Chinese registrars need rapped on knuckles, expert says

ICANN and the Chinese government could pressure Xin Net and eName to clean up their registrations

A computer security expert is calling for action against two Chinese companies that he and other analysts allege are facilitating spam and cybercrime on the Internet.

Both of the companies, eName ( and Xin Net Technology (, are domain name registrars. They sell domain names and the corresponding registration services that allow a Web site to be found on the Internet, said Gary Warner, director of research in computer forensics at the University of Alabama's computer and information sciences department.

Warner, who runs a research project dedicated to tracking trends in spam, said both companies accept domain name registrations from bad actors who can be traced to illegal activity and spam.

Xin Net came in at the top spot on a list of the most abused registrars released earlier this year by KnujOn, an organization dedicated to fighting spam. It garnered the same rank last year.

From June 2008 through February, KnujOn said it found 34,283 illicit domains linked to Xin Net, covering unregulated prescription drugs, pirate software and counterfeit consumer goods.

EName has allowed registration of Web sites selling software that purportedly allows users to spy on other people's SMS messages, Warner said. The company also allows the registration of domains names that are hosted on botnets, or networks of computers that have been infected with malicious software.

Some Web sites hosting malware and registered through eName have been active for as long as 150 days, Warner said. That's an extraordinarily long amount of time given how most good registrars and hosting companies act much faster to take harmful Web sites off the Web.

Registrars also have the power to permanently render a domain name useless, which in some cases is necessary to decapitate Web sites that are frauds or engaged in illegal activity. That means that fraudster will have to register another, different domain name to continue running a fraud site, which increases their costs.

With eName, "we are seeing an absolute refusal to cooperate with any legitimate form of an abuse complaint," Warner said. Xin Net will take minor action when pressed with a complaint, he said.

For example, Xin Net might excise one domain name from its database if that domain can be definitively linked with spam, Warner said. But spammers often register hundreds of domain names at a time so they can switch quickly to a different name if one gets shut down.

Xin Net's one-at-a-time policy may work fine "for legitimate business but doesn't work when you have cybercriminals as customers," Warner said.

And spammers are utilizing a method that makes it difficult to connect a Web site that is advertised in a spam message. The link in the spam message will go to one Web site but then automatically redirects to, for example, a Web site selling pharmaceuticals.

That redirect isn't recorded anywhere, even by the ISP. It's difficult to automatically link the spammed URL with the redirect target. It also gives the pharmaceutical vendor an extra layer of cushion, since it can argue its domain name was never sent out as spam. The same people are usually behind the spam and the Web site, Warner said.

The overseer of the Internet's addressing system, ICANN (Internet Corporation for Assigned Names and Numbers), can put pressure on Xin Net and eName, Warner said. ICANN could warn the companies that their domain name registration functions could be taken away, as ICANN accredits them, Warner said.

ICANN appointed a new CEO and president, Rod Beckstrom, last week, which could herald a change in how the organization handles Internet abuse problems, Warner said.

ICANN could potentially cut Xin Net and eName's ability to register generic top-level domains such as ".com." However, recent research by Warner's spam team showed that a large percentage of domains associated with spam ended in ".cn," the country-code top-level domain for China. Each country has administrative control over those country-code top-level domains, so ICANN couldn't take away those rights, Warner said.

But the Chinese government could take action. Experts within the security community have been aided by Chinese speakers in reaching out to the Ministry of Industry and Information Technology as well as the country's CERT (Computer Emergency Response Team), Warner said.

But as recently as two years ago, China's CERT had only three English speakers who were trying to handle a massive work load: the agency was getting as many as 9,000 abuse complaints per day, Warner said.

"We really hope the Chinese government will decide they don't want this type of activity on their networks and they will take appropriate action," Warner said.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2009 IDG Communications, Inc.