KnujOn Updates Top 10 Spam-Friendly Registrars List

alphadogg writes "Some companies are more popular than others for spammers wanting to register their domain names. Spam-fighting organization KnujOn has updated its report on the top 10 registrars whose customers are linked to spam and other illicit activity. (We discussed the original report last year.) These 10 companies registered 83% of the domains spammed in KnujOn's sample of spam between June and January. KnujOn found that some companies have cleaned up their act in recent months and that others — most surprisingly, Network Solutions and GoDaddy sister company Wild West domains — have popped up on the list. At the top of KnujOn's list, for the second time in a row, is Xinnet.com, a Chinese registrar linked to more than 3 million spam messages. KnujOn recommends that ICANN threaten to pull Xinnet's accreditation, as it did for some of the offenders on the previous list."

Excellent

[Phroggy (441)]

The registrar I use has dropped off the list. I no longer have any qualms about signing up for a reseller account with them. :-)

It's Not the Registrars, it's the System

[fm6 (162816)]

Maybe some registrars are more spam-friendly than others, but as long as domains are so absurdly cheap, there's not a lot registrars can do to prevent abuse. If they freeze one domain, the spammer or phisher or whatever just spends a few bucks to get another one.

Ever get spam from Continental Who's Who? They use a different domain name with every daily email!

Not that I think it will ever happen, but I'd dearly love to go back to when domain registration was a monopoly, and a second level domain cost you $50 a year. That's not a lot compared to the cost of maintaining a high-visibility web site — and low-visibility sites don't need second level domains. This situation ended when people started whining about getting "ripped off" by registrars. Opening up competition brought registration fees down, but it also destroyed service levels and enabled another kind of ripoff: squatters who can afford to register thousands of domains on the off chance that somebody might be willing to pay a few thousand bucks to use them.

Re:It's Not the Registrars, it's the System

[MightyYar (622222)]

Maybe some registrars are more spam-friendly than others, but as long as domains are so absurdly cheap, there's not a lot registrars can do to prevent abuse.

They can have an automated call-back system like my bank does... that way even if the credit card they are using is stolen, they'd still have to provide a phone number each time they register a domain.

It would be trivial to track purchasing behavior based on phone numbers, and this would force spammers to somehow get access to a new phone number each time... raising their cost somewhat.

Re:

[fm6 (162816)]

It would be trivial to track purchasing behavior based on phone numbers, and this would force spammers to somehow get access to a new phone number each time... raising their cost somewhat.

http://www.tossabledigits.com/ [tossabledigits.com]

Re:

[MightyYar (622222)]

That's pretty good, and sort of what I was talking about upping their cost a bit.

But I can think of some countermeasures. It's an arms race... there's no solution that will one day solve spam, you just have to keep making it more expensive for them.

Re:It's Not the Registrars, it's the System

[Coopjust (872796)]

Abuse WILL happen, but Xin Net went beyond having a lot of people registering spam domains with it. They would suspend domains when KnujOn and others asked, and would then give them back to the spammers. Additionally, Xin Net keeps letting the SAME abusive customers with the same WHOIS data keep registering new domains.

Re:

[fm6 (162816)]

So what? It's not that hard to fake registration data. The registration data for my own web site is bogus, because I registered it before registrars started offering anonymous registration.

Re:

[Coopjust (872796)]

You're not supposed to do that. Your domain could be suspended until you update the data, and even possibly revoked.

Re:

[fm6 (162816)]

Right, and when was the last time you heard of that happening to anybody?

A long time ago, when I was still silly enough to think I could help stamp out spam one spammer at a time, I looked up the whois entry for somebody who was spamming me. The phone number was useless (don't recall whether it was bogus or just didn't pick up) so I found out who lived at the address given and called them. It was an old woman who didn't even own a computer.

I presented this evidence to the registrar — and got nowhere.

Re:

[fm6 (162816)]

Congratulations! Your email to my registrar forced me to correct my registration info. Now that you've forced me to Do Things Right, you only have 1,532,438,221 bogus registrations to go before you've totally cleaned up the registration system!

Then again, all I did was click a button that set all my contact info to the "anonymous" values they provide. (They didn't provide this service when I first registered.) So I've just replaced one set of useless data with another.

But while I was doing this I noticed th

Re:

[Coopjust (872796)]

The whole point of WHOIS is to have a liable, legal contact. If you got a notice of infringement of copyright or something- for whatever reason- they'd send it to your WHOIS info. The whole point of WHOIS info is to have accountability.

And the reason the registrar made you change your WHOIS info is, if they allow customers to repeatedly use fake WHOIS info, they could lose their accreditation. Any legit domains could be moved to a compliant registrar, while the spam domains get revoked.

