The Bulk Registrations issue and why it is complex
This is a kind of introduction to bulk registrations based on tracking domain name statistics and running Web Usage surveys that measure the rates of usage in gTLDs and ccTLDs. I've left out the brand protection/IP aspect as that's really covered by UDRP and URS.

The bulk registrations problem is complex but DA is only part of it. While spam, botnet C&C and some other registrations are problems in terms of DA, many bulk registrations are often borderline "content abuse" problems.

Some search engines still have problems with handling links from websites and it is not uncommon to see large numbers of webspam websites generated from scraped web content from legitimate websites, Social Media and even search engine results. The more inbound links a website has, the more authoritative it appears. Some search engines have been fighting this problem for years.

The software that produces these webspam sites is quite sophisticated and it can churn out thousands of these sites in a few hours. The essential element is low priced or free domain names. These websites are typically one year registrations. They do not renew. This is because the economics do not justify paying the full-priced renewal fee. It is cheaper to register another heavily discounted domain name either in the same gTLD or another gTLD where there is a heavily discounted registrations offer running.

There is also a speculative element to some bulk registrations in that there are often mini-bubbles which target short domain names (four letter (4Ls), five letter (5Ls) and some numerical domain names). Many of the registries or brand owners have already registered the three letter domain names. Again, some of these trends are linked to discounting offers. They are not abusive registrations and often end up on domain name sales sites. These trends may start in one gTLD and then, once the 4Ls are all registered in that gTLD, move into other gTLDs. The Chinese bubble in .COM and other legacy gTLDs is a good example of this kind of trend. Most of the bubble registrations did not renew.

Affiliate landers (adult and gambling) are also a feature of bulk registrations. There has been somewhat of a shift away from parking undeveloped domain names on pay per click (PPC) landing pages. Again, these types of bulk registrations have a high attrition rate. These affiliate landers have similarities to the automatically generated websites mentioned above.

That leaves the real problem categories in bulk registrations. Disposable registrations used for spam are part of the bulk registrations spectrum but detecting them is made more difficult by the damage that GDPR and the reaction to GDPR have caused on WHOIS. The problem of deciding what is and is not a spam domain name is compounded by the fact that the majority of domain names in most gTLDs do not have developed websites. The blacklists generally operate on the principle of detected use rather than identifying intent.

Registration for botnet C&C, phishing, pharming and other forms of abuse can be obvious and non-obvious. Domain generation algorithms used for C&C and other malware generate pseudorandom domain names but sometimes these registrations already exist. The problem with a simple approach is that some languages, like those in China, may use numbers as part of a domain name because they sound like other words. To someone with only experience of English, they may appear to be a random string of characters.

Separating these abusive registrations is quite difficult. In the absence of WHOIS data and other data it is extremely difficult to guess the intent of the registrant. With some of the affiliate lander registrations, there is often a clustering pattern in both gTLD and webservers. But that only happens with domain names that have websites. Spam registrations may only be detected once used for spam and even then they have a finite lifespan. (Heavily discounted registrations are disposable.)

These are the Quick Delta numbers and percentages of some new gTLDs. The Quick Delta compares a gTLD's zonefile with the zonefile from a year ago.

              March 2021    Retained    Deleted      Retained %   Deleted %
    -          1,317,370      80,358    1,237,012          6.10       93.90
    -            246,344      22,025      224,319          8.94       91.06
    -             32,838       2,972       29,866          9.05       90.95

Other new gTLDs are quite normal and some even have Quick Delta rates approaching those of ccTLDs (very stable). Discounting is part of the business model of registries. They use it to grow the number of domain names under management.

The theory is much like throwing mud at a wall to see how much sticks. A small percentage of domain names will renew at full fee. A registry will gradually build up a core set of domain names that may keep renewing but the vast majority delete without being renewed. Somewhere in those bulk registrations are the abusive registrations. It is made more difficult by the fact that most bulk registrations are one year registrations and the bulk registration problem is a moving target.

Regards...jmcc
-- 
**********************************************************
John McCormac  *  e-mail: jmcc@hosterstats.com
MC2            *  web: http://www.hosterstats.com/
22 Viewmount   *  Domain Registrations Statistics
Waterford      *  Domnomics - the business of domain names
Ireland        *  https://amzn.to/2OPtEIO
IE             *  Skype: hosterstats.com
**********************************************************
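The Quick Delta described above (last year's zone file against this year's, counting retained and deleted delegations), as an added example that is not part of the post; the "example" TLD and the zone-file excerpts are constructed, and the parser assumes the explicit-TTL NS-record layout shown.

```python
"""Quick Delta for a gTLD: compare this year's zone file with the zone
file from a year earlier and report how many of last year's delegated
names were retained or deleted.

Added example, not part of the mailing list post.  The two zone-file
excerpts below are constructed for illustration; the TLD "example" and
the names in it are hypothetical.
"""
import re
from dataclasses import dataclass

# Constructed zone-file excerpts in the usual "owner TTL IN NS target"
# layout.  A delegated name appears once per name server, so the same
# label shows up on several lines; a Quick Delta counts each name once.
# Apex records and glue address records are included to show that the
# parser skips them.
ZONE_LAST_YEAR = """\
example.            86400 IN SOA  ns1.example. hostmaster.example. 1 1 1 1 1
example.            86400 IN NS   ns1.example.
ns1.example.        86400 IN A    192.0.2.1
alpha.example.       3600 IN NS   ns1.alpha.example.
alpha.example.       3600 IN NS   ns2.alpha.example.
ns1.alpha.example.   3600 IN A    192.0.2.10
ns2.alpha.example.   3600 IN A    192.0.2.11
beta.example.        3600 IN NS   ns1.alpha.example.
gamma.example.       3600 IN NS   ns1.alpha.example.
delta.example.       3600 IN NS   ns1.alpha.example.
epsilon.example.     3600 IN NS   ns1.alpha.example.
"""

ZONE_THIS_YEAR = """\
example.            86400 IN SOA  ns1.example. hostmaster.example. 2 1 1 1 1
example.            86400 IN NS   ns1.example.
ns1.example.        86400 IN A    192.0.2.1
alpha.example.       3600 IN NS   ns1.alpha.example.
alpha.example.       3600 IN NS   ns2.alpha.example.
ns1.alpha.example.   3600 IN A    192.0.2.10
ns2.alpha.example.   3600 IN A    192.0.2.11
beta.example.        3600 IN NS   ns1.alpha.example.
zeta.example.        3600 IN NS   ns1.alpha.example.
eta.example.         3600 IN NS   ns1.alpha.example.
"""


def delegated_names(zone_text: str, tld: str) -> set[str]:
    """Return the set of second-level names delegated in a zone file.

    A name is counted when it has at least one NS record whose owner is
    exactly <label>.<tld>.  Apex records and glue A/AAAA records are
    ignored, and duplicate NS lines collapse into one entry.  Assumes
    the explicit-TTL layout used above; real zone files may also rely
    on $TTL defaults or relative owner names, which need a fuller parser.
    """
    pattern = re.compile(
        r"^(?P<label>[a-z0-9-]+)\." + re.escape(tld) + r"\.\s+\d+\s+IN\s+NS\s",
        re.IGNORECASE | re.MULTILINE,
    )
    return {f"{m.group('label').lower()}.{tld}" for m in pattern.finditer(zone_text)}


@dataclass(frozen=True)
class QuickDelta:
    base: int            # names delegated a year ago
    retained: int        # of those, still delegated now
    deleted: int         # of those, no longer in the zone
    retained_pct: float  # retained / base, in percent
    deleted_pct: float   # deleted / base, in percent


def delta_percentages(base: int, retained: int, deleted: int) -> tuple[float, float]:
    """Percentages rounded to two decimals, as in the table in the post."""
    if base == 0:
        return 0.0, 0.0
    return round(100.0 * retained / base, 2), round(100.0 * deleted / base, 2)


def quick_delta(old_zone: str, new_zone: str, tld: str) -> QuickDelta:
    """Compare last year's delegations with this year's."""
    old_names = delegated_names(old_zone, tld)
    new_names = delegated_names(new_zone, tld)
    retained = len(old_names & new_names)
    deleted = len(old_names - new_names)
    return QuickDelta(len(old_names), retained, deleted,
                      *delta_percentages(len(old_names), retained, deleted))


if __name__ == "__main__":
    qd = quick_delta(ZONE_LAST_YEAR, ZONE_THIS_YEAR, "example")
    print(f"base {qd.base}, retained {qd.retained} ({qd.retained_pct}%), "
          f"deleted {qd.deleted} ({qd.deleted_pct}%)")
    # First row of the March 2021 table in the post, recomputed from its counts:
    print(delta_percentages(1_317_370, 80_358, 1_237_012))  # (6.1, 93.9)
```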
Good write up John,

Do you have any stats on DGA botnet domains? I have not seen much of those in the last few years, but since Avalanche (2016) and Conficker (2008) they are not the size they used to be? I do see them at other places, blockchain, IOT, dropbox API abuse.

Thanks in advance.

Theo

On Sun, Apr 3, 2022, at 6:21 PM, John McCormac via CPWG wrote:
_______________________________________________
CPWG mailing list
CPWG@icann.org
https://mm.icann.org/mailman/listinfo/cpwg
On 03/04/2022 19:39, Theo Geurts via CPWG wrote:
Good write up John,
Do you have any stats on DGA botnet domains? I have not seen much of those in the last few years, but since Avalanche (2016) and Conficker (2008) they are not the size they used to be? I do see them at other places, blockchain, IOT, dropbox API abuse.
I haven't been specifically tracking botnet domains, Theo. One possible reason for the decline in the size of DGA networks might be due to the algorithms being cracked and registries being more willing to cooperate. Bad actors may also seek to obscure their footprint as much as possible and using multiple algorithms with smaller networks is an effective way to do it. With discounted new gTLDs, they also can distribute DGA domain names.

Again, the scale of one year registrations works in their favour. Even .COM has about 43% non-renewals (it varies by month/season) for first year registrations.

Regards...jmcc
Dear All,

This e-mail thread is very interesting. Thank you.

I prefer starting with the White Paper "Criminal Abuse of Domain Names: Bulk Registration and Contact Information Access" at https://interisle.net/criminaldomainabuse.html. It makes good reading.

Sincerely,
Gopal T V
0 9840121302
https://vidwan.inflibnet.ac.in/profile/57545
https://www.facebook.com/gopal.tadepalli
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dr. T V Gopal
Professor
Department of Computer Science and Engineering
College of Engineering
Anna University
Chennai - 600 025, INDIA
Ph : (Off) 22351723 Extn. 3340 (Res) 24454753
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

On 2022-04-04 01:24, John McCormac via CPWG wrote:
John

But what is your definition of “bulk”?

How many domains registered at once constitute “bulk”? 10? 100? 1000?

Over what period of time? Minutes? Hours? Days?

Can the “definition” be applied to all TLDs?

I’d argue that there’s a massive difference between say 100 domains being registered in .bank vs in .store (as a silly example)

Regards

Michele
-- 
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845
On 05/04/2022 12:25, Michele Neylon - Blacknight wrote:
John
But what is your definition of “bulk”?
It is a very tricky question, Michele, I don't have an exact definition yet. There can be a lot of activity going on with a gTLD that might appear to be bulk registrations but without WHOIS data to measure the concentration of registrations, a spike due to a registry or registrar promotion might be considered "bulk". The concentration (new domain names to registrants) might help.
How many domains registered at once constitute “bulk”?
10?
I've definitely registered this many at a time across TLDs for brand protection purposes.
100?
1000?
Over what period of time?
Minutes?
Hours?
Days?
It would have to be over a few months at least. Otherwise celebrity and event driven registrations and speculative bubbles will get lumped into the set.
Can the “definition” be applied to all TLDs?
Not unless there is a data element. It would be better to approach it on a TLD-specific basis that takes the performance of the TLD into account. Some TLDs may not have bulk registration issues.
I’d argue that there’s a massive difference between say 100 domains being registered in .bank vs in .store (as a silly example)
Agreed. Heavy discounting is now an established feature of many gTLDs. The problem is that the absence of WHOIS data and registration patterns makes it a lot more difficult to identify abusive registrations. Without heavy discounting, some new gTLDs would have to spend a lot more money on marketing their gTLD in a highly competitive market and would end up with far fewer registrations than they have now.

There was a recommendation in the CCT report that ICANN track pricing data. If ICANN had this kind of data to hand then it would be very helpful in defining bulk registrations and identifying trends that are direct results of heavy discounting. It still gets back to the problem of identifying what registrations are registered for malicious purposes and that's getting into Precog/Minority Report territory where the software and technology is just not good enough to guess the intent of all registrants.

Regards...jmcc
Let's say bulk means 50 registrations before alarms start to sound.

Then the criminals will simply start pulling data from fake ID generator APIs and connect those to the registrar/reseller APIs and generate new unique RNH data/contacts. If that sounds out of the realm of possibilities, consider I have already seen criminals doing this to avoid detection in 2018. Every BEC fraud domain had a unique registrant and they had registered 200 domains total. Their OPSEC was pretty good on the registrant side of things, on the technical infrastructure side, it was an absolute mess and very easy to track down and shut down such domain names.

Best,
Theo

On Tue, Apr 5, 2022, at 12:40 PM, John McCormac via CPWG wrote:
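The two signals the thread has been circling, John's registrant concentration over a window of a few months and the infrastructure-side clustering Theo describes as the easy part to track, worked through as an added example that is not from any of the posts; the registration records, registrant handles, name servers and the alarm threshold of 5 are all constructed.

```python
"""Two bulk-registration signals discussed in the thread, run over a
constructed batch of registration records.  Added example, not part of
any post; the registrant handles, domain names, name servers and the
alarm threshold are hypothetical.

Signal 1: concentration, i.e. new domain names per distinct registrant
over a window of a few months.
Signal 2: the same count keyed by name-server pair, which still fires
when every domain is registered under its own throwaway registrant.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Callable, Hashable


@dataclass(frozen=True)
class Registration:
    domain: str
    created: date
    registrant_id: str            # stand-in for a WHOIS/RDAP registrant handle
    nameservers: tuple[str, ...]  # kept sorted so the same pair compares equal


def _rec(domain: str, created: date, registrant: str, *ns: str) -> Registration:
    return Registration(domain, created, registrant, tuple(sorted(ns)))


# Constructed sample for one hypothetical gTLD ("example"):
RECORDS = (
    # (a) one registrant handle, eight names spread over two months
    [_rec(f"site{i}.example", date(2022, 1 + i // 4, 3 + i), "R-1001",
          "ns1.park.test", "ns2.park.test") for i in range(8)]
    # (b) eight names with a unique registrant each, all on one NS pair
    + [_rec(f"offer{i}.example", date(2022, 2, 1 + i), f"R-{2000 + i}",
            "ns1.cheap.test", "ns2.cheap.test") for i in range(8)]
    # (c) a promotion week: many registrants on many unrelated hosts
    + [_rec(f"shop{i}.example", date(2022, 3, 1 + i), f"R-{3000 + i}",
            f"ns1.host{i}.test") for i in range(10)]
    # (d) an older name from registrant R-1001, outside the window
    + [_rec("old.example", date(2021, 6, 1), "R-1001", "ns1.park.test")]
)

# A window of a few months, so that one-off event-driven spikes are not
# mistaken for bulk activity.
START, END = date(2022, 1, 1), date(2022, 3, 31)
THRESHOLD = 5  # constructed alarm level; the thread does not settle on one


def in_window(records, start=START, end=END) -> list:
    return [r for r in records if start <= r.created <= end]


def concentration(records, start=START, end=END) -> float:
    """New names per distinct registrant.  1.0 means every name has its
    own registrant; higher values mean registrants are repeating."""
    window = in_window(records, start, end)
    registrants = {r.registrant_id for r in window}
    return len(window) / len(registrants) if registrants else 0.0


def clusters(records, key: Callable[[Registration], Hashable],
             threshold=THRESHOLD, start=START, end=END) -> dict:
    """Key values that account for at least `threshold` registrations."""
    counts = Counter(key(r) for r in in_window(records, start, end))
    return {k: n for k, n in counts.items() if n >= threshold}


def registrant_clusters(records=RECORDS) -> dict:
    return clusters(records, lambda r: r.registrant_id)


def nameserver_clusters(records=RECORDS) -> dict:
    return clusters(records, lambda r: r.nameservers)


def flagged_domains(records=RECORDS) -> set[str]:
    """Domains caught by either signal.  Group (b) is only caught by the
    name-server view, since each of its names has a unique registrant."""
    by_reg = registrant_clusters(records)
    by_ns = nameserver_clusters(records)
    return {r.domain for r in in_window(records)
            if r.registrant_id in by_reg or r.nameservers in by_ns}


if __name__ == "__main__":
    print(f"concentration: {concentration(RECORDS):.2f} names per registrant")
    print("registrant clusters:", registrant_clusters())
    print("name-server clusters:", nameserver_clusters())
    print("flagged:", sorted(flagged_domains()))
```

With contact data unavailable or deliberately unique per name, only the name-server view catches group (b); the promotion-week group (c) trips neither signal.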
Dear All,

The National Internet Exchange of India (NIXI) placed restrictions on bulk registering of .in domains due to “national security” reasons. NIXI is the government-appointed authority responsible for managing .in domains.

Explicit approval from NIXI for:
  Individual registrants looking to register more than two domains
  Registered accredited company looking to register more than a hundred domains

It opens a debate on the other end of the spectrum, i.e. "Red Tape".

Your thoughts...

Sincerely,
Gopal T V

On 2022-04-05 18:40, Theo Geurts via CPWG wrote:
As far as my current intel on this goes, NIXI replaced this with another requirement a few weeks ago.

Theo

On Tue, Apr 5, 2022, at 1:20 PM, gopal@annauniv.edu wrote:
The problem is that the absence of WHOIS data and registration patterns
makes it a lot more difficult to identify abusive registrations. Without
heavy discounting, some new gTLDs would have to spend a lot more money
on marketing their gTLD in a highly competitive market and would end up
with far fewer registrations than they have now.
There was a recommendation in the CCT report that ICANN track pricing
data. If ICANN had this kind of data to hand then it would be very
helpful in defining bulk registrations and identifying trends that are
direct results of heavy discounting. It still gets back to the problem
of identifying what registrations are registered for malicious purposes
and that's getting into Precog/Minority Report territory where the
software and technology is just not good enough to guess the intent of
all registrants.
Regards...jmcc
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/ <https://michele.blog/>
Some thoughts: https://ceo.hosting/ <https://ceo.hosting/>
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
--
**********************************************************
John McCormac * e-mail: jmcc@hosterstats.com
MC2 * web: http://www.hosterstats.com/
22 Viewmount * Domain Registrations Statistics
Waterford * Domnomics - the business of domain names
Ireland * https://amzn.to/2OPtEIO
IE * Skype: hosterstats.com
**********************************************************
_______________________________________________
CPWG mailing list
CPWG@icann.org
https://mm.icann.org/mailman/listinfo/cpwg
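The registrant-concentration measure John McCormac raises in the quoted exchange above (new names per registrant, counted per TLD and over a window of months rather than as a raw daily total) can be made concrete with a small script. This is an added example, not code from the thread or from any of the participants; the registration records, the registrant handles (standing in for an RNH identifier) and the per-TLD thresholds are all constructed for illustration.

```python
"""Registrant-concentration check over a registration feed.

Added example; not code from the CPWG thread. Records, registrant
handles and per-TLD thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Registration:
    domain: str
    registrant: str  # hypothetical stable registrant handle (RNH id)
    created: date


def tld_of(domain: str) -> str:
    """Return the TLD of a domain name with a leading dot."""
    return "." + domain.rsplit(".", 1)[-1]


def daily_totals(records):
    """Raw new-registration counts per (tld, day): the view a zone file or
    TLD statistics page gives when no registrant data is available."""
    totals = defaultdict(int)
    for r in records:
        totals[(tld_of(r.domain), r.created)] += 1
    return dict(totals)


def concentration(records, window_days):
    """Peak number of names one registrant created in one TLD inside any
    window of `window_days` consecutive days. Returns {(tld, registrant): peak}."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(tld_of(r.domain), r.registrant)].append(r.created)
    peaks = {}
    for key, dates in by_key.items():
        dates.sort()
        peak, lo = 0, 0
        for hi, d in enumerate(dates):
            # Slide the left edge until the window spans at most window_days.
            while d - dates[lo] > timedelta(days=window_days - 1):
                lo += 1
            peak = max(peak, hi - lo + 1)
        peaks[key] = peak
    return peaks


def flag_bulk(records, thresholds, window_days=90, default_threshold=50):
    """(tld, registrant, peak) for registrants whose concentration exceeds
    the TLD-specific threshold; thresholds are constructed values."""
    flagged = []
    for (tld, registrant), peak in concentration(records, window_days).items():
        if peak > thresholds.get(tld, default_threshold):
            flagged.append((tld, registrant, peak))
    return sorted(flagged)


# Constructed thresholds: a restricted TLD tolerates far less than an open one.
THRESHOLDS = {".bank": 2, ".store": 5}


def sample_records():
    """Constructed feed: a promotion-day spike, one steady accumulator and
    a small cluster in a restricted TLD."""
    day0 = date(2022, 3, 1)
    recs = []
    # Promotion day in .store: 12 unrelated registrants, one name each.
    for i in range(12):
        recs.append(Registration(f"promo{i}.store", f"r-{i:03d}", day0))
    # One registrant accumulating .store names every ten days for two months.
    for i in range(6):
        recs.append(Registration(f"set{i}.store", "r-bulk", day0 + timedelta(days=10 * i)))
    # Three .bank names from one registrant inside a week.
    for i in range(3):
        recs.append(Registration(f"acme{i}.bank", "r-acme", day0 + timedelta(days=2 * i)))
    return recs


if __name__ == "__main__":
    recs = sample_records()
    print("busiest day:", max(daily_totals(recs).items(), key=lambda kv: kv[1]))
    print("90-day window:", flag_bulk(recs, THRESHOLDS, window_days=90))
    print("30-day window:", flag_bulk(recs, THRESHOLDS, window_days=30))
```

On the constructed feed the raw daily total shows 13 new .store names on the promotion day, which looks like bulk activity, yet every registrant involved except one has a concentration of 1. Over a 90-day window the accumulating .store registrant (6 names) and the .bank registrant (3 names) are the only ones over their TLD thresholds; shortening the window to 30 days drops the .store registrant below threshold, which is the point about needing a few months of data before a pattern separates from a promotion spike.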
Yes, thanks. I should have mentioned "as on 11 March 2022" in the context of the NIXI Regulations included in my mail. I am sorry, I could check only until this date. I will be happy to look at any further developments in this direction from NIXI.
Gopal T V
0 9840121302
https://vidwan.inflibnet.ac.in/profile/57545
https://www.facebook.com/gopal.tadepalli
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dr. T V Gopal
Professor
Department of Computer Science and Engineering
College of Engineering
Anna University
Chennai - 600 025, INDIA
Ph : (Off) 22351723 Extn. 3340
(Res) 24454753
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
On 2022-04-05 19:01, Theo Geurts wrote:
As far as my current intel on this goes is that NIXI replaced this with another requirement a few weeks ago.
Theo
Yes Theo, NIXI revoked the restrictions. This is the link to the new KYC process NIXI has adopted: https://www.registry.in/registry/images/page/e_KYC.pdf
Regards,
Amrita
From: CPWG <cpwg-bounces@icann.org> On Behalf Of Theo Geurts via CPWG
Sent: 05 April 2022 19:01
To: gopal@annauniv.edu; Bill Jouris via CPWG <cpwg@icann.org>
Subject: Re: [CPWG] The Bulk Registrations issue and why it is complex
As far as my current intel on this goes, NIXI replaced this with another requirement a few weeks ago.
Theo
participants (5)
- Amrita CCAOI
- gopal@annauniv.edu
- John McCormac
- Michele Neylon - Blacknight
- Theo Geurts