RE: [registrars] WG: [council] Fast Flux DNS

[Tim Ruiz <tim@xxxxxxxxxxx>]

Margie,
 
Some may be blocked before they get to my email provider, but if they
get to my provider I have it set up to allow them through but to be
filed in a special folder. At any rate, I never said the problem should
be ignored. What I said was:
 
"I still think that the most important effort right now is consumer
education, and the development/provision of tools they need to protect
themselves. Reducing the ability to phish should be an ongoing effort,
but given the success with that so far it seems mitigating the
effectiveness of a phish may be a better and more effective approach."

Efforts to reduce the ability to phish are not specific to gTLDs, (in
fact, I'd like to see what data there is on frequency of use of gTLDs,
ccTLDs, and IP addresses for phishes). Since ICANN cannot make
enforceable policy that applies to ccTLDs or IP addresses I don't see
the point in creating further inequity with policy that only gTLD
registry and registrars have to comply with.


Tim 

-------- Original Message --------
Subject: RE: [registrars] WG: [council] Fast Flux DNS
From: "Margie Milam" <Margie.Milam@xxxxxxxxxxxxxxx>
Date: Mon, March 17, 2008 11:02 am
To: "Tim Ruiz" <tim@xxxxxxxxxxx>, <registrars@xxxxxxxxxxxxxx>


Tim,

One of the reasons that you may not be seeing domain related phishes in
your inbox could be related to the spam filters you use. One of our
Anti-Phishing services involves broadcasting a phishing attack to
various ISPs, browser companies and security vendors through a
"blacklisting service" that blocks or flag these emails as phish before
the end user ever sees them. 

I agree that the solution is only a partial one if ccTLDs don't also
adopt a solution as well, but that does not mean that gTLDs are not
being used for these fraudulent attacks. I don't agree with your
notion that we should ignore the problem because we can't solve the
entire problem. If we can solve the domain phish problem with respect
to gTLDS, the ccTLD registries might use our success to adopt the same
solution in their registries.

Another reason for registrars to attack this problem proactively is that
it could potentially reduce the number of incidences of credit card
fraud associated with these phishing attacks. We understand that many
domain name phishes are registered using stolen credentials -- credit
card and personal information acquired through the black market. By
adopting policies that make phishing less attractive to criminals in
gTLDs, or that identify the phishes more quickly to the registrar so
that the domain name can be deleted within the 5 day AGP, registrars may
experience less credit card fraud.

Margie


-----Original Message-----
From: owner-registrars@xxxxxxxxxxxxxx
[mailto:owner-registrars@xxxxxxxxxxxxxx] On Behalf Of Tim Ruiz
Sent: Monday, March 17, 2008 6:28 AM
To: registrars@xxxxxxxxxxxxxx
Subject: RE: [registrars] WG: [council] Fast Flux DNS


I received four phish emails over the last five days. Two eBay phishes
that used IP addresses not a domain name (one from Hong Kong, one from
Austria), and two bank phishes using ccTLDs (a .co.uk and a .com.mx). If
anyone would like to see them let me know and I'll try to forward them,
although your email filters may reject them. Mine just pushes them to a
spam folder.

This is very typical of the phish emails I receive. I have not received
one using a gTLD domain name for at least weeks, probably months. I
point this out because of our recent discussion on fast-flux, my point
being that any GNSO policy will have little affect on what is actually
happening out there and where.

I am as interested as anyone in stopping phishing. Go Daddy cooperates
as best it can and has been a member of the APWG from early on. I just
don't think that GNSO policy will solve it, or even put a modest dent in
it. In fact, my fear is that it will detract from real efforts that may
have more success, or just confuse the real issues entirely.

I still think that the most important effort right now is consumer
education, and the development/provision of tools they need to protect
themselves. Reducing the ability to phish should be an ongoing effort,
but given the success with that so far it seems mitigating the
effectiveness of a phish may be a better and more effective approach.