Oh, and people

Re:

[crow (16139)]

You don't need to raise the price, just raise the minimum initial price. If it's currently $10/year, leave it at that price, but set an initial minimum 5-year registration. For real domains, that's fine. For spammers and squatters, that's a significant bump in their costs.

Re:

[fm6 (162816)]

Actually, it's a lot less than $10 if you register a lot of domains at once. And no, forcing squatters to buy multiple years at once won't raise their average costs much, because squatters often hold on to their domains for years before finding a buyer. I suppose spammers might be hurt, but given the scale of the spam business, not by much.

Anyway, what is the big deal about $50 a year? If your web site has any volume at all, it's costing you thousands to to keep the lights on. The day when you could host a

Re:

[Tanktalus (794810)]

Anyway, what is the big deal about $50 a year? If your web site has any volume at all, it's costing you thousands to to keep the lights on.

Really? I bought in to DreamHosts's new-year's special: $64.44US for two years, including domain name. I would think that if domains were $50/yr instead of $10/yr, I'd likely not have received such a low price. Even at their best rate (bought ahead of time) of $6/month, a jump in registration price of $40/yr (approx $3/month) would likely be noticeable.

Re:

[fm6 (162816)]

Yes, and DreamHost is so reliable.

That was sarcasm. I used to use them, and bailed after not being able to get my email with any reliability for days at a time. And while they offer uncapped bandwidth, I'm dubious of their ability to actually provide it. Couldn't say for sure, because I never served that many bits.

That "best price" you mention requires a ten year up front payment. Having walked away from $60 or so in advance payments I'd already made to them, I'd think twice about giving them $700.

I'll say

To summarize the summary, people are the problem.

[argent (18001)]

and low-visibility sites don't need second level domains

Long-lasting websites need domains at whatever level puts them outside the control of a single ISP or ASP. If that's the second level, then that means they need SLDs. If there's a third level that you can just register a domain under without being tied to a given ISP (eg, state.us), then they need that kind of third level domain.

The thing is, if you made SLDs unaffordable, then there would be a demand for reliable third-level registrars, and many many

Re:

[fm6 (162816)]

The thing is, if you made SLDs unaffordable, then there would be a demand for reliable third-level registrars, and many many people would switch to using reliable 3LD registrars, and the same problem would exist at the third level instead of the second.

Yes, but then you'd have an easy way to identify domains from a spam-friendly registrar: just look at the 3LDN. You can't do that with 2LDNs registered by Wild West (not without a whois lookup, which adds too much overhead) and even if you could, you'd end up filtering a lot of innocent sites.

Anyway, I question your definition of $50/year as "unaffordable." Even annual hosting costs on a minimal web site are more than that. Most people who maintain real web sites could easily afford it. A few would switch

Re:

[argent (18001)]

Yes, but then you'd have an easy way to identify domains from a spam-friendly registrar: just look at the 3LDN.

You mean like .co.uk?

and even if you could, you'd end up filtering a lot of innocent sites

Um, why would you not expect that to be a problem for 3LD registrars?

Anyway, I question your definition of $50/year as "unaffordable."

Oh, sorry, I thought that was just an example. If you want to keep spammers from buying and throwing away domains you need to make it too expensive for them, and I doubt $50 wou

Re:

[fm6 (162816)]

Um, why would you not expect that to be a problem for 3LD registrars?

Because if everybody's getting spam from *.welovespam.com, nobody's going to want to register in that namespace.

If you want to keep spammers from buying and throwing away domains you need to make it too expensive for them, and I doubt $50 would be enough to do the job... and once you get the price high enough to deter spammers, it's going to deter non-spammers as well.

To be honest, I suppose I'm really bitching about the fact that people decided that registration costs were too high, and bitched about it until the marketplace was made competitive. This meant you could renew your domain for a small annual fee, but also that you can't get a really useful domain name without paying a lot of money to a squatter. Ironic, no?

But back to spammers. Spam is profitable b

Re:

[argent (18001)]

Because if everybody's getting spam from *.welovespam.com, nobody's going to want to register in that namespace.

With Tucows and other people offering reseller-in-a-box packages, you really would just be pushing the problem one level down. It wouldn't be "*.welovespam.com", it would be a "*.cool.com" that had 30,000 legitimate domains by the time one of their resellers turned pink.

But for me, the $50 figure always comes to mind, because I remember everybody whining about it when Network Solutions had a monop

Re:

[fm6 (162816)]

Oh well, OK then. I still want to go back to expensive domain names (I'll see to it after I've finished selling skis to Satan) but I'll concede that it probably wouldn't impact spam much. Then again, nothing will, short of a meaningful ID infrastructure so that somebody who wants to send you email has to actually identify themselves. So all this ranting against "spam-friendly" service providers is really silly.

