[NA-Discuss] Proxy-Privacy Use Higher for Illicit Domains

Garth Bruen at Knujon.com gbruen at knujon.com
Thu Mar 10 17:23:09 UTC 2011


Hello folks, look forward to seeing you all next week.

I have just released a sample of one section of a report to be released next 
Tuesday:

WHOIS issues are looming large for the ICANN meeting next week, starting 
with an all-day WHOIS Policy Review (http://svsf40.icann.org/node/21983) on 
Sunday (background 
https://community.icann.org/display/whoisreview/WHOIS+Background+Information). 
WHOIS is a subject that has been the recent topic of a number of issues 
including a debacle over potentially disclosing the identities of compliance 
reporters to spammers and criminal domainers 
(http://krebsonsecurity.com/2011/03/whois-problem-reporting-system-to-gain-privacy-option). 
For those unacquainted with the purpose of WHOIS, I would recommend Paul 
Vixie's (http://www.circleid.com/members/620/) excellent article 
(http://www.circleid.com/posts/whois_scared/).

One of the controversial sub-issues is privacy-proxy domain registrations 
which allow a registrant to replace their WHOIS details with the contact 
information of a privacy shield company. The privacy-proxy business is a 
nebulous world with no standards and little accountability. Supporters claim 
it protects victims and political activists from attacks and private 
citizens from getting spammed or scammed. Critics, like me, contend it is a 
loose system run on behalf of criminals and spammers. Additionally, the 
illicit use of privacy-proxy erodes the legitimate use. This is compounded 
by the fact that many privacy-proxy services are phantom companies 
themselves.

In September of last year ICANN released the results of a study estimating 
18% usage of privacy-proxy services in the 
gTLD (http://www.icann.org/en/announcements/announcement-14sep10-en.htm) 
(full report 
http://www.icann.org/en/compliance/reports/privacy-proxy-registration-services-study-14sep10-en.pdf). 
However, Knujon (http://www.knujon.com) research has revealed that 
privacy-proxy usage is significantly higher among illicit domain 
registrations. We looked at two specific categories: spammed domains and 
illicit pharmacy domains. The conventional logic has always been that 
spammers and criminals would not waste money on privacy services, that they 
would simply falsify registration data or use "throw-away" free email 
addresses. We know this is not the case. One section of a report KnujOn will 
issue on Tuesday March 15th will show 33% usage of privacy-proxy 
registrations for domains advertised in spam and 39 to 51% usage among 
illicit pharmacy domains.

KnujOn studied 13,277 repeatedly spammed domains over six months and found 
that among the general population, most registrants used unmonitored or 
false yahoo.com, gmail.com, hotmail.com, and other free-email accounts in 
the registration. However, six out of the top ten spam registrations were 
through Registrar-sponsored privacy services. Also, 31 of all the 152 
registrant email domains collected were privacy services.

For illicit pharmacy domains, the numbers are even more interesting. Once 
again gmail, yahoo, hotmail and aol "throw-aways" were most popular but 15 
out of the top 20 contact emails used were at privacy services, most were 
the services offered by the sponsoring Registrar. Among the general 
population of 27,414 illicit pharmacy domains studied 39% used 
privacy-proxy. Within the 50th percentile there is 45% privacy usage, in the 
25th percentile it is 48%. Among the top 50 contact email domains 51% were 
privacy services. The most used privacy services had 8,380 illicit 
pharmacies as customers.

For some, the question still remains, why pay for a privacy service when 
bogus WHOIS information is easy to use? There are a variety of reasons. 
First, it adds another layer of obfuscation to confound investigators. A 
separate KnujOn study found that over 100 illicit pharmacy domains that had 
the privacy service removed after complaints had false WHOIS underneath. A 
second reason is that it provides additional cover for illicit registrants 
by creating an unaccountable phantom third party that is neither completely 
registrant nor Registrar. This is evidenced in multiple UDRPs where a brand 
owner eventually wins an infringing domain name through default but the true 
identity of the original owner is never revealed.

There are many more issues including which privacy services are compliant 
with the ICANN RAA and who owns the privacy services heavily used by illicit 
domainers. This will be detailed in our full report.

-Garth

More info: 
http://www.circleid.com/posts/20110310_proxy_privacy_user_higher_for_illicit_domains/ 



