
COVID Registration Spike and Abuse: Lessons Learned from a Contracted Party Perspective - Shared screen with speaker view
Nathalie Peregrine
32:05
Welcome all, all attendees will be on mute until the Q&A session
Nathalie Peregrine
32:51
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en.
Nathalie Peregrine
33:25
To chat, please change the dropdown to include All Panelists and All Attendees to ensure everyone can see your message. To ask a question, click the Q&A box and type in your question. All unanswered questions will be answered at the end of the webinar. You may also raise your hand during the Q&A portion.
Michele Neylon
34:36
Ashley is being modest - she’s also incoming Chair of the RrSG
Nathalie Peregrine
43:58
To ask a question, click the Q&A box and type in your question. All unanswered questions will be answered at the end of the webinar. You may also raise your hand during the Q&A portion.
Nathalie Peregrine
47:04
RySG website: https://www.rysg.info/
Nathalie Peregrine
49:12
Webinar recordings will be posted on the RySG website shortly.
Nathalie Peregrine
49:45
As a reminder, to chat, please change the dropdown to include All Panelists and All Attendees to ensure everyone can see your message.
Joanna Kulesza
49:59
@Nathalie, will the presentations also be made available?
Anne Aikman-Scalese
50:39
PSWG - the GAC's Public Safety Working Group
Nathalie Peregrine
50:41
@joanna, the Zoom recording will cover slides, audio as well as chat content.
Joanna Kulesza
51:05
Great, thanks @Nathalie!
Nathalie Peregrine
51:16
my pleasure!
Julie Bisland
53:34
Welcome to those just joining. All attendees will be on mute until the Q&A session. To ask a question, click the Q&A box and type in your question. All unanswered questions will be answered at the end of the webinar. You may also raise your hand during the Q&A portion.
Julie Bisland
56:40
@all: to ensure everyone can see your chat messages, please change the dropdown to include All Panelists and Attendees.
Michele Neylon
01:00:41
Comment: though we didn’t use this contact point thing having it was useful
Theo Geurts
01:04:53
connecting with all the different LEAs through the cyber threat coalition also helped a lot to streamline investigations and share info
Michele Neylon
01:06:02
It’s unfortunate that some companies used keyword based lists to block without verifying first
Theo Geurts
01:06:35
which caused some legit government domains to be blocked
Michele Neylon
01:06:40
yup
Michele Neylon
01:06:55
An Garda Siochana weren’t impressed with one of their sites being blocked
Danko Jevtovic
01:08:11
It happens. We had covid19.rs blocked at DNS, I had to email, and then it was unlisted.
James Bladel
01:12:39
It sounds like a few common threads emerging - (1) The vast majority of COVID or CORONA strings were inactive, and some were beneficial, and (2) the “wrapper” of abuse may have been novel, but the tactics and methods were nothing new. Both would indicate that pre-emptively “blocking” strings was not a proportionate response.
Michele Neylon
01:13:46
+1 James
James Bladel
01:14:38
Yeah, that was tough. “Take Zinc to stop COVID!” Was probably free expression. But “Buy our Zinc, it cures COVID” would cross the line.
Jeff Bedser
01:15:06
+1 James
Rod Rasmussen
01:16:22
Blocking depends on your risk posture - who you are and what you are trying to protect from. That is separate from COVID, just a standard risk-management issue. I would like to see data from anti-spam vendors that provide insight into the mystery “parked” domains and their use in spam for example to better understand risks.
Michele Neylon
01:17:40
I don’t understand how a “parked” domain could be used - you can’t set any DNS records if you point a domain at any of the major parking services
Michele Neylon
01:17:53
so it’s just serving the parked monetisation pages
Michele Neylon
01:18:06
the “coming soon” parking is a bit different
Michele Neylon
01:18:24
but I’ve seen way more hyperbole than actual data
Rod Rasmussen
01:19:33
I’ve done exactly that many times for spam honeypots @michele, so not sure that tracks. And yes stats would be much better than hyperbole, hence the ask for data from anti-spam vendors!
