North American Network Operators Group


Re: McColo and SPAM

  • From: Eric Brunner-Williams
  • Date: Sat Dec 06 08:27:07 2008

Paul,

I read Gregg Keizer's piece in CW where FireEye's Fengmin Gong is quoted as "We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."

Now interposing on the Srizbi system's attempt to communicate shouldn't be signing up to do an unlimited number of $6 buys from VGRS plus the overhead to ICANN and a registrar, after all, it is likely that Srizbi isn't using real money to do its domain buys ... so I wrote to the dead mailbox at Gong's company to ask for numbers, and if anyone in the registrar/registry business units knew why Gong's company was doing a couple hundred buys, and what T&C they were offered to keep Srizbi disconnected ...

No response.

How many domains did FE register, through which registrar(s), and at any point did FE represent to the registrar(s) or to the registry (or registries) the purpose of the buys was to keep Srizbi disconnected? If the registrar(s) or registry(ies) were informed of the purpose of the buys, what response, if any, did they make to FE's representation?

I want to know what FE's burn rate was in prophylactic domain buys, and who told FE to let Srizbi resynch its C&C nodes with its bots. I will discuss what I learn with the ICANN GNSO Council. If Keizer's even remotely correct on this point, then this is a "should never happen again" scenario where the GNSO can mandate registry and registrar responses.

So yeah, collaboration would be good, but FE ain't taking my mail, so if this is ever going to go to registrar/registry policy land, it will have to find its own way there. We just lost the unlimited 5 day "Add Grace Period" due to domainers and (some) registrars using it for tasting, and carving out a "prophylactic grace period" for things like this is possible, so that it becomes a no-charge to the interposing buy engine.

my two beads worth,
Eric

Paul Ferguson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Dec 5, 2008 at 11:10 PM, Paul Kelly :: Blacknight
<[email protected]> wrote:

We saw a dramatic decrease. Attached is our dnsbl mirror in .ie, it
mirrors spamhaus amongst other things.


McColo was just an exercise in "managing" cyber crime operations in the U.S.

Please do not be distracted by the whole "spam" issue, it's just a
byproduct of a much larger criminal operation.

What this community should really be discussing is how to deal with these
issues in a collaborative manner, because that is exactly what is needed to
combat it.

$.02,

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFJOit+q1pz9mNUZTMRApsmAKDiMWX7DFUCNxcGku6kOPex5NlW9wCdEMAb
TPtpX7pW20Tl6TgPeudjgP0=
=n4cP
-----END PGP SIGNATURE-----