Tim 

-------- Original Message --------
Subject: Re: [registrars] WG: [council] Fast Flux DNS
From: DotAlliance <helen@xxxxxxxxxxxxxxx>
Date: Thu, March 13, 2008 9:04 pm
To: registrars@xxxxxxxxxxxxxx


Tom has made some very good points.

As far as phish and other fraudulent activity detection is concerned; it
is 
an evolving field.
If we work strenuously to develop an effective scheme to stop them we
find 
they come up with new methods to bypass this.
While I am a firm believer in using ICANN solutions the result is likely
to 
be out dated for the newest schemes.
I do like the idea of publishing RSS feeds at least to ICANN registrars.
I would also very much like an informal session in which registrars can
swap 
notes on their latest schemes.
I suppose the problem is the legality in revealing specific individual
who 
appear to have more legal protection than legitimate users.
However we waste a great deal of resources on developing schemes that
are 
being duplicated and sharing can increase the repertoire of detection 
schemes for all registrars.
When we catch a phishing site or an obvious fraudulent credit card user
we 
frequency track several domain names that have been subsequently
registered 
by other registrars.
I would like a simple way of warning the other registrar, reciprocal if 
possible.
Email addresses that work.
Or perhaps a website that is password protected to registrars.
Registrars must agree not to give out this information outside.
Yes, I know there are various methods as Tim has pointed out but they do
not 
work for all registrars or indeed many.
Effective communication is required.
If we could agree on the appropriate wording that would avoid liability
but 
the underlying message is understood.
Perhaps of the line " we have concerns, this may warrant further 
investigation...)

As far as fast flux DNS we find many users who use it simply for "free" 
websites and this is their way around their ISPS s use of dynamic IPs to

circumvent just that.
So our current solution is to tag these and then some poor victim has to

sort through all these and determine which to shut down!

Helen

----- Original Message ----- 
From: "Margie Milam" <Margie.Milam@xxxxxxxxxxxxxxx>
To: <tbarrett@xxxxxxxxxxx>
Cc: <registrars@xxxxxxxxxxxxxx>
Sent: Thursday, March 13, 2008 3:24 PM
Subject: RE: [registrars] WG: [council] Fast Flux DNS


