09|16|2008 03:33 pm EDT

Washington Post Coverage on Nefarious Domain Name Activities

by Adam Strong in Categories: News

Over the last few months Brian Krebs of the Washington Post has been covering stories about domain name resellers and registrars who are in one way or another tied to nefarious online activities such as spamming, spyware and malware. A noticeable trend in these articles is that these scammers are consistently shown to be using registrar reseller accounts and privacy protection to cover their tracks. Krebs’ stories are worth reading, as they highlight the issues in the domain name system, ICANN and registrars which continue to provide a means for these scammers to operate.

Privacy Protection and Bad Whois Information
One of Krebs’ earlier posts covered the story about spamming activity and how nearly 3/4 of all spam activity comes from domain names registered with a handful of domain registrars. It’s no surprise that the spammers use fake whois information or the privacy protection services available at these registrars to hide their identities. The list, compiled from over a year of research collecting spam emails, can be seen at  It’s important to note that ICANN made efforts back in May  to combat the problem with these registrars and that these registrars aren’t directly responsible for the activity. These registrars are, however, responsible for any false whois records, and ICANN points out that if the registrars “do not investigate and correct alleged inaccuracies reported to ICANN, our escalation procedure can ultimately result in ICANN terminating their accreditation and preventing them from registering domain names”.

Another Krebs story covers EstDomains, a company which the Post points out is a Directi reseller and has been tied to numerous spam emails and malware downloads which hijack the user’s computer.

One function of these codecs is to install software that changes the victim’s domain name service settings, so that some percentage of their Web site and search engine traffic gets redirected to Web sites and search engines controlled by the attackers.

According to a later article one of the sites EstDomains uses to promote their malware, “, received more traffic than, or before it was deactivated recently.”

Krebs digs around and uncovers more about Dynamic Dolphin (a company owned by Media Breakaway). Dynamic Dolphin, which was listed in the Knujon list, is also a Directi reseller and hides a majority of its domain names using the privacy service from Directi. The domains registered by the company are reported to be used in spamming a variety of items, from knock-off purses to porn. The majority of the spam, though, is promoting pharmacy services that require no prescription.

Krebs notes in this article that while some legitimate domain registrants use privacy protection on the whois, it’s very unclear how this fits within the ICANN registrar agreement, which mandates that the whois information be publicly available. He also points out that it’s unclear what ICANN can and will do about this even after publishing their “concern” over these abuses.

A more recent story is about Klik Domains, which is also using a Directi reseller account and has been tricking internet users into downloading fake anti-spyware software. The company uses its status as a reseller to quickly create new sites and uses the privacy protection feature to hide its identity.

Directi president Bhavin Turakhia said his company has disabled its registrant-anonymizing service for all Web site names registered through, which he said has sold roughly 100,000 Web site names through Directi during the past couple of years. Nearly half of those have been suspended due to abuse complaints, Turakhia said. More than 21,000 sites were suspended in the past 48 hours alone.
Domain registrar Directi seems to be the hardest hit by these articles and the Knujon list, as most of the companies named in these articles were Directi resellers and/or used Directi’s whois privacy service at  In a recent post on the Directi company blog they detail the ongoing cooperation with Knujon and to combat the issues:

“Directi ceased to offer its privacy protection services to all customers of ESTDomains and to tens of thousands of other domains obtained through the community”

“Directi and HostExploit have discussed further ways to enhance their cooperative collaboration to clamp down on spam and other forms of abuse on the Internet as rapidly as possible. Directi acknowledges and applauds HostExploit and Knujon’s continuous efforts in tracking down miscreants. HostExploit and Knujon confirm that they are pleased to work directly with the Directi abuse desk in helping Directi identify any miscreants that may be using Directi’s services. The partnership includes sharing investigative processes and intelligence data on an ongoing basis.”

ICANN and domain name registrars seem to be up against the ropes on these issues, fighting a battle that will likely just shift as scammers adapt to any new policies and rules that are created. The scammers meanwhile go on using reseller accounts and whois privacy/protection services to continue their operations and hide their tracks. There don’t seem to be any easy answers given in these articles, but the mainstream coverage and the efforts of groups like Knujon might lead to some discussion, and that hopefully leads to solutions.


Mickie Kennedy

September 17, 2008 @ 12:21 pm EDT

I wonder sometimes if the domain industry will mature to the need for title insurance and confirmed ownership. Few domainers are aware of the risk of buying stolen property (sorry for the sidetrack). Let’s say you buy for a company and pay $25,000 for it. You have a website and it’s doing well, bringing in $10,000 a month. Lots of great SEO and sweat equity. Turns out that in the life of ownership, the third previous owner still thinks he owns it and has it registered for eight years. It’s five years into that eight-year term and you now have it. How did that happen? Could be as simple as letting a Yahoo or Hotmail email address lapse years ago and a bad person assumed control of it, selling it at a forum or online. That new owner then sold it to you. Guess what. You can now lose that domain. You can even be charged for receiving stolen property. Where’s your business? Where’s that $10,000 a month to go? The $25,000 you paid. All gone.

[…] 6, 2008. However, it seems unlikely that anybody would accept their domains with EstDomains many ties to spam emails, malware downloads, and other criminal […]
