Should we be honoring clientHolds for certain Registrars?

Should we be honoring clientHolds for certain Registrars?

We’ve become aware that the domain suspension system is being gamed. Once we become aware that a malicious domain is targeting consumers, we list it in our database.

We also have some free sub-domains and free URLs to content, but this discussion doesn’t include them.

Up until now, we’ll submit reports to certain registrars who would suspend them. Likewise certain Registries monitor our database and upon a listing by us would investigate and suspend these domains. These Registrars and Registries are invaluable allies in the fight against fraud.

However, many Registrars insist upon individual reports using web forms etc. Some insist that anti-phishing reporting mechanisms be used (we’re not dealing with phishing incidents, we’re dealing with advance fee fraud).  Some Registrars insist the hosting provider or reseller be contacted. Many parties report these incidents using these mechanisms and methods, yet this is where the games begin.

History is gold! We constantly find bad actors abusing the DNS system, registering domains with fake registration details, re-hosting domains once an abuse report has been sent. Most recently we again uncovered one such party going back to 2006. In all the whack-a-mole host hopping, we also noticed patterns where certain facilities were always used. As our investigative techniques evolved, we eventually became aware of large scale facilitation. The very parties some registrars expect us to report to are the ones making a living out of designing malicious websites.  They’re registering domains for these and then hosting them for their clients, the Faker Makers. Some are official resellers of certain registrars. This is big business in West Africa. While a large portion of the ICANN community wishes to deny the existence of DNS abuse in advance fee fraud, the ICANN contracted parties reseller channel is contaminated and deliberate facilitation for advance fee fraud exists.

We’ve not even delved into the reseller channel being gamed for the more common bullet proof hosting. Here the domain reseller will allow their facilities to be abused for the registration of malicious domains, turning a blind eye to the abuse that follows.

We’ll reveal how we manage entries in our database. But let’s first show what is publicly visible:

An entry in our database has either active or expired status, matching the domain status. An expired entry will show (expired) after the URL.

Expired Entries
Expired Entries

If an entry isn’t marked expired, the public view will show as either active, dead or hold statuses.

  • Hold is the only real way that we can guarantee that the malicious domain owner can’t abuse the domain. This is where a domain shows in the Registry to be either a ClientHold or ServerHold status ,  indicating either the registry or registrar suspended this domain. This means the domain won’t resolve and can’t be abused for email or hosting purposes.
  • Dead is a status we assign where some other method exists that may indicate the domain is disabled. However this isn’t foolproof and this system is open to manipulation. Traditionally we accepted the word of a registrar or a hoster in good faith. Yet these methods haven’t stood the test of time. Supposedly dead domains were suddenly found to have active content on sub-domains. We’d receive a victim report showing how the domain was involved in email communications. The problem was  there’s no transparency in how the abuse is mitigated and our good faith belief was abused to the detriment of the consumer. This eventually led to a policy decision of drop-dead, i.e. we won’t assign such a status on good faith. There has to be a measurable metric for us to consider an entry dead. One exception we make is for a registrar to change the domain’s DNS to a well known suspension DNS entry (a shadow database suspension status). This status can be evaluated as a known status. However no published policies or rules exists on how the registrar expects such entries to be evaluated and is open to gaming. In this class we also put numerous ccTLDs that may show suspension statuses. The bigger issue here is that, unlike gTLDs, these domains have been observed to jump back to life again. Despite policies, West African and Cameroonian syndicates do play in these registries and we see constant abuse.
  • Active is where the domain doesn’t meet the previous two criteria for not being able to be abused. This has led to critique that this doesn’t acknowledge the positive role a hoster might play in abuse mitigation. However, unlike a hacked website, we’re discussing malicious domains under the control of malicious actors. It’s trivially easy for the domain owner to re-host content elsewhere. One fake lawyer website changed hosting providers 27 times!


How do we manage all this data for active entries?

Where we submit known malicious domains for evaluation to a registrar, we have tools to evaluate the sent list and our database is updated accordingly.

We also have automated processes that check each non-expired entry at least once per week (more on this later). Using Whois, DNS and other defined triggers, we first check the Active entries:

  • Any Active domain that’s gone onto a ClientHold or ServerHold is updated to Hold.
  • Active entries that have Expired are set to Expired and are no longer maintained.  We also filter for non-existent (AGP drops) domains in this step, or domains that may have expired we may have otherwise missed. The entry shows the (expired) status.
  • Active domains whose name servers change to pre-defined name servers are set to Dead.
  • Active domains not resolving at MX and A record levels are flagged for investigation. This is a manual process and may lead to a Dead status.

Domains that were set to Hold are similarly scanned.

  • The Expired process mentioned is again followed.
  • We also monitor for changes from a hold back to active.

This event may be found in UDRP procedures where a successful UDRP will lead to an Expired status.

We also see this change of status where a domain goes into the reseller market, typically after expiry.

But here we also clearly see other games being played. Once we’ve flagged such a domain as Hold, the clientHold is silently removed despite the usage being incriminating and malicious.  One registrar where we see this even asked us “who are you?”, but apparently their reseller clients clearly understands the answer to that. Ignorance is bliss where the registrar chooses to distance themselves from the abuse as “content issues only”. It’s no irony that this registrar is consistently in the top-five most abused Registrars list.

Dead domains are also monitored. This mechanism depends on WHOIS, DNS checks and also sleuth checks (we won’t discuss these as this might make them moot).

  • Any expired domain is marked as expired.
  • Dead domains that change DNS servers from predefined name servers to others, are flagged for manual investigation.
  • Any other pre-defined triggers also flags the domain for manual investigation.

Any change or registry date also triggers investigation. Despite well published ICANN policies, we do observe policy deviations.

Having clear, consistent and standardized methods to disable domain abuse is vital. Without this we head into a Babylon of misunderstanding and gaming of any system. DNS abuse is not merely hosting abuse or content issues. Advance Fee Fraud isn’t hacking and phishing. There seems to be an unwillingness in certain quarters to game reality for profit, allowing abuse. This is the beast that fuels not only Advance Fee Fraud, but also Romance Scams and BEC. We understand the nature of the abuse, the methods used by malicious actors and what will or won’t work. We understand why regular reports published by government law enforcement departments shows shocking increases in consumer facing fraud losses. This is to be expected and predictable where abuse of a crucial layer of the internet, DNS, is allowed to be gamed for profit, even excuses made for it.

Artists Against 419 has developed a system that monitors as per published DNS standards, also against a gaming of the standards.

Ultimately we’re trying to protect the consumer and small business against fraud. If a Registrar willy-nilly flicks abusive domains onto hold and removes it again despite clear evidence of harm, this is putting the consumer at risk. The same happens where any Registrar allows this to happen in their reseller channel. We rate limit our registry queries to meet best practices at the insistence of the Registry community. Yet the same community allows abuse of their Registry by certain Registrars. We can’t check each domain daily as this would be seen as abusive. Yet where does the abuse start and who can end it?

Should we be honoring ClientHolds for certain Registrars, or rather start publishing a list of Registrars where we don’t honor such holds?



Comments are closed.