KnujOn Updates Top 10 Spam-Friendly Registrars List

alphadogg writes "Some companies are more popular than others for spammers wanting to register their domain names. Spam-fighting organization KnujOn has updated its report on the top 10 registrars whose customers are linked to spam and other illicit activity. (We discussed the original report last year.) These 10 companies registered 83% of the domains spammed in KnujOn's sample of spam between June and January. KnujOn found that some companies have cleaned up their act in recent months and that others — most surprisingly, Network Solutions and GoDaddy sister company Wild West domains — have popped up on the list. At the top of KnujOn's list, for the second time in a row, is Xinnet.com, a Chinese registrar linked to more than 3 million spam messages. KnujOn recommends that ICANN threaten to pull Xinnet's accreditation, as it did for some of the offenders on the previous list."

Excellent

The registrar I use has dropped off the list. I no longer have any qualms about signing up for a reseller account with them. :-)

It's Not the Registrars, it's the System

Maybe some registrars are more spam-friendly than others, but as long as domains are so absurdly cheap, there's not a lot registrars can do to prevent abuse. If they freeze one domain, the spammer or phisher or whatever just spends a few bucks to get another one.

Ever get spam from Continental Who's Who? They use a different domain name with every daily email!

Not that I think it will ever happen, but I'd dearly love to go back to when domain registration was a monopoly, and a second level domain cost you $50 a year. That's not a lot compared to the cost of maintaining a high-visibility web site — and low-visibility sites don't need second level domains. This situation ended when people started whining about getting "ripped off" by registrars. Opening up competition brought registration fees down, but it also destroyed service levels and enabled another kind of ripoff: squatters who can afford to register thousands of domains on the off chance that somebody might be willing to pay a few thousand bucks to use them.

Re:It's Not the Registrars, it's the System

Maybe some registrars are more spam-friendly than others, but as long as domains are so absurdly cheap, there's not a lot registrars can do to prevent abuse.

They can have an automated call-back system like my bank does... that way even if the credit card they are using is stolen, they'd still have to provide a phone number each time they register a domain.

It would be trivial to track purchasing behavior based on phone numbers, and this would force spammers to somehow get access to a new phone number each time... raising their cost somewhat.

Re:

It would be trivial to track purchasing behavior based on phone numbers, and this would force spammers to somehow get access to a new phone number each time... raising their cost somewhat.

http://www.tossabledigits.com/ [tossabledigits.com]

Re:It's Not the Registrars, it's the System

Abuse WILL happen, but Xin Net went beyond having a lot of people registering spam domains with it. They would suspend domains when KnujOn and others asked, and would then give them back to the spammers. Additionally, Xin Net keeps letting the SAME abusive customers with the same WHOIS data keep registering new domains.

Re:

So what? It's not that hard to fake registration data. The registration data for my own web site is bogus, because I registered it before registrars started offering anonymous registration.

Re:

You don't need to raise the price, just raise the minimum initial price. If it's currently $10/year, leave it at that price, but set an initial minimum 5-year registration. For real domains, that's fine. For spammers and squatters, that's a significant bump in their costs.

Re:

Actually, it's a lot less than $10 if you register a lot of domains at once. And no, forcing squatters to buy multiple years at once won't raise their average costs much, because squatters often hold on to their domains for years before finding a buyer. I suppose spammers might be hurt, but given the scale of the spam business, not by much.

Anyway, what is the big deal about $50 a year? If your web site has any volume at all, it's costing you thousands to to keep the lights on. The day when you could host a

To summarize the summary, people are the problem.

and low-visibility sites don't need second level domains

Long-lasting websites need domains at whatever level puts them outside the control of a single ISP or ASP. If that's the second level, then that means they need SLDs. If there's a third level that you can just register a domain under without being tied to a given ISP (eg, state.us), then they need that kind of third level domain.

The thing is, if you made SLDs unaffordable, then there would be a demand for reliable third-level registrars, and many many

We don't like you so pull their accreditation

While I'm not saying that spam is good by any means, the argument of "we don't like you so ICANN should pull your accreditation" is a fairly stupid one.

Now, if they're involved in something illegal - not annoying/immoral - then I'd like to see that argument made; however, the argument KnujOn currently makes is "we don't agree with how you're running your business, so we think you should be put out of business."

That, I believe, is pretty fucking stupid.

Re:We don't like you so pull their accreditation

IIRC, the contractual basis that they are going after is whois records. The spam-friendly registrars obviously have fraudulent whois records, which is a breach of their contract with ICANN.

Spammers will not have legit whois records because this would probably result in their arrest :)

Re:We don't like you so pull their accreditation

This is the most retarded backlash I've heard.

