[At-Large] [ALAC] Fwd: A million domains taken down by email checks

RJ Glass jipshida2 at yahoo.com
Wed Jul 9 01:26:17 UTC 2014


I agree, Christian.

So the rationale goes like this....

Registrants pay money for a service, yet is required to go through EVERYONE having access to the records.  So now, the domain owner is spammed by EVERYONE because they can.  Then, when a legitimate email shows up, the owner is magically required to know that this is actually a legit email and a link must be clicked in order to keep your domain active.

For real?  


There is no reason.  None.  At all. For anyone to need a domain owner's contact information.  The information is stored with the registrar, and if it is necessary, the registrar can contact the owner.  If there is some majestic bot that is sending out bogus data or malicious code, the server rather than the domain itself is the responsible party.  Therefore, contact the server administrator/provider.

My $0.02....

RJ Glass
A at L




On Monday, July 7, 2014 8:44 AM, Derek Smythe <derek at aa419.org> wrote:
 

>
>
>Very well said Evan, +1
>
>What this is essentially saying is that we have 800 thousand /1
>million driverless vehicles moving about on our information
>super-highway. Definitely a scary place to drive ...
>
>------------------
>True story #1:
>An online shop in Canada is hacked. Phishers plant a phishing kit.
>Abuse reports are sent to the hoster/upstream. Nothing is done. An
>attempt is made to contact the registrant. Email bounces. Telephone
>number - fails.
>
>Eventually the URL is well propagated to blacklists as to make it
>unusable for the phisher. He plants an new phish on the same server.
>This pattern is repeated many times.
>
>Scarier still: This website is wide open to abuse with shell kits and
>other malware. A dump of buyer and account info is also visible - eead
>loss of privacy and personal information, data theft.
>
>Eventually this was resolved outside normal channels after more than
>two months.
>--------------------
>
>The above is not an isolated incident. Those on various mailing lists
>linked to anti-abuse will testify to it. There you will many times
>find requests for somebody at a provider to action ignored abuse
>reports. Trying to rely on hosting providers solely and/or law
>enforcement does not work to protect the causal internet user.
>
>------------------
>True story #2:
>My personal details are being sold in Ireland in violation of EU laws
>or our own. Not being Irish or living in the EU union, the Irish
>regulators aren't responding. All I received is an auto-responder
>response.
>
>I guess they "are sorry to hear about MY problem".
>
>This is despite them having much info I provided them on the
>responsible party using patently fake contact details.
>------------------
>
>This brings us to all those arguing that the actual owner couldn't be
>bothered with putting down real information for various reasons. My
>argument is that if they wish to have a domain name for whatever
>purpose, they should take responsibility for it. By not doing so, we
>could argue the same for abuse teams, any form of abuse reporting and
>the very safety of the net being "somebody else's" problem.
>
>As for rights and responsibilities, the responsibility of the
>registrant to provide accurate and reliable contact data is, and has
>been, mandated in the RAA where the Registrar so specify this right
>from the start. In fact see
>https://archive.icann.org/en/nsi/icann-raa-04nov99.htm#IIJ7
>
>> a. The SLD holder shall provide to Registrar accurate and reliable contact details and promptly correct and update them during the term of the SLD registration
>
>Many registrars have since then deliberately chosen to game/ignore
>this clause and definitely not live up to the spirit of this
>agreement, which in turn has led to much harm.
>
>Sadly most of the common internet users can't be bothered with these
>issues, until such a time that they are affected by them. Having to
>explain "why" a domain that has harmed them can exist with invalid
>contact details despite all the so called agreements, really does not
>reflect well on the credibility of the DNS system.
>
>Further, considering that email addresses are probably the most
>accurate/legitimate part of domain registration details, this whole
>issue paints a scary picture for the casual internet user.
>
>Why does a registrant register a domain with a drdrb.net email
>address, to only later pop up in places like VirusTotal? I guess it is
>to protect his privacy and more.
>
>There may be many reasons why an email address may fail, some of them
>innocent, but ultimately it is the registrant's responsibility to
>ensure it is accurate and reliable. It does not help demonizing law
>enforcement in this regard. There is a reason why we got to this point
>and it started well before the newest provisions in the RAA. I also
>wonder how many innocents were spared misfortune by the proactive
>steps to suspend the domains.
>
>I do however suggest we start a separate topic on reliable email
>address, as this is of concern to many registrants and has a different
>focus than this. I also see a business opportunity in this that
>registrars could use to give them a competitive edge.
>