>
> Tom,
>
> You raise good points regarding the lack of tools to determine whether
> it is a legitimate phish and the potential liability for taking
action.
> These are the kinds of issues that could be addressed if registrars
were
> to attempt to address a phishing solution through ICANN. Bringing
> together registars and security vendors that fight phishing would
> facilitate an exchange of ideas/recommendations that are more likely
to
> have an impact than working with legislation written by persons
> unfamiliar with registrar operations.
>
> Also, I understand that data sharing on domain phishes is already
> occurring through email lists that include many registrars. The
problem
> is that there are many domestic and international registrars that
either
> ignore the requests or delay responding to such request. If a
registrar
> policy were developed through ICANN for domain phishes, we should
expect
> to see greater attention and response from registrars in shutting down
> these fraudulent sites.
>
> Margie
>
>
>
> -----Original Message-----
> From: Thomas Barrett - EnCirca [mailto:tbarrett@xxxxxxxxxxx]
> Sent: Sunday, March 09, 2008 7:04 PM
> To: Margie Milam; john@xxxxxxxxxxxxxxxxx
> Cc: registrars@xxxxxxxxxxxxxx
> Subject: RE: [registrars] WG: [council] Fast Flux DNS
>
>
>
> Margie,
>
> Here is my perspective, which may be shared by others: takedown
requests
> due
> to alleged phishing are sometimes indistinguishable from hi-jacking
> attempts. We do not have the right tools or resources to determine if
> the
> requestor OR the request is legitimate. What is likely needed is a
> UDRP-type challenge concensus process that would eliminate any
liability
> for
> registrars agreeing to such requests.
>
> In the interim, as a registrar, I do want to know about a domain that
is
> suspected of being used for phishing, since it will also likely result
> in a
> charge-back. I have no problem of being notified of these suspects to
> determine if a charge-back is also likely.
>
> I have a suggestion that I think would be very effective in raising
the
> awareness among registrars about the type of domains and the frequency
> of
> this problem. And might lead to registrars being more pro-active about
> this
> issue.
>
> Presumably, MarkMonitor and others are monitoring this problem on
bahalf
> of
> clients and emailing them alerts when a phishing case is detected. Why
> not
> publish these alerts as RSS feeds so registrars could subscribe to
these
> as
> well? The feed would include the domain name, registration date and
> sponsoring registrar. This would need to be done at no cost to
> registrars.
> You could promote it to your clients as an additional benefit of your
> service.
>
> I am sure that some clients feel this data should be kept confidential
> because that is how lawyers think. But publicizing it may mobilize
more
> support and help solve the problem. You could always restrict
> publication
> to just ICANN registrars, if this is a serious concern.
>
> best regards,
>
> Tom
>
>
>
> -----Original Message-----
> From: owner-registrars@xxxxxxxxxxxxxx
> [mailto:owner-registrars@xxxxxxxxxxxxxx] On Behalf Of Margie Milam
> Sent: Thursday, March 06, 2008 1:20 PM
> To: john@xxxxxxxxxxxxxxxxx
> Cc: registrars@xxxxxxxxxxxxxx
> Subject: RE: [registrars] WG: [council] Fast Flux DNS
>
>
> John,
>
> I don't know what "shenanigans" you refer to because I recall the APWG
> was
> pretty helpful in the domain tasting working group in issuing a report
> that
> stated that they generally did not see phishers using domain tasting
in
> domain based phishes. I can send you a link to that report if you
would
> like to see it.
>
> The APWG is not comprised of lawyers setting policy. The participants
> tend to be technology types who deal with online fraud. For example,
> we are a member and participate through our product managers and
> engineers
> that design and operate our anti-phishing detection and take down
> solutions.
> GoDaddy is also a member of the APWG. If registrars have technical
> objections to their recommendations, I think ICANN is the right place
to
> have this discussion to make recommendations that help solve the
problem
> and
> minimize the impact to registrar operations. We have more control over
> the
> solution if the policy comes out of the ICANN structure as opposed to
> another forum.
>
> With respect to the Anti-Phishing Bill, currently it does not deal
with
> fast-flux issues, but it certainly could be amended to address this
> problem. It includes WHOIS requirements, presumably because of the
> problems and roadblocks imposed by registrars in accessing this data
in
> the past. If registrars continue to fight proposals to address domain
> based phishes and continue to allow phishers to use their registration
> systems as a means of accomplishing their activities, we should expect
> that another solution, perhaps a legislative one, would be pursued. I
> would think it is better for registrars to come up with a solution
> through
> ICANN than to try to revise legislative initiatives written by people
> that
> don't understand the registrar business.
>
> I disagree with you that the issue does not affect or involve the
domain
> business. The issue is a problem that can be addressed by registrars
