On Fri, 23 Jul 2004, Richard Cox wrote:
The key here is not registration but change. Currently, while spammers and other malfeasants have the ability to send out through compromised proxies and zombied PCs, there is little that can be done to identify them until they require a response, and then the return path provides some traceability via the IP addresses used, at least for nameservers.
One of the latest spammer exploits involves relying on compromised PCs for hosting of websites and DNS: which, coupled with the ability to update the root DNS in close-to-real-time, means that the entire hosting operation including nameservers can be based on compromised boxes, often with an encrypted/obfuscated link back to the real point of control, and that is significantly harder to track. This becomes of rather greater significance if the hosting is for a phishing site.
That is one of the main reasons why I don't like that Verisign has removed ability to find data on how list of nameservers for domain and more ip address of nameserver might have been changed. The only thing we can see is what whois shows (=bulk zone data) which is just one time/day snapshot while spammer may have changed the ip address of nameserver many times during the day to point to different zombie PCs. I hope Matt can get through to correct people and deltas will be available for those already doing bulk zone downloads.
The demand for extra domains serves the registrars' business model well. When a contact address is proved to be bogus, and at the end of 15 days the domain complained of is in consequence shut down, it does not seem to occur to most registrars that the other (say) six hundred - perhaps thousands of domains - that were registered by the same person with the identical contact details, must also have bogus contact details and so should be automatically shut down. No, an individual complaint seems to be needed in each case, which means that the malfeasants are given 15 days from the first appearance of EACH domain during which the entire domain is, as it were, bulletproof.
It seems that by these policies registries are actively helping out spammers while claiming to be neutral party. But in reality they know full well who the registrant of the domain is and that they deliberately breaking ICANN rules but they do not close their account and allow them to register more domains with false data. This "neutral party" excuse also leads to most domain registries refusing spam compaints, again they know exactly who it is that registers these domain and can definetly see they are spammer, but they will not do anything about it because spammers are good customers who register lots of domains. This situation not helping in trying to stop this epidemic. -- William Leibzon Elan Networks william@elan.net