>Derek Smythe
>
>
>On 2014-07-06 05:57 PM, Evan Leibovitch wrote:
>> I was actually surprised to hear Fadi's comments about this at the Fayre.
>> 
>> I was both dismayed at the stance he took (I recall him saying the incident
>> diminished the standing of "law enforcement") and his choice of venues (one
>> of too many speeches delivered at a social event when many of the
>> participants were winding down after a day of exhaustion).
>> 
>> Had the issue been raised at a time where genuine interaction and
>> thoughtfulness were called for, I suspect Fadi may not have received the
>> anticipated response, as this incident clearly indicates how out of touch
>> ICANN is with the rest of the world,.
>> 
>> *Inside the ICANN bubble:*
>> 
>> * "We are appalled that 800,000 domains were taken down for having
>> non-responsive contact info" *
>> *The rest of the world:* *"Did you just say that 800,000 domains have
>> non-responsive contact info?"*
>> 
>> 
>> The methods of verification and the speed of takedown could be tweaked to
>> ensure that good actors with minor access problems (such as mail going into
>> spam filters, increasing time to respond, forget to change after moving,
>> etc) would not be adversely affected. But the end objective is absolutely
>> welcomed from the non-registrant end-user point of view.
>> 
>> So I personally have zero ethical qualms about the suspensions, noting that
>> the issue has already been inflated for dramatic effect. A claim of 800,000
>> domains becomes a million in the headlines. And then there was this gem:
>> 
>> *"We have stories of healthcare sites that have gone down,"*, chimes Elliot
>> Noss in the CircleID article
>> <http://domainincite.com/16963-a-million-domains-taken-down-by-email-checks>
>> .
>> 
>> I don't know about the rest of you ... but given the sensitivity of
>> information at healthcare sites regarding privacy and accuracy, that
>> category of site is amongst those *most* in need of accurate contact info
>> IMO. So if such sites have non-functional contact info, frankly, I couldn't
>> suspend them fast enough until things are fixed. This attempt at media
>> manipulation backfires.
>> 
>> The salient point is that a contact address is just that, a way to make
>> contact. If it won't work from the registrant's own registrar or registry
>> -- a body with which whom the registrant has a contractual and financial
>> relationship -- it certainly won't work if someone from the public has a
>> question, complaint, or warrant to serve. If policy indicates that contact
>> info must be accurate and current, then that is what needs to be enforced.
>> 
>> When the interests of ICANN and contracted parties are hurt by inaction of
>> registrants -- notably non-payment -- enforcement such as suspension is
>> immediate, automated and non-controversial. (Indeed, it was even once gamed
>> by some contracted parties, which is what led to the PEDNR
>> <http://icannwiki.com/index.php/PEDNR> debate.) But here, the inaction
>> indicates harm to the public interest while enforcement threatens financial
>> loss to ICANN and contracted parties, so all hell breaks loose and Fadi
>> lectures us at the Fayre.
>> 
>> This isn't just a matter of law enforcement, and I am puzzled why that
>> community is being singled out for recrimination. Sure, some chunk of those
>> 800,000 are bad actors in the sense of intending to have unusable contact
>> info. But how many of the others have bad contact info because the domains
>> themselves are neglected and unused, squatted or speculated names that
>> their registrants have just locked away and forgotten? How does that serve
>> the interest of end users to have so many extant but useless domains?
>> 
>> So, by all means, let's engage in a proper dialogue -- not one initiated,
>> almost in passing, at a social event more than halfway into the ICANN
>> meeting. We may all look at this incident and see within it a deep problem,
>> but the problems At-Large identifies may be far different from those seen
>> by the registrars.
>> 
>> Be careful what you wish for. While registrars complaining loudly may score
>> power points inside the bubble (at the expense of public-interest
>> advocacy), outside it just reinforces ICANN's detachment from the rest of
>> the Internet-using world. If news broke that there were 800,000 cars on the
>> road with unusable contact info related to their license plates, public
>> reaction would be loud and ugly no matter what proportion of those cars
>> belonged to criminals.
>> 
>> I look forward to any debate going forward on the issue in At-Large's
>> Regulatory Issues Working Group, which is where I believe any future ALAC
>> stance must be discussed and first formulated.
>> 
>> - Evan
>> _______________________________________________
>> At-Large mailing list
>> At-Large at atlarge-lists.icann.org
>> https://atlarge-lists.icann.org/mailman/listinfo/at-large
>> 
>> At-Large Official Site: http://atlarge.icann.org
>
>> 
>_______________________________________________
>At-Large mailing list
>At-Large at atlarge-lists.icann.org
>https://atlarge-lists.icann.org/mailman/listinfo/at-large
>
>At-Large Official Site: http://atlarge.icann.org
>
>
>


More information about the At-Large mailing list