$50 was the price charged by NS when .com and the other major domains were first invented. I forge

Re:

[argent (18001)]

Extending the TCPA to cover spam, so you could sue spammers in small claims court for $250/incident, like you can sue telemarketers, would probably do the trick. But it'll never happen.

Re:

[fm6 (162816)]

How do you bring somebody to small claims court who lives in Russia or Nigeria? How do you even trace the origin of spam from a botnet?

Re:

[argent (18001)]

The biggest source of spam is the united states. If you could effectively eliminate US spam it would have a huge and permanent impact on the spamosphere.

You don't need to trace the origin cold, or even at all. For a spammer to make money he has to tell the customer how to find him. You follow the money.

We don't like you so pull their accreditation

[LordKaT (619540)]

While I'm not saying that spam is good by any means, the argument of "we don't like you so ICANN should pull your accreditation" is a fairly stupid one.

Now, if they're involved in something illegal - not annoying/immoral - then I'd like to see that argument made; however, the argument KnujOn currently makes is "we don't agree with how you're running your business, so we think you should be put out of business."

That, I believe, is pretty fucking stupid.

Re:We don't like you so pull their accreditation

[MightyYar (622222)]

IIRC, the contractual basis that they are going after is whois records. The spam-friendly registrars obviously have fraudulent whois records, which is a breach of their contract with ICANN.

Spammers will not have legit whois records because this would probably result in their arrest :)

Re:We don't like you so pull their accreditation

[cream wobbly (1102689)]

This is the most retarded backlash I've heard.

Any accreditation scheme is a method for industry regulation. This is why we *have* accreditation: it functions at a higher ethical standard than legality. So while it's perfectly legal for an unlicensed plumber to do work in your home, it's not guaranteed the work will be up to an acceptable standard. If the work is substandard and damages your home, you can sue, but most people don't want to run the risk of possibly having damage to their home and subsequent legal action. A licensed plumber, on the other hand, must work to certain standards. While the industry is in a completely different league (barring "series of tubes") I am comparing apples to apples here.

It's simple: if a company doesn't fulfill the standards for accreditation, then of course they should be booted, and have to work twice as hard to regain that accreditation.

If the accreditation body only pulls membership based on the legality of what a member is doing, then what is the point of their existence? They're leaving all the work to the legal authorities and doing precisely none themselves.

Re:

[repetty (260322)]

> Now, if they're involved in something illegal - not annoying/immoral -
> then I'd like to see that argument made; however, the argument KnujOn
> currently makes is "we don't agree with how you're running your
> business, so we think you should be put out of business."

In a lot of places, spam and other forms of service/resource theft ARE illegal.

Just thought I'd point that out.

It's like retail shoplifting.... you and I both pay higher prices so retail stores can cover their shoplifting losses. Spa

actually...

[damn_registrars (1103043)]

if they're involved in something illegal

A lot of spam currently involves the illegal sale of (often bogus or counterfeit) drugs and (usually pirated) software. the registrars know this, too. But they continue to do business with these criminals anyways - why? Because they make money off of it, of course.

Re:We don't like you so pull their accreditation

[cream wobbly (1102689)]

You should probably take a look at the Google Message Security ROI calculator [google.com]. You might learn a thing.

Probably not two. That'd be too much to expect.

Surprising?

[fuzzyfuzzyfungus (1223518)]

Since when is the news that a GoDaddy sister company called "Wild West" doesn't have the most stringent anti-spam procedures surprising? The only surprise is that they weren't on the list already.

Color me confused?

[javelinco (652113)]

I notice that #3 is Network Solutions. Then I look at the graphs, and they aren't listed at all. Are they using a different name for them in the graphs?

Re:

[javelinco (652113)]

Thank you.

I'd love to see this in SpamAssassin or a URIBL

[Khopesh (112447)]

I actually do something similar for my greylisting solution, scraping the SpamCop top offending /24 CIDR blocks and giving them a longer grey-time [wikidot.com]. It helps cut down on spam drastically.

I also do something similar within SpamAssassin, giving anything in APNIC an extra 0.5 points (with bayes and net). Here's that SA rule if you like:

header KHOP_THRU_APNIC Received =~ /[^0-9.](?:5[89]|6[01]|12[456]|20[23]|21[0189]|22[012])(?:\.[012]?[0-9]{1,2}){3}(\]|\)| )/
describe KHOP_THRU_APNIC Received through a relay in Asia/Pacific Network
score KHOP_THRU_APNIC 0.4 0.2 0.9 0.5 # lowered for autolearn and use w/ BLs

As mentioned by earlier posts here, there are just too many hosts to implement a straight-up blacklist hack like the two I just mentioned. We'd need some easier whois lookup or URIBL mechanism to deal with this. And those registrars are BIG and surely likely to have legitimate sites hosted too, so it must be in its own SpamAssassin test with a lower score.

