[At-Large] [ALAC] Fwd: A million domains taken down by email checks
derek at aa419.org
Mon Jul 7 12:23:19 UTC 2014
Very well said Evan, +1
What this is essentially saying is that we have 800 thousand /1
million driverless vehicles moving about on our information
super-highway. Definitely a scary place to drive ...
True story #1:
An online shop in Canada is hacked. Phishers plant a phishing kit.
Abuse reports are sent to the hoster/upstream. Nothing is done. An
attempt is made to contact the registrant. Email bounces. Telephone
number - fails.
Eventually the URL is well propagated to blacklists as to make it
unusable for the phisher. He plants a new phish on the same server.
This pattern is repeated many times.
Scarier still: This website is wide open to abuse with shell kits and
other malware. A dump of buyer and account info is also visible - read
loss of privacy and personal information, data theft.
Eventually this was resolved outside normal channels after more than
The above is not an isolated incident. Those on various mailing lists
linked to anti-abuse will testify to it. There you will many times
find requests for somebody at a provider to action ignored abuse
reports. Trying to rely on hosting providers solely and/or law
enforcement does not work to protect the casual internet user.
True story #2:
My personal details are being sold in Ireland in violation of EU laws
or our own. Not being Irish or living in the EU union, the Irish
regulators aren't responding. All I received is an auto-responder
I guess they "are sorry to hear about MY problem".
This is despite them having much info I provided them on the
responsible party using patently fake contact details.
This brings us to all those arguing that the actual owner couldn't be
bothered with putting down real information for various reasons. My
argument is that if they wish to have a domain name for whatever
purpose, they should take responsibility for it. By not doing so, we
could argue the same for abuse teams, any form of abuse reporting and
the very safety of the net being "somebody else's" problem.
As for rights and responsibilities, the responsibility of the
registrant to provide accurate and reliable contact data is, and has
been, mandated in the RAA where the Registrar so specify this right
from the start. In fact see
> a. The SLD holder shall provide to Registrar accurate and reliable contact details and promptly correct and update them during the term of the SLD registration
Many registrars have since then deliberately chosen to game/ignore
this clause and definitely not live up to the spirit of this
agreement, which in turn has led to much harm.
Sadly most of the common internet users can't be bothered with these
issues, until such a time that they are affected by them. Having to
explain "why" a domain that has harmed them can exist with invalid
contact details despite all the so-called agreements, really does not
reflect well on the credibility of the DNS system.
Further, considering that email addresses are probably the most
accurate/legitimate part of domain registration details, this whole
issue paints a scary picture for the casual internet user.
Why does a registrant register a domain with a drdrb.net email
address, to only later pop up in places like VirusTotal? I guess it is
to protect his privacy and more.
There may be many reasons why an email address may fail, some of them
innocent, but ultimately it is the registrant's responsibility to
ensure it is accurate and reliable. It does not help demonizing law
enforcement in this regard. There is a reason why we got to this point
and it started well before the newest provisions in the RAA. I also
wonder how many innocents were spared misfortune by the proactive
steps to suspend the domains.
I do however suggest we start a separate topic on reliable email
address, as this is of concern to many registrants and has a different
focus than this. I also see a business opportunity in this that
registrars could use to give them a competitive edge.
On 2014-07-06 05:57 PM, Evan Leibovitch wrote:
> I was actually surprised to hear Fadi's comments about this at the Fayre.
> I was both dismayed at the stance he took (I recall him saying the incident
> diminished the standing of "law enforcement") and his choice of venues (one
> of too many speeches delivered at a social event when many of the
> participants were winding down after a day of exhaustion).
> Had the issue been raised at a time where genuine interaction and
> thoughtfulness were called for, I suspect Fadi may not have received the
> anticipated response, as this incident clearly indicates how out of touch
> ICANN is with the rest of the world.
> *Inside the ICANN bubble:*
> *"We are appalled that 800,000 domains were taken down for having
> non-responsive contact info"*
> *The rest of the world:* *"Did you just say that 800,000 domains have
> non-responsive contact info?"*
> The methods of verification and the speed of takedown could be tweaked to
> ensure that good actors with minor access problems (such as mail going into
> spam filters, increasing time to respond, forget to change after moving,
> etc) would not be adversely affected. But the end objective is absolutely
> welcomed from the non-registrant end-user point of view.
> So I personally have zero ethical qualms about the suspensions, noting that
> the issue has already been inflated for dramatic effect. A claim of 800,000
> domains becomes a million in the headlines. And then there was this gem:
> *"We have stories of healthcare sites that have gone down,"*, chimes Elliot
> Noss in the CircleID article
> I don't know about the rest of you ... but given the sensitivity of
> information at healthcare sites regarding privacy and accuracy, that
> category of site is amongst those *most* in need of accurate contact info
> IMO. So if such sites have non-functional contact info, frankly, I couldn't
> suspend them fast enough until things are fixed. This attempt at media
> manipulation backfires.
> The salient point is that a contact address is just that, a way to make
> contact. If it won't work from the registrant's own registrar or registry
> -- a body with which the registrant has a contractual and financial
> relationship -- it certainly won't work if someone from the public has a
> question, complaint, or warrant to serve. If policy indicates that contact
> info must be accurate and current, then that is what needs to be enforced.
> When the interests of ICANN and contracted parties are hurt by inaction of
> registrants -- notably non-payment -- enforcement such as suspension is
> immediate, automated and non-controversial. (Indeed, it was even once gamed
> by some contracted parties, which is what led to the PEDNR
> <http://icannwiki.com/index.php/PEDNR> debate.) But here, the inaction
> indicates harm to the public interest while enforcement threatens financial
> loss to ICANN and contracted parties, so all hell breaks loose and Fadi
> lectures us at the Fayre.
> This isn't just a matter of law enforcement, and I am puzzled why that
> community is being singled out for recrimination. Sure, some chunk of those
> 800,000 are bad actors in the sense of intending to have unusable contact
> info. But how many of the others have bad contact info because the domains
> themselves are neglected and unused, squatted or speculated names that
> their registrants have just locked away and forgotten? How does that serve
> the interest of end users to have so many extant but useless domains?
> So, by all means, let's engage in a proper dialogue -- not one initiated,
> almost in passing, at a social event more than halfway into the ICANN
> meeting. We may all look at this incident and see within it a deep problem,
> but the problems At-Large identifies may be far different from those seen
> by the registrars.
> Be careful what you wish for. While registrars complaining loudly may score
> power points inside the bubble (at the expense of public-interest
> advocacy), outside it just reinforces ICANN's detachment from the rest of
> the Internet-using world. If news broke that there were 800,000 cars on the
> road with unusable contact info related to their license plates, public
> reaction would be loud and ugly no matter what proportion of those cars
> belonged to criminals.
> I look forward to any debate going forward on the issue in At-Large's
> Regulatory Issues Working Group, which is where I believe any future ALAC
> stance must be discussed and first formulated.
> - Evan