
Anti-spam organisation Spamhaus has taken the unusual step of putting an entry for Austrian Domain Registrar Nic.at on its Spamhaus Block List (SBL). Nic.at was listed for "knowingly providing services" to hundreds of spam phishing domains run by a Russian cybercrime phishing gang, called 'Rock Phish'. Rock, paper, scissors …

COMMENTS

This topic is closed for new posts.
  1. Morely Dotes

    Historical problem

    NIC.AT has never been cooperative at de-registering domains known to be operated for phishing or spamming, in my experience. My solution was simple: any domain ending in ".AT" is firewalled from our servers here at SpamBlocked.com.

    We have no intention of changing this policy in the foreseeable future.

  2. G2

    FYI, IP addresses ending in 0 CAN BE VALID HOSTS

    quote:

    IPs ending in 0 are never in use anywhere. So the listing is symbolic.

    /endquote

    Hmmm, someone skipped a few classes in IP networking.

    FYI, IP addresses ending in 0, such as 192.174.68.0, CAN be valid and actively used if the netmask for that particular network is appropriately adjusted.

    Network masks and CIDR are a great way of addressing things, so that even addresses ending in .0 are valid.

    For example:

    IP address 192.168.55.0 with a netmask of 255.255.0.0 CAN be accessed from a host with the address 192.168.77.123 and the same netmask. Thus, the host part of the address is 55.0 and not "0". 192.168.0.0 is the unusable address in this case.

    In the case of NIC.at though, 192.174.68.0/32 seems to be indeed a network address, unusable, because they are registered at RIPE as a /24 class:

    route: 192.174.68.0/24

    descr: NICat-NET

    origin: AS1921

    mnt-by: AS760-MNT

    Just my 0.02€

  3. Anonymous Coward

    the 0/32 entry

    If the SBL entry for Nic.at really is 0/32 (I'm unable to check as spamhaus.org seems to be barely reachable right now) then this really is a null entry. 0/32 is CIDR notation for the single IP address 0.0.0.0, which really doesn't appear on the Internet. 0/32 does *not* denote any IP address ending with .0, which (as G2 pointed out) can be a perfectly valid host address. Tsk, tsk, El Reg!
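
The two comments above turn on one point: whether an address ending in .0 is usable depends on the prefix length it is configured with, and "0/32" is shorthand for the single address 0.0.0.0, not for "anything ending in .0". The following Python, added here as an illustration and not part of any commenter's post, checks both claims with the standard `ipaddress` module. It assumes the usual right-padding convention for prefix shorthand ("10/8" means 10.0.0.0/8), and the listings it runs over are constructed sample values taken from the addresses quoted in this thread.

```python
import ipaddress

# Constructed sample listings, built from the addresses quoted in the thread.
SAMPLE_LISTINGS = ["0/32", "192.174.68.0/24", "192.174.68.0/32"]


def expand_cidr(cidr):
    """Expand prefix shorthand such as '0/32' or '10/8' into dotted-quad form.

    Assumes the right-padding convention used for prefixes ('10/8' is
    10.0.0.0/8), which is deliberately NOT what inet_aton() does with
    short forms. A missing prefix length is taken to mean a single host (/32).
    """
    addr, _, plen = cidr.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address: {addr!r}")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + "/" + (plen or "32")


def listing_size(cidr):
    """Number of addresses a listing covers: 0/32 -> 1, x.y.z.0/24 -> 256.

    strict=True makes a listing with host bits set (e.g. 192.174.68.5/24)
    raise ValueError, since such an entry is malformed.
    """
    return ipaddress.IPv4Network(expand_cidr(cidr), strict=True).num_addresses


def is_null_listing(cidr):
    """True when a listing covers only 0.0.0.0, an address no Internet host uses."""
    net = ipaddress.IPv4Network(expand_cidr(cidr), strict=True)
    return net.num_addresses == 1 and net.network_address == ipaddress.IPv4Address("0.0.0.0")


def classify(addr_str, prefixlen):
    """Say whether addr_str is the network address, the broadcast address or a
    plain host address under the prefix length it is configured with.

    The same dotted-quad can be any of the three: 192.168.55.0 is a host
    under /16 but the network address under /24.
    """
    addr = ipaddress.IPv4Address(addr_str)
    net = ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)
    if prefixlen >= 31:
        # /31 (RFC 3021 point-to-point links) and /32 reserve no addresses.
        return "host"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


if __name__ == "__main__":
    for a, p in [("192.168.55.0", 16), ("192.168.55.0", 24), ("192.168.0.0", 16),
                 ("192.174.68.0", 24), ("192.174.68.0", 32)]:
        print(f"{a}/{p}: {classify(a, p)}")
    for listing in SAMPLE_LISTINGS:
        print(f"{listing} -> {expand_cidr(listing)} covers {listing_size(listing)} "
              f"address(es), null listing: {is_null_listing(listing)}")
```

Run as a script it prints the classification of each sample address and shows that 0/32 expands to exactly one address, 0.0.0.0, while 192.174.68.0/24 covers 256 addresses of which 192.174.68.0 is the network address. A block list consumer that expands an entry this way before matching will never confuse a /32 on 0.0.0.0 with "every address ending in .0".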

  4. Hans-Peter Lackner

    Yeah, yeah... blame the Austrians

    This is a problem of Spamhaus, not of nic.at.

    You can't just go to a company and claim that this and that domain are used by spammers. Spamhaus in that matter is as trustworthy as the fraudulent users themselves. Like every other user, Spamhaus has to provide evidence for the accusations.

    I think it is better to have a domain provider who will not shut down my domain because an obscure organisation threatened him.

    FYI: most of the spam in my inbox is from .com or .info.

  5. Otmar Lendl

    Some corrections

    Richard Cox from Spamhaus came to Vienna to attend http://www.spamsymposium.eu/ . The meeting with me as an employee from nic.at there was pure coincidence.

    There was no constructive dialogue as I am not involved in the .at part of nic.at and thus could not act as a representative of nic.at, and all Richard said was "do as I say or else". That's not a dialogue: that's blackmail.

    The block is symbolic *now*. It was a /24 when introduced. That isn't documented on the spamhaus page, either.

    Summary: don't just accept the spamhaus proclamations as truth. They often aren't.

  6. Anonymous Coward

    nic.at is right

    Spamhaus should take legal action and not blackmail nic.at.

    nic.at may not remove an entry without an order of a court.

    There is an ongoing discussion on heise.de, and everyone thinks that Spamhaus made mistakes!

  7. Simon Hobson

    There's a fair bit of b***ocks being spouted here !

    The most obvious bit is "nic.at may not remove an entry without an order of a court". That probably is not true, and certainly SHOULDN'T be true.

    Domain registrations are done under the terms of a contract with the registrar, and I'm sure there are clauses in the .co.uk contracts regarding use for illegal activities. It all comes down to how the contract is worded - and if the contract says a domain can be suspended on <some condition> then it can be suspended if that condition is true. If that condition is "we believe that the domain is being used for illegal activities" then that would be sufficient cause once they are satisfied that the domain is so being used.

    The decision could be challenged on the basis that the contract term is invalid, or it may be challenged on the basis that the 'belief' is not valid - but that would be a civil action between the registrant and the registrar.

    Now I said "... probably is not true, and certainly SHOULDN'T be true" - I think many contracts will contain clauses about illegal uses, and if they don't then they should or it leaves the registrar stuck between having no grounds for suspending registrations and getting a bad reputation for not doing so. Much the same as certain ISPs have a reputation for hosting spammers whilst most have contract clauses to cover it.

  8. Marc-Oliver Kalis

    Also Spamhaus has to stick to the Law!

    The way Spamhaus is behaving is completely out of line!

    I have always regarded them as being quite professional and law-abiding, but it seems that they have turned into a bunch of cowboys that are trying to be a law unto themselves, while at the same time trying to avoid taking any responsibility!

    This is typical spineless bullying tactics!

    There are laws in Austria, and nic.at has to adhere to them!

    Spamhaus has absolutely no right to perform this "do what we say, or else..." act.

    They have caused so much damage in the community, it is really sad!

    I have followed this pretty much from the beginning, and Spamhaus had multiple opportunities to get the domains at least deactivated, if not deleted.

    And Steve just gave a "my way or no" and "not good enough" speech.

    Then, finally, you can have a look into the various newsgroups, and the way he is expressing himself is completely unprofessional.

    He has always claimed to be professional, but when you look at all the evidence, he looks more like a little boy throwing a tantrum because he doesn't get his way.

    I can tell that by now there are probably thousands of admins that will have taken out the Spamhaus lists, simply because they are no longer trustworthy!!!

    best regards

    Marco

  9. Anonymous Coward

    Unresponsive Registrars deserve to be blocked

    Mr. Lackner wrote: "I think, it is better to have a domainprovider who will not shut down my domain because an obscure organisation threatened him."

    Spamhaus is NOT obscure in the field of blocking spam. Spamhaus is most likely the best known, and is considered the most reasonable, by those very familiar with fighting spam and fraud on the internet. Granted, Spamhaus has made some mistakes, no doubt, but not in this case. On its SBL, Spamhaus sometimes blocks entities who host spamvertised domains, for instance, even though no email is actually sent out from those locations. It is to showcase an unresponsive ISP or organization.

    Though I do not agree with all of Steve Linford's comments on NANAE, which seem off-colour at times, I think Spamhaus did the right thing in blocking Nic.AT. This story deserves some press coverage because phishing is a very serious crime. It is ridiculous that a registrar cannot shut down fraudulently purchased domains used by Russian rock-phishing gangs. These phishing gangs are stealing millions of dollars (USD) by using these fraudulent domains on their botnets for websites and nameservers. With one domain, they may be running many hundreds of unique phishing URLs spoofing many different brands at a time. It is a very large and sophisticated setup. The quicker these fraudulent domains are shut down, the fewer victims are defrauded. There are other registrars who have been dragging their feet: HKDNR comes to mind along with NIC.IO, Yesnic and others. I do not know the percentage of domains purchased by spammers and phishers, but I have an idea that the volume they go through is very high. We should applaud registrars who act quickly to take down fraudulent domains, such as GoDaddy or Register.com.

  10. Anonymous Coward

    Registrars should be blocked if they are irresponsible

    Over 80% of emails are already spam. Irresponsible registrars are a significant part of this problem.

    Try reporting your spam, especially the name servers registered by the same registrant as the spammed domain. You will find some registrars just go on registering domains for the same spammer, despite weeks of complaints against the registrant from many spam recipients. It's hard not to be cynical, as the registrar is being paid for domains by the spammer.

    Here are some of the registrars' responsibilities in their accreditation agreement with ICANN:

    http://www.icann.org/registrars/ra-agreement-17may01.htm#3

    "3.7 Business Dealings, Including with Registered Name Holders.

    3.7.2 Registrar shall abide by applicable laws and governmental regulations.

    3.7.7.9 The Registered Name Holder shall represent that, to the best of the Registered Name Holder's knowledge and belief, neither the registration of the Registered Name nor the manner in which it is directly or indirectly used infringes the legal rights of any third party."

    For phished emails and websites, it is obvious that a domain is being used illegally. Even if the whois info reflects an accurate address, the use of the domain is still illegal and should be shut down by the registrar once they are informed of illegal use.

    Requiring anti-spammers to prove whois info is inaccurate, when a domain is proven to be involved in spam or worse, is just giving them the run-around, as well as delaying action until it is irrelevant 99% of the time.

    Most of the significant spam comes from a few major spammers. They register multiple domains every day, but often use the same registrant details for more than one domain at the same registrar. When one domain is reported and closed by a registrar, the spammer just uses the next domain, or more likely they are spamming with several at a time. Most spammed domains are only active for a few days, as, if not the registrar, an Internet Service Provider may shut down the site, or it ends up on spam filters.

    Here's the ICANN advisory on reporting inaccurate whois data:

    http://www.icann.org/announcements/advisory-10may02.htm

    You can see from this that registrants have 15 days to reply to the registrar concerning inaccurate whois info. The ICANN tracked process for reporting inaccurate whois data allows for up to 30 days.

    It's just ridiculous for NIC.AT to ask Spamhaus to prove whois data is inaccurate before they will do anything about stopping phishing domains being used for theft, etc.

    I'm not affiliated with Spamhaus, but having manually reported and tracked some of the spam I receive to understand the process better, I can understand how negligent and frustrating some registrars can be.

    No wonder there is so much spam.