About damned time...

[damn_registrars (1103043)]

Good to see that more people are starting to pay attention to the role that registrars play in the spamming epidemic that is affecting everyone who uses the internet. Now that people are starting to shine a light on some of the crooked registrars maybe there will be incentive for them to clean up their act.

It's just too bad that these bumbling idiots [internic.org] are the ones tasked with trying to make the registrars fly straight.

Now if we could get some control of the ISPs and hosting companies, we could make some

Python for the win!

[inviolet (797804)]

I saw that this article is tagged:

spam it spam story

...and I immediately heard that British waitress saying "Well, there's spam-it-spam-story, that's not got much spam in it." Wow I need to go outside more often.

We need a converse list.

[geminidomino (614729)]

Where's the list of the white-hat Registrars? I've got my two personal domains coming up for renewal.

Re:

[AndrewNeo (979708)]

That's hardly fair. Just because a domain is under a certain registar doesn't mean they're spammers - my domains are registered under a Wild West Domains subsidiary, and I know a few people that use GoDaddy. I don't need my personal email suddenly being marked as spam on accident because my domains are through one of those registars.
Now, if accreditation were pulled, then obviously I'd want to change registars, and it wouldn't be a problem.

Re:Blacklisting registrars

[MightyYar (622222)]

I don't need my personal email suddenly being marked as spam on accident because my domains are through one of those registars.

I don't think it would work like that... this isn't a list of where the spam comes from... that is presumably bot nets. This is a list of what domains are being advertised in the spam. So, you'd look up the registrar of each domain mentioned in an email. If the registrar is a big spammer, you'd give them a few extra points toward their spam score. Wild West wouldn't get too much of a penalty, since only 0.36% of their domains are spamvertised. On the other hand, anything mentioning a "Planet Online" domain is much more likely to be a spam message... a whopping 39% of their domains have been spammed.

The only way this would harm you is if you send out bulk email to your customers, they are somewhat spam-like, and they don't have you whitelisted.

Re:

[socsoc (1116769)]

a whopping 39% of their domains have been spammed

I would think that a whopping 100% of domains have been spammed. Did you mean that 39% have sent spam?

Re:

[MightyYar (622222)]

No, as I said, the mail does not come from the domains... it comes from bot-nets. However, 39% of their domains have been mentioned in spam. I probably should have used the word "spamvertised".

In any case, filtering your mail by giving a high score to any mail with one of their domains in the body would probably be a good move :)

Re:

[Presto Vivace (882157)]

I am with Register.com, so I certainly don't want all of its URLs blocked. There is too much innocent third party damage with that system.

Re:

[El Yanqui (1111145)]

I have some exciting offers for you and your penis. Please post your email address since you don't mind receiving them!

Re:

[geminidomino (614729)]

I hate any kind of spam filter that just blocks email. Email should always be received in the worst case it should go to a junk folder.

Spoken like someone who has never administered a mail server for more than 3 users.

Spam/Email Marketing is not bad compared to most things. Deal with it!!!

Spoken like a spammer.

Bug

[pavon (30274)]

Subscribers get to see articles before they are posted on the main site (but they can't comment on them till they go live). To make it obvious that these were stories that havn't gone live yet, they are displayed with a red title. At some point in the transition to the new firehose-integrated index page, this code was broken and now sometimes live stories will be displayed with the red title. It's been like this for months, however, it appears that the slashdot team would rather spend time ruining the profi

DON'T Protest KnujOn

[Coopjust (872796)]

One responsibility of a registrar is to try to stop fraudulent domain sales.

In this case, some of these companies (Xin Net in particular) keep allowing the same spammers with the same obviously fake Whois info keep registering new domains. And Xin Net has suspended domains when KnujOn and others report them, and shortly afterwards, give them back to the same spammers.

Re:

[MightyYar (622222)]

I think you should protest by forwarding them all of your spam.

Re:

[Ironica (124657)]

Sounds like someone makes a lot of money off of spam...

Re:

[Ironica (124657)]

Who cares? I do. A lot of people do. You, on the other hand, seem to have an investment in keeping spamming easy and cheap. Let me guess where your paycheck comes from...

Re:

[Coopjust (872796)]

You ignore several facts:
-The criminals at these registrars often used the same bogus contact info to register domains 1000+ times. They won't provide real info. A good registrar would suspend the domains of customers doing that until they provided real info - since the spammers wouldn't, they'd lose the domains. If the domains last hours instead of weeks, it's lost sales for the spammers, cost & time to register the new domain, and need to send out more spam with the new site.
-If registrars WON'T com