> because (i) preventing the domain name from resolving altogether will
> effectively stop the phish, and (ii) for those registrars that provide
> name
> server services, limiting the number of updates could reduce the
number
> of
> IP addresses that are utilized in a phish attack. I would like to
> understand why this is so objectionable-- and what registrars
> think would be a reasonable solution to this problem.
>
> Margie
>
>
>
> -----Original Message-----
> From: John Berryhill [mailto:john@xxxxxxxxxxxxxxxxx]
> Sent: Wednesday, March 05, 2008 9:35 PM
> To: Margie Milam; 'Thomas Keller'; 'Ross Rader'
> Cc: registrars@xxxxxxxxxxxxxx
> Subject: RE: [registrars] WG: [council] Fast Flux DNS
>
>
>
>>The Anti-Phishing Working Group has been trying for years
>>to get registrars to conform to their best practice approach.
>
> Did you actually *read* the last report?
>
> I sure did. If recent comments about the AGP are any indication, there
> are
> a whole lot of people who didn't.
>
> While we were sitting in the room in Delhi, and Paul Stahura was
> explaining
> how the AGP can be used to run fraud profile tests and delete names
that
> meet fraud profiles, I was actually reading the APWG recommendation
that
> registrars do precisely that.
>
> Now, over in the BCISPIP cross-constituency meeting, they were
> discussing
> how use of the AGP for DOING just what the APWG was recommending, was
a
> "phony excuse" for keeping the AGP.
>
> Sorry, but I call shenanigans here.
>
> Let's have a rational explanation as to why elements of the GNSO are
> hell-bent on ELIMINATING use of one of the mechanisms recommended by
the
> Anti-Phishing working group.
>
> Is there a "ten words or less" explanation that anyone has, as to WHY
> the
> BCISPIP folks DON'T want registrars to be able to implement the fraud
> profile and domain deletion recommendations of the most recent APWG
> report.
>
> Because if there isn't, this is the wrong place to come crying about
> just
> who is not interested in implementing the APWG recommendations.
>
>> As many of you may know, there is an anti-phishing bill introduced by
>> Senator Snowe in the U.S. senate that, if enacted as currently
> written,
>> would impose requirements on registrars.
>
> And the provisions of that bill relating to Fast Flux DNS are where,
> exactly? The argument that an ineffective solution from the GNSO will
> forestall an ineffective solution from elsewhere is simply posturing.
>
> I am convinced that too few people are capable of reading and
> understanding
> either the SSAC or APWG reports.
>
> The issue is not "changing name servers" rapidly. The issue is
changing
> IP
> resource records and DNS records *IN* the nameservers rapidly. It is a
> DNS
> and hosting issue, NOT a domain name registration issue.
>
> Where this whole discussion goes into stupid overdrive is that if you
> want
> to put a choke on nameserver changes, then the choke point is at the
> REGISTRY. If you believe that this issue relates to how quickly the
> designated nameservers are changed, then you simply roll back to what
we
> had
> a few years ago when you had to wait a few hours for batch updates to
> the
> .com (or other TLD) zone file.
>
> I don't know if you know how any of this stuff works, but it is the
data
> in
> the TLD zone file that identifies the IP addresses of the name servers
> in
> which DNS records can be found.
>
> REGISTRARS DON'T RUN THE ZONE SERVERS. Let those six words sink in for
> a
> few moments. Anyone who does not understand the implications of those
> six
> words to this issue is simply not qualified to participate.
>
> Catering to a group of lawyers who don't know how the internet works
> doesn't
> make sense. People can have wonderful and interesting opinions about
> lots
> of things. But if they want to participate in technical coordinating
> tasks
> relevant to a global computer network, then having a clue how that
> network
> actually works would be a great idea.
>
> So, let's re-cap the agenda:
>
> 1. The APWG wants registrars to be able to delete domain names rapidly
> soon
> after registration if fraud is detected. Much of the GNSO would like
to
> eliminate that capability.
>
> 2. There is a security issue arising, in part, from too many changes
> being
> permitted to records in the TLD zone files maintained by the
REGISTRIES.
> Solving this problem is the responsibility of the REGISTRARS.
>
> 3. Agreeing to an irrelevant and ineffective ICANN GNSO proposal will
> prevent the US Government from doing silly things.
>
> Hey, here's a "best practice" - how about if the Telco's and ISP's
quit
> shipping everyone's phone and internet traffic to the US Government
> without
> a warrant (even a retroactive warrant). Boy, it's a good thing we
don't
> have outfits like that proposing ICANN policy.
>
> Oh, wait a minute. We do!
>
> We obviously need better lobbyists. ICANN participants in the other
> constituencies can get their very own law that permits them to engage
in
> criminal activity with immunity, but we have to pretend to be solving
a
> problem by agreeing to a solution that won't solve the problem, or
we'll
> be
> in big trouble.
>
>
>
>
>
>
>
> -- 
> No virus found in this incoming message.
> Checked by AVG.
> Version: 7.5.519 / Virus Database: 269.21.7/1328 - Release Date: 
> 13/03/2008 11:31 AM
>
>