Any accreditation scheme is a method for industry regulation. This is why we *have* accreditation: it functions at a higher ethical standard than legality. So while it's perfectly legal for an unlicensed plumber to do work in your home, it's not guaranteed the work will be up to an acceptable standard. If the work is substandard and damages your home, you can sue, but most people don't want to run the risk of possibly having damage to their home and subsequent legal action. A licensed plumber, on the other hand, must work to certain standards. While the industry is in a completely different league (barring "series of tubes") I am comparing apples to apples here.

It's simple: if a company doesn't fulfill the standards for accreditation, then of course they should be booted, and have to work twice as hard to regain that accreditation.

If the accreditation body only pulls membership based on the legality of what a member is doing, then what is the point of their existence? They're leaving all the work to the legal authorities and doing precisely none themselves.

Re:

> Now, if they're involved in something illegal - not annoying/immoral -
> then I'd like to see that argument made; however, the argument KnujOn
> currently makes is "we don't agree with how you're running your
> business, so we think you should be put out of business."

In a lot of places, spam and other forms of service/resource theft ARE illegal.

Just thought I'd point that out.

It's like retail shoplifting.... you and I both pay higher prices so retail stores can cover their shoplifting losses. Spa

actually...

if they're involved in something illegal

A lot of spam currently involves the illegal sale of (often bogus or counterfeit) drugs and (usually pirated) software. the registrars know this, too. But they continue to do business with these criminals anyways - why? Because they make money off of it, of course.

Re:We don't like you so pull their accreditation

You should probably take a look at the Google Message Security ROI calculator [google.com]. You might learn a thing.

Probably not two. That'd be too much to expect.

Surprising?

Since when is the news that a GoDaddy sister company called "Wild West" doesn't have the most stringent anti-spam procedures surprising? The only surprise is that they weren't on the list already.

Color me confused?

I notice that #3 is Network Solutions. Then I look at the graphs, and they aren't listed at all. Are they using a different name for them in the graphs?

I'd love to see this in SpamAssassin or a URIBL

I actually do something similar for my greylisting solution, scraping the SpamCop top offending /24 CIDR blocks and giving them a longer grey-time [wikidot.com]. It helps cut down on spam drastically.

I also do something similar within SpamAssassin, giving anything in APNIC an extra 0.5 points (with bayes and net). Here's that SA rule if you like:

header KHOP_THRU_APNIC Received =~ /[^0-9.](?:5[89]|6[01]|12[456]|20[23]|21[0189]|22[012])(?:\.[012]?[0-9]{1,2}){3}(\]|\)| )/
describe KHOP_THRU_APNIC Received through a relay in Asia/Pacific Network
score KHOP_THRU_APNIC 0.4 0.2 0.9 0.5 # lowered for autolearn and use w/ BLs

As mentioned by earlier posts here, there are just too many hosts to implement a straight-up blacklist hack like the two I just mentioned. We'd need some easier whois lookup or URIBL mechanism to deal with this. And those registrars are BIG and surely likely to have legitimate sites hosted too, so it must be in its own SpamAssassin test with a lower score.

Re:

That's hardly fair. Just because a domain is under a certain registar doesn't mean they're spammers - my domains are registered under a Wild West Domains subsidiary, and I know a few people that use GoDaddy. I don't need my personal email suddenly being marked as spam on accident because my domains are through one of those registars.
Now, if accreditation were pulled, then obviously I'd want to change registars, and it wouldn't be a problem.

Re:Blacklisting registrars

I don't need my personal email suddenly being marked as spam on accident because my domains are through one of those registars.

I don't think it would work like that... this isn't a list of where the spam comes from... that is presumably bot nets. This is a list of what domains are being advertised in the spam. So, you'd look up the registrar of each domain mentioned in an email. If the registrar is a big spammer, you'd give them a few extra points toward their spam score. Wild West wouldn't get too much of a penalty, since only 0.36% of their domains are spamvertised. On the other hand, anything mentioning a "Planet Online" domain is much more likely to be a spam message... a whopping 39% of their domains have been spammed.

The only way this would harm you is if you send out bulk email to your customers, they are somewhat spam-like, and they don't have you whitelisted.

Bug

Subscribers get to see articles before they are posted on the main site (but they can't comment on them till they go live). To make it obvious that these were stories that havn't gone live yet, they are displayed with a red title. At some point in the transition to the new firehose-integrated index page, this code was broken and now sometimes live stories will be displayed with the red title. It's been like this for months, however, it appears that the slashdot team would rather spend time ruining the profi

DON'T Protest KnujOn

One responsibility of a registrar is to try to stop fraudulent domain sales.

In this case, some of these companies (Xin Net in particular) keep allowing the same spammers with the same obviously fake Whois info keep registering new domains. And Xin Net has suspended domains when KnujOn and others report them, and shortly afterwards, give them back to the same spammers.

Re:

I think you should protest by forwarding them all of your spam.

Re:

Sounds like someone makes a lot of money off of spam...

Re:

Who cares? I do. A lot of people do. You, on the other hand, seem to have an investment in keeping spamming easy and cheap. Let me guess where your paycheck comes from...