[anti-abuse-wg] Spam under protection. Believe it or not!

For the sort of domains I have to deal with - @ about a couple of hundred a day -

1. Registered using fake contact information and a freemail address
2. Hosting a live phish, or held in reserve by an individual who keeps creating more such domains to use in phish
3. The domain itself is a “cousin"

Placing the domain on client-hold appears to be the only appropriate action here.

These are not compromised sites

These are not simply trademark infringement sites selling knockoff products

They’re criminal, advertised in spam, frequently serving up malware where they’re not simply trying to steal user credentials.

Unresponsive registrars with poor abuse controls (such as - take the domain down after days, and leave the registrant’s account up and running so the rest of his stockpiled domains are just fine, and new phish domains get registered by him  every other day) seem to vastly outnumber the very few responsible registrars that I have had the pleasure of dealing with.  Note - this is of course based on the subset of registrars that actually do get frequently abused to create phish domains.  There are several that can go for days without seeing a single abusive registration.

—srs

> On 28-Sep-2015, at 6:22 PM, Michele Neylon - Blacknight <michele at blacknight.com> wrote:
> 
> Suresh
> 
> I don’t think many registrars are trying to abdicate responsibility 
> BUT
> 
> The hosting provider for a domain name has a lot more control over things than the registrar.
> 
> As a registrar of record for a domain name I only have the “nuclear option”. 
> 
> Compromised sites account for a lot of the spam we see coming from our network (or at least trying to).
> 
> Regards
> 
> Michele
> 
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting, Colocation & Domains
> http://www.blacknight.host/
> http://blog.blacknight.com/
> http://www.blacknight.press - get our latest news & media coverage
> http://www.technology.ie
> Intl. +353 (0) 59  9183072
> Direct Dial: +353 (0)59 9183090
> Social: http://mneylon.social
> Random Stuff: http://michele.irish 
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland  Company No.: 370845
> 
> 
> 
> 
> 
> 
> 
> On 28/09/2015 13:42, "anti-abuse-wg on behalf of Suresh Ramasubramanian" <anti-abuse-wg-bounces at ripe.net on behalf of ops.lists at gmail.com> wrote:
> 
>> Let me introduce you to, say, fast flux botnets that skip from one IP to another in seconds
>> 
>> IPs matter. So do domains. So do nameservers.  So do [a bunch of other things]
>> 
>> Registrars can’t abdicate their responsibility by claiming spam is entirely related to IP addresses.
>> 
>>> On 28-Sep-2015, at 5:50 PM, andre at ox.co.za wrote:
>>> 
>>> Spam is not a domain thing, it is an IP thing.
>>> 
>>> So why are we focused on domain names? a name is nothing,
>>> it cannot route, a number routes.
>> 
>>