Let's say bulk means 50 registrations before alarms start to sound.
Then the criminals will simply start pulling data from fake ID generator APIs and connect those to the registrar/reseller APIs and generate new unique RNH data/contacts. If that sounds out of the realm of possibilities, consider that I have already seen criminals doing this to avoid detection in 2018. Every BEC fraud domain had a unique registrant and they had registered 200 domains total. Their OPSEC was pretty good on the registrant side of things; on the technical infrastructure side, it was an absolute mess and very easy to track down and shut down such domain names.
On 05/04/2022 12:25, Michele Neylon - Blacknight wrote:
> John
>
> But what is your definition of “bulk”?
>
It is a very tricky question, Michele,
I don't have an exact definition yet.
There can be a lot of activity going on with a gTLD that might appear to
be bulk registrations but without WHOIS data to measure the
concentration of registrations, a spike due to a registry or registrar
promotion might be considered "bulk". The concentration (new domain
names to registrants) might help.
> How many domains registered at once constitute “bulk”?
>
> 10?
I've definitely registered this many at a time across TLDs for brand
protection purposes.
>
> 100?
>
> 1000?
>
> Over what period of time?
>
> Minutes?
>
> Hours?
>
> Days?
It would have to be over a few months at least. Otherwise celebrity and
event driven registrations and speculative bubbles will get lumped into
the set.
> Can the “definition” be applied to all TLDs?
Not unless there is a data element. It would be better to approach it on
a TLD-specific basis that takes the performance of the TLD into account.
Some TLDs may not have bulk registration issues.
> I’d argue that there’s a massive difference between say 100 domains
> being registered in .bank vs in .store (as a silly example)
Agreed. Heavy discounting is now an established feature of many gTLDs.
The problem is that the absence of WHOIS data and registration patterns
makes it a lot more difficult to identify abusive registrations. Without
heavy discounting, some new gTLDs would have to spend a lot more money
on marketing their gTLD in a highly competitive market and would end up
with far fewer registrations than they have now.
There was a recommendation in the CCT report that ICANN track pricing
data. If ICANN had this kind of data to hand then it would be very
helpful in defining bulk registrations and identifying trends that are
direct results of heavy discounting. It still gets back to the problem
of identifying what registrations are registered for malicious purposes
and that's getting into Precog/Minority Report territory where the
software and technology is just not good enough to guess the intent of
all registrants.
Regards...jmcc
>
> Regards
>
> Michele
>
> --
>
> Mr Michele Neylon
>
> Blacknight Solutions
>
> Hosting, Colocation & Domains
>
>
>
> Intl. +353 (0) 59 9183072
>
> Direct Dial: +353 (0)59 9183090
>
>
>
> -------------------------------
>
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>
> Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
>
>
>
>
--
**********************************************************
22 Viewmount * Domain Registrations Statistics
Waterford * Domnomics - the business of domain names
IE * Skype: hosterstats.com
**********************************************************