Michele Neylon
01:20:30
Rod - I think we’re mostly on the same page
Danko Jevtovic
01:21:45
Great presentation
Peter Van Roste
01:21:59
Comment: At CENTR we did similar research for European ccTLDs. Sample of 12 members showed very similar graphs as presented by Siôn and Graham.
Amr Elsadr
01:22:26
Yes. Very helpful and informative webinar. Comments in the chat were quite helpful too. Thanks for organizing this.
Marc Trachtenberg
01:23:53
@Michele - the domain name is parked for content and/or does not display content but has MX records so the domain can be used for email. This is the modus operandi for phishing. I would be curious if ICANN or anyone else was checking for MX records
Anton L
01:24:25
@ Michele, AFAIK a domain that is listed as "parked" can still have a related e-mail account and can be used for phishing.
Michele Neylon
01:24:40
@Marc - oh I get the technical but what I’m referring to is that most mainstream parking platforms require you to change the name servers to the parking company
Michele Neylon
01:24:50
so there’s no option to add any other DNS records
Theo Geurts
01:25:15
Correct most of them operate in such a manner parking wise
Anton L
01:25:23
Realized that Marc already stated what I said, sorry.
Marc Trachtenberg
01:25:42
Does "parked" necessarily mean using only one of those platforms though? Probably depends on who is doing the study/analysis
Michele Neylon
01:25:59
Marc - devil is in the details of course
Rod Rasmussen
01:26:23
@Michele - yep, we are. I like comprehensive data that explores the entirety of an issue so we don’t draw the wrong conclusions from a narrow viewpoint. Unfortunately, that is very hard to get. Limited viewpoints can lead to assumptions that are both overly pessimistic and optimistic in how things look in fields like abuse. A continuous challenge, and why I find the presentations we have here and have seen elsewhere very interesting and indicative of specific portions of the issues, but not necessarily authoritative for the full picture. I’m still looking for data nirvana of course!
Anton L
01:26:26
During the pandemic I've looked at many domains that are listed as parked but have MX records. So this is just something that varies between hosting providers.
Michele Neylon
01:26:54
I think we’re not talking about the same concept of “parked”
Michele Neylon
01:27:05
parked to me means Sedo / Parking Crew / DAN.com
Marc Trachtenberg
01:27:06
Right. So would love to see an analysis like the ones shown in the presentation that addressed this aspect
Theo Geurts
01:27:24
hosting providers parking vs PPC parking providers are two different things
Rod Rasmussen
01:27:28
Oh no, we have a taxonomy problem!
Alan Woods
01:27:37
MX records can of course be monitored - but the presence of an MX record is not determinative, but merely one ‘flag’. The registry / registrar review here would be relying heavily on a level of ‘guesswork’ and connecting very disparate dots. We need to look to the suitability of a registry vs a mail service provider in such instances.
Michele Neylon
01:27:38
Parking for me = PPC
Anton L
01:27:39
Haha cybersec always has taxonomy problems
Graeme Bunton
01:27:44
To Gabe re: MX records. Depends on the Rr, and for us on the reseller. Some may deploy MX as part of registration.
Michele Neylon
01:27:53
+1 to Graeme
Michele Neylon
01:28:05
a lot of domains with us could have an MX in the DNS but no actual service
Alan Woods
01:28:07
And +1 to Graeme too
Peter Van Roste
01:28:38
@michele - do you have any knowledge of what portion of registrars put MX default on during registration?
