.US Harbors Prolific Malicious Link Shortening Service
https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-short...
"The NTIA recently published a proposal that would allow registrars to redact all registrant data from WHOIS registration records for .US domains. A broad array of industry groups have filed comments opposing the proposed changes, saying they threaten to remove the last vestiges of accountability for a top-level domain that is already overrun with cybercrime activity."
What hope is there when registrars are actively aiding and abetting criminal enterprises?
Are there any legitimate services running solely on .us domain names?
-Dan
I personally own a .us domain name -- while it's a personal domain and doesn't do a lot of traffic, it's still a legitimate domain.
-----Original Message-----
From: "goemon--- via NANOG" <nanog@nanog.org>
Sent: Thursday, November 2, 2023 4:30pm
To: "NANOG list" <nanog@nanog.org>
Subject: .US Harbors Prolific Malicious Link Shortening Service
https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-short...
"The NTIA recently published a proposal that would allow registrars to redact all registrant data from WHOIS registration records for .US domains. A broad array of industry groups have filed comments opposing the proposed changes, saying they threaten to remove the last vestiges of accountability for a top-level domain that is already overrun with cybercrime activity."
What hope is there when registrars are actively aiding and abetting criminal enterprises?
Are there any legitimate services running solely on .us domain names?
-Dan
On Thu, Nov 2, 2023 at 1:30 PM goemon--- via NANOG <nanog@nanog.org> wrote:
https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-short...
What hope is there when registrars are actively aiding and abetting criminal enterprises?
I'm confused. Does .com/.net/.org have a different/better vulnerability profile to these third party link shorteners?
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/
I think it is a matter of proportionality. According to Spamhaus, malicious domains account for only 1.5% of all .com domains, but 4.8% of all .us domains (https://www.spamhaus.org/statistics/tlds/) - compare that to .tk where 6.7% of all domains are malicious.
allan
------- Original Message -------
On Thursday, November 2nd, 2023 at 4:46 PM, William Herrin <bill@herrin.us> wrote:
On Thu, Nov 2, 2023 at 1:30 PM goemon--- via NANOG nanog@nanog.org wrote:
https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-short...
What hope is there when registrars are actively aiding and abetting criminal enterprises?
I'm confused. Does .com/.net/.org have a different/better vulnerability profile to these third party link shorteners?
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/
On Thu, Nov 2, 2023 at 3:10 PM Allan Liska <allan@allan.vin> wrote:
According to Spamhaus, malicious domains account for only 1.5% of all .com domains, but 4.8% of all .us domains (https://www.spamhaus.org/statistics/tlds/) - compare that to .tk where 6.7% of all domains are malicious.
Hi Allan,
Careful. Statistics don't mean much when separated from their context. Spamhaus doesn't appear to have published the raw numbers for anything except the "top ten."
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/
On November 2, 2023 at 22:09 allan@allan.vin (Allan Liska) wrote:
I think it is a matter of proportionality.
According to Spamhaus, malicious domains account for only 1.5% of all .com domains, but 4.8% of all .us domains (https://www.spamhaus.org/statistics/tlds/) - compare that to .tk where 6.7% of all domains are malicious.
And the bit.ly shortening service is operated under the Libyan ccTLD. Also frequently used in spam email etc. Libya doesn't even have a generally recognized government. Or, perhaps put better, has more than one competing government.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
On Thu, Nov 2, 2023 at 5:46 PM William Herrin <bill@herrin.us> wrote:
On Thu, Nov 2, 2023 at 1:30 PM goemon--- via NANOG <nanog@nanog.org> wrote:
https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-short...
What hope is there when registrars are actively aiding and abetting criminal enterprises?
I'm confused. Does .com/.net/.org have a different/better vulnerability profile to these third party link shorteners?
This is likely related to the NTIA's ongoing consultation on redacting .us WHOIS. Every time such a movement happens, a number of reports showing the world will end because of that appear.
Rubens
There are LOTS of small businesses that have .us domains. I've got several that just use these domains, as well as locality-specific things such as schools or towns that use them rather than the longer ones supplied to municipal entities.
/rh
On Thu, Nov 2, 2023 at 1:34 PM goemon--- via NANOG <nanog@nanog.org> wrote:
https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-short...
"The NTIA recently published a proposal that would allow registrars to redact all registrant data from WHOIS registration records for .US domains. A broad array of industry groups have filed comments opposing the proposed changes, saying they threaten to remove the last vestiges of accountability for a top-level domain that is already overrun with cybercrime activity."
What hope is there when registrars are actively aiding and abetting criminal enterprises?
Are there any legitimate services running solely on .us domain names?
-Dan
K-12 education is typically in *.us
-Eric
On Thu, Nov 2, 2023 at 1:32 PM goemon--- via NANOG <nanog@nanog.org> wrote:
https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-short...
"The NTIA recently published a proposal that would allow registrars to redact all registrant data from WHOIS registration records for .US domains. A broad array of industry groups have filed comments opposing the proposed changes, saying they threaten to remove the last vestiges of accountability for a top-level domain that is already overrun with cybercrime activity."
What hope is there when registrars are actively aiding and abetting criminal enterprises?
Are there any legitimate services running solely on .us domain names?
-Dan
-- Eric Harrison
Network Services
Cascade Technology Alliance / Multnomah Education Service District
office: 503-257-1554 cell: 971-998-6249 sms: 503-609-0577
Not specific to .US really
Pretty much every new gTLD that can be registered on "promotional" first year prices below .com/.net/.org harbors a larger than usual proportion of phishing domains and suspicious things, because one of the sole operational criteria for phishers registering disposable domains that might have useful lives of only hours or a few days, in bulk, is the cost per unit.
".us" is in much the same situation because I am seeing promotional prices of $4.50 to $5 per domain for the first year.
On Thu, Nov 2, 2023 at 1:31 PM goemon--- via NANOG <nanog@nanog.org> wrote:
https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-short...
"The NTIA recently published a proposal that would allow registrars to redact all registrant data from WHOIS registration records for .US domains. A broad array of industry groups have filed comments opposing the proposed changes, saying they threaten to remove the last vestiges of accountability for a top-level domain that is already overrun with cybercrime activity."
What hope is there when registrars are actively aiding and abetting criminal enterprises?
Are there any legitimate services running solely on .us domain names?
-Dan
Yeah. I wonder why this cannot be reversed really? First domain registration should cost more.. 50 USD maybe? Dunno. And then, when you want to extend the domain, price should be around 5 times lower? Those who want to use it for legal activity will chew that little CAPEX.
---------- Original message ----------
From: Eric Kuhnke <eric.kuhnke@gmail.com>
To: goemon@sasami.anime.net
Cc: NANOG list <nanog@nanog.org>
Subject: Re: .US Harbors Prolific Malicious Link Shortening Service
Date: Thu, 2 Nov 2023 20:39:17 -0700
Not specific to .US really
Pretty much every new gTLD that can be registered on "promotional" first year prices below .com/.net/.org harbors a larger than usual proportion of phishing domains and suspicious things, because one of the sole operational criteria for phishers registering disposable domains that might have useful lives of only hours or a few days, in bulk, is the cost per unit.
".us" is in much the same situation because I am seeing promotional prices of $4.50 to $5 per domain for the first year.
On Thu, Nov 2, 2023 at 1:31 PM goemon--- via NANOG <nanog@nanog.org> wrote:
https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-short...
"The NTIA recently published a proposal that would allow registrars to redact all registrant data from WHOIS registration records for .US domains. A broad array of industry groups have filed comments opposing the proposed changes, saying they threaten to remove the last vestiges of accountability for a top-level domain that is already overrun with cybercrime activity."
What hope is there when registrars are actively aiding and abetting criminal enterprises?
Are there any legitimate services running solely on .us domain names?
-Dan
On 04/11/2023 15:54, borg@uu3.net wrote:
Yeah. I wonder why this cannot be reversed really? First domain registration should cost more.. 50 USD maybe? Dunno. And then, when you want to extend the domain, price should be around 5 times lower?
Most of the new gTLDs that are using this heavy discounting model would not be commercially viable with normal .COM registration fees. It is a very cynical business model that relies on a very small percentage of discounted domain names renewing at full fee (typically between $10 and $30) so that in addition to the registry covering costs on each first year registration, it makes more on a renewal for the second year. The typical renewal rate is 5% or below and it is like sieving for plankton. One of the new gTLDs has a renewal rate for 2022 new registrations of 1.53%. It is regularly priced at less than $1 per new registration.
When the heavy discounting business model started being widely used by struggling new gTLDs, a lot of the abusive registrations shifted from .COM/NET because the economics of DNS Abuse had changed. The .ORG registry had been working on cleaning its zone and had stopped heavy discounting offers. It is now in a much stronger position than either .COM or .NET in terms of renewals.
Most registrants in a country will either consider their local ccTLD (if outside the US) as a first choice and then the .COM as a second choice. Market awareness and familiarity generally play a larger part in driving registration trends than pricing. The .US ccTLD is up against the .COM in the US market and the .COM is the de facto US ccTLD. The .US has had discounting promotions before and most of the discounted registrations did not renew.
Those who want to use it for legal activity will chew that little CAPEX.
That brings up another problem. When a registry starts to use a heavy discounting model with its gTLD, it kills development and usage rates in the gTLD because the gTLD gets a reputation for being a junk TLD and the rising level of spam and phishing causes the gTLD to be blocked on mailservers. It is very difficult for a gTLD to recover from this. One of the earlier heavy discounting new gTLDs had about 2 million domain names in its zone at the peak. Five years later, approximately 2K were still in the zone. A new registry team took over the gTLD and other Famous Four Media gTLDs in 2018 and they have still not recovered.
A high registration fee will act as a barrier to entry for a TLD and it will take longer for the TLD to grow. Prospective registrants will often opt for the cheaper close alternative. (Registrants tend to be aware of their local ccTLD, .COM, .NET, .ORG and perhaps the ccTLD for adjacent countries.) For much of the late 1990s and early 2000s, that was .COM rather than the ccTLDs. Many ccTLDs were run by university Computer Science departments that couldn't compete. In the mid 2000s, the ccTLDs started to improve due to ICANN's failure to deal with problems in .COM/NET/ORG and abuse of the Add Grace Period. Even with the DotCOM bubble, the initial fee of $50 per year kept registration volume relatively low but it was a very different market compared to today's more global one. The advent of the registrars model and its competition reduced the registration and renewal fees and helped grow the market. The problem today is that the growth in .COM has plateaued.
There is web usage in the .US ccTLD but it is at a lower rate than in .COM or in European ccTLDs. A lot of .US registrations are brand protection registrations and redirect to the registrant's primary website in .COM. It isn't a truckstop or gateway TLD like .EU where there are more redirects to other TLDs than active websites.
Regards...jmcc
---------- Original message ----------
From: Eric Kuhnke <eric.kuhnke@gmail.com>
To: goemon@sasami.anime.net
Cc: NANOG list <nanog@nanog.org>
Subject: Re: .US Harbors Prolific Malicious Link Shortening Service
Date: Thu, 2 Nov 2023 20:39:17 -0700
Not specific to .US really
Pretty much every new gTLD that can be registered on "promotional" first year prices below .com/.net/.org harbors a larger than usual proportion of phishing domains and suspicious things, because one of the sole operational criteria for phishers registering disposable domains that might have useful lives of only hours or a few days, in bulk, is the cost per unit.
".us" is in much the same situation because I am seeing promotional prices of $4.50 to $5 per domain for the first year.
On Thu, Nov 2, 2023 at 1:31 PM goemon--- via NANOG <nanog@nanog.org> wrote:
https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-short...
"The NTIA recently published a proposal that would allow registrars to redact all registrant data from WHOIS registration records for .US domains. A broad array of industry groups have filed comments opposing the proposed changes, saying they threaten to remove the last vestiges of accountability for a top-level domain that is already overrun with cybercrime activity."
What hope is there when registrars are actively aiding and abetting criminal enterprises?
Are there any legitimate services running solely on .us domain names?
-Dan
-- **********************************************************
John McCormac * e-mail: jmcc@hosterstats.com
MC2 * web: http://www.hosterstats.com/
22 Viewmount * Domain Registrations Statistics
Waterford * Domnomics - the business of domain names
Ireland * https://amzn.to/2OPtEIO
IE * Skype: hosterstats.com
**********************************************************
On Sat, Nov 4, 2023 at 8:54 AM <borg@uu3.net> wrote:
Yeah. I wonder why this cannot be reversed really? First domain registration should cost more.. 50 USD maybe? Dunno. And then, when you want to extend the domain, price should be around 5 times lower?
Maybe go the other way: you have to pay the same 1-year price as for the other registries but two and three year registrations are discounted to the same price. Criminals burn through the names pretty quickly, so a multiyear registration is not of value to them. That would allow the marketing department their loss leaders without making themselves as attractive to criminals.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/
----- Original Message -----
From: "Seth Mattinen via NANOG" <nanog@nanog.org>
On 11/2/23 1:30 PM, goemon--- via NANOG wrote:
Are there any legitimate services running solely on .us domain names?
Yes.
Though not -- by several orders of magnitude -- nearly as many as there should be... but let's not get me started on that.
Cheers,
-- jr 'RFC1480' a
-- Jay R. Ashworth | Baylink | jra@baylink.com
Designer | The Things I Think | RFC 2100
Ashworth & Associates | http://www.bcp38.info | 2000 Land Rover DII
St Petersburg FL USA | BCP38: Ask For It By Name! | +1 727 647 1274
I've seen a US based ISP do its internal management network reverse DNS using '.us' as a suffix, where the hierarchy is like POP name, then city/airport code, then state (eg: CA, NJ, FL), then .us for geographical location of equipment in USA. The .us domain in question was owned by the same organization but with only a stub zone file published on public facing authoritative NS, with the internal zonefile not available to the public.
On Mon, Nov 6, 2023 at 7:35 AM Jay R. Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Seth Mattinen via NANOG" <nanog@nanog.org>
On 11/2/23 1:30 PM, goemon--- via NANOG wrote:
Are there any legitimate services running solely on .us domain names?
Yes.
Though not -- by several orders of magnitude -- nearly as many as there should be... but let's not get me started on that.
Cheers,
-- jr 'RFC1480' a
-- Jay R. Ashworth | Baylink | jra@baylink.com
Designer | The Things I Think | RFC 2100
Ashworth & Associates | http://www.bcp38.info | 2000 Land Rover DII
St Petersburg FL USA | BCP38: Ask For It By Name! | +1 727 647 1274
It appears that Eric Kuhnke <eric.kuhnke@gmail.com> said:
I've seen a US based ISP do its internal management network reverse DNS using '.us' as a suffix, where the hierarchy is like POP name, then city/airport code, then state (eg: CA, NJ, FL), then .us for geographical location of equipment in USA.
For a long time, .US had an odd geographic structure invented by Jon Postel. Everything was <name>.<city>.<st>.us. There are also some special cases, notably k12.<st>.us for K-12 schools in each state.
One could volunteer to be a local subregistrar and a fair number of us still exist. If you have a use for a domain name in watkins-glen.ny.us, just ask. In that era it was up to each subregistrar what to charge, and most of us charged and still charge nothing. Or check out my church's web site at unitarian.ithaca.ny.us.
In 2002 the US government contracted with Neustar to run .US and since then it's been a lot like generic TLDs, with second level domains rented for a yearly fee. The old geographic names are still grandfathered but the registry, now run by Godaddy, isn't delegating any new ones.
R's, John
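The two naming shapes described in this thread (John's legacy <name>.<city>.<st>.us and k12.<st>.us hierarchy, and the POP.city.state.us reverse-DNS layout Eric mentions) are worth telling apart from the post-2002 flat second-level registrations when you are triaging .us hostnames in mail or DNS logs, because the flat registrations are where the cheap disposable domains live. The classifier below is an added example written for this page; it is not code from the thread, from NANOG, or from any registry. The US_STATE_CODES set, the function names and the sample hostnames marked as constructed are my assumptions; the two real hostnames come from John's message.

```python
from collections import Counter

# Assumption: two-letter USPS codes for the 50 states plus DC. Territories
# (PR, GU, VI, AS, MP) are deliberately left out; add them if your logs need them.
US_STATE_CODES = {
    "al", "ak", "az", "ar", "ca", "co", "ct", "de", "fl", "ga", "hi", "id",
    "il", "in", "ia", "ks", "ky", "la", "me", "md", "ma", "mi", "mn", "ms",
    "mo", "mt", "ne", "nv", "nh", "nj", "nm", "ny", "nc", "nd", "oh", "ok",
    "or", "pa", "ri", "sc", "sd", "tn", "tx", "ut", "vt", "va", "wa", "wv",
    "wi", "wy", "dc",
}


def classify_us_name(hostname: str) -> dict:
    """Describe where in the .us namespace a hostname sits.

    kind is one of:
      'k12'          <school>.k12.<st>.us   (the special case John mentions)
      'locality'     <name>.<city>.<st>.us  (Postel-era geographic form; also
                     the POP.city.state.us layout Eric describes)
      'state'        <st>.us itself
      'second-level' <label>.us rented directly under .us (2002 onward)
      'not-us'       anything else, including malformed names
    """
    # Case-insensitive, tolerate a trailing dot, reject empty labels (".us", "a..us").
    labels = hostname.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != "us" or any(not lab for lab in labels):
        return {"kind": "not-us"}

    under_us = labels[:-1]          # everything left of the .us suffix
    state = under_us[-1]
    if state not in US_STATE_CODES:
        # The label directly under .us is not a state code, so it is a
        # generic second-level registration such as example.us.
        return {"kind": "second-level", "sld": state,
                "host": ".".join(under_us[:-1]) or None}
    if len(under_us) == 1:
        return {"kind": "state", "state": state}

    locality = under_us[-2]
    name = ".".join(under_us[:-2]) or None   # None when the name is the locality itself
    if locality == "k12":
        return {"kind": "k12", "state": state, "school": name}
    return {"kind": "locality", "state": state, "city": locality, "name": name}


# Constructed sample, as a log-triage input. The first two hostnames are the
# real ones quoted in the thread; the rest are made up for this example.
SAMPLE_HOSTNAMES = [
    "unitarian.ithaca.ny.us",   # from the thread: legacy locality name
    "watkins-glen.ny.us",       # from the thread: a locality delegation
    "lincoln.k12.ca.us",        # constructed: K-12 school pattern
    "rtr1.sjc.ca.us",           # constructed: POP.city.state.us management name
    "www.example.us",           # constructed: generic second-level with a host
    "example.us",               # constructed: generic second-level
    "shortlink.us",             # constructed: generic second-level
    "ny.us",                    # the state domain itself
    "example.com",              # not in .us at all
]


def summarize(hostnames) -> dict:
    """Count how many names of each kind appear, e.g. to see what share of
    observed .us traffic is flat second-level registrations."""
    return dict(Counter(classify_us_name(h)["kind"] for h in hostnames))


if __name__ == "__main__":
    for h in SAMPLE_HOSTNAMES:
        print(f"{h:26} {classify_us_name(h)}")
    print(summarize(SAMPLE_HOSTNAMES))
```

The split is purely structural: a name that parses as 'locality' or 'k12' only tells you it was carved out of the old geographic tree, not that the current operator is trustworthy, and a 'second-level' name is not evidence of abuse on its own. Use the kind as one feature alongside registration age, price tier and reputation data, not as a verdict.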
participants (14)
- Allan Liska
- borg@uu3.net
- bzs@theworld.com
- Eric Harrison
- Eric Kuhnke
- goemon@sasami.anime.net
- Jay R. Ashworth
- John Levine
- John McCormac
- Richard Holbo
- Rubens Kuhl
- Seth Mattinen
- Shawn L
- William Herrin