ICANN Asked To Shut Down "Worst" Chinese Registrar
Ian Lamont writes "Anti-spam service Knujon has released reports highlighting how certain registrars in the US and abroad have consistently failed to live up to certain WHOIS-related obligations under ICANN's Registrar Accreditation Agreement (RAA) — specifically, the requirement that people or companies registering domains provide valid contact information. Now the firm is requesting that ICANN shut down the worst alleged offender, Xinnet Bei Gong Da Software. According to Knujon, none of the WHOIS records in a sample of 11,000 alleged spam sites registered through Xinnet and reported by Knujon to ICANN's Whois Data Problem Report System were corrected in a six-month period ending in May 2008 — and the Chinese registrar continues to register about 100 spam sites per day. In many cases, says the Knujon document (PDF), Xinnet does not have 'any Whois record data for review while the sites are still active' and the spam sites further promote 'seal abuse' by posting bogus BBB, Verisign, and other trusted industry seals. ICANN says it is investigating. ICANN has just posted a draft revised RAA that is open for public comment until August 4. However, the wording of Section 3.7.8, governing registrars' obligations to check and correct domain owners' contact information, hasn't changed."
Well, I'd be all for a segregated internet if it could keep all the American spam comments advertising drugs, loans, insurance and porn off my blog. Remember the USA is still the biggest spam producer. It would be nice if you could only spam yourselves.
So if they shut down the registrar, wouldn't that invalidate all domains currently registered through them? I'm assuming some of those belong to legitimate non-spammers....
There's been a formal study of bad WHOIS data by the Government Accounting Office, the investigative arm of Congress, titled "Prevalence of False Contact Information for Registered Domain Names", on this topic. They found at least 8% of contact info in WHOIS to be totally bogus. They also, as a test of ICANN, submitted 45 "WHOIS information problem reports", of which 11 resulted in correction and 33 did not. But GAO didn't break down the data by registrar.
We've been interested in this issue at SiteTruth for some time. We take a broader view of "bad" web sites than most; we consider any commercial site that lacks valid business name and address information to be bogus. Over 35% of Google AdWords advertisers fail that test. For advertisers whose ads appear on Myspace, the ratio is much higher.
Originally, we tried to get contact information from WHOIS data, but the data quality was so appallingly bad that we had to develop another approach. We have a system that looks for contact info the way a user would, looking at pages with names like "About", "Contact", and such, trying to find a user-readable street address. We also have some big databases of business addresses to check against. This turns out to work much better than looking at WHOIS data when the goal is to find the business behind the web site.
(You can see this info using our AdRater plug-in for Firefox. Download our plug-in to see the ratings for each Google advertiser as the ads go by. Unless you're already blocking all such ads, of course.)
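The crawl-for-contact-info approach described in the comment above, as an added illustration (this is not SiteTruth's code or the AdRater plug-in): starting from a site's front page, follow links whose visible text looks like "About" or "Contact", pull a human-readable street address out of the page text, and check it against a business address database. The two sample sites, the tiny business directory and the US-style address pattern are all constructed here for the example; a real deployment would fetch pages over HTTP and use a much larger directory.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed stand-in for fetched pages: URL -> HTML. One site carries a real-looking
# postal address on its Contact page; the other offers only an email address.
SAMPLE_SITE = {
    "http://example-shop.test/": '<html><body><h1>Example Shop</h1>'
        '<a href="/about.html">About Us</a> <a href="/contact.html">Contact</a></body></html>',
    "http://example-shop.test/about.html": "<html><body><p>We are a family business.</p></body></html>",
    "http://example-shop.test/contact.html":
        "<html><body><p>Write to us at 1234 Market Street, Springfield, IL 62701.</p></body></html>",
    "http://pills-now.test/": '<html><body><h1>Cheap meds</h1><script>var x=1;</script>'
        '<a href="contact.php">Contact</a></body></html>',
    "http://pills-now.test/contact.php": "<html><body><p>Email: sales@pills-now.test</p></body></html>",
}

# Constructed business directory of normalised (street, city, state, zip) tuples.
BUSINESS_DIRECTORY = {("1234 market street", "springfield", "il", "62701")}

# Link texts that usually lead to a page carrying a postal address (assumption, not a standard).
CONTACT_LINK_WORDS = ("about", "contact", "imprint", "legal")

# US-style street address, then city, two-letter state and ZIP. Other countries need other patterns.
ADDRESS_RE = re.compile(
    r"\b(\d{1,6}\s+[A-Z][A-Za-z0-9.' ]{1,40}?\s+"
    r"(?:Street|St\.?|Avenue|Ave\.?|Road|Rd\.?|Boulevard|Blvd\.?|Drive|Dr\.?|Lane|Ln\.?|Way))"
    r",?\s+([A-Z][A-Za-z .'-]{1,40}),\s*([A-Z]{2})\s+(\d{5})(?:-\d{4})?\b"
)


class PageParser(HTMLParser):
    """Collects (href, visible link text) pairs and the page's visible text, skipping script/style."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._href = None
        self._link_text = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            self._href = dict(attrs).get("href")
            self._link_text = []

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._link_text).strip()))
            self._href = None

    def handle_data(self, data):
        if self._skip:
            return
        self.text_parts.append(data)
        if self._href is not None:
            self._link_text.append(data.strip())

    @property
    def text(self):
        return " ".join(p.strip() for p in self.text_parts if p.strip())


def parse_page(html):
    parser = PageParser()
    parser.feed(html)
    parser.close()
    return parser


def contact_page_urls(base_url, html):
    """Absolute URLs of links whose visible text suggests an about/contact page."""
    return [urljoin(base_url, href) for href, text in parse_page(html).links
            if href and any(word in text.lower() for word in CONTACT_LINK_WORDS)]


def extract_addresses(html):
    """Street addresses found in the page's visible text, as dicts."""
    return [{"street": m.group(1), "city": m.group(2), "state": m.group(3), "zip": m.group(4)}
            for m in ADDRESS_RE.finditer(parse_page(html).text)]


def normalize(addr):
    """Collapse whitespace and case so the address can be looked up in the directory."""
    return tuple(" ".join(addr[key].split()).lower() for key in ("street", "city", "state", "zip"))


def locate_business(site, start_url, directory):
    """Walk front page -> contact-style pages; return the first address found, flagged
    with whether it appears in the directory, or None when no address is readable."""
    start_html = site.get(start_url)
    if start_html is None:
        return None
    for url in contact_page_urls(start_url, start_html) + [start_url]:
        html = site.get(url)
        if html is None:
            continue
        for addr in extract_addresses(html):
            addr["source_url"] = url
            addr["in_directory"] = normalize(addr) in directory
            return addr
    return None


if __name__ == "__main__":
    for front in ("http://example-shop.test/", "http://pills-now.test/"):
        print(front, "->", locate_business(SAMPLE_SITE, front, BUSINESS_DIRECTORY))
```

The point of the design is that it never touches WHOIS at all: the signal is whether the site itself publishes a verifiable postal address, which is what a visitor would look for. A site that returns None here is not necessarily fraudulent, but it fails the "valid business name and address" test the comment describes, and that is exactly the class of site the WHOIS-based approach was failing to identify.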
The mailers who send you this crap are more than likely located in the US, but the ones who profit from it the most are not. (Based on my own research, even the large-scale American spammers tend to be either Russian or from other foreign countries. It is rare that someone born in the US is behind the send button.)
The individuals behind these mass domain registrations may also be located in the US, but again they are not the main profit department from these activities.
These Chinese Registrars may not (repeat: may not) be in cahoots with them either. They merely represented a prime resource due to their total lack of attention to non-Chinese-language complaints.
The other high-profile spam operation that profits from this abuse is known alternately as Spamit or GlavMed. They are the affiliate program behind "Canadian Pharmacy", which is notable due to the fact that there is now a direct link between Canadian Pharmacy domains and the Storm worm. (Documented in several blogs and security review sites.) They also have a lengthy history of hacking public web servers to use them as redirections to the actual spammed target, causing grief for a lot of otherwise legitimate domain owners.
Spamit / Glavmed is known to be a largely Russian operation. Glavmed is largely considered a non-spam affiliate program but they deal with precisely the same properties, just without any mention of email spamming.
Not one of the large-scale spam operations has its roots in North America. They are all located offshore, and run by citizens of non-US countries, and remain located in those non-US countries, probably in an attempt to enforce some bogus "immunity" on their criminal activity.
Registrars are a tiny piece of the puzzle. I wish someone would directly investigate and go after these sponsor organizations.
Spamit and SanCash are responsible for the majority of all spam received by most individuals around the world. When they experience difficulties (i.e. widespread domain shutdowns), you begin to see incoming spam revert 100% to stock spam, since they can't spam domains anymore. This is a provable, repeatable experiment.
-- SiL / IKS / concerned citizen