Michele Neylon
01:28:39
like 99% of our hosted sites have IPv6 but only about 1% of our clients would even know about it
Marc Trachtenberg
01:28:49
@Alan Woods - of course MX record is only an indicator and not determinative but still very useful information as part of the overall analysis
Michele Neylon
01:28:52
@peter - no but JMCC would probably know
Ashley Heineman
01:30:24
The "quarantent" mentioned in Graeme's slide actually made it into a CNN article on interesting COVID-related designs. :-) https://www.cnn.com/style/article/design-competition-coronavirus-spc-intl/index.html
Anton L
01:30:52
From what I've seen regarding the TLDs we've been looking at most of the "parked" domains are "parked" such as the domains etc are paid for but the customer havent taken any visible action. So If I purchase a domain many of the companies will automatically list it as "parked" while in fact it is being used for e-mail communication. :)
Marc Trachtenberg
01:32:00
+1 to Anton L - This is what I see in my practice every day when we go after phishers
Ashley Heineman
01:32:48
Can those registries and registrars that want to BRIEFLY provide their insights on this subject please raise their hands now so that we know who to call on? We are running short on time. Thanks!
Cheryl Langdon-Orr
01:32:49
Indeed Anton, that is what both myself and several of my niche customers do routinely
Anton L
01:33:18
@Marc Connecting to share experiences regarding that would be very beneficial for me.
Michele Neylon
01:33:48
I think Marc + Anton are calling “parked” what we’d probably call “inactive”
Glenn McKnight
01:33:55
Sharing our site on Covid
Glenn McKnight
01:33:56
https://padlet.com/acalderon/COVID19
Michele Neylon
01:33:57
or on a “coming soon”
Anton L
01:34:01
@Michele: Likely
Marc Trachtenberg
01:34:06
@Anton L- or it appears that the customer hasn't taken any action so when brand owners check monitoring it looks like unused. But in fact, they have set up MX records and are using for email-based fraud
Anton L
01:34:30
@Marc - Exactly.
Cheryl Langdon-Orr
01:34:55
Or actually using them for non fraudulent email
Marc Trachtenberg
01:35:17
@Cheryl - that's possible but I am talking about phishers
Cheryl Langdon-Orr
01:35:41
I know @Marc, just reminding there is valid use as well ;-)
Anton L
01:35:51
Phishes everywhere!
Marc Trachtenberg
01:38:47
I look at thousands of domain names every week and in my experience it is statistically rare (but possible) that a domain name is similar to a well-known brand, has no content but MX records, and is being used for legitimate purposes. Of course if the brand has words that have generic meaning in a different context that number might go up, but not much in my experience.
Danko Jevtovic
01:39:45
yes, but we don't see you ;)
Nathalie Peregrine
01:40:36
@Danko, only panelists can activate their video :)
Michele Neylon
01:41:53
Not seeing me is a good thing - I forgot to shave today
Danko Jevtovic
01:42:31
;)
Anton L
01:43:07
Not a very experienced Zoom-user, is direct messaging not activated for this chat?
Nathalie Peregrine
01:43:58
@anton, if you scroll down the chat drop down menu, you will see the individual names of attendees below
Gopal Tadepalli
01:44:04
It is useful to observe in one of the presentations that the 11th week was the peak time and 21st Week was quite low. I surmise that the "activeness" of the domain names was always comparable. Am I correct in this surmise ?
Nathalie Peregrine
01:45:31
@Anton, Michele is right, in webinar mode, you can only chat either the panelist group, or all panelists and attendees. Apologies for the confusion!
Anton L
01:46:15
@Nathalie & Michele: Thanks for the info
Graeme Bunton
01:52:35
I can answer!
Anne Aikman-Scalese
01:55:59
Thank you Graeme and Jim for answering. Anne
Maxim Alzoba
01:56:19
proactive is similar to prosecution before the crime, so it is case by case
James Bladel
01:57:56
Thanks Brian. Although a shopping cart is content. :)
Brian Cimbolic
01:58:30
Right - it’s something we deployed specifically for this issue.
Danko Jevtovic
02:00:20
thank you all, great webinar!
Cheryl Langdon-Orr
02:00:21
Thanks everyone VERY informative!
Peter Van Roste
02:00:30
Excellent session. Thanks everyone!
Anton L
02:00:30
Thanks everyone!
James Bladel
02:00:33
Thanks all!