ICANN Email List Archives

[gnso-ff-pdp-may08]



[gnso-ff-pdp-may08] Domain takedown through 100% automation - kicking the hornet's nest of controversy

  • To: gnso-ff-pdp-May08@xxxxxxxxx
  • Subject: [gnso-ff-pdp-may08] Domain takedown through 100% automation - kicking the hornet's nest of controversy
  • From: Marc Perkel <marc@xxxxxxxxxx>
  • Date: Sun, 03 Aug 2008 08:29:16 -0700


OK - moving to controversial, I want to address automated domain takedown. Let me give you an example of why this can work.

I am a spam filtering operation and a huge number of fraud attempts come into our servers every hour. In this example I'll use PayPal. A message comes into the system in this form:

From:  paypaI@xxxxxxxxxxxxxxxxxxxxxxxx
To: honeypot@xxxxxxxxxxxxxxxxxxx
Subject:  Please unlock your PayPal Password

Your Online PayPal Password was blocked on 19/07/2008
Log In into your account to resolve the problem.

Click here to Log In

The link goes to this address: http://paypaI.com/login.cgi

The message did not come from a PayPal server and does not have PayPal's domain key signature. So there's no doubt that it's bogus and there are no civil liberty or free speech issues involved. This is 100% about criminals stealing money from technically ignorant users.

My software isolates the domain from the link and sees "paypaI.com" (note the I instead of the L) and the domain appears in a URI blacklist. And suppose I read information from the DNS info I've proposed and I can see the domain is 1 day old, the name servers have changed 40 times in the first day (clearly fast flux), and the domain is registered through godaddy.com. So - being part of a trusted closed reporting group - my software blocks the email and sends it to GoDaddy's automated abuse system. At the same time GoDaddy has received similar messages from several other trusted sources (not a secret society forming a shadow government to dominate the world).

So as a result GoDaddy - through automation - takes down paypai.com in less than 15 minutes after the fraud starts, disrupting the fraud and saving thousands of people from being ripped off by the Russian mafia. With a network like this one could probably ID 90% of purely criminal fast flux abuse with 100% accuracy and be so effective that fast flux no longer works and criminals abandon the technique.

Tell me why this isn't a good idea.
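The pipeline the post sketches (isolate the linked domain, check a URI blacklist, read domain age and name server churn from DNS data, check for a signature, and decide whether to block and to which registrar's abuse intake to report), as an added example written for this page; it is not Marc Perkel's software, nor any registrar's system. The two sample messages, the blacklist, the DNS record, the registrar list, the protected brand list and the thresholds (2 days, 10 name server changes) are all constructed stand-ins, and the report step only names a destination rather than sending anything.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed sample messages modelled on the one quoted in the post; none of
# this is a real capture, and the addresses use the reserved .invalid TLD.
PHISH_MESSAGE = """\
From: paypaI@mail.example.invalid
To: honeypot@example.invalid
Subject: Please unlock your PayPal Password

Your Online PayPal Password was blocked on 19/07/2008
Log In into your account to resolve the problem.

Click here to Log In: http://paypaI.com/login.cgi
"""

BENIGN_MESSAGE = """\
From: newsletter@example.invalid
To: honeypot@example.invalid
Subject: Monthly update

Read the full update at https://www.example.invalid/news
"""

# Constructed stand-ins for the external data the post relies on.
URI_BLACKLIST = {"paypai.com"}
DNS_INFO = {
    "paypai.com": {"age_days": 1, "ns_changes_first_day": 40, "registrar": "godaddy.com"},
}
# Registrars assumed to run an automated abuse intake for the closed reporting group.
TRUSTED_REGISTRAR_ABUSE = {"godaddy.com"}
PROTECTED_BRANDS = {"paypal"}

# Hypothetical thresholds, chosen so the figures quoted in the post trip them.
MAX_AGE_DAYS = 2
MIN_NS_CHANGES = 10

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Characters commonly swapped for a look-alike (the post's capital I for l);
# hostnames are case-insensitive, so the check runs on the lowercased form.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})


def extract_link_hosts(msg: Message) -> set:
    """Lowercased host name of every http(s) URL in the text/plain parts."""
    hosts = set()
    for part in msg.walk():  # yields the message itself when not multipart
        if part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname  # urlparse lowercases the host
            if host:
                hosts.add(host)
    return hosts


def lookalike_brand(host: str):
    """Return the protected brand the host's first label imitates, or None."""
    label = host.split(".")[0]
    if label in PROTECTED_BRANDS:
        return None
    normalised = label.translate(CONFUSABLES)
    return normalised if normalised in PROTECTED_BRANDS else None


def assess(raw_message: str) -> list:
    """Score each linked domain; decide whether to block and whom to report to."""
    msg = message_from_string(raw_message)
    findings = []
    for host in sorted(extract_link_hosts(msg)):
        dns = DNS_INFO.get(host, {})
        signals = {
            "blacklisted": host in URI_BLACKLIST,
            "lookalike_of": lookalike_brand(host),
            "young": dns.get("age_days", float("inf")) <= MAX_AGE_DAYS,
            "fast_flux": dns.get("ns_changes_first_day", 0) >= MIN_NS_CHANGES,
            # Presence only: a real deployment would verify the signature.
            "unsigned": "DKIM-Signature" not in msg,
        }
        # Block only when independent signals agree, as the post argues.
        blocked = signals["blacklisted"] and signals["young"] and signals["fast_flux"]
        registrar = dns.get("registrar")
        findings.append({
            "domain": host,
            "signals": signals,
            "verdict": "block_and_report" if blocked else "deliver",
            "report_to": registrar if blocked and registrar in TRUSTED_REGISTRAR_ABUSE else None,
        })
    return findings


if __name__ == "__main__":
    for finding in assess(PHISH_MESSAGE) + assess(BENIGN_MESSAGE):
        print(finding)
```

The benign message shows why the signals are combined rather than taken singly: it also lacks a DKIM-Signature header, but with no blacklist hit and no DNS evidence it is delivered, whereas the look-alike domain is blocked and routed to the registrar's abuse intake only because the blacklist, age and name server churn all agree.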




