Anonymous Domain Sales: A Spammer's Delight
Posted at 10:23 AM ET, 06/17/2008
WashingtonPost.com - Security Fix
By Brian Kerbs

Spammers routinely register their sites under false names, or hijack someone else's identity to do so. But new research shows they're also paying for premium services when registering domain names to ensure a deeper level of anonymity.

Data collected by Knujon, an anti-spam outfit that tries to convince registrars to deep-six spam sites, shows that spammers are increasingly registering sites through a handful of domain privacy services that refuse to provide a direct method to contact domain holders.

These services are offered by many Web site name registrars, which allow customers to hide their name and address from the global, publicly-searchable "WHOIS" directory of domain name holders. Most domain privacy protection services provide at least a custom e-mail address linked to each domain, so that correspondence with the domain holder can be passed along through the registrar. But spammers are increasingly flocking to a handful of domain privacy services that refuse to provide any direct methods to contact domain holders.

Knujon looked back at all of the spam domains advertised in junk messages it received over the past year, with an eye toward those spam sites where all of the registrant's contact data was withheld by one of these anonymization services. Garth Bruen, Knujon's co-founder, said the vast majority of those he found - more than 15,000 domains - were registered through a single anonymization service: privacyprotect.org. While a handful of those 15,000 spam-advertised sites peddle knockoff designer goods or adult Web sites, most redirect users to unlicensed pharmacy Web sites that purport to sell everything from Viagra to Valium without requiring a prescription.

I wanted to know whether these 15,000 sites were perhaps grouped at a handful of registrars or Web hosting providers, so I enlisted the help of Roger So, a technical support manager at Outblaze.com, an anti-spam company based in Hong Kong. Mr. So helped me run thousands of automated Web site registration lookups and break the list down by registrar.

What we found closely mirrored the results of a related investigation I detailed last month, which concluded that more than three quarters of all Web sites advertised through spam are clustered at just 10 domain name registrars.

Out of the 15,000 spam-advertised domains we examined, nearly half -- 7,142 names -- were registered through a Broomfield, Colo. company called Dynamic Dolphin. As I noted in my previous story, Dynamic Dolphin is the seventh most-popular registrar among spammers who provide patently false information in their public WHOIS records.

Dynamic Dolphin is owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. The CEO of Media Breakaway is none other than Scott Richter, the once self-avowed "Spam King" who claims to have quit the business. Anti-spam groups also have recently implicated Media Breakaway in the alleged hijacking of more than 65,000 Internet addresses for use in sending e-mail and hosting commercial Web sites.

Dynamic Dolphin is a reseller of registrar services offered by an Indian company called Direct Information PVT Ltd. - also known as Directi and www.PublicDomainRegistry.com. Directi was the second most popular registrar among spammers who used privacyprotect.org; it handled the registration for nearly 4,000 of those 15,000+ domains that Knujon flagged.

Dynamic Dolphin is a reseller of registrar services offered by an Indian company called Direct Information PVT Ltd. - also known as Directi and PublicDomainRegistry.com. Directi was the second most popular registrar among spammers who used privacyprotect.org; it handled the registration for nearly 4,000 of those 15,000+ domains that Knujon flagged.

Prior to researching Bruen's data, I'd run across privacyprotect.org on numerous occasions, but it wasn't until I began this project that I found - perhaps not surprisingly - that it was next to impossible to tell who owned the service.

But, thanks to a few industry sources, I finally worked it out. So who owns privacyprotect.org? Why, Directi, of course.

Bruen said certainly not all spammers use privacy protection or anonymization services; most, he said, just make up phony contact data.

"Which begs the question: why bother [with anonymization]? No one -- except Knujon and a few others -- is policing the records," Bruen said. "The difference here is that the registrar is playing a role in masking the identity and location of the owners. My guess would be the registrars are the real owners of these sites."

I contacted the owners of both Directi and Dynamic Dolphin for comment, and will update this blog in the event that they respond.

No doubt many consumers (this author included) appreciate the privacy these proxy services afford for personal Web sites. But it's never been quite clear to me how these domain anonymization services jibe with the contracts registrars must sign with the Internet Corporation for Assigned Names and Numbers (ICANN), the Marina Del Ray, Calif. entity which oversees the domain name system. ICANN's contracts clearly state that registrars shall make their database of registrant information publicly searchable online.

Turns out I'm not the only one baffled by this apparent conflict in policy.

"Nobody's ever been able to explain to me how anonymized domains meet the ICANN rules," said John Levine, author of Internet for Dummies and a former member of the ICANN At-Large Advisory Committee. "On the one hand, the WHOIS info is for the anonymizers which uniformly disclaim responsibility for the actions of their customers, while the actual info is unavailable, to be disclosed at the whim of the anonymizers whose criteria for disclosure vary from a polite e-mail to a subpoena."

I sought clarification from ICANN, but am still awaiting their response to this question, and to hear more on what -- if anything -- they plan to do about the abuse of anonymization services by spammers.

I'm not suggesting that if some regulatory or law enforcement agency were to subpoena the registration records from a company like Dynamic Dolphin that they'd learn the true identities of the people who registered the sites in question. But I am suggesting - for the second time in as many months - that if ICANN is as serious about cracking down on problematic domain name registrars as it claims, it could do a lot worse than to start with Dynamic Dolphin and Directi.

Update, 10:47 p.m. ET: A previous version of this blog post incorrectly stated that Outblaze is headquartered in India.

Update, June 18, 10:15 a.m. ET: - Abhijit Relekar, team lead of Web solutions for Directi, responded in e-mail today to say that the company is aware that its services are being misused, and that it is investigating the domain names and service providers in question.

Relekar dismissed the suggestion that Directi was the owner of the anonymized domains linked with spam. "While I can not speak for Dynamic Dolphin or any other registrar, I can confirm that Directi does not own or have any association with the domain names registered through it that use the privacy protection service."

"Rest assured the issue is being treated with all the seriousness it deserves, and decisive measures will be taken within the next few days to ensure that the violators do not continue to use this service," Relekar said. "Any domain name proven to be indulging in malicious and/or illegal activities such as spamming would have its privacy protection immediately revoked and, if registered through Directi, would also be suspended."

Source: WashingtonPost.com - Brian Krebs (Security Fix)