
September 16, 2008

Hey, Afilias, wake up - you're supporting spammers!

I don't often take time out from posting links and project updates to point out things I think are deeply wrong with Internet governance, the responsibility of registrars to police their customers, and so forth. That's what CircleID is for, after all. But today I'm going to shine a light on Afilias, the .info registry, because they're falling down on the job.

There is a spammer or spam organization (I suspect it is "topshoppingcart", a fairly standard "make erection fast" pharma spammer - if you've seen the "Reorder reminder" spam, you've seen them) who is in the practice of registering .info domains with names that are usually words strung together (such as idoweddingbook.info, the example we'll use here). This in itself isn't unusual; spammers have gotten fairly creative when it comes to naming their domains, by necessity, because of course they use and discard them by the hundreds of thousands.

What is unusual here is that this particular spammer forges their whois information in predictable, and maddeningly obvious, ways. From the whois entry for the example domain we quoted above:

Domain ID:D25810743-LRMS
Domain Name:IDOWEDDINGBOOK.INFO
Created On:08-Aug-2008 14:33:41 UTC
Last Updated On:20-Aug-2008 11:47:05 UTC
Expiration Date:08-Aug-2009 14:33:41 UTC
Sponsoring Registrar:AB Systems Inc. (R394-LRMS)
Status:TRANSFER PROHIBITED
Registrant ID:YLK9V2O12N4KXRX4
Registrant Name:Xavier Jimenez
Registrant Organization:Safeway Inc.
Registrant Street1:364 Trumann Str.
Registrant Street2:
Registrant Street3:
Registrant City:Marana
Registrant State/Province:AZ
Registrant Postal Code:92371
Registrant Country:US
Registrant Phone:+1.4807936923
Registrant Phone Ext.:
Registrant FAX:+1.4807936923
Registrant FAX Ext.:
Registrant Email:xavierj@wmconnect.com

There are several "tells" in the information above, and the forgery is easily seen from the use of "Str." as an abbreviation - which is common in Germany and Eastern Europe, but not in the United States. In order of obviousness:

  1. There is no Trumann Street in Marana, Arizona, so it's obviously forged, in this case, as in every other one I've seen, from the name of a town.
  2. The only town named Trumann in the United States is in Arkansas.
  3. The 92371 ZIP code is in California, not Arizona.
  4. There is no 793 exchange in the 480 area code.
  5. Why would Safeway Inc. be registering random .info domains? And why would they be using a Wal-Mart "wmconnect.com" address?

In a nutshell, if Afilias did any vetting at all on address information for new domain registrations, they could stop this spammer (who is probably using stolen credit card numbers anyway). So the question becomes: why aren't they?

I'm not trying to suggest that they're somehow in on it with the spammers; you'd have to be a frothing loon to think that they don't want to stop this sort of registration, especially if they aren't being paid, as is often the case. It may be that this spammer is actually paying, though, as the domain was registered over six weeks ago and the whois entry is still in effect, as is the DNS.

For forty dollars US, which is even less than forty dollars Canadian these days, they could get a commercial US ZIP code database, or if they wanted to go the open source route, they could even grab an incomplete ZIP database from SourceForge for the cost of a half-megabyte download. For US$250, they could buy a commercial NPA NXX database listing all of the US area codes and their exchanges. I'm sure other mechanisms exist for licensing such databases for use in other software, and there are commercial and open services (such as geocoder.us or geonames) that provide similar information.
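The kind of vetting described above, as an added example (not code from this post or from any registry): it parses the registrant fields of the whois record quoted earlier and cross-checks ZIP against state, the phone exchange against an NPA-NXX table, and the street abbreviation. The two lookup tables and the function names are assumptions; the tables are small constructed stand-ins for the ZIP and NPA-NXX databases mentioned above.

```python
import re

# Constructed stand-ins for the licensed ZIP and NPA-NXX databases the post
# mentions; the exchange numbers are placeholders, not real assignments.
ZIP3_TO_STATE = {"923": "CA", "856": "AZ"}   # 3-digit ZIP prefix -> state
NPA_NXX = {"480": {"200", "201"}}            # area code -> known exchanges

# Registrant fields copied from the whois record quoted in the post.
SAMPLE = """\
Registrant Street1:364 Trumann Str.
Registrant City:Marana
Registrant State/Province:AZ
Registrant Postal Code:92371
Registrant Country:US
Registrant Phone:+1.4807936923
"""

def parse_whois(text):
    """Split 'Key:Value' lines on the first colon only (values may contain colons)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def vet_registrant(fields):
    """Return a list of findings for a US registrant record."""
    findings = []
    if fields.get("Registrant Country") != "US":
        return findings  # these reference tables only cover US data
    state = fields.get("Registrant State/Province", "")
    zip_state = ZIP3_TO_STATE.get(fields.get("Registrant Postal Code", "")[:3])
    if zip_state is None:
        findings.append("zip-unknown")
    elif zip_state != state:
        findings.append(f"zip-state-mismatch:{zip_state}!={state}")
    m = re.fullmatch(r"\+1\.(\d{3})(\d{3})\d{4}", fields.get("Registrant Phone", ""))
    if not m:
        findings.append("phone-malformed")
    elif m.group(2) not in NPA_NXX.get(m.group(1), set()):
        findings.append(f"exchange-unassigned:{m.group(1)}-{m.group(2)}")
    if re.search(r"\bStr\.", fields.get("Registrant Street1", "")):
        findings.append("street-abbrev-non-us")
    return findings
```

Run against the quoted record, `vet_registrant(parse_whois(SAMPLE))` reports the ZIP/state mismatch, the unknown exchange and the "Str." abbreviation; a registration that trips several findings at once is a candidate for manual review rather than automatic rejection.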

Back in April, I was reporting these domains as I found them to a consultant working with Afilias. He's since moved on, but the practice continues. Surely it can't be difficult to identify this practice and put a stop to it with some basic vetting of registrant address data.

Wake up, Afilias. And to all the registrars out there who accept "555.555.5555" as a fax number, and "vet" it by adding "+1" to the front, or allow "null" to be the city in an address, you're hereby on notice, too.

UPDATE: made a couple of minor edits; just wanted to make it clear that I do distinguish between Afilias the registry and the various registrars.

Posted by schampeo at September 16, 2008 3:25 PM
