FYI the report from APWG with some very interesting information. I requested that 'subdomain policy' be added to the BlueSky list for reasons at bottom of this string. I hope we can discuss the potential merits and disadvantages of trying to enforce the RAA terms on domain registrants that offer subdomain registration services.

Full report: http://www.apwg.org/reports/APWG_GlobalPhishingSurvey2007.pdf

Conclusion:

As always, phishers are constantly adapting as they find new opportunities and react to anti-phishing efforts. This study has documented some of their recent strategies and tactics, including their adoption of subdomain services, evasion and spoofing techniques, and their systematic exploitation of vulnerable registrars and registries. We hope this study will spur further research on these and related topics.

The number of domain names used for phishing in 2007 was upwards of 52,000. This was a minuscule percentage of the approximately 153 million total domain names in existence, but the phishing resulted in huge financial losses for Internet users and the targeted brands. We have noted some of the problems associated with detecting and mitigating phishing in this ocean of domain names. Registrars and registry operators have no control over the security of the Web sites hosted on the domains they sponsor, and have more limited options when vulnerable sites are compromised for phishing. But registries and registrars are in an excellent position to address malicious domain name registrations, which are a major part of the current phishing problem. Registry operators can disseminate information to their registrars, and both can mitigate malicious domain name registrations quickly, thereby reducing phishing up-times and reducing the options available to phishers.

Among other findings and suggestions:

-- Only 12 of the 51,989 domain names were Internationalized Domain Names (IDNs).

-- Only about 129 were trademarks at the second level, e.g. bankname.com.

-- The domain name itself usually does not matter to phishers. Therefore a domain name in any TLD will do. Brand name owners should continue to make defensive domain name registrations, and should continue to use detection methods that find infringing domain names by scanning zone files for pattern matches. However, the data indicates that phishers are probably aware of that countermeasure and avoid domain names that draw attention to themselves. Brand owners should also employ detection methods that collect and analyze entire phishing URLs.

-- In our survey we positively identified 11,443 subdomain sites/accounts used for phishing, beneath 448 unique second-level domains. [I]f we had counted these unique subdomains as regular domain names, then these types of domains would represent at least 18% of all domains involved in phishing, a significant percentage.

Examples of subdomain accounts used for phishing from our survey data include:

-- account-slgnln-elbay-fr.pochta.ru. (Pochta.ru is a popular free e-mail service that offers unlimited mailboxes and free hosting.)

-- labsupport.no-ip.org. (The domain no-ip.org redirects to No-IP.com, a company that provides managed DNS, dynamic DNS, domain registration, e-mail, and other domain-related services.)

-- A free online tool that makes it easy for anyone to create and publish Web pages in just minutes. This service hosted multiple phishes that targeted social networking sites, an auction provider, and other brands in 2007.

The extensive use of subdomain services is eye-opening and poses several challenges. These services are unaccredited (unlike domain name registrars), are often free, and most are offered by small companies. Thus there are few checks and balances on who runs such services or how they screen their customers. These conditions are ripe for abuse, both at the consumer level and at the reseller level, as any criminal can set up his own such service.

Depending on the available features of the service, a criminal can obtain as much control over a unique DNS entry as he can through a domain name registrar, making these types of subdomains very convenient for running fast-flux, name-spoofing, and other common domain name tricks used by phishers.

There is no published WHOIS information for these subdomains, making it nearly impossible to determine if there is a fraudulent registration, or if someone's legitimate (but hacked) site is being used to host a phish. In the latter case, the lack of WHOIS makes it much harder to track down the site owner of a hacked Web site during a take-down effort. Instead, responders are completely reliant upon the subdomain service provider to handle all mitigation requests. These services are typically unmanned or lightly supported, meaning the only point of contact for the domain may be unavailable for days. The fact that there could be thousands of functional, legitimate subdomain sites beneath the main domain means that suspension of the main domain is usually not a viable option.

Best regards,
Mike Rodenbaugh
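As an added illustration of the report's two technical points above (counting subdomain hosts beneath a registrable domain, and analyzing entire phishing URLs instead of only scanning zone files for brand names), the Python script below is example code written for this page; it is not Mike Rodenbaugh's or the APWG's code. The URL feed, the brand list, the two-entry suffix table standing in for the Public Suffix List, the digit-substitution map and the two-host threshold for calling something a subdomain service are all assumptions constructed for the example; the only real hostnames in it are the two quoted in the report.

```python
"""Group phishing URLs by registrable domain and look for brand lookalikes in the
whole URL, not just in the second-level domain name."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample feed (not the APWG data set). The first pochta.ru host and the
# labsupport.no-ip.org host are the two examples quoted in the report; the rest are made up.
SAMPLE_URLS = [
    "http://account-slgnln-elbay-fr.pochta.ru/login.php",
    "http://update-paypa1-secure.pochta.ru/",
    "http://bankname-verify.pochta.ru/index.html",
    "http://labsupport.no-ip.org/bank/",
    "http://secure-paypal.no-ip.org/",
    "http://example-hacked-site.com/~user/ebay/signin.htm",
    "http://cheap-widgets.co.uk/update/",
]

# Assumption: a tiny stand-in for the Public Suffix List. A real tool must load the
# full list, otherwise suffixes such as "co.uk" are mistaken for registrable domains.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Assumption: illustrative brand tokens; a brand owner would supply its own list.
BRANDS = ("ebay", "paypal", "bankname")

# Assumption: a registrable domain with this many distinct phishing hosts beneath it
# is treated as a subdomain service rather than as a one-off malicious registration.
SUBDOMAIN_SERVICE_THRESHOLD = 2


def registrable_domain(host):
    """Return the domain a registrar would sponsor (second level, or third under co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes such as 'elbay'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_hits(text):
    """Tokens of `text` that equal a brand name or are within one edit of it.

    Digit-for-letter swaps are undone first (assumption: only '1'->'l' and '0'->'o'),
    so the token reported for 'paypa1' is the normalized form 'paypal'.
    """
    normalized = text.lower().translate(str.maketrans("10", "lo"))
    hits = []
    for token in re.split(r"[^a-z0-9]+", normalized):
        for brand in BRANDS:
            if token and edit_distance(token, brand) <= 1:
                hits.append((token, brand))
    return hits


def analyze(urls):
    """Per-domain host sets, likely subdomain services, and brand hits computed two ways."""
    hosts_by_domain = defaultdict(set)
    hits_full_url = {}
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        hosts_by_domain[registrable_domain(host)].add(host)
        # Scan host and path together: the brand string usually sits in the subdomain or path.
        hits_full_url[url] = brand_hits(host + parts.path)

    services = sorted(d for d, h in hosts_by_domain.items() if len(h) >= SUBDOMAIN_SERVICE_THRESHOLD)
    subdomain_hosts = sum(len(hosts_by_domain[d]) for d in services)
    regular_domains = len(hosts_by_domain) - len(services)
    return {
        "hosts_by_domain": {d: sorted(h) for d, h in hosts_by_domain.items()},
        "subdomain_services": services,
        # The report's accounting: each subdomain host counted as if it were a domain.
        "subdomain_share": subdomain_hosts / (regular_domains + subdomain_hosts),
        "brand_hits_full_url": hits_full_url,
        # What zone-file pattern scanning alone sees: only the registrable domain's labels.
        "brand_hits_registrable_only": {d: brand_hits(d) for d in hosts_by_domain if brand_hits(d)},
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_URLS)
    for domain in result["subdomain_services"]:
        print(f"likely subdomain service: {domain} ({len(result['hosts_by_domain'][domain])} hosts)")
    print(f"share of entries that are subdomain hosts: {result['subdomain_share']:.0%}")
    for url, hits in result["brand_hits_full_url"].items():
        if hits:
            print(f"brand lookalike in full URL: {url} -> {hits}")
    print(f"brand hits in registrable domains alone: {result['brand_hits_registrable_only']}")
```

On this constructed feed, zone-file style matching over the four registrable domains finds no brand at all, while the full-URL scan flags five of the seven URLs, including the "elbay" subdomain beneath pochta.ru; that gap is the report's reason for collecting whole URLs. Grouping hosts by registrable domain is also what makes "suspend the main domain" visibly the wrong response: the same pochta.ru entry that carries three phishes would carry every legitimate customer as well.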