association for Computing Machinery) Code of Ethics, http://www.acm.org/about/code-of-ethics, e.g.

1.2 Avoid harm to others.

"Harm" means injury or negative consequences, such as undesirable loss of information, loss of property, property damage, or unwanted environmental impacts. This principle prohibits use of computing technology in ways that result in harm to any of the following: Internet users, and the general public.


An active list of directly suspended domains is available for download from HostExploit.com.

HostExploit and Directi have agreed to maintain their cooperative collaboration to clamp down on spam and other forms of abuse on the Internet as rapidly as possible. HostExploit confirms that they are pleased to work directly with the Directi abuse desk in helping Directi identify any miscreants that may be using Directi's services. The partnership includes sharing investigative processes and intelligence data on an ongoing basis.

We welcome any concerns or reports related to abuse of Directi’s registry services; please forward them to abuse(at)directi.com or admin(at)hostexploit.com.

Together with the community we hope to continue taking steps to make the Internet a better and safer place.