By Dancho Danchev
On a daily basis, spammers register thousands of new domains across multiple domain registrars, and take advantage of WHOIS privacy services to ensure that security researchers and anti-spam fighters will have a hard time taking them down. So what can we do about it?
According to newly released research by Knujon.com, proper screening could have prevented 67% of those abusive domain registrations.
KnujOn.com LLC is proud to release this briefing of our Abused Internet Domain Registration Analysis for Calculating Risk and Mitigating Malicious Activity. KnujOn reviewed nearly one million WHOIS records from domain names advertised with spam in 2011 and found that 22.8% of the rogue registrations could be blocked with fundamental validation. Another 67.5% could be filtered or held for additional screening with a robust analysis developed in response to our findings. This study focused exclusively on the Administrator Email Address in each WHOIS record. We are confident that this promising method could prevent slightly more than 90% of truly abusive registrations, potentially curtailing the 14 million distinct spam instances which supplied the test data.
The main problem according to KnujOn.com has to do with the fact that domain registrars think that proper and in-depth screening of new domain registrations will slow down the entire registration process, allowing cybercriminals to actively abuse their services in an automated fashion.
KnujOn.com gives this example of a fraudulent pharmaceutical scam site that’s using the domain registration details of the Los Angeles Times, a registration which could have been prevented if secondary screening of the WHOIS record had been in place. The research further examines the connection between WHOIS privacy services and abusive domain registrations:
In our study there were 956,702 unique abused domain names with 237,557 unique administrator email addresses in their registrations. These email addresses were at 71,484 unique administrator email address domains, but more than 55% of the abuse originated from just 50 administrator email domains. Within 500 of the worst administrator email domains we see 73% of the abuse. This percentage of abuse only rises to 77% at the 1000 worst administrator email domain mark.
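The two layers the report describes, a fundamental validation of the administrator e-mail address and a secondary hold based on how concentrated the abuse is among a small set of administrator e-mail domains, can be sketched as a small registrar-side screening pass. The following is an added illustration, not KnujOn's method or code: the WHOIS records are constructed, the syntax check is a plain regular expression, and the "watchlist" is simply the top-N administrator e-mail domains from an earlier batch of abused registrations (an assumption about how such a list would be built).

```python
import re
from collections import Counter

# Constructed sample of (registered domain, administrator e-mail from WHOIS).
# These are made-up records for illustration, not data from the KnujOn study.
SAMPLE_RECORDS = [
    ("cheap-meds-001.example", "admin@bulkmail-a.example"),
    ("cheap-meds-002.example", "admin@bulkmail-a.example"),
    ("cheap-meds-003.example", "sales@bulkmail-a.example"),
    ("cheap-meds-004.example", "admin@bulkmail-b.example"),
    ("cheap-meds-005.example", "admin@bulkmail-b.example"),
    ("cheap-meds-006.example", "x@bulkmail-c.example"),
    ("cheap-meds-007.example", "noatsign.example"),   # fails fundamental validation: no '@'
    ("cheap-meds-008.example", "admin@localhost"),     # fails fundamental validation: no TLD
    ("cheap-meds-009.example", "admin@bulkmail-d.example"),
    ("cheap-meds-010.example", ""),                    # fails fundamental validation: empty
]

# Deliberately simple syntax check: local part, '@', at least one dotted label, 2+ letter TLD.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def fundamental_validation(email):
    """Layer 1: reject records whose administrator e-mail is not even well formed."""
    return bool(EMAIL_RE.match(email.strip()))


def admin_email_domain(email):
    """Domain part of a (validated) administrator e-mail address, lower-cased."""
    return email.strip().rsplit("@", 1)[1].lower()


def abuse_by_admin_domain(records):
    """Count abused registrations per administrator e-mail domain (valid addresses only)."""
    counter = Counter()
    for _registered_domain, email in records:
        if fundamental_validation(email):
            counter[admin_email_domain(email)] += 1
    return counter


def share_of_top_n(counter, n):
    """Fraction of abuse attributable to the n most-used administrator e-mail domains
    (the concentration figure the report expresses as 55%/73%/77% for 50/500/1000 domains)."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return sum(count for _domain, count in counter.most_common(n)) / total


def build_watchlist(records, n):
    """Assumed construction: the top-n administrator e-mail domains from a prior abuse batch."""
    return {domain for domain, _count in abuse_by_admin_domain(records).most_common(n)}


def screen(records, watchlist):
    """Layer 2: map each registered domain to 'reject', 'hold' (secondary screening) or 'accept'."""
    decisions = {}
    for registered_domain, email in records:
        if not fundamental_validation(email):
            decisions[registered_domain] = "reject"
        elif admin_email_domain(email) in watchlist:
            decisions[registered_domain] = "hold"
        else:
            decisions[registered_domain] = "accept"
    return decisions


def summarize(decisions):
    """Counts per decision, handy for reporting how much a screening policy would have caught."""
    return dict(Counter(decisions.values()))


if __name__ == "__main__":
    counts = abuse_by_admin_domain(SAMPLE_RECORDS)
    print("abuse per admin e-mail domain:", counts.most_common())
    print("share of abuse from top 2 admin domains: %.2f" % share_of_top_n(counts, 2))
    watchlist = build_watchlist(SAMPLE_RECORDS, 2)
    print("decisions:", summarize(screen(SAMPLE_RECORDS, watchlist)))
```

In practice the watchlist would be built from historical abuse data and refreshed per batch, and the "hold" decision would route the registration to a human or a slower automated check rather than block it outright, which is the point the report makes about screening not having to slow down every registration.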
Now it’s up to the domain registrars to wake up and realize that abusive domain registrations can be prevented if proper screening policies are in place.